Introduction
In the Microsoft 365 ecosystem, external users are often invited to collaborate on specific projects using their own identity. However, when these collaborations evolve into long-term engagements, it becomes necessary to convert these external users to internal users. This conversion ensures continuity of access, permissions, and history without creating new accounts.
While Microsoft Entra ID offers the functionality to convert users to internal at the individual level, it lacks tools to perform bulk conversions. In this article, we explore a PowerShell-based solution for managing bulk conversions securely and in an organized manner.
Good to Know
Converting an external user to internal maintains their unique identifier, permissions, and activity while the security policies applied are updated to match internal requirements.
Why Convert External Users to Internal Users?
Common Scenarios
Here are typical cases requiring the conversion of external users:
- Mergers and Acquisitions: Employees from an acquired company are initially added as guests. Converting these accounts when they become internal ensures a smooth transition.
- Employee Onboarding: Interns or contractors who started with limited access can be converted to internal users when they transition to full employment.
- Long-Term Collaborations: External partners or consultants engaged on extended projects should be integrated internally to consolidate their permissions.
Method to Convert External Users
Native Microsoft Entra ID Functionality
Conversion can be performed via the Microsoft Entra portal. Here are the steps for individual-level conversion:
- Go to Entra ID → Users → All users → Select a user.
- In the Overview tab, click Convert to internal user under the B2B Collaboration section.
Although simple, this method is impractical for bulk conversions.
Conversion via Microsoft Graph API
For custom conversions, you can use the Graph API with an HTTP request:
1Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/users/{userId}/microsoft.graph.convertExternalToInternalMemberUser" -Method PATCHHowever, this method requires individual data manipulation and becomes tedious for managing multiple users.
Conversion with the Convert-MgBetaUserExternalToInternalMemberUser Cmdlet
The PowerShell cmdlet allows grouped operations while requiring a UPN and password for each user. To simplify, an advanced PowerShell script can be used.
PowerShell Script for Bulk Conversion
Essential Script Features
Our dedicated PowerShell script offers the following features:
- Bulk conversion of external users listed in a CSV file.
- Automatic generation of UPNs and passwords if not provided.
- Supports accounts with MFA or CBA (certificate-based authentication).
- Exports detailed logs to a password-protected ZIP file.
Tip
The script automatically installs necessary modules like Microsoft Graph Beta and 7Zip4Powershell, ensuring a ready-to-use environment.
Script Execution Example
Data Preparation
Create a CSV file with the following mandatory columns:
- UserId: Unique identifier (UPN, email, or object ID).
- NewUserPrincipalName: (optional) New UPN to assign.
- NewPassword: (optional) Password to configure.
- ForceChangePasswordNextSignIn: (Yes or No).
1UserId,NewUserPrincipalName,NewPassword,ForceChangePasswordNextSignIn2externaluser@example.com,,,3externaluser2@example.com,newupn@example.com,newpassword,YesScript Execution
Import the CSV file and execute:
1./ConvertExternalUsersToInternalUsersM365.ps1 -InputCSVFilePath "C:\Users\InputFile.csv"The script generates a log file detailing the conversion history.
Advanced Options
- Automatic UPN Generation: Add the
-AutoGenerateNewUPNparameter. - Automatic Password Generation: Use
-AutoGeneratePassword. - Combine these options to fully automate the process.
1./ConvertExternalUsersToInternalUsersM365.ps1 -AutoGenerateNewUPN -AutoGeneratePasswordTechnical Impact of Conversion
When a user is converted to internal, here are the major changes:
- Audit and History Maintained: The user object remains unchanged.
- Policies and Permissions Updated: Internal access policies are applied.
- Authentication and Licensing: Existing configurations are preserved.
Warning
A review of dynamic members may be necessary to prevent unintended access to sensitive resources following the conversion.
Conclusion
Bulk conversion of external users to internal users is a strategic process under Microsoft 365. The PowerShell script presented offers a robust and automated solution suited for various uses. Whether you are leading a massive migration or a specific adjustment, this process will ensure a smooth transition while respecting security and compliance.
Do you have questions or comments? Share them in the comments below!



