Converting External Users to Internal Users with PowerShell

Introduction

In the Microsoft 365 ecosystem, external users are often invited to collaborate on specific projects using their own identity. However, when these collaborations evolve into long-term engagements, it becomes necessary to convert these external users to internal users. This conversion ensures continuity of access, permissions, and history without creating new accounts.

While Microsoft Entra ID offers the functionality to convert users to internal at the individual level, it lacks tools to perform bulk conversions. In this article, we explore a PowerShell-based solution for managing bulk conversions securely and in an organized manner.

Why Convert External Users to Internal Users?

Common Scenarios

Here are typical cases requiring the conversion of external users:

• Mergers and Acquisitions: Employees from an acquired company are initially added as guests. Converting these accounts when they become internal ensures a smooth transition.
• Employee Onboarding: Interns or contractors who started with limited access can be converted to internal users when they transition to full employment.
• Long-Term Collaborations: External partners or consultants engaged on extended projects should be integrated internally to consolidate their permissions.

Method to Convert External Users

Native Microsoft Entra ID Functionality

Conversion can be performed via the Microsoft Entra portal. Here are the steps for individual-level conversion:

1. Go to Entra ID → Users → All users → Select a user.
2. In the Overview tab, click Convert to internal user under the B2B Collaboration section.

Although simple, this method is impractical for bulk conversions.

Conversion via Microsoft Graph API

For custom conversions, you can use the Graph API with an HTTP request:

1Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/users/{userId}/microsoft.graph.convertExternalToInternalMemberUser" -Method PATCH

However, this method requires individual data manipulation and becomes tedious for managing multiple users.

Conversion with the Convert-MgBetaUserExternalToInternalMemberUser Cmdlet

The PowerShell cmdlet allows grouped operations while requiring a UPN and password for each user. To simplify, an advanced PowerShell script can be used.

PowerShell Script for Bulk Conversion

Essential Script Features

Our dedicated PowerShell script offers the following features:

• Bulk conversion of external users listed in a CSV file.
• Automatic generation of UPNs and passwords if not provided.
• Supports accounts with MFA or CBA (certificate-based authentication).
• Exports detailed logs to a password-protected ZIP file.

Script Execution Example

Data Preparation

Create a CSV file with the following mandatory columns:

• UserId: Unique identifier (UPN, email, or object ID).
• NewUserPrincipalName: (optional) New UPN to assign.
• NewPassword: (optional) Password to configure.
• ForceChangePasswordNextSignIn: (Yes or No).

1UserId,NewUserPrincipalName,NewPassword,ForceChangePasswordNextSignIn
2externaluser@example.com,,,
3externaluser2@example.com,newupn@example.com,newpassword,Yes

Script Execution

Import the CSV file and execute:

1./ConvertExternalUsersToInternalUsersM365.ps1 -InputCSVFilePath "C:\Users\InputFile.csv"

The script generates a log file detailing the conversion history.

Advanced Options

• Automatic UPN Generation: Add the -AutoGenerateNewUPN parameter.
• Automatic Password Generation: Use -AutoGeneratePassword.
• Combine these options to fully automate the process.

1./ConvertExternalUsersToInternalUsersM365.ps1 -AutoGenerateNewUPN -AutoGeneratePassword

Technical Impact of Conversion

When a user is converted to internal, here are the major changes:

• Audit and History Maintained: The user object remains unchanged.
• Policies and Permissions Updated: Internal access policies are applied.
• Authentication and Licensing: Existing configurations are preserved.

Conclusion

Bulk conversion of external users to internal users is a strategic process under Microsoft 365. The PowerShell script presented offers a robust and automated solution suited for various uses. Whether you are leading a massive migration or a specific adjustment, this process will ensure a smooth transition while respecting security and compliance.

Do you have questions or comments? Share them in the comments below!