Entra ID Invitation Emails
Entra ID Invitation Emails May Not Be Delivered in Some Tenants
Microsoft is currently rolling out changes to the standard Entra ID invitation email pattern. While this update does not impact all environments, some tenants may experience issues where external guest invitations are not successfully delivered.
When Does This Issue Occur?
This problem can occur in tenants that still use the default Microsoft-provided domain as their primary domain, such as:
- company.onmicrosoft.com
In these cases, Entra ID invitation emails are sent from this default domain.
Why Can Invitations Be Blocked?
The onmicrosoft.com domain is fully owned and managed by Microsoft. Because of this, tenant administrators cannot configure important email authentication mechanisms such as:
- SPF
- DKIM
- DMARC
Many email providers enforce strict DMARC policies. If an invitation email cannot be properly authenticated, it may be flagged as suspicious or rejected entirely.
Example Scenario
A tenant uses company.onmicrosoft.com as its primary domain. When an external guest user is invited through Entra ID, the invitation email is sent from that domain. Because the tenant administrator cannot configure mail authentication for that domain, the recipient's email provider may block the message. As a result, the invited user never receives the invitation.
Recommended Solution
To improve deliverability, Microsoft recommends using a properly configured custom domain as the tenant's primary domain, for example:
- company.com
A custom domain allows full control over DKIM, SPF, and DMARC settings, which helps ensure invitation emails are accepted by external mail systems.
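Before switching the primary domain, it helps to confirm that the custom domain actually publishes all three records. The following is an added example, not Microsoft's tooling or code from this article: it audits TXT data that has already been resolved, and the function names, the DKIM selector "s1" and every record in the sample data are constructed assumptions.

```python
# Added example: audits TXT data for a candidate primary domain. All records are constructed.

def parse_tags(record):
    """Split 'k=v; k=v' syntax (used by DMARC and DKIM records) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_domain(domain, txt, dkim_selector):
    """Return a list of findings; an empty list means all three records look usable."""
    domain = domain.lower().rstrip(".")
    if domain.endswith(".onmicrosoft.com"):
        return ["Microsoft-owned domain: tenant admins cannot configure SPF, DKIM or DMARC"]
    findings = []
    # SPF: exactly one TXT record at the domain itself whose first term is v=spf1.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("SPF: no v=spf1 record")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (evaluates to permerror)")
    # DMARC: one record at _dmarc.<domain> with a valid p= policy tag.
    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])]
    dmarc = [t for t in dmarc if t.get("v", "").upper() == "DMARC1"]
    if not dmarc:
        findings.append("DMARC: no v=DMARC1 record")
    elif dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    # DKIM: public key at <selector>._domainkey.<domain>; an empty p= means revoked.
    dkim = [parse_tags(r) for r in txt.get(f"{dkim_selector}._domainkey.{domain}", [])]
    if not any(t.get("p") for t in dkim):
        findings.append("DKIM: no usable public key for selector " + dkim_selector)
    return findings

# Constructed sample data (not real DNS answers). Selector "s1" is hypothetical.
SAMPLE_TXT = {
    "company.com": ["v=spf1 include:_spf.mailhost.example -all", "site-verification=abc"],
    "_dmarc.company.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@company.com"],
    "s1._domainkey.company.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    "example.org": ["v=spf1 -all", "v=spf1 include:_spf.mailhost.example ~all"],
    "s1._domainkey.example.org": ["v=DKIM1; k=rsa; p="],
}

if __name__ == "__main__":
    for name in ("company.onmicrosoft.com", "company.com", "example.org"):
        print(name, audit_domain(name, SAMPLE_TXT, "s1") or "ready")
```

To run it against a real domain, replace SAMPLE_TXT with the TXT answers returned by your resolver and pass the selector your mail service uses.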
Additional Information
More information can also be found here.