Answered

User has entered another contact's invitation code

(0) Share

Report

Posted on by hantsjoel

Hello,

We have tested a scenario where a user (Person A) has entered another person's (Person B) invitation code. This has allowed Person A to go into the portal, and the portal thinks they are Person B - they see Person B's contact record and will presumably be able to act as that person.

Looking at the underlying tables, I can see that Person A's Entra (AD) user ID has recorded against Person B's Invitation and Contact records. These are simple string columns, and changing these to Person B's Entra user ID seems to have no effect...whenever person A logs in they are still seeing the records of Person B.

How does Power Pages match the logged in user to the Contact record? How can I uncouple Person A from Person B's records?

Any help greatly appreciated!

Thanks

Joel

Categories:

General topics

I have the same question (0)

All responses (2)

Answers (2)

Verified answer

oliver.rodrigues 9,368 Most Valuable Professional on at

Like (0)

Report

To fix your data, I think you can delete the "External Identity" record associated with the contacts, this should fix the problem I think

"How does Power Pages match the logged in user to the Contact record?"

Basically this is the logic of an invitation, the user got access to an invitation code and simply used that. Perhaps you can consider adding MFA if you are using Azure AD B2C for example

Was this reply helpful? Yes No
Verified answer

Fubar 8,346 Super User 2025 Season 2 on at

Like (0)

Report

As per Oliver's response, once the invitation is redeemed the linkage between the Contact record and the external identity provider is in the External Identity record in your dataverse - it has a Lookup to Contact and also holds the identifier of the user in the external identity provider e.g. with Azure B2C it holds the guid of that user as recorded in B2C.

The data fix depends on how you want to approach it, e.g remove the External Identity record (and resend invitations). If it is in your B2C or Azure AD, you can get the correct guid from it and then edit the External Identity record (and then clear the portal cache). But also, delete the Invitation record or set the Maximum redemption field - so that old invitation code becomes invalid and cannot be reused.

The other scenario where this type of problem can occur is when someone is on a shared computer and does not close the browser session and another user opens an Invitation link in that same session.

Also, there is a column on the Invitation record to set Maximum redemptions (the field may not be on the form by default depending on versions etc). We have customers that default this field to 1.

Was this reply helpful? Yes No