IM Connector for Azure and User Type Guest

Article ID: 231934

Updated On:

Products

CA Identity Manager, CA Identity Suite

Issue/Introduction

The Symantec IGA (CA Identity Manager) Azure REST Connector supports two user types, "Guest" and "Member" (see the product documentation linked below for more information).

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-azure/manage-azure-with-rest-connector.html#concept.dita_65480e1a9def53c7ed2ee520ab0d801c268499b0_CreateanAccountTemplate 

The documentation states that to create a guest user, you configure an account template and fill the "User Type" field with the word "Guest". However, this does not work as expected.

IM appears to create an external "Guest" user that authenticates outside of the Tenant domain (@myDomain.onmicrosoft.com). Changing this so that the user authenticates inside the Tenant domain (@myDomain.com) requires an invitation to be sent to the participant.

Microsoft documents this as follows: to create an Azure guest user, send this HTTP POST to Azure:

https://docs.microsoft.com/es-es/graph/api/invitation-post?view=graph-rest-1.0&tabs=http

and fill the invitedUserEmailAddress field with the '[email protected]' email address of the invited user.

However, what the Azure connector actually does is this:

https://docs.microsoft.com/es-es/graph/api/user-post-users?view=graph-rest-1.0&tabs=http

and it fills the userType field with "Guest".

What is the expected functionality of the Azure connector in IM?

Environment

Release : 14.x

Component : IdentityMinder(Identity Manager)

Resolution

Currently, the Azure REST connector does not fully support the Guest user type (the invitation operation is not supported). This feature will be implemented in a feature release of Symantec IGA (CA Identity Manager).
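
The two Graph calls contrasted above, plus a way to inventory Guest-typed accounts that never went through an invitation, as an added example (not code from Broadcom or the connector). It relies on the Graph user properties `userType` and `externalUserState`; the tenant names, users, redirect URL and password placeholder are constructed.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"

def invitation_request(email, redirect_url):
    """Request Microsoft documents for inviting a guest (POST /invitations)."""
    return {"method": "POST", "url": f"{GRAPH}/invitations",
            "body": {"invitedUserEmailAddress": email,
                     "inviteRedirectUrl": redirect_url}}

def direct_guest_request(upn, display_name, nickname, password):
    """Request the article attributes to the connector (POST /users, userType Guest)."""
    return {"method": "POST", "url": f"{GRAPH}/users",
            "body": {"accountEnabled": True, "displayName": display_name,
                     "mailNickname": nickname, "userPrincipalName": upn,
                     "userType": "Guest",
                     "passwordProfile": {"password": password,
                                         "forceChangePasswordNextSignIn": True}}}

def classify_guest(user):
    """Classify one Graph user object by whether an invitation exists for it."""
    if user.get("userType") != "Guest":
        return "member"
    state = user.get("externalUserState")  # only set for invited users
    if state in ("PendingAcceptance", "Accepted"):
        return "invited-" + state
    return "guest-without-invitation"

def audit(users):
    """Return UPNs of Guest accounts that carry no invitation state."""
    return [u["userPrincipalName"] for u in users
            if classify_guest(u) == "guest-without-invitation"]

# Constructed sample shaped like the "value" array returned by
# GET /users?$select=userPrincipalName,userType,externalUserState
SAMPLE_USERS = [
    {"userPrincipalName": "alice@myDomain.com", "userType": "Member", "externalUserState": None},
    {"userPrincipalName": "bob_partner.example#EXT#@myDomain.onmicrosoft.com", "userType": "Guest", "externalUserState": "Accepted"},
    {"userPrincipalName": "carol_partner.example#EXT#@myDomain.onmicrosoft.com", "userType": "Guest", "externalUserState": "PendingAcceptance"},
    {"userPrincipalName": "contractor1@myDomain.onmicrosoft.com", "userType": "Guest", "externalUserState": None},
]

if __name__ == "__main__":
    print(json.dumps(invitation_request("bob@partner.example", "https://myapps.microsoft.com"), indent=2))
    print(json.dumps(direct_guest_request("contractor1@myDomain.onmicrosoft.com", "Contractor One", "contractor1", "<placeholder-password>"), indent=2))
    print(audit(SAMPLE_USERS))
```

Accounts returned by `audit` are the ones to review: they are typed Guest and hold a local password, but no invitation was ever issued or redeemed for them.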