We have an enterprise account where users are provisioned from Azure AD using SCIM. This works as intended; however, we do see that some users are not following the instructions correctly from the invitation emails, and end up with personal (free) accounts associated with their corporate domain email address. As admins, we have no way of telling when users have created personal accounts, other than the indicator that they are still listed with the ‘invited’ tag in the portal. If we re-send the invite, they are able to join the organization, so at least that part’s working.
Since the invitation emails are going out automatically when users are provisioned, and we cannot customize them in any way, it would be great if there was an option to lock down the (verified) domain name(s) associated with an enterprise account, so that users attempting to register would not be able to create personal accounts with their work email and instead would be set up automatically within the organization (since the user is already provisioned with the email address, it should be possible to match up the accounts?). We have the ‘single organization’ policy enabled, but this doesn’t apply to the sign-up process; it only prevents users from joining other orgs once they’ve joined ours.