Add Symptom

Adding a symptom with cause and solution

Author: riantu

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md

@@ -522,6 +522,28 @@ $smssignin = Get-MgUserAuthenticationPhoneMethod -UserId $userId
 ##### End the script
 ```
 
+#### Symptom - Users fail to provision with error "AzureActiveDirectoryForbidden"
+
+Users in scope fail to provision. The provisioning logs details include the following error message:
+
+```
+The provisioning service was forbidden from performing an operation on Azure Active Directory, which is unusual. 
+A simultaneous change to the target object may have occurred, in which case, the operation might succeed when it is retried.
+Alternatively, the target of the operation, or one of its properties, may be mastered on-premises, in which case, 
+the provisioning service is not permitted to update it, and the corresponding source entry should be removed from the provisioning service's scope.
+Otherwise, authorizations may have been customized in such a way as to prevent the provisioning service from modifying the target object or one of its properties; 
+if so, then, again, the corresponding source entry should be removed from scope. 
+This operation was retried 0 times. It will be retried again after this date: 2023-04-14T16:57:48.5266936Z UTC
+```
+
+**Cause**
+
+This error indicates the Guest invite settings in the target tenant are configured with the most restrictive setting "No one in the organization can invite guest users including admins (most restrictive)"
+
+**Solution**
+
+Change the Guest invite settings in the target tenant to a less restrictive setting. For more information, see [Configure external collaboration settings](../external-identities/external-collaboration-settings-configure.md).
+
 ## Next steps
 
 - [Tutorial: Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md)