Commit 5f2e9c3

Merge pull request #204389 from Gargi-Sinha/patch-130
Replacing a FAQ with a new one and explanation
2 parents 59181e7 + 0f79b36 commit 5f2e9c3

3 files changed (+12, -2 lines changed)

articles/active-directory/external-identities/faq.yml

Lines changed: 12 additions & 2 deletions
@@ -189,9 +189,19 @@ sections:
189189
For information about what licenses your organization needs to use Azure AD B2B, see [External Identities pricing](external-identities-pricing.md).
190190
191191
- question: |
192-
Can B2B collaboration users sign in with their non-UPN email address?
192+
What happens if I invite a user whose email and UPN don’t match?
193193
answer: |
194-
Yes. For more information about email as an alternate login ID for B2B collaboration, see [B2B guest user sign-in with an email address](../authentication/howto-authentication-use-email-signin.md#b2b-guest-user-sign-in-with-an-email-address).
194+
It depends. By default, Azure AD only allows UPN for login ID. When UPN and email are the same, Azure AD B2B invitations and subsequent sign-ins work as expected. However, issues can arise when a user’s email and UPN don’t match, and the email is used instead of the UPN to sign in.
195+
When a user is invited with a non-UPN email, they will be able to redeem the invitation if they redeem using the [email invitation link](https://docs.microsoft.com/azure/active-directory/external-identities/redemption-experience#redemption-through-the-invitation-email), but redemptions via a [direct link](https://docs.microsoft.com/azure/active-directory/external-identities/redemption-experience#redemption-through-a-direct-link) will fail. However, even if the user successfully redeems the invitation, subsequent sign-in attempts using the non-UPN email will fail unless the identity provider (either Azure AD or a federated identity provider) is configured to allow email as an alternative login ID.
196+
This issue can be mitigated by:
197+
1. [Enabling email as an alternate login ID](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-use-email-signin) in the invited/home Azure AD tenant
198+
2. Enabling the federated identity provider to support email as login ID (if Azure AD is federated to another identity provider) or
199+
3. Instructing the user to redeem/sign-in using their UPN.
200+
To avoid this issue entirely, administrators should ensure users’ UPN and email are the same value.
201+
202+
![Screenshot shows the flow for guest redemption.](media/user-invitation-different-email-upn/guest-redemption.png)
203+
204+
![Screenshot shows the flow for subsequent sign-ins.](media/user-invitation-different-email-upn/subsequent-sign-in.png)
195205
196206
- question: |
197207
Instant-on: What can cause replication latency?
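Review bot: the new answer (lines 194+ through 199+) uses absolute `https://docs.microsoft.com/...` URLs for all four links, while the rest of this file and the line being removed use repo-relative links such as `../authentication/howto-authentication-use-email-signin.md#b2b-guest-user-sign-in-with-an-email-address`; please convert the new links to the same relative form so they follow the file's convention and resolve correctly in localized and versioned builds. Two smaller points in the same hunk: mitigation 1 says "in the invited/home Azure AD tenant", which leaves it unclear whether the inviting tenant or the guest's home tenant must enable email as an alternate login ID, and since the preceding sentence places that setting at the identity provider the user signs in with, "in the invited user's home Azure AD tenant" would be unambiguous; and the three numbered mitigations are alternatives but carry "or" only after item 2, so either drop that trailing "or" or change the lead sentence to "This issue can be mitigated by one of the following:".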