Merge pull request #108257 from riantu/patch-23

Add Symptom

Author: Jak-MS

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md

@@ -522,6 +522,28 @@ $smssignin = Get-MgUserAuthenticationPhoneMethod -UserId $userId
 ##### End the script
 ```
 
+#### Symptom - Users fail to provision with error "AzureActiveDirectoryForbidden"
+
+Users in scope fail to provision. The provisioning logs details include the following error message:
+
+```
+The provisioning service was forbidden from performing an operation on Azure Active Directory, which is unusual. 
+A simultaneous change to the target object may have occurred, in which case, the operation might succeed when it is retried.
+Alternatively, the target of the operation, or one of its properties, may be mastered on-premises, in which case, 
+the provisioning service is not permitted to update it, and the corresponding source entry should be removed from the provisioning service's scope.
+Otherwise, authorizations may have been customized in such a way as to prevent the provisioning service from modifying the target object or one of its properties; 
+if so, then, again, the corresponding source entry should be removed from scope. 
+This operation was retried 0 times. 
+```
+
+**Cause**
+
+This error indicates the Guest invite settings in the target tenant are configured with the most restrictive setting: "No one in the organization can invite guest users including admins (most restrictive)".
+
+**Solution**
+
+Change the Guest invite settings in the target tenant to a less restrictive setting. For more information, see [Configure external collaboration settings](../external-identities/external-collaboration-settings-configure.md).
+
 ## Next steps
 
 - [Tutorial: Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md)