Sunday, 8 August 2021

Guest users in Azure AD - available options and scenarios

The easiest way to give an external person access to a Microsoft 365 service is to invite them as a guest user via Azure AD. If an external person is invited directly via Teams, SharePoint, Power BI, etc., this also automatically results in a guest user in Azure AD.
However, this is not the only option. Technically, there are different ways to do it:
  1. A user is invited as a guest. The authenticating instance is either another Azure AD or an IdP supported by Azure AD. Well-known examples are Google and Facebook. More details are described here: Identity Providers for External Identities
  2. The second option is that the user is created in the local AD or in the Azure AD. This is the case if customers or partners already have accounts in the local AD that should now also be used to access cloud resources, or if a company wants to manage guest users completely itself. The IdP for the guest user is then the company's own AD / Azure AD.
  3. A guest user who logs in via one-time passcode. Details are described in this article: Onetime Passcode Authentication to access Microsoft 365 Group resources
In Azure AD, a guest user from the first or the third scenario technically looks like this: John.Smith_gmail.com#EXT#@tenantname.onmicrosoft.com. However, the user logs in normally as John.Smith@gmail.com.
A user created via the second scenario, however, also technically has a UPN that follows the "normal" layout: Jane.Doe@tenantname.onmicrosoft.com.

What makes a user a guest user?

Which instance performs the authentication says nothing about whether a user is technically a guest user or a member. The value "UserType", which can be set via PowerShell, determines whether an account is defined as a guest or as a member.
Example:

# Sign in to the tenant with the MSOnline module
Connect-MsolService
# Reclassify the invited guest as a full member. The account keeps its technical
# UPN (John.Smith_gmail.com#EXT#@tenantname.onmicrosoft.com, see above); use that
# form if the sign-in name is not resolved.
Set-MsolUser -UserPrincipalName "John.Smith@gmail.com" -UserType Member

This makes the user John.Smith@gmail.com, who was invited as a guest, a full member in Azure AD. This user can now also be added to a Microsoft Team as a member or owner.

The other way around, a user from the on-premises AD or Azure AD can be configured as a guest user.
Example:

# Sign in to the tenant with the MSOnline module
Connect-MsolService
# Reclassify an account that was created in (or synchronized to) the tenant as a guest
Set-MsolUser -UserPrincipalName "Jane.Doe@tenantname.onmicrosoft.com" -UserType Guest

When a user is changed from a guest to a member, they must also be licensed. If a user is newly created or synchronized via AAD Connect, it is always a member of Azure AD. Via "-UserType Guest" the user can be turned into a guest account and no longer needs to be licensed.
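Because UserType is independent of where a user authenticates (scenarios 1 to 3 above), it is worth checking the two combinations that deserve a second look: externally authenticated accounts (the #EXT# UPN form) that have been promoted to Member, and accounts set to Guest that still consume a license. The following script is an added example, not from the original post; it uses the same MSOnline module as the commands above, and the function names Get-UserTypeReview and Set-UserTypeChecked are my own.

```powershell
# Added example (not part of the original post): review UserType against the way an
# account authenticates, and change it with a pre-check. Assumes the MSOnline module.
Connect-MsolService

function Get-UserTypeReview {
    # Lists accounts whose UserType does not match how they sign in, plus licensed guests.
    $users = Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName, UserType, IsLicensed
    foreach ($u in $users) {
        # The #EXT# form marks a guest invited from another IdP or via one-time passcode;
        # changing UserType to Member does not change this UPN.
        $isExternal = $u.UserPrincipalName -like '*#EXT#@*'
        $finding = $null
        if ($isExternal -and $u.UserType -eq 'Member') {
            $finding = 'External identity with full Member rights - confirm this is intended'
        } elseif ($u.UserType -eq 'Guest' -and $u.IsLicensed) {
            $finding = 'Guest still licensed - license can be removed'
        }
        if ($finding) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                UserType          = $u.UserType
                ExternalIdentity  = $isExternal
                IsLicensed        = $u.IsLicensed
                Finding           = $finding
            }
        }
    }
}

function Set-UserTypeChecked {
    # Changes UserType only when needed and reminds about licensing when promoting to Member.
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Member', 'Guest')] [string] $UserType
    )
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($u.UserType -eq $UserType) {
        Write-Host "$UserPrincipalName is already a $UserType - nothing to do"
        return
    }
    if ($UserType -eq 'Member' -and -not $u.IsLicensed) {
        Write-Warning "$UserPrincipalName will become a Member and must be licensed afterwards"
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -UserType $UserType
    # Return the new state so the change can be verified in the same session
    Get-MsolUser -UserPrincipalName $UserPrincipalName |
        Select-Object UserPrincipalName, UserType, IsLicensed
}

# Usage: print the review table, then reclassify one account as in the examples above
Get-UserTypeReview | Format-Table -AutoSize
# Set-UserTypeChecked -UserPrincipalName "Jane.Doe@tenantname.onmicrosoft.com" -UserType Guest
```

Running Get-UserTypeReview regularly gives a simple inventory of guests that were promoted to full members, which is the change that widens what an external identity can do in the tenant (for example becoming a Teams owner).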
Microsoft article about this:

Examples

Example 1 - Account in Azure AD is reconfigured from member to guest user:

Example 2 - Account in Azure AD is reconfigured from guest user to member:
