Mar 24, 2024
MORE ABOUT GUESTS – Planning and Managing Azure AD Identities
While guests are typically part of an invitation process, with the new Azure AD cross-tenant synchronization feature (currently in preview), you can automate the provisioning of guest objects between trusted tenants similar to how you would with your own directory synchronization. Microsoft recommends this feature only for Azure AD tenants that belong to the same organization. For more information on the new cross-tenant sync feature, see https://learn.microsoft.com/en-us/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.
While guest users can be viewed and edited in the Microsoft 365 admin center, they can only be provisioned through the Azure AD portal. Clicking Add a guest user in the Microsoft 365 admin center transfers you over to the Azure AD portal to complete the invitation process.

Figure 5.7 – Guest users administration in Microsoft 365 admin center
After either logging in to the Azure AD portal or being redirected there by the Microsoft 365 admin center, you can begin the process of inviting guests. To invite a new guest user from the Azure AD portal, click New user and then select Invite external user.

Figure 5.8 – Inviting a new guest user
The user interface elements for inviting a guest user are very similar to those for creating a new cloud user. The main differences are in the selection of the template and, in the case of a guest user, you have the opportunity to supply message content (which will be included as part of the email invitation sent). See Figure 5.9.

Figure 5.9 – Configuring the guest invitation
Once a guest has been invited, take note of the following properties:
- The guest identity’s User principal name value is formatted as emailalias_domain.com#EXT#@tenantname.onmicrosoft.com
- User type is set to Guest
- Initially, the Identities property on the Overview tab is set to tenant.onmicrosoft.com
- The invitation state is set to PendingAcceptance
See Figure 5.10 for reference.

Figure 5.10 – Newly invited guest user
Upon receiving and accepting the invitation, the recipient is prompted to read and accept certain terms and grant permissions:
- Receive profile data including name, email address, and photo
- Collect and log activity including logins, data that has been accessed, and content associated with apps and resources in the inviting tenant
- Use profile and activity data by making it available to other apps inside the organization
- Administer the guest user account

Figure 5.11 – Invitation redemption consent
After consenting, the invitation state in the Azure portal is updated from PendingAcceptance to Accepted. Additionally, depending on which identity source the guest user is authenticated against, the Identities property could be updated to one of several possible values:
- External Azure AD: An Azure AD identity from another organization
- Microsoft Account: An MSA account ID associated with Hotmail, Outlook.com, Xbox, LiveID, or other Microsoft consumer properties
- Google.com: A user identity associated with Google’s consumer products (such as Gmail) or a Google Workspace offering
- Facebook.com: A user identity authenticated by the Facebook service
- {issuer URI}: Another SAML/WS-Fed-based identity provider
Guest users can be assigned licenses, granted access to apps, and delegated administrative roles inside the inviter’s tenant.
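As an added example (not code from the original text), the following Python routine parses the #EXT# guest UPN format described above and audits a guest export for invitations that were never redeemed and for the identity source each redeemed guest authenticates against. The property names (userPrincipalName, userType, externalUserState, identities/issuer) are assumed to follow Microsoft Graph user objects, and the sample records are constructed.

```python
import re
from collections import Counter

# Guest UPN format described above: emailalias_domain.com#EXT#@tenantname.onmicrosoft.com
# The rightmost "_" before "#EXT#" splits alias from domain, so an alias that
# itself contains underscores (john_doe) still parses correctly.
GUEST_UPN_RE = re.compile(r"^(?P<alias>.+)_(?P<domain>[^_#@]+)#EXT#@(?P<tenant>[^@#]+)$")

def parse_guest_upn(upn):
    """Recover the invited e-mail address and inviting tenant; None if not a guest UPN."""
    m = GUEST_UPN_RE.match(upn)
    if not m:
        return None
    return {"email": f"{m['alias']}@{m['domain']}", "tenant": m["tenant"]}

def identity_source(issuer):
    """Map an identities[].issuer value to the categories listed above."""
    known = {"ExternalAzureAD": "External Azure AD", "MicrosoftAccount": "Microsoft Account",
             "google.com": "Google.com", "facebook.com": "Facebook.com"}
    return known.get(issuer, "SAML/WS-Fed issuer URI")  # anything else is an issuer URI

def audit_guests(users):
    """List unredeemed invitations and count redeemed guests per identity source."""
    pending, sources = [], Counter()
    for u in users:
        if u["userType"] != "Guest":
            continue  # members are out of scope for this report
        parsed = parse_guest_upn(u["userPrincipalName"])
        email = parsed["email"] if parsed else u["userPrincipalName"]
        if u["externalUserState"] == "PendingAcceptance":
            pending.append(email)  # invitation sent but never accepted
        else:
            sources[identity_source(u["identities"][0]["issuer"])] += 1
    return {"pending": pending, "by_source": dict(sources)}

# Constructed sample records shaped like Microsoft Graph user objects (assumption)
SAMPLE_USERS = [
    {"userPrincipalName": "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "Accepted", "identities": [{"issuer": "ExternalAzureAD"}]},
    {"userPrincipalName": "john_doe_gmail.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "Accepted", "identities": [{"issuer": "google.com"}]},
    {"userPrincipalName": "bob_outlook.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "identities": [{"issuer": "contoso.onmicrosoft.com"}]},
    {"userPrincipalName": "admin@contoso.onmicrosoft.com", "userType": "Member",
     "externalUserState": None, "identities": []},
]
```

Guests still listed under "pending" are invitations that were issued but never redeemed, which is the first thing to review when cleaning up external access.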