Azure AD guest users and how to manage them?

B2B collaboration overview - Azure AD | Microsoft Docs

Well this is true for the digital society. Before it was your passwords you had to keep safe. Now the password doesn’t make a huge difference as it should be only the first stage of sign-in process and second would be a device you own, something you are or other evidence that your really are the one making the logon.

Your identity

If you have an email address, you already have a way of proving who you are and if you had two-factor authentication to that account, you will have a secure way of telling that it’s really you.

When you have this side secured with what ever provider you want to use. You could be using others services with that identity example Azure. Microsoft offers Azure B2B or B2C capabilities for external business or consumer users, you can be allowed to access external resources based on invite or creation

I will not be covering the B2C side of external identities, at least not now.

External user sign-in flow

When a user is invited or created to the organization as a Guest, they will be welcomed with the following process.

If you are a guest user with invite you will state 1 or 2, depending on what kind of account you have. In this diagram it shows that you have to have MS Account or External Azure AD account but you don’t.

You can use what ever email address you have and that was approved by the organization that allows you to access their resources.

How to invite a guest

When organization invites you the process is really simple from Azure AD perspective.

Admin adds your email and welcome message if needed, nothing else.

And admin will see user as invited in Azure AD

How guest is seeing the process

And you will an email invite for this email address.

When you accept the invite you will be asked for a consent.

When you accept you will be re-directed to

And the organizational admin will see that you have accepted the invite and can reset the invitation status and require the guest to do the consent again.

Microsoft has verifiable credentials in preview. With verifiable credentials you can use your passport, driving license, school certificate or what ever evidence the organization requires to be provided, kinda excellent feature and I will be covering this one in my next posts.

What to do when I have the guest inside my directory?

This user has a same kind of identity that all the other users. You can add the account to a group and assign permissions, policies, roles licenses to it.

Adding guest users to Dynamic Microsoft 365 Group.

Add a dynamic query for guest. This is a simple query but you could use very complex multi-layered queries against the user attributes, see Microsoft for reference

You can add expiration for the group, minimum 30 days.

Now you could be using let’s say Conditional Access to force policies to this group.

And the external guest can remove himself from the organization by going to and selecting “leave organization”

Last but not least

So that’s it, with these instructions you could allow external guest users to your organization. The only downside with this and also Entitlement management is that your really cannot remove the external users from your directory.

Edit 11.10.2021: Access reviews can do user removal thru dynamic groups. Either from the existing Microsoft 365 groups or thru a Dynamic User filtered External Guests users group. I will cover this on the next posts.

You can remove the users from a group and disallow them to access a resource it’s mapped to but you cannot remove the users automatically when they don’t need the access anymore.

For this one you should be using an external Identity and Access Management governance solution that can automate user invites, modification or removals.

Some examples of the ones I have experience with.

That’s a wrap for this post.

KEEP CALM AND PROTECT YOUR IDENTITY - Keep Calm and Posters Generator,  Maker For Free -
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *