A guest user is a user who is outside of the organization: a vendor, contract worker, company partner, or friend or family member, identified by the universal identity of an email address. We can literally invite any email address on this planet. Guest users added to a group need not install any app or client; they can use their preferred email app or browser.
A guest user can work with files just as an internal user does, and all SharePoint policies apply to them as well.
Any email address can be added as an external/guest user. The added user is created in Azure Active Directory (Azure AD B2B), which is used for guest user access. Guests can work seamlessly with Microsoft apps and services such as Microsoft Teams, OneDrive for Business and SharePoint, which also use AAD as their identity platform.
Based on the policies defined by the IT admin, one can add a guest user to a group. It is just like adding a new member to a group; while adding an external user, an info message pops up saying you are adding an external user. Once the user is added, they get a welcome email saying they "have been added to the group", with all the information they need to collaborate with the group.
The welcome email also contains an "Access file link" which takes the user to the sign-in page. Gmail users need to follow a two-step process (create a Microsoft account and password); Outlook/O365 users can use their existing credentials.
With every conversation there is a footer containing all the information a user needs to collaborate, such as leaving the group, learning more about O365, or accessing group files.
We can identify the guests (external users) in the organization and in groups by the globe icon, and by using the guest filter in Outlook Web, which filters the guest users in that group.
How can IT Admin control/manage guest access?
There are four levels of policy to control guest access.
1. Guest inviter role:
The admin can assign the guest inviter role to a set of people. Only those people will be able to add a guest user in that tenant, and membership in that set can be based on job designation, job title or any other property in the directory.
PowerShell script to assign the guest inviter role (the role object id below is the Guest Inviter role):
Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress <RoleMemberEmailAddress>
More detail: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations
2. Group level policy: The admin can configure the "allow to add guests" setting for each group individually, so guest additions can be enabled or disabled per group.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-settings-cmdlets#update-settings-for-a-specific-group
3. Allow/block list: The admin can specify a list of domains as allowed or blocked. With an allow list, people can invite guests only from those domains; with a block list, guests from those domains are refused.
Reference: https://technet.microsoft.com/library/a86bb46f-0e5b-43a3-b6ef-7394f344a8da
PowerShell scripts to alter the allow/block list:
– Create/replace allow list:
Set-GuestAllowBlockDomainPolicy.ps1 -Update -AllowList @("contoso.com", "fabrikam.com")
– Create/replace block list:
Set-GuestAllowBlockDomainPolicy.ps1 -Update -BlockList @("contoso.com", "fabrikam.com")
– Add more domains:
Set-GuestAllowBlockDomainPolicy.ps1 -Append -AllowList @("contoso.com")
Set-GuestAllowBlockDomainPolicy.ps1 -Append -BlockList @("contoso.com")
– Migrate from SharePoint Online:
Set-GuestAllowBlockDomainPolicy.ps1 -MigrateFromSharepoint
– Clear list:
Set-GuestAllowBlockDomainPolicy.ps1 -Remove
Required: go to "Script for Allow/Block policy" at the Microsoft Download Center to download the script (Set-GuestAllowBlockDomainPolicy.ps1) for the Allow/Block policy.
4. IT managed: only IT admins will be able to add guests.
All these policies are at the AAD B2B level (Teams, Planner and Project inherit these policies) and can be customized based on one's business needs to manage guest access in groups.
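An added example (not part of the original notes) showing how an admin can audit the first two policy levels above and then restrict a single group. It assumes the MSOnline and AzureADPreview modules are installed, that Connect-MsolService and Connect-AzureAD have already been run with an account allowed to read roles, groups and settings, and that the group name "Finance Planning" is a placeholder.

```powershell
# Added example, not from the original notes. Assumes Connect-MsolService and
# Connect-AzureAD have already been run; "Finance Planning" is a placeholder group name.
$GuestInviterRoleId = "95e79109-95c0-4d8e-aee3-d01accf2d47b"   # Guest Inviter role id from the notes

# Policy level 1: who can invite guests? Review this list regularly; each member can
# bring any outside email address into the tenant.
Write-Host "Guest Inviter role members:"
Get-MsolRoleMember -RoleObjectId $GuestInviterRoleId |
    Select-Object DisplayName, EmailAddress, RoleMemberType |
    Format-Table -AutoSize

# Inventory of guest accounts already in the tenant, newest first, so unexpected
# invitations stand out.
Write-Host "Guest users in the tenant:"
Get-MsolUser -All |
    Where-Object { $_.UserType -eq "Guest" } |
    Select-Object DisplayName, UserPrincipalName, WhenCreated |
    Sort-Object WhenCreated -Descending |
    Format-Table -AutoSize

# Policy level 2: read the per-group Group.Unified.Guest setting. If no setting object
# exists, the group simply inherits the tenant-wide default.
$TargetGroupName = "Finance Planning"   # placeholder
$group = Get-AzureADGroup -SearchString $TargetGroupName | Select-Object -First 1
$groupSetting = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
    Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
if ($groupSetting) {
    $allow = ($groupSetting.Values | Where-Object { $_.Name -eq "AllowToAddGuests" }).Value
    Write-Host "Group '$($group.DisplayName)' AllowToAddGuests = $allow"
} else {
    Write-Host "Group '$($group.DisplayName)' has no per-group setting; tenant default applies"
}

# Disable guest additions for this one group only (the per-group enable/disable control
# in the notes). Other groups keep whatever they had.
if (-not $groupSetting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }
    $newSetting = $template.CreateDirectorySetting()
    $newSetting["AllowToAddGuests"] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId -DirectorySetting $newSetting
} else {
    $groupSetting["AllowToAddGuests"] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId -Id $groupSetting.Id -DirectorySetting $groupSetting
}
```

Disabling the per-group setting blocks new guest additions; guests who are already members of the group stay until they are removed.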
Advanced Policies:
Guest expiry: when a guest user is invited into an organization for a designated task for a limited time, the admin can set up a guest user expiry policy that requires group owners to review the membership periodically; the review period can be customized. Based on the period set, the group owner is sent a notification email to extend or decline the membership, or they can ignore it.
Audit logs: every guest invitation, every guest access to a resource and every guest sign-in is tracked at the Azure B2B level. All of this data is available at portal.azure.com, and guest user sign-in can also be disabled based on the number of sign-ins.
[Figures: guest user expiry flow; guest user audit log data in AAD]