Managing guest users in Microsoft 365 is a critical task for system administrators, given the crucial role this feature plays in corporate collaboration. By adding guest users to your organization directory, you can allow partners, clients, contractors, or other stakeholders to access certain resources, data, and groups in your organization. This article provides comprehensive insights into creating and managing guest users in Microsoft 365, in alignment with the parameters of the MS-100 Microsoft 365 Identity and Services exam.
Creating Guest Users in Microsoft 365
A guest user can be invited to your organization in multiple ways, including through Azure Active Directory, the Microsoft 365 admin center, or applications such as Microsoft Teams. This section covers the most common route: Azure Active Directory.
To create a guest user:
- Sign in to the Azure portal, select Azure Active Directory, and then select Users.
- Select ‘New guest user’ under the directory menu.
- On the ‘New user’ page, enter the required information:
  - Name: The display name for the guest user.
  - Email address: The email address of the person you’re inviting as a guest user. This email will not be changed and cannot be used to create another Microsoft account.
  - Invite message: Customize your invitation message.
  - Roles: Assign the user a role. If no role is assigned, the user is a regular member.
- Select ‘Invite’ to add the user.
Managing Guest Users in Microsoft 365
Once guest users are created, administrators can define their roles and access, and update their properties.
- Updating Guest User Role: To update a guest user’s role, select the user, then assign roles under the directory role.
- Managing Guest User Access: To modify a guest user’s access to new groups or applications, click on the user’s name, and then go to the ‘Groups’ or ‘Applications’ section. From here, you can add or remove the user to/from specific groups or applications.
- Removing Guest Users: If you want to remove a guest user, select the user and click on ‘Delete’.
Note: Keep in mind that the scope of guest users’ access should be strictly controlled and limited to only those resources necessary for their organizational roles.
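The review described in the note above can be scripted. The following PowerShell is an added example, not part of the original article: it flags guest accounts whose invitation has sat unredeemed past a threshold and guests that hold a directory role. The function name, the 30-day threshold, the `AssignedRoles` field (a hypothetical column you would join in from your role assignments) and the sample records are assumptions; the other property names follow the shape of `Get-MgUser` output.

```powershell
# Added example: review guest accounts shaped like Get-MgUser output.
# Live input (assumes the Microsoft.Graph module and User.Read.All consent):
#   Get-MgUser -All -Filter "userType eq 'Guest'" -Property DisplayName,
#     UserPrincipalName,UserType,ExternalUserState,CreatedDateTime

function Get-GuestReviewFinding {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [int] $PendingDays = 30,            # assumed threshold, tune to policy
        [datetime] $Now = (Get-Date)
    )
    foreach ($u in $User) {
        if ($u.UserType -ne 'Guest') { continue }   # members are out of scope
        $finding = @()
        $age = ($Now - [datetime]$u.CreatedDateTime).Days

        # An invitation that was never redeemed grants nothing; remove it.
        if ($u.ExternalUserState -eq 'PendingAcceptance' -and $age -gt $PendingDays) {
            $finding += "invitation unredeemed for $age days"
        }
        # A guest holding a directory role exceeds the limited default scope.
        if ($u.AssignedRoles) {
            $finding += "holds role(s): $($u.AssignedRoles -join ', ')"
        }
        if ($finding) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                Findings          = $finding -join '; '
            }
        }
    }
}

# Constructed sample records (not real accounts).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'pat_example.org#EXT#@contoso.onmicrosoft.com'
        UserType = 'Guest'; ExternalUserState = 'PendingAcceptance'
        CreatedDateTime = '2024-01-10'; AssignedRoles = @() }
    [pscustomobject]@{ UserPrincipalName = 'lee_example.net#EXT#@contoso.onmicrosoft.com'
        UserType = 'Guest'; ExternalUserState = 'Accepted'
        CreatedDateTime = '2024-05-20'; AssignedRoles = @('User Administrator') }
    [pscustomobject]@{ UserPrincipalName = 'sam_example.com#EXT#@contoso.onmicrosoft.com'
        UserType = 'Guest'; ExternalUserState = 'Accepted'
        CreatedDateTime = '2024-05-01'; AssignedRoles = @() }
)
Get-GuestReviewFinding -User $sample -Now ([datetime]'2024-06-01') |
    Format-Table -AutoSize
```

With the constructed records, the first two guests are reported and the third, an accepted guest with no role, is not.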
Roles of Guest Users
Guest users typically fall into three categories in Azure AD and Microsoft 365. They are:
- Guest: The most common role, these users have limited access and typically can’t access directory information. They have access to resources for which they’ve been granted permissions.
- External User: These users were invited to access your directory via B2B collaboration and have accepted the invitation. They have access to resources for which their identities were explicitly added.
- Anonymous Guest: These users were also invited for B2B collaboration but have not yet accepted the invitation. These users have no access until their invitation is accepted.
| | Guest | External User | Anonymous Guest |
|---|---|---|---|
| Access Directory | No | Yes | No |
| Resource Access | Given permission | Explicitly added | No Access |
Overall, managing guest access is a balance between providing adequate access to resources and maintaining security and control over your organization’s data. Properly implementing and managing this feature is a prerequisite to the well-rounded skillset of an MS-100 Microsoft 365 Identity and Services exam candidate.
Practice Test
True or False: One can disable sign-in for a guest user in Microsoft
- True
- False
Answer: True
Explanation: The Microsoft 365 admin center allows the management of guest users where one can disable their ability to sign in.
Which of the following is not a method of creating guest accounts in Microsoft 365?
- a. Azure AD
- b. Microsoft Teams
- c. SharePoint Online
- d. Windows 10
Answer: d. Windows 10
Explanation: Although Microsoft 365 guest accounts can be created through Azure AD, Microsoft Teams, and SharePoint Online, they cannot be created directly from Windows
True or False: A guest user’s email address does not need to be part of the organization to be added to Microsoft
- True
- False
Answer: True
Explanation: Guest users can be added to Microsoft 365 using an email address that isn’t part of the organization, such as a Gmail address.
What do you use to add guest users manually in Microsoft 365?
- a. Azure AD
- b. Exchange Online
- c. SharePoint Online
- d. Microsoft Teams
Answer: a. Azure AD
Explanation: While all the other platforms allow for the addition of guest users, adding them manually is done through Azure Active Directory.
True or False: When a guest user is added to Microsoft 365, they immediately have access to all files and folders.
- True
- False
Answer: False
Explanation: Guest users only gain access to what is specifically shared with them. They don’t automatically have access to all files and folders.
Which of the following features are not available to guest users?
- a. View files
- b. Create files
- c. Share files
- d. Access to the admin center
Answer: d. Access to the admin center
Explanation: Guest users can view, create and share files. However, they do not have access to the Microsoft 365 admin center.
True or False: Guest user access can be limited to specific Microsoft 365 resources.
- True
- False
Answer: True
Explanation: Access for guest users can be configured to specific resources within Microsoft
Which of the following requires a license for guest users?
- a. SharePoint Online
- b. OneDrive
- c. Teams
- d. None of the above
Answer: d. None of the above
Explanation: Self-service sign-up, SharePoint Online, OneDrive and Teams all allow guest access without requiring a license.
True or False: A guest’s access can be revoked in Microsoft
- True
- False
Answer: True
Explanation: Microsoft 365 admin center provides the ability to revoke a guest’s access.
What action can be taken to limit the number of guests who can access your organization’s resources?
- a. Set an organization wide limit in Azure AD
- b. Enable guest access in Teams
- c. Share documents via OneDrive
- d. None of the above
Answer: a. Set an organization wide limit in Azure AD
Explanation: Azure AD allows an organization to limit the number of guests who can access its resources. Teams and OneDrive do not provide this feature.
Interview Questions
How can you add a guest user in Azure Active Directory?
You can add a guest user in Azure AD by going to the Azure portal. Go to Azure Active Directory, then select ‘Users’, and then click on ‘+ New guest user’.
What is the maximum number of guest users that can be added to Microsoft 365?
There is no limit to the number of guest users you can add to Microsoft 365. However, the number of guests that can participate in a single call or meeting might be limited based on the capabilities of the specific application or service used.
Which type of email account can a guest user have?
A guest user can have any type of email account. This could be a work, personal, or school email account. They do not need to have a Microsoft email account.
Is it possible to set a password for guest users on Microsoft 365?
No, guest users do not have a password set by the organization. They use their own Microsoft, work, or school account password.
Can guest users see the full directory in Microsoft 365?
By default, guest users have limited access to the directory in Microsoft 365 and can only see basic information. However, an admin can change permissions to allow them to see more.
How can you remove a guest user?
You can remove a guest user through the Microsoft 365 admin center by searching for and selecting the user, then choosing ‘Delete user’.
What permissions does a guest user have in Microsoft 365?
A guest user, by default, has limited permissions in Microsoft 365. They have access to resources shared with them but cannot independently browse directory information.
How can you change a guest user’s permissions in Microsoft 365?
The admin can change a guest user’s permissions by going to the Azure portal, selecting the guest user, and then adjusting their role or assigning them to a group with the desired permissions.
Can guest users create or delete files in Microsoft 365?
Guest users can create or delete files only if they have been given the necessary permissions by the admin or the owner of the specific file or folder.
Are guest users listed in the Microsoft 365 admin center?
Yes, guest users are listed in the Microsoft 365 admin center. They appear with ‘#EXT#’ in their usernames.
Can an organization control the access of a guest user to apps and services?
Yes, the organization can control a guest user’s access to apps and services by means of Azure AD Conditional Access policies.
How do you reset a password for a guest user in Microsoft 365?
The Microsoft 365 admin cannot reset a password for a guest user as they use their own Microsoft, work, or school account password. If a guest user forgets their password, they must reset it through their own account.
Can guest users edit their own details in Microsoft 365?
No, guest users cannot edit their own details in Microsoft 365. However, they can edit their own details from their own Microsoft, work, or school account.
Can guest users be converted into member users in Microsoft 365?
No, guest users cannot directly be converted into member users. They will need to be removed from the organization’s Azure AD and then re-invited as member users.
Can guest users access OneDrive in Microsoft 365?
Yes, guest users can access OneDrive if they have been given access to a specific file or folder within it. However, they can’t use OneDrive to store their own files or create new files.