Guest users are special accounts that have limited rights in the Azure AD environment. In most contexts, guest users are synonymous with Azure Business-to-Business (B2B) identities, so that is the reference point used in this discussion.
Azure B2B guest accounts are generally created through an invitation process, such as inviting someone from an external organization to participate in a Microsoft SharePoint site, collaborate on a document in OneDrive, or access files in a Teams channel. When an invitation is sent, an identity object is created in the inviting organization’s Azure AD tenant and an invitation email is sent to the external recipient. After the recipient clicks on the link in the invitation email, the recipient is directed to an Azure AD sign-in flow that prompts them to enter credentials corresponding to their own identity source, whether that’s another Azure AD or Microsoft 365 tenant, a consumer account (such as Microsoft, Google, or Facebook), or another third-party issuer that uses a SAML/WS-Fed-based identity provider. The process of the recipient accepting the invitation is called redemption.
More About Guests
While guests are typically part of an invitation process, with the new Azure AD cross-tenant synchronization feature (currently in preview), you can automate the provisioning of guest objects between trusted tenants like you would with your own directory synchronization. Microsoft recommends this feature only for Azure AD tenants that belong to the same organization. For more information on the new cross-tenant sync feature, see https://learn.microsoft.com/en-us/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.
While guest users can be viewed and edited in the Microsoft 365 admin center, they can only be provisioned through the Azure AD portal.
Clicking Add a guest user, as shown in Figure 2.7, in the Microsoft 365 admin center transfers you to the Azure AD portal to complete the invitation process:
Figure 2.7 – Guest users administration in Microsoft 365 admin center
After either logging into the Azure AD portal or being redirected there from the Microsoft 365 admin portal, you can begin the process of inviting guests. To invite a new guest user from the Azure AD portal, click New user and then select Invite external user. See Figure 2.8:
Figure 2.8 – Inviting a new guest user
The user interface elements for inviting a guest user are very similar to those for creating a new cloud user. The main differences are in the selection of the template and, in the case of a guest user, you have the opportunity to supply message content (which will be included as part of the email invitation sent). See Figure 2.9:
Figure 2.9 – Configuring the guest invitation
Once a guest has been invited, take note of the properties:
• The guest identity’s User principal name value is formatted as emailalias_domain.com#EXT#@tenantname.onmicrosoft.com.
• The user type is set to Guest.
• Initially, the Identities property is set to tenant.onmicrosoft.com.
• The invitation state is set to PendingAcceptance.
See Figure 2.10 for reference:
Figure 2.10 – Newly invited guest user
Upon receiving and accepting the invitation, the recipient is prompted to read and accept certain terms and grant permissions:
• Receive profile data including name, email address, and photo
• Collect and log activity including logins, data that has been accessed, and content associated with apps and resources in the inviting tenant
• Use profile and activity data by making it available to other apps inside the organization
• Administer the guest user account
See Figure 2.11 for reference:
Figure 2.11 – Invitation redemption consent
After consenting, the invitation state in the Azure portal is updated from PendingAcceptance to Accepted. Additionally, depending on what identity source the guest user is authenticated against, the Identities property could be updated to one of several possible values:
• External Azure AD: Azure AD identity from another organization
• Microsoft Account: The Microsoft Account (MSA) ID associated with Hotmail, Outlook.com, Xbox, LiveID, or other Microsoft consumer properties
• Google.com: A user identity associated with Google’s consumer products (such as Gmail) or a Google Workspace offering
• Facebook.com: A user identity authenticated by the Facebook service
• {issuer URI}: Another SAML/WS-Fed-based identity provider
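Tying together the guest properties described above (the #EXT# UPN format, the PendingAcceptance/Accepted invitation state, and the Identities values), the following is an added Python example, not code from the book, that builds and decodes a guest UPN and audits a constructed Graph-style user export for unredeemed invitations and identity sources. Field names follow Microsoft Graph's user resource; the issuer strings mapped to the portal labels are assumptions, as is the sample data.

```python
"""Audit Azure AD B2B guests exported as Graph-style user objects.
Added example with constructed records; identities[].issuer values assumed."""
import json

GUEST_MARKER = "#EXT#@"
ISSUER_LABELS = {"ExternalAzureAD": "External Azure AD", "google.com": "Google.com",
                 "MicrosoftAccount": "Microsoft Account", "facebook.com": "Facebook.com"}

def guest_upn(email: str, tenant: str) -> str:
    """UPN Azure AD assigns an invitee: '@' becomes '_', then '#EXT#@tenant'."""
    alias, domain = email.rsplit("@", 1)
    return f"{alias}_{domain}{GUEST_MARKER}{tenant}.onmicrosoft.com"

def external_email(upn: str):
    """Recover the invited address from a guest UPN (None for member UPNs).
    Domains cannot contain '_', so the last '_' before #EXT# was the '@'."""
    if GUEST_MARKER not in upn:
        return None
    alias, domain = upn.split(GUEST_MARKER, 1)[0].rsplit("_", 1)
    return f"{alias}@{domain}"

def identity_source(user: dict) -> str:
    """Portal label for the provider the guest redeemed with (issuer values assumed)."""
    for ident in user.get("identities", []):
        issuer = ident.get("issuer", "")
        if issuer.endswith(".onmicrosoft.com"):
            continue                 # inviting tenant's pre-redemption entry
        return ISSUER_LABELS.get(issuer, issuer)   # unknown -> raw issuer URI
    return "not yet redeemed"

def audit_guests(users: list) -> dict:
    """Unredeemed invitations are standing access grants worth reviewing;
    redeemed guests are listed with the provider that authenticates them."""
    report = {"pending": [], "redeemed": {}}
    for u in users:
        if u.get("userType") != "Guest":
            continue
        email = external_email(u["userPrincipalName"])
        if u.get("externalUserState") == "PendingAcceptance":
            report["pending"].append(email)
        else:
            report["redeemed"][email] = identity_source(u)
    return report

SAMPLE_USERS = json.loads("""[
 {"userPrincipalName": "jane.doe_fabrikam.com#EXT#@contoso.onmicrosoft.com",
  "userType": "Guest", "externalUserState": "Accepted", "identities": [{"issuer": "ExternalAzureAD"}]},
 {"userPrincipalName": "bob_smith_gmail.com#EXT#@contoso.onmicrosoft.com",
  "userType": "Guest", "externalUserState": "PendingAcceptance", "identities": [{"issuer": "contoso.onmicrosoft.com"}]},
 {"userPrincipalName": "alice@contoso.com", "userType": "Member"}
]""")  # constructed export, not real tenant data
```

Running `audit_guests(SAMPLE_USERS)` reports bob_smith@gmail.com as a pending invitation and jane.doe@fabrikam.com as redeemed via External Azure AD.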
Guest users can be assigned licenses, granted access to apps, and delegated administrative roles inside the inviter’s tenant.