
1. Introduction to Guest Users
Guest Users in Microsoft Entra ID are external identities that are invited into an organization’s tenant to collaborate securely with internal users. These users are commonly vendors, partners, contractors, consultants, customers, or temporary collaborators who require controlled access to organizational resources without becoming full internal employees.
Guest Users are part of Microsoft Entra Business-to-Business (B2B) collaboration. Instead of creating traditional internal accounts for outside individuals, organizations invite external users using their existing identities, such as:
- Microsoft Accounts
- Other Microsoft Entra tenants
- Gmail accounts
- Federated identities
- One-time passcode authentication accounts
A Guest User is identified in Microsoft Entra ID by the User Type "Guest", and its UserPrincipalName is formatted as: john_smith_gmail.com#EXT#@contoso.onmicrosoft.com
| Attribute | Description | Example |
|---|---|---|
| DisplayName | User’s display name | John Smith |
| UserPrincipalName | Internal Entra guest format | john_smith_gmail.com#EXT#@contoso.onmicrosoft.com |
|  | External email address | john.smith@gmail.com |
| UserType | Identifies user as Guest | Guest |
| Id | Unique Entra object ID | GUID |
| AccountEnabled | Account status | True |
| CreationType | Invitation source | Invitation |
| ExternalUserState | Invitation status | Accepted |
| ExternalUserStateChangeDateTime | Last redemption change | Date/Time |
| MailNickname | Mail alias | johnsmith |
| Identity Provider | External authentication source | Google / Microsoft |
| CompanyName | External company | Vendor Corp |
| Department | Optional department | Consulting |
| JobTitle | Optional title | Engineer |
| UsageLocation | Country/region | US |
Default Directory Restrictions
Microsoft intentionally restricts Guests from seeing directory information.
Default Guest limitations include:
| Directory Capability | Default |
|---|---|
| View All Users | Restricted |
| View Groups | Restricted |
| Read Directory Roles | Restricted |
| Browse Tenant | Restricted |
Important Security Exception
Even though Guests have minimal permissions, they are still authenticated identities. Meaning:
- They exist inside your tenant
- They consume tokens
- They can appear in logs
- They can potentially be targeted by attackers
Therefore: minimal access does not mean zero risk.
Default Guest Permissions Setting
Microsoft has a built-in setting called "Guest users have limited access to properties and memberships of directory objects". This is the recommended default.
Three Guest Permission Models
- Most Restrictive: Guests can only access explicitly assigned resources. Recommended for high-security environments.
- Limited Access (Default): Guests can see limited directory information. Most organizations use this.
- Same Access as Members: NOT recommended. Guests behave almost like internal users. High security risk.
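The permission model and the invite setting both live in the tenant's authorization policy, so they can be audited from PowerShell. The following read-only check is an added example, not code from the original article; it assumes the Microsoft Graph PowerShell SDK and the Policy.Read.All scope, and the three guestUserRoleId GUIDs are the values Microsoft documents for this setting (verify them against current documentation before relying on the mapping).

```powershell
# Added example (not from the original article): read-only check of the tenant's
# guest permission model and guest-invite setting against the recommendations above.
# Assumes the Microsoft Graph PowerShell SDK is installed and you hold Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# guestUserRoleId values documented by Microsoft for the authorization policy.
# Verify against current Microsoft documentation before relying on them.
$GuestRoleIds = @{
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Most Restrictive (recommended for high-security environments)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Limited Access (default)"
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same Access as Members (NOT recommended)"
}

# The authorization policy is a tenant-wide singleton.
$policy = Get-MgPolicyAuthorizationPolicy

$model = $GuestRoleIds[$policy.GuestUserRoleId]
if (-not $model) { $model = "Unknown role id $($policy.GuestUserRoleId)" }

[PSCustomObject]@{
    GuestPermissionModel = $model
    WhoCanInviteGuests   = $policy.AllowInvitesFrom   # none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone
}

# Flag the two settings that contradict the recommendations in this article.
if ($policy.GuestUserRoleId -eq "a0b1b346-4d3e-4e8b-98f8-753987be4970") {
    Write-Warning "Guests have the same access as members. Change to Limited or Most Restrictive."
}
if ($policy.AllowInvitesFrom -eq "everyone") {
    Write-Warning "Anyone, including guests, can invite guests. Restrict invitations to admins or approved users."
}
```

Run it periodically (for example from the quarterly audit in section 20) so that a drift back to "Same Access as Members" or to "everyone can invite" is caught rather than discovered during an incident.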
Azure RBAC Permissions
Guest Users receive NO Azure permissions unless assigned.
Example:
| Azure Resource | Default Guest Access |
|---|---|
| Subscription | None |
| Resource Group | None |
| Virtual Machine | None |
| Storage Account | None |
To grant Azure access, an Azure RBAC assignment is required, for example with New-AzRoleAssignment.
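The following is an added example of such an assignment, not code from the original article. It resolves the guest by external email address, grants Reader on a single resource group (least privilege), and then lists everything the guest holds so that over-scoped assignments stand out. The subscription ID, resource group name and vendor address are placeholders; it assumes the Az and Microsoft.Graph modules are installed.

```powershell
# Added example (not from the original article): grant a guest the least privilege
# needed on one resource group, scoped as narrowly as the task allows.
# Assumes the Az and Microsoft.Graph modules are installed; the guest address,
# resource group name and subscription ID are placeholders you replace.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome
Connect-AzAccount -Subscription "<subscription-id>"   # placeholder

# Resolve the guest by the external email address (the Mail attribute), not the #EXT# UPN.
$guest = Get-MgUser -Filter "userType eq 'Guest' and mail eq 'vendor@company.com'"
if (-not $guest) { throw "Guest not found or invitation not yet redeemed." }

# Least privilege: Reader on a single resource group, never Owner/Contributor at subscription scope.
New-AzRoleAssignment -ObjectId $guest.Id `
    -RoleDefinitionName "Reader" `
    -ResourceGroupName "rg-vendor-project"     # placeholder resource group

# Verify what the guest now holds in this subscription. Any assignment outside the
# intended resource group, or any privileged role, is a finding for the access review.
Get-AzRoleAssignment -ObjectId $guest.Id | Select-Object RoleDefinitionName, Scope
```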
Microsoft Teams Example
If invited to a Team, a Guest User can:
- Access that Team
- Access its SharePoint files
- Participate in chats/channels
But cannot:
- Access other Teams
- Browse tenant resources
- Become an admin automatically
Common Misunderstanding
Many administrators believe: Guest User = Harmless. This is incorrect.
Improperly managed Guests can become:
- Persistent attack vectors
- Overshared collaboration risks
- Shadow access identities
- Data leakage sources
Recommended Security Best Practices
| Security Control | Recommendation |
|---|---|
| MFA | Mandatory |
| Conditional Access | Mandatory |
| Least Privilege | Always |
| Access Reviews | Quarterly minimum |
| Expiration Policies | Enabled |
| Guest Restrictions | Enabled |
| Admin Roles for Guests | Avoid |
| Monitor Sign-ins | Continuous |
Best Practice Statement
Correct enterprise design: Guest Users should receive zero access by default and only gain explicitly approved access through controlled assignments.
Typical Guest User access includes:
- Microsoft Teams
- SharePoint Online
- OneDrive shared content
- Applications
- Azure resources
- Power BI
- Custom enterprise applications
Guest Users help organizations collaborate securely while maintaining identity governance and access control.
2. Guest User Architecture
The Guest User Model Includes:
| Component | Description |
|---|---|
| Home Tenant | The tenant where the external user originates |
| Resource Tenant | Your organization’s tenant hosting resources |
| Invitation Process | Process used to invite the external identity |
| Redemption Process | Guest accepts invitation and establishes trust |
| Conditional Access | Policies controlling authentication and access |
| Entitlement Management | Governance and lifecycle management |
| Access Reviews | Periodic validation of continued access |
| Cross-Tenant Access Settings | Defines trust relationships between tenants |
3. Types of Guest User Authentication
Guest Users can authenticate using:
| Authentication Method | Description |
|---|---|
| Microsoft Entra Account | External organization account |
| Microsoft Account (MSA) | Outlook.com, Hotmail.com |
| Google Federation | Gmail identities |
| One-Time Passcode | Email-based temporary authentication |
| SAML Federation | Third-party identity providers |
| Social Identity | External social accounts |
4. Benefits of Guest Users
| Benefit | Description |
|---|---|
| Secure Collaboration | Share resources safely |
| Reduced Account Sprawl | No need for internal accounts |
| External Partner Access | Vendors and consultants can collaborate |
| Centralized Governance | Manage external access centrally |
| Conditional Access Integration | Apply MFA and device controls |
| Lifecycle Management | Automate onboarding/offboarding |
| Auditability | Track all external access |
5. Licensing Requirements
| Feature | License Requirement |
|---|---|
| Basic B2B Collaboration | Free |
| Conditional Access | Microsoft Entra ID P1 |
| Access Reviews | Microsoft Entra ID P2 |
| Entitlement Management | Microsoft Entra ID P2 |
| Identity Governance | Microsoft Entra Suite / P2 |
Microsoft uses a Monthly Active User (MAU) Billing Model for External Identities.
6. Guest User Configuration Using Microsoft Entra Portal
Step 1 – Open Microsoft Entra Admin Center
Navigate to: https://entra.microsoft.com
Step 2 – Navigate to Users
Go to: Identity > Users > All Users
Step 3 – Create Guest User
Select: New User > Invite External User
Step 4 – Configure Guest Information
Provide:
| Setting | Example |
|---|---|
| Email Address | vendor@company.com |
| Display Name | Vendor Support |
| Message | Welcome message |
| Groups | Optional assignment |
| Roles | Optional roles |
Step 5 – Send Invitation
Select: Invite
The external user receives an invitation email.
7. Guest User Redemption Process
The invited user:
1. Receives the invitation email
2. Clicks the acceptance link
3. Authenticates with their external identity
4. Accepts the permissions
5. Gains access to the assigned resources
After redemption: ExternalUserState = Accepted
8. Configure Guest Access Restrictions
Navigate to: Identity > External Identities > External Collaboration Settings
Key settings include:
| Setting | Recommendation |
|---|---|
| Guest invite restrictions | Limit to admins or approved users |
| Guest permissions | Restrict directory visibility |
| Collaboration restrictions | Allow only approved domains |
| Self-service sign-up | Disable unless required |
9. Configure Guest Users Using PowerShell
Install the Microsoft Graph module:
```powershell
Install-Module Microsoft.Graph -Force
```
Connect (User.Invite.All covers the invitation; User.ReadWrite.All is needed for the list and remove commands below):
```powershell
Connect-MgGraph -Scopes "User.Invite.All","User.ReadWrite.All"
```
Invite a Guest User:
```powershell
$params = @{
    InvitedUserEmailAddress = "vendor@company.com"
    InviteRedirectUrl       = "https://myapplications.microsoft.com"
    SendInvitationMessage   = $true
    InvitedUserDisplayName  = "Vendor Support"
}
New-MgInvitation -BodyParameter $params
```
View Guest Users:
```powershell
Get-MgUser -Filter "userType eq 'Guest'" -All
```
Remove a Guest User (-UserId accepts the object ID or the UserPrincipalName; for a Guest the UPN is the #EXT# form shown in section 1, not the external email address):
```powershell
Remove-MgUser -UserId "john_smith_gmail.com#EXT#@contoso.onmicrosoft.com"
```
10. Managing Guest Users
Guest User management includes:
| Management Area | Description |
|---|---|
| Access Control | Limit permissions |
| Group Membership | Control access via groups |
| Role Assignment | Avoid privileged assignments |
| Lifecycle Monitoring | Remove stale accounts |
| Access Reviews | Validate necessity |
| Sign-In Monitoring | Audit external activity |
11. Group-Based Guest User Management
Best practice is to assign Guest Users to groups rather than directly to resources.
Example:
| Group | Purpose |
|---|---|
| External-Vendors | Vendor collaboration |
| External-Consultants | Consultant access |
| Partner-Teams | Partner project collaboration |
Benefits:
- Easier auditing
- Simplified removal
- Centralized permissions
- Reduced configuration errors
12. Dynamic Groups for Guest Users
Example dynamic membership rule:
```
(user.userType -eq "Guest")
```
Useful for:
- Conditional Access
- Monitoring
- Reporting
- Governance
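The following is an added example, not code from the original article, that creates a dynamic security group from the rule above and then checks that its membership matches the number of Guests in the tenant. It assumes the Group.ReadWrite.All and User.Read.All scopes and a Microsoft Entra ID P1 license (required for dynamic membership); the group name and mail nickname are placeholders.

```powershell
# Added example (not from the original article): create a dynamic security group that
# contains every Guest, using the membership rule shown above, then sanity-check it.
# Assumes Group.ReadWrite.All and User.Read.All; dynamic membership needs Entra ID P1.
# Group name and mail nickname are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All" -NoWelcome

$group = New-MgGroup -DisplayName "SG-All-Guests" `
    -Description "Dynamic group of all B2B guests; target of Conditional Access, monitoring and access reviews" `
    -MailEnabled:$false -MailNickname "sg-all-guests" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

"Created group $($group.DisplayName) ($($group.Id))"

# Membership is evaluated asynchronously by the directory; give it a few minutes,
# then compare the group size to the count of Guests. A mismatch means processing
# is still running or the rule was pasted incorrectly.
Start-Sleep -Seconds 300
$guestCount  = (Get-MgUser -Filter "userType eq 'Guest'" -All).Count
$memberCount = (Get-MgGroupMember -GroupId $group.Id -All).Count
"Guests in tenant: $guestCount; members in group: $memberCount"
if ($memberCount -ne $guestCount) {
    Write-Warning "Dynamic membership does not yet match the guest count; re-check before using the group in policy."
}
```

Because membership is computed from userType rather than maintained by hand, a newly invited guest is covered by any Conditional Access policy or access review targeting this group without any administrator action.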
13. Conditional Access for Guest Users
Conditional Access is critical for securing Guest Users.
Recommended policies:
| Policy | Recommendation |
|---|---|
| MFA Enforcement | Required |
| Block Legacy Authentication | Required |
| Country Restrictions | Restrict risky regions |
| Risk-Based Policies | Enable |
| Device Compliance | Require where possible |
| Session Controls | Apply sign-in frequency |
Example policy targets:
- Include: Guest or External Users
- Exclude: Emergency Access Accounts
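As an added example (not code from the original article), the policy targets above can be expressed as a Conditional Access policy created with the Microsoft Graph PowerShell SDK. It requires MFA for every guest and external user type, excludes the emergency access account, and is created in report-only mode so that its effect can be checked in the sign-in logs before it is enforced. It assumes the Policy.ReadWrite.ConditionalAccess and Policy.Read.All scopes; the emergency-access object ID and the policy name are placeholders.

```powershell
# Added example (not from the original article): a Conditional Access policy requiring MFA
# for all guest and external users, created in report-only mode for review before enforcement.
# Assumes Policy.ReadWrite.ConditionalAccess and Policy.Read.All.
# The emergency-access account object ID and the policy name are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

$breakGlassId = "<object-id-of-emergency-access-account>"   # placeholder; excluded as the article recommends

$params = @{
    DisplayName = "CA-Guests-Require-MFA"
    State       = "enabledForReportingButNotEnforced"          # switch to "enabled" after reviewing report-only results
    Conditions  = @{
        ClientAppTypes = @("all")
        Applications   = @{ IncludeApplications = @("All") }
        Users          = @{
            # Target every external user type from every external tenant, not just B2B guests.
            IncludeGuestsOrExternalUsers = @{
                GuestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider"
                ExternalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    MembershipKind = "all"
                }
            }
            ExcludeUsers = @($breakGlassId)
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Blocking legacy authentication, restricting locations and applying sign-in frequency are separate policies with the same user targeting; keeping one control per policy makes report-only results easier to interpret.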
14. Multi-Factor Authentication for Guest Users
Always require MFA for Guest Users.
Recommended approaches:
| Method | Recommendation |
|---|---|
| Trusted MFA from External Tenant | Preferred |
| Native MFA in Resource Tenant | Alternative |
| Authentication Strength Policies | Strongly recommended |
Authentication Strength example: Phishing-Resistant MFA
15. Guest User Security Best Practices
- Least privilege access: grant only the minimum required permissions.
- Avoid permanent access: use temporary or time-bound access.
- Enforce MFA: require MFA for every Guest User.
- Restrict directory visibility: prevent Guests from enumerating users and groups.
- Use access reviews: regularly validate active Guest Users.
- Monitor sign-in activity: review unusual login patterns.
- Block legacy authentication: disable older, insecure protocols.
- Restrict Guest invitations: only authorized personnel should invite Guests.
- Use named locations: restrict risky geographies.
- Apply session controls: limit persistent sessions.
- Use Entitlement Management: automate approvals and expirations.
16. Cross-Tenant Access Settings
Cross-Tenant Access enables trusted collaboration between organizations.
Navigate to: Identity > External Identities > Cross-tenant Access Settings
Configuration areas:
| Area | Description |
|---|---|
| Inbound Access | External users accessing your tenant |
| Outbound Access | Your users accessing external tenants |
| Trust Settings | MFA/device trust |
| Organization Settings | Per-partner configuration |
17. Guest User Governance
Governance Includes:
| Governance Control | Purpose |
|---|---|
| Access Reviews | Validate access |
| Expiration Policies | Auto-remove stale accounts |
| Entitlement Management | Approval workflows |
| Audit Logs | Track activity |
| Lifecycle Workflows | Automate onboarding/offboarding |
18. Access Reviews for Guest Users
Recommended Review Frequency:
| User Type | Frequency |
|---|---|
| Vendors | Quarterly |
| Contractors | Monthly |
| Partners | Quarterly |
| Temporary Users | Weekly |
Access Reviews help:
- Remove inactive accounts
- Reduce attack surface
- Maintain compliance
- Validate business need
19. Entitlement Management
Entitlement Management automates:
- Access requests
- Approval workflows
- Expiration dates
- Resource assignment
- Re-certification
Example access package:
| Resource | Access |
|---|---|
| Teams Site | Member |
| SharePoint | Read |
| App Access | User Role |
20. Ongoing Management of Guest User Accounts
Ongoing management is one of the most important areas of external identity security.
Daily Tasks
| Task | Purpose |
|---|---|
| Monitor sign-ins | Detect suspicious activity |
| Review alerts | Investigate risky users |
| Audit failed logins | Detect attacks |
Weekly Tasks
| Task | Purpose |
|---|---|
| Review inactive Guests | Remove stale accounts |
| Validate group memberships | Remove unnecessary access |
| Review Conditional Access logs | Ensure policy enforcement |
Monthly Tasks
| Task | Purpose |
|---|---|
| Perform access reviews | Validate necessity |
| Review privileged Guests | Remove elevated access |
| Validate MFA compliance | Ensure secure authentication |
Quarterly Tasks
| Task | Purpose |
|---|---|
| Full Guest User audit | Governance validation |
| Review cross-tenant trusts | Confirm business need |
| Review external domains | Remove obsolete partners |
21. Monitoring and Auditing Guest Users
Monitoring location: Microsoft Entra Admin Center > Monitoring > Sign-in Logs
Important monitoring fields:
| Field | Description |
|---|---|
| User Type | Guest |
| Authentication Requirement | MFA status |
| Conditional Access | Policy results |
| Risk Level | Identity Protection |
| Location | Geographic source |
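The same fields can be pulled from the sign-in logs with PowerShell for the daily review in section 20. The following is an added example, not code from the original article. It uses the Microsoft.Graph.Beta module because the userType and authenticationRequirement fields are exposed on the beta signIn resource; it assumes the AuditLog.Read.All and Directory.Read.All scopes, and the seven-day window is a chosen value.

```powershell
# Added example (not from the original article): review the last 7 days of guest sign-ins
# and surface the fields the article lists: MFA requirement, Conditional Access result,
# risk level and location. Uses Microsoft.Graph.Beta because userType and
# authenticationRequirement are beta properties of the signIn resource.
# Assumes AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Filter by date server-side; keep only guests client-side. A second check on the
# #EXT# UPN form catches entries where userType is not populated.
$guestSignIns = Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.UserType -eq "guest" -or $_.UserPrincipalName -like "*#EXT#*" }

"Failed sign-ins per guest (a spike on one account suggests a password spray or brute force):"
$guestSignIns | Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object UserPrincipalName | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

"Successful guest sign-ins that were NOT challenged for MFA (a Conditional Access coverage gap):"
$guestSignIns | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.AuthenticationRequirement -ne "multiFactorAuthentication" } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ConditionalAccessStatus,
        @{ n = "Country"; e = { $_.Location.CountryOrRegion } }

"Guest sign-ins flagged by Identity Protection (investigate each one):"
$guestSignIns | Where-Object { $_.RiskLevelDuringSignIn -notin @("none","hidden") } |
    Select-Object CreatedDateTime, UserPrincipalName, RiskLevelDuringSignIn, RiskState, IPAddress
```

The second list is the most useful one after a new MFA policy is rolled out: while the policy is in report-only mode it should shrink to zero before the policy is switched to enforced.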
22. Common Security Risks with Guest Users
| Risk | Mitigation |
|---|---|
| Orphaned Guest Accounts | Access reviews |
| Excessive Permissions | Least privilege |
| No MFA | Mandatory MFA |
| Old External Relationships | Quarterly reviews |
| Shared Accounts | Prohibit usage |
| Persistent Access | Use expiration policies |
23. Recommended Guest User Design Model
Recommended Architecture:
Guest User
↓
Assigned to Security Group
↓
Conditional Access Policies Applied
↓
MFA Enforcement
↓
Least Privilege Access
↓
Access Reviews
↓
Automatic Expiration
24. Guest User Lifecycle
| Phase | Description |
|---|---|
| Invitation | Guest account created |
| Redemption | User accepts invitation |
| Access Assignment | Groups/apps assigned |
| Monitoring | Activity monitored |
| Review | Access validated |
| Expiration | Access removed |
| Deletion | Account removed |
25. Guest User Cleanup Best Practices
Remove Guest Users when:
- The project ends
- The vendor contract expires
- The user has been inactive for a long period
- There are no recent sign-ins
- Access is no longer required
Example PowerShell cleanup query (lists every Guest as the starting point for review):
```powershell
Get-MgUser -Filter "userType eq 'Guest'" -All
```
Inactive sign-in analysis (sign-in log entries since a chosen date; compare against the Guest list to find accounts with no recent activity):
```powershell
Get-MgAuditLogSignIn -Filter "createdDateTime ge 2025-01-01T00:00:00Z" -All
```
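Combining the two queries into one stale-guest report is the step a practitioner actually needs. The following is an added example, not code from the original article. Instead of walking the sign-in log it reads each guest's signInActivity property, which records the last sign-in without a date-bounded log search; that property needs the AuditLog.Read.All scope and a Microsoft Entra ID P1 license. The 90-day and 30-day thresholds are chosen values, and nothing is deleted: the final line runs Remove-MgUser with -WhatIf so the list can be reviewed first.

```powershell
# Added example (not from the original article): report guests that are stale because the
# invitation was never redeemed or because there has been no sign-in for a chosen period.
# Assumes User.ReadWrite.All and AuditLog.Read.All; signInActivity requires Entra ID P1.
# Thresholds are chosen values; deletion is shown with -WhatIf only.
function Get-StaleGuest {
    param(
        [int]$InactiveDays = 90,   # no sign-in for this long counts as inactive
        [int]$PendingDays  = 30    # unredeemed invitations older than this are stale
    )
    $now           = (Get-Date).ToUniversalTime()
    $inactiveCutoff = $now.AddDays(-$InactiveDays)
    $pendingCutoff  = $now.AddDays(-$PendingDays)

    Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id,DisplayName,Mail,UserPrincipalName,CreatedDateTime,ExternalUserState,SignInActivity |
    ForEach-Object {
        $last   = $_.SignInActivity.LastSignInDateTime
        $reason = $null
        if ($_.ExternalUserState -ne "Accepted" -and $_.CreatedDateTime -lt $pendingCutoff) {
            $reason = "Invitation not redeemed within $PendingDays days"
        } elseif (-not $last -and $_.CreatedDateTime -lt $inactiveCutoff) {
            $reason = "Never signed in"
        } elseif ($last -and $last -lt $inactiveCutoff) {
            $reason = "No sign-in since $($last.ToString('yyyy-MM-dd'))"
        }
        if ($reason) {
            [PSCustomObject]@{
                Id          = $_.Id
                DisplayName = $_.DisplayName
                Mail        = $_.Mail
                Created     = $_.CreatedDateTime
                LastSignIn  = $last
                Reason      = $reason
            }
        }
    }
}

Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All" -NoWelcome

$stale = Get-StaleGuest -InactiveDays 90 -PendingDays 30
$stale | Format-Table DisplayName, Mail, LastSignIn, Reason -AutoSize

# After the list has been reviewed, drop -WhatIf to delete. Deleted users stay in the
# recycle bin for 30 days, so an accidental removal can be restored.
$stale | ForEach-Object { Remove-MgUser -UserId $_.Id -WhatIf }
```

Export the report to the access-review owner before deleting anything; the "never signed in" category in particular often contains guests who were invited for a project that has not started yet.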
26. Do’s and Don’ts
| Do | Don’t |
|---|---|
| Require MFA | Allow password-only access |
| Use groups | Assign direct permissions everywhere |
| Perform reviews | Ignore stale accounts |
| Use Conditional Access | Allow unrestricted access |
| Automate lifecycle | Manage manually at scale |
| Restrict invitations | Allow everyone to invite Guests |
27. Real-World Use Cases
| Use Case | Example |
|---|---|
| Vendor Collaboration | External IT support |
| Partner Projects | Joint development |
| Consultants | Temporary business access |
| Mergers and Acquisitions | Cross-company access |
| Customer Portals | Shared applications |
28. Recommended Enterprise Security Baseline
| Security Control | Recommendation |
|---|---|
| MFA | Mandatory |
| Conditional Access | Mandatory |
| Legacy Auth | Block |
| Access Reviews | Quarterly minimum |
| Guest Expiration | Enabled |
| Risk Policies | Enabled |
| Privileged Guest Access | Avoid if possible |
| Monitoring | Continuous |
29. Conclusion
Guest Users are a critical component of secure enterprise collaboration in Microsoft Entra ID. Proper configuration, governance, and continuous monitoring are essential to prevent external identities from becoming a major attack surface.
A mature Guest User strategy should include:
- Strong authentication
- Least privilege access
- Conditional Access enforcement
- Lifecycle automation
- Continuous auditing
- Access reviews
- Expiration controls
- Centralized governance
Organizations that properly manage Guest Users significantly reduce security risk while enabling efficient and secure collaboration with external partners and vendors.