Guest Users (aka B2B Users)

These are users that are added as ‘Guest’ users in your AAD tenant. Some external users (e.g. vendors) are truly B2B users. For example, you may have a SaaS app that is maintained by your vendor. You may want to add some of the vendor’s users (e.g. [email protected]) as authorized users for your AAD Enterprise App. This is typically done to test out sandboxes and production cutovers.

Read this Microsoft doc to understand the difference between access at a Service level and the AAD level.

Access to O365 Apps

Access to O365 apps (for guest users) is controlled at two levels. The first level is the service itself (e.g. SharePoint Online), which can be set to let in ANYONE (bad practice) or invited guest users only.

In addition to this level, guest user access can be controlled at the AAD level itself (the tenant-wide collaboration setting for guest users). This is a radio button option.

This AAD control OVERRIDES anything at the O365 level (e.g. Sharepoint Online Level).

The things to watch out for here are:

  • a) These users are automatically part of the AAD tenant (not of a particular app).
  • b) These guest users will automatically get access to SharePoint Online and other O365 services unless explicitly denied at the O365 service itself. Most O365 services have a radio button option (allow guest users, allow internal users only, allow everyone…), so this is controlled at the individual SaaS level. SharePoint Online (each site within SharePoint Online) and OneDrive (each drive within OneDrive) all have their own radio button option for whether to let in guest users or not.
  • c) Guest users (added to a group such as Guest_AAD) can then be associated with an enterprise app fairly easily.
  • d) Deep link testing – YOURTENANTNAME.sharepoint.com – ensure that your guest users cannot get to the direct link of the service.
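The following audit script is an added example (not code from the original post) that checks the two control levels described above: it lists the guest users that exist at the AAD level, then reads the tenant-wide and per-site SharePoint Online / OneDrive sharing setting (the "radio button") so you can see which sites would let those guests in. It assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules are installed, that you have already run Connect-MgGraph and Connect-SPOService, and YOURTENANTNAME is a placeholder for your tenant name.

```powershell
# Assumed prerequisites (not part of the original post):
#   Connect-MgGraph -Scopes "User.Read.All"
#   Connect-SPOService -Url https://YOURTENANTNAME-admin.sharepoint.com   # placeholder tenant

# 1) AAD level: every guest in the tenant, regardless of which app they were invited for.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,UserPrincipalName,Mail,CreatedDateTime
"Guest users in the AAD tenant: $($guests.Count)"
$guests | Select-Object DisplayName, Mail, CreatedDateTime | Format-Table -AutoSize

# 2) Service level, tenant-wide: the default SharePoint Online / OneDrive sharing setting.
#    'ExternalUserAndGuestSharing' means 'Anyone' links (unauthenticated sharing) are allowed.
$tenant = Get-SPOTenant
"Tenant SharingCapability: $($tenant.SharingCapability)"
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning "Tenant default allows 'Anyone' links; guests and non-guests can be let in."
}

# 3) Service level, per site (including personal OneDrive sites): each site carries its own
#    SharingCapability. List every site that is not fully closed to external users.
$openSites = Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $_.SharingCapability -ne 'Disabled' }
"Sites that admit external/guest users: $($openSites.Count)"
$openSites | Select-Object Url, SharingCapability |
    Sort-Object SharingCapability, Url | Format-Table -AutoSize
```

Sites that show up in step 3 are the ones to revisit with the deep link test above, since a guest added for one enterprise app could reach them directly.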

Also read Limiting Exposure with Guest Users (to restrict access at the Service level).

What about Unauthorized User File Sharing?

In SharePoint (and OneDrive), it is possible to share with individual users without making them a guest user in AAD. This is done through one-time sharing links, which can require an additional code to be accessible. This is different from adding guest users to AAD and granting access from there.

For more on unauthorized users and file sharing, see this Microsoft doc.

Summary

Adding Guest Users is easy, but one has to be mindful of what else they are allowed into.

Ensure that, for each O365 service, the guest users you just added are not automatically let in by the SaaS’s guest user settings.



Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Identity Migration? Set up a time with Anuj Varma.