More on AAD Guest Users
(Also read AAD B2B External Users and Apps Visible in MyApps)
Per Microsoft’s Documentation
Member: This value indicates an employee of the host organization and a user in the organization’s payroll. For example, this user expects to have access to internal-only sites. This user is not considered an external collaborator. In practice, Member accounts are the ones created directly in the tenant or synchronized from the organization’s own on-premises AD; an external identity is not normally given the Member type unless it comes from a directory the host treats as part of its own forest (or a domain it has federated).
Guest: This value indicates a user who isn’t considered internal to the company, such as an external collaborator, partner, or customer.
Can Guest Users be assigned additional roles (Azure AD directory roles such as Directory Readers or Directory Writers, or Azure RBAC roles on subscriptions and resources)?
Yes. Any Azure AD directory role and any Azure RBAC role can be assigned to a Guest user; the Guest userType does not block the assignment. The tenant’s guest access restriction setting only limits what a guest can see in the directory by default; an explicit role assignment overrides those defaults, so guests holding roles are worth reviewing on a schedule.
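The review described above, as an added example that is not code from the original post: it lists every guest that holds an Azure AD directory role or an Azure RBAC role assignment, and prints the tenant’s default guest access restriction first so the two can be read together. It assumes the Microsoft.Graph and Az PowerShell modules are installed and that the signed-in account can read users, role assignments and the authorization policy.

```powershell
# Added example (not from the original post): audit which guest accounts hold
# Azure AD directory roles or Azure RBAC role assignments, and report the
# tenant's default guest access restriction.
# Assumes the Microsoft.Graph and Az PowerShell modules are installed and that
# the caller can read users, role assignments and the authorization policy.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
Import-Module Az.Accounts, Az.Resources

Connect-MgGraph -Scopes "User.Read.All","RoleManagement.Read.Directory","Policy.Read.All" | Out-Null
Connect-AzAccount | Out-Null

# Default directory permissions for guests, read from the authorization policy.
# The role IDs are the documented values for the three guest access levels.
$guestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same as members (weakest)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted"
}
$policy = Get-MgPolicyAuthorizationPolicy
$level  = $guestRoleNames[$policy.GuestUserRoleId]
if (-not $level) { $level = "Unknown role id $($policy.GuestUserRoleId)" }
Write-Host "Guest user access restriction: $level"

# Every guest in the tenant, whatever path created it (mail, link, Graph).
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,UserPrincipalName,UserType

$report = foreach ($g in $guests) {
    # Directory (Azure AD) roles: keep only memberOf objects of type directoryRole.
    $dirRoles = Get-MgUserMemberOf -UserId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    # Azure RBAC roles on subscriptions / resource groups / resources
    # in the currently selected subscription context.
    $rbac = Get-AzRoleAssignment -ObjectId $g.Id -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.RoleDefinitionName) @ $($_.Scope)" }

    [pscustomobject]@{
        Guest          = $g.UserPrincipalName
        DirectoryRoles = ($dirRoles -join '; ')
        AzureRbacRoles = ($rbac -join '; ')
    }
}

# Only guests that actually hold something need a reviewer's attention.
$report | Where-Object { $_.DirectoryRoles -or $_.AzureRbacRoles } |
    Format-Table -AutoSize
```

Get-AzRoleAssignment only walks the subscription currently selected in the Az context; to cover a whole tenant, loop over Get-AzSubscription and call Set-AzContext before the role lookup. A guest that shows a directory role such as Global Administrator has full tenant rights regardless of the guest access restriction printed at the top.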
AAD Guest Users and Default Access
Guest users are typically added via invitation emails or invitation direct links. They can also be created programmatically through PowerShell or the Microsoft Graph invitations API, and that path can suppress the invitation email entirely and hand the redemption URL back to the caller, so a guest can be added without any mail trail.
Which enterprise apps a guest can reach depends on the configuration of each service, not on the directory alone. SharePoint Online, for example, may be set to ALLOW sharing with all guest users, and that setting admits ANY guest who has been added to that AAD tenant, including guests invited for an unrelated project.
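The SharePoint Online check a practitioner would run after reading the paragraph above, as an added example that is not from the original post: it prints the tenant-wide sharing capability, lists the sites that still accept any guest, and shows the domain allow-list that narrows which guests a site can be shared with. It assumes the Microsoft.Online.SharePoint.PowerShell module; the tenant name "contoso" and the partner domain are placeholders.

```powershell
# Added example (not from the original post): check SharePoint Online
# external-sharing settings at tenant and site level.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; "contoso" and
# "partner.example" are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# SharingCapability values, from most to least permissive:
#   ExternalUserAndGuestSharing      - any guest, plus anonymous links
#   ExternalUserSharingOnly          - any authenticated guest in the tenant
#   ExistingExternalUserSharingOnly  - only guests already in the directory
#   Disabled                         - no external sharing
$tenant = Get-SPOTenant
Write-Host "Tenant sharing capability: $($tenant.SharingCapability)"
Write-Host "Tenant domain restriction : $($tenant.SharingDomainRestrictionMode)"

# Sites can be tighter than the tenant but not looser. List the ones that
# still let any guest in the tenant be added to the site.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -in 'ExternalUserSharingOnly','ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, SharingDomainRestrictionMode, Owner |
    Format-Table -AutoSize

# "Existing guests only" still means every guest in the directory. To keep a
# sensitive site to one partner, restrict by domain at the site level
# (uncomment to apply; the site URL is a placeholder).
# Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
#     -SharingDomainRestrictionMode AllowList `
#     -SharingAllowedDomainList "partner.example"
```

The domain allow-list is the setting that actually addresses the concern in the text: SharingCapability decides whether guests are allowed at all, while SharingDomainRestrictionMode decides which guests.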
Guest Users also come in two flavors: true GUESTs and COLLABORATORS.
Any EXTERNAL user invited through B2B is created with userType = Guest, whatever label is put on the invitation (even if you mark it as a collaborator). Only an administrator changing the userType attribute afterwards turns that account into a Member.
In order to be a true collaborator with member-level access, the IdP the user signs in from needs to be trusted by the tenant that contains your true internal users (corporate users), for example a federated domain or a directory synchronized into that tenant.
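The two points above, the programmatic invitation path (no email, redemption URL returned to the caller) and the fact that a B2B account is always created as a Guest until an admin changes it, as one added example that is not code from the original post. It assumes the Microsoft.Graph PowerShell SDK; the email address, display name and redirect URL are placeholders, and Set-GuestAsMember is a helper written for this example.

```powershell
# Added example (not from the original post): invite an external user without
# sending the invitation email, show that the account is created as a Guest
# regardless of how the invite is labelled, and promote it to Member only as a
# deliberate admin step. Assumes the Microsoft.Graph PowerShell SDK; the
# address, display name and redirect URL are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Invite.All","User.ReadWrite.All" | Out-Null

# No email leaves the tenant; the redemption link comes back to the caller.
$invite = New-MgInvitation `
    -InvitedUserEmailAddress "partner.user@example.com" `
    -InvitedUserDisplayName "Partner User (placeholder)" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage:$false

Write-Host "Redeem URL (hand over out of band): $($invite.InviteRedeemUrl)"

# The user object exists immediately, before redemption, and is a Guest.
$user = Get-MgUser -UserId $invite.InvitedUser.Id `
    -Property Id,UserPrincipalName,UserType,ExternalUserState
"{0}  userType={1}  state={2}" -f $user.UserPrincipalName, $user.UserType, $user.ExternalUserState

# Helper written for this example: only an explicit admin action turns a B2B
# account into a Member. That grants member-level default directory
# permissions, so it should be rare and tied to a trusted home IdP.
function Set-GuestAsMember {
    param([Parameter(Mandatory)][string]$UserId)
    Update-MgUser -UserId $UserId -UserType "Member"
    (Get-MgUser -UserId $UserId -Property UserType).UserType
}
# Set-GuestAsMember -UserId $user.Id

# Audit: a promoted B2B account keeps its external-style UPN (...#EXT#@...),
# so it can still be found even though userType now says Member.
Get-MgUser -Filter "userType eq 'Member'" -All -Property UserPrincipalName,UserType |
    Where-Object { $_.UserPrincipalName -like '*#EXT#@*' } |
    Select-Object UserPrincipalName, UserType
```

The final query is the check to keep: the userType filter alone will not surface external identities that were promoted to Member, but the #EXT# marker in the UPN does.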