Create Guest Users, External Users and Internal Users in Azure AD & Microsoft 365 Step by Step

Create Guest Users: How to Create and Manage Guest Users in Azure AD

In this article on user management in Azure AD and Microsoft 365, we will learn how to create guest users, external users, and internal users from the Azure AD portal as well as from the Microsoft 365 admin centre.

Guest user management in Microsoft 365 and Azure Portal is an essential part of enabling collaboration while maintaining security. With businesses increasingly adopting hybrid and remote working models, it’s common to work with external partners, contractors, and consultants who require temporary access to your resources. Microsoft’s guest access features allow you to securely grant these users the necessary permissions without compromising sensitive data.

This article will guide you through the step-by-step process of creating and managing guest users in Microsoft 365 and Azure Portal, covering best practices and frequently asked questions. Let’s dive in!

Why Manage Guest Users in Microsoft 365 and Azure Portal?

Guest users are individuals outside your organization who need access to certain Microsoft services, such as Teams, SharePoint, or Azure resources. Proper management ensures:

  1. Seamless Collaboration: External users can collaborate using shared files, chats, or projects.
  2. Enhanced Security: Access is limited to necessary resources.
  3. Compliance: It helps organizations meet data governance and regulatory requirements.

Step 1: Enable Guest Access in Microsoft 365

Before inviting external users, ensure that guest access is enabled in Microsoft 365.

Enable Guest Access in Azure AD

  1. Sign in to the Azure Portal.
  2. Navigate to Azure Active Directory (Azure AD) > External Identities.
  3. Under User settings, click Manage external collaboration settings.
  4. Ensure that:

Enable Guest Access for Microsoft Teams

  1. Go to the Microsoft Teams Admin Center.
  2. Navigate to Org-wide settings > Guest access.
  3. Toggle the switch to Allow guest access in Teams.
  4. Set additional permissions like screen sharing or meeting participation as needed.

We can create a guest user or a normal user from the Microsoft 365 admin centre as well as from Azure Active Directory in the Azure portal. I will explain both approaches.

Approach 1: Create Guest Users – Add a Guest User in Microsoft 365 Admin Center

Once guest access is enabled, you can invite external users to join your organization.

Invite Guest Users via Microsoft 365 Admin Center

  1. Log in to the Microsoft 365 Admin Center.
  2. Go to Users > Guest users.
Guest users in Microsoft 365 Admin Center
  3. Click Add a guest user.

Once you click on the “Add a guest user” link, you will be redirected to an Azure Portal guest user creation screen.

Create guest user in Azure AD

Here, you can select either “Create user” or “Invite user”.

First, I will go with the “Create user” template (Create a new user in your organization).

Create user in Azure AD

Enter the user details as shown above. Then, click on the “Create” button. The new user will be created.

  1. Enter the guest user’s:
  2. Assign roles or permissions if necessary.
  3. Click Send invitation. The user will receive an email invitation to join.

Next, I will go with the “Invite user” template.

Note:

  • Invite a new guest user to collaborate with your organization. The user will be emailed an invitation they can accept in order to begin collaborating.
Create guest user using Invite user template in Azure AD

Leave the other information on this screen as it is, as shown below:

Invite guest user in Azure Portal

In the above demo, I have started creating the guest user from the Microsoft 365 admin centre and ended in the Azure portal.

Approach 2: Create Guest Users – Invite Users Using Azure AD

  1. Go to the Azure Portal.
  2. Navigate to Azure Active Directory (or search for “Users”) > Users > New user.
Create new user and external user in Azure AD

Create new user in Azure – Create a new internal user in your organization

Click “Create new user” on the user creation screen.

Fill out the user details and other properties, then click on the “Review and Create” button.

Create new user in Azure Portal

Your new internal user will be created.

Invite External User: Invite an external user to collaborate with your organization

Then, to create a guest user or external user, click on the “Invite external user” link, and you will get the invite external user screen (Invite an external user to collaborate with your organization). Enter the external user's personal email ID, for example, a Gmail ID.

Invite external user in Azure Portal

Click on the “Review + Invite” button. The new external user will receive an email notification.

  1. Select Invite user and fill in the required details:
    • Email address.
    • Optional personal message.
  2. Set a group membership or assign roles.
  3. Click Invite. The guest will receive an invitation to join.

The external user will get a notification like below:

External user invitation from Azure AD

Then, the external user needs to click on the “Accept invitation” link to accept the invitation.

Then, click on the “Send code” button.

Authentication send code in Azure AD for Gmail user

Your external Gmail user will receive a Microsoft account verification code, like below:

Microsoft account verification code for External Gmail User

Use the above code to sign in to the Microsoft 365 environment.

Login to Microsoft 365 using Gmail Account

After entering the authentication code, you need to accept the acknowledgement “The resource is not shared by Microsoft”.

Login to Microsoft 365 using Gmail Account - Acceptance this resource is not shared by Microsoft

Once your external user clicks on the “Accept” button, they will be able to log in to the Microsoft 365 apps dashboard.

Successfully log in to Microsoft 365 using Gmail

Technical Differences Between Microsoft 365 Admin Center and Azure Portal for User Creation

As we have seen, we can create internal and guest users using either the Microsoft 365 admin centre or the Azure Portal. Their differences are laid out in tabular format below for ease of understanding:

New User Creation using Microsoft 365 Admin Centre vs. Azure Portal

| Feature/Aspect | Microsoft 365 Admin Center | Azure Portal | When to Use |
|---|---|---|---|
| Primary Purpose | Simplified user and license management for Microsoft 365 services. | Comprehensive identity and access management. | Use the Admin Center for day-to-day user management focused on collaboration tools. Use Azure Portal for advanced identity and security needs. |
| Terminology | Guest Users (external), Active Users (internal). | External Identities (external), Members (internal). | Use Admin Center for clarity in terminology when working primarily with Microsoft 365 collaboration tools. |
| Interface Complexity | User-friendly, intuitive, and simplified. | Advanced, with more granular options. | Choose Admin Center for quick and straightforward tasks; use Azure for in-depth configurations. |
| User Properties Available | Limited to basic properties (name, email, job title, department). | Extensive, including custom attributes, authentication methods, and role assignments. | Use Admin Center for basic user setup; Azure Portal for configuring detailed user properties. |
| Security Features | Basic security configurations, relies on Azure AD for MFA and other advanced policies. | Advanced options like Conditional Access, MFA, and Identity Protection policies. | Admin Center for default security; Azure Portal for custom and advanced security setups. |
| Access Control | Assign pre-defined roles (e.g., Global Admin, Billing Admin). | Role-Based Access Control (RBAC) and custom role creation. | Use Admin Center for quick role assignments; Azure Portal for creating tailored roles and permissions. |
| Integration with External Apps | Focused on Microsoft 365 apps like Teams, SharePoint, and Exchange. | Integrates with third-party and enterprise apps via Azure AD. | Admin Center for Microsoft ecosystem; Azure Portal for hybrid or multi-cloud environments. |
| Invitation Process (External) | Email invitations sent automatically to external users with limited configuration options. | Allows detailed configuration during the invitation process, including role and group assignments. | Use Admin Center for basic invitations; Azure Portal for assigning advanced permissions or policies during user creation. |
| License Management | Simplified assignment and management of Microsoft 365 licenses. | No direct license management; integrates with Admin Center for licensing. | Use Admin Center for managing user licenses. |
| Audit and Logging | Limited activity tracking. | Advanced logging with detailed activity and sign-in reports. | Admin Center for simple monitoring; Azure Portal for compliance-focused auditing. |
| Customization Options | Minimal, focuses on pre-configured settings. | Extensive, supports custom domains, attributes, and integrations. | Use Admin Center for pre-set user configurations; Azure Portal for deep customization or integration scenarios. |
| Best For | Quick user setup and collaboration management in Microsoft 365 services. | Advanced identity management, hybrid/cloud deployments, and enterprise-level configurations. | Admin Center for small to medium tasks; Azure Portal for complex enterprise-level requirements. |

When to Use Each Approach

| Scenario | Use Microsoft 365 Admin Center | Use Azure Portal |
|---|---|---|
| Adding a new employee or contractor to Teams or SharePoint | Simplify the process by creating a user in the Admin Center. | Use Azure Portal if the user needs additional security or conditional access rules. |
| Managing external guest users for collaboration | Admin Center is sufficient for inviting and managing basic access. | Use Azure Portal to configure advanced policies like domain restrictions or MFA. |
| Managing licenses for Microsoft 365 services | Use Admin Center for assigning and tracking licenses. | Azure Portal integrates but defers license management to the Admin Center. |
| Securing resource access with conditional policies | The Admin Center lacks direct Conditional Access configuration. | Use Azure Portal to enforce MFA, location-based policies, or device compliance. |
| Monitoring user activity or auditing | Admin Center provides limited insights into user activities. | Azure Portal provides detailed auditing and sign-in logs for compliance purposes. |
| Supporting hybrid environments (on-premises and cloud) | Admin Center doesn’t support hybrid scenarios natively. | Use Azure Portal for hybrid identity integration with on-premises directories. |
| Customizing user attributes or login flows | Admin Center is limited to basic attributes and functionality. | Use Azure Portal to customize user attributes or integrate social login options. |

This table provides a clear comparison to help administrators determine the best tool for their needs, whether they are focusing on simplicity and collaboration or advanced security and identity management.

Step 3: Manage Guest Users

Managing guest users effectively ensures they have access only to the resources they need.

Review and Assign Permissions

  1. Open the Azure Portal and navigate to Azure AD > Users.
  2. Select the guest user from the list.
  3. Assign or remove roles under the Assigned roles tab.

Popular roles include:

  • Reader: View-only access.
  • Contributor: Allows making changes without managing access.
  • Owner: Full administrative privileges.

Add Guests to Microsoft Teams

To add a guest user to a team:

  1. Open Microsoft Teams.
  2. Go to the desired team and click More options (•••) > Manage team.
  3. Click Add member, type the guest’s email, and select Add as guest.
  4. Guests will receive an email and gain access to the team.

Restrict Guest Access in SharePoint

  1. Go to the SharePoint Admin Center.
  2. Select the desired site and click Settings > Site permissions.
  3. Adjust guest permissions by:
    • Granting view-only access.
    • Limiting access to shared files or folders.

Step 4: Best Practices for Guest User Management

Implementing these best practices ensures secure and efficient collaboration:

Use Groups to Manage Access

  • Create Microsoft 365 Groups or Azure AD Groups to streamline access control.
  • Add guest users to groups instead of assigning individual permissions.

Regularly Review Guest Accounts

  • Periodically review guest users in Azure AD or the Microsoft 365 Admin Center.
  • Remove inactive accounts to reduce security risks.

Configure Conditional Access Policies

  • Use Azure AD Conditional Access to enforce security requirements like MFA (Multi-Factor Authentication) for guest users.
  • Restrict access based on factors such as location or device type.
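
One way to check that the MFA requirement described above is actually in force for guests, as an added example that is not from the original article: the script reads Conditional Access policies exported from Microsoft Graph and reports which ones require MFA for guests and whether they are enforced or only in report-only mode. The sample policies and the placeholder app ID are constructed, and the function names are this example's own.

```python
# Constructed sample shaped like Microsoft Graph
# GET /identity/conditionalAccess/policies (only the fields used here).
SAMPLE_POLICIES = [
    {"displayName": "MFA for everyone except guests", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["GuestsOrExternalUsers"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Guests MFA (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Guests MFA for one app", "state": "enabled",
     "conditions": {"users": {"includeGuestsOrExternalUsers": {
                        "guestOrExternalUserTypes": "b2bCollaborationGuest",
                        "externalTenants": {"membershipKind": "all"}}},
                    "applications": {"includeApplications": ["<app-id-placeholder>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def targets_guests(policy):
    """True if the policy's user scope includes guests and does not exclude them."""
    users = policy.get("conditions", {}).get("users", {})
    if ("GuestsOrExternalUsers" in (users.get("excludeUsers") or [])
            or users.get("excludeGuestsOrExternalUsers")):
        return False
    include = users.get("includeUsers") or []
    return ("All" in include or "GuestsOrExternalUsers" in include
            or bool(users.get("includeGuestsOrExternalUsers")))

def requires_mfa(policy):
    """True only if MFA cannot be bypassed by satisfying another OR'd control."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    return "mfa" in controls and (grant.get("operator") == "AND" or controls == ["mfa"])

def guest_mfa_coverage(policies):
    """Bucket guest MFA policies by whether they are enforced and how broadly."""
    report = {"enforced_all_apps": [], "enforced_some_apps": [], "report_only": []}
    for p in policies:
        if not (targets_guests(p) and requires_mfa(p)):
            continue
        apps = p["conditions"].get("applications", {}).get("includeApplications") or []
        if p.get("state") == "enabledForReportingButNotEnforced":
            report["report_only"].append(p["displayName"])
        elif p.get("state") == "enabled":
            key = "enforced_all_apps" if "All" in apps else "enforced_some_apps"
            report[key].append(p["displayName"])
    return report

print(guest_mfa_coverage(SAMPLE_POLICIES))
```

An empty `enforced_all_apps` list, as in this sample, means guests can still reach at least some applications without MFA.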

Enable Expiration Policies

  • Use the Access Reviews feature in Azure AD to automate guest user access reviews.
  • Set expiration dates for guest accounts to ensure temporary users don’t retain unnecessary access.
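
The periodic review described under “Regularly Review Guest Accounts” and the expiration idea above can be scripted against a guest export from Microsoft Graph. This is an added example, not part of the original article; the sample records, the review date and the 90-day and 30-day thresholds are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph response to
# GET /users?$filter=userType eq 'Guest'
#     &$select=mail,createdDateTime,externalUserState,signInActivity
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"mail": "alice@partner.example", "externalUserState": "Accepted",
  "createdDateTime": "2024-01-10T09:00:00Z",
  "signInActivity": {"lastSignInDateTime": "2024-05-28T14:12:00Z"}},
 {"mail": "bob@partner.example", "externalUserState": "Accepted",
  "createdDateTime": "2023-06-02T09:00:00Z",
  "signInActivity": {"lastSignInDateTime": "2023-11-15T08:30:00Z"}},
 {"mail": "carol@vendor.example", "externalUserState": "PendingAcceptance",
  "createdDateTime": "2024-03-01T10:00:00Z"},
 {"mail": "dave@vendor.example", "externalUserState": "PendingAcceptance",
  "createdDateTime": "2024-05-20T10:00:00Z"},
 {"mail": "erin@vendor.example", "externalUserState": "Accepted",
  "createdDateTime": "2023-09-01T10:00:00Z", "signInActivity": null}
]}
""")
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed review date

def parse_ts(value):
    """Graph timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def review_guests(users, now, max_idle_days=90, max_pending_days=30):
    """Return (mail, reason) for guests that should be reviewed or removed."""
    findings = []
    for u in users:
        created = parse_ts(u.get("createdDateTime"))
        last = parse_ts((u.get("signInActivity") or {}).get("lastSignInDateTime"))
        age = now - created if created else timedelta(0)
        if u.get("externalUserState") == "PendingAcceptance":
            if age > timedelta(days=max_pending_days):
                findings.append((u["mail"], "invitation not redeemed"))
        elif last is None:
            # No sign-in on record: judge by account age instead.
            if age > timedelta(days=max_idle_days):
                findings.append((u["mail"], "never signed in"))
        elif now - last > timedelta(days=max_idle_days):
            findings.append((u["mail"], "inactive"))
    return findings

for mail, reason in review_guests(SAMPLE_EXPORT["value"], NOW):
    print(f"{mail}: {reason}")
```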

Troubleshooting Common Issues

Guest User Didn’t Receive Invitation

  • Ensure the email address is correct.
  • Ask the guest to check their spam/junk folder.
  • Resend the invitation via Azure AD or Microsoft 365 Admin Center.

Guest User Can’t Access Shared Resources

  • Verify the guest’s role assignments in Azure AD.
  • Check if the guest has accepted the invitation and logged in with the same email.

Access Denied Errors

  • Review Conditional Access Policies for restrictions.
  • Ensure that resource-specific sharing settings (e.g., SharePoint permissions) are properly configured.

FAQs on Guest Users, External Users, and Internal Users

What is the difference between a guest user and an external user?

A guest user is an external user invited to collaborate in your organization, typically for services like Teams or SharePoint. An external user is a broader term used in Azure AD to refer to users outside your organization, including guests and those from other identity providers.

Can guest users access internal resources like employees?

Guest users have restricted access compared to internal users. Their permissions are limited to what is explicitly shared or granted, ensuring they cannot access all internal resources by default.

Do guest users need licenses in Microsoft 365?

Guest users do not need separate Microsoft 365 licenses for basic collaboration. However, licenses are required if they need advanced features, such as Power BI Pro.

How do internal users differ from external users in Azure AD?

Internal users are full members of your organization, managed directly in Azure AD or connected through an on-premises directory. External users are outside collaborators managed with guest access or external identity settings.

Can external users use their own credentials to log in?

Yes, external users can use credentials from their home organization or social accounts (e.g., Google, Facebook) when invited via Azure AD.

How secure is guest user access in Microsoft 365?

Guest access is secure when configured properly, with features like Multi-Factor Authentication (MFA), Conditional Access Policies, and limited sharing settings to control access.

What happens if an external user leaves their organization?

If an external user’s account is deleted in their home organization, their access to your resources may no longer work. Regular access reviews can help identify and deactivate such accounts.

Can guest users invite other users to the organization?

By default, guest users cannot invite others. However, this setting can be configured in Azure AD’s external collaboration settings.

Is there a limit to the number of guest users I can add?

Microsoft allows up to 5 guest users for each licensed Microsoft 365 user, with no additional cost for basic collaboration tasks.

How do I remove a guest user’s access?

You can remove guest users from both the Microsoft 365 Admin Center and Azure Portal by deleting their account or revoking their access to shared resources and applications.

Can guest and internal users be managed together in groups?

Yes, both guest and internal users can be added to Microsoft 365 Groups or Azure AD Groups, making it easier to assign permissions collectively.

Can I track guest user activities?

Yes, Azure AD provides detailed sign-in logs and activity reports for guest users, helping monitor their actions and ensure compliance.

Are there differences in creating users in Microsoft 365 Admin Center and Azure Portal?

Yes, the Microsoft 365 Admin Center simplifies user creation for collaboration tools, while Azure Portal offers advanced options like Conditional Access, role assignments, and user attribute customization.

Do external users have access to all the organization’s apps?

No, external users can only access the resources explicitly shared with them. Access to other apps or data must be granted individually or via group membership.

Conclusion: Add External Users in SharePoint Online

Managing guest users in Microsoft 365 and Azure Portal is vital for fostering secure collaboration with external partners. By following the steps and best practices outlined above, you can create, manage, and monitor guest accounts with confidence. Leveraging advanced features such as Conditional Access and Access Reviews further strengthens your organization’s security posture.

Start streamlining your guest access processes today and ensure smooth collaboration across your network!
