Tom Talks Microsoft Teams and Microsoft 365 news and opinions

Understanding and Reporting on Office 365 Guest Accounts and External members in Microsoft 365

What is the difference between Microsoft 365 and Office 365?

Originally Office 365 was the name for Microsoft’s cloud Office apps (e.g. the Office apps, Word, Excel, PowerPoint etc.) and services (SharePoint, OneDrive, Microsoft Teams) suite and Microsoft 365 was a bundle that included Office 365, Windows 10 and Enterprise Mobility and Security products.

However recently Microsoft has been renaming features replacing Office 365 with Microsoft 365, e.g. “Office 365 Groups” will become “Microsoft 365 Groups”. Even if you are just using “Office 365”.

What is an Office 365 Tenant?

To understand Office 365 Guests, you need to understand tenants. Tenant is a term used for an Office 365 Organization. Each tenant has its own Azure AD and any services enabled for those users will tie back to the tenant. A user of Office 365 in the organisation is a member of the tenant.

What is an Office 365 Guest Account?

When enabled, an Office 365 user (in Tenant A) can:

  • Invites someone external of the tenant to join a Microsoft 365 group, e.g. Microsoft Teams team, Planner, or Yammer
  • Shares files to someone external of the tenant specifically via SharePoint or OneDrive for Business (which leverages Azure Active Directory B2B Collaboration)

When they do this, a “guest account” is automatically created in Tenant A for the person that has been invited into the group or shared to.

The guest account represents their activities and access on Tenant A and controls the guest’s access.

Guest accounts have a UPN in the format username_domain#EXT#@tenantname.onmicrosoft.com

The number of guest accounts in Tenant A can grow very quickly.

How can I report on Office 365 Guest Accounts?

From the Azure Active Directory UI https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers

You can filter for “External, Users” or “User Type” = Guest (the terms external users and guest users are used interchangeably by Microsoft)

image

Azure Active Directory portal will show the source of the user:

  • Members
    • Azure Active Directory: This user belongs to the tenant and authenticates by using an Azure AD for this tenant
    • Windows Server Active Directory: This user is signed in from on-premises Active Directory that belongs to this organization.
  • Guests
    • Invited User: This user has been invited but has not yet redeemed an invitation
    • External Azure Active Directory: This user is homed in an external Office 365 organization and authenticates by using an Azure AD account that belongs to the other organization.
    • Microsoft account: This user is homed in a Microsoft account (e.g. the old LiveID or consumer accounts) and authenticates by using a Microsoft account.

You can download this guest list as a CSV

image

You can also get a nice list from PowerShell

Get-AzureADUser -Filter “UserType eq ‘Guest'” -All $true

image

I have written a quick summary report in PowerShell here

image

Can I report on which guests are in Which Office 356 Groups?

Yes, Tony Redmond has already written a great little script to do that here

External members – “User Type” does not define how the user signs in, but their level of access/functionality in the tenant

Interestingly, even though so far we have been filtering on User Type = Guest to get “guests”. You can have users outside of your tenant (external users) who have been manually changed to “members”. I would call these external members.

The User Type properly simply the user’s relationship to the host tenant and allows the organization to enforce policies that depend on this property.

  • Member: This value indicates an employee of the host organization and a user in the organization’s payroll. For example, this user expects to have access to internal-only sites. This user is not considered an external collaborator.
  • Guest: This value indicates a user who isn’t considered internal to the company, such as an external collaborator, partner, or customer. Such a user isn’t expected to receive a CEO’s internal memo or receive company benefits, for example.

In some cases, users external to the tenant can be listed as members and have member abilities.

For example, if an organisation has two tenants, but are a single organisation, the organization might want to treat users in tenant B as members in tenant A instead of guests. They can use the Azure AD B2B Invitation Manager APIs to add or invite an external person as a member or convert the user type with PowerShell.

In a practical example, a guest in Tenant A cannot be an owner of a Microsoft Teams team in Tenant A, but an external account that has been set to a member can be a team owner.

You can find these external users that are members with the following AzureAD PowerShell command

Get-AzureADUser -filter “userType eq ‘Member'”-all $True | where {$_.userprincipalname -like “*#EXT#*”}

image

This account is external but can be an owner of a team

image

image

image

 

Can a guest user leave the organisation?

In practice, this rarely happens, but a guest user can decide to leave an organization at any time if they no longer need to use apps from that organization or maintain any association. A user can leave an organization on their own, without having to contact an administrator.

Users can leave guest organisations from their profile here https://account.activedirectory.windowsazure.com/r/#/profile

image

When a user leaves an organization, the user account is “soft deleted” in the directory. By default, the user object moves to the Deleted users area in Azure AD but isn’t permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions) if the user makes a request to restore the account within the 30-day period.

More detail here

Some great content/references:

Properties of an Azure Active Directory B2B collaboration user

Discover Who Creates Guest Accounts in Office 365 Applications

Identifying Obsolete Guest User Accounts in an Office 365 Tenant

Report Old Guest Accounts and Their Membership of Office 365 Groups

Azure Active Directory PowerShell for Graph

About the author

Tom Arbuthnot

A Microsoft MVP and Microsoft Certified Master, Tom Arbuthnot is Principal Solutions Architect at Microsoft Collaboration specialists Modality Systems.

Tom stays up to date with industry developments and shares news and his opinions on his blog, Microsoft Teams Podcast and email list. He is a regular speaker at events around the world.

4 comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Tom Talks Microsoft Teams and Microsoft 365 news and opinions