Tom Talks Microsoft Teams and Microsoft 365 news and opinions

Understanding and Reporting on Office 365 Guest Accounts and External members in Microsoft 365

What is the difference between Microsoft 365 and Office 365?

Originally, Office 365 was the name for Microsoft’s cloud suite of Office apps (Word, Excel, PowerPoint etc.) and services (SharePoint, OneDrive, Microsoft Teams), and Microsoft 365 was a bundle that included Office 365, Windows 10 and the Enterprise Mobility and Security products.

However, Microsoft has recently been renaming features, replacing “Office 365” with “Microsoft 365”; e.g. “Office 365 Groups” will become “Microsoft 365 Groups”, even if you are just using “Office 365”.

What is an Office 365 Tenant?

To understand Office 365 guests, you need to understand tenants. “Tenant” is the term used for an Office 365 organisation. Each tenant has its own Azure AD, and any services enabled for its users tie back to that tenant. A user of Office 365 in the organisation is a member of the tenant.

What is an Office 365 Guest Account?

When enabled, an Office 365 user (in Tenant A) can:

  • Invite someone external to the tenant to join a Microsoft 365 group, e.g. a Microsoft Teams team, Planner, or Yammer
  • Share files with someone external to the tenant via SharePoint or OneDrive for Business (which leverages Azure Active Directory B2B Collaboration)

When they do this, a “guest account” is automatically created in Tenant A for the person who has been invited into the group or shared with.

The guest account is that person’s identity in Tenant A: their activity is recorded against it, and it controls what the guest can access.

Guest accounts have a UPN in the format username_domain#EXT#@tenantname.onmicrosoft.com

The number of guest accounts in Tenant A can grow very quickly.

How can I report on Office 365 Guest Accounts?

From the Azure Active Directory UI https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers

You can filter for “External Users” or “User Type” = Guest (Microsoft uses the terms external user and guest user interchangeably).


Azure Active Directory portal will show the source of the user:

  • Members
    • Azure Active Directory: This user belongs to the tenant and authenticates by using an Azure AD account in this tenant
    • Windows Server Active Directory: This user is signed in from on-premises Active Directory that belongs to this organization.
  • Guests
    • Invited User: This user has been invited but has not yet redeemed an invitation
    • External Azure Active Directory: This user is homed in an external Office 365 organization and authenticates by using an Azure AD account that belongs to the other organization.
    • Microsoft account: This user is homed in a Microsoft account (e.g. the old LiveID or consumer accounts) and authenticates by using a Microsoft account.

You can download this guest list as a CSV.

You can also get a nice list from PowerShell:

Get-AzureADUser -Filter "UserType eq 'Guest'" -All $true


I have written a quick summary report in PowerShell here


Can I report on which guests are in which Office 365 Groups?

Yes, Tony Redmond has already written a great little script to do that here

External members: “User Type” does not define how the user signs in, but their level of access/functionality in the tenant

Interestingly, even though so far we have been filtering on User Type = Guest to get “guests”, you can also have users from outside your tenant (external users) who have been manually changed to “members”. I would call these external members.

The User Type property simply indicates the user’s relationship to the host tenant and allows the organization to enforce policies that depend on this property.

  • Member: This value indicates an employee of the host organization and a user in the organization’s payroll. For example, this user expects to have access to internal-only sites. This user is not considered an external collaborator.
  • Guest: This value indicates a user who isn’t considered internal to the company, such as an external collaborator, partner, or customer. Such a user isn’t expected to receive a CEO’s internal memo or receive company benefits, for example.

In some cases, users external to the tenant can be listed as members and have member abilities.

For example, if a single organisation has two tenants, it might want to treat users in tenant B as members in tenant A instead of guests. It can use the Azure AD B2B Invitation Manager APIs to add or invite an external person as a member, or convert the user type with PowerShell.

In a practical example, a guest in Tenant A cannot be an owner of a Microsoft Teams team in Tenant A, but an external account that has been set to a member can be a team owner.

You can find these external users that are members with the following AzureAD PowerShell command:

Get-AzureADUser -Filter "UserType eq 'Member'" -All $true | Where-Object { $_.UserPrincipalName -like "*#EXT#*" }
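The two filters above (guests, and members whose UPN carries #EXT#) can be combined into one pass over the directory. The following is an added example, not the author’s summary report or Microsoft’s code; it assumes the AzureAD module is loaded and Connect-AzureAD has already been run, and it goes slightly beyond the post by also separating unredeemed invitations (UserState of PendingAcceptance) and mapping each external UPN back to the invited email address. The output path tenant-accounts.csv is an arbitrary choice.

```powershell
# Added example (not the author's summary script or Microsoft's code). Assumes the
# AzureAD module is loaded and Connect-AzureAD has already been run in this session.
# UserState on a B2B account is 'PendingAcceptance' until the invitation is redeemed.

function Get-ExternalIdentityFromUpn {
    # Maps a B2B UPN such as alice_contoso.com#EXT#@fabrikam.onmicrosoft.com back to
    # the address the invitation went to (alice@contoso.com). A mail domain cannot
    # contain underscores, so the last underscore before #EXT# is the original '@'.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    if ($UserPrincipalName -notmatch '^(?<local>.+)_(?<domain>[^_]+)#EXT#@') { return $null }
    return "$($Matches.local)@$($Matches.domain)"
}

function Get-TenantAccountReport {
    # One directory read; each account is tagged with the bucket the post's two
    # filters would place it in, so guests and external members come out of one run.
    foreach ($u in (Get-AzureADUser -All $true)) {
        $isExternal = $u.UserPrincipalName -like '*#EXT#*'
        if ($u.UserType -eq 'Guest') {
            $category = if ($u.UserState -eq 'PendingAcceptance') { 'Guest (invitation not redeemed)' } else { 'Guest' }
        } elseif ($isExternal) {
            $category = 'External member'   # member rights in Tenant A, e.g. can own a team
        } else {
            $category = 'Member'
        }
        [pscustomobject]@{
            DisplayName        = $u.DisplayName
            UserPrincipalName  = $u.UserPrincipalName
            UserType           = $u.UserType
            UserState          = $u.UserState
            Category           = $category
            ExternalEmail      = if ($isExternal) { Get-ExternalIdentityFromUpn $u.UserPrincipalName } else { $null }
            UserStateChangedOn = $u.UserStateChangedOn
        }
    }
}

$report = Get-TenantAccountReport

# Headline counts per bucket
$report | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
# External accounts with member rights deserve a review: the Guest filter never lists them
$report | Where-Object Category -eq 'External member' |
    Format-Table DisplayName, UserPrincipalName, ExternalEmail -AutoSize
# Invitations that were never redeemed are candidates for clean-up
$report | Where-Object Category -like 'Guest (invitation*' |
    Format-Table DisplayName, ExternalEmail, UserStateChangedOn -AutoSize
$report | Export-Csv -Path .\tenant-accounts.csv -NoTypeInformation
```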


This account is external but can be an owner of a team.


Can a guest user leave the organisation?

In practice, this rarely happens, but a guest user can decide to leave an organization at any time if they no longer need to use apps from that organization or maintain any association. A user can leave an organization on their own, without having to contact an administrator.

Users can leave organisations where they are a guest from their profile here: https://account.activedirectory.windowsazure.com/r/#/profile


When a user leaves an organization, the user account is “soft deleted” in the directory. By default, the user object moves to the Deleted users area in Azure AD but isn’t permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions) if the user makes a request to restore the account within the 30-day period.

More detail here

Some great content/references:

Properties of an Azure Active Directory B2B collaboration user

Discover Who Creates Guest Accounts in Office 365 Applications

Identifying Obsolete Guest User Accounts in an Office 365 Tenant

Report Old Guest Accounts and Their Membership of Office 365 Groups

Azure Active Directory PowerShell for Graph

About the author

Tom Arbuthnot

A Microsoft MVP and Microsoft Certified Master, Tom Arbuthnot is Founder and Principal at Empowering.Cloud as well as a Solutions Director at Pure IP.

Tom stays up to date with industry developments and shares news and his opinions on his Tomtalks.blog, UC Today Microsoft Teams Podcast and email list. He is a regular speaker at events around the world.
