Delegate365-Working with guest users
Friday, June 26, 2020
Delegate365 supports working with guest users. Guest users or external users are users that are invited to the company tenant by email. Once they accept the invitation, they get access to corporate resources. For example, a guest user can be a member of a Microsoft team or collaborate in Planner or in a SharePoint site or similar. See some samples here.
Invite a guest user
In Delegate365, admins can invite a guest user by clicking the "Invite guest user" icon next to the "+" icon (new user). If you don't see this icon, ask your Delegate365 Portal Admin to enable that feature in the permission policies.
Fill out the invite guest user form and click the Invite button.
You will find the invited user in the users list instantly, as shown here. You can manage that user in the same way as the other users.
What's the user's UPN?
Azure AD stores that user internally with the default domain of the tenant: the "@" of the invited address is replaced by "_", and "#EXT#@" followed by the tenant's default domain is appended. In this sample, we see that the user email@example.com became doris.doe_gmail.com#EXT#@M365x193702.onmicrosoft.com.
Note: When inviting external users, the default domain of the tenant is used, so this can be a custom domain as well. The Azure AD portal and the Microsoft 365 admin center show the original username firstname.lastname@example.org; internally, however, the extended username is used.
We can change the username to a friendlier name or to a different domain later in Delegate365 (see below).
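The following PowerShell functions, an added example that is not Delegate365 code, build the internal #EXT# UPN from an invited address and parse it back. They assume the tenant default domain from this post and constructed sample addresses; the parser also recognises a guest whose UPN no longer carries #EXT#.

```powershell
# Added example, not Delegate365 code: build and parse the internal UPN that Azure AD
# assigns to an invited guest. Tenant domain and sample addresses are assumptions.

function ConvertTo-GuestUpn {
    param(
        [Parameter(Mandatory)] [string] $Email,         # address the guest was invited with
        [Parameter(Mandatory)] [string] $TenantDomain   # default domain of the tenant
    )
    $at = $Email.IndexOf('@')
    if ($at -lt 1 -or $at -eq $Email.Length - 1) { throw "Not an email address: $Email" }
    # Azure AD replaces the '@' with '_' and appends #EXT#@<default domain>
    $local  = $Email.Substring(0, $at)
    $domain = $Email.Substring($at + 1)
    return ('{0}_{1}#EXT#@{2}' -f $local, $domain, $TenantDomain)
}

function ConvertFrom-GuestUpn {
    param([Parameter(Mandatory)] [string] $Upn)
    # Domain labels never contain '_', so the last '_' before #EXT# separates the
    # original local part (which may itself contain underscores) from the original domain.
    if ($Upn -match '^(?<local>.+)_(?<extDomain>[^_@]+)#EXT#@(?<upnDomain>[^@]+)$') {
        return [pscustomobject]@{
            Upn           = $Upn
            IsExtFormat   = $true
            OriginalEmail = '{0}@{1}' -f $Matches.local, $Matches.extDomain
            UpnDomain     = $Matches.upnDomain
        }
    }
    # A guest whose UPN was changed (for example to firstname.lastname@example.org in
    # Delegate365) no longer carries #EXT#; only the UPN domain can be read off such a name.
    return [pscustomobject]@{
        Upn           = $Upn
        IsExtFormat   = $false
        OriginalEmail = $null
        UpnDomain     = $Upn.Split('@')[-1]
    }
}

# Constructed sample input: an invited address with an underscore in its local part
$tenant = 'M365x193702.onmicrosoft.com'      # tenant default domain from the post
$ext = ConvertTo-GuestUpn -Email 'j_doe@example.com' -TenantDomain $tenant
$ext
ConvertFrom-GuestUpn -Upn $ext
ConvertFrom-GuestUpn -Upn 'firstname.lastname@example.org'
```

The regex deliberately anchors on the last underscore before #EXT# because an invited local part such as j_doe keeps its own underscores, while the original domain cannot contain one; matching on the first underscore would mis-split such addresses.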
How does the guest user complete the invitation?
The invited user gets an email. Here, the user accepts the invitation to that Microsoft 365 tenant.
Then, the user follows the process and signs in with a custom password. Also, the user has to accept that the Microsoft 365 tenant can sign him or her in and read the user's (Azure AD) profile. Now the guest user has his or her email address and a password for the organization's Microsoft 365 tenant. If the organization enforces MFA, the user must complete that process as well to get access.
Note: In Azure AD, the guest user is added as "Microsoft Account" and the status is "Invitation accepted". Other invited users that have not accepted the invitation get the status "Invited user".
In Delegate365, the guest users show up after the sync in the users list as Type "User" and Status "Cloud".
Assign guest users to OUs
The same applies to users that have been invited outside of Delegate365, e.g. in the Azure AD portal. The Azure AD UPN ends with #EXT#@M365x193702.onmicrosoft.com. Here, the users email@example.com and John@doe.com are shown in the list of OU / Assign.
So, we can assign these users to an OU. In our sample, we assign the two selected users to OU New York at the bottom of the page.
Manage guest users' UPNs
As we see, there are now 3 guest users, which we can manage in the same way as the internal users.
Important: An administrator must be assigned to an OU AND to the DOMAIN of the users he or she can manage. In our sample, the current admin has the OU New York assigned AND the domain M365x193702.onmicrosoft.com! See also Troubleshooting Delegate365.
Wait! What if you don't want to assign the default domain to your admins in Delegate365?
Well, then you can modify the UPN domain of the guest user as follows.
Modify the guest user's UPN
In Delegate365, you can change the UPN. The UPN is the internal name of the guest user in your tenant.
Note: You can't change the guest user's UPN in the Azure AD portal, so that's a feature of Delegate365.
As in the sample here, we remove the #EXT# part and change the domain:
So, now the UPN is firstname.lastname@example.org.
How does the guest user sign in to Microsoft 365?
Even if you change the guest user's UPN in your Microsoft 365 tenant, the user continues to use his or her own email address to sign in. So, the login process is unchanged, as we see here. When the guest user signs in to e.g. portal.office.com...
...after the successful login, the Office portal opens.
Benefits of managing guest users in Delegate365
Guest users can be managed in Delegate365. Notice the domain of the guest user's UPN and check whether that domain is assigned to the admins in Delegate365. Benefits are:
- Changing the UPN of guest users in Delegate365 helps to get a friendly UPN.
- Changing the UPN and the domain allows delegating guest user management to admins that are not allowed to manage the default domain of the Microsoft 365 tenant. In our sample, admins who are only allowed to manage users with the domain "atwork.fun" (but not the tenant's default domain M365x193702.onmicrosoft.com) will see that guest user and are able to manage that user.
- Also, the user can get an Office 365 license from your organization if needed.
- Guest users that are assigned to your own OUs (or Guest OUs) can be added to groups as well.
- Note: There's a change in Delegate365 v9.2: If an admin is assigned to a Group OU, the domain assignments will no longer be used as a filter in that case. The people picker (e.g. in group membership assignments) will show ALL users in the Group OU, regardless of the domain. This allows admins to add users to their groups, regardless of the user's UPN domain. This is only valid for Group OUs. Users in assigned OUs are still filtered by the domains of the current admin.
We have seen that administration of guest users can be delegated with Delegate365. Portal Admins can control which users, including guest users, can be managed by whom.
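The following PowerShell function, an added example that is not Delegate365 code, models the visibility rule described above: an admin can manage a user only when the user's OU and the user's UPN domain are both assigned to the admin, except in Group OUs (v9.2), where the domain filter is skipped. The users, OU names and admin assignments are constructed sample data.

```powershell
# Added example, not Delegate365 code: a model of the visibility rule the post describes.
# An admin can manage a user when the user's OU is assigned to the admin AND the user's
# UPN domain is assigned to the admin; for Group OUs (Delegate365 v9.2) the domain filter
# is skipped. Users, OU names and admin assignments below are constructed sample data.

function Get-ManageableUsers {
    param(
        [Parameter(Mandatory)] [object[]] $Users,         # objects with Upn and Ou properties
        [Parameter(Mandatory)] [string[]] $AdminOus,      # OUs assigned to the admin
        [Parameter(Mandatory)] [string[]] $AdminDomains,  # UPN domains assigned to the admin
        [string[]] $GroupOus = @()                        # OUs that are Group OUs
    )
    foreach ($u in $Users) {
        # OU assignment is always required
        if ($AdminOus -notcontains $u.Ou) { continue }
        $domain    = $u.Upn.Split('@')[-1]
        $isGroupOu = $GroupOus -contains $u.Ou
        # In a Group OU every user is visible; elsewhere the UPN domain must be assigned too
        if ($isGroupOu -or ($AdminDomains -contains $domain)) {
            [pscustomobject]@{
                Upn    = $u.Upn
                Ou     = $u.Ou
                Domain = $domain
                Reason = $(if ($isGroupOu) { 'Group OU, domain filter skipped' } else { 'OU and domain assigned' })
            }
        }
    }
}

# Constructed sample: two guests in OU "New York", one guest in Group OU "Sales Groups",
# and one user in an OU the admin does not hold
$users = @(
    [pscustomobject]@{ Upn = 'doris.doe_gmail.com#EXT#@M365x193702.onmicrosoft.com'; Ou = 'New York' }
    [pscustomobject]@{ Upn = 'firstname.lastname@atwork.fun';                         Ou = 'New York' }
    [pscustomobject]@{ Upn = 'jane.doe_example.com#EXT#@M365x193702.onmicrosoft.com'; Ou = 'Sales Groups' }
    [pscustomobject]@{ Upn = 'john.doe@atwork.fun';                                   Ou = 'Vienna' }
)

# The admin holds OU "New York" and Group OU "Sales Groups", but only the custom domain
# atwork.fun, not the tenant default domain
Get-ManageableUsers -Users $users -AdminOus 'New York', 'Sales Groups' -AdminDomains 'atwork.fun' -GroupOus 'Sales Groups' |
    Format-Table -AutoSize
```

Run as-is, the sample returns only the renamed guest firstname.lastname@atwork.fun (OU and domain both assigned) and the #EXT# guest in the Group OU (domain filter skipped); the #EXT# guest in New York stays hidden because its UPN domain is the tenant default domain the admin does not hold, and the Vienna user stays hidden because that OU is not assigned. Changing the first guest's UPN domain to atwork.fun, as the post describes, is exactly what makes it visible to such an admin.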