Forum Discussion

JosephNierenberg
Iron Contributor
Mar 04, 2020

AAD Guest Users and SPO list/library access

There is a list in a SharePoint site. I want to permit a guest to create and to modify list entries (i.e., “contributor” rights). The guest person is already a guest user object in AAD. I’ve broken permissions between the list and its site.

1. When I try to give the guest user permission from the list settings/permissions page, the dialog cannot identify the person. (I could add their e-mail address here, but since SPO didn’t recognize the name or address as a guest user’s, I’m concerned that SPO wouldn’t connect the two pieces of data and so I wouldn’t be able to control the person generally from AAD.)

2. When I create a group in AAD with the guest user as a member, SPO does not recognize the group when I try to give the group permission from the list settings/permissions page.

3. I can create a group at the SPO subsite level to give that group permission from the list settings/permissions page, but I couldn’t add the AAD guest user as a member.

So:

A. How should I be giving this AAD guest user Contributor privileges to one specific SPO list?

B. How should I be giving an AAD group of AAD guest users access to one specific SPO list or document library?

1. The user account listed for the guest is to be used on the list; this will say external, but it will use the same account.

2. The group should be listed as a security group in the Azure portal in order for SPO to recognize and utilize it.
JosephNierenberg
Iron Contributor

ChrisWebbTech

1. The AAD guest user account is not recognized by SPO in the permission-granting dialog, when I enter the name or e-mail prefix. (Did you mean something else?)

2. The domain group (AAD security group) in which the guest user is a member is recognized by SPO in the permission-granting dialog. Yesterday I might not have waited long enough for the data to sync on Msft's side.

From some testing, one explanation that appears possible, if not reasonable, is that domain security groups will be recognized, but that individual guest users will be recognized only if they have already accessed SPO resources through a file or folder sharing invitation. Is that possible?

ChrisWebbTech
MVP

Correct, once they access it, it will recognize them when they are in the site collection user list. But to add an existing guest you need to use their full email. It’ll say external user etc., but it will still map to the existing guest account.
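As an added example (not part of this thread and not Microsoft's own documentation), the two answers above expressed as PnP PowerShell: grant an existing AAD guest Contribute rights on one list by full e-mail, grant an AAD security group by its tenant claim, and verify the guest resolved to the existing B2B object. It assumes the PnP.PowerShell module, a site-owner account, and placeholder values for the site URL, list name, guest e-mail and group object id.

```powershell
# Added example (not from the thread). Assumes PnP.PowerShell is installed and
# the signed-in account owns the site. All names, URLs and GUIDs are placeholders.
$SiteUrl   = "https://contoso.sharepoint.com/sites/vendors"   # placeholder
$ListName  = "Vendor Requests"                                 # placeholder
$GuestMail = "joe@fabrikam.com"                                # placeholder: the AAD guest's full e-mail
$GroupId   = "00000000-0000-0000-0000-000000000000"            # placeholder: AAD security group object id

Connect-PnPOnline -Url $SiteUrl -Interactive

# Break inheritance on the list only (as the question already did), without
# copying the site's role assignments, so the guest gets nothing beyond this list.
Set-PnPList -Identity $ListName -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes

# A. Existing AAD guest: use the full e-mail, as the reply says. SharePoint
#    maps it to the existing B2B guest object instead of creating a new one.
Set-PnPListPermission -Identity $ListName -User $GuestMail -AddRole "Contribute"

# B. AAD security group: SharePoint addresses it by its tenant claim, built from
#    the group's object id. The group must be a security group, as the reply says.
$GroupClaim = "c:0t.c|tenant|$GroupId"
Set-PnPListPermission -Identity $ListName -User $GroupClaim -AddRole "Contribute"

# Verification: a B2B guest's login name carries the #EXT# marker. If it is
# missing, the e-mail resolved to something other than the existing AAD guest,
# which is exactly the "two pieces of data" concern raised in the question.
$guest = Get-PnPUser -Identity $GuestMail
if ($guest.LoginName -notmatch '#ext#') {
    Write-Warning "$GuestMail did not resolve to an AAD B2B guest object: $($guest.LoginName)"
}

# Show what this principal holds on the list (expect only "Contribute").
Get-PnPListPermissions -Identity $ListName -PrincipalId $guest.Id |
    Select-Object Name
```

Because AAD-to-SPO sync can lag, as the thread notes, re-run the verification block rather than re-granting if the group claim is not recognized immediately.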
