Forum Discussion

T11EJD's avatar
T11EJD
Copper Contributor
Jan 08, 2020
Solved

Add/Remove External Guest User from SP Site behavour in Azure/365

Hi,   Adding external "User1" from within SP (Sharing Site) creates guest "User1" in Azure and 365Admin consoles. Removing same external User1 from SP does not remove guest user1 in Azure and 365A...
Authentication
office 365
sharepoint
  • oliwer_sundgren's avatar
    oliwer_sundgren
    Jan 08, 2020

    HelloT11EJD ! 

    I will answer your questions below (A1 for Q1 and A2 for Q2)

     

    A1: Yes this is by design. When you invite an external user to a Sharepoint file or folder, a guest account in your companies Azure AD needs to be created. This is to make sure that the guest users are authenticated and get any security ( Conditional access ) policies for example. 
    This is the same behavior as inviting an external user to Teams. 

     

    A2: No, as long as external users need to athenticate then they will need to have a guest account. 

    If you however share a document with an anonymous link, then they dont need a guest account. 

     

    Automaitcally removing guest users when removed from a sharepoint site could be troublesome. Imagine if that guest user was a member of 3 different sites, that would mean they would loose access to all 3 sites. 

     

    Guest users in Azure AD is not a problem, just make sure, like with any users, that you do an audit of what users you have and what users you can terminate. 

     

    I hope this answered your questions! 
    Let me know if you have further questions or if my replies are unclear! 

    Kind Regards
    Oliwer Sjöberg

oliwer_sundgren's avatar
oliwer_sundgren
Steel Contributor
Jan 08, 2020

HelloT11EJD ! 

I will answer your questions below (A1 for Q1 and A2 for Q2)

 

A1: Yes this is by design. When you invite an external user to a Sharepoint file or folder, a guest account in your companies Azure AD needs to be created. This is to make sure that the guest users are authenticated and get any security ( Conditional access ) policies for example. 
This is the same behavior as inviting an external user to Teams. 

 

A2: No, as long as external users need to athenticate then they will need to have a guest account. 

If you however share a document with an anonymous link, then they dont need a guest account. 

 

Automaitcally removing guest users when removed from a sharepoint site could be troublesome. Imagine if that guest user was a member of 3 different sites, that would mean they would loose access to all 3 sites. 

 

Guest users in Azure AD is not a problem, just make sure, like with any users, that you do an audit of what users you have and what users you can terminate. 

 

I hope this answered your questions! 
Let me know if you have further questions or if my replies are unclear! 

Kind Regards
Oliwer Sjöberg