Forum Discussion
Guest user with Global admin role
Hi
I was, a while ago, told by an MVP that the "correct" way for granting External Consultants access to O365 - was to create them as 'Guest users' (and using their private/corporate email) and then assign them the appropriate 'Directory role' like the SharePoint Administrator role - however, doing this, the Consultant - gets into AAD  - but when trying to access https://tenant-admin.sharepoint.com he's getting no access - and the message this site isn't externally shared. 
Can someone confirm that this is the "right way" to grant Consultants access - and what am I missing in order giving access? 
 
- I'm with Juan here. While you can technically add admin roles to guest users or even create mailboxes for them, I've never seen a statement from Microsoft that this is supported. In fact, the only place I've seen Guest admin access work is the (old) Office 365 Admin Center. 
11 Replies
- W.K. LaiBrass ContributorChange the user type from guest to member for the external consultant. That should give him/her access to SP admin center. 
- oinskipCopper ContributorOkay, it has been over a year since this was initially raised. Has Microsoft addressed this issue? They, and the MVPs push the "guest" account access fairly heavily, but if the user can't access the required resources with a guest account, even with GA privileges, then we are left to create a member account and the user is required to track an additional set of credentials. This would seem to defeat the entire purpose of guest accounts.- Unfortunately this isn't resolved yet. Delegated Admin privileges works towards resolving this for CSP partners but granular permissions (GDAP) are not available (yet!)
 https://practical365.com/identifying-potential-unwanted-access-by-your-msp-csp-reseller/
 
- AOEHCopper ContributorTaen keren I know, this thread is already old. We are currently struggling with the same topic. Did you find a way to add a Guest to Global Admin (or SP Admin) in order to use the Sharepoint admin center? I had to change member type via powershell from Guest to Member. This workaround does the job, means the user can access the admin center. Nevertheless, it is an ugly solution. In addition, we do have another problem when accessing further admin centers. The invited admin always jumps into its own Tenant and we didn't find a way to change this behavior... so far. - Taen kerenIron Contributorno not solved
- AOEHCopper ContributorYes, this solution only works to get proper permissions but... It looks to me as if the only multi tenant capable console is Azure Portal. We had to create a dedicated Admin for our partner. Very ugly solution but currently the only way to get what we want. Microsoft has to provide multi tenant support for all the consoles. 
 
 
- I'm with Juan here. While you can technically add admin roles to guest users or even create mailboxes for them, I've never seen a statement from Microsoft that this is supported. In fact, the only place I've seen Guest admin access work is the (old) Office 365 Admin Center. - Taen kerenIron ContributorVasilMichev - thx - I'll have another (serious) "Chat" with the MVP that recommended this way... - DevrykBrass ContributorTaen keren Hi!, what did you do at the end?, could you give the guest user the global admin role and that user could have access to the admin center? 
 
 
- That is very strange, if the user has a SPO Admin Role, he/she should be able to browse the SPO Admin Center...by the way, It does not sound good to me giving an external user such a role in an Office 365 tenant