Forum Discussion
Guest Users vs. External Users
- May 15, 2017
We use the terms interchangeably at Microsoft as well. External user is an older term from back when all "guests" in the directory authenticated outside of the home tenant. When we added support for managed guest users (i.e. the user authenticates inside the home tenant), the "external" piece stopped making sense and "guest user" was born.
And as with many of these types of things, we ended up using both names to refer to the same set of features. If there is a feature/scenario where this language does make a difference, we try to make sure it's clearly labeled to avoid confusion.
Thanks,
Stephen Rice
OneDrive Program Manager II
My pleasure! To make this easier, let's imagine we have your tenant, Contoso, and you're working with my tenant, Fabrikam.
Technically, if you share to me at Fabrikam, when I authenticate in your tenant, I actually sign in to Fabrikam's tenant, then access the Contoso tenant. Thus, I am a guest in your directory and authenticate externally.
On the other hand, Contoso IT might be very strict and so they create a Contoso account that I sign into at Contoso, and my account is just marked as a guest. Thus I authenticated internally, even though I am still a guest user.
Both users are "guests" but, technically, only the first is an "external user". We don't really expose these as different scenarios, though, which is why the language is mixed.
Hope that makes sense!
Stephen Rice
Program Manager II
Thank you very much for the explanation.
If I understand correctly:
- In the first scenario, the sharing starts from a Contoso user with the invite of a Fabrikam user. Initially the Contoso tenant does not know the credentials of the Fabrikam user, so, when the Fabrikam user accepts the invite for the first time, he must be authenticated by the Fabrikam tenant. Hence the Fabrikam user is initially an external user to Contoso. (Also, if after the first access a corresponding Contoso guest user is automatically created in the Contoso directory, subsequent accesses will be authenticated directly by the Contoso tenant, correct?)
- In the second scenario, Contoso IT directly creates a user in the Contoso directory, immediately specifying the user's credentials. Hence the user is from the first moment a guest user to Contoso, i.e. he is from the first moment authenticated by the Contoso tenant.
Am I missing something?
- bkoshy1365, May 31, 2021, Copper Contributor
Thank you for the explanation. I am of the belief that the terminology and concepts will be difficult to grasp for a lot of people. Cheers
- PGiles, Jan 20, 2021, Copper Contributor
How do we get the guest ID?
- Cameron Smith, Aug 15, 2018, Copper Contributor
Hi @Sarat Subramaniam StephenRice
We are seeing something like this in our tenant.
We see some users listed as Guests, but when we run “Get-SPOExternalUser” only a subset are listed; clearly there is a difference between these "Guests" and "External Users".
This is confusing us as we are troubleshooting some issues with guests invited into SharePoint Online sites that were previously set up by a former employee on 365 Groups. When we try and share with these users we see an error saying that the account couldn't be resolved.
Sometimes we think the external user is seeing an email which says “We're sorry, but bob@fabrikam.com can't be found in the contoso.sharepoint.com directory. Please try again later, while we try to automatically fix this for you."
For these users we have their email account(s) in our SharePoint Online admin center with a Bob_fabrikam_com#EXT#@contoso.com guest account, but something seems to be confused.
Essentially it’s all a bit of a confusing mess. Is there a guide to clear up how the authentication works? I would ideally like to see a flow chart or infographic that walks through the process of inviting a guest and all its subtleties.
For now, we are experimenting with deleting the user and purging them from the Recycle Bin in order to re-invite them; this is a bit of a problem if you don't know everything they previously had access to.
Thanks
Cam
- Alberto Schiavon, May 01, 2018, Brass Contributor
Deleted
I was not clear enough, sorry: occasionally, as a workaround, I used to send as "alternative credentials" the Contoso (my company's tenant) login and password using the Reset Password option in the Admin Center, as the user could not create an account at Fabrikam (his company's tenant). The login used was something like john.smith_EXT_Fabrikam@Contoso.onmicrosoft.com (clearly a Contoso account), which was created automatically when inviting the guest john.smith@fabrikam.com.
I said "I used to" as it seems that the option to reset the password for a guest user has been removed from the Admin Center, and if you use the Azure AD you get the error message "The password can not be reset. This may be due to an incorrect level of administrative privilege or if trying to reset your own password."
- Deleted, Mar 05, 2018
Alberto Schiavon, it's always going to depend on the login used. The guest accounts on the Contoso side don't have their own set of login and credentials; even though you can reset the password, it doesn't matter, because any time you use Microsoft's login page and enter the Fabrikam login, it's going to authenticate to the Fabrikam Azure AD. There is just a trust relationship built there so that once you authenticate, you can go to resources via that guest user on Contoso's Azure with that linked guest account.
So in essence, resetting that password has no effect on anything, since you never actually use that password to authenticate that account (it gets directed to their domain).
- StephenRice, Mar 05, 2018, Microsoft
Hi Alberto Schiavon,
That is actually a very good question that I don't have a good answer to. I'm adding Sarat Subramaniam who is an expert on AAD & guest integration who may know the answer. Thanks!
Stephen Rice
OneDrive Program Manager II
- Alberto Schiavon, Mar 04, 2018, Copper Contributor
Thanks Stephen for the info.
One additional question: let's imagine that Salvatore cannot properly redeem the invitation sent from you because he cannot authenticate at Fabrikam (e.g. he cannot create the account at Fabrikam with his Fabrikam email address).
As a workaround, the admin at Contoso resets the password of his "sub account" (e.g. Salvatore_EXT_Fabrikam@Contoso.onmicrosoft.com) so he can access Contoso resources using the "sub account" credentials.
Can you explain how the 2 accounts (Contoso and Fabrikam) are related before and after this password reset action?
Thanks,
- StephenRice, Jan 05, 2018, Microsoft
When Stephen "invites" Salvatore, where are you assuming the action takes place? Is this in SharePoint or OneDrive? Or in Azure? Thanks!
Stephen Rice
- Bharath Bharadwaj, Jan 05, 2018, Copper Contributor
Hi Stephen,
This is an interesting topic and I do have a few questions for you.
Stephen (a member of Contoso, which uses Azure AD) invites Salvatore (a member of Fabrikam, which doesn't have an enterprise Azure Active Directory; meaning it uses on-premises AD (2008) and IBM web sign-on (for email and many web apps)).
Now Stephen invites Salvatore to the Contoso tenant. As usual, an invite email is sent to Salvatore and on clicking accept it will ask him to create the password. After creating the password, Salvatore is successfully invited to the Contoso tenant. As he doesn't have Azure AD, how can he reset the password for Contoso tenant access if he forgets the password he created during the invite? Who has the ability to reset his password?
Looking forward to your inputs here. Thank you for your time.
- StephenRice, Jan 02, 2018, Microsoft
Hi Inigo Adin,
I've replied to your private message and we can work through this there. Thanks!
Stephen Rice
OneDrive Program Manager II
- Inigo Adin, Dec 21, 2017, Copper Contributor
Dear Stephen,
I fear that it might be late to post into that conversation, but I will try, as we are struggling with a similar problem and we don't know how to progress.
We have external guests invited to some content created by our company in a SharePoint group. They have access to the files, logging in with their own emails (which also have to be registered at microsoft.com). And they are able to view the file the first time, but when they try to access it the second time their emails are not recognised.
Any suggestions on how we should solve it?
Thanks a lot for your help
Inigo Adin
- StephenRice, Jul 31, 2017, Microsoft
Oh don't even get me started on that thing! Makes discussions internally fun when you say things like "And then you need to sign in with your Microsoft account" :D
Can you send me a PM with the issues you are having though? Thanks!
Stephen Rice
OneDrive Program Manager II
- David Slight, Jul 24, 2017, Iron Contributor
Stephen, I am having similar issues with users from this company called Microsoft! Fabrikam and Contoso and Live and Hotmail all work fine, but Guest users with Pernille-Eskebo.com are struggling. Q: Does MSIT follow these rules, and do Microsoft accounts act as normal guests or externals? NB: I really mean blue badge, not people with a "Microsoft Account", that's another whole ball of wax!
- StephenRice, May 17, 2017, Microsoft
My pleasure!
Stephen Rice
- Salvatore Biscari, May 17, 2017, Silver Contributor
Thanks! Now it is really clear!
- StephenRice, May 17, 2017, Microsoft
Almost got it!
In that first case, the user will always authenticate with Fabrikam, not Contoso. Here are the two flows:
- Stephen (a member of Contoso) invites Salvatore (a member of Fabrikam) to a document in the Contoso tenant. Salvatore receives an invitation mail.
- When Salvatore clicks on the link in the mail, he goes through the invitation acceptance process, which results in the creation of an account in the Contoso tenant. This is really kind of a sub account, though, as Salvatore will always authenticate at Fabrikam.
- When he attempts to access content, he will land at Azure Active Directory which recognizes that though he is logging into Contoso, he authenticates with Fabrikam.
In the second case, Salvatore's user account is actually managed by Contoso (for example, Contoso admins could reset his password) and it is not tied in any way to his Fabrikam account. Thus, in the first case, Salvatore authenticates externally to the tenant, while the second case has him authenticate internally to the tenant.
Hopefully that made sense :)
Stephen Rice
OneDrive Program Manager II
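A small audit helper, added here as an example and not part of any post in this thread, that sorts directory objects into the two flows Stephen describes (guest who authenticates at Fabrikam versus guest managed inside Contoso) and recovers the invited address behind a `#EXT#` UPN like the one Cameron quotes. It assumes each object carries a Graph-style identity issuer (the home tenant's own domain for a locally managed guest, anything else for an externally authenticated one) and that the B2B UPN has the form `alias_domain.tld#EXT#@tenant`; both are assumptions, and the sample users are constructed.

```python
"""Classify Azure AD guests by where they authenticate (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOME_TENANT = "contoso.onmicrosoft.com"  # constructed sample home tenant


@dataclass
class DirectoryUser:
    upn: str
    user_type: str            # "Member" or "Guest"
    issuer: str               # assumed: Graph identities[].issuer of the sign-in identity
    mail: Optional[str] = None


def invited_email(user: DirectoryUser) -> Optional[str]:
    """Prefer the mail attribute; only fall back to decoding the #EXT# UPN.

    Assumed encoding: the '@' of the invited address becomes '_', so the address
    is everything before '#EXT#@' split at its last underscore. A form with the
    dots also replaced (bob_fabrikam_com) is ambiguous, so None is returned."""
    if user.mail:
        return user.mail
    head, sep, _tenant = user.upn.partition("#EXT#@")
    if not sep or "_" not in head:
        return None
    alias, _, domain = head.rpartition("_")
    if "." not in domain:
        return None
    return f"{alias}@{domain}"


def classify(user: DirectoryUser) -> str:
    """'member', 'external-guest' (signs in at the home tenant, so a password
    reset in Contoso changes nothing) or 'internal-guest' (Contoso-managed)."""
    if user.user_type != "Guest":
        return "member"
    return "internal-guest" if user.issuer == HOME_TENANT else "external-guest"


def audit(users: List[DirectoryUser]) -> List[Tuple[str, str, Optional[str]]]:
    """One row per user: UPN, classification, invited address (if recoverable)."""
    return [(u.upn, classify(u), invited_email(u)) for u in users]


if __name__ == "__main__":
    sample = [  # constructed sample directory, not real accounts
        DirectoryUser("salvatore_fabrikam.com#EXT#@" + HOME_TENANT, "Guest", "ExternalAzureAD"),
        DirectoryUser("salvatore@" + HOME_TENANT, "Guest", HOME_TENANT),
        DirectoryUser("bob_fabrikam_com#EXT#@contoso.com", "Guest", "ExternalAzureAD"),
    ]
    for row in audit(sample):
        print(row)
```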