Forum Discussion
Guest Users vs. External Users
We use the terms interchangeably at Microsoft as well. External user is an older term from back when all "guests" in the directory authenticated outside of the home tenant. When we added support for managed guest users (i.e. the user authenticates inside the home tenant), the "external" piece stopped making sense and "guest user" was born.
And as with many of these types of things, we ended up using both names to refer to the same set of features. If there is a feature/scenario where this language does make a difference, we try to make sure it's clearly labeled to avoid confusion.
Thanks,
Stephen Rice
OneDrive Program Manager II
StephenRice this is still very confusing. External/Guest user was able to access files on my company SharePoint Online last week and now all of a sudden they cannot access the files. Why?
MicrosoftHi Shery Kirby,
Can you share what type of error the users are seeing? Has the user's access been revoked in some way? Thanks!
Stephen Rice
OneDrive Program Manager II
- Ref: open the invite link with Incognito tab - yes, this really is the only way to make sure the guest signs in properly by making them enter and verify the right account and credentials.
BTW: I seem to have more success if I send them to SharePoint first rather than Teams or OWA - do these different URLs change the guest-register-in-AD experience?
https://outlook.office365.com/owa/account@realm/groupsubscription.ashx?realm=realm&source=WelcomeEmail&action=files
https://teams.microsoft.com/l/team/guid1(thread.skype/conversations?tenantId=guid2
https://realm.sharepoint.com/sites/site/Shared%20Documents/ - Yes, you can delete from AzureAD and invite again. There really isn't a way to prevent where they come in from because they are essentially mapping their account to the guest account that is setup in your AD to theirs. You can recommend to that user to right click and open the invite link with Incongnito tab so they can make sure to select the right login to use.
So is there a way to fix an account that was added as a Microsoft Account, but should have been external AD? We invited a few guest accounts, and one person connected successfully as an External AD account, and the other shows up as "Microsoft Account", so I assume they created a new Microsoft account with the same creds as suggested by ChrisWebbTech . Now they can't access some resources (Teams) and I assume it is cookies/cached creds. Can we just remove the account from Azure AD, and then re-invite them again? Is it entirely on the guest to select "Organizational account" or can we send a specific invite to prevent them from signing up with a Microsoft Account?
- Sam Larson
Shery Kirby Do you currently have a support ticket opened with Microsoft? I'd love to have our teams take a look at some logging and details about the user accounts logging in. Feel free to PM me as well!
- I Honestly try and make use of anyone links when working external they are much less hassle when it comes to those outside “users”. And now since you can set passwords on them they are even more of an alternative.
- ChrisWebbTech It hasn't been easy to help the external users to understand the importance of deleting browsing history, clearing cookies and cache and close browser and then open in private browser. Most come back seconds later saying they've done all that with the same access denied screenshot; more times than not that doesn't really happen. Maybe one day my org will allow video chat with our external users so we can better help them. I've spent hours on just this one issue today going back and forth. And, I must say, this is a common issue. I just thought I'd seek Community help just in case I've missed something.
- Yes they use their own. But what usually happens is they will have a personal Microsoft account with matching email address because they had it before office 365. And they will usually sign in wrong there or they will have another one setup and logged in via cookie and not know it. Hence why incognito usually works when doing sharing links.
When an organization uses Microsoft, does the external/guest user sign in to my org's SharePoint using the same credentials they use to log into their's? Because that's what I've been telling them for a couple of years now. StephenRice
- StephenRice
Hi Shery Kirby,
I am not sure. My best guess at the moment is that they may have two different identities in the Microsoft ecosystem and the error is a result of them not being signed in with "the right one".
Stephen Rice
StephenRiceWill do. If my guess is correct they are not equating Outlook:Mac 2010 with having an organizational account that is registered with Microsoft? Is that the correct way to think about this?
- StephenRice
Hi Shery Kirby,
I would try removing them and re-adding them (first site collection, and if that still doesn't help, then Azure AD). If one of those does work, please let me know so we can keep tracking down what causes this type of issue. Thanks!
Stephen Rice
StephenRiceI just received a screenshot after asking which email application they use. It is Outlook: MAC 2010. They see the usual Microsoft sign in page that shows their email address and asks for the password with the links: "Can't access your account?" and "Sign-in options."
I am going to remove them from the site collection and send a new link. They told us they were not using Office 365 but apparently they are using Microsoft and maybe should not have registered their email account with Microsoft? Or, do they still need to be removed from Azure Active Directory?
- They tell me they have tried that as well. I'm out of things to try other than deleting them from the site collection and asking the IT department to remove them from our Azure Active Directory and start over. That generally doesn't make users very happy to go through the Microsoft registration process all over again.
- StephenRice
Hi Shery Kirby,
Thanks for the additional detail! If you open the link in incognito mode, does it work then? Thanks!
Stephen Rice
OneDrive Program Manager II
StephenRiceI haven't done anything to revoke the access.
