Home

Azure B2B Guest User Management

%3CLINGO-SUB%20id%3D%22lingo-sub-202536%22%20slang%3D%22en-US%22%3EAzure%20B2B%20Guest%20User%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-202536%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20way%20to%20easily%20verify%20which%20Guest%20User%20was%20invited%20by%20whom%20%3F%26nbsp%3B%20and%20to%20which%20SaaS%20App%20he%20actually%20has%20Access%20to%20%3F%20I%20cannot%20find%20such%20a%20Option%20within%20the%20Azure%20AD%20Portal%20%3F%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20its%20really%20necessary%20especially%20if%20normal%20Users%20can%20easily%20Invite%20People%20from%20Outside%20of%20your%20Company%20directly%20via%20Azure%20B2B%20without%20really%20notify%20the%20IT%20Admins.%20As%20im%20working%20under%20a%20Group%20Scenario%20means%20we%20have%20a%20lot%20of%20Companies%20with%20dedicated%20IT%20sharing%20the%20same%20Tenant%20but%20with%20only%20one%20Department%20having%20Root%20%2F%20Global%20Admin%20to%20the%20Tenant.%20So%20this%20Department%20needs%20easy%20overview%20which%20Users%20have%20done%20what%20regarding%20Guest%20Users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHelp%20to%20find%20a%20Solution%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%3C%2FP%3E%3CP%3EUeli%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-202536%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-361073%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20B2B%20Guest%20User%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-361073%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F148334%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3E%40Ueli%20Zimmermann%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%20ChangeAuditor%20for%20Active%20Directory%20which%20logs%20all%20Azure%20AD%20Events%2C%26nbsp%3B%20from%20%3CA%20href%3D%22https%3A%2F%2Fwww.quest.com%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EQuest%3C%2FA%3E%20will%20all%20you%20do%20see%20who%20is%20creating%20and%20inviting%20external%20users%20into%20your%20tenant%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-265846%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20B2B%20Guest%20User%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-265846%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F148334%22%20target%3D%22_blank%22%3E%40Ueli%20Zimmermann%3C%2FA%3E%26nbsp%3Bagrre%20with%20you%20that%20there%20is%20no%20easy%20way%20to%20get%20this.%20In%20case%20of%20SharePoint%2C%20there%20is%20a%20cmdlet%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fsharepoint-online%2Fget-spoexternaluser%3Fview%3Dsharepoint-ps%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EGet-SPOExtUser%26nbsp%3B%3C%2FA%3E.%20This%20cmdlet%20gives%20invited%20by%20information.%20But%20it%20is%20not%20consistent.%20I%20see%20invited%20by%20information%20for%20some%20site%20collections%20and%20I%20dont%20see%20it%20for%20other%20site%20collections.%20This%20cmdlet%20is%20very%20buggy.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-206720%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20B2B%20Guest%20User%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-206720%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Rishabh%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%20yes%20this%20one%20i%20know%20but%20i%20was%20more%20interested%20in%20kind%20of%20a%20detailed%20overview%20like%20to%20which%20resources%20the%20user%20has%20access%20to%20and%20what%20he%20actively%20is%20using%20from%20that%20resources%20and%20especially%20who%20did%20invite.%20Mostly%20in%20our%20Case%20its%20is%20kind%20of%20the%20%22Microsoft%20Invitation%20Service%22%20or%20SharePoint%20Default%20Guest%20Invitation%20Service%2C%20so%20there%20is%20no%20way%20to%20see%20who%20actually%20did%20the%20invite%20and%20to%20which%20resources.%20I%20believe%20this%20is%20not%20really%20transparent%20with%20regards%20to%20Security.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%3C%2FP%3E%3CP%3EUeli%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-206060%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20B2B%20Guest%20User%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-206060%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20Ueli%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20not%20aware%20of%20any%20third%20party%20tool%2C%20the%20article%20that%20I%20was%20referring%20was%20%3A-%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fb2b%2Fauditing-and-reporting%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fb2b%2Fauditing-and-reporting%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3ERishabh%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-204930%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20B2B%20Guest%20User%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-204930%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Rishabh%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExcuse%20the%20late%20reply.%20Regarding%20this%20i%20agree%20with%20you%20but%20what%20i%20mean%20is%20i%20would%20like%20to%20have%20a%20better%20view%20or%20understanding%20who%20is%20inviting%20which%20user%20and%20to%20which%20SaaS%20Apps%20and%20Resources%20on%20that%20SaaS%20App.%20I%20wish%20Azure%20Portal%20would%20kind%20of%20have%20a%20Dashboard%20to%20simplify%20search%20for%20a%20Guest%20or%20normal%20User%20and%20you%20could%20see%20right%20away%20to%20which%20apps%20he%20has%20access%20and%20which%20documents%20or%20files%20he%20lately%20accessed%20or%20having%20access%20to.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Audit%20Logs%20you%20mentioned%20are%20ok%20but%20for%20example%20as%20inviter%20normally%20there%20is%20just%20the%20AzureB2B%20Inviter%20Service%20listened%20not%20the%20original%20User%20initiated%20the%20Invite.%20So%20basically%20you%20cannot%20see%20fully%20transparent%20which%20user%20invited%20the%20Guest%20and%20to%20which%20resources%20in%20detail.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20good%20way%20to%20achieve%20this%20with%20the%20Built%20In%20Tools%20or%20is%20there%20at%20least%26nbsp%3Ba%20good%203th%20Party%20Reports%20or%26nbsp%3BAudit%20Tool%20which%20brings%20all%20the%20Information%20in%20a%20good%20readable%20form%20out%20of%20the%20System%20%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%3C%2FP%3E%3CP%3EUeli%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-202630%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20B2B%20Guest%20User%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-202630%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Ueli%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20details%20regarding%20invitation%20sent%20to%20guest%20users%20can%20be%20checked%20in%20azure%20active%20directory%20audit%20logs.%3C%2FP%3E%3CP%3ELook%20for%20%22Initiated%20by%20-%20Microsoft%20B2B%20admin%20worker%22%20and%20%22%3CSPAN%3EMicrosoft%20Invitation%20Acceptance%20Portal%3C%2FSPAN%3E%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3ERishabh%3C%2FP%3E%3C%2FLINGO-BODY%3E
Ueli Zimmermann
Contributor

Hello All,

 

Is there a way to easily verify which Guest User was invited by whom ?  and to which SaaS App he actually has Access to ? I cannot find such a Option within the Azure AD Portal ? 

I think its really necessary especially if normal Users can easily Invite People from Outside of your Company directly via Azure B2B without really notify the IT Admins. As im working under a Group Scenario means we have a lot of Companies with dedicated IT sharing the same Tenant but with only one Department having Root / Global Admin to the Tenant. So this Department needs easy overview which Users have done what regarding Guest Users.

 

Help to find a Solution would be appreciated.

 

Cheers

Ueli

6 Replies

Hello Ueli,

 

The details regarding invitation sent to guest users can be checked in azure active directory audit logs.

Look for "Initiated by - Microsoft B2B admin worker" and "Microsoft Invitation Acceptance Portal".

 

Regards,

Rishabh

Hello Rishabh,

 

Excuse the late reply. Regarding this i agree with you but what i mean is i would like to have a better view or understanding who is inviting which user and to which SaaS Apps and Resources on that SaaS App. I wish Azure Portal would kind of have a Dashboard to simplify search for a Guest or normal User and you could see right away to which apps he has access and which documents or files he lately accessed or having access to. 

 

The Audit Logs you mentioned are ok but for example as inviter normally there is just the AzureB2B Inviter Service listened not the original User initiated the Invite. So basically you cannot see fully transparent which user invited the Guest and to which resources in detail.

 

Is there a good way to achieve this with the Built In Tools or is there at least a good 3th Party Reports or Audit Tool which brings all the Information in a good readable form out of the System ? 

 

Cheers

Ueli

Hey Ueli,

 

I am not aware of any third party tool, the article that I was referring was :- 

https://docs.microsoft.com/en-us/azure/active-directory/b2b/auditing-and-reporting

 

Regards,

Rishabh

Hello Rishabh

 

Thank you, yes this one i know but i was more interested in kind of a detailed overview like to which resources the user has access to and what he actively is using from that resources and especially who did invite. Mostly in our Case its is kind of the "Microsoft Invitation Service" or SharePoint Default Guest Invitation Service, so there is no way to see who actually did the invite and to which resources. I believe this is not really transparent with regards to Security.

 

Best regards

Ueli

@Ueli Zimmermann agrre with you that there is no easy way to get this. In case of SharePoint, there is a cmdlet: Get-SPOExtUser . This cmdlet gives invited by information. But it is not consistent. I see invited by information for some site collections and I dont see it for other site collections. This cmdlet is very buggy.

@Ueli Zimmermann  ChangeAuditor for Active Directory which logs all Azure AD Events,  from Quest will all you do see who is creating and inviting external users into your tenant

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies