Forum Discussion
Best practice to add guest to AAD?
I could give a guest access to SPO directly from the site's permissions settings, and I could give a guest access to Teams directly from the Teams interface (at least in a channel, if not in chat). Is there any reason not to first register the guest(s) in AAD?
- Yeah, working on Desktop now, you used to not be able to pick, not sure when it got added, but it's there now :).
Anyway, so bottom line here, you should be able to choose, having a guest is not required. Test with my tenant if you wish, but if it works, and you can't do that with someone you're trying to reach and you don't get the "search externally for" and it doesn't connect, then they must not have their end configured, but inviting them or adding them as a guest to your tenant allows them to tenant switch to chat, which isn't the same as federation.
Anyway, let us know if you have other questions or need help with more testing.
21 Replies
- Dean_Gross (Silver Contributor)
Some other benefits of pre-adding them are that you can add additional attributes, control the groups they go into and use the Access Review process to help confirm that they still belong on a routine schedule.
- To answer your question regarding Teams. If you just need to chat with them you can use federation (external access needs enabled in admin center on both sides) and just click new chat and type in their address and do so.
However if you have added them to a Team and you want to have private chat, you can still do so just by clicking new chat and typing their name. Once a guest is invited to a Team you have the ability to then chat with them.
Keep in mind this will house the chat in your tenant, and they will have to tenant switch in the client to your tenant to participate in that chat. The only way to prevent this is to not have them as a guest and use the chat federation, but then they can't be in a Team. It's a mess, but Microsoft says they are working on updating this, it'll just be awhile, but those are the 2 situations and how the chat works when dealing with guests.
- JosephNierenberg (Iron Contributor)
ChrisWebbTech wrote:
federation (external access needs enabled in admin center on both sides)
they will have to tenant switch in the client to your tenant to participate in that chat. The only way to prevent this is to not have them as a guest and use the chat federation, but then they can't be in a Team. It's a mess
Your first point on having to enable external access on both ends might well be why the "just add them to chat" didn't work. I'll test this weekend.
Your second point couldn't be truer. The idea of switching tenants makes fine sense in theory, and without pondering too much it probably makes good if not essential sense from a security/access management perspective, but it's extremely cumbersome.
I think the answer to all this is to enter the people in AAD when possible; develop some written or video guide to administratively enabling federated chat and send a link to collaborating entities; and hope for the best.
In this context, is there any point--at all--in entering an external as a mail user? We had to do that for a few guests in order to get them into mail-enabled security groups, but with the ability to add them into AAD as guests it seems that a 'mail user' is no longer necessary or appropriate for externals. Thoughts?
- JosephNierenberg (Iron Contributor)
According to my testing, adding an external to the Chat blade in Teams, i.e., not adding them to a team in the Teams blade, only works if they have been pre-added as a guest in AAD (assuming all other settings are correct).
- ThinkSync (Brass Contributor)
Hi Joseph,
The short answer is no – both ways create “shadow” accounts in your tenant, which the B2B user then needs to redeem before use.
https://docs.microsoft.com/en-us/azure/active-directory/b2b/redemption-experience
Some customers manage and restrict account creation using the B2B portal, or create B2B accounts for their users to then assign to resources.
If you’d like to restrict B2B account creation, please refer to the ‘External collaboration settings’ blade.
Hope this helps.
- EarlZirkle (Iron Contributor)
Thanks for the tip. Very helpful!
- ThinkSync (Brass Contributor)
Apologies, didn't see the other replies :)
If you'd like to move B2B invitations away from SPO/Teams, try the B2B portal or delegate one of the 3rd party's B2B accounts the Guest Inviter role.
https://docs.microsoft.com/en-us/azure/active-directory/b2b/delegate-invitations
https://docs.microsoft.com/en-us/azure/active-directory/b2b/self-service-portal
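The two controls mentioned in this thread (the 'External collaboration settings' blade and the Guest Inviter role) can be driven from PowerShell as well. The script below is an added example written for this page, not code from any poster or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK, an admin account permitted to edit the authorization policy and directory roles, and a constructed placeholder UPN for the delegate; check the `-AllowInvitesFrom` parameter against the SDK version you have installed, since older releases took the policy id as well.

```powershell
# Added example (not from the thread): restrict B2B invitations to admins and
# Guest Inviters, then delegate the Guest Inviter role to one named account.
# Assumes the Microsoft Graph PowerShell SDK. The UPN below is a constructed placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization','RoleManagement.ReadWrite.Directory','User.Read.All'

# 1. Tighten the tenant-wide setting that backs the 'External collaboration settings'
#    blade. Valid values: everyone, adminsGuestInvitersAndAllMembers,
#    adminsAndGuestInviters, none.
$policy = Get-MgPolicyAuthorizationPolicy
Write-Host "Current allowInvitesFrom: $($policy.AllowInvitesFrom)"
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom 'adminsAndGuestInviters'

# 2. Activate the Guest Inviter role if it has never been used (built-in roles exist
#    only as templates until first activation, so Get-MgDirectoryRole returns nothing).
$role = Get-MgDirectoryRole -Filter "displayName eq 'Guest Inviter'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Guest Inviter'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# 3. Delegate the role to a single account (placeholder UPN) rather than to everyone.
$inviter = Get-MgUser -UserId 'alex.inviter@contoso.onmicrosoft.com'
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($inviter.Id)"
}

# 4. Verify who can now invite guests; this is the list to review periodically.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
    $_.AdditionalProperties['userPrincipalName']
}
```

With `allowInvitesFrom` set to `adminsAndGuestInviters`, the "Share" and "Add member" flows in SharePoint and Teams no longer create guest accounts for ordinary members; only the accounts listed in step 4 (and admins) can, which is what gives the security team a single place to watch.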
- Just to make my previous post clear! Users can add guests if it's set up this way via Teams, SharePoint! This happens automatically! However they cannot pre-add into AAD.
- bbhorrigan (Brass Contributor)
I really wish out of the box it would disable the guest access for everyone. This was flagged by our security team because of the nature of business my company does. I think it should be turned off, but I am most likely in the minority in this one.
- It all depends on how your org works. Users can't add users in AAD! If you want to control what guests are invited in the organization, pre-adding them is a good way to have control! Then you can set permissions for users to add the guests that are already in the tenant!
Most orgs want users to be able to add guests themselves via sharing, Teams etc.
Also a scenario to pre-add in AAD is if you collaborate with another company and want all those users as guests, it's a good idea to mass import them into AAD.
- JosephNierenberg (Iron Contributor)
Hi, thanks. Yes, I should have added that I'm aware of the differing abilities of users and admins to add guests in AAD. I think your reply implicitly answers the question, though, that there is no downside, and potentially some upsides, to pre-adding a guest in AAD. My actual situation is that there are two externals with whom I need regularly to chat across a number of different projects. I could add them into a Teams channel without pre-registering them in AAD, but sometimes the chats need to be outside the project-oriented Teams channels. To add them as a contact in Teams chat, I think I'll need to pre-register them as guest users in AAD. Sounds like there's no reason not to do that--right?
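The "pre-add / mass import" approach discussed above, together with the benefits Dean_Gross listed (extra attributes, group placement, something to review later) and the unredeemed "shadow" accounts ThinkSync mentioned, as one script. This is an added example written for this page, not code from any poster; it assumes the Microsoft Graph PowerShell SDK, an account allowed to invite guests and edit users and groups, and constructed sample guests and group name. It is idempotent, so re-running it after a partial failure does not send duplicate invitations.

```powershell
# Added example (not from the thread): pre-register guests in Azure AD in bulk,
# stamp attributes, place them in a group, then report guests that have not yet
# redeemed their invitation. Assumes the Microsoft Graph PowerShell SDK; the CSV
# rows and the group name are constructed sample data.
Connect-MgGraph -Scopes 'User.Invite.All','User.ReadWrite.All','GroupMember.ReadWrite.All','Group.Read.All'

# Constructed sample input; in practice this would be Import-Csv .\guests.csv
$guests = @'
Email,DisplayName,CompanyName
alice@partner.example,Alice Example,Partner Example Ltd
bob@partner.example,Bob Example,Partner Example Ltd
'@ | ConvertFrom-Csv

# Target group (constructed name); create it first, e.g. as the subject of an Access Review.
$group = Get-MgGroup -Filter "displayName eq 'Partner Example Collaborators'"
if (-not $group) { throw "Create the target group first." }

foreach ($g in $guests) {
    # Look for an existing guest with this mail so the script is safe to re-run.
    $user = Get-MgUser -Filter "mail eq '$($g.Email)' and userType eq 'Guest'"
    if (-not $user) {
        $inv = New-MgInvitation -InvitedUserEmailAddress $g.Email `
            -InvitedUserDisplayName $g.DisplayName `
            -InviteRedirectUrl 'https://myapps.microsoft.com' `
            -SendInvitationMessage:$true
        $user = $inv.InvitedUser
        # Attributes a SharePoint/Teams share never sets; useful for dynamic groups and reviews.
        Update-MgUser -UserId $user.Id -CompanyName $g.CompanyName -Department 'External'
    }
    $isMember = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id
    if (-not $isMember) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    }
}

# Audit: invited guests who have not redeemed (externalUserState is 'PendingAcceptance').
# These are the 'shadow' accounts worth cleaning up if they stay pending.
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,DisplayName,Mail,ExternalUserState,CreatedDateTime |
    Where-Object ExternalUserState -ne 'Accepted' |
    Select-Object DisplayName, Mail, ExternalUserState, CreatedDateTime
```

Because the guest objects exist before anyone shares a site or adds them to a team, the same user object is reused by SharePoint and Teams later, so the attributes and group membership set here carry over to every resource they are subsequently granted.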
- Hi!
They will already be guests in AAD, created during the invitation process to teams