Why guest access to teams requires me to grant for 'login on behalf of the user'?

Occasional Visitor

I've been ask from a different company to join their Microsoft Team workspace as a guest. When I try to accept the invitation, I've been told that the company would like to be granted of the authorization to 'login on behalf of the user' (I'm translating from another language, so, I don't know exactly the message in english).

I don't want to grant anyone to 'login on behalf of me' :)

I'm sure that Microsoft didn't want to require that; can you explain how this grant works and what the administrators of the company will be able to do with my account?



4 Replies
I don’t really know the technicality of why it says so, but in the end this is how it works:

A guest account with your mail address will be created in the inviting tenant! They don’t have any passwords! When you login you will be authenticating to your own tenant / with your own MSA account (mostly used) they can however add information to your guest account, like contact information, picture, delete the account etc...this will apply to the guest account only, and as I mentioned they can’t access your ”real” account


Unlike many guest access services, a new account isn't being created for you. It's the Office 365 account that you are using today that will be granted access as a guest to the other tenant. This keeps you from having to remember usernames and passwords and tends to give a single sign-on experience. 

This is happening because the other Office 365 tenant sees that the account that the invite was sent to is hosted in an Office 365 tenant. As such, it will use the existing account for authentication.

Its intent is to make the interoperability between companies much smoother and it actually increases security for a number of reasons. One of the reasons is that if they are sharing information with you, because you are a contractor and need access, but you leave the company that you are contracting for, then when your company disables your access, your access is also disabled in the customer tenant. 

That's the default "user_impersonation" permission, which translates to "Allow the application to access GIVEN_APP on your behalf." Nothing scary :)

Now that I'm rereading the message, are you actually seeing this prompt when redeeming the Teams invite? It should not appear in that scenario, perhaps you can share a screenshot?

Related Conversations