Forum Discussion
Guest Users vs. External Users
- May 15, 2017
We use the terms interchangeably at Microsoft as well. External user is an older term from back when all "guests" in the directory authenticated outside of the home tenant. When we added support for managed guest users (i.e. the user authenticates inside the home tenant), the "external" piece stopped making sense and "guest user" was born.
And as with many of these types of things, we ended up using both names to refer to the same set of features. If there is a feature/scenario where this language does make a difference, we try to make sure it's clearly labeled to avoid confusion.
Thanks,
Stephen Rice
OneDrive Program Manager II
Thanks Stephen for the info.
One additional question: let's imagine that Salvatore cannot properly redeem the invitation sent from you because he cannot authenticate at Fabrikam (e.g. he cannot create the account at Fabrikam with his Fabrikam email address).
As a workaround, the admin at Contoso resets the password of his "sub account" (e.g. Salvatore_EXT_Fabrikam@Contoso.onmicrosoft.com) so he can access Contoso resources using the "sub account" credentials.
Can you explain how the 2 accounts (Contoso and Fabrikam) are related before and after this password reset action?
Thanks,
Alberto Schiavon, it's always going to depend on the login used. The guest account on the Contoso side doesn't have its own set of login and credentials. Even though you can reset the password, it doesn't matter, because anytime you use Microsoft's login page and enter the Fabrikam login, it's going to authenticate to the Fabrikam Azure AD. There is just a trust relationship built there, so that once you authenticate you can go to resources via that guest user on Contoso's Azure with that linked guest account.
So in essence, resetting that password has no effect on anything, since you never actually use that password to authenticate that account (it gets directed to their domain).
- Alberto Schiavon, May 01, 2018, Brass Contributor
Deleted
I was not clear enough, sorry: occasionally, as a workaround, I used to send as "alternative credentials" the Contoso (my company's tenant) login and password using the Reset Password option in the Admin Center, as the user could not create an account at Fabrikam (his company's tenant). The login used was something like john.smith_EXT_Fabrikam@Contoso.onmicrosoft.com (clearly a Contoso account), which was created automatically when inviting the guest john.smith@fabrikam.com.
I said "I used to" as it seems that the option to reset the password for a guest user has been removed from the Admin Center, and if you use the Azure AD you get the error message "The password can not be reset. This may be due to an incorrect level of administrative privilege or if trying to reset your own password."