
Best practice to add guest to AAD?


I could give a guest access to SPO directly from the site's permissions settings, and I could give a guest access to Teams directly from the Teams interface (at least in a channel, if not in chat). Is there any reason not to first register the guest(s) in AAD?

21 Replies
It all depends on how your org works. Users can't add users in AAD! If you want to control what guests are invited into the organization, pre-adding them is a good way to have control! Then you can set permissions for users to add the guests that are already in the tenant!
Most orgs want users to be able to add guests themselves via sharing, Teams etc.

Also a scenario to pre-add in AAD is if you collaborate with another company and want all those users as guests; it's a good idea to mass import them into AAD.
Just to clarify my previous post! Users can add guests if it's set up this way via Teams, SharePoint! This happens automatically! However they cannot pre-add into AAD.

Hi. Thanks. Yes, I should have added that I'm aware of the differing abilities of users and admins to add guests in AAD. I think your reply implicitly answers the question, though, that there is no downside, and potentially some upsides, to pre-adding a guest in AAD. My actual situation is that there are two externals with whom I need regularly to chat across a number of different projects. I could add them into a Teams channel without pre-registering them in AAD, but sometimes the chats need to be outside the project-oriented Teams channels. To add them as a contact in Teams chat, I think I'll need to pre-register them as guest users in AAD. Sounds like there's no reason not to do that--right?

Hi Joseph,

The short answer is no – both ways create "shadow" accounts in your tenant, which the B2B user then needs to redeem before use.

https://docs.microsoft.com/en-us/azure/active-directory/b2b/redemption-experience

Some customers manage and restrict account creation using the B2B portal, or create B2B accounts for their users to then assign to resources.

If you'd like to restrict B2B account creation, please refer to the 'External collaboration settings' blade.

Hope this helps.

 

Hi!
They will already be guests in AAD, created during the invitation process to Teams.

Apologies, didn't see the other replies :)

If you'd like to move B2B invitations away from SPO/Teams, try the B2B portal or delegate the Guest Inviter role to one of the 3rd party's B2B accounts.

https://docs.microsoft.com/en-us/azure/active-directory/b2b/delegate-invitations

https://docs.microsoft.com/en-us/azure/active-directory/b2b/self-service-portal

To answer your question regarding Teams. If you just need to chat with them you can use federation (external access needs to be enabled in the admin center on both sides) and just click new chat, type in their address and do so.

However if you have added them to a Team and you want to have a private chat, you can still do so just by clicking new chat and typing their name. Once a guest is invited to a Team you have the ability to then chat with them.

Keep in mind this will house the chat in your tenant, and they will have to tenant switch in the client to your tenant to participate in that chat. The only way to prevent this is to not have them as a guest and use the chat federation, but then they can't be in a Team. It's a mess, but Microsoft says they are working on updating this, it'll just be a while, but those are the 2 situations and how the chat works when dealing with guests.

Some other benefits of pre-adding them is that you can add additional attributes, control the groups they go into and use the Access Review process to help confirm that they still belong on a routine schedule.
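The two admin-side controls the thread keeps coming back to (who is allowed to invite guests, per the External collaboration settings blade, and pre-adding a guest into a group so Access Reviews can later confirm they still belong) can both be driven from Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, the signed-in admin holds the listed permissions, and the e-mail address and group name are placeholders.

```powershell
# Added example (not from the thread): inspect the guest-invite policy and
# pre-register a B2B guest the way the replies above describe.
# Assumes the Microsoft.Graph module and an admin with these delegated scopes.
Connect-MgGraph -Scopes "User.Invite.All", "Policy.Read.All", "GroupMember.ReadWrite.All"

# 1. Who may invite guests? This is the 'External collaboration settings' blade as Graph sees it.
#    Possible values: everyone | adminsGuestInvitersAndAllMembers | adminsAndGuestInviters | none
$policy = Get-MgPolicyAuthorizationPolicy
"Guest invites allowed from: $($policy.AllowInvitesFrom)"
if ($policy.AllowInvitesFrom -eq 'everyone') {
    Write-Warning "Anyone, including existing guests, can invite new guests into this tenant."
}

# 2. Pre-add the guest. This creates the 'shadow' account mentioned above, which the
#    external user still has to redeem before it is usable.
$guestEmail = "external.partner@example.com"            # placeholder address
$invite = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
    -InvitedUserDisplayName "External Partner (example)" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage:$true
$guest = $invite.InvitedUser
"Created guest object $($guest.Id); invitation status: $($invite.Status)"

# 3. Scope the guest's access through a group rather than ad-hoc sharing, so the
#    membership can later be put under an Access Review.
$group = Get-MgGroup -Filter "displayName eq 'Partner-Collaboration'"   # placeholder group
if ($group) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $guest.Id
}

# 4. Inventory: guests that were invited but never redeemed (candidates for cleanup).
Get-MgUser -Filter "userType eq 'Guest'" -Property DisplayName, Mail, ExternalUserState |
    Where-Object { $_.ExternalUserState -ne 'Accepted' } |
    Select-Object DisplayName, Mail, ExternalUserState
```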


@Chris Webb wrote:
federation(external access needs enabled in admin center on both sides)

they will have to tenant switch in the client to your tenant to participate in that chat. The only way to prevent this is to not have them as a guest and use the chat federation, but then they can't be in a Team. It's a mess

Your first point on having to enable external access on both ends might well be why the "just add them to chat" didn't work. I'll test this weekend.

Your second point couldn't be truer. The idea of switching tenants makes fine sense in theory, and without pondering too much it probably makes good if not essential sense from a security/access management perspective, but it's extremely cumbersome.

I think the answer to all this is to enter the people in AAD when possible; develop some written or video guide to administratively enabling federated chat and send a link to collaborating entities; and hope for the best.

In this context, is there any point--at all--in entering an external as a mail user? We had to do that for a few guests in order to get them into mail-enabled security groups, but with the ability to add them into AAD as guests it seems that a 'mail user' is no longer necessary or appropriate for externals. Thoughts?

According to my testing, adding an external to the Chat blade in Teams, i.e., not adding them to a team in the Teams blade, only works if they have been pre-added as a guest in AAD (assuming all other settings are correct).

You do not have to add people to use the external federation "chat" tab, if everything is set up properly. You click new chat and type in their email and you should get a "search externally for x" underneath. If you are not getting this then something is going on with the config somehow.
Yes! What you are seeing is that Teams found your guest account when searching for a person in chat! It can be confusing because this will start a chat within your tenant (the person will see this when it's switched to your tenant!). Keep typing and search externally.
Well if they add people ahead of time and it has a match then they won't get the option to chat externally. It's one of the big disconnects between federation and having a local account that can get tricky to understand.

@Chris Webb wrote:
You do not have to add people to use external federation “chat” tab. If everything is setup properly. You click new chat and type in their email and you should get a “search externally for x” underneath. If you are not getting this then something going on with config somehow.

When everything is configured properly on my end to Teams with externals, and I click on the Chat tab to start a new chat, and enter the name of an external person who is not in my AAD, Teams responds with, "We didn't find any matches." Note that I have no idea how the organizations for those externals have configured their own Teams.

 

So, given that experience and the earlier replies here, would it be correct to state the following:

  • I can chat (not in a team) with an external who is a guest in my AAD if their Teams is configured for external chat (I do this presently);
  • I cannot chat with an external who is not in my AAD if their Teams is not configured for external chat (I receive the "We didn't find any matches" message); and
  • My experience is inconclusive on whether I can chat with an external who is not in my AAD if their Teams is configured for external chat?
Interesting. Because in the mobile app I can chat with a guest or use federation. I couldn't do that on the desktop client previously. They either added it or only mobile can do it; I will test when I get home.

If you chat with a guest user they are switching to your tenant to chat with you most likely.

Anyway if you want to test federation use turismon@webbtech.org it has open federation you could send a message to.
I’ve been able to use federation from the desktop client when same mail is used as guest in my AAD! This was tested not long ago though

Adam
best response confirmed by Joseph Nierenberg (Iron Contributor)
Solution
Yeah, working on Desktop now, you used to not be able to pick, not sure when it got added, but it's there now :).

Anyway, so bottom line here, you should be able to choose; having a guest is not required. Test with my tenant if you wish, but if it works, and you can't do that with someone you're trying to reach and you don't get the "search externally for" and it doesn't connect, then they must not have their end configured, but inviting them or adding them as a guest to your tenant allows them to tenant switch to chat, which isn't the same as federation.

Anyway, let us know if you have other questions or need help with more testing.

I really wish out of the box it would disable the guest access for everyone. This was flagged by our security team because of the nature of business my company does. I think it should be turned off, but I am most likely in the minority in this one.

No, I think I'm good. Thanks for letting me test. Just one note: adding as a guest does not require tenant switching if the conversation is under the Chat tab instead of the Teams tab. Again, thanks for sticking with this thread.