Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Guest user with Global admin role

Steel Contributor

Hi 

 

I was, a while ago, told by an MVP that the "correct" way for granting External Consultants access to O365 - was to create them as 'Guest users' (and using their private/corporate email) and then assign them the appropriate 'Directory role' like the SharePoint Administrator role - however, doing this, the Consultant - gets into AAD  - but when trying to access https://tenant-admin.sharepoint.com he's getting no access - and the message this site isn't externally shared. 

Can someone confirm that this is the "right way" to grant Consultants access - and what am I missing in order giving access? 
 

10 Replies
That is very strange, if the user has a SPO Admin Role, he/she should be able to browse the SPO Admin Center...by the way, It does not sound good to me giving an external user such a role in an Office 365 tenant
best response confirmed by Taen keren (Steel Contributor)
Solution

I'm with Juan here. While you can technically add admin roles to guest users or even create mailboxes for them, I've never seen a statement from Microsoft that this is supported. In fact, the only place I've seen Guest admin access work is the (old) Office 365 Admin Center.

@Vasil Michev  - thx - I'll have another (serious) "Chat" with the MVP that recommended this way... 

@Taen keren Hi!, what did you do at the end?, could you give the guest user the global admin role and that user could have access to the admin center?

@Taen keren I know, this thread is already old. We are currently struggling with the same topic. Did you find a way to add a Guest to Global Admin (or SP Admin) in order to use the Sharepoint admin center?

I had to change member type via powershell from Guest to Member. This workaround does the job, means the user can access the admin center. Nevertheless, it is an ugly solution. In addition, we do have another problem when accessing further admin centers. The invited admin always jumps into its own Tenant and we didn't find a way to change this behavior... so far.

@AOEHApparently this scenario just work when you want to add a guest in Azure AD. Didn't find a solution for the Microsoft 365 admin center.

no not solved

@Devryk 

Yes, this solution only works to get proper permissions but... It looks to me as if the only multi tenant capable console is Azure Portal. We had to create a dedicated Admin for our partner. Very ugly solution but currently the only way to get what we want. Microsoft has to provide multi tenant support for all the consoles.

Okay, it has been over a year since this was initially raised. Has Microsoft addressed this issue? They, and the MVPs push the "guest" account access fairly heavily, but if the user can't access the required resources with a guest account, even with GA privileges, then we are left to create a member account and the user is required to track an additional set of credentials. This would seem to defeat the entire purpose of guest accounts.
Unfortunately this isn't resolved yet. Delegated Admin privileges works towards resolving this for CSP partners but granular permissions (GDAP) are not available (yet!)

https://practical365.com/identifying-potential-unwanted-access-by-your-msp-csp-reseller/
1 best response

Accepted Solutions
best response confirmed by Taen keren (Steel Contributor)
Solution

I'm with Juan here. While you can technically add admin roles to guest users or even create mailboxes for them, I've never seen a statement from Microsoft that this is supported. In fact, the only place I've seen Guest admin access work is the (old) Office 365 Admin Center.

View solution in original post