New external member of security group: user or no user?

Joseph Nierenberg · ‎Dec 29 2021

We have to add two externals to a security group in AAD. They are not currently users. It appears that I could invite them into the group through AAD, even if they are not users; but to invite them through the M365 admin center, they would have to be users. What are the factors to consider on whether to make them users first and then invite them, or to try through AAD to invite them without making them external users first? The purpose of the group is to control access to a SPO document library.

Vasil Michev · ‎Dec 30 2021

Users have extended access to resources within your tenant, compared to Guests. Read here for detailed comparison: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

ChristianJBergstrom · ‎Dec 30 2021

I'm not sure Vasil is answering your question here, is he? There are members and guests, I assume you're asking about the difference of adding an external user from Azure AD compared to the group/team/site? If adding from Azure AD you have some additional options as to what give access to etc. (and you're the one doing it), if adding (i.e. sending invite) from SPO there's simply the permissions to that particular site, and also not necessarily you that is sending that invite.

Joseph Nierenberg · ‎Dec 31 2021

I think Vasil's answer is partway there. The choice is between adding a user from the M365 admin portal--not SPO--or from AAD. SPO already has permissions assigned to a security group. I need to add two persons to that group who are not in my organization. In the past, I've added them first as guest users in AAD, and then added them to the group. From the M365 admin portal, that is necessary, because otherwise it appears that I cannot add someone with just an e-mail address; however, from AAD, I *could* add someone to a security group with just an e-mail address. So the question is whether I should just do that, or whether it would be better for some reason to add them first as a guest user.

Joseph Nierenberg · ‎Jan 03 2022

@Joseph Nierenberg Hi, my apologies for the late reply, I've had some time off. I'm not sure I understand you here, if you add (i.e. invite) directly to the security group from AAD you'll send an invite just as if you were adding the guest user from AAD -> Users "New guest user". When going to the M365 admin portal you must have added the guest user beforehand.

I'm pretty sure Vasil was talking about the built-in default permissions for the user type "guest" which can be set here

Restrict guest user access permissions - Azure Active Directory | Microsoft Docs

Joseph Nierenberg · ‎Jan 03 2022

@Joseph Nierenberg Hi, my apologies for the late reply, I've had some time off. I'm not sure I understand you here, if you add (i.e. invite) directly to the security group from AAD you'll send an invite just as if you were adding the guest user from AAD -> Users "New guest user". When going to the M365 admin portal you must have added the guest user beforehand.

I'm pretty sure Vasil was talking about the built-in default permissions for the user type "guest" which can be set here

Restrict guest user access permissions - Azure Active Directory | Microsoft Docs

View solution in original post

New external member of security group: user or no user?

New external member of security group: user or no user?

Re: New external member of security group: user or no user?

Re: New external member of security group: user or no user?

Re: New external member of security group: user or no user?

Re: New external member of security group: user or no user?

Re: New external member of security group: user or no user?

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

New external member of security group: user or no user?