cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Add/Remove External Guest User from SP Site behavour in Azure/365

T11EJD
Copper Contributor

‎Jan 08 2020 03:45 AM

‎Jan 08 2020 03:45 AM

Add/Remove External Guest User from SP Site behavour in Azure/365

Hi,

 

Adding external "User1" from within SP (Sharing Site) creates guest "User1" in Azure and 365Admin consoles.

Removing same external User1 from SP does not remove guest user1 in Azure and 365Admin consoles.

 

Q1. Is this by design? That User1 can be 'auto' added to Azure(AD) from SP but not correspondingly removed from Azure(AD) when removed from SP site.

 

Q.2 Is there a way to change this behaviour? As otherwise Azure(AD) is going to fill up with Guest Users, who although removed from a SP site are still available (presumably?) to be accidentally added by another Member User (with add guest user permissions) to say a OneDrive file or other feature.

 

Thank you

2,413 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by T11EJD (Copper Contributor)
oliwer_sundgren

‎Jan 08 2020 10:40 AM

‎Jan 08 2020 10:40 AM

Solution

Re: Add/Remove External Guest User from SP Site behavour in Azure/365

Hello@T11EJD ! 

I will answer your questions below (A1 for Q1 and A2 for Q2)

 

A1: Yes this is by design. When you invite an external user to a Sharepoint file or folder, a guest account in your companies Azure AD needs to be created. This is to make sure that the guest users are authenticated and get any security ( Conditional access ) policies for example. 
This is the same behavior as inviting an external user to Teams. 

 

A2: No, as long as external users need to athenticate then they will need to have a guest account. 

If you however share a document with an anonymous link, then they dont need a guest account. 

 

Automaitcally removing guest users when removed from a sharepoint site could be troublesome. Imagine if that guest user was a member of 3 different sites, that would mean they would loose access to all 3 sites. 

 

Guest users in Azure AD is not a problem, just make sure, like with any users, that you do an audit of what users you have and what users you can terminate. 

 

I hope this answered your questions! 
Let me know if you have further questions or if my replies are unclear! 

Kind Regards
Oliwer Sjöberg

1 Like
Reply
Vasil Michev

‎Jan 09 2020 12:58 AM

‎Jan 09 2020 12:58 AM

Re: Add/Remove External Guest User from SP Site behavour in Azure/365

You have features such as Access Reviews and the recently released Entitlement management to address #2. In particular, Entitlement management can be used to govern the whole process, from adding an external user to the directory, granting him access to SPO, removing access, removing the user altogether. But it requires Azure AD P2 licenses. Here's the documentation: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

2 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by T11EJD (Copper Contributor)
oliwer_sundgren

‎Jan 08 2020 10:40 AM

‎Jan 08 2020 10:40 AM

Solution

Re: Add/Remove External Guest User from SP Site behavour in Azure/365

Hello@T11EJD ! 

I will answer your questions below (A1 for Q1 and A2 for Q2)

 

A1: Yes this is by design. When you invite an external user to a Sharepoint file or folder, a guest account in your companies Azure AD needs to be created. This is to make sure that the guest users are authenticated and get any security ( Conditional access ) policies for example. 
This is the same behavior as inviting an external user to Teams. 

 

A2: No, as long as external users need to athenticate then they will need to have a guest account. 

If you however share a document with an anonymous link, then they dont need a guest account. 

 

Automaitcally removing guest users when removed from a sharepoint site could be troublesome. Imagine if that guest user was a member of 3 different sites, that would mean they would loose access to all 3 sites. 

 

Guest users in Azure AD is not a problem, just make sure, like with any users, that you do an audit of what users you have and what users you can terminate. 

 

I hope this answered your questions! 
Let me know if you have further questions or if my replies are unclear! 

Kind Regards
Oliwer Sjöberg

View solution in original post

1 Like
Reply