Microsoft Tech Community

AAD Guest Users and SPO list/library access

There is a list in a SharePoint site. I want to permit a guest to create and to modify list entries (i.e., “contributor” rights). The guest person is already a guest user object in AAD. I’ve broken permissions between the list and its site.

1. When I try to give the guest user permission from the list settings/permissions page, the dialog cannot identify the person. (I could add their e-mail address here, but since SPO didn’t recognize the name or address as a guest user’s, I’m concerned that SPO wouldn’t connect the two pieces of data and so I wouldn’t be able to control the person generally from AAD.)

2. When I create a group in AAD with the guest user as a member, SPO does not recognize the group when I try to give the group permission from the list settings/permissions page.

3. I can create a group at the SPO subsite level to give that group permission from the list settings/permissions page, but I couldn’t add the AAD guest user as a member.

So:

A. How should I be giving this AAD guest user Contributor privileges to one specific SPO list?

B. How should I be giving an AAD group of AAD guest users access to one specific SPO list or document library?

1. The user account listed for the guest is to be used on the list; this will say external, but it will use the same account.

2. The group should be listed as a security group in the Azure portal in order for SPO to recognize and utilize it.

@Chris Webb

1. The AAD guest user account is not recognized by SPO in the permission-granting dialog, when I enter the name or e-mail prefix. (Did you mean something else?)

2. The domain group (AAD security group) in which the guest user is a member is recognized by SPO in the permission-granting dialog. Yesterday I might not have waited long enough for the data to sync on Msft's side.

From some testing, one explanation that appears possible, if not reasonable, is that domain security groups will be recognized, but that individual guest users will be recognized only if they have already accessed SPO resources through a file or folder sharing invitation. Is that possible?

Correct, once they access it, it will recognize them when they are in the site collection user list. But to add an existing guest you need to use their full e-mail. It'll say external user etc., but it will still map to the existing guest account.

@Chris Webb

When I try to add this user by their e-mail address, SPO won't recognize it or allow me to click or tab out of the field. (I thought I had done this successfully yesterday, but perhaps not.) See the attached image.

Hmm. Gonna have to go check sharing settings for that site in SPO Admin. Seems like external users is off.

@Chris Webb

In SPO: "New and Existing Guests" is the sharing setting for both the organization and the root-level site that all of the sites/lists I tested are part of. (Rambling sentence, but hopefully clear.)

In AAD: Under "External Collaboration Settings," everything seems to be toggled correctly, although this seems irrelevant to the task at hand. The specific external has already authenticated.

@Chris Webb Any new insights after my reply to this, that 'new and existing guests' is enabled?

Only thing I know to try, and I just did it, is to use the modern interface to invite your guest to something on the site using the Share button on the list, to an individual item. Once you do this, they are added into the site's user list, and then they will be available to select when sharing the entire list.

Use the "Specific people" option.

That Modern Sharing dialog looks for and sees external users in the org to select. So once added there, you can then add them to the full list.

@Chris Webb It seems to go like this:

  • For both lists and document libraries, it is possible to make the external guest available for sharing by sharing a document library file or folder with them. Sharing a site should also work, but I haven't tested it. Once they redeem the sharing invitation, they're known to SPO, and they could be given access permissions to a SharePoint list.
  • It is not possible to provide access permission directly (i.e., without a group) to an external guest who has not previously accessed SPO. (It is possible to do so from a document library, but not from a list.)
  • It is possible to provide list access permission to an external guest who has not previously accessed SPO by first inviting them to redeem status as a guest in Azure AD; then, after they redeem, adding them to an Azure AD security group; and finally giving that security group access permission to the list.

At least this has been my experience. I'd be interested to hear anyone's views of other ways to go.
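The third bullet above (invite the guest in Azure AD, put them in a security group, grant that group Contribute on the one list), written out as an added PowerShell example; it is not code from the thread or from Microsoft. It assumes the Microsoft.Graph and PnP.PowerShell modules, and every URL, list name, group id and address is a placeholder; the `c:0t.c|tenant|<objectId>` claim form for Azure AD security groups is an assumption about how SPO names such principals, not something the thread states.

```powershell
# Added example, not from the thread. All values below are placeholders.
$SiteUrl   = "https://contoso.sharepoint.com/sites/projectx"   # placeholder
$ListName  = "Vendor Requests"                                 # placeholder
$GroupId   = "00000000-0000-0000-0000-000000000000"            # placeholder: AAD security group objectId
$GuestMail = "partner@example.com"                             # placeholder

# 1. Create the B2B guest in Azure AD. The user object exists as soon as the
#    invitation is sent; the poster above waited for redemption before step 2.
Connect-MgGraph -Scopes "User.Invite.All", "GroupMember.ReadWrite.All"
$inv = New-MgInvitation -InvitedUserEmailAddress $GuestMail `
                        -InviteRedirectUrl $SiteUrl -SendInvitationMessage:$true
$guestId = $inv.InvitedUser.Id

# 2. Membership in the AAD security group is what SPO will recognise (bullet 3).
New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $guestId

# 3. Grant the group Contribute on this list only (least privilege: not Edit or
#    Full Control, and nothing granted at site level).
Connect-PnPOnline -Url $SiteUrl -Interactive   # newer PnP builds also need -ClientId
$list = Get-PnPList -Identity $ListName
if (-not (Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments)) {
    # Stop inheriting from the site without copying the site's assignments
    # (the original poster had already done this by hand).
    Set-PnPList -Identity $ListName -BreakRoleInheritance -CopyRoleAssignments:$false
}
$groupClaim = "c:0t.c|tenant|$GroupId"        # assumed claim form for AAD security groups
New-PnPUser -LoginName $groupClaim | Out-Null   # ensure the principal is in the site user list
Set-PnPListPermission -Identity $ListName -User $groupClaim -AddRole "Contribute"

# 4. Verify: print every principal on the list with its roles, so a broader
#    grant (Edit, Full Control) or a leftover inherited assignment is visible.
$ras = Get-PnPProperty -ClientObject $list -Property RoleAssignments
foreach ($ra in $ras) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $roles = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
    "{0,-60} {1}" -f $ra.Member.LoginName, $roles
}
```

The verification loop in step 4 is worth running on its own after any manual change in the list permissions page, since it shows exactly which principals hold which role on the list rather than what the site inherits.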