Guest Users vs. External Users

At this point, I cannot see any difference between the two wordings: it appears to me that "Guest User" and "External User" have exactly the same meaning, with the former being only a more "modern" wording. Am I correct?

On the other hand, "Guest User" is frequently used in Microsoft documentation when speaking about Groups, and this IMO creates a lot of confusion with "Guest Member", which is a separate concept (in fact, I believe that a "Guest Member" of a Group is always a "Guest User", but not necessarily vice versa).

Am I missing something?

cc @Juan Carlos González Martín @Vasil Michev

I agree there is a confusion around both terms that should be clarified... indeed, to make it even more difficult, you can create "guest users" in Office 365 and then you will be able to invite them as external users in SPO Sites. By the way, adding here some folks to discuss about this: @Tony Redmond @Vasil Michev @Christophe Fiessinger

Valid remark! Looking forward to this discussion.

I've been using the terms interchangeably, whether Microsoft puts a different meaning to those or not :)

best response confirmed by Salvatore Biscari (Silver Contributor)
Solution

We use the terms interchangeably at Microsoft as well. External user is an older term from back when all "guests" in the directory authenticated outside of the home tenant. When we added support for managed guest users (i.e. the user authenticates inside the home tenant), the "external" piece stopped making sense and "guest user" was born.

And as with many of these types of things, we ended up using both names to refer to the same set of features. If there is a feature/scenario where this language does make a difference, we try to make sure it's clearly labeled to avoid confusion.

Thanks,

Stephen Rice

OneDrive Program Manager II

Thank you, @Stephen Rice. Very interesting!

Can you please elaborate a bit about the two different types of authentication?

(I have not yet "connected the dots"... :-))

My pleasure! To make this easier, let's imagine we have your tenant, Contoso, and you're working with my tenant, Fabrikam.

Technically, if you share to me at Fabrikam, when I authenticate in your tenant, I actually sign in to Fabrikam's tenant, then access the Contoso tenant. Thus, I am a guest in your directory and authenticate externally.

On the other hand, Contoso IT might be very strict and so they create a Contoso account that I sign into at Contoso, and my account is just marked as a guest. Thus I authenticated internally, even though I am still a guest user.

Both users are "guests" but, technically, only the first is an "external user". We don't really expose these as different scenarios though, which is why the language is mixed.

Hope that makes sense!

Stephen Rice

Program Manager II

@Stephen Rice

Thank you very much for the explanation.
If I understand correctly:

  • In the first scenario, the sharing starts from a Contoso user with the invite of a Fabrikam user. Initially the Contoso tenant does not know the credentials of the Fabrikam user, so, when the Fabrikam user accepts the invite for the first time, he must be authenticated by the Fabrikam tenant. Hence the Fabrikam user is initially an external user to Contoso. (Also, if after the first access a corresponding Contoso guest user is automatically created in the Contoso directory, then subsequent accesses will be authenticated directly by the Contoso tenant, correct?)
  • In the second scenario, Contoso IT directly creates a user in the Contoso directory, specifying the user's credentials immediately. Hence the user is from the first moment a guest user to Contoso, i.e. he is from the first moment authenticated by the Contoso tenant.

Am I missing something?

Almost got it!

In that first case, the user will always authenticate with Fabrikam, not Contoso. Here are the two flows:

  • Stephen (a member of Contoso) invites Salvatore (a member of Fabrikam) to a document in the Contoso tenant. Salvatore receives an invitation mail.
  • When Salvatore clicks on the link in the mail, he goes through the invitation acceptance process, which results in the creation of an account in the Contoso tenant. This is really kind of a sub account though, as Salvatore will always authenticate at Fabrikam.
  • When he attempts to access content, he will land at Azure Active Directory, which recognizes that though he is logging into Contoso, he authenticates with Fabrikam.

In the second case, Salvatore's user account is actually managed by Contoso (for example, Contoso admins could reset his password) and it is not tied in any way to his Fabrikam account. Thus, in the first case, Salvatore authenticates externally to the tenant, while the second case has him authenticate internally to the tenant.

Hopefully that made sense :)

Stephen Rice

OneDrive Program Manager II

Thanks! Now it is really clear!

My pleasure!

Stephen Rice

Stephen, I am having similar issues with users from this company called Microsoft! Fabrikam and Contoso and Live and Hotmail all work fine but Guest users with @Pernille-Eskebo.com are struggling. Q: Does MSIT follow these rules and do Microsoft accounts act as normal guests or externals? NB: I really mean blue badge, not people with a "Microsoft Account", that's another whole ball of wax!

Oh don't even get me started on that thing! Makes discussions internally fun when you say things like "And then you need to sign in with your Microsoft account" :D

Can you send me a PM with the issues you are having though? Thanks!

Stephen Rice

OneDrive Program Manager II

Dear Stephen,

I fear that it might be late to post into that conversation, but I try as we are struggling with a similar problem and we don't know how to progress.

We have external guests invited to some content created by our company in a SharePoint group. They have access to the files, logging in with their own emails (which also have to be registered at microsoft.com). And they are able to view the file the first time, but when they try to access it the second time their emails are not recognised.

Any suggestions on how we should solve it?

Thanks a lot for your help

Inigo Adin

Hi @Inigo Adin,

I've replied to your private message and we can work through this there. Thanks!

Stephen Rice

OneDrive Program Manager II

Hi Stephen,

This is an interesting topic and I do have a few questions for you.

Stephen (a member of Contoso, which uses Azure AD) invites Salvatore (a member of Fabrikam, which doesn't have an enterprise Azure Active Directory, meaning it uses on-premises AD (2008) and IBM web sign-on for email and many web apps).

Now Stephen invites Salvatore to the Contoso tenant. As usual, an invite email is sent to Salvatore and on clicking accept it will ask him to create a password. After creating the password, Salvatore is successfully invited to the Contoso tenant. As he doesn't have Azure AD, how can he reset the password for Contoso tenant access if he forgets the password he created during the invite? Who has the ability to reset his password?

Looking forward to your input here. Thank you for your time.

Hi @Bharath Bharadwaj,

When Stephen "invites" Salvatore, where are you assuming the action takes place? Is this in SharePoint or OneDrive? Or in Azure? Thanks!

Stephen Rice

Thanks Stephen for the info.

One additional question: let's imagine that Salvatore cannot properly redeem the invitation sent from you because he cannot authenticate at Fabrikam (e.g. he cannot create the account at Fabrikam with his Fabrikam email address).

As a workaround, the admin at Contoso resets the password of his "sub account" (e.g. Salvatore_EXT_Fabrikam@Contoso.onmicrosoft.com) so he can access Contoso resources using the "sub account" credentials.

Can you explain how the 2 accounts (Contoso and Fabrikam) are related before and after this password reset action?

Thanks,

Hi @Alberto Schiavon,

That is actually a very good question that I don't have a good answer to. I'm adding @Sarat Subramaniam, who is an expert on AAD & guest integration and may know the answer. Thanks!

Stephen Rice

OneDrive Program Manager II

@Alberto Schiavon it's always going to depend on the login used. The guest account on the Contoso side doesn't have its own set of login and credentials; even though you can reset the password, it doesn't matter, because any time you use Microsoft's login page and enter the Fabrikam login, it's going to authenticate to the Fabrikam Azure AD. There is just a trust relationship built there: once you authenticate, you can go to resources via that guest user on Contoso's Azure with that linked guest account.

So in essence, resetting that password has no effect on anything, since you never actually use that password to authenticate that account (it gets directed to their domain).
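To make the distinction discussed in this thread concrete, here is an added example (not from the thread, Microsoft or any of the posters) that classifies constructed user records, modelled on Microsoft Graph user properties (userType, identities, externalUserState), into members, external guests (federated sign-in at their home tenant) and managed guests, and flags which of them a password reset in the Contoso tenant would actually affect. The sample data, the issuer domain values and the HOME_TENANT_ISSUER constant are assumptions.

```python
import json

# Constructed sample of Graph-style /users records as seen from the Contoso
# tenant. The records and the "issuer" domains are made up for illustration.
HOME_TENANT_ISSUER = "contoso.onmicrosoft.com"  # assumed home tenant domain

SAMPLE_USERS = json.loads("""[
 {"userPrincipalName": "stephen@contoso.onmicrosoft.com", "userType": "Member",
  "identities": [{"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com"}]},
 {"userPrincipalName": "salvatore_fabrikam.com#EXT#@contoso.onmicrosoft.com",
  "userType": "Guest", "externalUserState": "Accepted",
  "identities": [{"signInType": "federated", "issuer": "fabrikam.com"}]},
 {"userPrincipalName": "contractor@contoso.onmicrosoft.com", "userType": "Guest",
  "identities": [{"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com"}]},
 {"userPrincipalName": "pending_fabrikam.com#EXT#@contoso.onmicrosoft.com",
  "userType": "Guest", "externalUserState": "PendingAcceptance",
  "identities": [{"signInType": "federated", "issuer": "fabrikam.com"}]}
]""")


def classify(user, home_issuer=HOME_TENANT_ISSUER):
    """Return 'member', 'external-guest' or 'managed-guest' for one user record."""
    if user.get("userType") != "Guest":
        return "member"
    identities = user.get("identities", [])
    federated = any(i.get("signInType") == "federated" for i in identities)
    foreign_issuer = any(i.get("issuer") not in (None, home_issuer) for i in identities)
    if federated or foreign_issuer:
        return "external-guest"  # credentials live at the home tenant (Fabrikam)
    return "managed-guest"       # credentials live in Contoso; Contoso admins manage them


def local_password_reset_matters(user):
    """True only when a Contoso password reset changes what the user signs in with."""
    return classify(user) != "external-guest"


def audit(users):
    """Map each UPN to its class, pending-redemption flag and reset relevance."""
    return {
        u["userPrincipalName"]: {
            "class": classify(u),
            "pending": u.get("externalUserState") == "PendingAcceptance",
            "local_reset_matters": local_password_reset_matters(u),
        }
        for u in users
    }


if __name__ == "__main__":
    for upn, info in audit(SAMPLE_USERS).items():
        print(f"{upn:60} {info}")
```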
