Forum Discussion
SharePoint Guests vs Azure AD Guests
Hi Maxwell Shifman,
Hopefully I can shed some light here :)
At the moment, when you share to an entirely new person (i.e. never been shared to before) from ODB and share via the "specific people" option, one of two things can happen. If the recipient is an O365 user, when they redeem the link, they will be added to your directory as a full guest user (note that there are some cases where this may not occur). If they are not an O365 user, they are only instantiated on that site collection (or OneDrive).
This will all change in a few months when we fully migrate over to Azure B2B as the backing guest account service for ODB/SPO (as announced/demo'd at Ignite). Once done, all new shares will result in guest accounts being created.
The biggest difference between guest account created/not created is how you apply management & policy to those users.
Hope that helps!
Stephen Rice
OneDrive Program Manager II
- roniy | Jul 05, 2020 | Brass Contributor
Hi StephenRice
Could you please update whether currently, every share creates a guest user in AAD?
Thanks
- StephenRice | Jul 06, 2020 | Microsoft
Hi roniy,
As of this moment, the answer is no, every share (from OneDrive or SharePoint) does not create a guest user. Some do (as discussed above) but the Azure B2B integration I mentioned previously is still opt-in at the moment. Hope that helps!
Stephen Rice
Senior Program Manager, OneDrive
- roniy | Jul 07, 2020 | Brass Contributor
Thank you StephenRice for the quick reply.
I would like to understand exactly in which cases a guest user is created. Is there any documentation about this you can point me to?
- JonasBack | Apr 15, 2021 | Steel Contributor
StephenRice Just wondering about the "Azure B2B as the backing guest account service for ODB/SPO"? Are all tenants now using the new way of sharing?
- StephenRice | Nov 09, 2023 | Microsoft
JonasBack, the short answer is "it's complicated, but getting less so" 🙂
All new tenants as of June 2023 have Entra B2B Integration with SPO on by default. All guest sharing will go through B2B as a result.
For existing tenants, they can opt into using B2B in all cases if desired. Otherwise file/folder sharing will use B2B accounts (if the guest already exists) or SharePoint one time passcode (if they do not). Sharing a site with a guest will always use B2B. There are a few other minor edge cases that use the legacy SharePoint Invitation Manager but we are working on deprecating those.
Hopefully this all makes sense but let me know if you have any questions!
Stephen Rice
Principal Product Manager, OneDrive
- JonasBack | Nov 10, 2023 | Steel Contributor
StephenRice It's mainly the scenario when sharing a file/folder (if the user does not exist) that I'm wondering about - any timeline for when this will default to B2B rather than SharePoint OTP?