cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SharePoint Guests vs Azure AD Guests

%3CLINGO-SUB%20id%3D%22lingo-sub-338247%22%20slang%3D%22en-US%22%3ESharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-338247%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20trying%20to%20understand%20the%20use%20of%20SharePoint%20Online%20Guests%20and%20the%20integration%20with%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20use%20External%20Sharing%20via%20SharePoint%2FOneDrive%20for%20Business%20extensively%2C%20with%20the%20default%20being%20to%20Specific%20People%20with%20email%20address%20enforcement.%20At%20the%20moment%2C%20I%20can%20keep%20track%20of%20all%20Accounts%20that%20have%20ever%20been%20shared%20to%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fintrapac.sharepoint.com%2F_layouts%2F15%2Fpeople.aspx%3FMembershipGroupId%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftenant.sharepoint.com%2F_layouts%2F15%2Fpeople.aspx%3FMembershipGroupId%3D0.%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20do%20not%20require%20manually%20adding%20Guest%20users%20to%20our%20Azure%20AD%2C%20and%20it%20is%20not%20our%20practice.%20Yet%2C%20when%20I%20go%20to%20Azure%20AD%20management%20(%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FUsersManagementMenuBlade%2FAllUsers%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FUsersManagementMenuBlade%2FAllUsers%3C%2FA%3E)%2C%20a%20subset%20(maybe%2050%25)%20of%20the%20external%20users%20that%20have%20been%20shared%20to%20via%20SharePoint%20are%20also%20shown%20as%20Guests%20in%20our%20Azure%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20I%20want%20to%20know%20is%3A%3C%2FP%3E%3COL%3E%3CLI%3EWhat%20is%20the%20trigger%20for%20an%20external%20user%20to%20be%20added%20automatically%20as%20a%20Guest%20to%20our%20Azure%20AD%3F%3C%2FLI%3E%3CLI%3EDo%20I%20need%20to%20keep%20users%20in%20our%20Azure%20AD%20as%20Guests%20if%20we%20are%20only%20sharing%20links%20via%20SharePoint%3F%3C%2FLI%3E%3CLI%3EIs%20there%20any%20additional%20benefit%20in%20ensuring%20external%20users%20are%20added%20as%20Guests%20in%20Azure%20AD%3F%3C%2FLI%3E%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-338247%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EPermissions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-353474%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-353474%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F32847%22%20target%3D%22_blank%22%3E%40Maxwell%20Shifman%3C%2FA%3E%20%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHopefully%20I%20can%20shed%20some%20light%20here%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20the%20moment%2C%20when%20you%20share%20to%20an%20entirely%20new%20person%20(i.e.%20never%20been%20shared%20to%20before)%20from%20ODB%20and%20share%20via%20the%20%22specific%20people%22%20option%2C%20one%20of%20two%20things%20can%20happen.%20If%20the%20recipient%20is%20an%20O365%20user%2C%20when%20they%20redeem%20the%20link%2C%20they%20will%20be%20added%20to%20your%20directory%20as%20a%20full%20guest%20user%20(note%20that%20there%20are%20some%20cases%20where%20this%20may%20not%20occur).%20If%20they%20are%20not%20an%20O365%20user%2C%20they%20are%20only%20instantiated%20on%20that%20site%20collection%20(or%20OneDrive).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20will%20all%20change%20in%20a%20few%20months%20when%20we%20fully%20migrate%20over%20to%20Azure%20B2B%20as%20the%20backing%20guest%20account%20service%20for%20ODB%2FSPO%20(as%20announced%2Fdemo'd%20at%20Ignite).%20Once%20done%2C%20all%20new%20shares%20will%20result%20in%20guest%20accounts%20being%20created.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20biggest%20difference%20between%20guest%20account%20created%2Fnot%20created%20is%20how%20you%20apply%20management%20%26amp%3B%20policy%20to%20those%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20that%20helps!%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EStephen%20Rice%3C%2FP%3E%0A%3CP%3EOneDrive%20Program%20Manager%20II%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-338277%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-338277%22%20slang%3D%22en-US%22%3EWhen%20you%20share%20a%20SPO%20Site%20with%20an%20external%20user%20he%20should%20be%20added%20also%20as%20external%20user%20in%20your%20Azure%20AD.%20Basically%20Azure%20AD%20is%20the%20hub%20that%20centrally%20manages%20how%20users%20(external%20and%20no%20external)%20can%20access%20to%20Office%20365%20services.%20Behind%20the%20scenes%20SPO%20and%20EXO%20have%20their%20own%20AD%20implementation%20that%20is%20bidirectionally%20synchronized%20with%20Azure%20AD%20so%20if%20an%20account%20is%20added%20to%20Azure%20AD%2C%20is%20going%20to%20be%20propaggated%20to%20SPO%20and%20the%20other%20way%20around%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-338249%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-338249%22%20slang%3D%22en-US%22%3EI%20subsequently%20found%20the%20blog%20post%20which%20explains%20the%20new%20Sharing%20Experience%20(%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSharePoint-Support-Blog%2FCoaching-your-guest-users-through-the-External-Sharing%2Fba-p%2F182739%23Classic%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSharePoint-Support-Blog%2FCoaching-your-guest-users-through-the-External-Sharing%2Fba-p%2F182739%23Classic%3C%2FA%3E).%3CBR%20%2F%3E%3CBR%20%2F%3EDoes%20this%20mean%20we%20can%20delete%20unneeded%20users%20from%20Azure%20AD%20and%20not%20lose%20their%20ability%20to%20access%20their%20existing%20links%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1504730%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1504730%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F181%22%20target%3D%22_blank%22%3E%40Stephen%20Rice%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20you%20please%20update%20whether%20currently%2C%20every%20share%20creates%20a%20guest%20user%20in%20AAD%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1505402%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1505402%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F573037%22%20target%3D%22_blank%22%3E%40roniy%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20of%20this%20moment%2C%20the%20answer%20is%20no%2C%20every%20share%20(from%20OneDrive%20or%20SharePoint)%20does%26nbsp%3B%3CEM%3Enot%3C%2FEM%3E%20create%20a%20guest%20user.%20Some%20do%20(as%20discussed%20above)%20but%20the%20Azure%20B2B%20integration%20I%20mentioned%20previously%20is%20still%20opt-in%20at%20the%20moment.%20Hope%20that%20helps!%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EStephen%20Rice%3C%2FP%3E%0A%3CP%3ESenior%20Program%20Manager%2C%20OneDrive%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1505950%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1505950%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F181%22%20target%3D%22_blank%22%3E%40Stephen%20Rice%3C%2FA%3E%26nbsp%3Bfor%20the%20quick%20reply.%3C%2FP%3E%3CP%3EI%20would%20like%20to%20understand%20exactly%26nbsp%3Bin%20which%20cases%20a%20guest%20user%20is%20created.%20Is%20there%20any%20documentation%20about%20this%20you%20can%20point%20me%20to%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1507201%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1507201%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F573037%22%20target%3D%22_blank%22%3E%40roniy%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20closest%20we%20have%20is%20this%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fwhat-s-new-in-sharing-in-targeted-release%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsharepoint%2Fwhat-s-new-in-sharing-in-targeted-release%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20that%20helps!%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EStephen%20Rice%3C%2FP%3E%0A%3CP%3ESenior%20Program%20Manager%2C%20OneDrive%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1509502%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1509502%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F181%22%20target%3D%22_blank%22%3E%40Stephen%20Rice%3C%2FA%3E!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELast%20question%3A%20is%20there%20a%20difference%20between%20sharing%20a%20site%20and%20sharing%20a%20file%2Ffolder%20in%20this%20regard%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1509846%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1509846%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F181%22%20target%3D%22_blank%22%3E%40Stephen%20Rice%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat's%20helpful%2C%20thanks!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EActually%20I%20was%20asking%20about%20the%20creation%20of%20guest%20users%20in%20AAD%20-%20is%20there%20a%20difference%20between%20sharing%20a%20site%20and%20sharing%20a%20file%2Ffolder%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20commented%20on%20a%20few%20different%20threads%20so%20sorry%20for%20the%20confusion%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1509725%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1509725%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F573037%22%20target%3D%22_blank%22%3E%40roniy%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDo%20you%20mean%20for%20the%20expiration%20feature%3F%20There%20is%20no%20difference%20for%20this%20feature.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGoing%20a%20little%20more%20technical%3A%20Each%20site%2FOneDrive%20has%20an%20object%20called%20the%20User%20Info%20Table%20which%20stores%20information%20about%20the%20users%20who%20have%20access%20to%20content%20(regardless%20of%20whether%20they%20were%20added%20to%20the%20entire%20site%20or%20to%20a%20single%20file%20or%20folder).%20This%20expiration%20feature%20adds%20an%20expiration%20date%20to%20that%20user's%20entry%20in%20the%20User%20Info%20Table%20so%20that%20when%20they%20expire%2C%20they%20lose%20access.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20that%20helps!%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EStephen%20Rice%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEDIT%20FOR%20POSTERITY%3A%20This%20probably%20belonged%20in%20a%20different%20thread%20and%20isn't%20directly%20related%20to%20this%20subject%20matter%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1509898%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1509898%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F573037%22%20target%3D%22_blank%22%3E%40roniy%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHa!%20You%20are%20totally%20right!%20My%20mistake%20%3A)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20answer%20your%20actual%20question%2C%20yes%2C%20there%20are%20differences%20between%20file%2Ffolder%20sharing%20and%20site%20sharing%20(especially%20when%20Azure%20B2B%20integration%20is%20disabled).%20Site%20sharing%20requires%20account%20creation%20(either%20AAD%20or%20MSA)%20while%20file%2Ffolder%20sharing%20go%20through%20the%20One%20Time%20Passcode%20flow%20(which%20doesn't%20always%20result%20in%20account%20creation).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20Azure%20B2B%20is%20enabled%2C%20both%20file%2Ffolder%20sharing%20and%20site%20sharing%20go%20through%20the%20same%20B2B%20flow%20which%20results%20in%20guest%20account%20creation%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHopefully%20this%20answers%20your%20actual%20question%20this%20time!%20%3AD%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EStephen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1632138%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Guests%20vs%20Azure%20AD%20Guests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1632138%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F181%22%20target%3D%22_blank%22%3E%40Stephen%20Rice%3C%2FA%3E%26nbsp%3B%2C%20I%20have%20a%20related%20question%3A%3C%2FP%3E%3CP%3E%26nbsp%3BCan%20external%20users%20(not%20in%20AAD)%20be%20added%20to%20SharePoint%20groups%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Maxwell Shifman
New Contributor

‎Feb 12 2019 06:14 PM

‎Feb 12 2019 06:14 PM

SharePoint Guests vs Azure AD Guests

I'm trying to understand the use of SharePoint Online Guests and the integration with Azure AD.

 

We use External Sharing via SharePoint/OneDrive for Business extensively, with the default being to Specific People with email address enforcement. At the moment, I can keep track of all Accounts that have ever been shared to at https://tenant.sharepoint.com/_layouts/15/people.aspx?MembershipGroupId=0.

 

We do not require manually adding Guest users to our Azure AD, and it is not our practice. Yet, when I go to Azure AD management (https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers), a subset (maybe 50%) of the external users that have been shared to via SharePoint are also shown as Guests in our Azure AD.

 

What I want to know is:

  1. What is the trigger for an external user to be added automatically as a Guest to our Azure AD?
  2. Do I need to keep users in our Azure AD as Guests if we are only sharing links via SharePoint?
  3. Is there any additional benefit in ensuring external users are added as Guests in Azure AD?
Labels:
6,495 Views
0 Likes
13 Replies
Reply
13 Replies
Maxwell Shifman

‎Feb 12 2019 06:22 PM

‎Feb 12 2019 06:22 PM

Re: SharePoint Guests vs Azure AD Guests

I subsequently found the blog post which explains the new Sharing Experience (https://techcommunity.microsoft.com/t5/SharePoint-Support-Blog/Coaching-your-guest-users-through-the...).

Does this mean we can delete unneeded users from Azure AD and not lose their ability to access their existing links?
0 Likes
Reply
Juan Carlos González Martín

‎Feb 12 2019 10:34 PM

‎Feb 12 2019 10:34 PM

Re: SharePoint Guests vs Azure AD Guests

When you share a SPO Site with an external user he should be added also as external user in your Azure AD. Basically Azure AD is the hub that centrally manages how users (external and no external) can access to Office 365 services. Behind the scenes SPO and EXO have their own AD implementation that is bidirectionally synchronized with Azure AD so if an account is added to Azure AD, is going to be propaggated to SPO and the other way around
0 Likes
Reply
Stephen Rice

‎Feb 19 2019 09:53 AM

‎Feb 19 2019 09:53 AM

Re: SharePoint Guests vs Azure AD Guests

Hi @Maxwell Shifman ,

 

Hopefully I can shed some light here :) 

 

At the moment, when you share to an entirely new person (i.e. never been shared to before) from ODB and share via the "specific people" option, one of two things can happen. If the recipient is an O365 user, when they redeem the link, they will be added to your directory as a full guest user (note that there are some cases where this may not occur). If they are not an O365 user, they are only instantiated on that site collection (or OneDrive).

 

This will all change in a few months when we fully migrate over to Azure B2B as the backing guest account service for ODB/SPO (as announced/demo'd at Ignite). Once done, all new shares will result in guest accounts being created.

 

The biggest difference between guest account created/not created is how you apply management & policy to those users.

 

Hope that helps!


Stephen Rice

OneDrive Program Manager II

0 Likes
Reply
roniy

‎Jul 05 2020 07:13 AM

‎Jul 05 2020 07:13 AM

Re: SharePoint Guests vs Azure AD Guests

Hi @Stephen Rice 

 

Could you please update whether currently, every share creates a guest user in AAD? 

 

Thanks

0 Likes
Reply
Stephen Rice

‎Jul 06 2020 09:08 AM

‎Jul 06 2020 09:08 AM

Re: SharePoint Guests vs Azure AD Guests

Hi @roniy,

 

As of this moment, the answer is no, every share (from OneDrive or SharePoint) does not create a guest user. Some do (as discussed above) but the Azure B2B integration I mentioned previously is still opt-in at the moment. Hope that helps!


Stephen Rice

Senior Program Manager, OneDrive

0 Likes
Reply
roniy

‎Jul 06 2020 11:34 PM

‎Jul 06 2020 11:34 PM

Re: SharePoint Guests vs Azure AD Guests

Thank you @Stephen Rice for the quick reply.

I would like to understand exactly in which cases a guest user is created. Is there any documentation about this you can point me to? 

0 Likes
Reply
Stephen Rice

‎Jul 07 2020 02:28 PM

‎Jul 07 2020 02:28 PM

Re: SharePoint Guests vs Azure AD Guests

Hi @roniy,

 

The closest we have is this: https://docs.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release

 

Hope that helps!


Stephen Rice

Senior Program Manager, OneDrive

1 Like
Reply
roniy

‎Jul 08 2020 09:45 AM

‎Jul 08 2020 09:45 AM

Re: SharePoint Guests vs Azure AD Guests

Thank you @Stephen Rice!

 

Last question: is there a difference between sharing a site and sharing a file/folder in this regard? 

 

 

0 Likes
Reply
Stephen Rice

‎Jul 08 2020 10:56 AM - edited ‎Jul 08 2020 12:02 PM

‎Jul 08 2020 10:56 AM - edited ‎Jul 08 2020 12:02 PM

Re: SharePoint Guests vs Azure AD Guests

Hi @roniy,

 

Do you mean for the expiration feature? There is no difference for this feature. 

 

Going a little more technical: Each site/OneDrive has an object called the User Info Table which stores information about the users who have access to content (regardless of whether they were added to the entire site or to a single file or folder). This expiration feature adds an expiration date to that user's entry in the User Info Table so that when they expire, they lose access. 

 

Hope that helps!


Stephen Rice

 

EDIT FOR POSTERITY: This probably belonged in a different thread and isn't directly related to this subject matter :)

0 Likes
Reply
roniy

‎Jul 08 2020 11:43 AM

‎Jul 08 2020 11:43 AM

Re: SharePoint Guests vs Azure AD Guests

@Stephen Rice 

 

That's helpful, thanks! 

 

Actually I was asking about the creation of guest users in AAD - is there a difference between sharing a site and sharing a file/folder? 

 

I commented on a few different threads so sorry for the confusion :)

0 Likes
Reply
Stephen Rice

‎Jul 08 2020 12:05 PM

‎Jul 08 2020 12:05 PM

Re: SharePoint Guests vs Azure AD Guests

@roniy,

 

Ha! You are totally right! My mistake :)

 

To answer your actual question, yes, there are differences between file/folder sharing and site sharing (especially when Azure B2B integration is disabled). Site sharing requires account creation (either AAD or MSA) while file/folder sharing go through the One Time Passcode flow (which doesn't always result in account creation).

 

Once Azure B2B is enabled, both file/folder sharing and site sharing go through the same B2B flow which results in guest account creation :) 

 

Hopefully this answers your actual question this time! :D

 

Stephen

1 Like
Reply
roniy

‎Sep 03 2020 08:08 AM

‎Sep 03 2020 08:08 AM

Re: SharePoint Guests vs Azure AD Guests

Hi @Stephen Rice , I have a related question:

 Can external users (not in AAD) be added to SharePoint groups?

0 Likes
Reply
Jonas Back

‎Apr 15 2021 05:26 AM

‎Apr 15 2021 05:26 AM

Re: SharePoint Guests vs Azure AD Guests

@Stephen Rice Just wondering about the "Azure B2B as the backing guest account service for ODB/SPO"? Are all tenants now using the new way of sharing?

0 Likes
Reply