cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

New external member of security group: user or no user?

Joseph Nierenberg
Iron Contributor

‎Dec 29 2021 12:18 PM - last edited on ‎Jan 14 2022 03:53 PM by

‎Dec 29 2021 12:18 PM - last edited on ‎Jan 14 2022 03:53 PM by

New external member of security group: user or no user?

We have to add two externals to a security group in AAD. They are not currently users. It appears that I could invite them into the group through AAD, even if they are not users; but to invite them through the M365 admin center, they would have to be users. What are the factors to consider on whether to make them users first and then invite them, or to try through AAD to invite them without making them external users first? The purpose of the group is to control access to a SPO document library.

1,574 Views
0 Likes
4 Replies
Reply
4 Replies
Vasil Michev

‎Dec 30 2021 09:01 AM

‎Dec 30 2021 09:01 AM

Re: New external member of security group: user or no user?

Users have extended access to resources within your tenant, compared to Guests. Read here for detailed comparison: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
1 Like
Reply
ChristianJBergstrom

‎Dec 30 2021 11:51 AM

‎Dec 30 2021 11:51 AM

Re: New external member of security group: user or no user?

I'm not sure Vasil is answering your question here, is he? There are members and guests, I assume you're asking about the difference of adding an external user from Azure AD compared to the group/team/site? If adding from Azure AD you have some additional options as to what give access to etc. (and you're the one doing it), if adding (i.e. sending invite) from SPO there's simply the permissions to that particular site, and also not necessarily you that is sending that invite.
0 Likes
Reply
Joseph Nierenberg

‎Dec 31 2021 08:59 AM

‎Dec 31 2021 08:59 AM

Re: New external member of security group: user or no user?

I think Vasil's answer is partway there. The choice is between adding a user from the M365 admin portal--not SPO--or from AAD. SPO already has permissions assigned to a security group. I need to add two persons to that group who are not in my organization. In the past, I've added them first as guest users in AAD, and then added them to the group. From the M365 admin portal, that is necessary, because otherwise it appears that I cannot add someone with just an e-mail address; however, from AAD, I *could* add someone to a security group with just an e-mail address. So the question is whether I should just do that, or whether it would be better for some reason to add them first as a guest user.
0 Likes
Reply
best response confirmed by Joseph Nierenberg (Iron Contributor)
ChristianJBergstrom

‎Jan 03 2022 08:32 AM

‎Jan 03 2022 08:32 AM

Solution

Re: New external member of security group: user or no user?

@Joseph Nierenberg Hi, my apologies for the late reply, I've had some time off. I'm not sure I understand you here, if you add (i.e. invite) directly to the security group from AAD you'll send an invite just as if you were adding the guest user from AAD -> Users "New guest user". When going to the M365 admin portal you must have added the guest user beforehand.

 

I'm pretty sure Vasil was talking about the built-in default permissions for the user type "guest" which can be set here 

Restrict guest user access permissions - Azure Active Directory | Microsoft Docs

0 Likes
Reply