New external member of security group: user or no user?

Iron Contributor

We have to add two externals to a security group in AAD. They are not currently users. It appears that I could invite them into the group through AAD, even if they are not users; but to invite them through the M365 admin center, they would have to be users. What are the factors to consider on whether to make them users first and then invite them, or to try through AAD to invite them without making them external users first? The purpose of the group is to control access to a SPO document library.

4 Replies
Users have extended access to resources within your tenant, compared to Guests. Read here for detailed comparison:
I'm not sure Vasil is answering your question here, is he? There are members and guests, I assume you're asking about the difference of adding an external user from Azure AD compared to the group/team/site? If adding from Azure AD you have some additional options as to what give access to etc. (and you're the one doing it), if adding (i.e. sending invite) from SPO there's simply the permissions to that particular site, and also not necessarily you that is sending that invite.
I think Vasil's answer is partway there. The choice is between adding a user from the M365 admin portal--not SPO--or from AAD. SPO already has permissions assigned to a security group. I need to add two persons to that group who are not in my organization. In the past, I've added them first as guest users in AAD, and then added them to the group. From the M365 admin portal, that is necessary, because otherwise it appears that I cannot add someone with just an e-mail address; however, from AAD, I *could* add someone to a security group with just an e-mail address. So the question is whether I should just do that, or whether it would be better for some reason to add them first as a guest user.
best response confirmed by Joseph Nierenberg (Iron Contributor)

@Joseph Nierenberg Hi, my apologies for the late reply, I've had some time off. I'm not sure I understand you here, if you add (i.e. invite) directly to the security group from AAD you'll send an invite just as if you were adding the guest user from AAD -> Users "New guest user". When going to the M365 admin portal you must have added the guest user beforehand.


I'm pretty sure Vasil was talking about the built-in default permissions for the user type "guest" which can be set here 

Restrict guest user access permissions - Azure Active Directory | Microsoft Docs