Delegate365-Working with guest users

2020-06-26 | Toni Pohl

Delegate365 supports working with guest users. Guest users or external users are users that are invited to the company tenant by email. Once they accept the invitation, they get access to corporate resources. For example, a guest user can be a member of a Microsoft team or collaborate in Planner or in a SharePoint site or similar. See some samples here.

Invite a guest user

In Delegate365, admins can invite a guest user by clicking on the "Invite guest user" icon next to the "+" icon (new user). If you don't see this icon, ask your Delegate365 Portal Admin to enable that feature in the permission policies.

Fill out the invite guest user form and click the Invite button.

The invited user appears in the users list instantly, as shown here. You can manage that user in the same way as the other users.

What's the user's UPN?

Azure AD stores that user internally with the default domain of the tenant. In this sample, we see that user

doris.doe@gmail.com became doris.doe_gmail.com#EXT#@M365x193702.onmicrosoft.com.

Note: When inviting external users, the default domain of the tenant is used. So, this can be a custom domain as well. The Azure AD portal and the Microsoft 365 admin center show the original username doris.doe@gmail.com. Anyway, internally the extended username is used.

We can change the username to a more friendly name or to a different domain later in Delegate365, see below.

How does the guest user complete the invitation?

The invited user gets an email. Here, the user accepts the invitation to that Microsoft 365 tenant.

Then, the user follows the process and signs in with a custom password. Also, the user has to accept that the Microsoft 365 tenant can sign him or her in and read the user's (Azure AD) profile. Now the guest user has his or her email address and a password for the organization's Microsoft 365 tenant. If the organization enforces MFA, the user must follow that process as well to get access.

Note: In Azure AD, the guest user is added as "Microsoft Account" and the status is "Invitation accepted". Other invited users that have not accepted the invitation get the status "Invited user".

In Delegate365, the guest users show up after the sync in the users list as Type "User" and Status "Cloud".

Assign guest users to OUs

The same happens to users that have been invited outside of Delegate365, e.g. in the Azure AD portal. The Azure AD UPN ends with #EXT#@M365x193702.onmicrosoft.com. Here, users anne.doe@gmail.com and John@doe.com are shown in the list of OU / Assign.

So, we can assign these users to an OU. In our sample, we assign the two selected users to the OU New York at the bottom of the page.

Manage guest users' UPNs

As we see, there are now 3 guest users, which we can manage in the same way as the internal users.

Important: An administrator must be assigned to an OU AND to the DOMAIN of the users he or she can manage. In our sample, the current admin has the OU New York assigned AND the domain M365x193702.onmicrosoft.com! See also Troubleshooting Delegate365.

Wait! What if you don't want to assign the default domain to your admins in Delegate365?

Well, then you can modify the UPN domain of the guest user as follows.

Modify the guest user's UPN

In Delegate365, you can change the UPN. The UPN is the internal name of the guest user in your tenant.

Note: You can't change the guest user's UPN in the Azure AD portal, so that's a feature of Delegate365.

), as in the sample here when we remove the #EXT# and change the domain:

So, now the UPN is <name>_gmail.com@atwork.fun.
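
The UPN handling described above, as an added example (not code from Delegate365 or from the article): it builds and reverses the default #EXT# form and lists guests by the directory's userType attribute, because a renamed guest UPN no longer carries the #EXT# marker. The record layout, the helper names and all sample users except doris.doe are assumptions constructed for illustration.

```python
# Added example: helper names and sample records are constructed for illustration.
EXT = "#EXT#"

def guest_upn(email: str, default_domain: str) -> str:
    """Default internal UPN for an invited address (pattern shown in the article)."""
    local, _, domain = email.rpartition("@")
    return f"{local}_{domain}{EXT}@{default_domain}"

def external_address(upn: str):
    """Recover the invited address from a default-form guest UPN, else None."""
    prefix, marker, _ = upn.partition(EXT + "@")
    if not marker or "_" not in prefix:
        return None
    # DNS host names contain no "_", so the last "_" is the former "@".
    local, _, domain = prefix.rpartition("_")
    return f"{local}@{domain}"

def audit(users, admin_domains):
    """List guests by userType (not UPN shape) and check the admin's domain scope."""
    allowed = {d.lower() for d in admin_domains}
    findings = []
    for u in users:
        if u["userType"] != "Guest":
            continue
        upn = u["userPrincipalName"]
        findings.append({
            "upn": upn,
            "renamed": EXT not in upn,  # guest no longer recognisable from the UPN
            "invited_as": external_address(upn) or u.get("mail"),
            # Domain condition only; the OU assignment is a separate requirement.
            "domain_in_admin_scope": upn.rpartition("@")[2].lower() in allowed,
        })
    return findings

# Constructed records shaped like a directory export.
SAMPLE_USERS = [
    {"userPrincipalName": "doris.doe_gmail.com#EXT#@M365x193702.onmicrosoft.com",
     "userType": "Guest", "mail": "doris.doe@gmail.com"},
    {"userPrincipalName": "anne.doe_gmail.com@atwork.fun",
     "userType": "Guest", "mail": "anne.doe@gmail.com"},
    {"userPrincipalName": "adele@atwork.fun",
     "userType": "Member", "mail": "adele@atwork.fun"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, admin_domains=["atwork.fun"]):
        print(finding)
```

A guest whose UPN has been renamed into a corporate domain falls into the scope of every admin assigned that domain, so reviews of external access should filter on userType rather than on the #EXT# string.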

How does the guest user sign in to Microsoft 365?

Even if you change the guest user's UPN in your Microsoft 365 tenant, the user continues to use his or her own email address to sign in. So, the login process is unchanged, as we see here. When the guest user signs in to e.g. portal.office.com…

…after the successful login, the Office portal follows.

Benefits of managing guest users in Delegate365

Guest users can be managed in Delegate365. Notice the domain of the UPN of the guest user, and check if the domain is assigned to the admins in Delegate365. Benefits are:

We have seen that administration of guest users can be delegated with Delegate365. Portal Admins can control which users can be managed by whom and which guest users can be managed.

Source: https://blog.atwork.at/post/Delegate365-guest-users