If a guest user has to access a PowerApp, they will not be able to access it unless they have a license. In this blog post, let's see how an M365 license can be assigned to a guest user on your tenant. Before getting there, let's look at some information about guest accounts.
Microsoft 365 allows guest access, which lets you add users from outside your organization for B2B collaboration on your organization's SharePoint sites, Teams, Planner, OneDrive for Business, Microsoft 365 groups, Yammer & Azure applications. You can even invite guest users to use your paid Azure services. With B2B collaboration, applications & services are shared securely while you keep control over the data. This setting is turned on by default. Invited guest users must own an Azure Active Directory account (Work or School) or a Microsoft Account (created through Hotmail, Google, Yahoo, etc.) to sign in.
For more information on external sharing, go through the following documentation links from Microsoft:
- External Identities documentation
- Turn on or turn off guest access to Microsoft Teams
- Microsoft 365 guest sharing settings reference
- External sharing overview
Through Azure Active Directory you can:
- Restrict External domains
- Add Social identity providers like Google, Facebook & custom SAML Identity providers for Sign in
- Control who can invite guests
- Enable Email one-time passcode authentication for logging in without a Microsoft account
- Enable Self-service sign-up for applications
  - As of now this feature is in preview. It allows external users to sign up for a specific application themselves, i.e. it provides options to sign up with identity providers such as Azure AD, Google or Facebook, and collects information about the user during the sign-up process. This can't be enabled for SharePoint & Teams.
- Bulk invite guest users
- Enforce MFA for guest users
SharePoint Online Invitations:
OneDrive/SharePoint Online has a separate invitation manager. Support for external sharing in OneDrive/SharePoint Online started before Azure AD. OneDrive/SharePoint Online adds users to the directory after they have accepted their invitation. There will be no user account in the Azure AD portal until the user has accepted the invitation and signed in. SharePoint Online external sharing settings can be controlled at:
- Organization Level
- Site level
In the SharePoint tenant admin center, you have 4 options to select for a SharePoint site when it comes to external sharing:
- Anyone/Anonymous Access
- New and Existing guests
- Existing guests only
- Only people in your organization
Laura Kokkarinen has a detailed blog post on getting past SharePoint Online guest troubles.
You can also invite/create a guest user from the Azure Active Directory portal or PowerShell.
Find a sample Invitation email below
Azure AD access reviews can ensure that guest users have appropriate access. You can ask the guests themselves or a decision maker to participate in an access review and recertify the guests' access. For more information, go through this documentation link from Microsoft.
Guest Account User principal name:
The UPN of the guest account will be in the following format: username_domain#EXT#@yourtenant.onmicrosoft.com
A UPN with #EXT# means the account is using a domain suffix not associated with your Azure AD tenant, i.e. it is a guest account.
Assigning License to Guest account through Azure Active Directory group:
Guest users can access services like SharePoint, Teams and Yammer without having a license, but they can't access PowerApps. To access a PowerApp, the guest user needs a license from their own organization or one from the tenant they are invited to. See the Microsoft documentation on sharing a canvas app with a guest user in Power Apps.
Create a security group in Azure Active Directory.
Assign a license to the security group by clicking the Licenses section in the Manage blade. Then click Assignments, as shown below, to assign a license.
Now the group is ready for members. Add the guest user who needs a license to the group. After assignment, it should look like below in the Admin center for the guest user.
I have assigned an E5 license, but as per need the guest user can be assigned different licenses.
Assigning License to Guest account from Azure Active Directory Licenses blade:
Go to the Azure Active Directory admin interface and click Licenses under the Manage blade. Click All products, select the license and then click Assign, as below.
Now select the guest user and then click Assign.
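The group-based procedure above can also be scripted. The following is an added example, not part of the original post, using the Microsoft Graph PowerShell SDK; the group name, guest address, SKU part number and requested scopes are assumptions to replace with your own values. It also lists every licensed guest at the end, which is useful input for the access reviews mentioned earlier.

```powershell
# Added example: license a guest through a security group (Microsoft Graph PowerShell SDK).
# Assumptions: the scopes below are sufficient in your tenant; names and values are placeholders.
Connect-MgGraph -Scopes 'User.Read.All','Group.ReadWrite.All','Organization.Read.All'

$groupName = 'PowerApps-Guest-Licensed'   # hypothetical group name
$guestMail = 'partner.user@example.com'   # constructed guest address
$skuPart   = 'SPE_E5'                     # assumed SKU part number; confirm with Get-MgSubscribedSku

# Resolve the account and refuse to continue unless it is exactly one guest user.
$guest = Get-MgUser -Filter "mail eq '$guestMail'" -Property Id,UserPrincipalName,UserType
if (@($guest).Count -ne 1 -or $guest.UserType -ne 'Guest') {
    throw "Expected exactly one guest account for $guestMail"
}

# Find the license and make sure a seat is free before assigning it.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $skuPart
if (-not $sku) { throw "SKU $skuPart not found in this tenant" }
if ($sku.PrepaidUnits.Enabled -le $sku.ConsumedUnits) { throw "No free $skuPart seats" }

# Create the security group if it does not exist yet.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (@($group).Count -gt 1) { throw "More than one group named $groupName" }
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailNickname $groupName `
                         -MailEnabled:$false -SecurityEnabled
}

# Attach the license to the group; members inherit it.
Set-MgGroupLicense -GroupId $group.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) `
                   -RemoveLicenses @() | Out-Null

# Add the guest only if it is not already a member.
$members = Get-MgGroupMember -GroupId $group.Id -All
if ($guest.Id -notin $members.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $guest.Id
}

# Group licensing is processed asynchronously; re-run this check after a few minutes.
# AssignedByGroup holds the group id for inherited licenses and is empty for direct ones.
Get-MgUser -UserId $guest.Id -Property LicenseAssignmentStates |
    Select-Object -ExpandProperty LicenseAssignmentStates |
    Select-Object SkuId, AssignedByGroup, State, Error

# Review step: every guest that currently holds a license in the tenant.
Get-MgUser -Filter "userType eq 'Guest'" -All -Property UserPrincipalName,AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 } |
    Select-Object UserPrincipalName
```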
Hope you have found this informational & helpful. Let me know any feedback or comments in the comment section below.