How to manage Microsoft 365 guest users with PowerShell
The flexible automation tool used in conjunction with Microsoft Graph can give admins the right combination to quickly tackle a range of tasks related to guest user management.
Whether it's partners, clients, vendors or consultants, many organizations need to accommodate guest users in Microsoft 365. As the admin of this platform, it's your job to make management of guest users quick and painless.
Guest users are the key to extending your digital workspace into a shared environment to help cross-organizational projects succeed. You can use the admin portal for work related to guest users. But when you need to get work done quickly without introducing errors, it's worth using automation, particularly when you need to make changes in bulk. PowerShell with Microsoft Graph is one viable combination to handle guest user management on the Microsoft 365 platform when you need to maximize efficiency.
What is a guest user in Microsoft 365?
Guest users in Microsoft 365 are a vital bridge for collaboration to give individuals outside your organization access to specific resources, applications and data.
Guest users let organizations do the following:
- Enhance collaboration. Guest users facilitate teamwork across organizations. You can invite them to work together on documents, engage in team discussions and contribute to projects like internal team members.
- Streamline communication. Seamlessly communicate and share information with external stakeholders without separate communication platforms or constant email exchanges.
- Simplify access management. Rather than create separate user accounts for external partners, you grant guest users controlled access to your organization's resources.
- Enable secure sharing. Keep control over data security and privacy by defining permissions and access levels for guest users. Sensitive information remains protected while it is accessible to those who need it.
- Accelerate workflows. External experts contribute their expertise, leading to quicker decision-making and project completion.
- Expand business opportunities. Guest users open new routes for collaboration, potentially leading to business growth and innovation through partnerships and joint ventures.
Understanding the distinction between external and internal guest users is essential to grasping their roles and how they work. Each category of guest user serves a distinct purpose when working jointly on projects while maintaining a clear separation of roles and access rights.
Understanding the types of guest users in Microsoft 365
A pivotal feature of Microsoft 365 is letting external users participate in your organization's internal processes without compromising security. It is essential to understand how the different types of guest users operate within Microsoft 365.
External guest users
These individuals belong to another organization or domain and are invited to work on specific projects, documents or shared resources. These users might include clients, partners, vendors, contractors or customers. It's important to preserve data security and control when partnering with these external stakeholders.
External guest users have the following characteristics and capabilities:
- Limited access. Organizations grant external guest users access to the resources and applications necessary for their tasks. This controlled access safeguards sensitive company data.
- Secure sharing. Microsoft 365 helps secure the environment even when collaborating with external entities by allowing you to define permissions, expiration dates and access levels for those external guest users.
- Collaboration. External guest users can collaborate on shared files, participate in discussions, and contribute to projects within specified boundaries. It fosters efficient teamwork while enforcing organizational boundaries.
Internal guest users
These individuals work within your organization's tenant but from a different Microsoft Entra ID -- formerly Azure Active Directory (AD) -- tenant. This is a common scenario when separate organizations are under the same umbrella, using other Microsoft Entra ID instances. These users benefit from seamless interaction with your organization's resources, applications and communication tools.
Key characteristics of internal guest users include the following:
- Cross-tenant collaboration. They work across tenants while adhering to their organization's policies and access controls.
- Unified experience. They have access to applications, data and communication tools within your organization's environment for a unified experience for efficient collaboration.
- Controlled access. As with external guests, you manage internal guest users' access levels so they interact with the necessary resources without compromising data security.
How do guest users differ from regular users in Microsoft 365?
Both guest users and regular users have distinct roles, privileges and access levels that cater to different collaboration requirements.
While guests and regular users can collaborate within the Microsoft 365 environment, the scope, depth and control of their access differ substantially. Organizations must understand these differences to ensure efficient collaboration while maintaining robust security.
Access scope
- Guest users. Access is typically limited by the invitation to specific resources, such as a SharePoint site, Microsoft Teams channel or a Planner board. They can't view or access resources without permission.
- Regular users. They have access to more resources within the tenant based on their licenses and role assignments. This could range from SharePoint sites to mailboxes and other Microsoft 365 services.
Administration
- Guest users. Identity management usually occurs outside the organization's domain, and the organization has limited control over their user attributes. Administrative actions on guest accounts are more constrained.
- Regular users. Admins have full control over these accounts to perform actions related to provisioning and role assignments.
Security
- Guest users. Given the external nature of their role, guest users might face more stringent access controls, multi-factor authentication requirements or conditional access policies.
- Regular users. While they're also subject to security policies, the depth and strictness might differ based on organizational roles.
Licensing
- Guest users. They often don't consume regular Microsoft 365 licenses. They might operate under a shared or pooled licensing model, or certain features might be available without a license.
- Regular users. Licensing is based on their roles, access needs and the apps they use within the Microsoft 365 suite.
What are the prerequisites for PowerShell management for guest users?
Microsoft Graph offers a unified way to access Microsoft 365 services from multiple programming languages.
Administrators use the Microsoft Graph PowerShell module to interact seamlessly with data in Microsoft services such as Entra ID, SharePoint Online and Microsoft Teams. The module does more than just translate commands directly; it adapts to fit the familiar, native PowerShell experience to provide continuity and ease of use.
If needed, you can also use the Microsoft Entra admin center's portal capabilities. However, PowerShell management offers several advantages over the portal method. See the following pros and cons of using Microsoft Graph PowerShell versus Microsoft Entra B2B, formerly Azure AD B2B, for granting access and managing external guests.
Microsoft Graph pros
- Unified access. Allows interaction with many Microsoft services beyond Microsoft Entra ID for a more holistic management experience.
- Granularity. Provides a finer level of control over operations due to its rich set of commands and properties.
- Extensibility. Excels at integrating custom apps, workflows and automation scripts.
Microsoft Graph cons
- Complexity. Due to its comprehensive coverage, it can be overkill for simple, direct tasks.
- Permission management. Requires careful permissions management, which might introduce additional overhead.
Microsoft Entra B2B pros
- Simplicity. Tailored for managing external guests with a straightforward approach for specific tasks.
- Integration. Natively integrated into Microsoft Entra ID for compatibility with other Azure services.
- Dedicated features. Built-in features, such as invitation redemption, ease the external collaboration process.
Microsoft Entra B2B cons
- Limited scope. Primarily centered around guest and external identity management, which limits its versatility.
You must weigh several factors to determine the appropriate tool for managing external users. If the primary focus is external user management, then Microsoft Entra B2B is the clear choice. However, Microsoft Graph is more comprehensive for more expansive tasks that touch a wide range of Microsoft services.
If you want to integrate with custom applications or automate intricate workflows that span multiple services, then Microsoft Graph is invaluable due to its versatility. Organizations that prioritize simplicity in their operations might find Microsoft Entra B2B's specific features more user-friendly and intuitive.
Lastly, it's essential to consider the future. If you anticipate a need to diversify management tasks, then starting with Microsoft Graph may help you avoid a significant shift later.
How to use the Microsoft Graph PowerShell module
To start using Microsoft Graph with PowerShell, install the module from the PowerShell Gallery with the following command.
Install-Module -Name Microsoft.Graph -Scope CurrentUser
To connect to the Microsoft Graph, run the following PowerShell command to get the access token for authentication to access Microsoft 365.
Connect-MgGraph
At the prompt, sign in with a Microsoft 365 account with the necessary permissions to access your desired data.
How to use PowerShell to work with Microsoft 365 guest users
Using the Microsoft Graph PowerShell SDK simplifies the process of working with guest users in areas related to invitation, user management, license management and permission control.
To execute any of the following PowerShell commands, connect to Microsoft Graph with an account that has the correct permissions.
How to invite individual guest users in Microsoft 365
$invitation = @{
    InvitedUserEmailAddress = '[email protected]'
    InviteRedirectUrl       = 'https://portal.azure.com'
}
New-MgInvitation -BodyParameter $invitation
How to perform a bulk invitation for multiple guest users
$guestUsers = @('[email protected]', '[email protected]', '[email protected]')
foreach ($user in $guestUsers) {
    $invitation = @{
        InvitedUserEmailAddress = $user
        InviteRedirectUrl       = 'https://portal.azure.com'
    }
    New-MgInvitation -BodyParameter $invitation
}
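The bulk loop above sends one invitation per address without checking whether the address is already a guest in the tenant, so re-running it creates duplicate invitations and silently loses any errors. The following script is an added example, not code from the original article, that looks the address up first, sends an invitation with a message, and records the outcome per row. The scopes passed to Connect-MgGraph are the least-privileged ones these cmdlets need; the sample addresses, display names and redirect URL are constructed placeholders you would replace with your own.

```powershell
# Added example: idempotent bulk guest invitation with per-row results.
# Assumes the Microsoft.Graph module is installed (see Install-Module above).
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

# Constructed sample input; in practice this usually comes from Import-Csv.
$invitees = @(
    [pscustomobject]@{ Email = 'ava@partner.example'; Name = 'Ava (Partner)' }
    [pscustomobject]@{ Email = 'ben@vendor.example';  Name = 'Ben (Vendor)' }
)

$results = foreach ($invitee in $invitees) {
    # A guest object stores the external address in Mail, so this lookup
    # prevents a second invitation for someone who already has an account.
    $existing = Get-MgUser -Filter "mail eq '$($invitee.Email)' and userType eq 'Guest'" `
                           -Property Id, ExternalUserState
    if ($existing) {
        [pscustomobject]@{
            Email  = $invitee.Email
            Status = "Exists ($($existing.ExternalUserState))"   # e.g. PendingAcceptance or Accepted
            UserId = $existing.Id
        }
        continue
    }

    $body = @{
        InvitedUserEmailAddress = $invitee.Email
        InvitedUserDisplayName  = $invitee.Name
        InviteRedirectUrl       = 'https://myapps.microsoft.com'   # assumption: your landing page
        SendInvitationMessage   = $true                            # default is $false: no email is sent
        InvitedUserMessageInfo  = @{
            CustomizedMessageBody = 'You have been invited to collaborate with our organization.'
        }
    }
    try {
        $invite = New-MgInvitation -BodyParameter $body -ErrorAction Stop
        [pscustomobject]@{ Email = $invitee.Email; Status = $invite.Status; UserId = $invite.InvitedUser.Id }
    }
    catch {
        # Keep going on a bad address or a policy block, but keep the reason.
        [pscustomobject]@{ Email = $invitee.Email; Status = "Failed: $($_.Exception.Message)"; UserId = $null }
    }
}

$results | Format-Table -AutoSize
```

Keeping the $results objects (or exporting them with Export-Csv) gives you a record of which object IDs were created by which run, which is useful later when you need to trace or remove accounts that were created in bulk.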
How to view and export a list of guest users
# -All pages through every guest; without it only the first page is returned.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime
# Select the columns to export; the raw user object contains nested properties that flatten poorly.
$guests | Select-Object Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime |
    Export-Csv -Path 'C:\Reports\Guests.csv' -NoTypeInformation
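A plain export lists every guest but does not tell you which ones are still needed. The script below is an added example, not code from the original article: it extends the export to flag guests who never redeemed their invitation or have not signed in within a threshold. Reading the SignInActivity property requires the AuditLog.Read.All scope and a tenant with a Microsoft Entra ID P1 or P2 license; the 90-day threshold and the output path are assumptions.

```powershell
# Added example: stale-guest report built from userType, ExternalUserState
# and SignInActivity. Requires AuditLog.Read.All and an Entra ID P1/P2 tenant.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

$staleAfterDays = 90   # assumption: your organization's inactivity threshold
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime   # $null when the guest has never signed in
    $reason = if ($g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff) {
        'Invitation never redeemed'
    }
    elseif (-not $lastSignIn -and $g.CreatedDateTime -lt $cutoff) {
        'No recorded sign-in'
    }
    elseif ($lastSignIn -and $lastSignIn -lt $cutoff) {
        'Inactive'
    }
    if ($reason) {
        [pscustomobject]@{
            Id          = $g.Id
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            Created     = $g.CreatedDateTime
            LastSignIn  = $lastSignIn
            Reason      = $reason
        }
    }
}

$report | Sort-Object LastSignIn |
    Export-Csv -Path 'C:\Reports\StaleGuests.csv' -NoTypeInformation   # assumption: report location
$report | Group-Object Reason | Select-Object Name, Count | Format-Table -AutoSize
```

The Id column is kept deliberately so the report can feed a later removal step without a second lookup by email, and the grouped summary at the end gives a quick count per reason before anyone acts on the list.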
How to add or remove licenses for a guest user
# The user must have a UsageLocation set before a license can be assigned.
Set-MgUserLicense `
    -UserId '[email protected]' `
    -AddLicenses @{SkuId = '4016f256-b063-4864-816e-d818aad600c9'} `
    -RemoveLicenses @()
How to add or remove licenses for several guest users
$guestUsers = @('[email protected]', '[email protected]')
foreach ($user in $guestUsers) {
    # Each user must have a UsageLocation set before a license can be assigned.
    Set-MgUserLicense `
        -UserId $user `
        -AddLicenses @{SkuId = '4016f256-b063-4864-816e-d818aad600c9'} `
        -RemoveLicenses @()
}
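The two snippets above hard-code a SkuId and assume every target user can be licensed. In practice Set-MgUserLicense fails when the user has no UsageLocation or when the subscription has no seats left, and guests are usually addressed by their external email rather than a UPN. The following script is an added example, not code from the original article, that resolves the SKU by its part number with Get-MgSubscribedSku, resolves each guest by mail, sets a UsageLocation where it is missing, and stops when seats run out. The SKU part number, usage location and sample addresses are assumptions.

```powershell
# Added example: license guests by SKU part number with the pre-checks that
# Set-MgUserLicense itself does not perform.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$skuPartNumber = 'ENTERPRISEPACK'   # assumption: the SKU to assign (this part number is Office 365 E3)
$usageLocation = 'US'               # assumption: ISO 3166 code; Graph refuses to license a user without one
$guestMails    = @('ava@partner.example', 'ben@vendor.example')   # constructed sample addresses

$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "SKU '$skuPartNumber' is not subscribed in this tenant" }
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits

foreach ($mail in $guestMails) {
    # Guests are looked up by Mail: their UPN is the mangled user_domain#EXT#@tenant form.
    $user = Get-MgUser -Filter "mail eq '$mail' and userType eq 'Guest'" `
                       -Property Id, UserPrincipalName, UsageLocation, AssignedLicenses
    if (-not $user) { Write-Warning "No guest found for $mail"; continue }

    if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
        Write-Host "$mail already has $skuPartNumber"; continue
    }
    if ($available -le 0) {
        Write-Warning "No $skuPartNumber seats left; stopping before $mail"; break
    }
    if (-not $user.UsageLocation) {
        Update-MgUser -UserId $user.Id -UsageLocation $usageLocation
    }

    Set-MgUserLicense -UserId $user.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId }) `
        -RemoveLicenses @() | Out-Null
    $available--
    Write-Host "$mail assigned $skuPartNumber ($available seats remaining)"
}
```

Removing a license is the mirror image: pass the SkuId in -RemoveLicenses and an empty array in -AddLicenses. The seat counter here is local to the run; if other processes assign licenses concurrently, re-query Get-MgSubscribedSku rather than trusting the decremented value.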
There are three primary access levels for guest users in Microsoft Entra ID: limited, full and restricted. These levels determine what actions a guest user can perform within the directory. You can use PowerShell to set the required permission level, and you can also grant an individual guest additional rights by adding them to a directory role, as the following snippet does.
$directoryRoles = Get-MgDirectoryRole | Sort-Object DisplayName
# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
# The role below is the article's example; in practice pick the least-privileged role that fits the task.
$globalAdmin = $directoryRoles |
    Where-Object { $_.DisplayName -eq 'Global Administrator' } |
    Select-Object -ExpandProperty Id
$user = Get-MgUser -UserId '[email protected]'
# Skip the assignment if the guest is already a member of the role.
$roleMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdmin
if ($roleMembers.Id -notcontains $user.Id) {
    New-MgDirectoryRoleMemberByRef `
        -DirectoryRoleId $globalAdmin `
        -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
        }
}
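The three levels named above (limited, full and restricted) are a single tenant-wide setting: the guestUserRoleId of the Entra ID authorization policy. The script below is an added example, not code from the original article, that reads the current level and changes it with Update-MgPolicyAuthorizationPolicy. The three GUIDs are Microsoft's documented values for that setting; the cmdlet syntax assumes Microsoft Graph PowerShell SDK 2.x (SDK 1.x required an explicit -AuthorizationPolicyId authorizationPolicy argument). The Policy.ReadWrite.Authorization scope is required.

```powershell
# Added example: read and set the tenant-wide guest permission level.
# Requires the Policy.ReadWrite.Authorization scope and an administrator role.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

# Documented guestUserRoleId values for the authorization policy.
$guestRoleIds = @{
    Full       = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'   # guests have the same access as members
    Limited    = '10dae51f-b6af-4016-8d66-8c2a99b929b3'   # default: limited directory access
    Restricted = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # guests see only their own profile
}

function Get-GuestPermissionLevel {
    $policy = Get-MgPolicyAuthorizationPolicy
    $name = ($guestRoleIds.GetEnumerator() |
        Where-Object Value -eq $policy.GuestUserRoleId).Key
    [pscustomobject]@{
        Level           = if ($name) { $name } else { 'Unknown' }
        GuestUserRoleId = $policy.GuestUserRoleId
    }
}

function Set-GuestPermissionLevel {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm for a change that affects every guest.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Full', 'Limited', 'Restricted')]
        [string]$Level
    )
    $before = Get-GuestPermissionLevel
    if ($PSCmdlet.ShouldProcess('authorizationPolicy', "Change guest permission level from $($before.Level) to $Level")) {
        # The policy is a singleton, so no ID is passed in SDK 2.x (assumption: SDK 2.x syntax).
        Update-MgPolicyAuthorizationPolicy -BodyParameter @{ guestUserRoleId = $guestRoleIds[$Level] }
    }
    [pscustomobject]@{ Before = $before.Level; After = (Get-GuestPermissionLevel).Level }
}

Get-GuestPermissionLevel
Set-GuestPermissionLevel -Level Restricted -WhatIf   # preview only; remove -WhatIf to apply
```

Because this setting applies to every guest at once, the Before/After object returned by Set-GuestPermissionLevel is worth logging alongside the change ticket; it is the simplest evidence that the level was what you expected before and after the run.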
After adding a guest user to your Microsoft 365 tenant, your work continues. You can monitor the user's activities and check login activity to maintain security and understand guest-user interactions. Use the following PowerShell command to get information about guest user sign-ins.
Get-MgAuditLogSignIn `
    -Filter "userPrincipalName eq '[email protected]'"
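Querying one guest's sign-ins at a time does not scale to a tenant with hundreds of guests. The following script is an added example, not code from the original article, that pulls the last seven days of sign-in events and summarizes them per guest, with failure counts, the applications used and the countries seen. Sign-in logs require the AuditLog.Read.All and Directory.Read.All scopes and a Microsoft Entra ID P1 or P2 tenant; the seven-day window is an assumption. Guest accounts are recognized client-side by the #EXT# marker in their user principal name.

```powershell
# Added example: seven-day guest sign-in summary from the Entra ID sign-in logs.
# Requires AuditLog.Read.All, Directory.Read.All and an Entra ID P1/P2 tenant.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$windowDays = 7   # assumption: review window
$since = (Get-Date).AddDays(-$windowDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# createdDateTime is filterable server-side; the guest test uses the '#EXT#'
# marker that B2B guest UPNs carry, which avoids a per-user query.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.UserPrincipalName -like '*#EXT#*' }

$summary = $signIns | Group-Object UserPrincipalName | ForEach-Object {
    # ErrorCode 0 is a successful sign-in; anything else is a failure or an interrupt.
    $failed = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 })
    [pscustomobject]@{
        Guest      = $_.Name
        SignIns    = $_.Count
        Failures   = $failed.Count
        Apps       = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ', '
        Countries  = ($_.Group.Location.CountryOrRegion | Sort-Object -Unique) -join ', '
        LastSignIn = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
    }
}

# Guests with the most failures first; a long Countries list for one guest is also worth a look.
$summary | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Paired with the stale-guest report, this gives two complementary views: which guests are not using their access at all, and which active guests are generating failed or unusual sign-ins that merit a conditional access review.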
How to delete a guest user from Microsoft 365
Before you remove any guest user, check that they don't own resources, such as a Microsoft Teams channel or a SharePoint site, and they are not associated with any essential data.
The first step is to retrieve a list of guest users.
$guests = Get-MgUser -Filter "userType eq 'Guest'"
$guests | Format-Table Id, DisplayName, Mail
Next, check if the guest user owns specific resources, which you can do either with PowerShell or the user interface. With the owner check completed, you can then safely remove the guest user.
# Resolve the object ID of the guest to remove from the list retrieved above.
$guestUserId = ($guests | Where-Object { $_.Mail -eq '[email protected]' }).Id
Remove-MgUser -UserId $guestUserId -Confirm:$false
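The removal above runs with -Confirm:$false and relies on the owner check having been done by hand. The following function is an added example, not code from the original article, that performs the PowerShell side of that check with Get-MgUserOwnedObject and only deletes when the guest owns nothing; -WhatIf previews the deletion. The owned-objects call covers directory objects such as groups (including the Microsoft 365 groups behind Teams and group-connected SharePoint sites) and application registrations; ownership of a standalone SharePoint site is stored in SharePoint and needs a SharePoint-side check that this example does not include. The sample address is constructed.

```powershell
# Added example: remove a guest only after confirming they own no directory objects.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All'

function Remove-GuestSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$GuestMail   # the guest's external address, as stored in the Mail attribute
    )

    $guest = Get-MgUser -Filter "mail eq '$GuestMail' and userType eq 'Guest'" `
                        -Property Id, DisplayName, UserPrincipalName
    if (-not $guest) { Write-Warning "No guest found with mail $GuestMail"; return }

    # Groups, Teams, group-connected sites and app registrations owned by the guest.
    $owned = @(Get-MgUserOwnedObject -UserId $guest.Id -All)
    if ($owned.Count -gt 0) {
        Write-Warning "$($guest.DisplayName) still owns $($owned.Count) object(s); reassign ownership first:"
        $owned | ForEach-Object {
            [pscustomobject]@{
                Type = $_.AdditionalProperties['@odata.type']
                Name = $_.AdditionalProperties['displayName']
                Id   = $_.Id
            }
        } | Format-Table -AutoSize
        return
    }

    if ($PSCmdlet.ShouldProcess($guest.UserPrincipalName, 'Remove guest user')) {
        # The account moves to the deleted-users container for 30 days and can be
        # restored with Restore-MgDirectoryDeletedItem during that period.
        Remove-MgUser -UserId $guest.Id
    }
}

Remove-GuestSafely -GuestMail 'ava@partner.example' -WhatIf   # preview; drop -WhatIf to delete
```

Wrapping the deletion in a function with SupportsShouldProcess means a bulk run can be rehearsed end to end with -WhatIf against the stale-guest list before anything is actually removed.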
For optimal results when working with Microsoft 365 guest users, you can automate your frequently used actions with the PowerShell and Microsoft Graph combination. This helps you quickly execute tasks and do them in a consistent manner.
Liam Cleary runs his own consulting company that helps customers work with Microsoft 365 and Azure-based technologies. He specializes in internal and external collaboration, document and records management, business process automation and security measure implementation.