
Microsoft Entra Guest vs External Accounts

Microsoft Entra (formerly Azure AD) Guest and External accounts

  • Guest Accounts
    • Description: Guest accounts are created in your Microsoft Entra tenant for external users. These users have a user object in your tenant.
    • Permissions: Guests can access Teams and SharePoint resources, participate in chats, calls, and meetings, and collaborate on files. They have nearly all the same capabilities as internal users but with some restrictions.
    • Use Case: Ideal for inviting partners, vendors, or contractors to collaborate on specific projects or teams. In Teams, guests can chat, call, and meet with people in your organization and access shared files and folders. In SharePoint, guests can be given permissions to view, edit, or contribute to documents and sites.
  • External Accounts
    • Description: External users do not have a user object in your tenant. Instead, they use their own credentials from their home tenant to access resources in your organization.
    • Permissions: External users can find, call, chat, and set up meetings with people in your organization. They don’t have the same level of access to internal resources as guest users.
    • Use Case: Useful for setting up meetings or chats with users from other Microsoft 365 organizations or services like Skype for Business. External access is typically used for communication rather than collaboration on internal resources.
  • Key Differences
    • User Object: Guests have a user object in your tenant; external users do not.
    • Access Level: Guests have broader access to resources and can collaborate more deeply within Teams and SharePoint, although some features are restricted compared to internal users (e.g., access to certain apps, permissions customization, and administrative controls). External users have limited access, mainly for communication purposes.
    • Management: Guest accounts are managed within your tenant, allowing for more control over permissions and access. External access relies on the external user’s home tenant for authentication and management.
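Because guests are the only external identities that get a user object in your tenant, a B2B access review starts by inventorying those objects. The following PowerShell is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in admin can consent to User.Read.All and AuditLog.Read.All (the latter, plus an Entra ID P1 licence, is needed for sign-in activity).

```powershell
# Added example: inventory guest user objects in the tenant with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed; scopes are those needed for the properties read below.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

# userType distinguishes guest objects from members; external (non-guest) users are not returned
# because they have no object in this tenant at all.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, UserPrincipalName, ExternalUserState, CreatedDateTime, SignInActivity

# A guest UPN has the form user_homedomain.com#EXT#@yourtenant.onmicrosoft.com;
# Mail keeps the home-tenant address, which is usually what reviewers want to see.
$report = foreach ($g in $guests) {
    [pscustomobject]@{
        DisplayName  = $g.DisplayName
        HomeIdentity = $g.Mail
        InviteState  = $g.ExternalUserState      # 'Accepted' or 'PendingAcceptance'
        Created      = $g.CreatedDateTime
        LastSignIn   = $g.SignInActivity.LastSignInDateTime
    }
}

# Two populations worth reviewing: invitations that were never accepted, and accepted
# guests that have not signed in for 90 days (constructed threshold; adjust to policy).
$cutoff = (Get-Date).AddDays(-90)

"Pending invitations:"
$report | Where-Object { $_.InviteState -eq 'PendingAcceptance' } | Format-Table -AutoSize

"Stale guests (accepted, no sign-in since $($cutoff.ToShortDateString())):"
$report | Where-Object {
    $_.InviteState -eq 'Accepted' -and ($null -eq $_.LastSignIn -or $_.LastSignIn -lt $cutoff)
} | Format-Table -AutoSize
```

Guests that show up as stale are candidates for removal or for an Entra access review; pending invitations older than the review window can be revoked outright.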

External Account

External accounts in Microsoft Entra are primarily used for communication in Teams and chatting, but they have other use cases as well. Here are some additional scenarios where external accounts can be useful:

Use Cases for External Accounts

  • Teams and Skype for Business:
    • Communication: External accounts allow users to find, call, chat, and set up meetings with people outside your organization who use Teams or Skype for Business.
    • Meetings: External users can join Teams meetings, participate in calls, and collaborate during meetings.
  • Cross-Organization Collaboration:
    • Shared Channels: External users can be added to shared channels in Teams, enabling collaboration on specific projects without giving full access to your internal resources.
    • Cross-Tenant Access: External accounts can be used for cross-tenant access, allowing trusted Microsoft 365 organizations to communicate seamlessly without adding users as guests. However, full collaboration, such as editing SharePoint documents, still requires guest access.
  • Document Sharing:
    • OneDrive and SharePoint: External users can access shared documents and folders in OneDrive and SharePoint by authenticating with their home tenant, ensuring controlled access. However, if shared via ‘Anyone’ links, sign-in is not required, allowing broader but less secure access.
  • Security and Compliance:
    • Secure Collaboration: External accounts can be configured to ensure secure collaboration with partners, vendors, and customers, while maintaining compliance with your organization’s policies.

OneDrive and SharePoint Integration with External Accounts

  • External Sharing:
    • OneDrive: You can share files and folders with external users by sending them a sharing link. External users can access the shared content using their own credentials from their home tenant.
    • SharePoint: Similar to OneDrive, you can share sites, libraries, and documents with external users. They can access the shared content using their own credentials.
  • B2B Sync:
    • Description: The OneDrive sync app allows users to sync libraries or folders in SharePoint or OneDrive that have been shared from other organizations. This is known as Business-to-Business (B2B) Collaboration.
    • Functionality: External users can sync shared content to their local devices, making it easier to collaborate on documents and projects, but this only works for authenticated users from trusted tenants. Users must sign in with their organization’s credentials for syncing to work.
  • Permissions and Access Control:
    • Management: External sharing settings can be configured in the OneDrive and SharePoint admin centers. You can control who can share content externally and what level of access external users have.
    • Security: External accounts are subject to the same compliance and auditing protections as internal users. You can also apply Microsoft Entra Conditional Access policies to ensure secure collaboration.
  • Use Cases:
    • Document Collaboration: External users can collaborate on documents in real-time, making it ideal for projects involving partners, vendors, or clients.
    • Project Management: SharePoint sites can be shared with external users to manage projects, track progress, and store project-related documents.
  • Summary: External accounts enable seamless collaboration in OneDrive and SharePoint by allowing users from other organizations to access shared content securely and efficiently. This integration supports various use cases, from document sharing to project management.

The sharing options in OneDrive and SharePoint, such as “Anyone,” “New and existing guests,” “Existing guests,” and “Only people in your organization,” determine how you can share content with external users, including those with external accounts. Here’s how these options relate to external accounts:

Sharing Options

  • Anyone:
    • Description: Allows you to share files and folders with anyone, including people outside your organization, without requiring them to sign in. Since ‘Anyone’ links do not require authentication, they should be used with caution, as they can be forwarded and accessed by unintended recipients.
    • Use Case: Ideal for sharing links publicly or with users who do not have a Microsoft account.
    • External Accounts: This option does not create a guest account in your tenant. It provides access via a link that can be forwarded to others.
  • New and Existing Guests:
    • Description: Allows sharing with both new guests (who will be invited and added as guest accounts in your tenant) and existing guest accounts.
    • Use Case: Useful for collaborating with partners, vendors, or clients who need ongoing access to your resources.
    • External Accounts: New guests will be added as guest accounts in your tenant, while existing guests can continue to access shared content.
  • Existing Guests:
    • Description: Restricts sharing to users who already have guest accounts in your tenant.
    • Use Case: Ensures that only pre-approved external users can access shared content.
    • External Accounts: Only existing guest accounts can access the shared content.
  • Only People in Your Organization:
    • Description: Limits sharing to users within your organization.
    • Use Case: Ensures that content is only accessible to internal users.
    • External Accounts: External users cannot access content shared with this setting.

Summary

  • “Anyone”: No guest account created; access via link.
  • “New and Existing Guests”: Creates new guest accounts and allows existing guests.
  • “Existing Guests”: Only allows existing guest accounts.
  • “Only People in Your Organization”: Restricts access to internal users only.

These sharing options help you control how content is shared and who can access it, ensuring secure collaboration with external users.
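The four sharing options above correspond to the SharingCapability values exposed by the SharePoint Online Management Shell, which is where an admin audits and tightens them. The following PowerShell is an added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that <tenant> is replaced with your tenant name (placeholder).

```powershell
# Added example: audit which sites still allow 'Anyone' links, then tighten tenant and site
# sharing to existing guests only. Assumes the SPO management shell module is installed.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # <tenant> is a placeholder

# SharingCapability maps onto the sharing options described above:
#   ExternalUserAndGuestSharing     -> "Anyone" (unauthenticated links) plus new/existing guests
#   ExternalUserSharingOnly         -> "New and existing guests"
#   ExistingExternalUserSharingOnly -> "Existing guests"
#   Disabled                        -> "Only people in your organization"
$tenant = Get-SPOTenant
"Tenant-level sharing: $($tenant.SharingCapability)"

# A site can never be more permissive than the tenant, but while the tenant allows 'Anyone'
# links every site that has not been tightened individually still permits them.
# Add -IncludePersonalSite $true to also cover users' OneDrive sites.
$anyoneSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability

"Sites still permitting 'Anyone' links:"
$anyoneSites | Format-Table -AutoSize

# Tighten at tenant level: only guests that already exist in the tenant can be granted access.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

# Bring each site that relied on 'Anyone' links explicitly into line, so the setting survives
# a later loosening of the tenant default.
foreach ($site in $anyoneSites) {
    Set-SPOSite -Identity $site.Url -SharingCapability ExistingExternalUserSharingOnly
}
```

If the business case for ‘Anyone’ links cannot be removed, the lesser step is to keep ExternalUserAndGuestSharing but force those links to expire and be view-only (Set-SPOTenant -RequireAnonymousLinksExpireInDays, -FileAnonymousLinkType View, -FolderAnonymousLinkType View); existing links issued before the change are not retroactively restricted.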

https://learn.microsoft.com/en-us/microsoft-365/enterprise/cloud-microsoft-domain?view=o365-worldwide
This post is licensed under CC BY-SA 4.0 by David Marker