
Secure Collaboration in Office 365: Manage External Sharing & Guest Access

Do you need to secure your organization’s collaboration with external guests in Office 365? This article provides the steps and resources for managing external sharing and guest access in Microsoft 365.

To provide you with options, I divided the article into 2 parts. Firstly, we discuss how to manage external users using the Azure Portal and the Exchange Online admin portal.

Secondly, we explore performing the same tasks using Windows PowerShell.

Specifically, each section covers how to create and manage external users and guests. Beyond creating guests, the article examines how to grant or remove access to guests for secure collaboration in Office 365.

Overview of Users in Microsoft 365

There are 2 types of user objects in Microsoft 365: users within an organization and external users invited to collaborate with an organization. Both user types can be created in the Azure Portal or with PowerShell.

This article focuses on creating and managing external users.

You can invite guests from Azure Portal or by using a PowerShell script. However, before doing that, it is recommended to create a mail contact for the guest user.

Following this workflow – adding a mail contact before inviting the external user – is helpful if you want the external user to be listed in your organization’s address book.

From my experience, if you do not follow this workflow, internal users will not see the external users in the address book.

Based on this, in the subsequent sections, we use this workflow.

Method 1: Managing External Users and Guests in Azure Portal and Exchange Online

Add a Mail Contact for an External user in the Exchange Online Admin Portal

1. Open admin.exchange.microsoft.com and sign in with your Microsoft 365 admin account or an account with permission to create users. 
2. Once signed in, expand the Recipients menu, click Contacts, and select “Add a mail user.”

3. Then, on the Basic page of the New Mail Contact workflow, enter the required information and click Next. 

4. The next page of the workflow provides two optional sections – Contact information and Organisation information. If you want to add information in these sections, expand them.

Otherwise, click Next to continue. 

5. Finally, review the information you provided and, if you’re happy with it, click Create to add the new mail contact.

Invite a Guest User to a Microsoft 365 Organization in the Azure Portal

1. Sign in to portal.azure.com with your Microsoft 365 admin account. After that, search for and open Azure Active Directory.
2. Once the Azure AD page opens, click the Users menu. 

3. On the Users page, click New user and choose “Invite external user.”

4. On the Basic tab of the Invite external user page, enter the user’s email and click the “Review + invite” tab. 

You can also add the new guest user to a group or assign roles from the Assignments tab. However, we perform these tasks later.

5. Finally, click Invite. The user receives the invite via the email you specified. 

Once they click Accept invitation, they are confirmed as guest members of your Microsoft 365 organization. 

When the user clicks the “Accept invitation” link, Microsoft requires the user to sign in to Azure. However, since the user does not have a password, they should use the “Forgot password” link to create a new password.

Once the new guest user signs in, Microsoft requests them to grant access to the organization they’re joining.   


Assign a Licence to a Guest User in the Azure Portal

After creating an external user, one way to secure collaboration with internal Office 365 users is by granting a license to the external user. Follow these steps to assign a guest user a license.

1. Open the user in the Azure portal. Click Licenses.

2. Then, on the Licenses page, click Assignments.

3. Finally, select the licenses to assign to the user, configure the license details, and click Save.

Add an External Office 365 User to a Group in the Azure Portal

Another way to secure collaboration with external Office 365 users is via groups and role assignments. In this subsection, we discuss adding a guest user to an Azure AD group.

After that, we explain how to assign them Azure AD roles from the Azure Portal.

To add a user to a group, click Groups from the user’s properties page. Then, click “+ Add memberships.”

Finally, check the checkboxes next to each group you want to add the user to and click the Select button. 

Assign Azure AD Role to a Guest User in the Azure Portal

1. Open the external user in Azure Active Directory via the portal. 
2. Then, click “Assigned roles” and then “+ Add assignments.”

3. Once the “Add assignments” page opens, select the Azure AD role you want to assign the guest account and click Next. 

4. On the Settings page, select the Assignment type and click “Assign.”

Delete an External User in the Azure Portal

To delete an external Azure AD user, click the Overview tab of the user’s properties page in the Azure AD portal. Afterward, select the Delete button and, finally, click Delete in the flyout. 

Method 2: Managing External Users and Guests using Windows PowerShell

The commands in this section require the AzureADPreview and ExchangeOnlineManagement PowerShell modules. So, we install these 2 modules before proceeding.

It is important to mention that after installing the modules, before running the Azure AD commands, we must run the Connect-AzureAD command first. Similarly, before running the Exchange Online commands, running the Connect-ExchangeOnline command is a requirement.

The Connect-AzureAD and Connect-ExchangeOnline commands authenticate to Azure Active Directory and Exchange Online respectively.

Install the AzureADPreview and ExchangeOnlineManagement Modules

1. Open PowerShell as administrator by searching for it and clicking “Run as administrator.”

2. Once PowerShell opens, set the Execution Policy to RemoteSigned for the session by running the command below (it starts a new PowerShell process with that policy). This execution policy allows modules downloaded from the internet to run.

					powershell.exe -ExecutionPolicy RemoteSigned

3. After that, install the AzureADPreview, ExchangeOnlineManagement and Az.Resources modules with this command (Az.Resources provides the Az role-assignment cmdlets used later in this section).

					Install-Module -Name AzureADPreview, ExchangeOnlineManagement, Az.Resources -AllowClobber -Force

4. After installing the modules, import them to the current PowerShell session with the Import-Module command. 

					Import-Module AzureADPreview, ExchangeOnlineManagement, Az.Resources

5. Finally, confirm that the modules are available on your PC by running the Get-Module command.

					Get-Module -Name AzureADPreview, ExchangeOnlineManagement, Az.Resources

Add a Mail Contact for an External user using Exchange Online PowerShell Commands

1. Run the Connect-ExchangeOnline command to authenticate to your Exchange Online account. Change the placeholder email address to your Azure sign-in email.

					Connect-ExchangeOnline -Credential (Get-Credential name@domainname.com)

When you press the Enter key to execute the command, PowerShell prompts for the password. Enter it and click OK. 

2. Once signed in successfully, create a mail contact with the New-MailContact command. 

					New-MailContact -Name "Victor Ashiedu (Gmail)" -ExternalEmailAddress "name@domainname.com"

After running the command, the mail contact is displayed in the Exchange Online admin center – admin.exchange.microsoft.com/#/contacts. The screenshot below shows the command and the contact in the Exchange Online admin portal. 

Invite a Guest User to a Microsoft 365 Organization using AzureAD PowerShell Commands

The New-MgInvitation command is used to invite external users to a Microsoft 365 organization. However, you must run the Connect-MgGraph command – with the required scopes – before running New-MgInvitation. Both cmdlets come from the Microsoft Graph PowerShell SDK (the Microsoft.Graph module), which is installed separately from the modules above.

Speaking of scopes, inviting external users requires the User.ReadWrite.All scope, while assigning users licences requires the Organization.Read.All scope.

In the following steps, we explain the details of running the commands to secure collaboration with external users in Office 365.

1. Authenticate to Azure AD by running the Connect-AzureAD command.

					Connect-AzureAD -Credential (Get-Credential name@domainname.com)

PowerShell prompts for the Azure email password. Enter the password and click OK. 

2. Run the Connect-MgGraph command to connect to Microsoft Graph and request the scopes above.

					Connect-MgGraph -Scopes User.ReadWrite.All, Organization.Read.All

The command displays a sign-in popup. Sign in with your Azure AD account. 

Once you sign in, check “Consent on behalf of your organization” at the Microsoft Graph permission request pop-up and click Accept.

3. Invite the external user to your Azure tenant by running the New-MgInvitation command. Use the same email that you used when you created the mail contact in the last subsection.

					New-MgInvitation -InvitedUserDisplayName "Victor Ashiedu (Gmail)" -InvitedUserEmailAddress name@domainname.com -InviteRedirectUrl "https://myapplications.microsoft.com" -SendInvitationMessage:$true


Once this command runs successfully, PowerShell displays a confirmation. Additionally, the user you invited should receive an email. 

Ask the invited user to accept the invite and sign in. However, since the user has no password, ask them to use the “Forgot password” link to create a new password. 

4. To confirm that the user exists in your Microsoft 365 tenant, use this sample command.

					Get-AzureADUser -Filter "displayname eq 'Victor Ashiedu (Gmail)'"

The UserType should be “Guest.”
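The contact-then-invite workflow described above, combined into one idempotent function with the Guest check at the end. This is an added example, not code from the original article; the function name is mine, the display name and address are the article's placeholders, and it assumes Connect-ExchangeOnline, Connect-AzureAD and Connect-MgGraph (User.ReadWrite.All) have already been run in the session.

```powershell
function New-GuestOnboarding {
    # Creates the mail contact (if missing), sends the B2B invitation (if the
    # guest does not already exist) and returns the resulting directory object.
    # Assumes Connect-ExchangeOnline, Connect-AzureAD and Connect-MgGraph
    # (User.ReadWrite.All) have already been run in this session.
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $EmailAddress,
        [string] $RedirectUrl = "https://myapplications.microsoft.com"
    )

    # 1. Mail contact first, so the guest is listed in the address book.
    $contact = Get-MailContact -Identity $EmailAddress -ErrorAction SilentlyContinue
    if (-not $contact) {
        $contact = New-MailContact -Name $DisplayName -ExternalEmailAddress $EmailAddress
        Write-Verbose "Created mail contact $($contact.Name)"
    }

    # 2. Invitation, unless a user with this address already exists.
    $guest = Get-AzureADUser -Filter "mail eq '$EmailAddress'"
    if (-not $guest) {
        $invite = New-MgInvitation -InvitedUserDisplayName $DisplayName `
            -InvitedUserEmailAddress $EmailAddress `
            -InviteRedirectUrl $RedirectUrl `
            -SendInvitationMessage:$true
        # The invitation response already carries the new user's object id.
        $guest = Get-AzureADUser -ObjectId $invite.InvitedUser.Id
        Write-Verbose "Invitation sent to $EmailAddress"
    }

    # 3. Sanity check: the account must be a Guest, never a Member.
    if ($guest.UserType -ne 'Guest') {
        throw "$EmailAddress resolved to a '$($guest.UserType)' account, not a Guest"
    }

    [pscustomobject]@{
        DisplayName = $guest.DisplayName
        Mail        = $guest.Mail
        ObjectId    = $guest.ObjectId
        UserType    = $guest.UserType
        MailContact = $contact.Identity
    }
}

# Placeholder values from the article; replace with the real guest's details.
New-GuestOnboarding -DisplayName "Victor Ashiedu (Gmail)" -EmailAddress "name@domainname.com" -Verbose
```

Running the function a second time for the same address creates nothing new and simply returns the existing guest, which makes it safe to use in a scheduled onboarding script.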

Add an External Office 365 User to a Group with AzureAD PowerShell Commands

1. Get the user’s ObjectID.

					$userRefObjectId = (Get-AzureADUser -Filter "displayname eq 'Victor Ashiedu (Gmail)'").ObjectID

2. Get the ObjectID of the group you want to add the external user to.

					$groupObjectId = (Get-AzureADGroup -Filter "displayname eq 'Helpdesk administrators'" ).ObjectID

3. Add the external Azure AD user to the group.

					Add-AzureADGroupMember -ObjectId $groupObjectId -RefObjectId $userRefObjectId

Assign Azure AD Role to a Guest User using AzureAD PowerShell Commands

1. Get the Id of the external user.

					$userId = (Get-AzureADUser -Filter "displayname eq 'Victor Ashiedu (Gmail)'").ObjectID

2. Next, get the name of the role you want to assign the guest user. The Get-Az* cmdlets below come from the Az.Resources module and need an Azure session opened with Connect-AzAccount.

					$roleassignmentname = (Get-AzRoleDefinition | Where-Object {$_.Name -eq "Security Admin"}).Name

3. Identify the scope of the role assignment. Change veeambackup21 to the name of the Azure resource you want to grant the user access to. New-AzRoleAssignment grants an Azure RBAC role at that resource’s scope, which is distinct from the Azure AD directory roles assigned in the portal in Method 1.

					$scoperesourceID = (Get-AzResource | Where-Object {$_.Name -eq "veeambackup21"}).ResourceId

4. Finally, assign the role to the external AD user. 

					New-AzRoleAssignment -ObjectId $userId -RoleDefinitionName $roleassignmentname -Scope $scoperesourceID
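After granting groups and roles with the commands above, a practitioner wants a way to review what every guest in the tenant actually holds. The following access-review function is an added example, not code from the original article; the function name, the list of privileged role names and the CSV path are my choices, and it assumes Connect-AzureAD and Connect-AzAccount have already been run.

```powershell
function Get-GuestAccessReport {
    # Lists every guest's direct group memberships, Azure AD directory roles and
    # Azure RBAC assignments, and flags the combinations that merit a review.
    # Assumes Connect-AzureAD and Connect-AzAccount have already been run.
    param(
        # Directory roles a guest should normally never hold (example list).
        [string[]] $PrivilegedRoles = @('Global Administrator', 'Security Administrator',
                                        'User Administrator', 'Exchange Administrator')
    )

    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | ForEach-Object {
        $guest = $_
        # Direct memberships show exactly what the onboarding steps granted.
        $memberships = Get-AzureADUserMembership -ObjectId $guest.ObjectId -All $true
        $groups      = $memberships | Where-Object ObjectType -eq 'Group'
        $dirRoles    = $memberships | Where-Object ObjectType -eq 'DirectoryRole'
        # Azure RBAC (resource) assignments made with New-AzRoleAssignment.
        $rbac        = Get-AzRoleAssignment -ObjectId $guest.ObjectId -ErrorAction SilentlyContinue

        $flags = @()
        if ($dirRoles | Where-Object { $PrivilegedRoles -contains $_.DisplayName }) {
            $flags += 'PrivilegedDirectoryRole'
        }
        if ($rbac | Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor', 'User Access Administrator' }) {
            $flags += 'HighPrivilegeRbacRole'
        }
        if ($rbac | Where-Object { $_.Scope -match '^/subscriptions/[^/]+$' }) {
            $flags += 'SubscriptionWideRbac'
        }

        [pscustomobject]@{
            DisplayName     = $guest.DisplayName
            Mail            = $guest.Mail
            AccountEnabled  = $guest.AccountEnabled
            Groups          = ($groups.DisplayName -join '; ')
            DirectoryRoles  = ($dirRoles.DisplayName -join '; ')
            RbacAssignments = (($rbac | ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" }) -join '; ')
            Flags           = ($flags -join ',')
        }
    }
}

# Full report to CSV, and a console view of only the guests that need attention.
$report = Get-GuestAccessReport
$report | Export-Csv -Path .\GuestAccessReport.csv -NoTypeInformation
$report | Where-Object Flags | Format-Table DisplayName, Mail, DirectoryRoles, RbacAssignments, Flags -AutoSize
```

A guest that was given the "Security Admin" RBAC role at a single resource, as in the steps above, appears with that assignment listed but no flag; a guest holding Owner on a whole subscription, or a privileged directory role, is flagged for follow-up.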


Secure Collaboration in Office 365: Managing External Sharing and Guest Access Conclusion

Organizations work with external users, and Office 365 provides a way to secure this inevitable collaboration by allowing the creation of external or guest users. The process involves inviting the guest user to join an organization’s Microsoft 365 tenant.

Once an external user accepts the invite, the user can be granted a license, added to a group, or assigned an Azure AD role.

This allows the external user to securely collaborate with internal users. 

This article provides a detailed step-by-step guide to adding external users to Microsoft 365 and performing tasks like assigning the user a license, adding the guest user to a group, or assigning it an Azure role.

We discussed the steps to perform these tasks from the Exchange Online admin and Azure portals. Additionally, we explained how to manage external users using Windows PowerShell. 



Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
