Will Holland is a Senior Software Engineer at ThreeWill. Will has proven to be adept at understanding a client’s needs and matching them with the appropriate solution. Recently he’s developed a passion for working with .NET, MVC, and cloud-based solutions such as Microsoft Azure and Microsoft 365.
As a developer who uses Microsoft 365, I come across Microsoft 365 guest access questions a lot. A variety of Microsoft 365 services need to be considered when understanding guest access in Microsoft 365.
Who Needs Guest Access?
There are some common reasons why guest access may be needed. One reason is that your company could have just gone through a merger, and you need to work together with the new organization before consolidating tenants. If that’s the case, check out a previous podcast on guest access to gain a further understanding. Another reason is that you could be working with another organization on a project and need to collaborate in a certain area within Microsoft 365.
Spreadsheet of Microsoft 365 Guest Access
I thought it would be helpful to lay out a spreadsheet outlining all of the possibilities surrounding Microsoft 365 guest access. Listed below are products/features within Microsoft 365, follow the row to discover if it supports guests and any notes about the guest access.
|Admin||No||It doesn’t appear that you can “share” admin portal sites with external users.|
|Calendar||Partially||You can share calendars with guests, but guests will always see their home calendars.|
|Delve||No||B2B users will always be directed back to Delve in their home tenant. Documents from guest tenants are not discoverable via Delve.|
|D365||Yes*||I wasn’t able to really confirm this, but I did find this documentation from MSFT that says you can invite B2B users to a D365 application.|
|Excel||Partially||B2B users will always be directed back to the OWA for their home tenant and cannot use the OWA to target guest locations as save locations. However, B2B users can open office documents in the browser.|
|Flow||Partially||A B2B user can trigger an automated Flow created by a member user by performing the trigger action.|
It doesn’t appear that a B2B user would be able to create a Flow themselves, though.
|Forms||Yes||B2B users can see and use custom forms, but not create them.|
|Kaizala||N/A||Not super familiar with this product, but it doesn’t appear at all tied to Azure AD. You sign up with a phone number and go from there.|
|OneDrive||Partially||B2B users can have files/folders shared with them by members, but they are not given personal OneDrives|
|OneNote||Partially||B2B users will always be directed back to the OWA for their home tenant and cannot use the OWA to target guest locations as save locations. However, B2B users can open office documents in the browser.|
|Outlook||No||B2B users will always be directed back to the OWA for their home tenant and cannot use the OWA to target guest locations as save locations.|
|People||No||B2B users will always be directed back to the OWA for their home tenant and cannot use the OWA to target guest locations as save locations.|
|Planner||Yes||B2B users can be assigned tasks, manage tasks in plans they can see. However, getting to the Planner for a remote tenant requires using a known URL. There is no way to switch orgs (like you can do in Teams).|
|PowerApps||Yes*||* – Currently requires a PowerApps license to use Canvas apps.A feature is rolling out to allow using PowerApps without a license. Slated for Q32019″Mobile” apps (i.e. customized list forms) are usable by guest users with no license.|
|PowerPoint||Partially||B2B users will always be directed back to the OWA for their home tenant and cannot use the OWA to target guest locations as save locations. However, B2B users can open office documents in the browser.|
|Security||Partially||B2B users can be added as “Security Administrators”, but they have no way to get to the Security Admin portal for a guest tenant (they’ll always go to their home tenants Security portal. This might give them permission to do stuff via PowerShell.|
|SharePoint||Yes||Of course, this assumes external sharing is enabled on sites and the user has been granted access|
|Stream||No||Stream does not currently allow sharing videos with external users. B2B users will see “Video not found” whenever trying to view videos in Stream. There is currently a feature in the roadmap to allow anonymous access to videos. https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=27728|
|Sway||Partially||B2B users can view Sways created by other users, if they have a link to the Sway and permissions for the Sway allow “anyone with the link to view”. Any sways created by a B2B user would exist in their home tenant and would, likewise, need to be shared/embedded in the host tenant (and allow for anyone with the link to view).|
|Tasks / To-Do||Partially||B2B users can access Tasks from their home tenant. Trying to access it from the host tenant will only redirect them back to their home tenant.|
|Teams||Yes||A guest cannot be listed as an Owner, but can be invited as a member.A guest cannot see channels they aren’t a member of.Guests are not automatically added to “Org-Wide” groups.|
|Video||No||Video is being replaced with Stream. It also does not allow external sharing of videos.|
|“Your Apps” link||No||This appears to only ever show apps linked to the guest users home tenant for B2B users|
|Tenant level branding||No||I do not see the custom logo I have on my developer tenant.|
|Microsoft Search bar||No||My guest user does not see the Microsoft Search bar available in my developer tenant.|
|“SharePoint” link||No||My guest user does not see the SharePoint link in the guest tenant.|
|Search Bookmarks/QnA/Locations||Yes||Guest users can still use the old way of searching and then changing the scope to “Organization”, which allows them to then view bookmarks and such.|
|Can a guest be a Team Owner?||No||No. Guests are limited to the “guest” role.|
|Can a guest be a Site Collection Admin?||Yes|
|Can a guest be a SharePoint Admin?||Yes*||* – Although I can make my guest a SharePoint admin, the guest account cannot access the SharePoint admin portal.|
|Can a guest be an O365 Global Admin?||No||It will let you try, but you’ll get an error telling you that the global admin role could not be associated with the chosen users.|
|Can a guest be a O365 Group Owner?||No||Attempting to add a guest as an owner to an O365 group resulted in the following error:|
“As per tenant wide policy guest users are not allowed to be owner of a unified group.”
I was unable to find any configurable policy.