1. Overview
Once guest users are invited and onboarded, you must manage their accounts within your Microsoft Entra directory. This includes viewing their account properties and identities, restricting or elevating their privileges, and automating policy assignment for them.
Microsoft Entra gives admins granular control while maintaining a clear distinction between internal members and external collaborators.
2. Key Account Properties
| Property | Purpose |
|---|---|
| UserType | Indicates if the user is a Member (internal) or Guest (external). |
| Identities | The identity provider(s) the account can sign in through (another Microsoft Entra tenant, a Microsoft account, Google, a SAML/WS-Fed IdP, or email one-time passcode). |
| Source | Where the account originated (on-premises sync, an external Entra tenant, an invitation, etc.). |
| Sign-in Type | How the identity is authenticated (password in this tenant, federation to an external IdP, or one-time passcode). |
3. UserType Property Explained
The UserType field records the user's relationship to the tenant. It does not by itself change how the user signs in or which directory roles they hold, but it is the attribute that Conditional Access policies, dynamic group rules, and the guest user access restriction setting key on, so it does shape what a guest can do.
Best Practice: Use the principle of least privilege. Assign guests only the permissions they need to do their work.
4. Managing Guest User Privileges
By default, guest users are limited in what they can do: the default guest user access restriction lets them read only a limited set of properties and memberships of directory objects, so a guest cannot enumerate the tenant's users, groups, or other directory resources the way a member can.
However, admins can relax or tighten that restriction, assign guests directory roles, and grant those roles just in time through PIM.
The restriction is set from: Entra Admin Center → External Identities → External collaboration settings → Guest user access restrictions (older portal builds reached the same setting via User Settings → External Users → Guest Access Restrictions).
Example: A long-term partner acting as an outsourced helpdesk might need elevated access. Admins can add this guest to specific roles (e.g., Helpdesk Administrator) using Privileged Identity Management (PIM) for just-in-time (JIT) access.
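The PIM step from the example above, written out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the course page: it makes a guest eligible (not actively assigned) for Helpdesk Administrator for 90 days, so the guest must activate the role just-in-time. It assumes the SDK is installed, the caller holds a role allowed to manage PIM (for example Privileged Role Administrator), and the partner's email address below is a placeholder.

```powershell
# Added example (not from the course page): PIM eligibility for a guest.
# Assumptions: Microsoft.Graph PowerShell SDK; caller can manage PIM;
# the partner mail address is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Look the guest up by mail rather than by the #EXT# UPN, which needs URL escaping.
$guest = Get-MgUser -Filter "mail eq 'helpdesk.partner@contoso.com' and userType eq 'Guest'" `
    -Property Id, DisplayName, UserType, Mail -ConsistencyLevel eventual -CountVariable n

# Refuse to proceed unless exactly one guest matched; elevating the wrong account
# (or a Member by mistake) is the failure mode this guard exists for.
if ($n -ne 1 -or $guest.UserType -ne "Guest") {
    throw "Expected exactly one Guest account for that address, found $n."
}

# Resolve the role by name instead of hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

$request = @{
    Action           = "adminAssign"                     # creates an eligibility, not an active assignment
    Justification    = "Outsourced helpdesk partner; JIT activation only"
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                               # tenant-wide scope
    PrincipalId      = $guest.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "P90D" }   # eligibility lapses after 90 days
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Verify: the guest should show up as eligible, and NOT under active role assignments.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($guest.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status
```

The eligibility expiring after 90 days means the partner relationship has to be re-confirmed by an admin; when the guest needs the role, they activate it themselves in PIM for the activation window the role setting allows, and the activation is logged as its own audit event.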
5. Managing Identities
Guest users can authenticate using various identity providers (IdPs):
| Identity Provider (IdP) | Authentication Method |
|---|---|
| Microsoft Entra tenant | Work account from another organization. |
| Microsoft account (MSA) | Personal Microsoft account (e.g., Outlook.com). |
| Google | Federated Gmail or Google Workspace account. |
| Facebook | Self-service sign-up via Facebook. |
| SAML/WS-Fed | External IdP (e.g., Okta, PingFederate). |
| Email (OTP) | One-time passcode for unmanaged domains. |
Admins can view this under the Identities tab of the user's profile in the Entra admin center, or programmatically through the identities property of the user object in Microsoft Graph (each entry carries a signInType, an issuer, and an issuerAssignedId).
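Pulling the same information for every guest at once is more useful than clicking through profiles. The following is an added example, not part of the course page: it lists all guests with the Graph PowerShell SDK, derives the identity provider from the federated identity's issuer, and flags invitations that were never redeemed. It assumes the SDK is installed and the caller has User.Read.All; the issuer-to-IdP mapping reflects the issuer strings Graph returns for B2B identities, and anything unmapped (such as a SAML/WS-Fed partner, whose issuer is the federated domain) is shown raw.

```powershell
# Added example (not from the course page): guest identity inventory.
# Assumptions: Microsoft.Graph PowerShell SDK; caller granted User.Read.All.
Connect-MgGraph -Scopes "User.Read.All"

# Issuer values Graph records on a guest's federated identity, mapped to the
# IdP names used in the table above. Unlisted issuers are shown as-is.
$issuerNames = @{
    "ExternalAzureAD"  = "Microsoft Entra tenant"
    "MicrosoftAccount" = "Microsoft account (MSA)"
    "google.com"       = "Google"
    "facebook.com"     = "Facebook"
    "mail"             = "Email (OTP)"
}

function Get-GuestIdentityReport {
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, DisplayName, Mail, UserPrincipalName, Identities, ExternalUserState, ExternalUserStateChangeDateTime, CreatedDateTime `
        -ConsistencyLevel eventual -CountVariable guestCount

    foreach ($g in $guests) {
        # A guest carries a userPrincipalName identity for this tenant plus a
        # federated identity; only the federated one says where the credential lives.
        $fed = $g.Identities | Where-Object SignInType -eq "federated" | Select-Object -First 1
        $idp = "none (not federated)"
        if ($fed) {
            $idp = if ($issuerNames.ContainsKey($fed.Issuer)) { $issuerNames[$fed.Issuer] } else { $fed.Issuer }
        }

        [pscustomobject]@{
            DisplayName  = $g.DisplayName
            Mail         = $g.Mail
            IdP          = $idp
            Issuer       = $fed.Issuer
            HomeIdentity = $fed.IssuerAssignedId      # the identifier at the home IdP
            State        = $g.ExternalUserState       # Accepted or PendingAcceptance
            InvitedOn    = $g.CreatedDateTime
            StateChanged = $g.ExternalUserStateChangeDateTime
        }
    }
}

$report = Get-GuestIdentityReport

# How many guests come from each kind of identity provider.
$report | Group-Object IdP | Select-Object Name, Count | Sort-Object Count -Descending

# Invitations still unredeemed after 30 days are candidates for removal:
# each one is a standing door into the tenant that nobody has walked through.
$report | Where-Object { $_.State -eq "PendingAcceptance" -and $_.InvitedOn -lt (Get-Date).AddDays(-30) } |
    Format-Table DisplayName, Mail, IdP, InvitedOn
```

Running this before tightening guest access restrictions or adding a Conditional Access policy tells you which IdPs you are about to affect, and the pending-invitation list is a cheap hygiene check to run on a schedule.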
6. Converting UserType (Guest ↔ Member)
While it's technically possible to switch a user between Guest and Member with PowerShell (the Set-MsolUser -UserPrincipalName "user@domain.com" -UserType Member form comes from the retired MSOnline module and no longer works; the Microsoft Graph PowerShell SDK equivalent is):
```powershell
Update-MgUser -UserId "user@domain.com" -UserType Member
```
…it's not recommended unless the user's actual relationship with the organization changes. Changing UserType does not automatically change how the user authenticates (an invited user keeps signing in through their home tenant or identity provider), rewrite the #EXT# user principal name, or add or remove existing role assignments and static group memberships; it only changes the attribute that policies, dynamic groups, and the guest access restriction setting key on.
Only convert the UserType if the external user becomes a true internal employee (or vice versa).
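A conversion wrapper that enforces the caveats above, added here as an example rather than taken from the course page: it refuses non-guests, warns on unredeemed invitations, shows the operator which home IdP the credential will still live with and that the #EXT# UPN stays, and only then updates UserType, with -WhatIf and -Confirm support. It assumes the Microsoft Graph PowerShell SDK, a caller with User.ReadWrite.All and a directory role permitted to change userType, and a placeholder object ID.

```powershell
# Added example (not from the course page): guarded Guest -> Member conversion.
# Assumptions: Microsoft.Graph PowerShell SDK; caller holds User.ReadWrite.All
# and a role allowed to edit userType; the object ID below is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Convert-GuestToMember {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "High")]
    param(
        # Object ID rather than UPN: the #EXT# UPN would need URL escaping.
        [Parameter(Mandatory)] [string] $ObjectId
    )
    $u = Get-MgUser -UserId $ObjectId -Property Id, UserPrincipalName, UserType, Identities, ExternalUserState

    if ($u.UserType -ne "Guest") {
        Write-Warning "$($u.UserPrincipalName) is already UserType=$($u.UserType); nothing to do."
        return
    }
    if ($u.ExternalUserState -eq "PendingAcceptance") {
        Write-Warning "Invitation has not been redeemed; this user has never signed in here."
    }

    # What conversion leaves untouched: the credential still lives with the
    # issuer below and the UPN keeps its #EXT# form. Put both in the prompt so
    # the operator confirms with that in view.
    $fed = $u.Identities | Where-Object SignInType -eq "federated" | Select-Object -First 1
    $summary = "Set userType=Member on $($u.UserPrincipalName); user will still authenticate via '$($fed.Issuer)' as '$($fed.IssuerAssignedId)'"

    if ($PSCmdlet.ShouldProcess($u.Id, $summary)) {
        Update-MgUser -UserId $u.Id -UserType "Member"
        # Return the post-change state so the caller can see UPN and identities are unchanged.
        Get-MgUser -UserId $u.Id -Property UserPrincipalName, UserType, Identities
    }
}

# Dry run first, then the real conversion behind an explicit confirmation prompt.
Convert-GuestToMember -ObjectId "00000000-0000-0000-0000-000000000000" -WhatIf    # placeholder object ID
Convert-GuestToMember -ObjectId "00000000-0000-0000-0000-000000000000" -Confirm
```

Because the wrapper returns the user object after the change, the operator sees immediately that the identities array and the #EXT# UPN are exactly as before; if the person is genuinely joining the organization, the next step is a new internal account in this tenant, not a converted guest.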
7. Dynamic Groups and B2B Collaboration
Dynamic groups automate membership based on attributes (like department or userType).
Example rule:
(user.userType -eq "Guest")
This rule creates a group of all guest users — ideal for applying Conditional Access or license assignments automatically.
Dynamic groups require Microsoft Entra ID Premium P1 or P2.
8. Real-World Example
Scenario:
Contoso’s IT department creates a dynamic group for all external vendors using the rule (user.userType -eq "Guest").
They apply a Conditional Access policy requiring MFA for this group, so every guest, current and future, must satisfy MFA before reaching Contoso's resources. One caveat a practitioner should expect: Contoso does not trust MFA performed in a guest's home tenant unless its inbound cross-tenant access settings say so, so by default each guest registers an MFA method in Contoso's tenant the first time the policy applies.
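The Contoso scenario built end to end with the Microsoft Graph PowerShell SDK, as an added example that is not part of the course page: a dynamic security group with the rule from Section 7, then a Conditional Access policy that requires MFA for that group, created in report-only mode so sign-in logs show its effect before it is enforced. It assumes the SDK is installed, the tenant has Entra ID P1, the caller holds Group.ReadWrite.All and Policy.ReadWrite.ConditionalAccess, and that a break-glass exclusion group named "CA-Exclusions" already exists (a placeholder name).

```powershell
# Added example (not from the course page): dynamic guest group + report-only CA policy.
# Assumptions: Microsoft.Graph PowerShell SDK; Entra ID P1; caller can manage groups
# and Conditional Access; a break-glass group "CA-Exclusions" exists (placeholder name).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Dynamic security group of all guests. Membership is evaluated by the service;
#    the group starts empty and fills in over the next few minutes.
$group = New-MgGroup -DisplayName "All External Guests" `
    -MailEnabled:$false -MailNickname "allexternalguests" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

# 2. Never create an MFA policy without an exclusion for break-glass accounts.
$exclusions = Get-MgGroup -Filter "displayName eq 'CA-Exclusions'"
if (-not $exclusions) { throw "Break-glass exclusion group not found; refusing to create the policy." }

# 3. Conditional Access policy: MFA for the dynamic group, all cloud apps,
#    report-only first. Flip State to "enabled" after reviewing sign-in logs.
$policy = @{
    DisplayName   = "Require MFA for all guests"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{
            IncludeGroups = @($group.Id)
            ExcludeGroups = @($exclusions.Id)
        }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 4. Read the policy back and confirm it targets the dynamic group and is still report-only.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, @{ n = "IncludeGroups"; e = { $_.Conditions.Users.IncludeGroups } }
```

Targeting the dynamic group rather than a static list is what makes the policy cover future guests without further work; a guest converted to Member drops out of the group automatically, which is one more reason to convert UserType only when the relationship really changes.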
9. Exam Tip
UserType = Member or Guest (relationship indicator).
Guests can be assigned any Entra role, including administrative ones.
Use PIM for temporary elevation.
Dynamic groups simplify applying policies automatically to all guests.
Summary
Unit 8 detailed how guest accounts function within Microsoft Entra ID.
Admins can view, restrict, elevate, or automate management of these accounts to align with both organizational security and collaboration needs.