
Assign Azure roles to external guest users using the Azure portal
Azure role-based access control (Azure RBAC) allows better security management for large organizations and for small and medium-sized businesses working with external collaborators, vendors, or freelancers that need access to specific resources in your environment, but not necessarily to the entire infrastructure or any billing-related scopes. You can use the capabilities in Microsoft Entra B2B to collaborate with external guest users and you can use Azure RBAC to grant just the permissions that guest users need in your environment.
Prerequisites
To assign Azure roles or remove role assignments, you must have:
- Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner
When would you invite guest users?
Here are a few example scenarios in which you might invite guest users to your organization and grant them permissions:
- Allow an external self-employed vendor who only has an email account to access your Azure resources for a project.
- Allow an external partner to manage certain resources or an entire subscription.
- Allow support engineers who are not in your organization (such as Microsoft support) to temporarily access your Azure resources to troubleshoot issues.
Permission differences between member users and guest users
Native members of a directory (member users) have different permissions than users invited from another directory as B2B collaboration guests (guest users). For example, member users can read almost all directory information, while guest users have restricted directory permissions. For more information about member users and guest users, see What are the default user permissions in Microsoft Entra ID?
Add a guest user to your directory
Follow these steps to add a guest user to your directory using the Microsoft Entra ID page.
Sign in to the Azure portal .
Make sure your organization's external collaboration settings are configured such that you're allowed to invite guests. For more information, see Configure external collaboration settings .
Click Microsoft Entra ID > Users > New guest user.

Follow the steps to add a new guest user. For more information, see Add Microsoft Entra B2B collaboration users in the Azure portal.
After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the accept invitation link in the invitation email.

For the guest user to be able to access your directory, they must complete the invitation process.

For more information about the invitation process, see Microsoft Entra B2B collaboration invitation redemption.
Assign a role to a guest user
In Azure RBAC, to grant access, you assign a role. To assign a role to a guest user, you follow the same steps as you would for a member user, group, service principal, or managed identity. Follow these steps to assign a role to a guest user at a chosen scope.
In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups , Subscriptions , Resource groups , or a specific resource.
Click the specific resource for that scope.
Click Access control (IAM) .
The following shows an example of the Access control (IAM) page for a resource group.

Click the Role assignments tab to view the role assignments at this scope.
Click Add > Add role assignment .
If you don't have permissions to assign roles, the Add role assignment option will be disabled.

The Add role assignment page opens.
On the Role tab, select a role such as Virtual Machine Contributor.

On the Members tab, select User, group, or service principal.

Click Select members .
Find and select the guest user. If you don't see the user in the list, type in the Select box to search the directory by display name or email address. Guest accounts carry a synthetic user principal name (for example alice_contoso.com#EXT#@yourtenant.onmicrosoft.com), so searching by the invited email address is usually the most reliable way to find them.

Click Select to add the guest user to the Members list.
On the Review + assign tab, click Review + assign .
After a few moments, the guest user is assigned the role at the selected scope.
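The same procedure scripted with Azure PowerShell, as an added example that is not part of the original article: it looks the guest up by the invited email address, refuses to proceed if the account is not actually a guest, creates the assignment only if it does not already exist, and then lists what the guest holds at that scope. The tenant ID, subscription ID, resource group name, email address and ticket reference are placeholder assumptions; the cmdlets are from the Az.Accounts and Az.Resources modules.

```powershell
# Added example, not from the original article. Requires the Az.Accounts and Az.Resources modules.
# All values below are assumptions; replace them with your own.
$TenantId       = '00000000-0000-0000-0000-000000000000'   # assumption: your Entra tenant
$SubscriptionId = '11111111-1111-1111-1111-111111111111'   # assumption: target subscription
$ResourceGroup  = 'rg-project-alpha'                        # assumption: the scope to grant
$GuestMail      = 'alice@contoso.com'                       # assumption: the invited guest's e-mail
$RoleName       = 'Virtual Machine Contributor'             # least privilege for the task at hand

Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# Guest accounts carry a synthetic UPN (alice_contoso.com#EXT#@yourtenant.onmicrosoft.com),
# so look the guest up by mail address and confirm userType is Guest before granting anything.
$guest = Get-AzADUser -Filter "mail eq '$GuestMail'"
if (-not $guest) { throw "No directory user with mail $GuestMail; invite the guest first." }
if ($guest.UserType -ne 'Guest') { throw "$GuestMail is a member account, not a guest; check the account." }

# Resource-group scope: the guest gets nothing outside this resource group.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# Idempotent: only create the assignment if it is not already there at this scope.
$existing = Get-AzRoleAssignment -ObjectId $guest.Id -RoleDefinitionName $RoleName -Scope $scope
if (-not $existing) {
    # -ObjectType User avoids a directory lookup for a principal that may not have replicated yet.
    # -Description leaves an audit trail of why the assignment exists (ticket number is an assumption).
    New-AzRoleAssignment -ObjectId $guest.Id -ObjectType User `
        -RoleDefinitionName $RoleName -Scope $scope `
        -Description 'Project Alpha vendor access, ticket 1234' | Out-Null
}

# Verify: everything the guest holds at this scope, including assignments inherited from above.
Get-AzRoleAssignment -ObjectId $guest.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope, Description |
    Format-Table -AutoSize
```

The final listing is the check worth keeping: an assignment inherited from the subscription or a management group shows up here too, and is often the reason a guest has more access than the resource-group assignment alone suggests.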

Assign a role to a guest user not yet in your directory
If the guest user is not yet in your directory, you can invite the user directly from the Select members pane while assigning the role; the remaining steps are the same as for an existing guest.
In the Select box, type the email address of the person you want to invite and select that person.

On the Review + assign tab, click Review + assign to add the guest user to your directory, assign the role, and send an invite.
After a few moments, you'll see a notification of the role assignment and information about the invite.

To deliver the invitation yourself, right-click the invitation link in the notification and copy it. Don't open the link in your own browser: doing so starts the redemption process under your session rather than the guest's.
The invitation link has the following format:
https://login.microsoftonline.com/redeem?rd=https%3a%2f%2finvitations.microsoft.com%2fredeem%2f%3ftenant%3d0000...
Send the invitation link to the guest user to complete the invitation process.
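The invite-then-assign flow scripted end to end, as an added example that is not part of the original article: Microsoft Graph PowerShell creates the invitation without sending Microsoft's email (so you hand the redeem URL to the guest over your own channel, as the manual-invite step above describes), and Azure PowerShell then assigns the role to the newly created object, retrying briefly because the object may not have replicated by the time the assignment is attempted. Tenant and subscription IDs, the resource group, the invitee's address and the redirect URL are placeholder assumptions; the cmdlets are from the Microsoft.Graph.Identity.SignIns, Az.Accounts and Az.Resources modules.

```powershell
# Added example, not from the original article. Requires Microsoft.Graph (Identity.SignIns),
# Az.Accounts and Az.Resources. All values below are assumptions; replace them with your own.
$TenantId       = '00000000-0000-0000-0000-000000000000'   # assumption: your Entra tenant
$SubscriptionId = '11111111-1111-1111-1111-111111111111'   # assumption: target subscription
$ResourceGroup  = 'rg-project-alpha'                        # assumption: the scope to grant
$InviteeMail    = 'bob@fabrikam.com'                        # assumption: person not yet in the directory
$RoleName       = 'Reader'                                  # start with the least privilege that works

# User.Invite.All is the delegated Graph permission needed to create B2B invitations.
Connect-MgGraph -TenantId $TenantId -Scopes 'User.Invite.All' -NoWelcome
Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# -SendInvitationMessage:$false mirrors the portal's "copy the link" flow: Microsoft sends no
# e-mail, and you deliver the redeem URL to the guest through a channel you control.
$invite = New-MgInvitation -InvitedUserEmailAddress $InviteeMail `
    -InviteRedirectUrl "https://portal.azure.com/$TenantId" `
    -SendInvitationMessage:$false

$guestId = $invite.InvitedUser.Id
Write-Host "Guest object created: $guestId (status: $($invite.Status))"

# Never open this URL yourself: redeeming it from your session starts the process under your account.
Write-Host "Redeem URL to send to $InviteeMail out of band: $($invite.InviteRedeemUrl)"

$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# The new object may not have replicated yet. -ObjectType User skips the directory lookup,
# and a short retry loop covers the replication window instead of failing on the first attempt.
$attempt = 0
$done = $false
do {
    try {
        New-AzRoleAssignment -ObjectId $guestId -ObjectType User `
            -RoleDefinitionName $RoleName -Scope $scope | Out-Null
        $done = $true
    } catch {
        if (++$attempt -ge 5) { throw }
        Start-Sleep -Seconds 10
    }
} until ($done)

Write-Host "Assigned '$RoleName' to $InviteeMail at $scope; access works once the invitation is redeemed."
```

Until the guest redeems the invitation, the account exists in the directory with the role assigned but cannot sign in to the tenant, which is exactly the state the "Guest user does not see the new directory" troubleshooting entry below describes.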

Remove a guest user from your directory
Before you remove a guest user from a directory, first remove any role assignments for that guest user. If you delete the user object first, its role assignments are left behind as orphans (they appear in the portal as "Identity not found") and have to be cleaned up separately. Follow these steps to remove a guest user from a directory.
Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.
Click the Role assignments tab to view all the role assignments.
In the list of role assignments, add a check mark next to the guest user with the role assignment you want to remove.

Click Remove .

In the remove role assignment message that appears, click Yes .
Click the Classic administrators tab.
If the guest user has a Co-Administrator assignment, add a check mark next to the guest user and click Remove .
In the left navigation bar, click Microsoft Entra ID > Users .
Click the guest user you want to remove.
Click Delete .

In the delete message that appears, click Yes .
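The clean-up sequence scripted with Azure PowerShell, as an added example that is not part of the original article: it walks every subscription you can see in the tenant, reports (and on a second run removes) the guest's RBAC assignments, flags any legacy Co-Administrator entry for manual removal on the Classic administrators tab, and deletes the guest object only after confirming that no assignment remains. The tenant ID and the guest's email address are placeholder assumptions; the cmdlets are from Az.Accounts and Az.Resources.

```powershell
# Added example, not from the original article. Requires Az.Accounts and Az.Resources.
# Values below are assumptions; replace them. Runs as a dry run until $DryRun is set to $false.
$TenantId  = '00000000-0000-0000-0000-000000000000'   # assumption: your Entra tenant
$GuestMail = 'alice@contoso.com'                       # assumption: the guest to off-board
$DryRun    = $true

Connect-AzAccount -Tenant $TenantId | Out-Null

$guest = Get-AzADUser -Filter "mail eq '$GuestMail'"
if (-not $guest) { throw "No user with mail $GuestMail in tenant $TenantId." }
if ($guest.UserType -ne 'Guest') { throw "$GuestMail is a member account; this script only removes guests." }

$removed = 0
foreach ($sub in Get-AzSubscription -TenantId $TenantId) {
    Set-AzContext -Subscription $sub.Id -Tenant $TenantId | Out-Null

    # Every RBAC assignment visible from this subscription, including ones inherited from a
    # management group (those are removed at the management-group scope, so they may already be gone).
    foreach ($a in Get-AzRoleAssignment -ObjectId $guest.Id) {
        Write-Host "[$($sub.Name)] $($a.RoleDefinitionName) at $($a.Scope)"
        if (-not $DryRun) {
            try {
                Remove-AzRoleAssignment -ObjectId $guest.Id -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope
                $removed++
            } catch { Write-Warning "Could not remove assignment at $($a.Scope): $_" }
        }
    }

    # Co-Administrator entries are not RBAC assignments and Remove-AzRoleAssignment does not touch them;
    # surface them so they can be removed on the Classic administrators tab.
    Get-AzRoleAssignment -IncludeClassicAdministrators |
        Where-Object { $_.RoleDefinitionName -eq 'CoAdministrator' -and
                       ($_.SignInName -eq $guest.UserPrincipalName -or $_.SignInName -eq $GuestMail) } |
        ForEach-Object { Write-Warning "[$($sub.Name)] Co-Administrator entry for $($_.SignInName); remove it in the portal." }
}

if ($DryRun) {
    Write-Host 'Dry run complete. Set $DryRun = $false and rerun to remove assignments and delete the user.'
    return
}

# Guard: delete the object only when nothing is left, so no orphaned "Identity not found" entries remain.
$left = Get-AzSubscription -TenantId $TenantId | ForEach-Object {
    Set-AzContext -Subscription $_.Id -Tenant $TenantId | Out-Null
    Get-AzRoleAssignment -ObjectId $guest.Id
}
if ($left) { throw 'Role assignments remain (for example at management-group scope); remove them first.' }

Remove-AzADUser -ObjectId $guest.Id
Write-Host "Deleted guest $GuestMail ($($guest.Id)); removed $removed role assignment(s)."
```

Run it once with the dry run on and keep the output: the list of scopes is the evidence of what the guest could reach, which is what an access review or incident write-up will ask for later.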
Troubleshoot
Guest user cannot browse the directory
Guest users have restricted directory permissions. For example, guest users cannot browse the directory and cannot search for groups or applications. For more information, see What are the default user permissions in Microsoft Entra ID?

If a guest user needs additional privileges in the directory, you can assign a Microsoft Entra role to the guest user. If you really want a guest user to have full read access to your directory, you can add the guest user to the Directory Readers role in Microsoft Entra ID. For more information, see Add Microsoft Entra B2B collaboration users in the Azure portal.

Guest user cannot browse users, groups, or service principals to assign roles
Guest users have restricted directory permissions. Even if a guest user is an Owner at a scope, if they try to assign a role to grant someone else access, they cannot browse the list of users, groups, or service principals.

If the guest user knows someone's exact sign-in name in the directory, they can grant access. If you really want a guest user to have full read access to your directory, you can add the guest user to the Directory Readers role in Microsoft Entra ID. For more information, see Add Microsoft Entra B2B collaboration users in the Azure portal.
Guest user cannot register applications or create service principals
Guest users have restricted directory permissions. If a guest user needs to be able to register applications or create service principals, you can add the guest user to the Application Developer role in Microsoft Entra ID. For more information, see Add Microsoft Entra B2B collaboration users in the Azure portal.

Guest user does not see the new directory
If a guest user has been granted access to a directory, but they do not see the new directory listed in the Azure portal when they try to switch in their Directories page, make sure the guest user has completed the invitation process. For more information about the invitation process, see Microsoft Entra B2B collaboration invitation redemption.
Guest user does not see resources
If a guest user has been granted access to a directory, but they do not see the resources they have been granted access to in the Azure portal, make sure the guest user has selected the correct directory. A guest user might have access to multiple directories. To switch directories, in the upper left, click Settings > Directories, and then click the appropriate directory.

- Add Microsoft Entra B2B collaboration users in the Azure portal
- Properties of a Microsoft Entra B2B collaboration user
- The elements of the B2B collaboration invitation email - Microsoft Entra ID