Guest Users

Manage external users invited to collaborate in your Microsoft 365 environment. Guest users can access shared resources while maintaining their own identity from another organization or personal account.

Warning: Guest users represent external access to your tenant. Regularly review guest accounts, remove stale guests, and ensure appropriate access controls are in place.

Guest User List

| Column | Description |
| --- | --- |
| Display Name | Name from guest’s home directory |
| Email | External email address (identity) |
| User Type | Guest (vs Member) |
| Source | Invited user, B2B collaboration, External Azure AD |
| Invitation Status | Pending, Accepted, or N/A |
| Created | When the guest was invited |
| Last Sign-in | Most recent authentication |
| Invited By | User who sent the invitation |

Inviting a Guest

Click “Invite Guest” and configure:

Email Address

Required. The external email address to invite. Can be any email provider (work, personal Gmail, etc.).

Display Name

Optional. Override the display name for this guest in your directory.

Personal Message

Optional. Custom message included in the invitation email.

Redirect URL

Where to send the guest after accepting. Typically a SharePoint site or Teams team.

Send Invitation

Toggle to send email immediately or create the guest silently (for pre-staging).

Guest Identity Types

Azure AD B2B

Guest authenticates with their own Azure AD tenant. Strongest identity verification as they use their organization’s credentials and policies.

Example: partner@contoso.com signs in with Contoso’s Azure AD

Microsoft Account (MSA)

Guest authenticates with a personal Microsoft account. Common for individual consultants or personal email addresses.

Example: consultant@outlook.com, user@gmail.com (with MSA)

One-Time Passcode (OTP)

For guests who don’t have Azure AD or MSA. They receive a one-time code via email each time they sign in.

Example: user@companywithoutazuread.com

Google Federation

If configured, guests with Google Workspace accounts can sign in directly with their Google credentials.

Example: user@company.com (Google Workspace)

Guest Permissions

Guests have limited permissions compared to members by default:

Guests CAN

  • Access shared files and folders
  • Participate in Teams they’re added to
  • View shared calendars
  • Join meetings they’re invited to
  • Read directory info (if allowed)

Guests CANNOT (by default)

  • Enumerate all users in directory
  • Create Teams or SharePoint sites
  • Invite other guests
  • Access admin portals
  • Use Exchange mailbox (no license)

Guest Access Settings

Configure organization-wide guest settings in External Identities:

Guest User Access Restrictions

  • Same as members (least restrictive)
  • Limited to properties of their own objects
  • Most restrictive (minimal directory access)

Guest Invite Restrictions

  • Anyone can invite (including guests)
  • Members and specific admins only
  • Only admins can invite

Collaboration Restrictions

Allow or deny invitations to specific domains. Use an allowlist for partners-only collaboration, or a blocklist to prevent invitations to competitors.

Guest Lifecycle

  1. Invitation Sent — Guest receives email with redemption link
  2. Redemption — Guest clicks link, authenticates, and consents to access
  3. Active — Guest can access resources they’ve been granted
  4. Access Review — Periodic review to confirm guest still needs access
  5. Removal — Guest deleted when no longer needed

Stale Guest Detection

Identify guests who haven’t signed in recently:

  • No sign-in 90+ days — Guests with extended inactivity
  • Never signed in — Guests who never accepted invitations
  • Pending invitations — Outstanding invitations not yet redeemed

Use filters to identify stale guests and bulk-remove them to reduce your attack surface.
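
The three stale categories above can be computed from the objects returned by `GET /users?$filter=userType eq 'Guest'`. The following is an added example, not code from this product; it assumes the Graph user properties `externalUserState` and `signInActivity` were requested with `$select`, and every sample record is constructed.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # the page's "No sign-in 90+ days" threshold

def _parse(ts):
    """Parse a Graph timestamp such as 2024-01-10T08:00:00Z; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def classify_guest(user, now):
    """Return 'pending', 'never_signed_in', 'inactive' or 'active'."""
    if user.get("externalUserState") == "PendingAcceptance":
        return "pending"
    activity = user.get("signInActivity") or {}  # absent or null: no sign-in data
    seen = [t for t in (_parse(activity.get("lastSignInDateTime")),
                        _parse(activity.get("lastNonInteractiveSignInDateTime"))) if t]
    if not seen:
        return "never_signed_in"
    # Take the newer of interactive and non-interactive sign-ins so a guest whose
    # client only refreshes tokens is not reported as inactive.
    return "inactive" if now - max(seen) >= STALE_AFTER else "active"

def stale_guests(users, now=None):
    """Group guest addresses by stale category; members and active guests are skipped."""
    now = now or datetime.now(timezone.utc)
    report = {"pending": [], "never_signed_in": [], "inactive": []}
    for user in users:
        if user.get("userType") != "Guest":
            continue
        status = classify_guest(user, now)
        if status in report:
            report[status].append(user["mail"])
    return report

# Constructed sample records shaped like Graph user objects (not real accounts).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _u(mail, state, last=None, non_interactive=None, user_type="Guest"):
    activity = {"lastSignInDateTime": last, "lastNonInteractiveSignInDateTime": non_interactive}
    return {"mail": mail, "userType": user_type, "externalUserState": state,
            "signInActivity": activity if (last or non_interactive) else None}
SAMPLE_USERS = [
    _u("partner@contoso.com", "Accepted", "2024-05-20T09:00:00Z"),
    _u("consultant@outlook.com", "Accepted", "2024-01-10T08:00:00Z"),
    _u("user@companywithoutazuread.com", "PendingAcceptance"),
    _u("auditor@example.org", "Accepted"),
    _u("vendor@example.net", "Accepted", "2024-01-02T08:00:00Z", "2024-05-25T03:00:00Z"),
    _u("employee@example.com", None, "2023-01-01T08:00:00Z", user_type="Member"),
]
if __name__ == "__main__":
    print(stale_guests(SAMPLE_USERS, SAMPLE_NOW))
```

Review the resulting lists before any bulk removal: a guest in the "never signed in" group may simply have been invited recently.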

Bulk Operations

  • Bulk Invite — Upload CSV with email addresses to invite multiple guests
  • Resend Invitations — Resend to guests who haven’t accepted
  • Bulk Remove — Delete multiple stale guest accounts
  • Export — Download guest list for review

Graph API Endpoints

  • GET /users?$filter=userType eq 'Guest'
  • POST /invitations
  • DELETE /users/{id}
  • GET /users/{id}/signInActivity

API Reference

  • GET /api/identity/users?type=guest — List all guest users
  • POST /api/identity/users/invite — Invite new guest user
  • POST /api/identity/users/:id/resend-invite — Resend invitation email
  • GET /api/identity/users/stale-guests — Get guests with no recent sign-in
  • DELETE /api/identity/users/:id — Remove guest user