Invite Guest User

Invite external users to your Microsoft 365 tenant as guest accounts. Guests can access shared resources like Teams, SharePoint, and OneDrive while maintaining their own identity from another organization or personal account.

Warning: Guest users represent external access to your tenant. Regularly review guest accounts, remove stale guests, and ensure appropriate access controls are in place.

Invitation Details

Click Invite Guest and configure the following fields:

| Field | Required | Description |
| --- | --- | --- |
| Email Address | Yes | The external email address to invite (work, personal Gmail, etc.) |
| Display Name | No | Override the display name for this guest in your directory |
| Personal Message | No | Custom message included in the invitation email |
| Redirect URL | No | Where to send the guest after accepting (e.g., a SharePoint site or Teams team) |
| Send Invitation | | Toggle to send email immediately or create the guest silently for pre-staging |

Guest Identity Types

Guests authenticate using one of several identity methods depending on their account type:

Azure AD B2B

Guest authenticates with their own Azure AD tenant. Strongest identity verification as they use their organization’s credentials and policies.

Example: partner@contoso.com signs in with Contoso’s Azure AD

Microsoft Account (MSA)

Guest authenticates with a personal Microsoft account. Common for individual consultants or personal email addresses.

Example: consultant@outlook.com, user@gmail.com (with MSA)

One-Time Passcode (OTP)

For guests who do not have Azure AD or MSA. They receive a one-time code via email each time they sign in.

Example: user@companywithoutazuread.com

Google Federation

If configured, guests with Google Workspace accounts can sign in directly with their Google credentials.

Example: user@company.com (Google Workspace)

Guest Lifecycle

The guest user lifecycle follows these stages:

  1. Invitation Sent — Guest receives email with redemption link
  2. Redemption — Guest clicks link, authenticates, and consents to access
  3. Active — Guest can access resources they have been granted
  4. Access Review — Periodic review to confirm guest still needs access
  5. Removal — Guest deleted when no longer needed

Guest Permissions

Guests have limited permissions compared to members by default:

Guests CAN

  • Access shared files and folders
  • Participate in Teams they are added to
  • View shared calendars
  • Join meetings they are invited to
  • Read directory info (if allowed)

Guests CANNOT (by default)

  • Enumerate all users in directory
  • Create Teams or SharePoint sites
  • Invite other guests
  • Access admin portals
  • Use Exchange mailbox (no license)

Guest Access Settings

Configure organization-wide guest settings in External Identities:

Guest User Access Restrictions

  • Same as members (least restrictive)
  • Limited to properties of their own objects
  • Most restrictive (minimal directory access)

Guest Invite Restrictions

  • Anyone can invite (including guests)
  • Members and specific admins only
  • Only admins can invite

Collaboration Restrictions

Allow or deny invitations to specific domains. Use an allowlist for partners-only access or a blocklist to prevent invitations to competitors.
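
The following added example (not part of this product's code) shows a pre-flight domain check applied before building the body for Graph's `POST /invitations`, mapping the Invitation Details fields to the Graph invitation properties. The function names, the exact-match domain semantics, and the default redirect URL are assumptions made for illustration; the sample addresses are constructed.

```python
DEFAULT_REDIRECT = "https://myapplications.microsoft.com"  # assumed default landing page

def email_domain(address):
    """Return the lowercased domain of an address with exactly one '@'."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a usable invitation address: {address!r}")
    return domain.lower().rstrip(".")

def invite_permitted(address, mode, domains):
    """mode='allow': only listed domains pass; mode='deny': listed domains fail."""
    if mode not in ("allow", "deny"):
        raise ValueError("mode must be 'allow' or 'deny'")
    # Assumption: exact match on the full domain, so subdomains are not implied.
    listed = email_domain(address) in {d.lower().rstrip(".") for d in domains}
    return listed if mode == "allow" else not listed

def build_invitation(address, mode, domains, display_name=None,
                     message=None, redirect_url=DEFAULT_REDIRECT, send=True):
    """Build the JSON body for POST /invitations, or raise if policy forbids it."""
    if not invite_permitted(address, mode, domains):
        raise PermissionError(f"domain policy blocks invitation to {address!r}")
    body = {
        "invitedUserEmailAddress": address.strip(),
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send,  # False pre-stages the guest silently
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body

if __name__ == "__main__":
    allow = ["partner.example"]  # constructed allowlist
    print(build_invitation("Ana@Partner.Example", "allow", allow,
                           display_name="Ana (Partner)"))
    # Lookalike suffix and double-'@' addresses must not slip past the allowlist.
    for bad in ("x@partner.example.unknown.test", "x@unknown.test@partner.example"):
        try:
            build_invitation(bad, "allow", allow)
        except (PermissionError, ValueError) as exc:
            print("rejected:", exc)
```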

Guest User List Columns

| Column | Description |
| --- | --- |
| Display Name | Name from guest’s home directory |
| Email | External email address (identity) |
| User Type | Guest (vs Member) |
| Source | Invited user, B2B collaboration, External Azure AD |
| Invitation Status | Pending, Accepted, or N/A |
| Created | When the guest was invited |
| Last Sign-in | Most recent authentication |
| Invited By | User who sent the invitation |

Stale Guest Detection

Identify guests who have not signed in recently:

| Metric | Description |
| --- | --- |
| No sign-in 90+ days | Guests inactive for over 3 months |
| Never signed in | Guests who accepted but never authenticated |
| Pending invitations | Invitations that have not been redeemed |

Use filters to identify stale guests and bulk-remove them to reduce your attack surface.
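
As an added example (not this product's implementation), the three stale-guest metrics above can be computed from exported guest records like this. The records are constructed samples that use the Microsoft Graph user property names `userType`, `externalUserState` and `signInActivity.lastSignInDateTime`; the function and bucket names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # the page's "No sign-in 90+ days" metric

# Constructed sample records using Microsoft Graph user property names.
SAMPLE_USERS = [
    {"mail": "active@partner.example", "userType": "Guest",
     "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2025-05-20T08:15:00Z"}},
    {"mail": "dormant@partner.example", "userType": "Guest",
     "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2025-01-15T10:00:00Z"}},
    {"mail": "ghost@vendor.example", "userType": "Guest",
     "externalUserState": "Accepted", "signInActivity": None},
    {"mail": "invited@vendor.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance"},
    {"mail": "employee@tenant.example", "userType": "Member",
     "signInActivity": {"lastSignInDateTime": "2024-01-01T00:00:00Z"}},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-05-20T08:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def classify_guest(user, now):
    """Return the stale-guest bucket for one record, or None for non-guests."""
    if user.get("userType") != "Guest":
        return None
    if user.get("externalUserState") == "PendingAcceptance":
        return "pending_invitation"
    last = parse_ts((user.get("signInActivity") or {}).get("lastSignInDateTime"))
    if last is None:
        return "never_signed_in"  # accepted, but no sign-in on record
    return "inactive_90d" if now - last >= STALE_AFTER else "active"

def stale_report(users, now):
    """Group guest addresses by bucket; 'active' guests are left out."""
    report = {"pending_invitation": [], "never_signed_in": [], "inactive_90d": []}
    for user in users:
        bucket = classify_guest(user, now)
        if bucket in report:
            report[bucket].append(user["mail"])
    return report

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
    for bucket, addresses in stale_report(SAMPLE_USERS, now).items():
        print(f"{bucket}: {', '.join(addresses) or '-'}")
```

Checking pending invitations before the sign-in timestamp keeps unredeemed invitations out of the "never signed in" bucket, since neither has a sign-in on record.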

Bulk Operations

  • Bulk Invite — Upload CSV with email addresses to invite multiple guests
  • Resend Invitations — Resend to guests who have not accepted
  • Bulk Remove — Delete multiple stale guest accounts
  • Export — Download guest list for review

Best Practices

  • Review guest accounts quarterly and remove stale entries
  • Use the most restrictive guest access settings appropriate for your organization
  • Require MFA for guest sign-ins via Conditional Access policies
  • Use domain allowlists to restrict guest invitations to known partner organizations
  • Set up access reviews in Azure AD to automate guest lifecycle management

Graph API Endpoints

  • GET /users?$filter=userType eq 'Guest' — List guest users
  • POST /invitations — Send guest invitation
  • DELETE /users/[id] — Remove guest user
  • GET /users/[id]/signInActivity — Check guest sign-in activity

API Reference

  • GET /api/identity/users?type=guest — List all guest users
  • POST /api/identity/users/invite — Invite new guest user
  • POST /api/identity/users/:id/resend-invite — Resend invitation email
  • GET /api/identity/users/stale-guests — Get guests with no recent sign-in
  • DELETE /api/identity/users/:id — Remove guest user