When a user is added to Azure AD, they are automatically assigned a default permission set. Which set they get depends on where the user originates. There are two options: a user from your own organization (the same tenant), called a member user, or a user invited from another organization through B2B collaboration, known as a guest user.
Although the rights assigned to a guest user are already considerably more restricted than those of a member user, a guest can still gain insight into many details, such as other users, groups and group memberships. Depending on the content of Azure AD, this can disclose information that you would prefer to keep within your own organization.
As a solution to this, an option has been added in the “Guest user access restrictions” section of the “External collaboration settings” of Azure AD regarding the rights of guest users: “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)”. This makes it possible to further limit the default rights of a guest user. There are no licensing requirements for using this feature.
When access for guest users is restricted, they can view only their own user profile. Viewing other users is not allowed even if the guest searches by User Principal Name or objectId. Restricted access also prevents guest users from seeing the membership of the groups they are in. For an overview of all standard permissions, see the table below.
| Area | Member user permissions | Default guest user permissions | Restricted guest user permissions |
|---|---|---|---|
| Users and contacts | Read all public properties of users and contacts; Invite guests; Change own password; Manage own mobile phone number; Manage own photo; Invalidate own refresh tokens | Read own properties; Read display name, email, sign-in name, photo, user principal name, and user type properties of other users and contacts; Change own password; Search for another user by Display Name, User Principal Name or ObjectId (if allowed); Read manager and direct report information of other users | Read own properties; Change own password |
| Groups | Create security groups; Create Microsoft 365 groups; Read all properties of groups; Read non-hidden group memberships; Read hidden Microsoft 365 group memberships for joined groups; Manage properties, ownership, and membership of groups the user owns; Add guests to owned groups; Manage dynamic membership settings; Delete owned groups; Restore owned Microsoft 365 groups | Read properties of all non-hidden groups, including membership and ownership (even non-joined groups); Read hidden Microsoft 365 group memberships for joined groups; Search for groups by Display Name or ObjectId (if allowed) | No permissions |
| Applications | Register (create) new application; Read properties of registered and enterprise applications; Manage application properties, assignments, and credentials for owned applications; Create or delete application password for user; Delete owned applications; Restore owned applications | Read properties of registered and enterprise applications | Read properties of registered and enterprise applications |
| Devices | Read all properties of devices; Manage all properties of owned devices | No permissions | No permissions |
| Directory | Read all company information; Read all domains; Read all partner contracts | Read display name and verified domains | Read display name and verified domains |
| Roles and Scopes | Read all administrative roles and memberships; Read all properties and membership of administrative units | No permissions | No permissions |
| Subscriptions | Read all subscriptions; Enable Service Plan Member | No permissions | No permissions |
| Policies | Read all properties of policies; Manage all properties of owned policy | No permissions | No permissions |
To change the default permissions for guest users, follow the steps below.
Please note that in order to configure the external collaboration settings you must be in the Global Administrator role.
- Open Azure Active Directory
- Click on “User Settings” in the left pane
- On the newly opened “User settings” blade click on “Manage external collaboration settings”
- Select the most restrictive (3rd option) from the guest user access options
You can also use the AzureAD module for PowerShell to configure this setting for all of your guest users by changing the GuestUserRoleId property of the Azure AD authorization policy. To do this, execute:

```powershell
Connect-AzureAD   # Log in to your tenant
Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
```
To verify the current GuestUserRoleID of the Azure AD authorization policy, execute:
The GUID identifier for each of the 3 permissions levels is the following:
- a0b1b346-4d3e-4e8b-98f8-753987be4970 (Same access as member users)
- 10dae51f-b6af-4016-8d66-8c2a99b929b3 (Default Guest Permissions)
- 2af84b1e-32c8-42b7-82bc-daa82404023b (Restricted Guest User Permissions)
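The following script is an added example and not part of the original post. It reads the tenant's authorization policy with `Get-AzureADMSAuthorizationPolicy`, translates the `GuestUserRoleId` into one of the three levels listed above, and only applies the restricted level when it is not already in place. The function names `Get-GuestAccessLevel` and `Set-RestrictedGuestAccess` are assumptions introduced here; the cmdlets and GUIDs are those the post uses. It assumes the AzureAD module is installed and that the signed-in account holds the Global Administrator role.

```powershell
# Added example (not from the original post): report the current guest user
# access level and, on request, tighten it to the most restrictive setting.
# Assumes the AzureAD PowerShell module and a Global Administrator account.

# GUIDs for the three guest access levels, as listed in the post.
$GuestAccessLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as member users'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Default guest permissions'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted guest user permissions'
}
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Get-GuestAccessLevel {
    # Hypothetical helper: reads the authorization policy and maps
    # GuestUserRoleId to a human-readable level name.
    $policy = Get-AzureADMSAuthorizationPolicy
    $roleId = [string]$policy.GuestUserRoleId
    $name   = $GuestAccessLevels[$roleId]
    if (-not $name) { $name = 'Unknown (not one of the three documented levels)' }
    [pscustomobject]@{
        GuestUserRoleId = $roleId
        Level           = $name
        IsRestricted    = ($roleId -eq $RestrictedGuestRoleId)
    }
}

function Set-RestrictedGuestAccess {
    # Hypothetical helper: applies the most restrictive level, but only
    # when -Force is given and the tenant is not already restricted.
    param([switch]$Force)
    $current = Get-GuestAccessLevel
    if ($current.IsRestricted) {
        Write-Host 'Guest access is already restricted; nothing to change.'
        return $current
    }
    Write-Host "Current level: $($current.Level) ($($current.GuestUserRoleId))"
    if (-not $Force) {
        Write-Host 'Re-run with -Force to apply the restricted level.'
        return $current
    }
    Set-AzureADMSAuthorizationPolicy -GuestUserRoleId $RestrictedGuestRoleId
    # Read the policy back so the caller sees the value actually stored.
    Get-GuestAccessLevel
}

Connect-AzureAD
Get-GuestAccessLevel | Format-List
# Set-RestrictedGuestAccess -Force
```

Reading the policy back after the change, rather than trusting the `Set-` call, is what makes this usable as a periodic compliance check: scheduling `Get-GuestAccessLevel` and alerting when `IsRestricted` flips to false catches an administrator relaxing the setting later. The AzureAD module has since been retired by Microsoft; the Microsoft Graph PowerShell SDK exposes the same `GuestUserRoleId` property through `Get-MgPolicyAuthorizationPolicy` and `Update-MgPolicyAuthorizationPolicy`, and the GUIDs above are unchanged.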
For more information about restricting guest access permissions in Azure Active Directory see the following documentation:
For more information about the default user permissions within Azure Active Directory check out the following page: