0 votes

Let me start with my question's background, then ask the question:

Scenario:

  • Users are standard users in Azure AD - not B2B or B2C, just normal users
  • The account is set to be a "Guest" account through Set-AzureADUser -UserType Guest

Justification:

  • Setting a user as a Guest enables setting the options on a tenant to restrict access to information about other users, for example:

[Screenshot: the tenant settings for Guest users, such as restricting access to the properties and membership information of other users]

  • As a software developer, you have a tenant for your customers, but you can't use B2B or B2C because some Azure services don't support them or you need capabilities such as On-Behalf-Of that those offerings don't have today

Question:

What are the other implications of setting the UserType flag to Guest besides offering the information restriction options and invite options shown earlier?

I believe that my answer is at https://docs.microsoft.com/en-us/azure/active-directory/external-identities/user-properties where it reads in a note:

The UserType has no relation to how the user signs in, the directory role of the user, and so on. This property simply indicates the user's relationship to the host organization and allows the organization to enforce policies that depend on this property.

which means that ultimately there are no other impacts, but I would like some validation that I'm understanding that note correctly.


2 Answers

1 vote

Your understanding is right. There is no difference except for the relationship with the host organization. You can even add a guest user to any role and even remove the default guest user restrictions in the directory to give a user the same privileges as members. It's possible to turn off the default limitations so that a guest user in the company directory has the same permissions as a member user.
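As an added example that is not part of the question or this answer, the following AzureAD PowerShell script walks through the point both make: `Set-AzureADUser -UserType Guest` changes only the account's relationship to the tenant, while the guest restrictions live in a tenant-wide authorization policy and directory role membership is untouched. It assumes the AzureAD and AzureADPreview modules are installed, that `Connect-AzureAD` has already been run with sufficient rights, and that `$TargetUpn` is a placeholder you replace with a real user.

```powershell
# Added example (not from the question or answers): audit UserType and the
# tenant-wide guest restriction setting with the AzureAD / AzureADPreview modules.
# Assumes Connect-AzureAD has been run by an account with directory read rights
# (User Administrator for the Set-* call). $TargetUpn is a placeholder.
Import-Module AzureADPreview   # Get-/Set-AzureADMSAuthorizationPolicy live here

$TargetUpn = 'user@contoso.example'   # placeholder UPN, replace before running

# 1. Count Member vs Guest accounts (the -Filter value is OData syntax).
$members = Get-AzureADUser -All $true -Filter "userType eq 'Member'"
$guests  = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"
"Members: $($members.Count)  Guests: $($guests.Count)"

# 2. Record the user's state before changing anything.
$user = Get-AzureADUser -ObjectId $TargetUpn
$user | Select-Object UserPrincipalName, UserType, AccountEnabled, CreationType

# 3. Flip the relationship to the tenant. Only UserType changes; sign-in method,
#    directory roles and licences are unaffected, as the docs note quoted above says.
Set-AzureADUser -ObjectId $user.ObjectId -UserType Guest

# 4. The restrictions the question wants are a tenant-wide policy, not a user
#    property. GuestUserRoleId selects limited / restricted / same-as-member access.
$policy = Get-AzureADMSAuthorizationPolicy
$policy | Select-Object GuestUserRoleId, AllowInvitesFrom, BlockMsolPowerShell

# 5. Because UserType does not touch role assignments, list every Guest that still
#    holds a directory role; each of these deserves a review after conversion.
Get-AzureADDirectoryRole | ForEach-Object {
    $role = $_
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.UserType -eq 'Guest' } |
        Select-Object @{ n = 'Role'; e = { $role.DisplayName } }, UserPrincipalName, UserType
}
```

Step 5 is the check worth keeping in a scheduled job: converting accounts to Guest does not remove any privileged role they already hold, so the conversion alone does not reduce their effective rights.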

0 votes

If you convert a member account to a guest account, or convert a guest account to a member account, will it have implications for the account? I think it does. These impacts are not limited to the access rights to the resources of the AD organization, but are specific to the account type itself.

To give a very simple example: you can use application permissions to add member accounts to a team, but if you want to add guest accounts, you must use delegated permissions with an administrator login. Even if you set "Guest users have the same access as members (most inclusive)" in the Azure portal, this is still the case.

Therefore, I think some operations involving account types will definitely have an impact.