Internal Guests Accounts cause many problems in Teams and Sharepoint

Arne Brödel 11 Reputation points
2024-11-13T23:25:20.93+00:00

Hello Community,

On the Microsoft documentation website, Microsoft describes four possible combinations of authentication (internal vs. external) and UserType (Member vs. Guest). For my use case, the best matching combination seems to be "Internal Guest," but I am encountering several problems with it.

I am an educator offering online courses for health professionals. Unfortunately, my company does not qualify for an Education license. I utilize Microsoft Teams for webinars, as well as for chat and collaboration among students. Additionally, I use SharePoint and Microsoft Stream for asynchronous learning.

Many of my students do not regularly use a PC and often have only basic IT skills. It is crucial that accessing Teams and the resources in my tenant is as straightforward as possible to avoid frustration and reduce the need for support. Every additional click or switch between apps, browsers, or email clients can become a significant hurdle.

For years, I used an automated flow in Power Automate that took new students' data from a spreadsheet and created accounts for each student in my tenant, including a UPN and an initial password. An individual email was then sent to each student with instructions on how to log in using the account I created for them. This authentication method, where accounts are created within my tenant, is classified as "Internal."

However, my students do not need full access to the organization, a working email address in my tenant, or personal storage space. Therefore, they do not need to be Members but fit the typical criteria for Guests. This is why "Internal Guest" seemed like the right choice.

Microsoft does not outline any restrictions between "Internal Guests" and "External Guests," aside from the authentication provider. Despite this, I have been facing multiple issues that seem to be worsening:

A few years ago, I could no longer add "Internal Guests" to a Team via the Teams UI. When I type the user's name, the search box finds them, but clicking to add results in an error stating the email is incorrect.

I found a workaround by adding users to the corresponding group in Azure AD, which then added them to the Team without issues. It appears that Teams is misclassifying the UserType and authentication method, treating all Guests as External.

Workaround Stopped Functioning:

About two months ago, the workaround stopped working. Users were still added to the group in Entra ID but did not appear in Teams.

I discovered that changing the UserType to "Member" allowed them to appear in the Team. After adding them, reverting the UserType back to "Guest" kept them in the Team and functional. This indicates an error in identifying "Internal Guests."

Recently, internal guests began encountering errors when accessing SharePoint content shared with "everyone in my organization." Previously, internal guests were treated as part of the organization, but now they receive errors stating that the content is only accessible to internals, despite being internal guests.

These issues suggest that Microsoft is confusing the terminology between external and internal guests, leading to errors.

Given that these problems persist and seem to be worsening—and considering that support has been unable to assist me effectively—I fear I may need to seek an alternative solution. It appears Microsoft expects me to use External Guests in a B2B scenario, which seems more complicated and harder to standardize.

Challenges with External Guests:

The standard invitation appears unattractive, confusing, and untrustworthy to me.

Students must authenticate using personal accounts from Google, Facebook, or Microsoft, which some are hesitant to use.

If they don’t have such accounts, they are forced to create a personal Microsoft account, requiring extensive data entry and multiple clicks, making the process more frustrating than using a pre-created account with a provided UPN and password.

I highly value using Microsoft 365 for my students, but proper onboarding and login are essential. I am frustrated that Microsoft is pushing a complicated External Guest invitation process instead of supporting the straightforward Internal Guest solution.

I don’t understand why these errors for Internal Guests aren’t being addressed. Am I missing something? Is there a modern and supported alternative that is as easy for me as the admin and for the students as creating accounts through a flow and sending UPNs and passwords? Is there any chance to get the Internal Guest configuration working properly again?

I appreciate any insights or solutions the community can offer.

Thank you!
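The four authentication/UserType combinations from the question can be audited directly from the tenant. The following Microsoft Graph PowerShell script is an added example, not part of the original post: it classifies every user as Internal/External plus Member/Guest (using the sign-in types of the user's identities and ExternalUserState as a heuristic, an assumption stated in the comments) and includes a `Set-InternalGuest` helper for the Member-to-Guest switch the question describes. It assumes the Microsoft.Graph SDK is installed and User.Read.All / User.ReadWrite.All consent has been granted.

```powershell
# Added example: classify tenant accounts into Internal/External x Member/Guest.
Connect-MgGraph -Scopes "User.Read.All","User.ReadWrite.All" -NoWelcome

function Get-UserAuthClass {
    param([Parameter(Mandatory)] $User)
    # Heuristic (assumption): an account whose identities are all of
    # signInType 'userPrincipalName' was created in this tenant ("Internal").
    # 'federated' or 'emailAddress' identities come from an outside provider,
    # and B2B invitees also carry ExternalUserState ("External").
    $externalIdentity = @($User.Identities | Where-Object { $_.SignInType -ne 'userPrincipalName' }).Count -gt 0
    $invited          = -not [string]::IsNullOrEmpty($User.ExternalUserState)
    $auth = if ($externalIdentity -or $invited) { 'External' } else { 'Internal' }
    return "$auth $($User.UserType)"   # e.g. "Internal Guest"
}

function Get-UserAuthReport {
    $users = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,UserType,Identities,ExternalUserState
    foreach ($u in $users) {
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            Class             = Get-UserAuthClass -User $u
        }
    }
}

# Convert a tenant-created account to an Internal Guest. Only UserType changes;
# the account still authenticates with its tenant UPN and password.
function Set-InternalGuest {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set UserType=Guest")) {
        Update-MgUser -UserId $UserPrincipalName -UserType "Guest"
    }
}

$report = Get-UserAuthReport
$report | Group-Object Class | Select-Object Name, Count | Format-Table
$report | Where-Object Class -eq 'Internal Guest' | Format-Table -AutoSize

# Dry run of the conversion for a constructed sample UPN (placeholder):
Set-InternalGuest -UserPrincipalName "student01@contoso.example" -WhatIf
```

Internal guests keep the Guest-level directory restrictions, so a Class of "Internal Guest" that fails to appear in a Team points at the Teams/SharePoint classification problem in the question rather than at the account itself.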


2 answers

  1. JimmyYang-MSFT 54,156 Reputation points Microsoft Vendor
    2024-11-14T08:25:05.1966667+00:00

    @Arne Brödel

    Here are a few insights and suggestions that might help you navigate these issues:

    1. Internal vs. External Guests

    • Internal Guests: These are typically users within your organization's Azure AD tenant but are marked as guests. This classification should ideally provide a seamless experience similar to internal users.
    • External Guests: These are users external to your tenant, managed as B2B collaboration users. External guests need to authenticate using their own identity provider (such as Google, Microsoft, etc.). Given the issues you’re encountering with Internal Guests, it seems Microsoft’s recent changes may indeed be causing confusion in how these users are classified and managed.

    2. Possible Solutions and Workarounds

    Using B2B External Guests

    While you mentioned concerns with the external guest process, you might consider optimizing the B2B experience:

    • Create a Custom Invitation Process: You can customize the invitation email to make it more appealing and clear. This can be done using Power Automate or other tools to send more friendly and detailed invitations.
    • Simplify Account Creation: If students don’t have the required external accounts, provide clear step-by-step guides for creating a Microsoft account, reducing the perceived complexity.

    Leveraging Azure AD B2C

    Azure AD B2C is designed for scenarios where external users need to access your applications. It supports custom branding and user flows, which might help streamline the onboarding process for your students. However, it might require more setup and management than your current process.

    • Custom Branding: You can set up custom branding for the sign-up and sign-in experiences.
    • User Flows: Create user flows that guide the students through the sign-up and sign-in process in a more user-friendly manner.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
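The "Custom Invitation Process" suggested above can be driven from Microsoft Graph rather than the standard invitation email. This is an added example, not code from the answer or from Microsoft: it sends a B2B invitation with a customized message body and a redirect to the Teams/SharePoint site, assuming User.Invite.All consent and the Microsoft.Graph SDK; the email address, redirect URL and message are constructed placeholders.

```powershell
# Added example: invite an external guest with a friendlier, custom message.
Connect-MgGraph -Scopes "User.Invite.All" -NoWelcome

function Invite-StudentGuest {
    param(
        [Parameter(Mandatory)][string] $Email,
        [Parameter(Mandatory)][string] $DisplayName,
        # Placeholder redirect; point this at the course Team or SharePoint site.
        [string] $RedirectUrl = "https://teams.microsoft.com/"
    )
    $params = @{
        InvitedUserEmailAddress = $Email
        InvitedUserDisplayName  = $DisplayName
        InviteRedirectUrl       = $RedirectUrl
        InvitedUserType         = "Guest"
        SendInvitationMessage   = $true
        InvitedUserMessageInfo  = @{
            MessageLanguage       = "en-US"
            CustomizedMessageBody = "Welcome to the course. Click the link below and sign in with the account you already use for email; no new password is needed."
        }
    }
    # Returns the invitation object, including InviteRedeemUrl and the created user's Id.
    New-MgInvitation -BodyParameter $params
}

# Constructed sample invocation (placeholder address):
$inv = Invite-StudentGuest -Email "student01@example.com" -DisplayName "Student One"
$inv | Select-Object InvitedUserEmailAddress, Status, InviteRedeemUrl | Format-List
```

The redemption link can be embedded in your own onboarding email from Power Automate if the standard invitation message still does not fit; the guest's authentication stays with their external provider either way.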



  2. Navya 13,050 Reputation points Microsoft Vendor
    2024-11-18T20:11:08.1066667+00:00

    Hi @Arne Brödel

    Thank you for posting this in Microsoft Q&A.

    Adding to the above information provided by JimmyYang-MSFT

    We have an option called self-service sign-up user flows that allow users to sign up for an app and create a new guest account. You can only use Microsoft Entra or Azure B2C user flows with applications built by your organization. User flows can't be used for Microsoft apps like SharePoint or Teams.

    Yes, I agree with your choice: instead of selecting members, you should go with guests. I would like to mention that we have an option called 'Restrict access to Microsoft Entra admin center.' You can restrict your tenant users from utilizing resources in your Entra.

    Even though you selected the 'Everyone in my organization' option, your guest users are not able to access SharePoint. It seems the issue occurred when you converted member accounts to guest accounts. Can you please check the guest user permissions on your SharePoint? It appears that the guest users have not been added to the SharePoint site.

    For more information: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/administration/access-denied-or-need-permission-error-sharepoint-online-or-onedrive-for-business

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

