For security reasons, administrators will want to restrict what guest users can see in their organization's Microsoft Entra ID. While member users get a full set of user permissions, guest users are set to a limited permission level by default. You can also use the guest user permissions level in Microsoft Entra's external collaboration settings to restrict access even further. The guest user access levels are:
Permission level | Access level | Value |
---|---|---|
Same as member users | Guests have the same access to the resources as member users | a0b1b346-4d3e-4e8b-98f8-753987be4970 |
Limited access (default) | Guests can see membership of all the non-hidden groups | 10dae51f-b6af-4016-8d66-8c2a99b929b3 |
Restricted access | Guests cannot see membership of any group | 2af84b1e-32c8-42b7-82bc-daa82404023b |
When guest access is restricted, guests can view only their own profile. Even if a guest searches for other users by User Principal Name or object ID, they still cannot view other users.
Steps to update guest user access permissions in Microsoft Entra ID:
You can also use the Microsoft Graph API to configure guest permissions. The API calls below assign a permission level. The guestUserRoleId value sets the permission level (refer to the table above).
To configure it for the first time:
```http
POST https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy

{ "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b" }
```
To update the existing value:
```http
PATCH https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy

{ "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b" }
```
To view the current value:
```http
GET https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
```
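The following is an added example, not code from ManageEngine or Microsoft: an offline check that reads the JSON returned by the GET call above, maps guestUserRoleId to the levels in the table, and prepares the PATCH request from this page when the tenant is not at the required level. The function name, the sample responses and the handling of a `value` wrapper are assumptions made for illustration.

```python
import json

# Role IDs and level names taken from the table on this page.
GUEST_LEVELS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "Same as member users",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "Limited access (default)",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "Restricted access",
}
RESTRICTED = "2af84b1e-32c8-42b7-82bc-daa82404023b"
POLICY_URL = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"


def audit_guest_access(response_text, required=RESTRICTED):
    """Compare the policy's guestUserRoleId with the required level.

    Returns a finding dict; 'remediation' holds the PATCH request from this
    page when the policy is not at the required level, otherwise None.
    """
    doc = json.loads(response_text)
    # Assumption: an export may wrap the policy in a {"value": [...]} collection.
    if isinstance(doc.get("value"), list):
        if not doc["value"]:
            raise ValueError("empty policy collection")
        doc = doc["value"][0]
    raw = doc.get("guestUserRoleId")
    if not raw:
        raise ValueError("guestUserRoleId missing from policy")
    # GUIDs compare case-insensitively; some tools add braces.
    role_id = str(raw).strip().strip("{}").lower()
    finding = {
        "guestUserRoleId": role_id,
        "level": GUEST_LEVELS.get(role_id, "Unknown role ID"),
        "compliant": role_id == required,
        "remediation": None,
    }
    if not finding["compliant"]:
        finding["remediation"] = {
            "method": "PATCH",
            "url": POLICY_URL,
            "body": json.dumps({"guestUserRoleId": required}),
        }
    return finding


# Constructed sample responses (not captured from a real tenant).
SAMPLE_DEFAULT = '{"id": "authorizationPolicy", "guestUserRoleId": "10DAE51F-B6AF-4016-8D66-8C2A99B929B3"}'
SAMPLE_RESTRICTED = '{"value": [{"guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"}]}'

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_RESTRICTED):
        print(json.dumps(audit_guest_access(sample), indent=2))
```

An unrecognized role ID is reported as non-compliant rather than ignored, so a value outside the three documented levels still surfaces in the audit.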
You can also use PowerShell to configure the restricted permissions.
Get command: Get-MgPolicyAuthorizationPolicy
```powershell
Get-MgPolicyAuthorizationPolicy | Format-List
```
Update command: Update-MgPolicyAuthorizationPolicy
```powershell
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
```
Microsoft 365 services that support guest restriction setting:
ManageEngine M365 Manager Plus is a Microsoft 365 reporting, auditing, management and monitoring tool. With M365 Manager Plus, you can:
Manage users, guest users, contacts, and groups in bulk.