How to restrict guest access permissions in Microsoft Entra ID (formerly Azure Active Directory)

For security reasons, administrators often want to restrict what guest users can see in their organization's Microsoft Entra ID. Member users get the full set of user permissions, while guest users are set to a limited permission level by default. You can restrict guest access even further with the guest user permissions level in Microsoft Entra's external collaboration settings. The guest user access levels are:

| Permission level | Access level | Value |
| --- | --- | --- |
| Same as member users | Guests have the same access to the resources as member users | a0b1b346-4d3e-4e8b-98f8-753987be4970 |
| Limited access (default) | Guests can see membership of all the non-hidden groups | 10dae51f-b6af-4016-8d66-8c2a99b929b3 |
| Restricted access | Guests cannot see membership of any group | 2af84b1e-32c8-42b7-82bc-daa82404023b |

When guest access is restricted, guests can view only their own profile. Even if a guest searches for other users by User Principal Name or object ID, they still cannot view those users.

Steps to update guest user access permissions in Microsoft Entra ID:

  1. Sign in to Microsoft Entra ID as at least a Global Administrator.
  2. Select Users > All Users > External Users. Then select Manage external collaboration settings.
  3. Select the Guest user access is restricted to properties and memberships of their own directory objects option.
  4. Select Save. The changes might take up to 15 minutes to take effect.

You can also use the Microsoft Graph API to configure guest permissions. The API calls below assign a permission level. The guestUserRoleId value identifies the permission setting (refer to the table above).

To configure it for the first time:

POST https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
{
  "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
}

To update the existing value:

PATCH https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
{
  "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
}

To view the current value:

GET https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy

You can also use PowerShell to configure the restricted permissions.

Get command: Get-MgPolicyAuthorizationPolicy

Get-MgPolicyAuthorizationPolicy | Format-List

Update command: Update-MgPolicyAuthorizationPolicy

Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
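
The two cmdlets above can be combined into a check that reports the current guest access level and changes it only when it is not already restricted. This is an added example, not part of the original article or of M365 Manager Plus; the function names `Get-GuestAccessFinding` and `Set-GuestAccessRestricted` are hypothetical, and the `Connect-MgGraph` scopes shown are an assumption based on the Microsoft Graph permissions for this policy.

```powershell
# Added example: audit the tenant's guest access level and tighten it if needed.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

$GuestRoleLevels = @{   # values from the table above; hashtable keys match case-insensitively
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as member users'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access'
}
$RestrictedId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Get-GuestAccessFinding {
    # Classifies a policy object; takes the object as input so it can be tested offline.
    param([Parameter(Mandatory)] $Policy)
    $id = [string]$Policy.GuestUserRoleId
    $level = $GuestRoleLevels[$id]
    if (-not $level) { $level = 'Unknown value' }
    [pscustomobject]@{
        GuestUserRoleId = $id
        Level           = $level
        Compliant       = ($id -eq $RestrictedId)
    }
}

function Set-GuestAccessRestricted {
    # Idempotent: updates the policy only when it is not already restricted.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-GuestAccessFinding -Policy (Get-MgPolicyAuthorizationPolicy)
    if ($before.Compliant) { return $before }
    if ($PSCmdlet.ShouldProcess('authorizationPolicy', "Set guestUserRoleId to $RestrictedId")) {
        Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $RestrictedId
        # The stored value changes now; enforcement might take up to 15 minutes.
        return Get-GuestAccessFinding -Policy (Get-MgPolicyAuthorizationPolicy)
    }
    $before
}

# Offline check against a constructed policy object (no tenant needed):
Get-GuestAccessFinding -Policy ([pscustomobject]@{ GuestUserRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3' })

# Against a live tenant (scopes are an assumption, see the note above):
# Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.Authorization'
# Set-GuestAccessRestricted -WhatIf   # report what would change
# Set-GuestAccessRestricted           # apply the restricted level
```

An 'Unknown value' result means the policy holds a guestUserRoleId that is not one of the three levels listed in the table, which is worth investigating before overwriting it.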


Microsoft 365 services that support the guest restriction setting:

  • Teams
  • Outlook (OWA)
  • SharePoint
  • Planner in Teams
  • Planner mobile app
  • Planner web app
  • Project for the web
  • Project Operations

About M365 Manager Plus

ManageEngine M365 Manager Plus is a Microsoft 365 reporting, auditing, management and monitoring tool. With M365 Manager Plus, you can:

  • Enhance your comprehension of Microsoft services using user-friendly reports, easily scheduled, exported, and emailed from a unified console.
  • Track all user and admin activities within your Microsoft 365 environment through detailed audit reports.
  • Efficiently manage tasks such as bulk user creation, deletion, and password resets, and automate them for time and labor savings.
  • Empower technicians with delegated tasks without requiring elevated native privileges.
  • Ensure constant monitoring of your organization's health and performance around the clock.
  • Reduce the administrator workload by delegating custom roles to help desk technicians.
