External guest user of google domain shows access denied after domain logic

Question

Hi Team,

Please find below when google domain user try to access files as external guest user. Verified all guest sharing is enabled , verified it works with other domain users.

If this problem persists, contact your support team and include these technical details:

Correlation ID: [Moderator note: personal info removed]

Date and Time: 3/2/2026 10:29:35 AM

User: [Moderator note: personal info removed]

Issue Type: User does not have permissions.

Thanks

[Moderator note: personal info removed]

Answer 1

Hi @Rama Dayakar,

Thank you for reaching out to Microsoft Q&A Forum.

The error indicates that the Google domain guest account was successfully invited and authenticated, but authorization failed after sign‑in. This usually happens when Conditional Access, domain restrictions, or cross‑tenant policies block access after the guest is recognized.

Please reach out to the IT admin of the organization invited you as guest as request them to check whether any Conditional Access policy:

• Applies to Guest or External Users
• Restricts Browser access, SharePoint Online, or All cloud apps
• Requires device compliance or hybrid join (which Google users cannot meet)

Even a single CA policy can silently block access post‑authentication.

They can use What If tool to narrow down which conditional access affected your issue. Please provide them this article: The Conditional Access What If tool - Microsoft Entra ID | Microsoft Learn

 

The next step review Conditional Access sign‑in logs using the provided Correlation ID

by checking Entra ID > Sign‑in logs for the guest user and identify which policy caused the “Access denied” decision.

The correlation ID you shared is exactly what an Entra admin needs to pinpoint the blocking control.

If the issue persists after you verify everything with the What If tool and sign-in logs, your administrator may need to open a support ticket with Microsoft for backend verification, as this can require intervention beyond tenant‑level controls. They can reach out to Microsoft Support through the Microsoft 365 Admin Center so Microsoft can collect logs and investigate. 

Microsoft also provides customer service phone numbers based on your region. You can find the appropriate contact number here: Customer service phone numbers - Microsoft Support 

This route ensures that a Microsoft support engineer can initiate a remote session to investigate backend configurations, run advanced diagnostic tools, and, if necessary, escalate the case to specialized teams with access to internal systems and logs. These backend resources are essential for resolving issues that go beyond what’s visible in the user interface.

As community moderators, we’re here to guide you, but due to privacy and security limitations, we don’t have access to the backend tools required for a full resolution. For this reason, contacting Microsoft Support via the Admin Center is the most secure and efficient way forward.

 

I hope this helps you resolve the issue quickly. I’m glad to assist and truly hope the information provided has been useful. Please feel free to reach out anytime if you need further assistance.  

Thank you for your kindness and contributions to the forum.

---

Note: Follow the steps in our documentation to enable email notifications if you want to receive email notifications related to this topic.

Answer 2

verified but still get same issue

Correlation ID: [Moderator note: personal info removed]

Date and Time: 3/2/2026 11:29:22 AM

User: [Moderator note: personal info removed]

Issue Type: User does not have permissions.

Answer 3

The error indicates that the Google guest account exists in the tenant but doesn’t have permission to the specific SharePoint resource, or the authentication/guest configuration for Google users isn’t fully in place.

Use these checks and steps in the resource ([Moderator note: personal info removed]) tenant:

1. Confirm the guest user is properly redeemed and identified as Google
   • In Microsoft Entra admin center, open the user [Moderator note: personal info removed]
   • Check Invitation state:
     • If it shows Pending acceptance, the user must redeem the invitation email first. Until redemption, access to resources will fail.
   • After redemption, confirm Identities shows google.com for this user, indicating a Google-federated external identity.
2. Verify Google federation is configured and working
   • Ensure Google is added as an identity provider for B2B collaboration in the workforce tenant and that the user signs in with the same Gmail address that was invited.
   • When the user accesses the resource or common endpoint, they should be able to choose Sign-in options → Sign in to an organization, enter the organization name, and then authenticate with Google.
   • If the user sees a “header too long” or similar sign-in issue, have them clear cookies or use a private/incognito browser session and try again.
3. Confirm the user has SharePoint permissions to the file/site
   • In the SharePoint site or library where the file resides, check Manage access / Permissions.
   • Ensure the guest user (or a group that includes this guest) is granted at least View permission to the site/library/folder/file.
   • The error message “User does not have permissions” is consistent with the guest account existing but not being granted access at the SharePoint level.
4. Check Conditional Access policies for guests and external users
   • In Microsoft Entra Conditional Access, review policies that apply to Guest or external users.
   • If there is a policy such as “Require MFA always for guests and external users,” ensure the Google guest can satisfy MFA or that the policy isn’t blocking access.
   • If there is a policy “Require MFA when sign-in risk is medium or high,” confirm guests are not unintentionally excluded from needed policies or included in blocking policies.
   • Adjust Assignments → Users → Include/Exclude → Guest or external users as needed so that Google guests are allowed and protected but not blocked.
5. Validate external user authentication flow
   • For non-Microsoft Entra ID external users (like Google), the flow is:
     1. User requests the SharePoint resource and is redirected to the resource tenant.
     2. Resource tenant identifies the user as external and redirects to Google for primary authentication.
     3. After Google issues a token, the resource tenant evaluates Conditional Access and then issues its own token if policies and permissions are satisfied.
   • If any step fails (for example, Conditional Access denies, or SharePoint permissions are missing), the user will see “access denied.”
6. Test with a direct tenant-specific endpoint
   • Have the guest user access a tenant-specific endpoint such as:
     • https://myapps.microsoft.com/?tenantid=<your tenant ID> or
     • https://portal.azure.com/<your tenant ID>
   • After successful sign-in with Google, try opening the SharePoint link again. This helps confirm that the guest is correctly recognized in the tenant before hitting SharePoint.

If other external domains work and only this Gmail/Google user fails, focus on:

• Ensuring the invitation is redeemed and Identities shows google.com.
• Confirming SharePoint permissions for this specific guest.
• Reviewing Conditional Access scope for Guest or external users to ensure Google guests are not blocked.

---

References:

• Add Google as an identity provider for B2B guest users
• Sign-in endpoints
• Authentication flow for non-Microsoft Entra ID external users
• Conditional Access for external users
• Understand and manage the properties of B2B guest users
• Policies for allowing guest access and B2B external user access
• Overview of External User Access with Global Secure Access (preview)