![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 82%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
2,019 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
The guest user is always from a different tenant or can be an external user not on Azure Active directory at all . In order to signin to a Virtual machine which is joined to Azure AD domain services instance you need NTLM password hashes to be available for these users . Since the password for these guest users are not stored within the same tenant hence they wont be able to signin in this case and this is by design. Please check the section in FAQ for AAD domain services. For any user who was created locally within your Azure AD instance the password will be stored either on Azure AD or synced from On-premise if they are synced users . When you enabled Azure AD domain services , the NTLM hashes for those users will be generated and it will be synced to your Azure AD domain services instance. Thus the password for local users will always be with you and the system will be able to authenticate them while this wont be the case for any user who was not from within the domain . When you have a Azure VM joined to the Azure AD domain services domain it will authenticate using the NTLM/kerberos auth from users form the domain . Hope this clarified your query . Please find the document reference for the same.
Can guest users be invited to my directory use Azure AD Domain Services?
No. Guest users invited to your Azure AD directory using the Azure AD B2B invite process are synchronized into your Azure AD Domain Services managed domain. However, passwords for these users aren't stored in your Azure AD directory. Therefore, Azure AD Domain Services has no way to synchronize NTLM and Kerberos hashes for these users into your managed domain. Such users can't sign in or join computers to the managed domain.
----------------------------------------------------------------------------------------------------------------------------------------------------------
- Please don't forget to click on
or upvote 
button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how - Want a reminder to come back and check responses? Here is how to subscribe to a notification
- If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 27%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)