365 Guest & App Access - not working - confused and concerned

AutomationNation 11 Reputation points
2022-07-04T13:56:34.817+00:00

Hi all,

We have an outstanding case with our MSP who is progressing this with Microsoft - but I'll summarise it here - as I think some community input might be able to help.

Apologies for the attachment mess - it seems the uploader was acting odd but it now all displays fine so I'll leave it - I was directed here when I posted the question in the Community here

This example shows PowerBI Report / app access - but it's the same for any app as none of them show up - in the exact same way this one doesn't.

I've blanked out info and used placeholders for privacy but this should make sense.

Giving guest users access to PowerBI apps – what should happen (I assume)

  • We invite external user as a guest & licence them with a PowerBI Pro licence
  • We add them to the relevant security group(s) that give access to the app(s) they need
  • They accept the invite
  • They can then go to my https://myapps.microsoft.com/ and sign in with their normal Microsoft account that we’ve invited
  • Click their name at the top right and Switch Organisation to OurOrg
  • This should then use their licenced guest account, and it should show the PowerBI App - happy days

Testing the above

  • We invite external user as a guest & licence them with a PowerBI Pro licence
  • We add them to any groups that give access to the app(s) they need
  • They accept the invite
  • They can then go to my https://myapps.microsoft.com/ and sign in with their normal Microsoft account that we’ve invited
  • Click their name at the top right and Switch Organisation to OurOrg
  • They then see a blank page with no apps – if they click the squares at the top left it gives an error

217451-1.jpg

If the user then goes to https://app.powerbi.com/ - it appears to throw them back into their original organisation – with no access to OurOrg Apps

I can tell this in my testing – as I have another 365 tenancy I use outside of work with a custom domain – in that tenancy – I do not have any PowerBI Pro licences.

217442-2.jpg

The above screenshot was taken using the account I invited as a guest to the OurOrg tenancy and licenced with a PowerBI pro licence on the OurOrg side – so if I do the above it shows this:

Which would imply that, at this point – I am back in the other tenancy – which we don’t want. There is no option to switch organisation within this webpage oddly

Further Testing with odd results

If I go to https://myapps.microsoft.com and attempt to sign in with the fully qualified guest email – which is xxx_xxx.me#EXT#@OurOrg.onmicrosoft.com – it recognises this and prompts for a password to sign into the OurOrg tenant

217452-3.jpg

Now – at this point – as a user – they would not know the password to this as (nor would they even know the email), in theory – one has not been set as it’s a guest account – the whole point is that it’s integrated - logically they would never even get to this stage as they wouldn't know the fully qualified external email that is given to guests

Resetting this account's PW via Azure doesn’t work of course – as it gives this error:

217378-4.jpg

Which makes sense to me - obviously

Resetting via the 365 Admin Portal however does work (if I click the key icon on the dropdown):

217369-5.png
217433-6.png

and I could reset the password (this seems wrong?) – and log into the MyApps url using the Fully qualified guest email and the password I set via resetting it

On doing this – I got the below:

217414-7.jpg

This is exactly how it should look / how I expect it to look when a guest user switches orgs from their primary one to OurOrg – and exactly (I think) how it should work

To verify this – I clicked PowerBI and was presented with the pre-installed App which I had permission for via the relevant security group membership:

217453-8.jpg

And could access it perfectly!

For some reason - when they switch orgs doing it the proper way it doesn’t sign into the actual guest account it seems - and I can get it to work through this weirdly convoluted method - but I'm not about to present this as a solution because it just isn't.

Something in this process is broken – I’m not sure what, nor am I sure how to fix it – but hopefully someone there can shed some light. Any advice, suggestions, tell me I'm doing something wrong or misunderstanding a core concept - all welcomed.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator
    2022-07-07T09:55:04.653+00:00

    @AutomationNation

    Thank you for posting your question in Microsoft Q&A
    I have tried the same steps that you had mentioned in my lab. It is working for me without any issues.
    I first invited a guest user to my tenant. I accepted the invitation and user is successfully provisioned as guest user.
    Now I logged in to myapps portal and changed the organization to guest tenant.
    Initially I was unable to see the applications.
    Later I assigned one application to guest user in the tenant.
    Now, I am able to see assigned application for guest user in my apps portal.

    In your scenario it looks like you have missed assigning an application to guest user.
    You can go to enterprise apps blade >> click on application you want to assign >> properties >> select "yes" for "assignment required" and save it
    Now click on user and groups and assign this application to guest user. Now user will be able to see this application in my apps portal.

    Other part of the query where you were unable to login with xxx_xxx.me#EXT#@OurOrg.onmicrosoft.com UPN.
    This is by design and this is because xxx_xxx.me#EXT#@OurOrg.onmicrosoft.com is only way of representing guest user in the tenant.

    To access this account you will have to use your ******@me.com UPN.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
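
The portal steps in the answer above ("assignment required" set to yes, then assign the app to the guest), scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the answer or of Microsoft's guidance; the values in angle brackets are placeholders you must fill in, and the script assumes the Microsoft.Graph module is installed.

```powershell
# Added example. <...> values are placeholders, not values from this thread.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','User.Read.All'

$appName   = '<enterprise app display name>'
$guestMail = '<guest home e-mail address>'
$roleId    = [Guid]::Empty.ToString()   # all-zero GUID = "Default Access"

# Resolve exactly one enterprise app (service principal) and one guest user.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -ne 1) { throw "Expected one service principal named '$appName', found $($sp.Count)." }
$sp = $sp[0]

$guest = @(Get-MgUser -Filter "mail eq '$guestMail' and userType eq 'Guest'")
if ($guest.Count -ne 1) { throw "Expected one guest with mail '$guestMail', found $($guest.Count)." }
$guest = $guest[0]

# If the app defines its own user-assignable roles, make the operator pick one
# explicitly instead of silently granting whichever role happens to be first.
$userRoles = @($sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' })
if ($userRoles.Count -gt 0 -and $roleId -eq [Guid]::Empty.ToString()) {
    $userRoles | Select-Object Id, DisplayName | Format-Table | Out-String | Write-Host
    throw 'This app defines roles; set $roleId to one of the Ids listed above.'
}

# Properties > "Assignment required" = Yes
if (-not $sp.AppRoleAssignmentRequired) {
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
}

# Users and groups > assign the guest, unless a direct assignment already exists.
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalId -eq $guest.Id }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter @{
        principalId = $guest.Id   # who gets access
        resourceId  = $sp.Id      # the enterprise app
        appRoleId   = $roleId     # which role
    } | Out-Null
}

# Review who is assigned to the app afterwards.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

Once "assignment required" is on, users who are not assigned directly or through a group can no longer sign in to that app, so review the final listing before applying this to an app that is already in use.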


  2. Christopher Wade 26 Reputation points
    2023-03-03T10:12:45.3466667+00:00

    I am having the same issue.... I noticed this part about giving permissions to guests on applications, but I don't see Project/Word etc in there to give permissions to.....

    "You can go to enterprise apps blade >> click on application you want to assign >> properties >> select "yes" for "assignment required" and save it"
