External members & Office 365 groups

Ihab Khiri 21 Reputation points
2022-08-28T17:45:26.277+00:00

I have been breaking my head about a matter I have in a Microsoft 365 tenant.

Case:

  • Due to historical decisions a multi-tenant approach has been chosen.
  • Tenant A & Tenant B.
  • Users from Tenant A have been added to Tenant B as B2B guests. They need to collaborate in SharePoint sites just like they would in Tenant A.
  • License E3 has been assigned.
  • Converted the external guest into an external member by changing userType to 'member'.
  • Azure Guest user restrictions: 'Guest users have the same access as members and grant all member user permissions to guest users by default.' (not true)
  • Guests can Invite --> No
  • Members can Invite --> No
  • basically, the policy should be that only existing guests can collaborate.

Issue: When a guest member is added as a Microsoft 365 group owner thus SharePoint site Owner, they are not able to edit or view the group memberships.

I've run through this several times but the only logical conclusion I can draw is that it is not possible for an external member to adjust group membership because if a guest member would be able to do so he could see all the members in the directory. Which is logically not what you want if you are really dealing with external members.

Is there anything else I could try to elevate external members in the tenant so they are treated exactly the same like internal members? Reason to go with a multi-tenant approach is de-centralized IT, so tenant connections etc. would not be possible.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,630 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Givary-MSFT 27,491 Reputation points Microsoft Employee
    2022-08-29T09:05:46.797+00:00

    @Ihab Thank you for reaching out to us. As I understand you want to leverage external guest into an external member within Azure AD to manage group memberships for SharePoint.

    Wanted to check have you defined any/used Azure AD roles for group membership administration

    Reference:
    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
    https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-group-permissions

    Let me know if the above information doesnt help, we can connect offline and troubleshoot further on the same.

    0 comments No comments

  2. Ihab Khiri 21 Reputation points
    2022-08-29T19:33:25.81+00:00

    Hi there, @Givary-MSFT Thanks a lot for thinking along.

    • I have been testing this in a demo tenant and I found that the user now can indeed read permissions within the SharePoint with the directory reader role.
    • But the user cannot administer members (remove members, or add members) of that group. Something that a normal group owner would be able to do.
      • Then I tried adding 'Groups Administrator' but that gives the user too much access.
    • So what I need is to grant the user Group Administrator role, but only limited to the 365 Groups in which the user is the owner. I checked administrative units, but that apparently also does not work like that.