Prerequisites for guest accounts

External collaboration settings

Microsoft Managed Desktop recommends the following configuration in your Azure AD organization for guest account access. You can adjust these settings at the Azure portal under External Identities / External collaboration settings:

Setting | Set to
Guest access | Guests have limited access to properties and memberships of directory objects.
Guest invite settings | Member users and users assigned to specific admin roles can invite guests, including guests with member permissions.

Microsoft Managed Desktop requires the following configuration in your Azure AD organization for guest account access. You can adjust this setting at the Azure portal under External Identities / External collaboration settings:

Setting | Option
Collaboration restrictions | Select any of these options:
  • If you select Allow invitations to be sent to any domain (most inclusive), no other configuration is required.
  • If you select Deny invitations to the specified domains, make sure that Microsoft.com isn't listed in the target domains.
  • If you select Allow invitations only to the specified domains (most restrictive), make sure that Microsoft.com is listed in the target domains.

If you set restrictions that interact with these settings, be sure to exclude the Azure Active Directory Modern Workplace Service Accounts. For example, if you have a conditional access policy that prevents guest accounts from accessing the Intune portal, exclude the Modern Workplace Service Accounts group from this policy.

For more information, see Enable B2B external collaboration and manage who can invite guests.
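The three settings above can be verified against a snapshot of the tenant's policies before onboarding. The following check is an added example, not part of the original article or a Microsoft tool: it assumes the guest-access and invite settings come from the Microsoft Graph authorizationPolicy (guestUserRoleId, allowInvitesFrom) and that the domain restrictions follow the legacy B2BManagementPolicy definition shape (AllowedDomains / BlockedDomains); the sample tenant data is constructed.

```python
"""Check Azure AD guest-collaboration settings against the Managed Desktop prerequisites."""

# Microsoft Graph authorizationPolicy values for the two recommended settings.
REQUIRED_INVITES_FROM = "adminsGuestInvitersAndAllMembers"     # members + admin roles can invite
LIMITED_GUEST_ROLE_ID = "10dae51f-b6af-4016-8d66-8c2a99b929b3"  # "limited access" guest role
REQUIRED_DOMAIN = "microsoft.com"                              # compared case-insensitively


def check_guest_prerequisites(auth_policy: dict, b2b_policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the tenant meets the prerequisites."""
    findings = []
    if auth_policy.get("guestUserRoleId", "").lower() != LIMITED_GUEST_ROLE_ID:
        findings.append("Guest access: set to limited access to properties and memberships")
    if auth_policy.get("allowInvitesFrom") != REQUIRED_INVITES_FROM:
        findings.append("Guest invite settings: members and specific admin roles must be able to invite")

    # Assumed shape of the legacy B2BManagementPolicy definition (an assumption, see lead-in).
    domains = (b2b_policy.get("B2BManagementPolicy", {})
                         .get("InvitationsAllowedAndBlockedDomainPolicy", {}))
    allowed = {d.lower() for d in domains.get("AllowedDomains", [])}
    blocked = {d.lower() for d in domains.get("BlockedDomains", [])}
    # Empty allow list + empty deny list = "any domain": nothing further to check.
    if allowed and REQUIRED_DOMAIN not in allowed:
        findings.append("Collaboration restrictions: allow list does not include Microsoft.com")
    if REQUIRED_DOMAIN in blocked:
        findings.append("Collaboration restrictions: deny list includes Microsoft.com")
    return findings


# Constructed sample tenant: uses the most restrictive mode with Microsoft.com allowed.
SAMPLE_AUTH_POLICY = {
    "guestUserRoleId": LIMITED_GUEST_ROLE_ID,
    "allowInvitesFrom": REQUIRED_INVITES_FROM,
}
SAMPLE_B2B_POLICY = {
    "B2BManagementPolicy": {
        "InvitationsAllowedAndBlockedDomainPolicy": {
            "AllowedDomains": ["Microsoft.com", "partner.example"],
            "BlockedDomains": [],
        }
    }
}

if __name__ == "__main__":
    for finding in check_guest_prerequisites(SAMPLE_AUTH_POLICY, SAMPLE_B2B_POLICY) or ["OK"]:
        print(finding)
```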

Unlicensed Intune admin

The Allow access to unlicensed admins setting must be enabled. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. Enabling this setting does not by itself widen anyone's access: the scope of access is still defined by the roles assigned to users, including our operations staff.

To enable this setting:

1. Go to the Microsoft Endpoint Manager admin center.
2. Navigate to Tenant administration, select Roles. Then, select Administrator licensing.
3. In the Allow access to unlicensed admins section, select Yes.

Important

You cannot undo this setting after you select Yes.

For more information, see Unlicensed admins in Microsoft Intune.

Steps to get ready for Microsoft Managed Desktop

1. Review prerequisites for Microsoft Managed Desktop.
2. Run readiness assessment tools.
3. Buy Company Portal.
4. Review prerequisites for guest accounts (this article).
5. Check network configuration.
6. Prepare certificates and network profiles.
7. Prepare user access to data.
8. Prepare apps.
9. Prepare mapped drives.
10. Prepare printing resources.
11. Address device names.