Guest account prerequisites
External collaboration settings
Microsoft Managed Desktop recommends the following configuration in your Azure AD organization for guest account access. You can adjust these settings at the Azure portal under External Identities / External collaboration settings:
|Setting|Recommended value|
|---|---|
|Guest access|Guests have limited access to properties and memberships of directory objects.|
|Guest invite settings|Member users and users assigned to specific admin roles can invite guests, including guests with member permissions.|
Microsoft Managed Desktop requires the following configuration in your Azure AD organization for guest account access. You can adjust this setting at the Azure portal under External Identities / External collaboration settings:
|Setting|Required value|
|---|---|
|Collaboration restrictions|Select any of these options:|

If you set restrictions that interact with these settings, be sure to exclude the Azure Active Directory Modern Workplace Service Accounts. For example, if you have a Conditional Access policy that prevents guest accounts from accessing the Intune portal, exclude the Modern Workplace Service Accounts group from that policy.
For more information, see Enable B2B external collaboration and manage who can invite guests.
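As an added audit script (not part of this page or of Microsoft Managed Desktop's own tooling), the following reads the tenant's authorization policy and Conditional Access policies through the Microsoft Graph PowerShell SDK and flags deviations from the settings above. It assumes the SDK is installed, a signed-in account with Policy.Read.All and Group.Read.All, and that the guest role template IDs below match the current Microsoft documentation.

```powershell
# Added example: audit guest collaboration settings and the service-account exclusion.
# Assumption: Microsoft.Graph SDK installed; verify the role template IDs against current docs.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All"

$policy = Get-MgPolicyAuthorizationPolicy

# "Guests have limited access to properties and memberships of directory objects"
$limitedGuestRoleId = "10dae51f-b6af-4016-8d66-8c2a99b929b3"
if ($policy.GuestUserRoleId -ne $limitedGuestRoleId) {
    Write-Warning "Guest access level is '$($policy.GuestUserRoleId)'; recommended limited guest ($limitedGuestRoleId)"
} else {
    Write-Host "OK: guest access is limited"
}

# "Member users and users assigned to specific admin roles can invite guests"
$recommendedInvite = "adminsGuestInvitersAndAllMembers"
if ($policy.AllowInvitesFrom -ne $recommendedInvite) {
    Write-Warning "Guest invite setting is '$($policy.AllowInvitesFrom)'; recommended '$recommendedInvite'"
} else {
    Write-Host "OK: guest invite setting"
}

# Conditional Access: every enabled policy that targets guests should exclude the
# Modern Workplace Service Accounts group, otherwise the service's access breaks.
$group = Get-MgGroup -Filter "displayName eq 'Modern Workplace Service Accounts'"
if (-not $group) {
    Write-Warning "Group 'Modern Workplace Service Accounts' not found; skipping CA check"
} else {
    foreach ($ca in Get-MgIdentityConditionalAccessPolicy) {
        if ($ca.State -ne "enabled") { continue }
        $users = $ca.Conditions.Users
        # Guests can be targeted by the legacy 'GuestsOrExternalUsers' entry or the newer object.
        $targetsGuests = ($users.IncludeUsers -contains "GuestsOrExternalUsers") -or
                         ($null -ne $users.IncludeGuestsOrExternalUsers)
        if ($targetsGuests -and ($users.ExcludeGroups -notcontains $group.Id)) {
            Write-Warning "CA policy '$($ca.DisplayName)' targets guests but does not exclude '$($group.DisplayName)'"
        }
    }
}
```

Run it before onboarding and again whenever Conditional Access policies change; each warning points at one setting on this page to correct.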
Unlicensed Intune admin
The Allow access to unlicensed admins setting must be enabled. Without it, errors can occur when Microsoft Managed Desktop tries to access your Azure AD organization to deliver the service. You can safely enable this setting without worrying about security implications: it does not grant any access by itself. The scope of access is still defined by the roles assigned to users, including our operations staff.
To enable this setting:
- Go to the Microsoft Endpoint Manager admin center.
- Go to Tenant administration, select Roles, and then select Administrator licensing.
- In the Allow access to unlicensed admins section, select Yes.
You cannot undo this setting after you select Yes.
For more information, see Unlicensed admins in Microsoft Intune.