A Quick Approach to Manage Guest Users in Microsoft 365 Using PowerShell

A Quick Approach to Manage Guest Users in Microsoft 365 Using PowerShell

In the current interlinked world, effective collaboration with external partners, stakeholders, and clients is vital for business and project development. So, it is necessary to manage guest users and secure guest sharing in Microsoft 365. While the Azure portal offers ways to manage guest users, PowerShell provides advanced capabilities for Azure AD administration.

In this blog, I am going to show the process of managing Microsoft 365 guest users using Microsoft Graph PowerShell.

What are Guest Users in Office 365?

In Office 365, guest users are categorized into two types based on their organization. The two categories of guest users are:

External Guest Users: External guest users are external people who have (limited) access to Microsoft 365 resources in your tenant. They can have their own email domains or personal email accounts, and they don’t need their own Microsoft 365 subscription to be invited as guest users.

Internal Guest Users: Internal guest users refers to user accounts that is created within your Microsoft 365 environment but they are not a full-fledged member of your organization. This type of user account is typically used to provide limited access to temporary individual users.

Manage Microsoft 365 Guest Users Using PowerShell

Here are the major operations to manage guest users in Microsoft 365 using PowerShell. By the way, make sure to connect to the Microsoft Graph PowerShell module with the scopes: Directory.ReadWrite.All, User.Invite.All, User.ReadWrite.All, Policy.ReadWrite.Authorization, AuditLog.Read.All.

Note: To facilitate these processes, the Azure AD module is also available. However, it is recommended to use the Microsoft Graph module as the Azure AD module is going to deprecate.

Invite an External Guest User to Microsoft 365 Tenant

To invite a guest user from an external domain to your Microsoft 365 tenant, run the following PowerShell cmdlet. You can invite any type of account, including a social account such as a Gmail or Outlook account.

New-MgInvitation -InvitedUserDisplayName <DisplayName> -InvitedUserEmailAddress <EmailAddress> -InviteRedirectUrl "https://myapplications.microsoft.com" -SendInvitationMessage:$true

Here, replace <DisplayName> with the display name of the guest user and <EmailAddress> with the email address of the guest user. For example,

New-MgInvitation -InvitedUserDisplayName "Chris Moris" -InvitedUserEmailAddress [email protected] -InviteRedirectUrl "https://myapplications.microsoft.com" -SendInvitationMessage:$true

After the execution of the above cmdlet, an invitation for guest will be sent to Chris Moris‘s email address.

Note: Once guest users accept the invitations, they gain access to your Microsoft 365 services. To monitor their activities, you can export Office 365 external user activities using PowerShell scripting. You can also refer audit external user file access in SharePoint Online blog to monitor SharePoint file access activity by external guests.

Bulk Invite Guest Users Using Graph PowerShell

To invite bulk guest users, first, create a CSV file like the below format with the display name and the email address.

Bulk Invite Guest Users Using Graph PowerShell - CSV file

After the creation of the CSV, execute the following cmdlet to invite bulk users to your Microsoft 365 tenant.

Import-Csv <FileLocation> | foreach {New-MgInvitation -InvitedUserDisplayName $_.DisplayName -InvitedUserEmailAddress $_.EmailAddress -InviteRedirectUrl "https://myapplications.microsoft.com" -SendInvitationMessage:$true}

Replace <FileLocation> with the appropriate file path of the created CSV file.

Create an Internal Guest User in Microsoft 365

As well all know, internal guest members are created to provide limited access to temporary individual users. To create an internal guest user in Microsoft 365 using PowerShell, you can utilize the ‘New-MgUser cmdlet.

New-MgUser  -UserType "Guest" -DisplayName <DisplayName> -PasswordProfile @{Password = <Password>} -AccountEnabled -UserPrincipalName <NewInternalGuestUserUPN> -MailNickname <MailNickName>

Here’s an example cmdlet to create an internal guest user:

New-MgUser  -UserType "Guest" -DisplayName "Jack Jill" -PasswordProfile @{Password = 'y-loJ65WH-j4'} -AccountEnabled -UserPrincipalName 'JackJill@contoso.com' -MailNickname "JackJill"

The execution of the cmdlet creates a new internal guest user with the display name “Jack Jill”.

Convert a User from Guest to Member in Microsoft 365

Converting guest users to members gives them the level of access and capabilities of internal members. You can make use of the following cmdlet to change guests into members.

Update-MgUser -UserId <GuestUserUPN> -UserType Member -UserPrincipalName <NewUPN> -UsageLocation <UsageLocation>

For example,

Update-MgUser -UserId cmoris_fabrikam.com#EXT#@contoso.com -UserType member -UserPrincipalName "[email protected]" -UsageLocation US

This converts the guest user ‘Chris Moris’ to an Office 365 member in your tenant.

Get All Guest Users in Microsoft 365 Using PowerShell

To view all the Microsoft 365 guest users in your tenant, run the below cmdlet.

Get-MgUser -All -Filter "UserType eq 'Guest'"

Get All Guest Users in Microsoft 365 Using PowerShell

Note: You can also easily export the list of guest users along with their group membership and other essential attributes using the power of PowerShell scripting. As an admin, you can also detect who created guest users using PowerShell.

You can also utilize AdminDroid Microsoft 365 administration tool to manage guests and their activities effortlessly.

Assign Licenses to a Guest User in Microsoft 365

To assign guest users a license using MS Graph you must know the “SKUid” of the particular license. You can use the ‘Get-MgSubscribedSku cmdlet to list the licenses available in your organization with “SKUid”.

After the identification of “SKUid” for the particular license, you can assign a license to a guest user using the following cmdlet.

Set-MgUserLicense -UserId <UPN> -AddLicenses @{SkuId= <SKUid>} -removeLicenses @()

Replace the “UPN” with the user identity and ”SKUId” with the license id. For example,

Set-MgUserLicense -UserId cmoris_fabrikam.com#EXT#@contoso.com -AddLicenses @{SkuId = "bea4c11e-220a-4e6d-8eb8-8ea15d019f90"} -removeLicenses @()  

In the above example, In the given example, the guest user “Chris Moris” is assigned a license with the SKU ID “bea4c11e-220a-4e6d-8eb8-8ea15d019f90” (Microsoft 365 Enterprise Pack E5).

Point to Remember: The guest user must be assigned a usage location before allocating a user license.

Bulk Assign License to Guest Users in Microsoft 365 Tenant

To bulk assign licenses to guest users, first, create a CSV file like the below format with the guest users’ UPN.

Bulk Assign License to Guest Users in Microsoft 365 Tenant - CSV File Format

After the creation of the CSV file, execute the following cmdlet to assign licenses to bulk guest users in your Microsoft 365 tenant.

Import-Csv <FileLocation> | foreach { 
    $guestUserUPN = $_.GuestUsersUPN 
    Set-MgUserLicense -UserId $guestUserUPN -AddLicenses @{SkuId = <SkuId>} -RemoveLicenses @() 
}

Replace <FileLocation> with the appropriate file path of the created CSV file and <SkuId> with the appropriate license subscription Id.

Add Guest User to a Microsoft 365 Group Using PowerShell

Adding guest users to Microsoft 365 groups can enable their collaboration and participation within the organizations granting access to group mailboxes, Microsoft Teams, and SharePoint sites.

To add a gust user to a Microsoft 365 group, you can use the Microsoft Graph PowerShell module. First, retrieve the user Id of the desired guest using the ‘Get-MgUser’ cmdlet, and the group ID using the ‘Get-MgGroup’ cmdlet.

After that, execute the below cmdlet with the appropriate User Id and Group Id.

New-MgGroupMember -GroupId <GroupId> -DirectoryObjectId <UserId>

Add Bulk Guest Users to a Microsoft 365 Group Using MS Graph

To add bulk guest users to a Microsoft 365 group, first, create a CSV file with the guest users’ User Id like the below format.

Add Bulk Guest Users to a Microsoft 365 Group Using MS Graph - CSV File Format

After the creation of the CSV file, execute the following cmdlet to add bulk guest users to a Microsoft 365 group.

Import-Csv <FileLocation>| foreach {New-MgGroupMember -GroupId <GroupId> -DirectoryObjectId $_.UserId}

Replace <FileLocation> with the appropriate file path of the created CSV file and <GroupId> with the appropriate Group Id.

Remove Guest User from a Microsoft 365 Group Using PowerShell

Similarly, you can use the ‘Remove-MgGroupMemberByRef cmdlet to remove a guest user from a Microsoft 365 group.

Remove-MgGroupMemberByRef -GroupId <GroupId> -DirectoryObjectId <UserId>

Remove Microsoft 365 Licenses from Guest Users

You can remove the particular license from a guest user using the following cmdlet.

Set-MgUserLicense -UserId cmoris_fabrikam.com#EXT#@contoso.com -AddLicenses @() -removeLicenses @(<SkuId>)

For example,

Set-MgUserLicense -UserId cmoris_fabrikam.com#EXT#@contoso.com -AddLicenses @() -removeLicenses @("bea4c11e-220a-4e6d-8eb8-8ea15d019f90")

In the above example, In the given example, a license with the SKU ID “bea4c11e-220a-4e6d-8eb8-8ea15d019f90” (Microsoft 365 Enterprise Pack E5) is removed from the guest user “Chris Moris”.

Check Office 365 Guest User’s Last Logon Time

The last logon time of the guests helps to identify and manage inactive, stale, and unused accounts. This also helps to ensure the ensuring and streamlined Microsoft 365 environment. You can get the last login details of the guest users using the following cmdlet.

Get-MgUser -All -Filter "UserType eq 'Guest'" -Property SignInActivity | Select-Object userprincipalname -ExpandProperty SignInActivity | Format-List

Check Office 365 Guest User’s Last Logon Time

While PowerShell simplifies retrieving guest users’ last logon time, calculating inactive days demands additional processing, which can be time-consuming. To address these concerns, we have crafted a user-friendly PowerShell script to export guest users’ last login time report.

Note: By the way, for enhanced monitoring of Microsoft 365 external guest users, you can easily export the inactive external users report with the capability of PowerShell scripting.

Remove Guest User from Microsoft 365 Using MS Graph

To remove a guest user from Microsoft 365 using PowerShell, you can utilize the following graph cmdlet. Simply specify the user principal name (UPN) of a guest user as a parameter to remove them from the environment.

Remove-MgUser -UserId <UPN>

For example,

Remove-MgUser -UserId jabezdavid_fabrikam.com#EXT#@contoso.com

The given example will delete the guest user Jabez David from your Office 365 tenant.

Restrict Guest Access Permissions Using Graph PowerShell

Microsoft 365 guest user access can be categorized into three levels based on the level of inclusiveness and the access permissions granted.

Role Name Level Description Guest User Role Id
User Most Inclusive Guest users have the same access as members. Guests have the same access to Azure AD resources as member users. a0b1b346-4d3e-4e8b-98f8-753987be4970
Guest User Limited Access (Default) Guest users have limited access to properties and members of directory objects. Guests can see membership of all non-hidden groups. 10dae51f-b6af-4016-8d66-8c2a99b929b3
Restricted Guest User Most Restrictive Guest user access is restricted to properties and memberships of their own directory objects. Guests can’t see membership of any groups. 2af84b1e-32c8-42b7-82bc-daa82404023b

To change the level of guest access permission in your Office 365 tenant, you can use the following cmdlet.

Update-MgPolicyAuthorizationPolicy -GuestUserRoleId <GuestUserRoleId>

Replace <GuestUserRoleId> with the appropriate guest user role id listed in the above table.

Also, you can determine the current permission level of guest users by retrieving their role Id. To view the guest user role id, you can execute the following cmdlet.

Get-MgPolicyAuthorizationPolicy | Select GuestUserRoleId

Simplify Your Guest User Management Using AdminDroid!

Managing guest users in Microsoft 365 can be time-consuming and cumbersome when relying solely on PowerShell and Azure Portal. That’s where AdminDroid comes to the rescue! With AdminDroid’s powerful features and intuitive interface, you can effortlessly streamline your guest user management process.

AdminDroid’s report board is a comprehensive tool that consolidates reports for specific categories, including inactive users, admins, M365 usage, external users, and more. With the report board, admins can easily download or schedule multiple reports at once. The External Users category under the security section of the report board offers 30+ reports specifically related to Microsoft 365 guest users.

External Users Report Board in AdminDroid

Discover a comprehensive range of guest user reports offered by AdminDroid, empowering effective management and facilitating seamless collaboration:

  • Guest User Info Reports
    • External Guest User
    • Internal Guest User
    • Recently Created/Deleted Guest Users
    • SharePoint Guest Users
    • Groups by External Users Count
  • Guest User Audit
    • All External and Internal Guest User Logins
    • Audit Guest Creation, Deletion, and Updation
    • External Members Added/Removed from Groups
    • Teams External Users Login Activities
    • Users Signing into External Organizations
  • File/Folder/Page Activities by Guest Users
    • Files Shared with Guest Users
    • Files/Pages Access by Guest Users
    • File/Folder Sharing by Guest Users in Teams
  • Guests Mailbox Permission Reports
    • Guest Users with Access to Other Mailboxes
    • Mailboxes Accessed by Guest Users
  • Guest User Membership Reports
    • Guest User Group Membership
    • Channels/Private Channels with Guest Members
    • Guest Members Added/Removed to SharePoint Groups
    • Site Invitations Shared to Guest Users

Microsoft 365 External Guest Users Report Using AdminDroid

Overall, AdminDroid Office 365 reporting tool offers 1800+ pre-built reports and 30+ dashboards for managing Microsoft 365 services. With comprehensive features like reporting, auditing, analytics, and security & compliance, it simplifies management across Azure AD, Security, Exchange Online, SharePoint Online, Microsoft Teams, Yammer, OneDrive, and more.

The free AdminDroid Azure AD management tool offers 75+Auditing Reports, 45+Statistical Reports, and 10+Insightful Dashboards, allowing admins to visualize key information and enhance security measures.

Thus, this tool can elevate your Office 365 management game to the next level! Try the demo of AdminDroid now to explore all the features it offers.

I hope that this blog will help you to manage guest users in Microsoft 365 effectively using PowerShell. Feel free to reach us in the comments section for any assistance.

A Quick Approach to Manage Guest Users in Microsoft 365 Using PowerShell

by Thiraviam time to read: 9 min
0