This is the first of a few articles that I will write about Office 365/Azure AD Guest Access.

Allowing guests access to Office 365 content (OneDrive, SharePoint, Teams, Groups, Planner, Power BI, etc.) is convenient, but it can become a nightmare when you deal with highly confidential or sensitive documents.

Don't get me wrong, some people were already creating nightmares with these documents before the arrival of Office 365.

In this series of articles, I will try to demystify guest access and help you understand the different settings and options available to grant Guest or External Users access to Office 365.

Let’s start with guest access control in Azure AD.

In the Azure Active Directory admin center, you have some control over what External users/Guests can do.

One of these settings, "Guest users permissions are limited", is meant to ensure that guest users' permissions in the directory are restricted.

The description shown in the portal says:

Yes means that guests do not have permission for certain directory tasks, such as enumerate users, groups or other directory resources, and cannot be assigned to administrative roles in your directory.

No means that guests have the same access to directory data that regular users have in your directory.

In fact, an administrator can still go to Azure AD and assign an administrative role to a guest even when "Guest users permissions are limited" is set to Yes. The setting restricts what the guest can do on their own (enumerating users, groups and other directory resources); it does not prevent an administrator from granting that guest a role.

I have opened a ticket with Microsoft Support and they told me that this is the designed behavior as of now.

Don't be misled by this setting, and make sure your Azure AD administrators understand that it does not do what it says, yet... The only reliable check is to review the members of your directory roles and confirm that no guest account is among them.
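The check described above, as an added PowerShell example (this is not code from the original article). It assumes the AzureAD/AzureADPreview PowerShell module (Get-AzureADMSAuthorizationPolicy, Get-AzureADDirectoryRole, Get-AzureADDirectoryRoleMember, Get-AzureADUser) and an account allowed to read the authorization policy and directory roles. The two GuestUserRoleId values are the ones Microsoft documents for the Yes/No options; they are the only assumed constants in the block.

```powershell
# Added example, not from the original article.
# Prerequisites: Install-Module AzureAD (or AzureADPreview), then run this script;
# Connect-AzureAD will prompt for credentials.

# The portal switch "Guest users permissions are limited" is stored in the tenant
# authorization policy as GuestUserRoleId. Assumed mapping of the two portal
# options to the documented role ids:
$GuestRoleIds = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'No  - guests have the same directory access as members'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Yes - guest users permissions are limited'
}

Connect-AzureAD | Out-Null

# 1. Report how the setting is currently configured.
$policy = Get-AzureADMSAuthorizationPolicy
$label  = $GuestRoleIds[$policy.GuestUserRoleId]
if (-not $label) { $label = 'unrecognised value' }
Write-Host "Guest users permissions are limited: $label ($($policy.GuestUserRoleId))"

# 2. Regardless of that setting, an administrator can still add a guest to a
#    directory role, so walk every activated role and list guest members.
#    Get-AzureADDirectoryRole only returns roles that have been activated in
#    the tenant, which is exactly the set that can currently have members.
$guestsInRoles = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Skip service principals and groups; only user objects carry UserType.
        if ($member.ObjectType -ne 'User') { continue }
        $user = Get-AzureADUser -ObjectId $member.ObjectId
        if ($user.UserType -eq 'Guest') {
            [pscustomobject]@{
                Role              = $role.DisplayName
                UserPrincipalName = $user.UserPrincipalName
                ObjectId          = $user.ObjectId
            }
        }
    }
}

if ($guestsInRoles) {
    Write-Warning 'Guest accounts hold directory roles despite the setting above:'
    $guestsInRoles | Format-Table -AutoSize
} else {
    Write-Host 'No guest accounts hold a directory role.'
}
```

Run it periodically (or from a scheduled job with an account limited to directory read access) rather than once: the setting does nothing to stop a future role assignment, so the role membership review is the control, not the switch.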