-
Notifications
You must be signed in to change notification settings - Fork 288
/
add-users-administrator.yml
197 lines (138 loc) · 12.2 KB
/
add-users-administrator.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
### YamlMime:HowTo
---
metadata:
title: Add B2B collaboration users in the Microsoft Entra admin center
description: Shows how an admin can add guest users to their directory from a partner organization using Microsoft Entra B2B collaboration.
author: csmulligan
ms.author: cmulligan
manager: celestedg
ms.date: 12/14/2023
ms.service: entra-external-id
ms.topic: how-to
ms.collection: M365-identity-device-management
ms.custom:
- ge-structured-content-pilot
# Customer intent: As a user with limited administrator directory roles, I want to add B2B collaboration users in the Microsoft Entra admin center, so that I can invite guest users to the directory, group, or application and manage their access to resources.
title: |
Add Microsoft Entra B2B collaboration users in the Microsoft Entra admin center
introduction: |
[!INCLUDE [applies-to-workforce-only](./includes/applies-to-workforce-only.md)]
As a user who is assigned any of the limited administrator directory roles, you can use the Microsoft Entra admin center to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Microsoft Entra ID, with a user type of *Guest*. The guest user must then redeem their invitation to access resources. An invitation of a user doesn't expire.
After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can select the redemption URL in the invitation email. For more information about the redemption process, see [B2B collaboration invitation redemption](redemption-experience.md).
> [!IMPORTANT]
> You should follow the steps in [How-to: Add your organization's privacy info in Microsoft Entra ID](~/fundamentals/properties-area.yml) to add the URL of your organization's privacy statement. As part of the first time invitation redemption process, an invited user must consent to your privacy terms to continue.
Instructions in this topic provide the basic steps to invite an external user. To learn about all of the properties and settings that you can include when you invite an external user, see [How to create and delete a user](~/fundamentals/how-to-create-delete-users.yml).
prerequisites:
summary: |
Make sure your organization's external collaboration settings are configured such that you're allowed to invite guests. By default, all users and admins can invite guests. But your organization's external collaboration policies might be configured to prevent certain types of users or admins from inviting guests. To find out how to view and set these policies, see [Enable B2B external collaboration and manage who can invite guests](external-collaboration-settings-configure.md).
procedureSection:
- title: |
Add guest users to the directory
summary: |
[!INCLUDE [portal updates](~/includes/portal-update.md)]
To add B2B collaboration users to the directory, follow these steps:
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
2. Browse to **Identity** > **Users** > **All users**.
:::image type="content" source="media/add-users-administrator/all-users-page.png" alt-text="Screenshot of the All users page.":::
3. Select **New user** > **Invite external user** from the menu.
:::image type="content" source="media/add-users-administrator/invite-external-user-menu.png" alt-text="Screenshot of the invite external user menu option.":::
### Basics
In this section, you're inviting the guest to your tenant using *their email address*. If you need to create a guest user with a domain account, use the [create new user process](~/fundamentals/how-to-create-delete-users.yml#create-a-new-user) but change the **User type** to **Guest**.
- **Email**: Enter the email address for the guest user you're inviting.
- **Display name**: Provide the display name.
- **Invitation message**: Select the **Send invite message** checkbox to customize a brief message to the guest. Provide a Cc recipient, if necessary.
:::image type="content" source="media/add-users-administrator/invite-external-user-basics-tab.png" alt-text="Screenshot of the invite external user Basics tab.":::
Either select the **Review + invite** button to create the new user or **Next: Properties** to complete the next section.
### Properties
There are six categories of user properties you can provide. These properties can be added or updated after the user is created. To manage these details, go to **Identity** > **Users** > **All users** and select a user to update.
- **Identity:** Enter the user's first and last name. Set the User type as either Member or Guest. For more information about the difference between external guests and members, see [B2B collaboration user properties](user-properties.md)
- **Job information:** Add any job-related information, such as the user's job title, department, or manager.
- **Contact information:** Add any relevant contact information for the user.
- **Parental controls:** For organizations like K-12 school districts, the user's age group may need to be provided. *Minors* are 12 and under, *Not adult* are 13-18 years old, and *Adults* are 18 and over. The combination of age group and consent provided by parent options determine the Legal age group classification. The Legal age group classification may limit the user's access and authority.
- **Settings:** Specify the user's global location.
Either select the **Review + invite** button to create the new user or **Next: Assignments** to complete the next section.
### Assignments
You can assign external users to a group, or Microsoft Entra role when the account is created. You can assign the user to up to 20 groups or roles. Group and role assignments can be added after the user is created. The **Privileged Role Administrator** role is required to assign Microsoft Entra roles.
**To assign a group to the new user**:
1. Select **+ Add group**.
1. From the menu that appears, choose up to 20 groups from the list and select the **Select** button.
1. Select the **Review + create** button.
:::image type="content" source="media/add-users-administrator/invite-external-user-assignments-tab.png" alt-text="Screenshot of the add group assignment process.":::
**To assign a role to the new user**:
1. Select **+ Add role**.
1. From the menu that appears, choose up to 20 roles from the list and select the **Select** button.
1. Select the **Review + invite** button.
### Review and create
The final tab captures several key details from the user creation process. Review the details and select the **Invite** button if everything looks good. An email invitation is automatically sent to the user. After you send the invitation, the user account is automatically added to the directory as a guest.
:::image type="content" source="media/add-users-administrator/guest-user-type.png" alt-text="Screenshot showing the user list including the new Guest user.":::
### External user invitations
<a name="resend-invitations-to-guest-users"></a>
When you invite an external guest user by sending an email invitation, you can check the status of the invitation from the user's details. If they haven't redeemed their invitation, you can resend the invitation email.
steps:
- |
Go to **Identity** > **Users** > **All users** and select the invited guest user.
- |
In the **My Feed** section, locate the **B2B collaboration** tile.
- If the invitation state is **PendingAcceptance**, select the **Resend invitation** link to send another email and follow the prompts.
- You can also select the **Properties** for the user and view the **Invitation state**.
:::image type="content" source="media/add-users-administrator/external-user-invitation-state.png" alt-text="Screenshot of the My Feed section of the user overview page.":::
> [!NOTE]
> Group email addresses aren’t supported; enter the email address for an individual. Also, some email providers allow users to add a plus symbol (+) and additional text to their email addresses to help with things like inbox filtering. However, Microsoft Entra doesn’t currently support plus symbols in email addresses. To avoid delivery issues, omit the plus symbol and any characters following it up to the @ symbol.
The user is added to your directory with a user principal name (UPN) in the format *emailaddress*#EXT#\@*domain*. For example: *john_contoso.com#EXT#\@fabrikam.onmicrosoft.com*, where fabrikam.onmicrosoft.com is the organization from which you sent the invitations. ([Learn more about B2B collaboration user properties](user-properties.md).)
- title: |
Add guest users to a group
summary: |
If you need to manually add B2B collaboration users to a group after the user was invited, follow these steps:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
- |
Browse to **Identity** > **Groups** > **All groups**.
- |
Select a group (or select **New group** to create a new one). It's a good idea to include in the group description that the group contains B2B guest users.
- |
Under **Manage**, select **Members**.
- |
Select **Add members**.
- |
Complete the following set of steps:
- *If the guest user is already in the directory:*
a. On the **Add members** page, start typing the name or email address of the guest user.
b. In the search results, choose the user, and then choose **Select**.
You can also use dynamic groups with Microsoft Entra B2B collaboration. For more information, see [Dynamic groups and Microsoft Entra B2B collaboration](use-dynamic-groups.md).
- title: |
Add guest users to an application
summary: |
To add B2B collaboration users to an application, follow these steps:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
- |
Browse to **Identity** > **Applications** > **Enterprise applications**.
- |
On the **All applications** page, select the application to which you want to add guest users.
- |
Under **Manage**, select **Users and groups**.
- |
Select **Add user/group**.
- |
On the **Add Assignment** page, select the link under **Users**.
- |
Complete the following set of steps:
- *If the guest user is already in the directory:*
a. On the **Users** page, start typing the name or email address of the guest user.
b. In the search results, choose the user, and then choose **Select**.
c. On the **Add Assignment** page, choose **Assign** to add the user to the app.
- |
The guest user appears in the application's **Users and groups** list with the assigned role of **Default Access**. If the application provides different roles and you want to change the user's role, do the following:
a. Select the check box next to the guest user, and then select the **Edit** button.
b. On the **Edit Assignment** page, choose the link under **Select a role**, and select the role you want to assign to the user.
c. Choose **Select**.
d. Select **Assign**.
relatedContent:
- text: How users in your organization can invite guest users to an app
url: add-users-information-worker.md
- text: The elements of the B2B collaboration invitation email
url: invitation-email-elements.md
- text: B2B collaboration user properties
url: user-properties.md