Επεξεργασία

How users in your organization can invite guest users to an app

  • Άρθρο

After a guest user has been added to the directory in Microsoft Entra ID, an application owner can send the guest user a direct link to the app they want to share. Microsoft Entra admins can also set up self-service management for gallery or SAML-based apps in their Microsoft Entra tenant. This way, application owners can manage their own guest users, even if the guest users haven’t been added to the directory yet. When an app is configured for self-service, the application owner uses their Access Panel to invite a guest user to an app or add a guest user to a group that has access to the app.

Self-service app management for gallery and SAML-based apps requires some initial setup by an admin. Follow the summary of the setup steps (for more detailed instructions, see Prerequisites later on this page):

  • Enable self-service group management for your tenant
  • Create a group to assign to the app and make the user an owner
  • Configure the app for self-service and assign the group to the app

Note

Invite a guest user to an app from the Access Panel

After an app is configured for self-service, application owners can use their own Access Panel to invite a guest user to the app they want to share. The guest user doesn't necessarily need to be added to Microsoft Entra ID in advance.

  1. Open your Access Panel by going to https://myapps.microsoft.com.
  2. Point to the app, select the ellipses (...), and then select Manage your application.

Screenshot showing the Manage app sub-menu for the Salesforce app.

  1. At the top of the users list, select + on the right-hand side.

  2. In the Add members search box, type the email address for the guest user. Optionally, include a welcome message.

Screenshot showing the Add members window for adding a guest.

  1. Select Add to send an invitation to the guest user. After you send the invitation, the user account is automatically added to the directory as a guest.

Invite someone to join a group that has access to the app

After an app is configured for self-service, application owners can invite guest users to the groups they manage that have access to the apps they want to share. The guest users don't have to already exist in the directory. The application owner follows these steps to invite a guest user to the group so that they can access the app.

  1. Make sure you're an owner of the self-service group that has access to the app you want to share.
  2. Open your Access Panel by going to https://myapps.microsoft.com.
  3. Select the Groups app.

Screenshot showing the Groups app in the Access Panel.

  1. Under Groups I own, select the group that has access to the app you want to share.

Screenshot showing where to select a group under the Groups I own.

  1. At the top of the group members list, select +.

Screenshot showing the plus symbol for adding members to the group.

  1. In the Add members search box, type the email address for the guest user. Optionally, include a welcome message.

Screenshot showing the Add members window for adding a guest.

  1. Select Add to automatically send the invitation to the guest user. After you send the invitation, the user account is automatically added to the directory as a guest.

Prerequisites

Self-service app management requires some initial setup by a Global Administrator and a Microsoft Entra administrator. As part of this setup, you'll configure the app for self-service and assign a group to the app that the application owner can manage. You can also configure the group to allow anyone to request membership but require a group owner's approval. (Learn more about self-service group management.)

Note

You cannot add guest users to a dynamic group or to a group that is synced with on-premises Active Directory.

Enable self-service group management for your tenant

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.
  2. Browse to Identity > Groups > All groups.
  3. Under Settings, select General.
  4. Under Self Service Group Management, next to Owners can manage group membership requests in the Access Panel, select Yes.
  5. Select Save.

Create a group to assign to the app and make the user an owner

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.
  2. Browse to Identity > Groups > All groups.
  3. Select New group.
  4. Under Group type, select Security.
  5. Type a Group name and Group description.
  6. Under Membership type, select Assigned.
  7. Select Create, and close the Group page.
  8. On the Groups - All groups page, open the group.
  9. Under Manage, select Owners > Add owners. Search for the user who should manage access to the application. Select the user, and then click Select.

Configure the app for self-service and assign the group to the app

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.

  2. Browse to Identity > Applications > Enterprise applications.

  3. Select All applications, in the application list, find and open the app.

  4. Under Manage, select Single sign-on, and configure the application for single sign-on. (For details, see how to manage single sign-on for enterprise apps.)

  5. Under Manage, select Self-service, and set up self-service app access. (For details, see how to use self-service app access.)

    Note

    For the setting To which group should assigned users be added? select the group you created in the previous section.

  6. Under Manage, select Users and groups, and verify that the self-service group you created appears in the list.

  7. To add the app to the group owner's Access Panel, select Add user > Users and groups. Search for the group owner and select the user, click Select, and then click Assign to add the user to the app.

Next steps

See the following articles on Microsoft Entra B2B collaboration: