Add or remove role assignments for external guest users using Azure RBAC and the Azure portal

Azure role-based access control (RBAC) allows better security management for large organizations and for small and medium-sized businesses working with external collaborators, vendors, or freelancers that need access to specific resources in your environment, but not necessarily to the entire infrastructure or any billing-related scopes. You can use the capabilities in Azure Active Directory B2B to collaborate with external guest users and you can use RBAC to grant just the permissions that guest users need in your environment.

Prerequisites

To add or remove role assignments, you must have:

  • Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner

When would you invite guest users?

Here are a couple of example scenarios in which you might invite guest users to your organization and grant permissions:

  • Allow an external self-employed vendor that only has an email account to access your Azure resources for a project.
  • Allow an external partner to manage certain resources or an entire subscription.
  • Allow support engineers not in your organization (such as Microsoft support) to temporarily access your Azure resource to troubleshoot issues.

Permission differences between member users and guest users

Native members of a directory (member users) have different permissions than users invited from another directory as a B2B collaboration guest (guest users). For example, member users can read almost all directory information while guest users have restricted directory permissions. For more information about member users and guest users, see What are the default user permissions in Azure Active Directory?.

Add a guest user to your directory

Follow these steps to add a guest user to your directory using the Azure Active Directory page.

  1. Make sure your organization's external collaboration settings are configured such that you're allowed to invite guests. For more information, see Enable B2B external collaboration and manage who can invite guests.

  2. In the Azure portal, click Azure Active Directory > Users > New guest user.

    New guest user feature in Azure portal

  3. Follow the steps to add a new guest user. For more information, see Add Azure Active Directory B2B collaboration users in the Azure portal.

After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the redemption URL in the invitation email.

Guest user invite email

For the guest user to be able to access your directory, they must complete the invitation process.

Guest user invite review permissions

For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.

Add a role assignment for a guest user

In RBAC, to grant access, you assign a role. To add a role assignment for a guest user, you follow the same steps as you would for a member user, group, service principal, or managed identity. Follow these steps to add a role assignment for a guest user at different scopes.

  1. In the Azure portal, click All services.

  2. Select the set of resources that the access applies to, also known as the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  3. Click the specific resource.

  4. Click Access control (IAM).

    The following screenshot shows an example of the Access control (IAM) blade for a resource group. If you make any access control changes here, they apply just to the resource group.

    Access control (IAM) blade for a resource group

  5. Click the Role assignments tab to view all the role assignments at this scope.

  6. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Add menu

  7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  8. In the Select list, select the guest user. If you don't see the user in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

    Add role assignment pane

  9. Click Save to assign the role at the selected scope.

    Role assignment for Virtual Machine Contributor

Add a role assignment for a guest user not yet in your directory

To add a role assignment for a guest user, you follow the same steps as you would for a member user, group, service principal, or managed identity.

If the guest user is not yet in your directory, you can invite the user directly from the Add role assignment pane.

  1. In the Azure portal, click All services.

  2. Select the set of resources that the access applies to, also known as the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  3. Click the specific resource.

  4. Click Access control (IAM).

  5. Click the Role assignments tab to view all the role assignments at this scope.

  6. Click Add > Add role assignment to open the Add role assignment pane.

    Add menu

  7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  8. In the Select list, type the email address of the person you want to invite and select that person.

    Invite guest user in Add role assignment pane

  9. Click Save to add the guest user to your directory, assign the role, and send an invite.

    After a few moments, you'll see a notification of the role assignment and information about the invite.

    Role assignment and invited user notification

  10. To manually invite the guest user, right-click and copy the invitation link in the notification. Don't click the invitation link because it starts the invitation process.

    The invitation link will have the following format:

    https://invitations.microsoft.com/redeem/...

  11. Send the invitation link to the guest user to complete the invitation process.

    For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.
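The two procedures above (assigning a role to an existing guest, and inviting a guest straight from the role assignment) can be scripted with the Azure CLI. This is an added example, not code from the Microsoft page; it assumes `az login` was done as a user holding Microsoft.Authorization/roleAssignments/write (User Access Administrator or Owner) plus permission to create B2B invitations, and the subscription id, resource group and e-mail address are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Microsoft page: the Azure CLI equivalent of
# the portal steps above. Assumes `az login` as a user holding
# Microsoft.Authorization/roleAssignments/write (User Access Administrator
# or Owner) and permission to create B2B invitations; IDs are placeholders.
set -eu

# Resource-group scope: the scope the Access control (IAM) blade of a
# resource group applies changes to.
rg_scope() {  # rg_scope <subscription-id> <resource-group-name>
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Body for POST https://graph.microsoft.com/v1.0/invitations.
# sendInvitationMessage=false is the scripted form of step 10: Microsoft
# sends no mail; the redeem URL comes back and you deliver it yourself.
invitation_body() {  # invitation_body <email> [send-mail: true|false]
  printf '{"invitedUserEmailAddress":"%s","inviteRedirectUrl":"https://portal.azure.com","sendInvitationMessage":%s}' \
    "$1" "${2:-false}"
}

# Step 9 for a guest already in the directory: one role at one scope.
# --assignee-principal-type skips the directory lookup of the assignee,
# which a caller with restricted directory permissions may not be allowed.
assign_role() {  # assign_role <object-id> <scope> [role]
  az role assignment create \
    --assignee-object-id "$1" --assignee-principal-type User \
    --role "${3:-Virtual Machine Contributor}" --scope "$2" -o none
}

# Steps 8-11 for a guest not yet in the directory: invite, assign, and
# print the redeem link to send to the guest.
invite_and_assign() {  # invite_and_assign <sub-id> <rg> <email> [role]
  local resp oid url
  resp=$(az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/invitations" \
    --body "$(invitation_body "$3" false)" \
    --query "[invitedUser.id, inviteRedeemUrl]" -o tsv)  # one value per line
  oid=$(printf '%s\n' "$resp" | sed -n 1p)
  url=$(printf '%s\n' "$resp" | sed -n 2p)
  assign_role "$oid" "$(rg_scope "$1" "$2")" "${4:-}"
  printf 'Invited %s (object id %s). Redeem link: %s\n' "$3" "$oid" "$url"
}

# Runs only when invoked with arguments, e.g.
#   ./invite_guest.sh <subscription-id> rg-project vendor@example.com
if [ "$#" -ge 3 ]; then invite_and_assign "$@"; fi
```

Because the invitation is created with sendInvitationMessage=false, the guest receives nothing until you pass on the printed redeem link, which is the same link the portal notification offers to copy.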

Remove a guest user from your directory

Before you remove a guest user from a directory, you should first remove any role assignments for that guest user. Follow these steps to remove a guest user from a directory.

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.

  2. Click the Role assignments tab to view all the role assignments.

  3. In the list of role assignments, add a checkmark next to the guest user with the role assignment you want to remove.

    Remove role assignment

  4. Click Remove.

    Remove role assignment message

  5. In the remove role assignment message that appears, click Yes.

  6. In the left navigation bar, click Azure Active Directory > Users.

  7. Click the guest user you want to remove.

  8. Click Delete.

    Delete guest user

  9. In the delete message that appears, click Yes.
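The removal order this section prescribes (every role assignment first, then the guest object) is easy to get wrong by hand when a guest holds assignments at several scopes. The following added example, not code from the Microsoft page, scripts it with the Azure CLI; it assumes `az login` as a user holding Microsoft.Authorization/roleAssignments/delete at the scopes involved and the directory rights to delete users, and the object id is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the Microsoft page: remove a guest's role
# assignments, then the guest. Assumes `az login` with
# Microsoft.Authorization/roleAssignments/delete at the scopes involved and
# directory rights to delete users; the object id is a placeholder.
set -eu

# Azure AD object ids are GUIDs; refuse anything else so a typo cannot
# turn into a broader --assignee query than intended.
is_guid() {  # is_guid <value>
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Guest accounts carry userType=Guest; member users are left alone so the
# script cannot be pointed at an employee account by mistake.
is_guest() {  # is_guest <object-id>
  [ "$(az ad user show --id "$1" --query userType -o tsv)" = "Guest" ]
}

# Resource ids of every assignment the principal holds in the current
# subscription and below (steps 1-5 of the section, all scopes at once).
list_assignment_ids() {  # list_assignment_ids <object-id>
  az role assignment list --assignee "$1" --all --query "[].id" -o tsv
}

remove_guest() {  # remove_guest <object-id>
  is_guid "$1" || { echo "not an object id: $1" >&2; return 1; }
  is_guest "$1" || { echo "$1 is not a guest user; refusing" >&2; return 1; }
  ids=$(list_assignment_ids "$1")
  if [ -n "$ids" ]; then
    # ids is a whitespace-separated list, so it is deliberately unquoted
    az role assignment delete --ids $ids -o none
  fi
  az ad user delete --id "$1"   # steps 6-9 of the section
}

# Runs only when invoked with an object id, e.g. ./remove_guest.sh <object-id>
if [ "$#" -eq 1 ]; then remove_guest "$1"; fi
```

`az role assignment list --all` covers the currently selected subscription and the scopes beneath it; run the script once per subscription, and check management-group scopes separately with `--scope`, before deleting the user.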

Troubleshoot

Guest user cannot browse the directory

Guest users have restricted directory permissions. For example, guest users cannot browse the directory and cannot search for groups or applications. For more information, see What are the default user permissions in Azure Active Directory?.

Guest user cannot browse users in a directory

If a guest user needs additional privileges in the directory, you can assign a directory role to the guest user. If you really want a guest user to have full read access to your directory, you can add the guest user to the Directory Readers role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

Assign Directory Readers role

Guest user cannot browse users, groups, or service principals to assign roles

Guest users have restricted directory permissions. Even if a guest user is an Owner at a scope, if they try to add a role assignment to grant someone else access, they cannot browse the list of users, groups, or service principals.

Guest user cannot browse security principals to assign roles

If the guest user knows someone's exact sign-in name in the directory, they can grant access. If you really want a guest user to have full read access to your directory, you can add the guest user to the Directory Readers role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

Guest user cannot register applications or create service principals

Guest users have restricted directory permissions. If a guest user needs to be able to register applications or create service principals, you can add the guest user to the Application Developer role in Azure AD. For more information, see Grant permissions to users from partner organizations in your Azure Active Directory tenant.

Guest user cannot register applications

Guest user does not see the new directory

If a guest user has been granted access to a directory, but they do not see the new directory listed in the Azure portal when they try to switch in their Directory + subscription pane, make sure the guest user has completed the invitation process. For more information about the invitation process, see Azure Active Directory B2B collaboration invitation redemption.

Guest user does not see resources

If a guest user has been granted access to a directory, but they do not see the resources they have been granted access to in the Azure portal, make sure the guest user has selected the correct directory. A guest user might have access to multiple directories. To switch directories, in the upper left, click Directory + subscription, and then click the appropriate directory.

Directories + Subscriptions pane in Azure portal
