Chat now with support
Chat with Support

NOTICE! We are upgrading our support telephone services, implementing Genesys, starting the week of May 26, 2025

On Demand Migration Current - Active Directory User Guide

Guest Users

What is a Guest User?  

A guest user is an Microsoft Entra ID Business-to-Business account which is utilized to provide seamless collaboration between the Microsoft Cloud organizations.

For more context and details check out Microsoft’s document on the topic, What is guest user access in Microsoft Entra ID B2B?

 

Can I create, update and delete Guest user objects with Directory Sync?  

Yes, Directory Sync provides create, update and delete capabilities to keep your multiple identities, objects and properties in sync for short-term and long-term integration needs.

There are two (2) new additional options to create users in a target cloud directory, highlighted below. The image shows the Template wizard where you may manage how users are created.

Figure 1: Example Template Wizard - Create New Users – Guest Options

Figure 1: Example Template Wizard - Create New Users – Guest Options

 

What does the Guest User option do?  

The Guest User option (see figure 1) will create a user object with the type of Guest within the destination directory configured in the workflow. This user’s password will be set and managed within the target directory management controls. This user’s UPN, Display Name and email address will be constructed based on the template mapping controls configured within the workflow.

 

What does the Guest Invite option do?  

The Guest Invite option (see figure 1) will create a user object with the type of Guest within the destination directory configured in the workflow and immediately send an invitation to the source email user account. This user’s UPN will be constructed automatically by Microsoft to meet their requirements for B2B functionality. This user’s password will not be set and will continue to be managed from the source directory management tools and administrators. All other attributes set during creation will be determined by the template mapping controls configured within the workflow.

 

Can I send an invitation later if I didn’t send one during creation?  

Yes, Microsoft provides numerous methods for managing invitations. For more details, see the Microsoft Entra ID B2B documentation.

 

Can I match to an existing Guest user and update it?  

Yes, Directory Sync can match and update existing Guest user types in Active Directory and Microsoft Entra ID.

 

What is the recommend matching attribute for Guest Users?  

To match a source user object to a target Guest user object can sometimes be challenging because depending on the type of target Guest user object, there may not be a readily available attribute or property that can be used for an exact match to ensure an accurate match.

How to identify unique attributes for Matching to Guest Users

Before synchronization, you must first decide how to derive the matching attribute pairs between the source user object and target guest object. In other words, what parameters in your environment are unique to your external collaborators? Determine a parameter that distinguishes these external collaborators from members of your own organization.

A common approach to resolve this is to:

  • Designate an unused attribute (for example, extensionAttribute1) to use as the source attribute that will match to a unique identifier attribute, such as email, in the target.
  • Next construct the value for that attribute from other source properties, to create a unique identifier that will be found in the target. For example, use the email address of the source user to construct the extensionAttribute1 value as Source Local Part @ Target Domain.

 

Can I create a local user, so it is ready to be synchronized up to Microsoft Entra ID as a Guest?  

Yes, Directory Sync supports the creation of local user objects for this purpose. Simply configure the template mappings to set the attribute value of the predetermined attributed which will be used by Microsoft Entra Connect to set the UserType = Guest in the cloud object. If you are using a different method within Microsoft Entra Connect, adjust your mapping rules to fit your needs.

You can use Microsoft Entra Connect to sync the accounts to the cloud as Microsoft Entra B2B users (that is, users with UserType = Guest). This enables your users to access cloud resources using the same credentials as their local accounts, without giving them more access than they require.

For more information about How to grant local users access to cloud apps read this Microsoft article on the topic.

For details on How to enable synchronization of UserType for Microsoft Entra Connect then please read this Microsoft document.

 

Additional Information  

How To Use Guest Users in Directory Sync

What is guest user access in Microsoft Entra ID B2B?

Microsoft Entra ID B2B best practices

Microsoft Entra ID B2B documentation

Properties of an Microsoft Entra ID B2B collaboration user

Quickstart: Add guest users to your directory in the Azure portal

Add guests to the global address list

Product Licensing

The product licensing is based on the number of unique source accounts processed by a Directory Sync Workflow. The licenses are consumed when the Directory Sync Workflow creates or updates the target objects.

The following object types do not consume any license:

  • Distribution Group

  • Security Group

  • Mail Enabled Security Group

  • Teams

  • M365 Group mailboxes

  • Contacts

  • Computer accounts

  • Guest

 

Licensing for bi-directional, one to many and many to one scenario.

Since product licensing is based on unique source accounts, there will only be one license consumed per account in a bi-directional sync or in a one-to-many scenario. Additional licenses are consumed in a many-to-one scenario.

Refer to the below examples for details.

One to One Environment Pair with bi-directional sync

  • User1@Contoso.com matched to User1@fabrikam.com

  • User1@fabrikam.com matched to User1@Contoso.com

Only consumes one license because it is a bi-directional sync for source account User1@Contoso.com

One to Many Environment Pair

  • User1@Contoso.com matched to User1@fabrikam.com

  • User1@Contoso.com matched to User1@foo.dom

Only consumes one license, because even though the target users are from two different environments, the syncs are for the same source account User1@Contoso.com

Many to One Environment Pair

  • User1@fabrikam.com matched to User1@Contoso.com

  • User1@foo.dom matched to User1@Contoso.com

Consumes two licenses because User1@fabrikam.com and User1@foo.dom are two unique source accounts.

 

Licensing related to the Write To workflow task

Including at least one Write To environment is required. After data has been matched, mapped, and filtered, you must determine your target and where to place the new objects and/or sync objects that were matched.

The Write To workflow task is also where you need to configure the license consumption. From The Write To task screen, select the license subscription to use. You may select one or more licenses from the same subscription. The license that expires earliest will be consumed.

AI Features

Note: By default, AI features are enabled in your organization. To opt-out, please read this article.

On Demand Migration for Active Directory uses Artificial Intelligence to generate summary reports from logging data produced during directory synchronization operations.

  • All data stays within your On Demand Region and reports are only available to view in the On Demand organization where they were generated.

  • AI generated reports are cached for a period and then subsequently removed on the same schedule as the logs used to generate the report.

  • Data is consumed by AI only when you request a report be generated.

  • Data is used only to generate the summary report and will never be used for AI training.

  • AI does not have access to privileged accounts or application consents and is not provided with the rights to perform any migration activities. All user-initiated AI activities are recorded for auditing purposes via the Activity Trail module in On Demand.

Workflow Run History AI Reports

Workflow run history reports generated by AI are available in Directory Sync.

To generate a Workflow run history AI report:

  1. Select a Workflow from the Workflows list and click the History button.

  2. Select the Generate AI Report link next to a run in the run history list.

  3. Once generation is complete, click on View AI Report link.

The generated report contains a Migration Summary and an Issue Summary. Knowledge Base Articles may be suggested to assist in correcting issues. AI reports are available to view for 30 days.

Settings

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating