This post is part of the Secure External Sharing Series.

In the earlier post, we saw how to block Azure Portal access for Guest Users (also known as External Users). On the flip side, if you want Guest Users to access the Azure Portal to perform the specific role of inviting other guest users, or if you want to delegate to any user internal to the organisation the ability to invite guest users from partner organisations, this blog post is for you. These permission roles need to be applied per user in Azure Active Directory.

This blog post is divided into 2 sections:

The first section is about giving the permission role to members (internal users) and, should you choose to, even allowing existing guest users to invite other guest users.

The second section is about restricting non-administrators from inviting external users, including from SharePoint Online. Only Azure Active Directory administrators will have permissions to invite guest users to the organisation.


  • Global Administrator
  • In User settings, Admins and users in the guest inviter role can invite is set to Yes
  • In User settings, Members can invite is set to Yes

1. Configure Role Based Access Control for Guest Inviter User(s)

  1. Navigate to Users and groups > All users
  2. Select a user
  3. Navigate to Directory role for the user
  4. On the Directory role page, click Limited administrator
  5. Assign Guest Inviter role
  6. Save

Now this user has limited administrative rights on your Azure Active Directory: those of a guest inviter.

This user can invite other guest users from the Azure Active Directory Users and groups > All Users page by clicking on New Guest User.

In the next section of this post, you can restrict the Guest Invite capability for two kinds of users: Members of your own organisation and Guest Users (already existing in your tenancy).

2. Configure Restrictions for Guest Inviter

  1. Navigate to Users and groups > All users
  2. Navigate to Users and groups > User settings
  3. Set Members can invite to No (in which case only the Azure Active Directory administrators can invite guests, and this includes SharePoint Online)
  4. Set Guest can invite to No (this will restrict guest users from inviting other guest users to your organisation’s Azure Active Directory and connected services)
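
To check the result of both sections without clicking through the portal, the following read-only audit is an added example (not from the original post). It assumes the Microsoft Graph PowerShell module, which the post does not use, and an account allowed to consent to the listed read scopes; it reports the tenant-wide invitation setting and every holder of the Guest Inviter role, flagging guests that hold it.

```powershell
# Added example: audit who can invite guests. Read-only, changes nothing.
# Assumes the Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes 'Policy.Read.All','RoleManagement.Read.Directory','User.Read.All'

# Section 2: the portal toggles are stored as one value, allowInvitesFrom.
$policy  = Get-MgPolicyAuthorizationPolicy
$meaning = switch ($policy.AllowInvitesFrom) {
    'none'                             { 'Nobody can invite guests' }
    'adminsAndGuestInviters'           { 'Admins and Guest Inviters only (Members = No, Guests = No)' }
    'adminsGuestInvitersAndAllMembers' { 'Admins, Guest Inviters and all members (Members = Yes, Guests = No)' }
    'everyone'                         { 'All users, including guests (Guests = Yes)' }
    default                            { 'Unrecognised value' }
}
Write-Output "allowInvitesFrom = $($policy.AllowInvitesFrom): $meaning"

# Section 1: list every principal that holds the Guest Inviter directory role.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Guest Inviter'"
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$($role.Id)'"

$report = foreach ($a in $assignments) {
    # The principal may be a group or service principal; Get-MgUser then returns nothing.
    $u = Get-MgUser -UserId $a.PrincipalId `
        -Property DisplayName,UserPrincipalName,UserType -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PrincipalId = $a.PrincipalId
        Name        = if ($u) { $u.DisplayName } else { '(not a user object)' }
        UPN         = if ($u) { $u.UserPrincipalName } else { $null }
        UserType    = if ($u) { $u.UserType } else { $null }
        Scope       = $a.DirectoryScopeId
        # A guest holding this role can bring further guests into the tenant.
        Review      = [bool]($u -and $u.UserType -eq 'Guest')
    }
}
$report | Sort-Object -Property Review -Descending | Format-Table -AutoSize
```

Rows with Review set to True are guest accounts that can invite other guests through the role even when Guest can invite is set to No.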

In the following blog posts, I will cover more on securing Azure Portal for external users and internal users, in addition to configuring settings to securely enable external sharing – in your Azure AD and Office 365 tenancy.
