How to add new guest users with 3rd party email address to Azure AD and subscription with or without full permissions?
Well, you can add a user with a different domain email id (a guest), or another option is to create the user with the Azure domain suffix. Adding a user with a 3rd party suffix (a non Azure verified domain) adds that user as a guest in Azure AD. You can check the add custom domain article for more detail on domain names.
Whenever you enter a username with a 3rd party email address, Azure will treat it as a guest account with limited access (by default; this can be changed).
But if you want to give them full permission on Azure AD (NOT the subscription), like a normal Azure AD user, there is a setting you need to disable. If you just want to give the user permission on an Azure subscription, create the guest account and check:
Set guest user access policies
The Configure tab of a directory includes options to control access for guest users. These options can be changed only in the Azure classic portal by a directory global administrator. Currently, there’s no PowerShell or API method.
To open the Configure tab in the Azure classic portal, select Active Directory, and then select the name of the directory.
Then you can edit the options to control access for guest users.
The same setting is available in the Azure RM portal as well.
Go to Azure AD in the RM portal -> select the directory -> go to User settings -> set “Guest users permissions are limited” to No.
If you are disabling “limit guest access”, make sure that you don’t have any other guest who could harm your directory 🙂
Let’s go ahead with the add user wizard.
Step 1 – Log in to the Azure portal with a global admin user -> go to Azure Active Directory -> click on Add user
Step 2 – Enter all required details and the email id of the user you want to add, then click on the Create button.
Step 3 – Once you have added a user with a different domain email, he/she will get a mail invite like the one below and has to accept the invite.
The user will see the screen below once he has finished the verification process.
Step 4 – Now you will be able to see the user in your Azure AD (you need to log in with an Azure AD global admin).
Step 5 – Click on the user name -> click on Directory role -> now you will be able to add whatever role you want. If you don’t want the user to perform any action like creating new users, managing users, Exchange admin or billing, it is better to assign the “User” role, or “Guest inviter” under “Limited administrator”.
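A scripted equivalent of the invite (steps 1–3) and the directory role review (step 5 and the “other guests” check above), as an added example that is not part of the original post. It uses the AzureAD PowerShell module; an installed module, a global admin sign-in and the placeholder e-mail address are assumptions.

```powershell
# Added example (not from the original post): invite a guest and then list
# every guest that holds an activated directory role, so you know what guests
# can already do before relaxing "guest users permissions are limited".
# Assumptions: AzureAD module installed, signed in as a global admin,
# placeholder e-mail address below.
Import-Module AzureAD
Connect-AzureAD

$guestEmail = 'external.user@example.com'   # placeholder, replace with the real address

# Steps 1-3: send the invitation; the guest still has to accept it by e-mail.
$invite = New-AzureADMSInvitation `
    -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl 'https://portal.azure.com' `
    -SendInvitationMessage $true
Write-Output "Invited $guestEmail, object id $($invite.InvitedUser.Id)"

# Step 5 / guest check: which guests hold a directory role today?
# Get-AzureADDirectoryRole only returns roles that have been activated in the tenant.
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"
foreach ($role in Get-AzureADDirectoryRole) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    foreach ($m in $members) {
        if ($guests.ObjectId -contains $m.ObjectId) {
            # Anything beyond "Guest Inviter" or plain user access deserves a second look.
            Write-Output "Guest $($m.UserPrincipalName) holds role '$($role.DisplayName)'"
        }
    }
}
```

Run the role review again after you assign the new guest a role, so the output reflects the final state of the directory.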
So far we have just created the user; now the main part is adding permission on the subscription so that the user can create resources in the Azure subscription.