Entra ID Guest Accounts Can Now Have Sponsors 

Defining Guest Account Sponsors with GUI and PowerShell

Microsoft released a new preview feature in July 2023 that lets organizations designate “sponsors” for Entra ID guest accounts. The idea is that a company should be able to name specific individuals or teams as the sponsors of guest accounts. The sponsor must be “a responsible individual,” which is to say, someone who knows why a guest account exists in the directory, how it is used, and what access it has to data. A guest account may have up to five sponsors (a mixture of accounts and groups), each of which may be either an individual account or a group. 

When the time comes to review guest accounts and decide whether they should stay, sponsors can argue for retaining a guest account or request its removal. The sponsor can also be contacted for more information, for example when a group owner uses a tool like Entra ID Access Reviews to periodically examine the membership of a group (team) and doesn’t recognize a guest account. Whether the group owner gets any benefit from that contact depends on the sponsor. 

Defining Entra ID Guest Account Sponsors

According to Microsoft’s documentation, “If you don’t specify a sponsor, the inviter will be added as a sponsor.” They then go on to explain how to invite an external user and add a sponsor to the new Entra ID guest account. 

However, if no sponsor is added to the new external account, the sponsor information is not populated with the identity of the account that created and issued the invitation. It’s possible that my tenant is missing a few pieces. 

If you create a guest account by adding an external user to a team or sharing a document with them, the sponsor information isn’t filled in either. The sponsor feature is still in preview, so it will take some time for applications like Teams, Outlook, SharePoint Online, and OneDrive for Business to catch up and populate the new guest account property. 

For now, the only way to set or change a guest account’s sponsor through a GUI is to edit the account properties in the Entra ID admin centre. 

Programmatic Updates for Guest Account Sponsors

A beta Graph API is available for listing, updating, and removing guest account sponsors. As usual, the Graph Explorer is a useful tool for understanding how a Graph API works.  

The Get-MgBetaUser cmdlet in the Microsoft Graph PowerShell SDK (now at version 2.3) can retrieve sponsor data. For example, this code retrieves details of a guest account, including its sponsors, and then resolves the list of user identifiers into display names with the Get-MgUser cmdlet. 

  # Fetch the guest account with its Sponsors navigation property expanded
  $User = Get-MgBetaUser -UserId 7bfd3f83-be63-4a5a-bbf8-c821e2836920 -Property Id, displayName, Sponsors -ExpandProperty Sponsors 
  # Resolve each sponsor identifier to a display name (assumes sponsors are user accounts)
  ForEach ($Id in $User.Sponsors.Id) { Get-MgUser -UserId $Id | Select-Object DisplayName } 

Of course, the code doesn’t handle the situation where a sponsor is a group, but that’s easily added if needed. 
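Here is one way to add that group handling. This is an added example, not code from the original post; it assumes an existing Graph SDK session with the User.Read.All and Group.Read.All scopes, and that expanded sponsor objects expose their type in AdditionalProperties['@odata.type'], as other expanded directory objects in the SDK do.

```powershell
# Added example: resolve a guest's sponsors whether they are users or groups,
# and flag user sponsors whose accounts are disabled (they can no longer vouch).
function Get-GuestSponsor {
    param([Parameter(Mandatory)][string]$GuestId)

    $Guest = Get-MgBetaUser -UserId $GuestId -Property Id, DisplayName, Sponsors -ExpandProperty Sponsors
    if (-not $Guest.Sponsors) {
        Write-Warning ("Guest {0} has no sponsors" -f $Guest.DisplayName)
        return
    }
    foreach ($Sponsor in $Guest.Sponsors) {
        # Assumption: the SDK puts the OData type of expanded objects here
        $Type = $Sponsor.AdditionalProperties['@odata.type']
        switch ($Type) {
            '#microsoft.graph.user' {
                $User = Get-MgUser -UserId $Sponsor.Id -Property DisplayName, AccountEnabled
                [PSCustomObject]@{
                    Guest       = $Guest.DisplayName
                    SponsorType = 'User'
                    Sponsor     = $User.DisplayName
                    Enabled     = $User.AccountEnabled
                    Contacts    = $User.DisplayName
                }
            }
            '#microsoft.graph.group' {
                $Group = Get-MgGroup -GroupId $Sponsor.Id -Property DisplayName
                # List the group's members so a reviewer knows who to ask
                $Members = Get-MgGroupMember -GroupId $Sponsor.Id -All |
                    ForEach-Object { $_.AdditionalProperties['displayName'] }
                [PSCustomObject]@{
                    Guest       = $Guest.DisplayName
                    SponsorType = 'Group'
                    Sponsor     = $Group.DisplayName
                    Enabled     = $true
                    Contacts    = ($Members -join '; ')
                }
            }
            default {
                [PSCustomObject]@{ Guest = $Guest.DisplayName; SponsorType = 'Unknown'
                                   Sponsor = $Sponsor.Id; Enabled = $null; Contacts = $null }
            }
        }
    }
}

# Guest identifier taken from the post's own example above
Get-GuestSponsor -GuestId '7bfd3f83-be63-4a5a-bbf8-c821e2836920' | Format-Table -AutoSize
```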

If you wanted to scan all guest accounts that don’t have sponsors defined and add a default sponsor, you could do something like this. The code: 

  • Defines an account to be the default sponsor. 
  • Builds a payload to use when updating the guest accounts. 
  • Finds guest accounts in the tenant. 
  • Checks each guest account for sponsors. If none are found, the script applies the default sponsor. 

  Connect-MgGraph -Scopes User.ReadWrite.All 

  # Account to use as the default sponsor
  $DefaultSponsorId = (Get-MgUser -UserId James.Ryan@office365itpros.com).Id 

  # Payload for the POST to /users/{id}/sponsors/$ref
  $Body = '{"@odata.id": "https://graph.microsoft.com/beta/users/' + $DefaultSponsorId + '"}' 

  # Find all guest accounts in the tenant with their sponsors expanded
  [array]$Guests = Get-MgBetaUser -Filter "userType eq 'Guest'" -All -Property Id, displayName, Sponsors -ExpandProperty Sponsors | Sort-Object displayName 

  If ($Guests) { 
    Write-Host "Scanning for sponsors" 
    ForEach ($Guest in $Guests) { 
      # No sponsor identifiers means no sponsors are defined
      If ($Null -eq $Guest.Sponsors.Id) { 
         Write-Host ("Guest {0} has no sponsors - updating with default sponsor" -f $Guest.displayName)  
         $Uri = ("https://graph.microsoft.com/beta/users/{0}/sponsors/`$ref" -f $Guest.Id) 
         Invoke-MgGraphRequest -Uri $Uri -Method Post -Body $Body 
      } 
    } 
  } 

Auditing Updates to Guest Account Sponsors

I reported last week on how Entra ID auditing does not record information about changes made to the usage location attribute of user accounts. As it turns out, adding sponsor information to a guest account creates an audit record that gives no indication of what changed. Again, this may be a matter of timing, with an update to make audit log events for account modifications capture sponsor information properly still to come. 
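Until the audit log captures sponsor changes, one way to see them is to snapshot the guest-to-sponsor assignments on each run and diff against the previous snapshot. This is an added example, not code from the original post; it assumes an existing Graph SDK session with User.Read.All, PowerShell 7 (for ConvertFrom-Json -AsHashtable), and an arbitrary snapshot file location.

```powershell
# Added example: detect sponsor additions and removals that the audit log does not show.
$SnapshotPath = Join-Path $env:TEMP 'GuestSponsors.json'   # assumed location

function Get-GuestSponsorSnapshot {
    $Snapshot = @{}
    [array]$Guests = Get-MgBetaUser -Filter "userType eq 'Guest'" -All `
        -Property Id, UserPrincipalName, Sponsors -ExpandProperty Sponsors
    foreach ($Guest in $Guests) {
        # Sort the ids so a reordering is not reported as a change
        $Snapshot[$Guest.UserPrincipalName] = @($Guest.Sponsors.Id | Sort-Object)
    }
    return $Snapshot
}

function Compare-GuestSponsorSnapshot {
    param([hashtable]$Previous, [hashtable]$Current)
    foreach ($Upn in $Current.Keys) {
        $Before = if ($Previous.ContainsKey($Upn)) { @($Previous[$Upn]) } else { @() }
        $After  = @($Current[$Upn])
        foreach ($Id in $After) {
            if ($Id -notin $Before) { [PSCustomObject]@{ Guest = $Upn; Change = 'SponsorAdded'; SponsorId = $Id } }
        }
        foreach ($Id in $Before) {
            if ($Id -notin $After) { [PSCustomObject]@{ Guest = $Upn; Change = 'SponsorRemoved'; SponsorId = $Id } }
        }
    }
    # Guests that disappeared since the last run
    foreach ($Upn in $Previous.Keys) {
        if (-not $Current.ContainsKey($Upn)) { [PSCustomObject]@{ Guest = $Upn; Change = 'GuestRemoved'; SponsorId = $null } }
    }
}

$Current = Get-GuestSponsorSnapshot
if (Test-Path $SnapshotPath) {
    $Previous = Get-Content $SnapshotPath -Raw | ConvertFrom-Json -AsHashtable
    $Changes  = Compare-GuestSponsorSnapshot -Previous $Previous -Current $Current
    if ($Changes) { $Changes | Format-Table -AutoSize } else { Write-Host "No sponsor changes since last snapshot" }
}
# Save the current state for the next comparison
$Current | ConvertTo-Json -Depth 3 | Set-Content $SnapshotPath
```

Run it on a schedule and forward the Changes objects to your SIEM or ticketing system to get the review trail the audit log does not yet provide.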

Tracking Guest Additions

Since guest accounts arrived with Azure B2B Collaboration in the summer of 2016, administrators have tracked the creation of guests in a variety of ways (for example, here’s how to track the addition of guests to teams). In many cases, the goal was to identify the person(s) who created a guest account. That requirement might disappear with sponsors, or at the very least it might become simpler to answer “who created that account?” by using the sponsor data stored for accounts. Once the apps record sponsors, that is. 
