🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Export the List of Guest Users in Microsoft 365

When your organization frequently onboards external collaborators who require limited access to Microsoft 365 resources, managing them as guest users is the preferred solution. These accounts provide secure collaboration without granting full membership to your organization. This guide will help you export a list of all Microsoft 365 guest users while ensuring their access is managed to align with specific project needs.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
Reports Reader Least Privilege
Global Admin Most Privilege
  • Log in to the Microsoft Entra admin center.
  • Navigate to Identity»Users»All users, select the Add Filter option, set the filter to ‘User type == Guest’, and click Apply.
  • All internal and external guest users in your Microsoft 365 tenant will be listed here, along with details such as identities, creation type, and more.
Using Microsoft Entra Admin Center
  • Note: Click Download users to export a list of all guest users in your organization.

Using Windows PowerShell

Microsoft 365 Permission Required
Reports Reader Least Privilege
Global Admin Most Privilege
  • Connect to the Microsoft Graph PowerShell module using the cmdlet below.
  • Windows PowerShell Windows PowerShell 
     Connect-MgGraph -Scopes "User.Read.All"
  • Run the cmdlet below to retrieve a list of Microsoft 365 guest users in your organization.
  • Windows PowerShell Windows PowerShell 
     Get-MgUser -All -Filter "UserType eq 'Guest'"
Using Windows PowerShell
  • The execution will list all the all Microsoft 365 guest users along with their object ID, mail, and UPN.

Using PowerShell Script

Microsoft 365 Permission Required
Reports Reader Least Privilege
Global Admin Most Privilege
  • While the above cmdlet retrieves basic guest user details, we've prepared a PowerShell script that provides detailed guest user information, including company name, group memberships, creation time, account age, and invitation status.
  • Download and run the following script in the PowerShell.
Using PowerShell Script
GuestUserReport.ps1
AdminDroid Microsoft 365 User Reporting Tool

Effortlessly find all guest user details in Microsoft Entra ID: The key to effective management!

The AdminDroid's Microsoft 365 user reporting tool offers a comprehensive solution for admins by providing a simple interface to effortlessly export a list of all guest users with their details. This streamlines guest user management and strengthens security compliance.

Dedicated Report on Microsoft 365 Internal Guest Users

Gain visibility into all internal guest users within your domain to identify those who need to be converted to members and ensure they are properly categorized with appropriate access to organizational resources.

Visualize Microsoft 365 Guest User Activities

Obtain a visual summary of external user activities, including actions, success rates, and failures, to monitor usage and revoke access when unauthorized activities are detected.

Audit Deleted External Users in Entra ID

Track accidentally or prematurely deleted external user accounts to enhance user management and prevent unintended access loss.

Get Instant Alerts on Microsoft 365 Guest User Sign-ins

Receive real-time notifications for guest user sign-ins using AdminDroid's alerting feature, which helps you detect risky access and secure your M365 environment.

Get Up-to-date Details on M365 Guest's Group Membership

Schedule the guest user group membership report based on your need to get regular updates and maintain compliance with access policies.

Monitor Guest Users with Access to Other Mailboxes

Periodically audit the mailboxes accessible to guest users in your organization to maintain oversight and prevent unauthorized access to sensitive data.

AdminDroid simplifies exporting guest users in Microsoft 365 while providing insights into external user activities. Its intuitive interface and audit trails help admins monitor and maintain compliance, ensuring better control over external user management.

Explore a full range of reporting options
Download Live Demo

Important Tips

Enable self-service sign-up for guests in Microsoft Entra ID to streamline secure access to your organization's applications for external users.

Configure authentication strength for external users through Conditional Access policies to enhance security and enforce multi-factor authentication methods.

Monitor external user activity in M365 to ensure secure collaboration and safeguard data by detecting unusual patterns of sign-ins or abnormal file access.

Common Errors and Resolution Steps

Here are the common errors and their corresponding resolution tips while dealing with Microsoft 365 guest users.

Error Get-MgUser : Insufficient privileges. To complete the operation. Status: 403 (Forbidden).

This error occurs when the 'Connect-MgGraph' cmdlet is executed without specifying the required scopes or necessary privileges.

Fix Define the necessary scopes when connecting to the Microsoft Graph PowerShell module as shown below. 
#To retrive guest user account details.
Connect-MgGraph -Scopes "User.Read.All"
#To update guest user properties.
Connect-MgGraph –Scopes "User.ReadWrite.All"

Error ./GuestUserReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when you try to run a script in PowerShell and the system's execution policy restricts running unsigned scripts.

Fix To resolve this error, execute the below cmdlet to set the execution policy as Unrestricted before running the script. 
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Error The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.

The error occurs when converting an external user to an internal user. This happens if the new user principal name provided in the ‘Update-MgUser’ cmdlet contains a domain that is not verified in your Microsoft 365 tenant.

Fix Verify that the domain mentioned in the user principal name is listed as a verified domain in your Microsoft 365 tenant. You can check this in the Microsoft 365 admin center under Settings»Domains.

Error User invitation failed. Insufficient privileges to complete the operation.

This error occurs when attempting to add a guest user to your tenant and the guest invite settings do not have sufficient privileges.

Fix To resolve this, update the external collaboration settings in the Microsoft Entra admin center to allow guest invitations, then try adding the guest user again.
Azure AD
Frequently Asked Questions

Optimize External Access and Maintain a Clear Overview of Guest Users in Microsoft 365

How to convert a user from guest to member in Microsoft 365?
How to find who invited a guest user in Microsoft 365?
How to manage guest user access restrictions and leaving settings in Microsoft 365?
How to manage guest user invite settings in Microsoft 365?
What are the limitations of guest users in Microsoft 365?

1. How to convert a user from guest to member in Microsoft 365?

When managing guest users in Microsoft Entra ID, there may be instances when a guest user needs to be converted to a member of your organization. Specifically, when a trainee transitions from a guest user to a permanent employee, converting them to a member is essential. This ensures full access to organizational resources and internal systems.

Convert Azure B2B guest users to members using Entra portal

  • Sign in to the Microsoft Entra admin center and navigate to Identity»Users»All users.
  • Locate and select the desired external guest user.
  • In the B2B collaboration tile under 'My feed', click Convert to internal user.
  • Fill in the necessary details, such as the new UPN, password, and optionally the email address if needed. Then click Convert.
convert-external-user-to-member
convert-external-user-to-member-2

After converting the external user to internal user, manually update their attributes in Azure AD and assign the appropriate license to complete the migration.

Note: To convert an internal guest user to a member, simply change the 'User Type' attribute to Member using the Edit properties option available in the user profile within the Entra portal.

Convert guest users to members in Microsoft 365 using PowerShell

Connect to the Microsoft Graph PowerShell with the required permission using the cmdlet below.

Connect-MgGraph -Scopes "User.Read.All"

Run the following cmdlet to convert an external guest user to a member in Microsoft 365.

Update-MgUser -UserId <GuestUserUPN> -UserType Member -UserPrincipalName <NewUPN> -UsageLocation <UsageLocation>

Similarly, to convert an internal guest user to a member in Microsoft 365, skip the -UserPrincipalName parameter in the above cmdlet.

2. How to find who invited a guest user in Microsoft 365?

While guest users enhance collaboration between organizations, they can pose security risks if unauthorized users are invited and given access to resources. By regularly auditing guest user invitations, you can maintain control over external access and strengthen security within your environment. For instance, when an unexpected guest user appears, tracking the person who invited ensures accountability.

Find who invited a guest user in Microsoft Entra ID

  • In the Microsoft Entra admin center, navigate to the Audit logs tab under Identity»Users»All Users.
  • Click on the Activity filter and select Invite external user to view the guest user invitation in the past 30 days.
  • Click on a specific log entry to view detailed information about the external user invitation.
entra-admin-center-guest-invitation-logs

Get the invitation state of an Azure AD guest user

  • In the Entra admin center, locate the invited user and click on their account to view their profile.
  • On the user profile's Overview page, you can check whether the invitation has been accepted under the B2B Invitation tile.
entra-admin-center-guest-invitation-status

Eliminate the hassle of manual checks and effortlessly get real-time alerts on external user additions to your M365 tenant!

  • Utilize the external user addition policy template to generate an alert when an external user is added to your organization.
  • Click on Preview & Deploy to generate alerts separately for each external user addition.
admindroid-external-user-addition-alert

Pro-tip: Set the Threshold property when creating the alert policy to get notified when a specific number of external user creations occurs within a short period.

3. How to manage guest user access restrictions and leaving settings in Microsoft 365?

Guest access in Microsoft 365 allows people outside your organization to access resources such as Teams, SharePoint sites, and more within your M365 environment. Configuring their access settings is crucial to ensure secure collaboration and prevent unauthorized access to sensitive information.

To manage guest access settings, navigate to Identity»External Identities»External collaboration settings in the Microsoft Entra admin center and adjust the options as needed.

Configure Guest User Access Permissions in Entra ID

This setting controls what information guests can see in your Microsoft Entra.

→ Guest users have the same access as members (most inclusive)

This option allows the guest users to have the same level of access to all directory information and Microsoft Entra resources as regular members.

→ Guest users have limited access to properties and memberships of directory objects (default setting)

This option restricts guest users from performing certain directory tasks, such as listing users, groups, or other resources. However, they can view the membership of all non-hidden groups.

→ Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

This option allows guest users to access only their own profiles while restricting them from viewing other users' profiles, groups, or group memberships.

Configure external user leaving settings in Entra ID

Toggle the “External user leave settings” option to Yes to allow external users to remove their accounts from your organization. Switching it to No disables this feature and prevents guests from removing themselves.

4. How to manage guest user invite settings in Microsoft 365?

You can control how guest users are invited to your Microsoft 365 organization by configuring invitation settings in Entra ID. These settings allow you to restrict who can send invitations and specify allowed or blocked domains.

To manage guest user invite settings in Microsoft 365, navigate to the External collaboration settings page in the Entra admin center and adjust the following options as needed.

Configure guest invite settings in Entra ID

This section decides who has the authority to invite guests through SharePoint Online, Teams, and the Entra portal.

→ Anyone in the organization can invite guest users including guests and non-admins (most inclusive - default setting)

This setting allows your organization members, internal guests, and external guests to invite other guests to your organization.

→ Member users and users assigned to specific admin roles can invite guest users including guests with member permissions

This setting allows only regular members of your organization and guests assigned specific admin roles to send guest invitations.

→ Only users assigned to specific admin roles can invite guest users

This option allows only users with the User Administrator or Guest Inviter roles to invite guests to your organization.

→ No one in the organization can invite guest users including admins (most restrictive)

This setting completely disables the ability to invite guest users across the organization, even for administrators.

Configure external collaboration restrictions across domains

Under this section, you can manage B2B invitations across the domains with an allowlist or blocklist.

→ Allow invitations to be sent to any domain (most inclusive - default setting)

This setting enables unrestricted B2B collaboration, by allowing users in your organization to invite guests from any external domain without limitations.

→ Deny invitations to the specified domains

With this setting, guest user invitations to the specified domains are blocked.

→ Allow invitations only to the specified domains (most restrictive)

With this setting, invitations can only be sent to external users whose domains are explicitly listed in the allowlist.

Regularly reviewing and updating these settings ensures that your organization's collaboration with external users remains secure and aligns with your internal policies.

5. What are the limitations of guest users in Microsoft 365?

Guest users in Microsoft 365 provide a convenient way to collaborate with external partners, but by default they have some limitations. Understanding these restrictions is essential for effective management and secured collaboration.

  • Limited access to properties and memberships of direct objects By default, guest users have limited access to properties and memberships of directory objects in Entra ID. They can view only their own user profile and cannot view other directory objects.
  • Restrictions for guest users in Microsoft Teams In Microsoft Teams, guests don't have the same capabilities as members. Guest users have access to the team's communication and resources (channels, files, join meetings) but can't control the team itself (manage teams, settings, members).
  • Guest user restrictions in SharePoint Online and OneDrive By default, SharePoint and OneDrive content sharing is limited to people within the organization. Admins must configure permissions to share a specific SharePoint site with external users. It's important to note that guests cannot be site collection administrators, so users cannot share OneDrive access with them.
  • Guest user restrictions in Exchange Online In Exchange Online, guest users are hidden from the Global Address List (GAL) by default. External users also can't send emails to Microsoft 365 groups unless an admin adjusts the group settings to allow it.

The above listed are some of the common limitations for guest accounts. However, these restrictions can be addressed by configuring the appropriate settings.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Export the List of Guest Users in Microsoft 365
Azure AD Guides 56 Guides
1Get the Group Membership of a Microsoft 365 User2Find Guest Membership in Microsoft 365 Groups3Get the Storage used by Microsoft 365 Groups4Check if MFA is Enabled in Microsoft 365 5Check Microsoft 365 License Expiry Date6Check Licenses Assigned to Microsoft 365 Users7Export Users Without MFA in Microsoft 3658Optimize Microsoft 365 Group Management in M3659Check Microsoft 365 License Usage10Find Inactive Users in Microsoft 36511Monitor Risky Sign-ins in Microsoft Entra ID12Get User Password Expiration Date in Microsoft 36513Manage Users with Admin Roles in M36514Manage Contact Information in M36515Get Last Logon Time of Users in Microsoft 36516Audit Groups in Microsoft 36517Export a List of All Disabled Users in M36518Get Microsoft 365 Users with Weak Passwords19Get a List of Users from Azure AD20Get All Managers & Direct Reports in M36521List All the Group Owners in Microsoft 36522Track All the External User Activities in M36523Track All the User Activities in M36524Audit License Changes to Microsoft 365 Users25Check Users Last Password change date time in M36526Audit Deleted Users in Microsoft Entra ID27Get Azure Sign-in Logs in Microsoft 36528M365 License Management & Usage Insights29Track Microsoft 365 Groups with External Users30Export Conditional Access Policies Report31Audit Failed Sign-in Attempts in M36532Audit Admin Activity in Microsoft 36533Analyze Conditional Access Sign-ins Report in M36534Export Microsoft 365 Security Groups Report35Get MS Office Activations Report36Track Your Microsoft 365 Secure Score37Audit Entra ID Applications in M36538Audit Password Changes in M365 39Audit All the Policy Operations in M36540Get Entra ID App Usage Report in M36541Audit Power BI Activity Log in Microsoft 36542Monitor Forced Password Changes in M36543Audit Administrative Units in M36544Track Users Without Groups in M36545List All Deleted Groups in Microsoft 36546List All Nested Groups in Microsoft Entra ID47Find all Unlicensed Users in Microsoft 36548Track Groups with Disabled Users in M36549List All Role-assignable Groups in Microsoft 36550Monitor Empty Groups in Microsoft 36551Monitor Guest User Sign-ins in Microsoft 36552Audit User Creations in Microsoft 36553Get Guest Users List in Microsoft 36554Find Microsoft 365 Groups with Expiration Policies55Export a List of Expired M365 Subscriptions56List All Microsoft 365 Users with No Manager
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo