SharePoint Online Guest User Troubles and How to Get Past Them
Last updated on October 16, 2021
Modern SharePoint Online sites let us build some very fancy-looking user experiences, and what would be nicer than inviting users from other organizations to collaborate with us on those beautiful sites? You might assume that guest users see everything the same way you do. Unfortunately, that is not the case. I have recently been working with guest users in SharePoint Online environments, and in this post I take you through the problems we encountered and how you, too, can get past them.
Table of Contents
- News thumbnails are not visible for guest users
- The News web part doesn’t display news from other sites to guest users
- Custom SharePoint apps (e.g., web parts) don’t load for guest users by default
- Search API queries don’t work for guest users from communication sites
- Guests can’t see information about users or groups
News thumbnails are not visible for guest users
The first thing I noticed when testing SharePoint Online sites on guest users was that the news thumbnails were not visible to them. For a normal user, the News web part looks like this:
But for a guest user, the thumbnails were not available:
I opened the developer tools on my browser and checked where the thumbnails were coming from.
As you can see from the image above, the URL references an .ashx (ASP.NET web handler) file on the SharePoint root site. Guests don’t have access to the root site by default, so they have no permission to open the handler, and that is why the thumbnails don’t render for them.
We can fix this by granting our guests access to the root site. But what if we don’t want guests to actually be able to browse the root site? After all, it has a very different look and feel from the modern sites we mostly use these days.
To grant users access to the web handler while still preventing them from browsing the site, we first create a custom permission level on the root site. It needs enough permissions for guests to reach the .ashx file, but not enough to view pages.
When creating the custom permission level, you can simply click Select All and then untick View Pages. That removes a lot of dependent permissions as well, but leaves enough for users to reach the web handler. The permissions that remain are the following:
- View Application Pages
- Browse User Information
- Use Remote Interfaces
- Use Client Integration Features
- Open
- Edit Personal User Information
Now assign that permission level to your guests. I recommend creating a SharePoint group for your guests, if you don’t have one already, and attaching the permission level to that group. After that, the thumbnails are visible to guests, too. Because the level lacks View Pages, a guest who follows a link to the root site still gets an access denied page; only the handler and the APIs covered by the permissions above are reachable.
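The same steps scripted with PnP PowerShell, as an added example that is not part of the original post. It creates the custom permission level with exactly the six permissions listed above, refuses to continue if the level somehow still carries View Pages, and binds it to a guest group. The tenant name (contoso), the role and group names, and the guest login are placeholders for your own values.

```powershell
# Added example (not from the original post): build the "no View Pages" permission level on the
# root site and grant it to a guest group. Placeholders: tenant "contoso", role/group names, guest login.
Connect-PnPOnline -Url "https://contoso.sharepoint.com" -Interactive

$roleName  = "Guest Asset Access"
$groupName = "Root Site Guests"

# The six permissions the post ends up with after removing "View Pages".
# PermissionKind value     = label shown in the SharePoint UI
#   ViewFormPages          = View Application Pages
#   BrowseUserInfo         = Browse User Information
#   UseRemoteAPIs          = Use Remote Interfaces
#   UseClientIntegration   = Use Client Integration Features
#   Open                   = Open
#   EditMyUserInfo         = Edit Personal User Information
$guestPermissions = @("ViewFormPages", "BrowseUserInfo", "UseRemoteAPIs",
                      "UseClientIntegration", "Open", "EditMyUserInfo")

if (-not (Get-PnPRoleDefinition -Identity $roleName -ErrorAction SilentlyContinue)) {
    Add-PnPRoleDefinition -RoleName $roleName `
        -Description "Lets guests open the news thumbnail handler and call APIs without browsing pages" `
        -Include $guestPermissions
}

# Safety check: the level must NOT carry ViewPages, otherwise guests could browse the root site.
$role  = Get-PnPRoleDefinition -Identity $roleName
$perms = Get-PnPProperty -ClientObject $role -Property BasePermissions
if ($perms.Has([Microsoft.SharePoint.Client.PermissionKind]::ViewPages)) {
    throw "Permission level '$roleName' still grants View Pages; refusing to assign it to guests."
}

# Create the guest group if it is missing, then bind the custom level to it.
if (-not (Get-PnPGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-PnPGroup -Title $groupName -Description "External users who only need thumbnail and API access"
}
Set-PnPGroupPermissions -Identity $groupName -AddRole $roleName

# Add an already-invited guest to the group (constructed login name; replace with your own).
Add-PnPGroupMember -Identity $groupName `
    -LoginName "i:0#.f|membership|guest.user_fabrikam.com#ext#@contoso.onmicrosoft.com"
```

The ViewPages check is the part worth keeping even if you build the level by hand: if someone later edits the level in the UI and ticks View Pages back on, every guest in the group gains browse access to the root site.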
The News web part doesn’t display news from other sites to guest users
Another thing I noticed with the News web part was that, for guests, it returned news only from the site the web part was on, even when the guests had access to the other sites. You had to select This site in the web part settings for guests to see any news at all. If you chose Selected sites and ticked the current site, guests saw no news, even though it was the same site.
Normal users see news from other sites in the web part:
Guest users won’t see any news, even though they have access to them:
The web part doesn’t use search to fetch the news. If you watch the traffic in Fiddler while the web part loads, there is no request to the search API. Instead, the web part calls https://northeurope3-sphomep.svc.ms/api/v1/news/sites?start=0&count=13, which returns nothing for guests. Premier support confirmed this: “The issue that you see here on the news web part is not related to overall search but to a specific call that is made by the web part. It uses a call that does not work with guest users. The current behavior is by design. The required code changes to change the behavior are outside the scope of a fix and can only be considered for the long term. At the moment there is no timeframe when this behavior will change.”
Countering the issue using the Highlighted Content web part
Luckily, there is another way to display news to guests: the Highlighted content web part, which fetches its content through the search API.
The web part works well for displaying news from modern team sites: use the Selected sites setting to choose the sites you want news from. That setting does not, however, return news from communication sites.
To show news from communication sites to guests, use the filter options instead. In the Content section of the web part settings, select Source: All sites and Type: News. In the Filter and sort section, add a filter on SPSiteURL that contains the relative URL of the site you want news from (e.g., /sites/catnews/). You can add several such filters to return results from multiple sites, including team sites.
Note that for news coming from a team site, the guest must be a member of the Microsoft 365 group behind the site to see those posts in the web part; having only SharePoint permissions on the site is not enough. If the Edit permission that group members get by default is more than you want to give guests, you can lower the members group to Read on the SharePoint site.
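To check what a given guest will actually get from that configuration, you can run the equivalent search query yourself while signed in as a test guest. The block below is an added example and not part of the original post; it uses PnP PowerShell, and the tenant (contoso) and the two site URLs are placeholders. PromotedState:2 is the managed property value that marks a published news post, which is what the web part’s Type: News option filters on.

```powershell
# Added example (not from the original post): reproduce the Highlighted content web part's
# "Type: News, filtered by SPSiteURL" query as a signed-in test guest and report hits per site.
# Placeholders: tenant "contoso" and the two site paths.
$tenant = "https://contoso.sharepoint.com"
$sites  = @("/sites/catnews", "/sites/dogteam")   # same sites you put in the SPSiteURL filters

# Sign in as the guest you are troubleshooting; search trims results to what that account can read.
Connect-PnPOnline -Url "$tenant$($sites[0])" -Interactive

# PromotedState:2 = published news post. One SPSiteURL phrase per site, OR-ed together.
$siteFilter = ($sites | ForEach-Object { 'SPSiteURL:"{0}{1}"' -f $tenant, $_ }) -join " OR "
$query      = "PromotedState:2 AND ($siteFilter)"

$results = Submit-PnPSearchQuery -Query $query -SelectProperties "Title","Path","SPSiteURL" -MaxResults 50

foreach ($site in $sites) {
    # Compare on the trimmed site URL so /sites/catnews does not also match /sites/catnews2.
    $hits = @($results.ResultRows | Where-Object { ($_["SPSiteURL"]).TrimEnd('/') -eq "$tenant$site" })
    "{0,-18} {1,3} news post(s) visible to this account" -f $site, $hits.Count
    $hits | ForEach-Object { "    " + $_["Title"] + "    " + $_["Path"] }
}
# A team site showing 0 for a guest who has Read on it usually means the guest is not a member
# of the site's Microsoft 365 group, which is the caveat described in the paragraph above.
```

If the query returns the posts here but the web part still shows nothing, the problem is in the web part configuration rather than in permissions or the search index.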
Custom SharePoint apps (e.g., web parts) don’t load for guest users by default
I made a simple SPFx web part a while back that uses the SharePoint Search API. When testing it with a guest user, I noticed it didn’t load correctly. So I fired up Fiddler and started debugging.
When a guest opens a page containing a custom web part, they see a not-so-nice error message instead of the web part’s contents. The reason is that guests get an access denied error when the page tries to load some of the web part’s resources from the ClientSideAssets directory in the app catalog.
By default, guests don’t have access to the SharePoint app catalog (where the custom web parts are installed) the way regular users do. To make custom web parts work for them, apply one of the following fixes.
- Grant them Read permissions either to the whole app catalog (guests can then use all custom web parts) or only to the individual web part you want them to use, or
- Add the web part resources to Microsoft’s public CDN (content delivery network).
Which method should you choose, then?
When you add the web part resources to the CDN, they (the minified script files, etc.) become accessible anonymously, by anyone, without authenticating to your tenant. If you have a productized solution whose source you want to protect, keep the resources in the app catalog and grant guests access there. Note that this only limits who can download the bundle: anyone who can load a page with the web part on it can read its JavaScript, so neither option protects secrets embedded in the script.
If you are not worried about someone looking at the web part resources, the CDN is the better option. It offers a couple of benefits:
- Faster loading for the web part: the files are served from the location closest to the end user.
- Mobile browsers work. Even if you grant guests access to the app catalog, they still get an access denied error when loading the web parts in a mobile browser. Apparently, an authentication-related cookie is not usable on mobile. I heard that an organization has opened a ticket about this bug, but Microsoft had not fixed it at the time of writing (update: I have not checked recently whether it has been fixed). In the meantime, the CDN gets around it.
You can enable the public CDN with the SharePoint Online Management Shell, as below. The ClientSideAssets directory is added as a CDN origin automatically. If your admin account uses MFA, run Connect-SPOService -Url $adminSiteUrl without -Credential and sign in interactively instead.
$adminSiteUrl = "https://mytenant-admin.sharepoint.com"
Connect-SPOService $adminSiteUrl -Credential (Get-Credential)
Set-SPOTenantCdnEnabled -CdnType Public -Enable $true
# Verify: the public CDN should report as enabled and the origins should include */CLIENTSIDEASSETS
Get-SPOTenantCdnEnabled -CdnType Public
Get-SPOTenantCdnOrigins -CdnType Public
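The first fix from the list above, granting guests Read on the app catalog, scripted with PnP PowerShell as an added example that is not part of the original post. It shows both scopes: the whole app catalog site, or only the folder under ClientSideAssets that holds one package’s files. The app catalog URL, group name and guest login are placeholders; the folder GUID is whatever your package was deployed to, which the listing step prints.

```powershell
# Added example (not from the original post): give a guest group Read on SPFx assets in the app catalog.
# Placeholders: app catalog URL, group name, guest login name, and the package folder GUID.
$appCatalogUrl = "https://contoso.sharepoint.com/sites/appcatalog"
$groupName     = "App Catalog Guests"

Connect-PnPOnline -Url $appCatalogUrl -Interactive

if (-not (Get-PnPGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-PnPGroup -Title $groupName -Description "Guests allowed to load SPFx web part assets"
}
Add-PnPGroupMember -Identity $groupName `
    -LoginName "i:0#.f|membership|guest.user_fabrikam.com#ext#@contoso.onmicrosoft.com"

# Option (a): the whole app catalog. Guests can then load every deployed web part's assets.
Set-PnPGroupPermissions -Identity $groupName -AddRole "Read"

# Option (b): one package only. Each deployed package has its own GUID-named folder under
# ClientSideAssets; list them, pick the one for your package, and grant Read on that folder
# instead of running option (a). The GUID below is a placeholder.
Get-PnPFolderItem -FolderSiteRelativeUrl "ClientSideAssets" -ItemType Folder | Select-Object Name

$packageFolder = "ClientSideAssets/0f1a2b3c-4d5e-4f60-8a7b-9c0d1e2f3a4b"
Set-PnPFolderPermission -List "ClientSideAssets" -Identity $packageFolder -Group $groupName -AddRole "Read"
```

Option (b) keeps the rest of the app catalog invisible to guests, which matters if other packages in it are not meant for external users; the cost is that you have to repeat the grant for each package you expose.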
Search API queries don’t work for guest users from communication sites
After granting guests access to the app catalog, the next thing I noticed with my web part was an access denied error when the search query ran against the Search API. To my surprise, this was because the guest didn’t have access to the search center site. I fixed it by granting guests Read access there. You may need to do this anyway for the out-of-the-box search results page to work for guests (as a reader reported in the comments).
Even after the query stopped failing, guests still saw no content in the custom web part. Fiddler showed that the search query returned no results for guests, even though the same query worked flawlessly for regular users with the same permissions.
I tried running the query through other sites, and it worked! Further testing showed that the search API queries worked through every site type except communication sites. When issued through a communication site, the result set was always empty.
I had previously set up my web part to always run the search query through the site the web part was on, because the user necessarily has access to that site (e.g., https://tenant.sharepoint.com/sites/currentSite/_api/search/query?querytext=%27WebTemplate:GROUP%27&selectproperties=%27path,title,groupid%27&rowlimit=100). To work around this, I had to find one site all my guests would have access to and always run the query through that site.
Because granting access to the search center was required anyway when I first hit this, I changed my web part to always run the query through the search center. Today, a good candidate is the root site, if you created the custom permission level earlier to get the thumbnails working: that level grants enough permissions to call the search API. Basically, any site will do as long as the users have access to it and it is not a communication site. (A reader has since reported in the comments that the communication site problem appears to be resolved; Read access to the search center was still required in their tenant.)
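The workaround in practice, as an added example that is not part of the original post: run the post’s exact REST query through a fixed “query site” while signed in as a test guest, and refuse to use that site if it turns out to be a communication site. It uses PnP PowerShell; the tenant (contoso) and the choice of the root site as query site are assumptions.

```powershell
# Added example (not from the original post): issue the post's search REST call through a chosen
# query site and fail loudly if that site is a communication site. Placeholder: tenant "contoso".
$querySiteUrl = "https://contoso.sharepoint.com"    # root site with the custom permission level

# Sign in as the guest account you are troubleshooting.
Connect-PnPOnline -Url $querySiteUrl -Interactive

# Communication sites use the SITEPAGEPUBLISHING template; the post saw empty result sets for
# guests when the query went through one, so stop here instead of silently returning nothing.
$web = Get-PnPWeb -Includes WebTemplate, CurrentUser
if ($web.WebTemplate -eq "SITEPAGEPUBLISHING") {
    throw "$querySiteUrl is a communication site; pick a site guests can read that is not one."
}

# The same call the web part makes, only with the site fixed instead of "whatever site the page is on".
$restUrl  = "$querySiteUrl/_api/search/query?querytext='WebTemplate:GROUP'&selectproperties='Path,Title,GroupId'&rowlimit=100"
$response = Invoke-PnPSPRestMethod -Url $restUrl -Method Get

$relevant = $response.PrimaryQueryResult.RelevantResults
"Search returned $($relevant.RowCount) of $($relevant.TotalRows) team sites for $($web.CurrentUser.LoginName)"

# The search response is a table of cells, not flat objects; fold each row's Key/Value cells into one object.
foreach ($row in $relevant.Table.Rows) {
    $props = @{}
    foreach ($cell in $row.Cells) { $props[$cell.Key] = $cell.Value }
    [pscustomobject]@{ Title = $props.Title; Path = $props.Path; GroupId = $props.GroupId }
}
```

If RowCount is 0 for the guest but non-zero for a member with the same site permissions, you are looking at the result trimming described in this section rather than a permission error; a permission error would have surfaced as an HTTP 403 from Invoke-PnPSPRestMethod instead.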
Guests can’t see information about users or groups
This section hasn’t always been in this post; I added it after several people came to me with the same problem: guest users can’t view user information or populate group lists.
This occurs, for example, when a custom SPFx web part fetches a list of users or groups via Microsoft Graph. To let guests see that information, you need to allow them to enumerate users, groups, and other directory resources, which is done through the Azure AD user settings.
- Go to https://portal.azure.com
- Navigate Azure Active Directory -> Users -> User settings -> Manage external collaboration settings
- Change “Guest users permissions are limited” to “No”.
It can take a little while (15 minutes or so) for the setting to take effect, after which user and group information works the same way for guests as for regular users.
Before flipping the switch, have a brief conversation with your customer about the risks. Allowing guests to enumerate users and groups means they can browse the basic information of every such object in the Azure Active Directory tenant, and the setting is tenant-wide: it cannot be limited to the guests of one site. If group names carry sensitive information (e.g., about current or future projects or customers), or guests should not learn the names of all users (including other guests), it is probably better to leave the setting as is and live with the limited functionality guests have.
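The same setting read and changed through Microsoft Graph, as an added example that is not part of the original post. Reading it first gives you something to record before the change and a known value to revert to. The three role ids are the documented values for the authorization policy’s guestUserRoleId; the portal option “Guest users permissions are limited: No” corresponds to the first of them. Nothing else about your tenant is assumed.

```powershell
# Added example (not from the original post): inspect and change the tenant's guest permission
# level via the Graph authorization policy. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

$policyUri  = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
$guestRoles = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "same as members (portal: 'Guest users permissions are limited' = No)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "limited (portal default = Yes)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "restricted (guests see only their own objects)"
}

# Record the current value before touching anything.
$current = Invoke-MgGraphRequest -Method GET -Uri $policyUri
"Before: guestUserRoleId = $($current.guestUserRoleId) -> $($guestRoles[$current.guestUserRoleId])"

# Only after the risk conversation above: let guests enumerate users and groups like members do.
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body @{
    guestUserRoleId = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
}

# Re-read to confirm. Propagation to SharePoint can still take the ~15 minutes mentioned above.
$after = Invoke-MgGraphRequest -Method GET -Uri $policyUri
"After:  guestUserRoleId = $($after.guestUserRoleId) -> $($guestRoles[$after.guestUserRoleId])"

# To revert, PATCH guestUserRoleId back to the value recorded in $current.guestUserRoleId.
```

Scripting it also makes the change reviewable: the before/after lines can go into the change record, which is harder to do with a toggle clicked in the portal.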
The Conclusion
There are quite a lot of differences between regular and guest users in SharePoint Online, many more than were covered in this article. Many of them are by design; after all, who would pay for licenses if guest users worked exactly the same way as licensed users? On the other hand, you can’t expect organizations to buy licenses for the employees of other organizations just so that they get a good user experience. And it is often those user experience issues we end up troubleshooting.
For some of the issues we can implement workarounds as described in this article, but for others we need Microsoft’s help. Microsoft has been very active and helpful in solving these issues via premier tickets. For example, they have promised to fix the site logos on communication sites so they also show for guest users, and to display the logout menu for guests on regular pages too (currently guests need to navigate to Site Contents to be able to log out). For guests to get the best possible user experience within those “by design” limitations, be active and let your voice be heard. Tell Microsoft about your experiences by providing feedback and filing bug reports. Only this way can things be improved.
Have you encountered issues with guest users? What kind? Let me know in the comments below (and preferably also make a bug report to Microsoft 😉 )! Also, if you found this article useful and would like to read similar content in the future, make sure to follow me on Twitter to get notified of future posts.
Laura
PS: Did you like the multi-colored theme displayed in the images? If yes, check out my blog post for instructions on how you can create one just like it or similar yourself!
I was able to make it work on a Communication Site just by deploying the web part (the search web part of PnP) with CDN enabled and giving the guest users Read permission on the Search center site collection.
Hi Pierre,
Great to hear that you got things working. 🙂
Laura
Hi Laura, Thank you for this interesting article.
As you experienced on your SharePoint, we had some design issues that needed CSS adaptations.
But one of our concerns is that guests can’t search users within SharePoint because this functionality uses MS Graph. Any workaround for guests to look for users? We also have troubles with MS Flow, and we can’t add photos and details for guests.
Thanks, regards.
Hi Emma,
If you want your guest users to be able to populate user lists from the AD, you can enable the functionality via Azure AD.
1. Go to https://portal.azure.com
2. Navigate: Azure Active Directory -> Users -> User settings -> Manage external collaboration settings
3. Change “Guest users permissions are limited” to “No”.
How are you trying to update the guest user photos (and details) and where are you trying to get them to show?
Laura
Thank you so much for this, especially the “News thumbnails are not visible for guest users” part. We are launching a communication site to some 500-600 guest users next week; I found out yesterday that guest users don’t see the news thumbnails (had seen it before but thought it was linked to permissions to the image back then). This really saved my day!
Hi Filip, hearing that that makes me so happy! It’s great if I’m able to save someone’s day. 🙂
Laura
Update for SEARCH API QUERIES DON’T WORK FOR GUEST USERS FROM COMMUNICATION SITES – the Communication Site specific issue appears to be resolved. Our tenant did require read access to the search center be granted to guests for the OOTB search results page to work.
Hi Bryan,
Great to hear that the issue with communication sites and search API has been fixed! And thank you for the confirmation that you still need to grant guests access to the search center. 🙂
Laura
Hi I recently having a problem with the user profile API on SharePoint Online, It seems that it does not work with guest users, can you please confirm?
Thanks!
Hi Joshua,
What are you trying to do exactly? Are you trying to enumerate users? There’s a setting in Azure AD that might be preventing that. Does it help if you go to Azure AD -> Users -> User settings -> Manage external collaboration settings and change the “Guest user permissions are limited” option to no? Note that allowing guest users to browse the directory resources the same way as internal users can be considered a security risk.
Laura