SharePoint Online Guest User Troubles and How to Get Past Them
Last updated on October 16, 2021
Modern SharePoint Online sites let us put together some very fancy looking user experiences. And what would be nicer than inviting users from other organizations to collaborate with us on those beautiful sites? You might think that guest users see everything the same way you do. Unfortunately, that is not the case. I’ve recently been working with guest users in SharePoint Online environments, and in this blog post I take you through the problems we encountered and how you too can get past them.
Table of Contents
- News thumbnails are not visible for guest users
- The News web part doesn’t display news from other sites to guest users
- Custom SharePoint apps (e.g., web parts) don’t load for guest users by default
- Search API queries don’t work for guest users from communication sites
- Guests can’t see information about users or groups
News thumbnails are not visible for guest users
The first thing I noticed when testing SharePoint Online sites on guest users was that the news thumbnails were not visible to them. For a normal user, the News web part looks like this:
But for a guest user, the thumbnails were not available:
I opened the developer tools in my browser and checked where the thumbnails were being loaded from.
The thumbnail URL references an .ashx (ASP.NET HTTP handler) file on the SharePoint root site. Guests don’t have access to the root site by default, so they don’t have permission to call that handler, and that is why they can’t see the thumbnails.
We can fix this issue by granting our guest users access to the root site. But what if we don’t want the guests to actually be able to browse it? After all, it has a very different look-and-feel from the modern sites we mostly use these days.
To grant users access to the web handler file while still preventing them from browsing the site, we first create a custom permission level on the root site. The permission level needs enough permissions for guests to call the .ashx handler, but not enough to view pages.
When creating the custom permission level, we can basically just click Select All and then untick View Pages. This removes a lot of dependent permissions too, but leaves enough for the users to access the web handler file. The permissions that remain are the following:
- View Application Pages
- Browse User Information
- Use Remote Interfaces
- Use Client Integration Features
- Open
- Edit Personal User Information
Now assign that permission level to your guest users. I recommend creating a SharePoint group for your guests if you haven’t already, and assigning the permission level to that group rather than to individual accounts. After that, the thumbnails are visible to guests, too.
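The same permission level and group can be created with PnP.PowerShell instead of clicking through the UI. This is an added example, not code from the original post; it assumes PnP.PowerShell is installed, that you are a site collection administrator of the root site, and that the tenant URL, permission level name, group name and guest login name are placeholders you replace with your own. The six permission names are the PermissionKind enum values behind the UI labels listed above.

```powershell
# Added example: create a "handler access only" permission level on the root site
# and assign it to a guest group. Names and URLs below are placeholders.
$rootSite  = "https://mytenant.sharepoint.com"   # placeholder tenant
$roleName  = "Guest Asset Access"                # hypothetical permission level name
$groupName = "Guest Users"                       # hypothetical SharePoint group name
$guestLogin = "guest_contoso.com#ext#@mytenant.onmicrosoft.com"  # placeholder guest UPN

# Newer PnP.PowerShell builds also require -ClientId of your own app registration.
Connect-PnPOnline -Url $rootSite -Interactive

# The permissions that remain after "Select All" minus "View Pages".
$basePermissions = @(
    "ViewFormPages",        # View Application Pages
    "BrowseUserInfo",       # Browse User Information
    "UseRemoteAPIs",        # Use Remote Interfaces
    "UseClientIntegration", # Use Client Integration Features
    "Open",                 # Open
    "EditMyUserInfo"        # Edit Personal User Information
)

# Create the permission level only if it does not exist yet.
$role = Get-PnPRoleDefinition | Where-Object Name -eq $roleName
if (-not $role) {
    $role = Add-PnPRoleDefinition -RoleName $roleName `
        -Description "Lets guests load handler files (thumbnails) without viewing pages" `
        -Include $basePermissions
}

# Safety check: the level must not include ViewPages, otherwise guests can browse the root site.
$perms = Get-PnPProperty -ClientObject $role -Property BasePermissions
if ($perms.Has([Microsoft.SharePoint.Client.PermissionKind]::ViewPages)) {
    throw "Permission level '$roleName' grants ViewPages; refusing to assign it to guests."
}

# Create the guest group if needed and attach only this permission level to it.
if (-not (Get-PnPGroup | Where-Object Title -eq $groupName)) {
    New-PnPGroup -Title $groupName -Description "External guests allowed to load root site assets"
}
Set-PnPGroupPermissions -Identity $groupName -AddRole $roleName

# Add a guest account to the group. Guest login names use the #ext# form shown above.
Add-PnPGroupMember -Identity $groupName -LoginName $guestLogin
```

After running it, sign in as the guest and open the root site home page: you should be denied, while a news thumbnail on a modern site the guest can access now renders.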
News web part doesn’t display news from other sites to guest users
Another thing I noticed with the News web part was that it did not return news for guests from any other site except for the current site the web part was on. Not even if the guests had access to those sites. You had to select This site in the news web part settings for guests to see any news. If you click Selected sites and tick the current site, guests won’t see any news, even though it is the same site.
Normal users see news from other sites in the web part:
Guest users won’t see any news, even though they have access to them:
The web part doesn’t use search to fetch the news. If you watch the traffic in Fiddler while the web part loads, there is no request to the search API. Instead, the web part calls https://northeurope3-sphomep.svc.ms/api/v1/news/sites?start=0&count=13, which returns nothing for guests. This was also confirmed by premier support: “The issue that you see here on the news web part is not related to overall search but to a specific call that is made by the web part. It uses a call that does not work with guest users. The current behavior is by design. The required code changes to change the behavior are outside the scope of a fix and can only be considered for the long term. At the moment there is no timeframe when this behavior will change.”
Countering the issue using the Highlighted Content web part
Luckily, there is another way for you to display news to guests: the highlighted content web part. The highlighted content web part uses the search API for fetching the web part content.
The web part works well for displaying news from modern team sites: use the Selected sites setting to choose the sites you want news from. However, with Selected sites it does not return news from communication sites to guests.
To show news from communication sites to guest users, configure the highlighted content web part with filters instead of Selected sites. In the Content section of the web part settings, select Source: All sites and Type: News. In the Filter and sort section, add a filter on SPSiteURL that contains the server-relative URL of the site you want news from (e.g., /sites/catnews/). You can add several such filters to return results from multiple sites, including team sites.
Note that for news articles coming from a team site, the guest must be a member of the Microsoft 365 group to see the news in the web part; having permissions only on the SharePoint site is not enough. If the Edit permission that group members get by default is too much, you can change the members group to have Read permissions on the SharePoint site.
Custom SharePoint apps (e.g., web parts) don’t load for guest users by default
I made a simple SPFx web part a while back which utilizes the SharePoint Search API. When testing the web part with a guest user, I noticed it didn’t load up correctly. So, I fired up Fiddler and started debugging.
When a guest goes to a page that contains a custom web part, instead of seeing the web part contents, they see a not-so-nice looking error message. This happens because the browser gets an access denied error when it tries to fetch some of the web part’s resources from the app catalogue’s ClientSideAssets library.
By default, guests don’t have access to the SharePoint app catalogue (where the custom web parts are installed) like regular users do. To get the custom web part to work for them, you need to apply one of the following fixes.
- Grant them read permissions either to the whole app catalogue (this way guests will be able to use all custom web parts) or just the individual web part you want them to be able to use, or
- Add the web part resources to Microsoft’s public CDN (content delivery network).
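The first option can be scripted with PnP.PowerShell, either for the whole ClientSideAssets library or, following least privilege, for the folder of one web part only. This is an added example, not code from the original post; it assumes PnP.PowerShell, that you are a site collection administrator of the app catalogue, and that the app catalogue URL and group name are placeholders. The folder name for a given web part is a GUID assigned when the package is deployed, so the script lists the folders for you rather than guessing it.

```powershell
# Added example: grant a guest group Read on the app catalogue's client-side assets.
$appCatalogUrl = "https://mytenant.sharepoint.com/sites/appcatalog"  # placeholder
$groupName     = "Guest Users"                                         # hypothetical group
$listName      = "ClientSideAssets"

# Newer PnP.PowerShell builds also require -ClientId of your own app registration.
Connect-PnPOnline -Url $appCatalogUrl -Interactive

# The group has to exist in this site collection before it can be granted anything.
if (-not (Get-PnPGroup | Where-Object Title -eq $groupName)) {
    New-PnPGroup -Title $groupName -Description "External guests allowed to load custom web parts"
}

# Option A: the whole library, so every custom web part works for guests.
# Break inheritance first so the grant stays scoped to this library, not the whole site.
Set-PnPList -Identity $listName -BreakRoleInheritance -CopyRoleAssignments
Set-PnPListPermission -Identity $listName -Group $groupName -AddRole "Read"

# Option B: a single web part. List the deployment folders, pick the one that
# holds your bundle (open it and look for your web part's .js file), then grant Read
# on that folder only. The cmdlet breaks the folder's inheritance if it still inherits.
$folders = Get-PnPFolderItem -FolderSiteRelativeUrl $listName -ItemType Folder
$folders | ForEach-Object { "Deployment folder: $($_.Name)" }

$componentFolder = "00000000-0000-0000-0000-000000000000"   # placeholder: replace with the folder above
Set-PnPFolderPermission -List $listName -Identity "$listName/$componentFolder" `
    -Group $groupName -AddRole "Read"

# Verify: the group should now appear with Read on the folder, and nothing else.
Get-PnPFolderItem -FolderSiteRelativeUrl $listName -ItemType Folder |
    Where-Object Name -eq $componentFolder |
    ForEach-Object { "Granted Read on $($_.ServerRelativeUrl) to '$groupName'" }
```

Option B keeps guests out of every other solution in the catalogue, which matters once the catalogue also hosts web parts meant for employees only. If the guest still gets access denied after this, check that the site collection feature “Limited-access user permission lockdown mode” is not enabled on the app catalogue, since it blocks exactly this kind of list-only access.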
Which method should you choose, then?
When you put the web part resources on the CDN, the minified script files and other assets become readable by anyone on the internet, without authenticating to your tenant. Treat the bundles as public: they must not contain secrets such as API keys, client secrets or internal endpoints you consider sensitive. If you have a very productized solution whose source code you want to protect, keep the resources in the app catalogue and grant the guests access there.
If you are not concerned about someone potentially looking into the web part resources, then the CDN is the better option. It offers a couple of benefits:
- Faster loading time for the web part. When the web part is loaded, the files are fetched from the most optimal location in relation to current end-user.
- You should also use the CDN if you want your guest users to be able to use your web parts from a mobile browser. Even if you grant guests access to the app catalogue, they still get an access denied error when loading the web parts on a mobile device. Apparently, an authentication-related cookie is not usable on mobile. I heard that an organization has opened a ticket about this bug, but Microsoft is yet to fix it (update: I have not checked recently whether it has been fixed). In the meantime, you can get around it by using the CDN.
You can enable the public CDN by running the following PowerShell commands in the SharePoint Online Management Shell. The ClientSideAssets directory is registered as a CDN origin automatically.
# Connect to the tenant admin site (omit -Credential to get an interactive sign-in that supports MFA)
$adminSiteUrl = "https://mytenant-admin.sharepoint.com"
Connect-SPOService $adminSiteUrl -Credential (Get-Credential)
# Turn on the Office 365 Public CDN; default origins include */CLIENTSIDEASSETS
Set-SPOTenantCdnEnabled -CdnType Public -Enable $true
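Because the CDN option means trusting that nothing sensitive is in the bundle, it is worth verifying the exposure rather than assuming it. The following added example (not from the original post) checks that the public CDN is on and the ClientSideAssets origin is registered, then fetches one of your bundles with no credentials at all and greps it for strings that should never be in public JavaScript. It assumes the SharePoint Online Management Shell module, a SharePoint administrator account, and that the tenant name, deployment folder and file name in the asset URL are placeholders you take from your own web part’s manifest.

```powershell
# Added example: confirm CDN state, then prove the bundle is world-readable and clean.
$adminSiteUrl = "https://mytenant-admin.sharepoint.com"   # placeholder tenant
Connect-SPOService -Url $adminSiteUrl                     # interactive sign-in

# 1. Make sure the public CDN is enabled.
$cdn = Get-SPOTenantCdnEnabled -CdnType Public
if (-not $cdn.Value) {
    Set-SPOTenantCdnEnabled -CdnType Public -Enable $true
    "Public CDN enabled; allow up to 15 minutes for propagation."
}

# 2. Make sure the client-side assets origin is present (added by default when enabling).
$origins = Get-SPOTenantCdnOrigins -CdnType Public
if (-not ($origins | Where-Object { $_ -like "*CLIENTSIDEASSETS*" })) {
    Add-SPOTenantCdnOrigin -CdnType Public -OriginUrl "*/CLIENTSIDEASSETS"
}
"Registered origins:"; $origins

# 3. Fetch a bundle anonymously. The public CDN URL shape is
#    https://publiccdn.sharepointonline.com/<tenant host>/<site>/<library>/<folder>/<file>
#    The folder GUID and file name below are placeholders from your own manifest.
$assetUrl = "https://publiccdn.sharepointonline.com/mytenant.sharepoint.com/sites/appcatalog/clientsideassets/00000000-0000-0000-0000-000000000000/my-web-part.js"
try {
    # No cookies, no token: this is what any stranger on the internet can do.
    $response = Invoke-WebRequest -Uri $assetUrl -UseBasicParsing -ErrorAction Stop
    "Anonymous fetch succeeded (HTTP $($response.StatusCode), $($response.Content.Length) bytes)."

    # 4. Look for material that must not ship in a public bundle.
    $patterns = "client_secret", "clientsecret", "api_key", "apikey", "password", "Bearer "
    $hits = $patterns | Where-Object { $response.Content -match [regex]::Escape($_) }
    if ($hits) {
        Write-Warning "Suspicious strings found in public bundle: $($hits -join ', ')"
    } else {
        "No obvious secrets found in the bundle."
    }
}
catch {
    # A 404 right after enabling usually just means propagation is still pending.
    "Anonymous fetch failed: $($_.Exception.Message)"
}
```

Run the fetch from a machine or shell that has never signed in to the tenant if you want to be strict about it; a 200 there settles the question of who can read your code.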
Search API queries don’t work for guest users from communication sites
After granting guests access to the app catalogue, the next thing I noticed with my web part was an access denied error when executing the search query via the Search API. To my surprise, this was because the guest user didn’t have access to the search center site. I fixed it by granting them Read access there. You might also need to do this to get the out-of-the-box search results page to work for guests (as reported by a reader in the comments).
Even though the search queries were no longer giving an error, guests were still not able to see any content within the custom web part. Fiddler revealed that the underlying issue was that the search query wasn’t returning any results for guests, even though the same query worked flawlessly for regular users with the same permissions.
I started testing if the query would work via other sites, and it did! I did some further testing and noticed that the search API queries worked via any other site type except for communication sites. When making the query via a communication site, the result set was always lacking.
I had previously set up my web part to always make the search query via the site the web part was placed on, because then the user would always have access to that site (e.g., https://tenant.sharepoint.com/sites/currentSite/_api/search/query?querytext=%27WebTemplate:GROUP%27&selectproperties=%27path,title,groupid%27&rowlimit=100). So, to work around this issue, I had to find one site that all my guest users would have access to, and always make the query via that site.
Because granting access to the search center was required when I originally faced this issue, I changed my web part to always execute the query via the search center. Today, a good candidate is the root site, if you created the custom permission level earlier to get the thumbnails working. The permission level grants the user enough permissions to call the search API. But basically, any site will do as long as the users have access to it and the site is not a communication site.
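Which site context works for a particular guest is easiest to settle empirically. The following added example (not from the original post) signs in as the guest and runs one and the same search query through several site URLs, printing each site’s template and the number of rows returned, so a communication site (template SITEPAGEPUBLISHING) returning zero rows while the root or search center returns results becomes obvious. The query uses the same building blocks the Highlighted content web part uses for Type: News filtered by SPSiteURL, so the script also shows what that web part’s guests would get. It assumes PnP.PowerShell, that you sign in with the guest account when prompted, and that the tenant and site URLs are placeholders.

```powershell
# Added example: run one search query as the guest via several site contexts and compare.
$tenant = "https://mytenant.sharepoint.com"   # placeholder tenant
$contexts = @(
    "$tenant",                        # root site (custom permission level from the thumbnail fix)
    "$tenant/sites/searchcenter",     # search center (guests granted Read)
    "$tenant/sites/catnews",          # a communication site
    "$tenant/sites/catteam"           # a group-connected team site
)

# News posts are pages with PromotedState:2; SPSiteURL narrows them to given sites,
# which is what the Highlighted content web part's Type: News + SPSiteURL filter issues.
$query = 'PromotedState:2 AND (SPSiteURL:"/sites/catnews/" OR SPSiteURL:"/sites/catteam/")'
$encodedQuery = [uri]::EscapeDataString("'" + $query + "'")

# Sign in as the GUEST. The token is valid for the whole tenant, so one connection suffices.
# Newer PnP.PowerShell builds also require -ClientId of your own app registration.
Connect-PnPOnline -Url $contexts[0] -Interactive

foreach ($siteUrl in $contexts) {
    try {
        # Which kind of site is this? (GROUP = team site, SITEPAGEPUBLISHING = communication site)
        $web = Invoke-PnPSPRestMethod -Url "$siteUrl/_api/web?`$select=WebTemplate"

        # Same query, different site context.
        $result = Invoke-PnPSPRestMethod -Url ("$siteUrl/_api/search/query?querytext=$encodedQuery" +
                  "&selectproperties='Path,Title'&rowlimit=50&trimduplicates=false")
        $rows = $result.PrimaryQueryResult.RelevantResults.TotalRows

        "{0,-50} template={1,-20} rows={2}" -f $siteUrl, $web.WebTemplate, $rows
    }
    catch {
        # Access denied here means the guest has no permission on this site at all.
        "{0,-50} ERROR: {1}" -f $siteUrl, $_.Exception.Message
    }
}
```

Whichever non-communication site returns the expected row count for the guest is a safe base URL for the web part’s search calls, as long as every guest who will use the web part has at least the custom permission level there.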
Guests can’t see information about users or groups
This section hasn’t always been in this blog post, but I added it after several people came to me with the same problem: guest users are not able to view user information or list groups.
This happens, for example, when a custom SPFx web part tries to get a list of users or groups via Microsoft Graph. To let guests view that information, you need to allow them to enumerate users, groups, and other directory resources. This is done through the Azure AD user settings.
- Go to https://portal.azure.com
- Navigate Azure Active Directory -> Users -> User settings -> Manage external collaboration settings
- Change “Guest users permissions are limited” to “No”.
It can take a little while (15 mins or so) for the setting to come into effect, after which viewing the user and group information should work the same way for guests as it does for regular users.
Before flipping the switch, have a brief conversation with your customer about the risks of the setting. If you allow guests to enumerate groups and users, they can browse the basic information about every user and group in the Azure Active Directory, including other guests. If the group names contain classified information (e.g., about current or future projects or customers), or guests should not know the names of all the users, it is probably best to leave the setting as is and live with the limited functionality guests have.
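The portal toggle writes the guestUserRoleId property of the tenant’s authorization policy, and reading that property is also the quickest way to audit what a tenant currently allows. The following added example (not from the original post) reads the current value through Microsoft Graph, explains it, and changes it only after an explicit confirmation, mirroring the conversation recommended above. It assumes the Microsoft.Graph.Authentication module and an administrator who can consent to Policy.ReadWrite.Authorization; the three role ids are Microsoft’s documented values for the policy, and the portal they correspond to is now branded Microsoft Entra ID.

```powershell
# Added example: audit and (optionally) change the guest access level via Microsoft Graph.
$guestRoles = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same as members (Guest users permissions are limited = No)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited (default; Guest users permissions are limited = Yes)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted (guests see only their own objects)"
}
$targetRoleId = "a0b1b346-4d3e-4e8b-98f8-753987be4970"   # what the blog post's step 3 selects
$policyUri    = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Read the current setting.
$policy  = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$current = $policy.guestUserRoleId
"Current guest role: $current -> $($guestRoles[$current])"

if ($current -eq $targetRoleId) {
    "Guests can already enumerate users and groups; nothing to change."
    return
}

# This exposes every user's and group's basic directory information to every guest.
$answer = Read-Host "Allow ALL guests to enumerate users and groups in this tenant? Type YES to continue"
if ($answer -ne "YES") {
    "Aborted; setting left unchanged."
    return
}

# Apply the change. The body is the one property the portal toggle writes.
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri `
    -Body @{ guestUserRoleId = $targetRoleId } -ContentType "application/json"

# Re-read to confirm, and remember the post's note: allow ~15 minutes before testing as a guest.
$after = (Invoke-MgGraphRequest -Method GET -Uri $policyUri).guestUserRoleId
"New guest role: $after -> $($guestRoles[$after])"
```

Keep the script’s first half (read-only) in your tenant review checklist: a tenant where guestUserRoleId is already the “same as members” value has effectively made its directory listing visible to every external collaborator, whether or not anyone remembers flipping the switch.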
The Conclusion
There are quite a lot of differences between regular and guest users in SharePoint Online; a lot more than was covered in this article. Many of them are by design — after all, who would be paying for licenses if guest users worked exactly the same way as licensed users? But on the other hand, you can’t expect organizations to buy licenses for the employees of other organizations just so that they can have a good user experience. And it is often those user experience related issues we end up troubleshooting.
For some of the issues we can implement workarounds as described in this article, but for some, we need Microsoft’s help. Microsoft has been very active and helpful in solving these issues via premier tickets. They’ve for example promised to fix the site logos on communication sites so they will also show for guest users, and display the logout menu for guest users on regular pages too (currently guests need to navigate to Site Contents to be able to log out). In order for guests to get the best possible user experience within those “by design” limitations, be active and let your voice be heard. Tell Microsoft about your experiences by providing feedback and filing bug reports. Only this way things can be improved.
Have you encountered issues with guest users? What kind? Let me know in the comments below (and preferably also make a bug report to Microsoft 😉 )! Also, if you found this article useful and would like to read similar content in the future, make sure to follow me on Twitter to get notified of future posts.
Laura
PS: Did you like the multi-colored theme displayed in the images? If yes, check out my blog post for instructions on how you can create one just like it or similar yourself!
Hi Laura. First of all, congrats for your article, it’s very useful and interesting. Regarding my problem, we use web api of SharePoint Online to get some info of a document library and draw a tag cloud on a content editor. Unfortunately, guest users get a 403 Access denied error when calling the api via Ajax. What could we do? Do you think it could be fixed changing “Guest users permissions are limited” to “No”? We have asked an user with permissions to do that in Azure, but in the mean time, if you have another idea, it’s more than welcome. Thanks in advance.
Hi Julio,
You should check that the guest users have permissions to the site you are using to call the API (the URL address before “_api”). If you don’t want them to be able to browse the site, you can create a custom permission level as described in the section “News thumbnails are not visible for guest users.”
Laura
Hi Julio. I had the same problem on classic sites. Calls to https://mytenant/sites/intranet/_api/….. were blocked (403 Forbidden). On site collection level in Site collection features you have to disable “Limited-access user permission lockdown mode” and wait. In my case it took 3 hours to start working. Hope you will find it useful.
Thanks a lot for the info, Lukasz!
Laura
Hi Laura.
Great article! I am having some issues with a custom organization theme (company logo and navigation bar color) not being visible to external guest users. Is there a powershell command I can run that will allow the external users to see my custom organization theme? I don’t want to have to add a custom css to all guest user pages. Look forward to your feedback soon.
Thanks,
Ernie
Office365 Consultant
Hi Ernie,
I remember having similar issues in the past. I filed bug reports about them, and Microsoft acknowledged that they are bugs. They are yet to fix them, it seems. I recommend you also create bug reports about them — should speed things up.
Laura
Hi Laura,
I have a PowerApps application that will be shared with 100 guest users.
Should I share the app with the 100 guest users by adding their email addresses one by one, or is sharing with everyone enough?
Hi Vino,
If everyone in the organization is allowed to use the application (not only guests), then I’d share it with everyone. If only guests are allowed to use it, I’d create an Azure AD group for them, and use that for granting permissions. Maintenance wise, using groups is generally better than giving permissions individually.
Laura
Great post, Laura!
Do you know if changing the “Guest users permissions are limited” to “No” has any impact on the ‘personalization’ options for the Sites web part (“Frequent sites for current user” ) and News web part (“Recommended for current user”)?
The hope is to allow guests to access the top-level site and see content from the other site(s) in our tenant that they have been invited to…
Hi Jim,
No, I don’t, but if I were you, I’d definitely test it and see how it behaves. Note that it might take a little while for the change to come into effect.
Laura
Hi Laura
I have a question for you:
I already have a guest user under my tenant and I want to grant them access to a site using a Microsoft 365 group and not by inviting them again. Is it possible? Right now I see that it works only with users from the organization.
thanks
Hi Stefano,
As you’ve been able to invite the guest to your tenant, it sounds like external sharing is allowed in your organization tenant wide. However, if you are unable to add the guest to a specific Office 365 group, it can be that external sharing is disabled in that particular group.
Laura