SharePoint Online Guest User Troubles and How to Get Past Them

Last updated on October 16, 2021

The modern SharePoint Online sites allow us to put together some very fancy looking user experiences. And what would be nicer than to invite some users from other organizations to collaborate with us on those beautiful sites? You might think that guest users see everything the same way you do. Unfortunately, that is not the case. I’ve recently been working with guest users in SharePoint Online environments, and in this blog post I take you through the problems we encountered and how you too can get past them.

News thumbnails are not visible for guest users

The first thing I noticed when testing SharePoint Online sites on guest users was that the news thumbnails were not visible to them. For a normal user, the News web part looks like this:

But for a guest user, the thumbnails were not available:

I opened the developer tools on my browser and checked where the thumbnails were coming from.

As you can see from the image above, the URL points to an .ashx (ASP.NET web handler) file on the SharePoint root site. Guests don’t have access to the root site by default, so they don’t have permission to open the .ashx file either, and that is why they can’t see the thumbnails.

We can fix this issue by granting our guest users access to the site. But what if we don’t want the guests actually to be able to browse the root site? After all, it has a very different look-and-feel compared to the modern sites we are mostly using these days.

To grant users access to the web handler file while still preventing them from browsing the site, we first need to create a custom permission level on the root site. The permission level needs to have enough permissions for guests to access the ashx file, but not enough permissions to view pages.

When creating the custom permission level, we can basically just click Select All permissions and then remove the View Pages permission. This gets rid of a lot of other dependent permissions too, but leaves enough permissions for the users to access the web handler file. In the end, the permissions that remain are the following:

  • View Application Pages
  • Browse User Information
  • Use Remote Interfaces
  • Use Client Integration Features
  • Open
  • Edit Personal User Information

Now you need to assign that permission level to your guest users. I recommend you create a group for your guests if you haven’t already, and attach the permissions to that group. After that, the thumbnails will be visible to guests, too.
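The same permission level can be created and assigned with PnP PowerShell instead of clicking through the UI, which also lets you verify that View Pages really is absent before any guest gets the level. The script below is an added example, not code from the original post; it assumes the PnP.PowerShell module is installed, that you are a site collection administrator on the root site, and that the tenant URL, permission level name, group name and guest login shown are placeholders.

```powershell
# Added example (not from the original post): create the guest permission level on the
# root site with PnP PowerShell and attach it to a dedicated guest group.
# Assumptions: PnP.PowerShell is installed, you are a site collection admin on the root
# site, and the URL/names below are placeholders.
$rootSiteUrl = "https://mytenant.sharepoint.com"
$levelName   = "Guest Thumbnail Access"
$groupName   = "Root Site Guests"

Connect-PnPOnline -Url $rootSiteUrl -Interactive

# The six permissions that remain after "Select All" minus "View Pages" in the UI.
# PermissionKind enum names map to the UI labels as follows:
#   ViewFormPages        -> View Application Pages
#   BrowseUserInfo       -> Browse User Information
#   UseRemoteAPIs        -> Use Remote Interfaces
#   UseClientIntegration -> Use Client Integration Features
#   Open                 -> Open
#   EditMyUserInfo       -> Edit Personal User Information
$guestPermissions = @("ViewFormPages", "BrowseUserInfo", "UseRemoteAPIs",
                      "UseClientIntegration", "Open", "EditMyUserInfo")

if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $levelName)) {
    Add-PnPRoleDefinition -RoleName $levelName `
        -Description "Lets guests reach the root site's web handlers without browsing pages" `
        -Include $guestPermissions
}

# Verify that View Pages is really absent before handing the level to anyone.
$level = Get-PnPRoleDefinition -Identity $levelName
$perms = Get-PnPProperty -ClientObject $level -Property BasePermissions
if ($perms.Has([Microsoft.SharePoint.Client.PermissionKind]::ViewPages)) {
    throw "Permission level '$levelName' unexpectedly grants View Pages; aborting."
}

# A dedicated group keeps the guest grant visible in the site permissions and easy to revoke.
if (-not (Get-PnPGroup | Where-Object Title -eq $groupName)) {
    New-PnPGroup -Title $groupName -Description "Guests who need news thumbnails" | Out-Null
}
Set-PnPGroupPermissions -Identity $groupName -AddRole $levelName

# Add guests to the group by their claims login name (placeholder shown, assumed format).
# Add-PnPGroupMember -Group $groupName -LoginName "i:0#.f|membership|guest_example.com#ext#@mytenant.onmicrosoft.com"
```

Keeping the grant on a separate group (rather than adding the level to the existing Visitors group) means a later permissions review shows exactly which guests can reach the root site's handlers, and removing the group removes the access in one step.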

News web part doesn’t display news from other sites to guest users

Another thing I noticed with the News web part was that it did not return news for guests from any site other than the one the web part was on, not even if the guests had access to those sites. You had to select This site in the News web part settings for guests to see any news. If you click Selected sites and tick the current site, guests won’t see any news, even though it is the same site.

Normal users see news from other sites in the web part:

Guest users won’t see any news, even though they have access to them:

The web part doesn’t utilize search for fetching the news. If you check Fiddler while the web part loads, there’s no request to the search API that’d get the news. In fact, the web part makes a request to https://northeurope3-sphomep.svc.ms/api/v1/news/sites?start=0&count=13 to fetch the news, which doesn’t return anything for guests. This was also confirmed by Premier Support: “The issue that you see here on the news web part is not related to overall search but to a specific call that is made by the web part. It uses a call that does not work with guest users. The current behavior is by design. The required code changes to change the behavior are outside the scope of a fix and can only be considered for the long term. At the moment there is no timeframe when this behavior will change.”

Countering the issue using the Highlighted Content web part

Luckily, there is another way for you to display news to guests: the highlighted content web part. The highlighted content web part uses the search API for fetching the web part content.

The web part works pretty well for displaying news from modern team sites. You can use the Selected sites setting to choose which sites you want to show news from. However, it does not work for displaying news from communication sites.

There is another thing you need to do with the highlighted content web part for it to show news from communication sites to guest users: use the filter options to select which sites to show news from. In the Content section of the web part settings, you need to select Source: All sites, and Type: News. In the filter and sort section, you need to add a filter for SPSiteURL that contains the relative URL of the site you want to return news from (e.g., /sites/catnews/). You can add multiple filters like this to return results from several sites, including team sites.

Note that for news articles coming from a team site, the guest user needs to be a member of the group to be able to see the news in the web part. It is not enough if they only have permissions on the SharePoint site. However, you can always change the group members to have Read permissions on the SharePoint site if the Edit permission that members get by default is too much.

Custom SharePoint apps (e.g., web parts) don’t load for guest users by default

I made a simple SPFx web part a while back which utilizes the SharePoint Search API. When testing the web part with a guest user, I noticed it didn’t load up correctly. So, I fired up Fiddler and started debugging.

When a guest goes to a page that contains a custom web part, instead of seeing the web part contents, they will see a not-so-nice looking error message. This happens because guest users get an access denied error when trying to access some of the web part’s resources within the app catalogue’s ClientSideAssets directory.

By default, guests don’t have access to the SharePoint app catalogue (where the custom web parts are installed) like regular users do. To get the custom web part to work for them, you need to apply one of the following fixes.

  • Grant them read permissions either to the whole app catalogue (this way guests will be able to use all custom web parts) or just the individual web part you want them to be able to use, or
  • Add the web part resources to Microsoft’s public CDN (content delivery network).

Which method should you choose, then?

When you add the web part resources to the CDN, they (the minified script files etc.) become accessible to anyone anonymously, without the need to authenticate to your tenant. If you have a very productized solution whose source code you want to protect, keep the resources in the app catalogue and grant the guests access there.

If you are not concerned about someone potentially looking into the web part resources, then the CDN is the better option. It offers a couple of benefits:

  • Faster loading time for the web part. When the web part is loaded, the files are fetched from the most optimal location in relation to the current end user.
  • You should also use the CDN if you want your guest users to be able to use your web parts from a mobile browser. Even if you grant guests access to the app catalogue, they will still get an access denied error when browsing the web parts on a mobile device. Apparently, some authentication related cookie is not usable on mobile. I heard that a ticket has been made about this bug by an organization, but Microsoft is yet to fix this issue (update! I have not checked recently whether it has been fixed or not). In the meantime, you can get around it by using the CDN.

You can enable the public CDN by running the following PowerShell script. The ClientSideAssets directory is included in the CDN automatically.

# Tenant admin site URL (replace "mytenant" with your own tenant name)
$adminSiteUrl = "https://mytenant-admin.sharepoint.com"

# Connect to the SharePoint Online Management Shell with an admin account
Connect-SPOService -Url $adminSiteUrl -Credential (Get-Credential)

# Turn on the public (anonymous) CDN for the whole tenant
Set-SPOTenantCdnEnabled -CdnType Public -Enable $true
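Because everything under a public CDN origin is served without authentication, it is worth checking what the tenant actually exposes after enabling it, rather than assuming only ClientSideAssets is affected. The function below is an added example, not code from the original post; it assumes the SharePoint Online Management Shell is installed and an admin connection is already open (the admin URL is a placeholder). It relies on the PublicCdnEnabled property of Get-SPOTenant and on Get-SPOTenantCdnOrigins, both of which exist in the module. Note also that minification is not protection: anything placed on the CDN should be treated as readable by the public.

```powershell
# Added example (not from the original post): report what the public CDN exposes so the
# decision between "app catalogue + guest access" and "public CDN" is made with eyes open.
# Assumptions: SharePoint Online Management Shell is installed; the admin URL is a placeholder.
$adminSiteUrl = "https://mytenant-admin.sharepoint.com"
Connect-SPOService -Url $adminSiteUrl

function Get-PublicCdnStatus {
    # Returns whether the public CDN is on, the full list of origins it serves anonymously,
    # and whether the ClientSideAssets origin (the one SPFx web parts use) is among them.
    $tenant  = Get-SPOTenant
    $origins = @(Get-SPOTenantCdnOrigins -CdnType Public)
    [pscustomobject]@{
        Enabled                 = [bool]$tenant.PublicCdnEnabled
        Origins                 = $origins
        ClientSideAssetsExposed = [bool]($origins | Where-Object { $_ -like "*CLIENTSIDEASSETS*" })
    }
}

$status = Get-PublicCdnStatus
if ($status.Enabled) {
    "Public CDN is enabled. Origins served without authentication:"
    $status.Origins | ForEach-Object { "  $_" }
    if ($status.ClientSideAssetsExposed) {
        "ClientSideAssets is public: every SPFx package's script bundles are readable by anyone."
    }
} else {
    "Public CDN is disabled; web part assets are only reachable via the app catalogue permissions."
}
```

Run this once after enabling the CDN and keep the origin list with your change record; if an origin appears that you did not expect (for example a library that was added to the CDN for a different project), you can remove it with Remove-SPOTenantCdnOrigin before guests start loading the web part.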

Search API queries don’t work for guest users from communication sites

After granting guests access to the app catalog, the next thing I noticed with my web part was that there was an access denied error when executing the search query via the Search API. To my surprise, this was because the guest user didn’t have access to the search center. I fixed the issue by granting them Read access there. You might also need to do this to get the out-of-the-box search results page to work for guests (reported by a reader in the comments).

Even though the search queries were no longer giving an error, guests were still not able to see any content within the custom web part. Fiddler revealed that the underlying issue was that the search query wasn’t returning any results for guests, even though the same query worked flawlessly for regular users with the same permissions.

I started testing whether the query would work via other sites, and it did! Further testing showed that the search API queries worked via any other site type except communication sites. When making the query via a communication site, the result set was always incomplete.

I had previously set up my web part to always make the search query via the site the web part was placed on, because the user would always have access to that site (e.g., https://tenant.sharepoint.com/sites/currentSite/_api/search/query?querytext=%27WebTemplate:GROUP%27&selectproperties=%27path,title,groupid%27&rowlimit=100). So, to work around this issue, I had to think whether there was one site that all my guest users would have access to, and always make the query via that site.

Because granting access to the search center was required when I originally faced this issue, I changed my web part to always execute the query via the search center. Today, a good candidate is the root site, if you created the custom permission level earlier to get the thumbnails working. The permission level grants the user enough permissions to call the search API. But basically, any site will do as long as the users have access to it and the site is not a communication site.
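A quick way to confirm which site to route the query through is to run the exact same Search REST query via two sites as the guest (or a test account with the guest's permissions) and compare the row counts. The script below is an added example, not code from the original post; it assumes the PnP.PowerShell module, that Invoke-PnPSPRestMethod returns the parsed JSON of the search response, and that the two site URLs are placeholders. The query string is the one quoted above.

```powershell
# Added example (not from the original post): run one Search REST query through two sites
# and compare the result counts, reproducing the "incomplete result set via communication
# site" behaviour. Assumptions: PnP.PowerShell is installed, you sign in as the guest or a
# test account with the same permissions, and the site URLs are placeholders.
function Get-SearchRowCount {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $QueryText   # KQL, e.g. WebTemplate:GROUP
    )
    Connect-PnPOnline -Url $SiteUrl -Interactive

    # Same query as the web part; only the site the call goes through changes.
    $encoded = [uri]::EscapeDataString("'$QueryText'")
    $url = "/_api/search/query?querytext=$encoded&selectproperties=%27path,title,groupid%27&rowlimit=100"
    $result = Invoke-PnPSPRestMethod -Url $url -Method Get

    # RowCount is the number of rows returned for this page of results.
    [int]$result.PrimaryQueryResult.RelevantResults.RowCount
}

$query       = "WebTemplate:GROUP"
$viaCommSite = Get-SearchRowCount -SiteUrl "https://mytenant.sharepoint.com/sites/commsite" -QueryText $query
$viaRootSite = Get-SearchRowCount -SiteUrl "https://mytenant.sharepoint.com" -QueryText $query

"Rows via communication site: $viaCommSite"
"Rows via root site:          $viaRootSite"
if ($viaCommSite -lt $viaRootSite) {
    "The guest gets fewer results through the communication site; route the web part's query via the root site instead."
}
```

Running the comparison with a real guest account rather than your own is the important part: search trimming is applied to the calling identity, so an admin will see the full result set through both sites and never reproduce the problem.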

Guests can’t see information about users or groups

This section hasn’t always been in this blog post, but I wanted to add it after several people came to me with the same problem: guest users are not able to view user information or populate group lists.

This can occur if you, for example, have a custom SPFx web part that attempts to get a list of users or groups via Microsoft Graph. To allow guests to view the information, you need to allow them to enumerate users, groups, and other directory resources. This can be done through Azure AD user settings.

  1. Go to https://portal.azure.com
  2. Navigate to Azure Active Directory -> Users -> User settings -> Manage external collaboration settings
  3. Change “Guest users permissions are limited” to “No”.

It can take a little while (15 mins or so) for the setting to come into effect, after which viewing the user and group information should work the same way for guests as it does for regular users.

Before flipping the switch, have a brief conversation with your customer about the risks related to the setting. If you allow guests to enumerate groups and users, it means they can browse the basic information about all of those entities in the Azure Active Directory. If the group names contain classified information (e.g., about current or future projects or customers) or guests should not know the names of all the users (including other guests), it is probably for the best to leave the setting as is and live with the limited functionality guests have.
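The portal switch described above is backed by the guestUserRoleId of the tenant's authorization policy, so it can be read (and audited later) from Microsoft Graph PowerShell. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Policy.ReadWrite.Authorization permission. The three role ids are the documented values for the guest access levels; treat the mapping to the portal labels as my reading of them. The call that actually changes the setting is left commented out so that the script can be used purely as a check.

```powershell
# Added example (not from the original post): read the tenant's guest access level via
# Microsoft Graph so the current state is recorded before anyone flips the portal switch.
# Assumptions: Microsoft.Graph SDK installed; caller has Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Documented guestUserRoleId values and how they correspond to the portal setting
# "Guest users permissions are limited".
$GuestRoleIds = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as members (portal: limited = No)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access to directory objects (portal: limited = Yes, default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted access (own objects only)"
}

function Get-GuestAccessLevel {
    # Returns the role id currently applied to guests together with its meaning.
    $policy = Get-MgPolicyAuthorizationPolicy
    $id = [string]$policy.GuestUserRoleId
    [pscustomobject]@{
        RoleId  = $id
        Meaning = if ($GuestRoleIds.ContainsKey($id)) { $GuestRoleIds[$id] } else { "Unknown role id" }
    }
}

"Current guest access level:"
Get-GuestAccessLevel | Format-List

# Only run the update once the risk discussed above has been accepted: "same access as
# members" lets every guest read the names and memberships of all users and groups.
# Update-MgPolicyAuthorizationPolicy -GuestUserRoleId "a0b1b346-4d3e-4e8b-98f8-753987be4970"
```

Keeping the output of Get-GuestAccessLevel from before and after the change gives you the evidence for the conversation with the customer, and a way to spot if the setting is silently reverted or widened later.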

The Conclusion

There are quite a lot of differences between regular and guest users in SharePoint Online; a lot more than was covered in this article. Many of them are by design — after all, who would be paying for licenses if guest users worked exactly the same way as licensed users? But on the other hand, you can’t expect organizations to buy licenses for the employees of other organizations just so that they can have a good user experience. And it is often those user experience related issues we end up troubleshooting.

For some of the issues we can implement workarounds as described in this article, but for some we need Microsoft’s help. Microsoft has been very active and helpful in solving these issues via premier tickets. They’ve for example promised to fix the site logos on communication sites so they will also show for guest users, and to display the logout menu for guest users on regular pages too (currently guests need to navigate to Site Contents to be able to log out). For guests to get the best possible user experience within those “by design” limitations, be active and let your voice be heard. Tell Microsoft about your experiences by providing feedback and filing bug reports. Only this way can things be improved.


Have you encountered issues with guest users? What kind? Let me know in the comments below (and preferably also make a bug report to Microsoft 😉 )! Also, if you found this article useful and would like to read similar content in the future, make sure to follow me on Twitter to get notified of future posts.

Laura

PS: Did you like the multi-colored theme displayed in the images? If yes, check out my blog post for instructions on how you can create one just like it or similar yourself!

Congratulations, you’ve just finished reading one of my blog post classics! Please note that I’ve personally stopped answering questions left in the comments section of this article because I no longer actively work with the topic. Still, you are more than welcome to comment and ask questions as other readers also often offer their help.


54 thoughts on “SharePoint Online Guest User Troubles and How to Get Past Them”

  • The “add shortcut to onedrive” button is only visible to users that are native to my tenant. Can some suggest how to make this available?

  • Hi Laura,
    Great article. We are looking at this and we are glad that you highlight some challenges.

    We are wondering if you have some insight into guests using the Communication sites. When we create a Communications site, we are not able to invite guests to the site. We can invite guests to any other type of sites such as a MS Group site, or a Teams site. For the Comm site, the error says our organization has turned off this ability and will not allow us to share the site, or manually add them to the SharePoint groups. Interestingly, we fiddled with it, and have successfully registered the guest account in the tenant and added them to the Comm site. But, they still receive an access denied error message when they try to load the site. MS Docs does say guests cannot access a Comm site, so I should take their word for it…. But I am not giving up yet.

    Do you know if it is possible to have guests use the Communications sites? Have you found a workaround for this?

    Thanks,
    Mark

    • Mark, I have not had an issue giving guest (#EXT#) users access to a communication (hub) site.

  • Interesting twist spotted: News web part does not show items from a different site to a guest from an edu-tenant, but other guests see them in the web part across the sites.

  • Hi, I am having issues with Search for Guests, no matter what permissions they have, there are no search results? Do they need specific permission in search somewhere?

  • I have found that guest users do not get the Edit link on the site navigation, even when they are added to the site’s Owners group. They are allowed to modify the navigation through the Site Settings page, but this doesn’t let you create multiple levels of hierarchy like you can do with the modern navigation editor.
    If the site is a hub site it lets them edit the hub-level navigation, though.
