Microsoft Entra ID · Remaining Built-in Roles

Guest Inviter

Can invite guest users independent of the member invitation settings. This is the most limited guest invitation role.

Scope: Guest user invitation with standard user read capabilities

Permissions

  • Guest Invitation - Invite B2B guest users
  • User Properties - Read standard user properties
  • App Roles - Read user app role assignments
  • Device Access - Read device for resource account
  • Reports - Read direct reports
  • Licensing - Read license details
  • Management - Read user manager
  • Group Membership - Read group memberships
  • OAuth - Read OAuth2 grants
  • Guest Invitation - Bypass "members can invite guests" restrictions
  • Limitation - Cannot manage invited guest properties after invitation
  • Limitation - Cannot remove or disable guest users

Common use cases

  • External collaboration coordinators
  • Partner relationship managers
  • Project teams needing external contractors
  • Vendor onboarding coordinators
  • Training program facilitators with external trainers
  • Cross-organizational project leads
  • External audit coordination

Best practices

  • Use when member invitations are restricted organization-wide
  • Combine with access packages for controlled onboarding
  • Document business justification for guest invitations
  • Coordinate with External Identity Provider Admin for B2B config
  • Implement guest invitation approval workflows where possible
  • Review guest invitation patterns regularly
  • Use access reviews to manage guest lifecycle
  • Consider time-limited assignments via PIM

Security considerations

  • Cannot modify or remove guests after invitation
  • Guest users get access based on sharing policies
  • Monitor for excessive guest invitations
  • Review guest user activity regularly
  • Coordinate with compliance for external data sharing
  • Consider conditional access for guest users
  • Alert on unusual guest invitation patterns

Common questions

When should I assign the Guest Inviter role?

Assign Guest Inviter when you need to: External collaboration coordinators; Partner relationship managers; Project teams needing external contractors; Vendor onboarding coordinators; and Training program facilitators with external trainers. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Guest Inviter role do?

The Guest Inviter role grants permissions including: Guest Invitation - Invite B2B guest users; User Properties - Read standard user properties; App Roles - Read user app role assignments; Device Access - Read device for resource account; Reports - Read direct reports; and Licensing - Read license details. See the Permissions section above for the full list.

What are the security risks of the Guest Inviter role?

Key considerations when assigning Guest Inviter: Cannot modify or remove guests after invitation; Guest users get access based on sharing policies; Monitor for excessive guest invitations; and Review guest user activity regularly. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →