Microsoft Entra ID · Remaining Built-in Roles
Guest Inviter
Can invite guest users independent of the member invitation settings. This is the most limited guest invitation role.
Scope: Guest user invitation with standard user read capabilities
Permissions
- Guest Invitation - Invite B2B guest users
- User Properties - Read standard user properties
- App Roles - Read user app role assignments
- Device Access - Read device for resource account
- Reports - Read direct reports
- Licensing - Read license details
- Management - Read user manager
- Group Membership - Read group memberships
- OAuth - Read OAuth2 grants
- Guest Invitation - Bypass "members can invite guests" restrictions
- Limitation - Cannot manage invited guest properties after invitation
- Limitation - Cannot remove or disable guest users
Common use cases
- External collaboration coordinators
- Partner relationship managers
- Project teams needing external contractors
- Vendor onboarding coordinators
- Training program facilitators with external trainers
- Cross-organizational project leads
- External audit coordination
Best practices
- Use when member invitations are restricted organization-wide
- Combine with access packages for controlled onboarding
- Document business justification for guest invitations
- Coordinate with External Identity Provider Admin for B2B config
- Implement guest invitation approval workflows where possible
- Review guest invitation patterns regularly
- Use access reviews to manage guest lifecycle
- Consider time-limited assignments via PIM
Security considerations
- Cannot modify or remove guests after invitation
- Guest users get access based on sharing policies
- Monitor for excessive guest invitations
- Review guest user activity regularly
- Coordinate with compliance for external data sharing
- Consider conditional access for guest users
- Alert on unusual guest invitation patterns
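Added example (not part of the original role reference and not Microsoft's code): one way to act on "Monitor for excessive guest invitations" and "Alert on unusual guest invitation patterns" by counting successful invitations per inviter in a sliding window over exported Entra audit log records. The sample records are constructed and use Microsoft Graph directoryAudit field names; the function names and the threshold of 3 invitations per hour are assumptions to tune per tenant.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

INVITE_ACTIVITY = "Invite external user"  # activity name in the Entra audit log

def _rec(ts, upn, activity=INVITE_ACTIVITY, result="success"):
    """Build one constructed record shaped like a Graph directoryAudit entry."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "result": result, "initiatedBy": {"user": {"userPrincipalName": upn}}}

# Constructed sample data (not real tenant logs).
SAMPLE_AUDIT = (
    [_rec(f"2024-05-06T09:{m:02d}:00Z", "alice@contoso.example") for m in (0, 10, 20, 30, 40)]
    + [_rec(f"2024-05-06T{h:02d}:00:00Z", "bob@contoso.example") for h in (0, 6, 12, 18)]
    + [_rec(f"2024-05-06T10:0{m}:00Z", "carol@contoso.example", result="failure") for m in range(4)]
    + [_rec("2024-05-06T09:05:00Z", "alice@contoso.example", activity="Update user")]
)

def find_invite_bursts(records, max_invites=3, window=timedelta(hours=1)):
    """Map each inviter to their peak count of successful invitations inside
    any sliding window, keeping only inviters whose peak exceeds max_invites."""
    by_inviter = defaultdict(list)
    for r in records:
        if r.get("activityDisplayName") != INVITE_ACTIVITY or r.get("result") != "success":
            continue  # skip other activities and failed invitations
        upn = ((r.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        if not upn:
            continue  # invitation made by an app/service principal, not a user
        ts = datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00"))
        by_inviter[upn.lower()].append(ts)

    flagged = {}
    for upn, times in by_inviter.items():
        recent, peak = deque(), 0
        for ts in sorted(times):
            recent.append(ts)
            while ts - recent[0] > window:  # drop events older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > max_invites:
            flagged[upn] = peak
    return flagged

if __name__ == "__main__":
    for upn, peak in find_invite_bursts(SAMPLE_AUDIT).items():
        print(f"ALERT {upn}: {peak} guest invitations within one hour")
```

Comparing the flagged inviters against current Guest Inviter role assignments shows whether a burst came from someone expected to invite guests at that volume.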