Microsoft Entra ID · Remaining Built-in Roles
Guest Inviter
Can invite guest users independent of the member invitation settings. This is the most limited guest invitation role.
Scope: Guest user invitation with standard user read capabilities
Permissions
- Guest Invitation - Invite B2B guest users
- User Properties - Read standard user properties
- App Roles - Read user app role assignments
- Device Access - Read device for resource account
- Reports - Read direct reports
- Licensing - Read license details
- Management - Read user manager
- Group Membership - Read group memberships
- OAuth - Read OAuth2 grants
- Guest Invitation - Bypass "members can invite guests" restrictions
- Limitation - Cannot manage invited guest properties after invitation
- Limitation - Cannot remove or disable guest users
Common use cases
- External collaboration coordinators
- Partner relationship managers
- Project teams needing external contractors
- Vendor onboarding coordinators
- Training program facilitators with external trainers
- Cross-organizational project leads
- External audit coordination
Best practices
- Use when member invitations are restricted organization-wide
- Combine with access packages for controlled onboarding
- Document business justification for guest invitations
- Coordinate with External Identity Provider Admin for B2B config
- Implement guest invitation approval workflows where possible
- Review guest invitation patterns regularly
- Use access reviews to manage guest lifecycle
- Consider time-limited assignments via PIM
Security considerations
- Cannot modify or remove guests after invitation
- Guest users get access based on sharing policies
- Monitor for excessive guest invitations
- Review guest user activity regularly
- Coordinate with compliance for external data sharing
- Consider conditional access for guest users
- Alert on unusual guest invitation patterns
Common questions
When should I assign the Guest Inviter role?
Assign Guest Inviter when you need to: External collaboration coordinators; Partner relationship managers; Project teams needing external contractors; Vendor onboarding coordinators; and Training program facilitators with external trainers. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Guest Inviter role do?
The Guest Inviter role grants permissions including: Guest Invitation - Invite B2B guest users; User Properties - Read standard user properties; App Roles - Read user app role assignments; Device Access - Read device for resource account; Reports - Read direct reports; and Licensing - Read license details. See the Permissions section above for the full list.
What are the security risks of the Guest Inviter role?
Key considerations when assigning Guest Inviter: Cannot modify or remove guests after invitation; Guest users get access based on sharing policies; Monitor for excessive guest invitations; and Review guest user activity regularly. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.