B2B collaboration invitation redemption

Applies to: Workforce tenants (does not apply to External tenants)

This article describes how guest users can access your resources and the consent process they encounter. If you send an invitation email to the guest, the invitation includes a link that the guest can redeem to access your app or portal. The invitation email is just one way guests can access your resources. Alternatively, you can add guests to your directory and give them a direct link to the portal or app you want to share. Regardless of the method they use, guests are guided through a first-time consent process. This process ensures that your guests agree to privacy terms and accept any terms of use you've set up.

When you add a guest user to your directory, the guest user account has a consent status (viewable in PowerShell) that’s initially set to PendingAcceptance. This setting remains until the guest accepts your invitation and agrees to your privacy policy and terms of use. After that, the consent status changes to Accepted, and the consent pages are no longer presented to the guest.
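The consent status described above can be audited in bulk. The following script is an added example, not part of the original article: it uses the Microsoft Graph PowerShell SDK to read each guest's `externalUserState` property and flag invitations that have stayed in PendingAcceptance past a review threshold. The 30-day threshold and the report column names are assumptions chosen for this example.

```powershell
# Added example: report guest consent status and flag unredeemed invitations.
# Requires the Microsoft.Graph.Users module and the User.Read.All permission.
# For a national cloud, add -Environment (for example, -Environment China).
Connect-MgGraph -Scopes 'User.Read.All'

# Assumption: invitations pending longer than this are worth reviewing.
$staleAfterDays = 30
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

# These properties are not returned by default, so request them explicitly.
$props = 'id', 'displayName', 'mail', 'userType', 'createdDateTime',
         'externalUserState', 'externalUserStateChangeDateTime'

$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property $props

$report = foreach ($g in $guests) {
    # Fall back to the creation time if no state change was recorded.
    $changed = $g.ExternalUserStateChangeDateTime
    if (-not $changed) { $changed = $g.CreatedDateTime }
    $changedUtc = if ($changed) { ([datetime]$changed).ToUniversalTime() } else { $null }

    [pscustomobject]@{
        DisplayName     = $g.DisplayName
        Mail            = $g.Mail
        ConsentStatus   = $g.ExternalUserState      # PendingAcceptance or Accepted
        StateChangedUtc = $changedUtc
        Stale           = ($g.ExternalUserState -eq 'PendingAcceptance' -and
                           $null -ne $changedUtc -and $changedUtc -lt $cutoff)
    }
}

# Summary: how many guests are in each consent status.
$report | Group-Object ConsentStatus | Select-Object Name, Count

# Detail: invitations never redeemed within the threshold, oldest first.
$report | Where-Object Stale | Sort-Object StateChangedUtc |
    Format-Table DisplayName, Mail, ConsentStatus, StateChangedUtc -AutoSize
```

Guests listed in the second table have an account in the directory but have never completed the first-time consent process, which makes them candidates for re-invitation or removal.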

As an alternative to the invitation email or an application's common URL, give a guest a direct link to your app or portal. First, add the guest user to your directory via the Microsoft Entra admin center or PowerShell. Then use any of the customizable ways to deploy applications to users, including direct sign-on links. When a guest uses a direct link instead of the invitation email, they’re still guided through the first-time consent experience.

Note

A direct link is tenant-specific. In other words, it includes a tenant ID or verified domain so the guest can be authenticated in your tenant, where the shared app is located. Here are some examples of direct links with tenant context:

  • Microsoft Entra admin center: https://entra.microsoftonline.cn/<tenant id>

Here are some things to note about using a direct link versus an invitation email:

  • Email aliases: Guests who use an alias of the email address that was invited need an email invitation. (An alias is another email address associated with an email account.) The user must select the redemption URL in the invitation email.

  • Conflicting contact objects: The redemption process has been updated to prevent sign-in issues when a guest user object conflicts with a contact object in the directory. Whenever you add or invite a guest with an email that matches an existing contact, the proxyAddresses property on the guest user object is left empty. Previously, External ID searched only the proxyAddresses property, so direct link redemption failed when it couldn’t find a match. Now, External ID searches both the proxyAddresses and invited email properties.

Redemption process through the invitation email

When you add a guest user to your directory by using the Microsoft Entra admin center, an invitation email is sent to the guest. You can also choose to send invitation emails when you’re using PowerShell to add guest users to your directory. Here’s a description of the guest’s experience when they redeem the link in the email.

  1. The guest receives an invitation email that's sent from Microsoft Invitations.
  2. The guest selects Accept invitation in the email.
  3. The guest is guided through the consent experience described below.

When a guest signs in to a resource in a partner organization for the first time, they're presented with the following consent experience. These consent pages are shown to the guest only after sign-in, and they aren't displayed at all if the user has already accepted them.

  1. The guest reviews the Review permissions page describing the inviting organization's privacy statement. A user must Accept the use of their information in accordance with the inviting organization's privacy policies to continue.

    By agreeing to this consent prompt, you acknowledge that certain elements of your account will be shared. These include your name, photo, and email address, as well as directory identifiers which might be used by the other organization to better manage your account and improve your cross-organization experience.

    Note

    For information about how you as a tenant administrator can link to your organization's privacy statement, see How-to: Add your organization's privacy info in Microsoft Entra ID.

  2. If terms of use are configured, the guest opens and reviews the terms of use, and then selects Accept.

    You can configure terms of use in External Identities > Terms of use.

  3. Unless otherwise specified, the guest is redirected to the Apps access panel, which lists the applications the guest can access.

In your directory, the guest's Invitation accepted value changes to Yes. For more information about guest user account properties, see Properties of a Microsoft Entra B2B collaboration user. If you see an error that requires admin consent while accessing an application, see how to grant admin consent to apps.
