microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

Using guest users in EntraID - Best practices #2549

Open flavioPBadmin opened 5 months ago

flavioPBadmin commented 5 months ago

This is more of a question than an issue regarding implementation that might affect my use case. I have read, in one of the issues here, that to use guests you have to enable multitenant support on the IdP Azure app. That works in my testing with personal accounts added as guests to our tenant. My question is this: we have a number of guests from other company tenants, which have varied configurations, and due to contract reasons we can't really ask them to make any changes to their IT (and it is an office politics minefield to ask them to act as guinea pigs ;D). They are fully invited to our tenant, and personal information on the guest is updated. So, my questions: Will they be able to log in with their account using OpenID? Is the information (fields) synced into Moodle from my tenant (i.e. the guest information)?

Thanks!

ImmortalTreearms commented 5 months ago

External Guests on your tenant with appropriate app permissions should be able to. That was how we initially set up users on our tenant. Multi-tenancy does not work particularly well for this plugin imo, and thus the guest account actually works pretty seamlessly in comparison. Going back to a split tenant like I'm trying to do now is proving to be a headache though because all the guest accounts take precedence when logging back into Moodle, and their fields are populated with the Guest Account settings.

In my case I admin both tenants, but for you, guests should be the better option if you can't get an app registered on their tenant.

flavioPBadmin commented 5 months ago

I have found as much, and going forward I'm deciding that the best way to deal with them would be to create accounts for them on Moodle (using API automations and Moodle web services), due to the very variable set of security rules on external tenants. That keeps it simple: our users (and apprentices and learners that can be onboarded to our tenant) use OpenID (and as such have their 2-factor and security, etc.), while guests (which are apprentices and learners that cannot be onboarded due to their IT policies) get their own account created on Moodle, with 2-factor auth through Moodle. Seems the sanest way, especially because my life has been trying to streamline how we deal with our apprentices, who come from a dozen different companies and gov agencies and as such will not be able to randomly access Microsoft features because their tenant blocks them.

weilai-irl commented 3 months ago

Hi @flavioPBadmin

I can confirm all points made by @ImmortalTreearms in comment https://github.com/microsoft/o365-moodle/issues/2549#issuecomment-2080087084.

There was a proposal to add full multi-tenant support to the plugins, but there are a lot of complexities in this work and it will probably not be implemented any time soon. So for the time being, guest users are probably the best approach to go with.

Regards, Lai

MURBASLMS commented 2 weeks ago

Hi, hijacking this as it is related to guest user sync.

On mdl4.1, latest local and oidc commits for that mdl version.

we want to sync guest users that belong to a specific group. We don't care about the teams side of things, just to sync particular guests.

- have added an external email to an O365 group
- in usersync, checked "Create accounts in Moodle for users in Microsoft Entra ID"
- checked "Sync guest users"
- set usersynccreationrestriction as MS group membership (have tried correct group name and object id)

run the \local_o365\task\usersync task

user is not picked up and created.

Run the task with "Perform a full sync each run" and it ends up pulling in every single guest account in the tenant.

I expected the logic to be: create users, including guest users if they are in the specified group.

With the full forced sync, this user was eventually created, but I'm not sure via what criteria:

Tried deleting and re-syncing, nothing. Only got the guy in with a full forced sync.

Noticed this in the task output:

......... Syncing user itslmstech_gmail.com#ext#@murdochunitest2.onmicrosoft.com ......... User doesn't exist in Moodle ......... Cannot create user because they do not meet the configured user creation restrictions.

then later:

......... Syncing user itslmstech_gmail.com#ext#@murdochunitest2.onmicrosoft.com ......... User doesn't exist in Moodle ......... Created user #270563 ......... Assigning Moodle user 270563 (objectid 91692597-86cb-492c-9e83-b530ca046088) to application ......... User assigned to application.

Any clues?

cheers
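A small triage script for usersync task output like the lines quoted above, added here as an example and not code from the o365-moodle plugin: it parses each "Syncing user" line, flags guests by the #EXT# marker in the UPN, and reports which guests were rejected by the creation restriction versus created (including the rejected-in-one-run, created-in-a-later-run pattern). The sample lines, UPNs and object ids are constructed placeholders modelled on the quoted output.

```python
"""Triage helper for local_o365 usersync task output. Added example for this
thread, not code from the o365-moodle plugin: it parses the "Syncing user" lines
the task prints, flags guests by the #EXT# marker in the UPN, and reports which
guests a run created versus rejected under the creation restriction."""
import re

SEP = re.compile(r"\s*\.{3,}\s*")          # the "........." separators
CREATED_RE = re.compile(r"Created user #(\d+)")
OBJECTID_RE = re.compile(r"objectid ([0-9a-f-]{36})", re.I)
REJECTED = "do not meet the configured user creation restrictions"

# Constructed sample modelled on the lines quoted in the thread; UPNs and ids are placeholders.
SAMPLE_OUTPUT = "\n".join([
    "......... Syncing user guest1_example.com#ext#@contoso.onmicrosoft.com ......... User doesn't exist in Moodle ......... Cannot create user because they do not meet the configured user creation restrictions.",
    "......... Syncing user guest1_example.com#ext#@contoso.onmicrosoft.com ......... User doesn't exist in Moodle ......... Created user #270001 ......... Assigning Moodle user 270001 (objectid 00000000-0000-0000-0000-000000000001) to application ......... User assigned to application.",
    "......... Syncing user guest2_example.org#EXT#@contoso.onmicrosoft.com ......... User doesn't exist in Moodle ......... Cannot create user because they do not meet the configured user creation restrictions.",
    "......... Syncing user member@contoso.onmicrosoft.com ......... User doesn't exist in Moodle ......... Created user #270002 ......... Assigning Moodle user 270002 (objectid 00000000-0000-0000-0000-000000000002) to application ......... User assigned to application.",
])

def parse_usersync_output(text):
    """One record per 'Syncing user' line: upn, guest flag, outcome, ids."""
    records = []
    for line in text.splitlines():
        parts = [p for p in SEP.split(line) if p]
        if not parts or not parts[0].startswith("Syncing user "):
            continue                           # progress or unrelated output
        upn = parts[0][len("Syncing user "):].strip()
        rest = " ".join(parts[1:])
        rec = {"upn": upn, "guest": "#ext#" in upn.lower(), "outcome": "other", "moodle_id": None}
        created = CREATED_RE.search(rest)
        if REJECTED in rest:
            rec["outcome"] = "rejected"
        elif created:
            rec["outcome"] = "created"
            rec["moodle_id"] = int(created.group(1))
        oid = OBJECTID_RE.search(rest)
        rec["objectid"] = oid.group(1) if oid else None
        records.append(rec)
    return records

def guest_report(records):
    """Group guest outcomes by UPN; 'rejected_then_created' is the pattern in the thread."""
    outcomes = {}
    for r in records:
        if r["guest"]:
            outcomes.setdefault(r["upn"], set()).add(r["outcome"])
    return {"created": sorted(u for u, o in outcomes.items() if "created" in o),
            "rejected_only": sorted(u for u, o in outcomes.items() if o == {"rejected"}),
            "rejected_then_created": sorted(u for u, o in outcomes.items() if {"rejected", "created"} <= o)}
```

Feed it the saved output of two consecutive task runs (restricted, then full) and compare the report to the group membership you expect; any guest under "created" that is not in the group is one the full sync pulled in outside the restriction.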