Add guest users
You can invite people that are not part of your organization to collaborate with you in WorkZone as guest users. You can, for example, collaborate on cases and documents with users across organizations, or you can share access to a WorkZone instance with, for example, subject matter experts or consultants to collaborate on and share the information that they need for specific purposes.
To set up guest users, follow these steps:
-
Set up SCIM provisioning of guest users from Azure AD to your WorkZone tenant.
-
Invite the guest users into your tenant.
-
Assign WorkZone groups to the guest users.
Set up SCIM provisioning of guest users
Guest users do not have a UPN (User Principal Name) as part of their token as internal WorkZone users do when they sign in to your WorkZone tenant, see Enroll WorkZone in Azure and set up SCIM provisioning. When provisioning guest users to WorkZone, Microsoft Azure Object ID is used instead of UPN to identify users.
To make sure that guest users can log in to WorkZone after SCIM provisioning, you need to map Azure Object ID to the ExternalId attribute.
Map Azure Object ID
-
Sign in to the Azure Portal as an Azure AD administrator.
-
Go to Enterprise Applications and select your "SCIM provisioning" app.
-
Go to Provisioning and then click Edit attribute mappings.
-
Expand Mappings and click Provision Azure Active Directory Users.
-
On the Attribute Mapping page, click the ExternalId attribute, and change the source attribute to ObjectId. If the ExternalId attribute does not exist, you can add it.
Invite guest users
Invite guest users in to your tenant from the Azure Portal. Guest users use their own accounts. You must have a role as an Azure AD administrator to be able to add guest users. Read more about adding guest users and sending invitations in the Microsoft Azure AD documentation, for example in the Microsoft article Quickstart: Add a guest user and send an invitation.
Assign groups to a guest user
-
Sign in to the Azure Portal as an Azure AD administrator.
-
Navigate to the external users, you have invited.
-
Go to Groups to add WorkZone groups that represent security codes, access codes, and profiles. See Provision Azure AD to WorkZone.
Remove a guest user
Delete a user from Azure AD
When you delete a guest user from your WorkZone tenant, the guest user will be able to work and refresh an already opened WorkZone session for some time, depending on the lifetime of the token. The user will not be able to log in to WorkZone on a new tab.
Close a contact in WorkZone
If you set an end date on guest users in WorkZone, the users will be deleted from Azure AD. See Close a contact.
Re-add a guest user
If you re-add a guest user, the guest user's UPN (email) is used to see if the user has had access to WorkZone previously.