Preparing Your Tenant for External User Manager

Updated over 3 weeks ago

Because External User Manager is built around existing Administrative Structures from Microsoft, certain aspects of your tenant directly affect its functionality.

In this article, we'll discuss the most common settings, features, and workarounds that should be applied before you actually install External User Manager.

Performing these procedures will help you avoid common issues and serve as a solid foundation for your new guest user infrastructure.

1. Exchange and Service Accounts


Within External User Manager, there are several places where you might need to add an Exchange/Service Account. These accounts serve a crucial role in sending out Email Notifications and performing different actions that are not possible solely through the Graph API.

For instance, during the Initial Setup, you might consider adding a Service Account that will enable you to utilize Organization Functionality to its fullest extent.

Or you might choose to opt for an Exchange Account for Mailing, instead of utilizing our built-in service.

💡 Feel free to check out our dedicated Notifications article for more information about mailing options.

Either way, these accounts will serve an important role in the daily actions performed by EUM. That is why it's incredibly important that you use accounts that are Cloud Only (not OnPrem Synced): OnPrem Synced Accounts tend to experience issues when communicating with the Graph API and will most likely cause hiccups during these daily activities.

💡 If you're experiencing issues with Email delivery or Organization functionality, make sure to check the type of account you're using. If it's an OnPrem Synced Account, swapping it out for a Cloud Only one will most likely resolve the issue.

2. M365 Group Permissions


As discussed earlier, we built our entire system around Microsoft's existing infrastructure, which comes with some interesting quirks.

For instance, if the tenant-wide M365 Group Invitation Settings are not configured correctly, EUM will be unable to invite Guests, which defeats the entire purpose of the application (Guest Management).

In order to ensure that EUM can actually invite users into your organization, you must make sure that Group Owners are allowed to Invite Guests into the enterprise.

Here's how it's done:

  1. Navigate to Settings > Org settings in your M365 Admin Center.

  2. Find Microsoft 365 Groups and open the corresponding settings panel.

  3. Enable the Let group owners add people outside your organization to Microsoft 365 Groups as guests setting.

  4. Click Save to apply the changes.

Now EUM will be able to add guests to your organization without any unexpected issues.

💡 If you're experiencing an issue where EUM cannot add Guests to your organization, check if this setting is disabled; if so, enabling it should resolve the issue.

3. External Identities


Staying on the Guest Invite topic, there's another setting in M365 that might cause Guest Invitation issues when misconfigured.

If the Guest Invite Settings in Azure are configured to only allow Admins to invite Guests into the organization, and your Service Account doesn't have at least a Guest Inviter role, you might run into the issue of being unable to invite guests through EUM.

To ensure that EUM can freely invite Guests, we need to either relax this restriction or simply grant the Service Account the Guest Inviter role.

Here's how you can loosen the restrictions:

  1. Navigate to Microsoft Azure > Microsoft Entra ID.

  2. Select External Identities > External collaboration settings.

  3. Make sure that Guest invite restrictions are NOT set to No one in the organization can invite guest users including admins (most restrictive).

     This is the only setting that will outright prevent Guest Invitations and render EUM unable to do its job.

  4. You're free to choose between the other three options, making sure to grant the appropriate role to your Service Account to ensure that it functions as intended.

💡 If you're experiencing Guest Invitation issues, it's worth checking if you have a blanket restriction for all inviters or whether your Service Account is lacking the appropriate role.

4. Domain Management


Microsoft allows you to have Domain Blacklists/Whitelists, which supersede EUM's capabilities.

This means that if you have a Domain Blacklist, EUM will be unable to add users with those Domains to your organization. If you have a Domain Whitelist, EUM will be unable to add users that don't fall under those Domains.

Keep in mind that the Whitelist is tied into Organization Functionality within EUM; more on that here.

The state of this setting will depend on your current organizational standards; however, prior to installing EUM, it's highly advised to either clear out the blacklists/whitelists or keep them and be mindful of their impact on invites.

Here's how you can do that:

  1. Navigate to Microsoft Azure > Microsoft Entra ID.

  2. Select External Identities > External collaboration settings.

  3. Scroll all the way down until you find Collaboration restrictions.

  4. Feel free to either remove them entirely or take a mental note of your setup to know how it will interact with EUM.

💡 If you're experiencing issues with adding Guests with certain Domain Names and not others, it's most likely resolvable by adjusting these Collaboration Settings.
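
The checks from sections 1, 3 and 4 can be combined into one offline pre-flight test. The following is an added example, not code from External User Manager or Microsoft: the field names allowInvitesFrom and onPremisesSyncEnabled follow Microsoft Graph, while the dictionary layout, the helper names and the sample values are constructed, and exact-match domain comparison is an assumption.

```python
# Added example, not vendor code. Field names follow Microsoft Graph
# (allowInvitesFrom, onPremisesSyncEnabled); the dict layout, helper names
# and sample values are constructed for illustration.

# allowInvitesFrom value -> who may invite. Admin roles are not modelled:
# the service account is treated as a member with optional directory roles.
INVITERS = {
    "none": set(),
    "adminsAndGuestInviters": {"Guest Inviter"},
    "adminsGuestInvitersAndAllMembers": {"Guest Inviter", "member"},
    "everyone": {"Guest Inviter", "member", "guest"},
}

def domain_allowed(email, allowed, blocked):
    """A non-empty allow list admits only its domains; otherwise the block
    list rejects its domains. Exact, case-insensitive match (assumption)."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not (local and sep and domain):
        return False
    if allowed:
        return domain in {d.lower() for d in allowed}
    return domain not in {d.lower() for d in blocked}

def invite_blockers(tenant, account, guest_email):
    """Return the reasons an invitation would fail; empty list means none."""
    findings = []
    if account.get("onPremisesSyncEnabled"):
        findings.append("service account is OnPrem Synced, use Cloud Only")
    setting = tenant["allowInvitesFrom"]
    holder = {"member"} | set(account.get("roles", []))
    if setting not in INVITERS:
        findings.append(f"unrecognised allowInvitesFrom value: {setting}")
    elif setting == "none":
        findings.append("invite restrictions block everyone, admins included")
    elif not holder & INVITERS[setting]:
        findings.append("service account lacks the Guest Inviter role")
    if not domain_allowed(guest_email, tenant.get("allowedDomains", []),
                          tenant.get("blockedDomains", [])):
        findings.append(f"collaboration restrictions reject {guest_email}")
    return findings

# Constructed sample state.
TENANT = {"allowInvitesFrom": "adminsAndGuestInviters",
          "allowedDomains": [], "blockedDomains": ["blocked.example"]}
SYNCED = {"onPremisesSyncEnabled": True, "roles": []}
CLOUD = {"onPremisesSyncEnabled": None, "roles": ["Guest Inviter"]}

if __name__ == "__main__":
    for acct in (SYNCED, CLOUD):
        print(invite_blockers(TENANT, acct, "pat@partner.example"))
```

Granting the Service Account the Guest Inviter role satisfies the check without widening who else in the tenant may invite guests.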

⛑️ Need more help?


Get further assistance with Teams Manager through our support chat widget within the app, or reach out to us at [email protected]