Login with alias or as guest user
Updated over a week ago

Introduction

Depending on your organization's needs, you may want to give external users access to the workspace via a guest account, or allow internal users to log in using an alias instead of their UPN. Both are possible, and this article explains how to set them up.

Note that there are some limitations for guest users:

  • Guest users cannot be imported manually; you must use SCIM (recommended) or the Azure AD synctool.

  • Guest users cannot use email or the calendar.

  • Guest users are not automatically assigned the correct permissions for applications. If you want to give access to the Documents app, for example, access must be granted in SharePoint under site permissions.

SSO app Manifest

As of v2.4.5 of our create environment script, this step is already performed when creating the environment.

The first step is to change the SSO app registration in Azure.

  1. Sign into the Azure Portal as a Global Admin.

  2. Go to App registrations.

  3. Select your Workspace SSO App Registration.

  4. Select Manifest.

  5. Look for the "optionalClaims": null, line.

  6. Replace it with:

    "optionalClaims": {
        "idToken": [
            {
                "name": "upn",
                "essential": false,
                "additionalProperties": ["include_externally_authenticated_upn"]
            }
        ]
    },

  7. Click Save.

You can now add guest users from your Entra ID to Workspace using SCIM or the Azure AD synctool. Guest users can log in with their own UPN and password.
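To confirm the change was saved as intended, the manifest JSON can be copied from the portal and checked offline. The following is an added example, not part of the original article or the vendor's tooling; the function name check_manifest and the sample manifests are constructed for illustration.

```python
import json

REQUIRED_PROPERTY = "include_externally_authenticated_upn"

def check_manifest(manifest_text):
    """Return a list of problems; an empty list means the manifest
    carries the optionalClaims setting described in step 6."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc.msg}"]
    claims = manifest.get("optionalClaims")
    if claims is None:
        return ['"optionalClaims" is still null']
    if not isinstance(claims, dict):
        return ['"optionalClaims" is not an object']
    # The claim must be configured for the ID token; an entry under
    # accessToken or saml2Token alone does not satisfy step 6.
    id_token = claims.get("idToken") or []
    upn = [c for c in id_token if isinstance(c, dict) and c.get("name") == "upn"]
    if not upn:
        return ['no "upn" entry under optionalClaims.idToken']
    problems = []
    if len(upn) > 1:
        problems.append('more than one "upn" entry under idToken')
    if not any(REQUIRED_PROPERTY in (c.get("additionalProperties") or [])
               for c in upn):
        problems.append(f'"upn" entry lacks additionalProperties "{REQUIRED_PROPERTY}"')
    return problems

# Constructed sample manifests (trimmed to the relevant key).
BEFORE = '{"optionalClaims": null}'
AFTER = json.dumps({"optionalClaims": {"idToken": [
    {"name": "upn", "essential": False,
     "additionalProperties": [REQUIRED_PROPERTY]}]}})
WRONG_TOKEN = json.dumps({"optionalClaims": {"accessToken": [
    {"name": "upn", "essential": False,
     "additionalProperties": [REQUIRED_PROPERTY]}]}})
MISSING_PROPERTY = json.dumps({"optionalClaims": {"idToken": [
    {"name": "upn", "essential": False, "additionalProperties": []}]}})

if __name__ == "__main__":
    for label, text in [("before", BEFORE), ("after", AFTER),
                        ("wrong token", WRONG_TOKEN),
                        ("missing property", MISSING_PROPERTY)]:
        print(label, "->", check_manifest(text) or "OK")
```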

To let users log in with an alias, additional configuration is required. Continue reading below.


Email as alternate login ID (required for login via alias)

To ensure users can log in with an alias, you must enable the Email as alternate login ID feature in Microsoft Entra ID.

  1. Sign into the Azure Portal as a Global Admin.

  2. Go to Microsoft Entra ID > Microsoft Entra Connect > Connect Sync.

  3. Under User Sign-In, click Email as alternate login ID.

  4. Check the Email as an alternate login ID checkbox and click Save.

  5. Wait for the policy to take effect. We have no control over how long this takes.
