Using guest users in EntraID - Best practices

[flavioPBadmin]

This is more of a question that an issue regarding implementation that might affect my use case.
I have read, on of the issues here, to use guests you have to enable multitenant support on the IdP azure app. That works on my testing with personal accounts added as guests to out tenant.
My question is this, we have a number of guests from other company tenants, which have varied configurations and due contract reasons we can't really ask them to make any changes to their IT (and is a office politics minefield to ask them to act as guinea pigs ;D). They are fully invited to our tenant, personal information on the guest is updated.
So, my questions:
Will they be able login with their account using OpenID?
Is the information, fields, synced into Moodle from my tenant (i.e the guest information)?

Thanks!

[ImmortalTreearms]

External Guests on your tenant with appropriate app permissions should be able to. That was how we initially set up users on our tenant. Multi-tenancy does not work particularly well for this plugin imo, and thus the guest account actually works pretty seamlessly in comparison. Going back to a split tenant like I'm trying to do now is proving to be a headache though because all the guest accounts take precedence when logging back into Moodle, and their fields are populated with the Guest Account settings.

In my case I admin both tenants, but for you, guests should be the better option if you can't get an app registered on their tenant.

[flavioPBadmin]

I have found as much, even going even forward into deciding the best way to deal with them would be to create accounts for them on Moodle (using API automations and Moodle webservices), due to the very variable set of security rules on external tenants. That keeps it simple, our users (and apprentices and learners that can be onboarded to our tenant) use OpenID (and as such have their 2factor and security, etc., guests (which are apprentices and learners that cannot be onboarded due to their IT policies) get their own account created on Moodle, with 2 factor auth through Moodle. Seems the sanest way, especially because my life has been trying to streamline how we deal with our apprentices, that comes from dozen different companies and gov agencies and as such will not be able to randomly access Microsoft features because their tenant blocks them.

[weilai-irl]

Hi @flavioPBadmin

I can confirm all points made by @ImmortalTreearms in comment #2549 (comment).

• Multi tenancy feature in these plugins only allow users from additional tenants to login. The roaming users don't have permission to use the Azure app in the hosting tenant, therefore user sync features using Graph APIs are not available to them.
• Guest users may provide more functionalities in regard to user sync / field mapping on the other hand. Once an account is added to your hosting tenant SSO should work; Graph API calls made using the Azure app can access the guest users, therefore should work too.

There was a proposal to add full multi-tenant support to the plugins, but there are a lot of complexities in this work and it will probably not be implemented any time soon. So for the time being, guest users is probably the best approach to go.

Regards,
Lai