by Chad Olson, MCTS, MCSE, MCP at Sensei Project Solutions
External users within Project Online will allow organizations to add guest accounts, such as vendors, partners, etc. to participate in their Project Online environment. Previously, organizations would have to create an account in their Azure Active Directory and maintain the user account and password policies. This new functionality will allow these users to connect to Project Online using their existing accounts and work seamlessly within Project Online.
Microsoft released the ‘External users support for Project Online’ feature recently without much exposure or formal announcements. It now shows up in the Office 365 Roadmap as ‘Launched’ as of January 04, 2018.
Figure 1: Office 365 Roadmap
Microsoft recently posted an article on this feature. This blog post is intended to give a more detailed procedure for getting it to work in your environment.
The guest user will need to have either an account in their own Azure Active Directory (AAD) or a Microsoft Account (MSA). You can obtain a free Microsoft account that is tied to any email address or phone number by going to https://login.live.com/login.srf?lw=1 and selecting No account? Create one!
Figure 2: Create a Microsoft Account
Tenant Sharing Prerequisite
Within the Office 365 tenant, your global administrator will need to allow Sharing to have this functionality enabled. This is done from the Office 365 Admin Center portal > Settings > Security & privacy > Sharing.
Figure 3: Tenant Level Sharing Setting
Configure Sharing for Project Web App
Next, your site collection instance for Project Online needs to have Sharing turned on. Your Office 365 global administrator or SharePoint administrator will need to perform this action. To access the site collection settings, go to the Office 365 Admin Center portal > Admin Centers > SharePoint. Then select the checkbox for the site collection for your Project Web App instance and click the Sharing button in the ribbon.
Figure 4: Site Collection Sharing Setting
You are then presented with several sharing options for people outside your company. We think most organizations would want to control which guest users are invited, so selecting the second option, “Allow sharing only with the external users that already exist in your organization’s directory,” will make the most sense for typical organizations. Organizations that want to allow their users to invite guests can use the “Allow external users who accept sharing invitations and sign in as authenticated users” option. Once the user accepts the invite, the account gets added to Azure Active Directory as a guest account.
Figure 5: Site Collection Sharing Options
Note: The last option to “Allow sharing with all external users, and by using anonymous access links” only applies for documents and folders within SharePoint Online and thus cannot be used for sharing the Project Web App (PWA) site.
Adding a Guest Account
A guest account is an account for an individual who is not a member of your organization. Typically, Office 365 global or user administrators would add a user to Azure Active Directory (AAD) either by using the Office 365 Admin Portal or by having the account synchronized from their on-premises Active Directory using Azure AD Connect. As of this writing, neither the Office 365 Admin Portal nor Azure AD Connect supports adding guest accounts. To add one, you will need to connect to the Azure AD Portal at https://portal.azure.com. After logging into the portal, access the Azure Active Directory link from the left-hand navigation.
Figure 6: Azure Active Directory Portal
Then go to Users and groups under the Manage section.
Figure 7: Users and groups
Click on All users and then New guest user.
Figure 8: New guest user
Enter the email address of the external user and optionally a personal message with the invitation and then click the Invite button at the bottom of the screen.
Figure 9: Invite a guest
You will see a success notification at the top right of the screen and then see the user listed as a Guest account in your directory.
Click on the username and go to the Profile link under the Manage section. You will need to fill out the display Name, First name, Last name, Usage location, and upload a photo and then click Save. You will get an error if any of these actions are not completed.
Figure 10: Editing Profile Details
The guest user will then be sent an invitation email that will look similar to what is shown below.
Figure 11: Invitation Email
The guest user then needs to click the Get Started button link to start the process of accepting the invite.
After clicking the Get Started button, the user is presented with a webpage stating that they need to have an account tied to that email address and that the organization will have access to their display name and email address in its directory.
Figure 12: Invitation Acceptance
The user then clicks the Next button and is presented with the following screen that shows any Apps that are shared with the user.
Note: Project Online will not be added to this screen so it can be ignored and closed for this purpose.
Figure 13: Organizational Apps for Guest Users
The guest user will need to be assigned a Project Online license to participate in Project Online and the related project sites. At a minimum, a Project Online Essential license is required. Please refer to the Project Online Service Description page for more details on licensing requirements. To assign a license, go to the Licenses section within the same screen for editing the user in the Azure Active Directory Admin Portal.
Figure 14: Manage Licenses
Click the Assign button.
Figure 15: Assign Licenses
Choose the Products flyout menu and then click the checkbox for Project Online Essential (or Project Online Professional or Premium based on your needs) and click the Select button.
Figure 16: Available Office 365 Licenses
Choose the Assignment Options flyout and turn on the various subplans that come with the subscription and click OK.
Figure 17: Available related subplan licenses
Then click the Assign button at the bottom of the screen.
Figure 18: Assign License
You will now see the licenses are assigned to the user.
Figure 19: Allocated Licenses
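The portal steps above (tenant and site collection sharing, guest invitation, license assignment) can also be scripted, which makes the chosen sharing level and the set of licensed guests easy to review. This is an added example, not part of the original post or Microsoft's article; it assumes the SharePoint Online Management Shell and Microsoft Graph PowerShell modules are installed, and the URLs, guest address, display name and usage location are placeholders.

```powershell
# Added example. All values below are placeholders (assumptions), not from the post.
$adminUrl   = 'https://contoso-admin.sharepoint.com'       # hypothetical tenant admin URL
$pwaUrl     = 'https://contoso.sharepoint.com/sites/pwa'   # hypothetical PWA site collection
$guestEmail = 'vendor.pm@fabrikam.example'                 # constructed sample guest
$skuPart    = 'PROJECTESSENTIALS'                          # Project Online Essentials SKU

# 1. Tenant prerequisite: sharing must not be disabled at the tenant level.
Connect-SPOService -Url $adminUrl
if ((Get-SPOTenant).SharingCapability -eq 'Disabled') {
    throw 'External sharing is disabled for the tenant; enable it first.'
}

# 2. PWA site collection: share only with guests that already exist in the directory.
Set-SPOSite -Identity $pwaUrl -SharingCapability ExistingExternalUserSharingOnly

# 3. Invite the guest; the invitation creates the guest account in Azure AD.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.ReadWrite.All', 'Organization.Read.All'
$invite = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
    -InvitedUserDisplayName 'Vendor PM (Fabrikam)' `
    -InviteRedirectUrl $pwaUrl -SendInvitationMessage:$true
$guestId = $invite.InvitedUser.Id

# 4. Set a usage location, then assign the license if a seat is free.
Update-MgUser -UserId $guestId -UsageLocation 'US'
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPart
if (-not $sku) { throw "SKU $skuPart is not present in this tenant." }
if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) { throw "No free $skuPart seats." }
Set-MgUserLicense -UserId $guestId -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# 5. Verify the result, then list every guest holding this license for review.
Get-SPOSite -Identity $pwaUrl | Select-Object Url, SharingCapability
$props = 'Id', 'DisplayName', 'UserPrincipalName', 'ExternalUserState', 'AssignedLicenses'
Get-MgUser -Filter "userType eq 'Guest'" -All -Property $props |
    Where-Object { $_.AssignedLicenses.SkuId -contains $sku.SkuId } |
    Select-Object DisplayName, UserPrincipalName, ExternalUserState
```

Guests whose ExternalUserState is still PendingAcceptance have not redeemed their invitation yet.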
Adding the guest user to Project Online
The next step is for your Project Online Administrator to add the user to your Project Online instance. This step depends on whether you are using Project Permission Mode or SharePoint Permission Mode. More info on differences can be found here.
Project Permission Mode
Although Project Permission Mode is not the default in Project Online, we encourage all our clients to use it as it offers more flexibility. If you are using Project Permission Mode, you can also leverage Active Directory Sync with security groups or manually add the user.
Active Directory Sync
If you have Active Directory Sync set up for your security groups, you can just add the guest user to the proper group and it will provision the account for you in the Project Online instance at the next scheduled sync time. To see if you have this set up, go to your PWA site and go to the Gear > PWA Settings > Manage Groups. If you don’t see Manage Groups, this means you are running in SharePoint Permissions Mode, and you can skip below for those instructions.
Figure 20: Manage Groups
Here you see I have the Team Members group connected to the ‘O365 Project Online – Team Members’ Active Directory group. For this configuration, I would simply add the guest user to this group. You can do this either back at the Azure Active Directory portal under Groups, or at this point you will see the user in the Office 365 Admin Portal under Users > Active Users and use the dropdown for Views and change to Guest users. You can then click on the user and edit the group memberships there.
Figure 21: Edit Group Memberships
If you want to assign the user to tasks, then you need to add the user to the Enterprise Resource Pool. To do this, you’ll need to include them in the group that is tied to the Enterprise Resource Pool, or have a group that has nested groups of your security groups. This setting can be found by clicking the Gear > PWA Settings > Active Directory Resource Pool Synchronization.
Figure 22: Active Directory Enterprise Resource Pool Synchronization
Manually Adding the User
If you aren’t using Active Directory Sync, you can manually add the user by going to the Gear > PWA Settings > Manage Users. Click the New User button and fill out the form as shown.
Fill out the User Logon Account first by typing in the email address of the guest user. Notice that ‘No results found’ is displayed, which means that the account hasn’t been added to the User Profile Service in SharePoint Online at this time; however, it will be accepted once you click Save.
Figure 23: User logon account
Fill out other information such as the checkbox for User can be assigned as a resource to add the user to the Enterprise Resource Pool and add the proper security group(s). Optionally, you can fill out other information as required by your organization. Click Save and you will notice the user account will be accepted and it will also fill in the display name and email address associated with that user.
You will notice the user is added to your list of users and the User Logon Account will have the #ext# notation that indicates it is an external guest account.
Figure 24: Manage User Details
If you are running in Project Permission Mode we recommend enabling Project Web App Sync to the root site. To check this, go to the Gear > PWA Settings > Manage User Sync Settings and verify that Enable Project Web Sync is checked. This will then sync the guest user account to the root site and allow access.
Figure 25: Project Permission Sync Settings
At this point, you will need to email the user the URL to your Project Web App site. The user will click on the link and be prompted for their account (either AAD or, in my case, an MSA account).
Figure 26: Microsoft Account Sign-In
After entering in the password, they are presented with Project Web App and can interact with Project Online just as an internal user can.
SharePoint Permission Mode
If you are running in SharePoint Permission Mode, the provisioning process is simpler but more restrictive. To add a user in this mode, go to the root of the PWA site and click the Share button in the top right-hand section of the screen.
Figure 27: Share Button
Enter the email address and it should resolve to the display name of the guest account. Note that it identifies the user as being outside of your organization. Click Show Options and select one of the permission levels that says “…for Project Web App”, optionally enter a personal message, check the box to send an email invitation, and click the Share button.
Figure 28: Share ‘Project Web App’
If you need to add the user into the Enterprise Resource Pool, the administrator will need to add them manually by going to PWA > Resources, clicking the Resources tab, and then clicking the New button.
Figure 29: Add New Resource
Alternatively, you can set up Active Directory sync by clicking the “click here to synchronize with an existing group” link.
The guest user will get an email saying the site has been shared with them. They would click the Go to Project Web App link to access the site and log in with their existing Microsoft Account (MSA) or Azure Active Directory (AAD) account.
Figure 30: Sharing Invitation Email
The Project Web App site is then presented for the guest account and they can interact with Project Online just like an internal user. Notice, however, there is no App Launcher for guest users, which is good since you don’t want to have the external user think they can navigate to other Office 365 services.
Figure 31: Project Web App Home Page
If you need to bulk add many guest users, you can set up Azure Active Directory B2B Collaboration. This configuration is out of scope for this blog post but worth looking into if you have several guest accounts to manage.
Also, Brian Smith of Microsoft wrote a great blog post on how to use PowerShell to assign licenses. This would be really helpful for the automation of assigning Project Online licenses.
I hope you enjoyed this more detailed post on how to set up and configure external user support for Project Online. This feature will really help organizations share projects and collaborate with vendors, partners, and other external users. It really simplifies things for the external user, as they can now use their existing credentials to access your environment. It is a feature we were eagerly anticipating, and we are looking forward to helping our customers get it up and running to get more use and value from Project Online.