Change owner of External account

Balwant Jadhav (Admin Cloud) 0 Reputation points
2026-04-30T11:01:28.8833333+00:00

There is an external account created in Azure Entra ID. Now I want to change that external account's owner.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

2 answers

  1. Shubham Sharma 14,500 Reputation points Microsoft External Staff Moderator
    2026-04-30T11:21:01.87+00:00

    Hello Balwant Jadhav (Admin Cloud)

    Thank you for reaching out to Microsoft Q&A.

    In Microsoft Entra ID (Azure AD), you cannot directly change the owner of an external (guest) user account the way you might expect. This is because:

    • Users (including external/guest users) do NOT have an “owner” property.
    • Ownership in Entra ID applies to objects like applications, groups, or service principals, not to user accounts.

    https://docs.azure.cn/en-us/entra/identity/enterprise-apps/overview-assign-app-owners

    Depending on your scenario

    Most cases that sound like “change owner of external account” fall into one of the below scenarios:

    Scenario 1: You want to assign responsibility for a guest user

    Use Sponsor (recommended approach)

    Entra ID provides a concept called “Sponsor” for guest users.

    A sponsor is the person responsible for the guest (similar to “owner”).

    Resolution

    1. Go to Microsoft Entra Admin Center
    2. Navigate to: Entra ID → Users → Select Guest User
    3. Add or change the Sponsor

    Key point

    Sponsors help manage lifecycle and access reviews of guest accounts

    This is the closest equivalent to “owner of a guest user”

    Scenario 2: You want the external user to be “Owner” of resources (subscription/app/etc.)

    In this case, you don’t change the user — you assign roles/ownership at resource level

    Example 1: Make guest user Owner of Azure Subscription

    Steps:

    1. Go to Azure Portal
    2. Navigate to Subscriptions
    3. Select your subscription
    4. Open Access Control (IAM)
    5. Click Add role assignment
    6. Choose Owner
    7. Select the external (guest) user
    8. Click Review + Assign

    Example 2: Make guest user Owner of an Enterprise Application

    Use this official doc:

    Assign enterprise application owners

    Steps:

    1. Go to Entra ID → Enterprise applications
    2. Select the app
    3. Go to Owners
    4. Click Add
    5. Select the guest user
    6. Save

    The owner can manage SSO, provisioning, and assignments for that app

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-app-owners?pivots=portal

    Scenario 3: You want to “convert” or modify external user identity

    This is NOT supported:

    You cannot change identity type or underlying ownership of guest users

    If the answer is helpful, kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.
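The sponsor change from Scenario 1, done through Microsoft Graph instead of the portal. This is an added example, not part of the answer above or any Microsoft sample; it assumes the Microsoft Graph PowerShell SDK is installed and the caller can consent to `User.ReadWrite.All`, and both UPNs are constructed placeholders.

```powershell
# Added example: replace the sponsor(s) of a guest user via Microsoft Graph.
# Both UPNs are constructed placeholders; substitute your own.
$guestUpn      = 'partner_contoso.com#EXT#@example.onmicrosoft.com'
$newSponsorUpn = 'new.sponsor@example.com'

Connect-MgGraph -Scopes 'User.ReadWrite.All'
$base = 'https://graph.microsoft.com/v1.0'

function Get-UserByUpn([string]$Upn) {
    # The '#' in a guest UPN must be percent-encoded in the URL path.
    $key = [uri]::EscapeDataString($Upn)
    Invoke-MgGraphRequest -Method GET `
        -Uri "$base/users/$($key)?`$select=id,displayName,userType"
}

$guest   = Get-UserByUpn $guestUpn
$sponsor = Get-UserByUpn $newSponsorUpn

# Sponsors are meant for guests; stop if the target is a member account.
if ($guest.userType -ne 'Guest') {
    throw "$guestUpn has userType '$($guest.userType)', expected 'Guest'"
}

# Existing sponsors may be users or groups.
$current    = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$($guest.id)/sponsors").value
$currentIds = @($current | ForEach-Object { $_.id })

# Add the new sponsor first so the guest is never left without one.
if ($currentIds -notcontains $sponsor.id) {
    $body = @{ '@odata.id' = "$base/users/$($sponsor.id)" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $body `
        -Uri "$base/users/$($guest.id)/sponsors/`$ref"
}

# Then remove every previous sponsor except the new one.
foreach ($oldId in $currentIds | Where-Object { $_ -ne $sponsor.id }) {
    Invoke-MgGraphRequest -Method DELETE `
        -Uri "$base/users/$($guest.id)/sponsors/$oldId/`$ref"
}

# Show the resulting sponsor list for the change record.
(Invoke-MgGraphRequest -Method GET -Uri "$base/users/$($guest.id)/sponsors").value |
    ForEach-Object { '{0}  {1}' -f $_.id, $_.displayName }
```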

  2. Q&A Assist
    2026-04-30T11:01:42.5433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    In Microsoft Entra ID, a guest account itself does not have an “owner” property that can be reassigned like an application or group. What can be changed or managed for a guest user is:

    1. The guest’s lifecycle and governance
      • Go to Microsoft Entra admin center → ID Governance → Entitlement management → Access packages.
      • Open the relevant access package → Assignments.
      • Select the guest user and choose Mark guest as governed if the guest should be lifecycle‑managed through entitlement management.
      • This affects how the guest is governed (for example, via access packages and policies), not an “owner” field on the guest account.
    2. The guest’s relationship type (Member vs Guest)
      • If the intent is to change how the user is treated in the tenant (for example, move them from Guest to Member for broader access), the UserType property can be changed:
        • Either by editing the user in the Microsoft Entra admin center, or
        • By using Microsoft Graph PowerShell to update UserType from Guest to Member.
      • This should only be done if the relationship of the user to the organization has actually changed.
    3. Reset or re‑target the guest’s sign‑in identity
      • If the goal is effectively to “hand over” the guest’s access to another person or change which external identity is used (for example, the guest moved to a different company), reset the guest’s redemption status instead of creating a new guest:
        • Use the Microsoft Entra admin center, PowerShell, or Microsoft Graph invitation API to reset the guest’s redemption status.
        • This keeps the same guest object ID, group memberships, and app assignments, but lets the guest redeem a new invitation with a different email/identity.

    If “owner” refers to who is responsible for the guest (for example, business sponsor), that is typically tracked in internal processes or custom attributes, not via a built‑in Entra ID “owner” field on the guest user object. In that case, update the relevant internal metadata (such as a custom attribute or access package configuration) rather than the guest account itself.
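Because a redemption reset keeps the same object ID, group memberships, and app assignments, it is worth listing what the object carries before handing it to a different identity. The following is an added example, not part of the answer above; it assumes the Microsoft Graph PowerShell SDK, and the object ID and e-mail address are constructed placeholders.

```powershell
# Added example: review a guest's memberships, then reset its redemption status.
$guestObjectId = '00000000-0000-0000-0000-000000000000'   # constructed placeholder
$newEmail      = 'person@newcompany.example'               # constructed placeholder

Connect-MgGraph -Scopes 'User.ReadWrite.All','GroupMember.Read.All'
$base = 'https://graph.microsoft.com/v1.0'

$guest = Invoke-MgGraphRequest -Method GET `
    -Uri "$base/users/$($guestObjectId)?`$select=id,mail,userType,externalUserState"
if ($guest.userType -ne 'Guest') {
    throw "Object $guestObjectId has userType '$($guest.userType)', expected 'Guest'"
}

# Direct memberships (first page only); all of these survive the reset.
$memberOf = @((Invoke-MgGraphRequest -Method GET `
    -Uri "$base/users/$($guest.id)/memberOf?`$select=id,displayName").value)
$memberOf | ForEach-Object { '{0}  {1}' -f $_.id, $_.displayName }

# Require an explicit decision before the access is re-targeted.
$answer = Read-Host "Keep these $($memberOf.Count) memberships for $($newEmail)? (y/n)"
if ($answer -ne 'y') { return }

# Invitation API call that resets redemption on the existing guest object.
$body = @{
    invitedUserEmailAddress = $newEmail
    inviteRedirectUrl       = 'https://myapps.microsoft.com'
    sendInvitationMessage   = $true
    invitedUser             = @{ id = $guest.id }
    resetRedemption         = $true
} | ConvertTo-Json

$invitation = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$base/invitations" -Body $body
"Invitation status: $($invitation.status)"
```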

