
Provisioning Scoped Entra ID Accounts for Guests

Audience: IT administrators, identity managers

Purpose: Create temporary accounts for devices using group-based licensing and automation

Under Development

This guide is a work in progress and may be incomplete or subject to change.


Overview

Intended Use

This process is for very short-term temporary accounts (typically less than 30 days). For longer-term guest access, use the official Sponsored NetID Process.

This guide explains how to provision temporary user accounts (guest or kiosk accounts) for Intune-managed devices that sign in with Entra ID, using:

  • Group-Based Licensing/Policies — Licenses, Intune profiles and Conditional Access are targeted at Entra ID groups, so adding an account to a group is all that grants (and removing it is all that revokes) access
  • Power Pages + Power Automate — Self-service or admin-assisted account creation (the front-end is a Power Pages site; the flow behind it runs in Power Automate)
  • Lifecycle Workflows — Automatic disable/delete driven by the account's employeeLeaveDateTime (default 2 weeks)

Quick Reference

TL;DR
  • Group-Based Licensing — New accounts inherit access when added to the appropriate group
  • Power Platform — Front-end for account creation with multiple scenario pages
  • Lifecycle Workflow — Automatically disable/delete accounts after set duration

Background

Organizations need short-term accounts for guests, kiosks, or events with:

  • Limited license and policy sets
  • Automatic cleanup after a set period

Temporary "Experiences"

An experience is a category of temporary account with defined access and lifespan:

Experience       Access Level                      Duration
Library Guest    Library computer access           1 day
General Guest    Campus Wi-Fi and lab access       2 weeks
Event Guest      Event-specific resources          Custom

Each experience corresponds to a security group with bundled licenses and policies.


Prerequisites

Requirement             Details
Entra ID Premium P1     Required for group-based licensing and dynamic groups
Entra ID Premium P2     Required for Lifecycle Workflows (automatic expiration). Lifecycle Workflows are sold as part of the Microsoft Entra ID Governance feature set; confirm current licensing before relying on P2 alone
Power Platform          Power Pages site and Power Automate licenses
Security Groups         One group per experience with licenses/policies assigned
License Availability    Sufficient M365 license seats for group members. Group-based licensing puts a user into a licensing error state (not a queue) when seats run out, so monitor free seats

Solution Architecture


Implementation Steps

Step 1: Prepare Groups

Create Experience Groups

Create security groups for each experience type:

Group Name             Purpose
TS-SG-Temp-Library     Library kiosk guest accounts
TS-SG-Temp-Guest       General guest accounts (14-day)
TS-SG-Temp-Event       Event-specific temporary users

Use consistent naming conventions per IT policies.

Assign Licenses to Groups
  1. In the Microsoft Entra admin center, select the group
  2. Under Licenses, open the group-based licensing assignment
  3. Assign the required product SKUs
  4. Disable unneeded service plans (e.g., turn off Exchange if no mailbox is needed; every enabled plan is attack surface the account does not need)

All group members automatically receive the assigned licenses. A user must have a usage location set before any license can be applied, so the provisioning flow has to populate it when it creates the account.
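The same group-based license assignment scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of this guide. It resolves the SKU and the service plans to disable by name so that no GUIDs are hard-coded, checks that every plan name actually resolved before writing anything, and reports free seats. The SKU part number and the Exchange plan name are assumptions; compare them with `Get-MgSubscribedSku` in your own tenant.

```powershell
# Added example: assign a license to an experience group with group-based licensing.
# Requires the Microsoft.Graph module. SKU and plan names below are assumptions.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All'

$GroupName      = 'TS-SG-Temp-Library'        # experience group from Step 1
$SkuPartNumber  = 'STANDARDWOFFPACK_STUDENT'  # assumed SKU; replace with your own
$PlansToDisable = @('EXCHANGE_S_STANDARD')    # assumed plan name: no mailbox for kiosk accounts

$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id, DisplayName
if (-not $group) { throw "Group '$GroupName' not found" }

$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant" }

# Map service-plan names to the plan IDs the assignLicense API expects.
$disabledPlanIds = @(
    $sku.ServicePlans |
        Where-Object { $_.ServicePlanName -in $PlansToDisable } |
        Select-Object -ExpandProperty ServicePlanId
)

# A plan name that does not resolve must fail the run; otherwise the group would
# silently be licensed with more service plans than intended.
if ($disabledPlanIds.Count -ne $PlansToDisable.Count) {
    throw "Could not resolve all service plans to disable: $($PlansToDisable -join ', ')"
}

# Seat check: group-based licensing cannot queue users, it just errors when seats run out.
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "SKU $SkuPartNumber has $available seat(s) free"

Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabledPlanIds }) `
    -RemoveLicenses @()

# Verify: the group should now carry the SKU with exactly the disabled plans requested.
(Get-MgGroup -GroupId $group.Id -Property AssignedLicenses).AssignedLicenses |
    Format-List SkuId, DisabledPlans
```

Run it once per experience group; re-running with the same SKU and plan list is idempotent because `assignLicense` replaces the group's entry for that SKU.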

Assign Policies to Groups

Target policies to experience groups:

Policy Type          Example
Intune profiles      Lock down library PC when temp account logs in
Conditional Access   Block sensitive apps or require MFA
Terms of Use         Require acceptance before access

Group membership governs all access—no individual configuration needed.

Step 2: Build Power Automate Flow

Design Power Pages Front-End

Create pages for different audiences:

Library Kiosk Page:

  • Accessible without login, restricted by IP range to the kiosks. Treat it as an unauthenticated account-creation endpoint: limit it to the most restricted experience (Library Guest) and rate-limit submissions, because an IP allow-list is not authentication
  • Minimal info collection
  • Auto-creates Library Guest account

Admin Provisioning Page:

  • Requires staff authentication
  • Dropdown to select experience type
  • Creates account in corresponding group

Configure Account Creation Flow

The Power Automate flow should:

  1. Receive form inputs (name, experience type, etc.) and validate that the experience type is one the calling page is allowed to request
  2. Create the user account in Entra ID, including a usage location (required before group-based licensing can apply)
  3. Set a randomly generated temporary password
  4. Set employeeLeaveDateTime (current time plus the experience's duration) for the Lifecycle Workflow. This attribute requires the User-LifeCycleInfo.ReadWrite.All Graph permission and is typically set with an HTTP action against Microsoft Graph rather than the standard user-creation action
  5. Add the user to the appropriate experience group (after the leave date is set, so no account ever sits in a licensed group without an expiry)
  6. Return credentials over a secure channel; enable Secure Inputs/Outputs on the actions that handle the password so it is not retained in the flow run history
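The same flow as a Microsoft Graph PowerShell script, as an added example that is not part of this guide; it is what an admin-run or scheduled equivalent of the Power Automate flow would do. The experience table, UPN domain, usage location, Event duration and the `employeeType` value used to tag temporary accounts are all assumptions. The password is generated from the .NET CSPRNG with rejection sampling so no character is favoured, and the leave date is stamped before the group membership is added.

```powershell
# Added example: provisioning flow from Step 2 as a Graph PowerShell script.
# Requires the Microsoft.Graph module. Domain, groups, durations and the
# employeeType tag are assumptions; adjust them to your tenant.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All', 'User-LifeCycleInfo.ReadWrite.All'

# Experience catalogue: group plus lifetime in days (Event is "Custom" in the guide; 7 assumed).
$Experiences = @{
    Library = @{ Group = 'TS-SG-Temp-Library'; Days = 1  }
    Guest   = @{ Group = 'TS-SG-Temp-Guest';   Days = 14 }
    Event   = @{ Group = 'TS-SG-Temp-Event';   Days = 7  }
}
$UpnDomain     = 'example.edu'    # assumed
$UsageLocation = 'US'             # assumed; required before a license can be applied
$TempTag       = 'TemporaryGuest' # assumed employeeType value used to scope the Lifecycle Workflow

function New-TempPassword {
    # CSPRNG-backed password; rejection sampling removes modulo bias.
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = [System.Collections.Generic.List[char]]::new()
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

function New-TempExperienceAccount {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('Library', 'Guest', 'Event')][string]$Experience
    )
    $exp   = $Experiences[$Experience]
    $group = Get-MgGroup -Filter "displayName eq '$($exp.Group)'" -Property Id
    if (-not $group) { throw "Experience group $($exp.Group) not found" }

    # Random suffix keeps UPNs unique without encoding who requested the account.
    $suffix   = [guid]::NewGuid().ToString('N').Substring(0, 8)
    $mailNick = "tmp-$($Experience.ToLower())-$suffix"
    $password = New-TempPassword

    $user = New-MgUser -DisplayName $DisplayName `
        -UserPrincipalName "$mailNick@$UpnDomain" `
        -MailNickname $mailNick `
        -AccountEnabled `
        -UsageLocation $UsageLocation `
        -EmployeeType $TempTag `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

    # Stamp the expiry before the account gets any group-based licenses or policies.
    $leave = (Get-Date).ToUniversalTime().AddDays($exp.Days)
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$($user.Id)" `
        -Body @{ employeeLeaveDateTime = $leave.ToString('o') }

    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

    # Hand the credentials back to the caller only; do not write the password to any log.
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Password          = $password
        ExpiresUtc        = $leave
        Group             = $exp.Group
    }
}

# Usage:
# New-TempExperienceAccount -DisplayName 'Library Kiosk 3 Guest' -Experience Library
```

The `employeeType` tag is there because a Lifecycle Workflow is scoped with a rule over user attributes; stamping a consistent value at creation gives the workflow in Step 3 something to match on.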

Step 3: Configure Lifecycle Workflow

Set Up Automatic Expiration

Use Entra ID Lifecycle Workflows to automatically disable/delete accounts:

  1. Navigate to Entra ID → Identity Governance → Lifecycle Workflows
  2. Create a leaver workflow triggered by employeeLeaveDateTime (offset 0 days, so it fires when the date set by the flow is reached)
  3. Scope the workflow with a user-attribute rule that matches only the temporary accounts, for example a value the provisioning flow stamps in an attribute such as employeeType (the attribute and value are a local convention; pick one and use it consistently in the flow)
  4. Configure actions:
    • Disable account
    • Remove from all groups (this drops the group-based licenses and policies at the same time)
    • (Optional) Delete account after grace period

Default: 14 days, adjustable per experience. The duration lives in the employeeLeaveDateTime the flow writes at creation, not in the workflow, so one workflow serves every experience. Workflows run on a schedule rather than instantly, so expect a delay of a few hours between the leave date and the account being disabled.
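A check that the workflow is actually cleaning up, as an added example that is not part of this guide: it walks each experience group and flags members whose employeeLeaveDateTime has passed but who are still enabled, and members with no leave date at all (the provisioning flow failed part-way). Group names follow Step 1; the Microsoft.Graph module is assumed.

```powershell
# Added example: find temporary accounts the Lifecycle Workflow should have handled.
# Requires the Microsoft.Graph module; group names are the ones from Step 1.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All', 'User-LifeCycleInfo.Read.All'

$ExperienceGroups = 'TS-SG-Temp-Library', 'TS-SG-Temp-Guest', 'TS-SG-Temp-Event'
$now = (Get-Date).ToUniversalTime()

$findings = foreach ($name in $ExperienceGroups) {
    $group = Get-MgGroup -Filter "displayName eq '$name'" -Property Id
    if (-not $group) { Write-Warning "Group $name not found"; continue }

    # Members come back as directoryObjects; only user objects carry the lifecycle attribute.
    foreach ($m in Get-MgGroupMember -GroupId $group.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        # employeeLeaveDateTime is not in the default property set; it must be selected explicitly.
        $u = Get-MgUser -UserId $m.Id -Property 'Id', 'UserPrincipalName', 'AccountEnabled', 'EmployeeLeaveDateTime'

        $state = if (-not $u.EmployeeLeaveDateTime) { 'NoExpiry' }
                 elseif ($u.EmployeeLeaveDateTime -lt $now -and $u.AccountEnabled) { 'ExpiredButEnabled' }
                 elseif ($u.EmployeeLeaveDateTime -lt $now) { 'ExpiredDisabled' }
                 else { 'Active' }

        [pscustomobject]@{
            Group    = $name
            User     = $u.UserPrincipalName
            Enabled  = $u.AccountEnabled
            LeaveUtc = $u.EmployeeLeaveDateTime
            State    = $state
        }
    }
}

# NoExpiry means the flow never set a leave date; ExpiredButEnabled means the workflow
# did not run or its scope rule does not match the account. Both need a human.
$findings | Where-Object { $_.State -in 'NoExpiry', 'ExpiredButEnabled' } | Format-Table -AutoSize
```

Schedule this daily and alert on a non-empty result; "ExpiredDisabled" entries that linger are the accounts waiting on the optional delete step.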


Security Considerations

Consideration           Implementation
Network restrictions    Limit kiosk page access by IP range; this only narrows who can reach the page, so pair it with rate limiting and restrict the page to the least-privileged experience
Credential delivery     Secure channel for temporary passwords; enable Secure Inputs/Outputs on the flow actions that touch the password so it does not persist in run history
Flow privileges         The connection or service principal behind the flow can create users, so grant it only the Graph permissions it needs and review who can edit the flow (editing it is equivalent to account-creation rights)
Audit trail             Record the requester, experience and resulting UPN in the flow, and correlate with the Entra ID audit log, where the flow's identity (not the requester) appears as the actor
Access review           Regular review of experience group membership, including a check for members whose employeeLeaveDateTime has passed but who are still enabled