Overview

Many MSPs co-manage Microsoft 365 tenants alongside their clients. Petra makes it easy to give those clients direct access to their own security data without exposing your other tenants or internal operations. This is done by inviting the client as an External Guest and scoping them to one or more specific tenants. You control exactly what they can see and whether they can take action.

Inviting a Client as an External Guest

Only Admins can invite new members.
  1. Go to Settings > Access.
  2. Click Invite.
  3. Enter the client’s name and email address.
  4. Select External Guest as the role.
  5. Check the tenants this client should have access to.
  6. Optionally, check Prevent this user from taking any actions (read only) to restrict them to view-only access.
  7. Click Save Changes.
The client will receive a magic link email to sign in. Once authenticated, they will only see the tenants you selected.
External Guests must be scoped to at least one tenant. You can add or change tenant assignments at any time by editing the member from Settings > Access.
For a full breakdown of roles, permissions, and what each one controls, see Member Roles and Permissions.

What External Guests Can See

External Guests have full visibility into the tenants they are scoped to, including:
  • Incidents and incident timelines
  • Failed attacks and attacker details
  • Identity activity and sign-in logs
  • Uncommon activity detections
  • Tenant security reports via the Report Builder
They cannot see any other tenants in your organization, and they do not have access to organization-level pages like the Marketing tab, Partner Portal, or tenant onboarding.

Read-Only Mode

When you check the read-only option while inviting a member (or enable it later by editing the member), the External Guest is restricted to viewing content only. Read-only members cannot:
  • Perform remediation actions (revoke sessions, reset passwords, recover phish, etc.)
  • Toggle Petra Response on or off
  • Update tenant settings or notification methods
  • Manage other members
  • Configure PSA integrations or branding
Read-only mode is ideal for clients who want visibility into their security posture without the ability to make changes. It gives them peace of mind while keeping your team in full control of response actions.

Setting Up Tenant-Level Alerts for Guests

You can add your client’s email address or phone number as a tenant-level alert recipient so they are notified directly when incidents occur on their tenant.
  1. Navigate to the tenant’s page by clicking on the tenant from the Homepage.
  2. Click the Settings (gear) icon to open the Tenant settings modal.
  3. Under Tenant-Specific Incident Alerts, add the client’s email address or phone number.
These alerts are scoped to that specific tenant and are separate from your organization-wide notification methods configured in Settings > Notifications.
Tenant-specific alerts support both email and phone notification methods. These fire in addition to any organization-level alerts you have configured.

Adding Guests as Monthly Report Recipients

Petra can automatically send monthly security reports directly to your clients. You can add a client’s email as a recipient of the report for their specific tenant.
  1. Navigate to the tenant’s page by clicking on the tenant from the Homepage.
  2. Click the Settings (gear) icon to open the Tenant settings modal.
  3. Under Tenant-Specific Monthly Reports, add the client’s email address.
Reports are sent at the end of every month from reports@petrasecurity.com. Only email recipients are supported for monthly reports.
Monthly reports are a great way to demonstrate ongoing value to your clients. For full details on automated report delivery, including how to send reports to your own organization, see Scheduling Automated Monthly Reports.

Editing or Removing Guest Access

Admins can update an External Guest’s permissions or remove them at any time.
  1. Go to Settings > Access.
  2. Find the member in the table. External Guests are shown with their scoped tenant names (e.g., “External (Contoso Ltd)”).
  3. Click Edit to change their tenant access, toggle read-only mode, or update their name.
  4. To remove the guest entirely, click Delete.
If a tenant is removed from Petra or moved to another organization, any External Guests scoped exclusively to that tenant are automatically removed. Guests who have access to other tenants will have the removed tenant taken out of their scope.

FAQs

Can a client see other tenants in my organization?

No. External Guests can only see the specific tenants you assign to them. They have no visibility into your other clients or your own internal tenant.

Can I scope a guest to multiple tenants?

Yes. When inviting or editing an External Guest, you can check as many tenants as you want. This is useful if a single client has multiple Microsoft 365 tenants.

Can guests take remediation actions?

By default, yes. If you want to prevent a guest from taking actions like revoking sessions or resetting passwords, enable the read-only option when inviting or editing the member.

What does a guest’s experience look like?

Guests see the same Petra interface as your team, but limited to their scoped tenants. They can browse incidents, view the timeline, explore identity activity and sign-in logs, and use the Report Builder. They will not see the Marketing tab, Partner Portal, or any tenant management options.

Can guests manage their own notification settings?

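External Guests can manage tenant-specific notification methods for the tenants they are scoped to, unless they are in read-only mode (read-only members cannot update tenant settings or notification methods). They cannot access or modify organization-wide notification settings.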

Do guests count toward billing?

No. Petra billing is based on the number of monitored Microsoft 365 identities, not on the number of portal members or guests.

Can I invite a guest with a non-Microsoft email?

Yes. Guest invitations use magic link authentication, so the client does not need a Microsoft account. Any email address works.

Who can invite or manage External Guests?

Only members with the Admin role can invite, edit, or remove members of any type, including External Guests.