
Guest users hitting 403s on Private CDN assets

Vikram Shivar Nehala 60 Reputation points
2026-03-10T11:30:32.1066667+00:00

I’ve got a weird one: our SharePoint site looks great for internal staff, but Guest users are seeing a completely broken UI. It turns out all our custom CSS and JS in the Private CDN are returning 403 Forbidden only for them. I’ve triple-checked that "Everyone except external users" has Read access to the Site Assets library, but the CDN doesn't seem to care. It feels like a CORS or Token Validation failure where the guest's home tenant identity isn't being "exchanged" correctly for the CDN's private origin.

So my question is:

Does the Private CDN specifically require guests to have a User Profile synced in the host tenant to successfully fetch the Bearer token for asset requests?

Microsoft 365 and Office | SharePoint | Development

Answer accepted by question author
  1. Michelle-N 13,175 Reputation points Microsoft External Staff Moderator
    2026-03-10T12:52:28.7166667+00:00

    Hi @Vikram Shivar Nehala

    Thank you for posting your question to the Microsoft Q&A forum.

    Based on the information you shared, I understand that your SharePoint site renders correctly for internal users, but guest users see a broken UI because custom CSS/JS files hosted in the Private CDN return 403 Forbidden.

    After reviewing similar scenarios, the behavior you are seeing is not typically related to user profile synchronization. The SharePoint Online Private CDN does not require guest users to have a synced User Profile in the host tenant to obtain the token used for asset requests. Instead, it relies on standard SharePoint permissions and Azure AD authentication tokens to determine whether a user can access the origin library (usually Site Assets).

    A common cause of this issue is the permission configuration. In particular, the group “Everyone except external users” explicitly excludes guest users. This means that even if that group has Read access to the Site Assets library, external users will still be denied access, which results in the 403 responses you are seeing from the CDN.

    You may want to review the following points:

    1. Grant direct read permissions to guest users or to a group that includes them for the library used as the CDN origin (for example, the Site Assets library).
    2. Ensure that the guest users have properly accepted the invitation and exist as guest identities in your tenant.
    3. Confirm that the assets being served through the CDN are located in a library where external sharing and guest access are allowed.

    If granting permissions directly to guest users is not feasible for your scenario, another approach is to host those static assets using the Public CDN instead of the Private CDN. Public CDN content does not require authentication and therefore avoids permission-related 403 errors for external users.

    I hope this helps clarify the behavior.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. Q&A Assist
    2026-03-10T11:30:43.1966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    No. Private Microsoft 365 CDNs do not require guest users to have a synchronized user profile in the host tenant in order to obtain a bearer token for CDN asset requests.

    For the Microsoft 365 SharePoint CDN:

    • Access to data in the Microsoft 365 SharePoint CDN is secured by Microsoft 365 user permissions and token authorization.
    • Requests for data in the Microsoft 365 SharePoint CDN must be referred (redirected) from the Microsoft 365 tenant or an authorization token will not be generated.
    • Any assets within the configured document libraries (origins) are then available according to those permissions; for public CDN endpoints, assets are available anonymously, and for private CDN endpoints, access is controlled by standard Microsoft 365 permissions and tokens.

    The documentation does not state any requirement that guest users must have a fully synced user profile beyond having valid permissions and a valid token issued by the host tenant. Issues such as 403 errors for guests are therefore more likely related to:

    • How the CDN is configured (public vs. private origins, allowed file types, and policies).
    • Whether the request is correctly referred from the tenant so that a token can be generated.
    • The permissions on the origin library and items, not the existence of a synchronized user profile.


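Both answers above come down to the same three checks: is the library actually a configured Private CDN origin with a matching file-type policy, does the site permit external sharing at all, and which principals hold Read on the origin library (remembering that "Everyone except external users" excludes guests by design). The script below is an added example, not code from the thread or from Microsoft, that runs those checks from an admin workstation. It assumes the SharePoint Online Management Shell and PnP.PowerShell modules are installed and the caller is a SharePoint Administrator; the tenant name, site URL, library name and `$PnPClientId` app registration id are placeholders to replace.

```powershell
# Added example (not from the thread): audit the settings the answers point at.
# Placeholders: tenant name, site URL, origin library name, PnP app registration id.
$tenant      = "contoso"                                        # placeholder
$siteUrl     = "https://contoso.sharepoint.com/sites/intranet"  # placeholder
$libraryName = "Site Assets"                                    # CDN origin library
$PnPClientId = "00000000-0000-0000-0000-000000000000"           # placeholder app id

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# 1. Private CDN state, origins and policies. An asset is only served through the
#    Private CDN if its library is a configured origin and its extension is listed
#    in the IncludeFileExtensions policy; otherwise it is not a permissions problem.
Write-Host "Private CDN enabled:" (Get-SPOTenantCdnEnabled -CdnType Private)
Write-Host "Private CDN origins:"
Get-SPOTenantCdnOrigins -CdnType Private
Write-Host "Private CDN policies:"
Get-SPOTenantCdnPolicies -CdnType Private

# 2. If the site disallows external sharing, guests cannot reach the origin library
#    regardless of what the library-level permissions say.
Get-SPOSite -Identity $siteUrl | Select-Object Url, SharingCapability

# 3. Who holds Read on the origin library? Newer PnP.PowerShell builds require an
#    app registration id for interactive sign-in, hence -ClientId.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $PnPClientId

$list = Get-PnPList -Identity $libraryName -Includes RoleAssignments, HasUniqueRoleAssignments
Write-Host "Library '$libraryName' has unique permissions: $($list.HasUniqueRoleAssignments)"

# Heuristic only: it recognises the "Everyone" claim (login name c:0(.s|true) and
# explicit guest accounts (#EXT# in the login name). Guests granted access through a
# SharePoint group or a Microsoft 365 group are not expanded here, so review the
# printed principals by hand as well.
$guestCovered = $false
foreach ($ra in $list.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    Write-Host ("{0,-45} {1}" -f $ra.Member.Title, $roles)
    if ($ra.Member.LoginName -like "*#ext#*" -or $ra.Member.LoginName -eq "c:0(.s|true") {
        $guestCovered = $true
    }
}
if (-not $guestCovered) {
    Write-Warning "No Everyone claim or explicit guest account on '$libraryName'; if guests are not covered via a group either, expect 403s from the Private CDN."
}
```

If step 1 shows the library as an origin with a policy that includes `.css` and `.js`, and step 3 shows only "Everyone except external users" holding Read, the fix is the one the accepted answer gives: grant Read to a principal that actually includes the guests, or move the static assets to a Public CDN origin where no token is required.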
