Domain 1: Implement and Manage User Identities (Module 5 of 8)

External Identities: Guest Access & B2B

Invite contractors, partners, and vendors to collaborate securely with Microsoft Entra External ID (B2B collaboration), without creating internal accounts for them.

What are external identities?

Simple explanation

External identities are like visitor passes for your office building.

You don’t give visitors a permanent employee badge. Instead, they sign in at reception (using their own ID), get a visitor pass, and can access only the meeting rooms you’ve booked for them. When the visit ends, the pass expires.

Microsoft Entra External ID works the same way. External users sign in with their own identity (a work account in another Entra tenant, a federated partner IdP, a Google or Microsoft account, or just a one-time code sent to their email). In your directory they are represented by a guest object (the visitor pass) that can only reach the resources you explicitly share with it.

External collaboration settings

External collaboration settings are the master controls for guest access. Find them at: Entra admin center → External Identities → External collaboration settings.

  • Guest user access: what guests can read in your directory (same access as members, limited access to properties and memberships, or restricted to their own objects, the most restrictive). Recommendation: limited for most orgs; restricted where guests must not enumerate users or groups.
  • Guest invite settings: who can invite guests (anyone including guests, members and specific admin roles, only specific admin roles, or no one). Recommendation: members plus specific admin roles, or admin roles only for regulated environments.
  • Collaboration restrictions: allow invitations to any domain, deny invitations to listed domains, or allow invitations only to listed domains. Recommendation: an allow list of approved partner domains where you know your partners; at minimum deny consumer and known-bad domains.
  • Enable guest self-service sign-up via user flows: lets external users request access themselves instead of waiting for an invitation. Recommendation: only for customer-facing apps with a user flow you control.
Scenario: Priya locks down guest access at Meridian Health

Healthcare data requires strict controls. Priya configures:

  • Guest user access: most restrictive, so guests can’t enumerate directory users or groups
  • Guest invite settings: only users in specific admin roles (including the Guest Inviter role) can invite
  • Collaboration restrictions: Allow list with only approved partner domains (medical suppliers, consulting firms)

This prevents individual employees from inviting personal contacts as guests, which would give unvetted accounts a foothold next to patient-adjacent systems, and it keeps every guest tied to an approved partner domain.
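
The same controls can be read and set through Microsoft Graph, which is useful for auditing many tenants or enforcing a baseline from a pipeline. The following is an added example, not code from the original page: it uses the Microsoft.Graph.Identity.SignIns module and the authorizationPolicy object that backs the portal’s guest user access and guest invite settings. The three role IDs are the documented values for the guest user access setting; the function names and the choice of baseline (Priya’s settings) are this example’s own. Domain allow/deny lists are a separate policy and are not changed here.

```powershell
# Added example (not from the original page). Requires the
# Microsoft.Graph.Identity.SignIns module and consent to Policy.ReadWrite.Authorization.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

# Documented role template IDs behind the "Guest user access" setting
$GuestRole = @{
    SameAsMember = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'  # most inclusive
    Limited      = '10dae51f-8c5e-4a08-a17b-8bebbc04c72a'  # default
    Restricted   = '2af84b1e-32c8-42b7-82bc-daa82404023b'  # most restrictive
}

function Get-GuestAccessPosture {
    # Report the current tenant settings in the terms the portal uses
    $p = Get-MgPolicyAuthorizationPolicy
    $roleName = ($GuestRole.GetEnumerator() | Where-Object Value -eq $p.GuestUserRoleId).Key
    [pscustomobject]@{
        GuestUserAccess       = $roleName
        # everyone | adminsGuestInvitersAndAllMembers | adminsAndGuestInviters | none
        GuestInviteSettings   = $p.AllowInvitesFrom
        EmailVerifiedSelfJoin = $p.AllowEmailVerifiedUsersToJoinOrganization
    }
}

function Set-GuestAccessBaseline {
    # Priya's baseline: restricted directory access, invitations only from
    # admin roles and Guest Inviters, no self-service join by verified email.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('authorizationPolicy', 'Restrict guest access and invitations')) {
        Update-MgPolicyAuthorizationPolicy `
            -GuestUserRoleId $GuestRole.Restricted `
            -AllowInvitesFrom 'adminsAndGuestInviters' `
            -AllowEmailVerifiedUsersToJoinOrganization:$false
    }
    Get-GuestAccessPosture
}

Get-GuestAccessPosture            # before
Set-GuestAccessBaseline -WhatIf   # dry run; drop -WhatIf to apply
```

Run Get-GuestAccessPosture on its own as a periodic check: a tenant that drifts back to SameAsMember or everyone is the kind of change that should raise an alert rather than wait for the next audit.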

Inviting external users

Individual invitations

  1. Entra admin center → Users → All users → New user → Invite external user
  2. Enter their email address, an optional display name, and an optional personal message
  3. The guest receives an email with a redemption link
  4. They click the link, authenticate with their home identity, and gain access

Bulk invitations

For inviting many guests at once:

  • Entra admin center → Users → All users → Bulk operations → Bulk invite → download the CSV template → fill it in → upload
  • PowerShell → New-MgInvitation in a loop (Microsoft.Graph.Identity.SignIns module, User.Invite.All scope):

```powershell
# Partners.csv is assumed to have Email and DisplayName columns
Connect-MgGraph -Scopes "User.Invite.All"
$guests = Import-Csv -Path "Partners.csv"
foreach ($guest in $guests) {
    $inv = New-MgInvitation -InvitedUserEmailAddress $guest.Email `
                            -InvitedUserDisplayName $guest.DisplayName `
                            -InviteRedirectUrl "https://myapps.microsoft.com" `
                            -SendInvitationMessage
    # Status stays PendingAcceptance until the guest redeems the link
    "{0}: {1} ({2})" -f $guest.Email, $inv.Status, $inv.InvitedUser.Id
}
```

Redemption: how guests sign in

When a guest redeems their invitation, Entra checks for a matching identity in this order and uses the first one that applies:

  1. Their own Entra ID tenant, if the email domain is a verified domain of an Entra tenant or the user already exists there
  2. A configured external identity provider: a SAML/WS-Fed federation for their domain, or Google federation for gmail.com / googlemail.com addresses
  3. A Microsoft account (personal Outlook.com / Hotmail) that matches the email address
  4. Email one-time passcode (OTP): a code sent to their email address
Exam tip: redemption order matters

The exam tests that you understand the identity provider priority. If a guest’s email domain belongs to an Entra tenant, they sign in with that tenant, even if you have also configured Google federation. The order is: Entra ID tenant, then a configured external IdP (SAML/WS-Fed or Google), then Microsoft account, then email OTP.

Email OTP is the fallback when nothing else matches. It is enabled by default and works for any address that can receive mail. An OTP guest is still a normal guest object in your directory, so Conditional Access, access reviews and the collaboration restrictions apply to them like any other guest.

Managing guest accounts

Guest users appear in your directory with a UserType of “Guest” (vs “Member” for internal users).

Key management tasks:

  • Convert guest to member: change UserType from Guest to Member in the user’s properties. This only changes their directory permissions; they still authenticate with their home identity.
  • Block guest sign-in: set accountEnabled to false. The object and its group memberships stay, so access can be restored if the block was a mistake.
  • Set expiration: access reviews or entitlement management (covered in Domain 4).
  • Remove guest: delete the guest user object (it can be restored from the deleted users list for 30 days).
  • Restrict guest permissions: use external collaboration settings or Conditional Access policies.
Scenario: Jake manages freelancer guest access

Coastline Creative works with 15 freelance designers. Jake invites them as guests and:

  • Assigns them to a “Freelancers” security group
  • Grants the group access to the shared design SharePoint site
  • Creates a Conditional Access policy targeting guest and external users that requires MFA
  • Sets a quarterly access review to clean up stale accounts

When a freelancer’s project ends, the access review catches their inactive account and triggers removal. No orphaned guest accounts cluttering the directory.
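
Jake’s MFA requirement is a Conditional Access policy scoped to guests rather than to all users, so members are untouched and the policy can be piloted in report-only mode first. The following is an added example, not code from the original page: it creates that policy with Microsoft Graph PowerShell, assuming the Microsoft.Graph.Identity.SignIns module and the Policy.ReadWrite.ConditionalAccess scope; the policy name and function name are this example’s own.

```powershell
# Added example (not from the original page). Assumes
# Microsoft.Graph.Identity.SignIns and Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

function New-GuestMfaPolicy {
    param(
        [string]$Name = 'CA-Guests-Require-MFA',   # hypothetical policy name
        [switch]$Enforce                            # omit to stay in report-only mode
    )
    # Report-only shows the would-be result in sign-in logs without blocking anyone
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
    $body = @{
        displayName = $Name
        state       = $state
        conditions  = @{
            clientAppTypes = @('all')
            applications   = @{ includeApplications = @('All') }
            users          = @{
                # Scope to B2B collaboration guests from any external tenant,
                # rather than "All users", so members are unaffected.
                includeGuestsOrExternalUsers = @{
                    guestOrExternalUserTypes = 'b2bCollaborationGuest'
                    externalTenants          = @{
                        '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                        membershipKind = 'all'
                    }
                }
            }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$policy = New-GuestMfaPolicy    # report-only
"{0} created in state {1}" -f $policy.DisplayName, $policy.State
# After reviewing the sign-in logs, switch to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State enabled
```

Guests satisfy the MFA control in your tenant unless cross-tenant access settings (next module) are configured to trust MFA from their home tenant, so expect freelancers on email OTP or consumer accounts to register an authentication method on first sign-in.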

External identity providers

By default, guests use their own Entra tenant, a Microsoft account, or email OTP. You can add external identity providers for a smoother sign-in experience:

  • Google (OAuth 2.0 / OpenID Connect): consumer Gmail accounts (gmail.com / googlemail.com). Google Workspace domains are federated through SAML/WS-Fed instead.
  • Facebook (OAuth 2.0): self-service sign-up user flows for customer-facing apps; it is not used for B2B invitation redemption.
  • SAML/WS-Fed identity provider (SAML 2.0 or WS-Federation): enterprise partners with non-Microsoft IdPs (Okta, Ping, etc.) or Google Workspace.

SAML/WS-Fed federation

For enterprise partners using non-Microsoft identity providers (Okta, Ping Identity, ADFS):

  1. Configure the partner’s IdP as a SAML or WS-Fed identity provider in your tenant (Entra admin center → External Identities → All identity providers → New SAML/WS-Fed IdP), supplying the issuer URI, passive sign-in URL (HTTPS) and signing certificate from the partner’s metadata
  2. Map the partner’s domain to the federation. The domain must not already be DNS-verified in an Entra tenant, because redemption checks for an Entra tenant before it checks for a federation
  3. When guests from that domain are invited, they authenticate via their own IdP; the IdP must return a NameID and an email address claim that matches the invited address
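
The portal steps above map onto a single Graph object, samlOrWsFedExternalDomainFederation, which is easier to review and version than clicking through the wizard. The following is an added example, not code from the original page: it registers a partner federation with Invoke-MgGraphRequest against the v1.0 endpoint and lists the federations already present with their mapped domains. It assumes the IdentityProvider.ReadWrite.All scope; the partner domain, issuer, sign-in URL and certificate are hypothetical placeholders to be replaced with values from the partner’s IdP metadata.

```powershell
# Added example (not from the original page). Assumes IdentityProvider.ReadWrite.All.
Connect-MgGraph -Scopes 'IdentityProvider.ReadWrite.All' -NoWelcome
$FedUri = 'https://graph.microsoft.com/v1.0/directory/federationConfigurations'

function New-PartnerFederation {
    param(
        [Parameter(Mandatory)][string]$Domain,              # e.g. 'partner.example' (hypothetical)
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$IssuerUri,           # the IdP's entityID
        [Parameter(Mandatory)][string]$PassiveSignInUri,    # the IdP's SSO endpoint
        [Parameter(Mandatory)][string]$SigningCertificate,  # base64 DER, no PEM headers
        [string]$MetadataExchangeUri,                       # optional MEX endpoint
        [ValidateSet('saml', 'wsFed')][string]$Protocol = 'saml'
    )
    # Entra rejects non-HTTPS sign-in endpoints; fail early with a clear message
    if ($PassiveSignInUri -notmatch '^https://') { throw 'passiveSignInUri must use HTTPS' }

    $body = @{
        '@odata.type'                   = '#microsoft.graph.samlOrWsFedExternalDomainFederation'
        displayName                     = $DisplayName
        issuerUri                       = $IssuerUri
        passiveSignInUri                = $PassiveSignInUri
        signingCertificate              = $SigningCertificate
        preferredAuthenticationProtocol = $Protocol
        domains                         = @(
            @{ '@odata.type' = '#microsoft.graph.externalDomainName'; id = $Domain }
        )
    }
    if ($MetadataExchangeUri) { $body.metadataExchangeUri = $MetadataExchangeUri }

    # A domain that is DNS-verified in any Entra tenant is refused here,
    # because redemption would route it to that tenant instead.
    Invoke-MgGraphRequest -Method POST -Uri $FedUri -Body $body
}

function Get-PartnerFederations {
    # One row per federation with the domains mapped to it
    $feds = (Invoke-MgGraphRequest -Method GET -Uri "$FedUri/graph.samlOrWsFedExternalDomainFederation").value
    foreach ($f in $feds) {
        $domains = (Invoke-MgGraphRequest -Method GET -Uri "$FedUri/$($f.id)/domains").value
        [pscustomobject]@{
            Name     = $f.displayName
            Protocol = $f.preferredAuthenticationProtocol
            Issuer   = $f.issuerUri
            Domains  = ($domains.id -join ', ')
        }
    }
}

# Hypothetical partner values; replace with the partner's IdP metadata
New-PartnerFederation -Domain 'partner.example' -DisplayName 'Partner (Okta)' `
    -IssuerUri 'http://www.okta.com/exk0000000000000000' `
    -PassiveSignInUri 'https://partner.okta.com/app/entra/exk0000000000000000/sso/saml' `
    -SigningCertificate 'MIIC...base64...'
Get-PartnerFederations | Format-Table
```

Review the output of Get-PartnerFederations whenever a partnership ends: a federation left behind for a domain you no longer work with still lets anyone that IdP authenticates redeem an invitation, so remove it along with the partner’s guests.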
Exam tip: SAML vs WS-Fed

Both SAML 2.0 and WS-Federation achieve the same goal: federated authentication with external IdPs. The exam may ask which to choose:

  • SAML 2.0: industry standard, works with almost any IdP (Okta, Ping, OneLogin)
  • WS-Federation: older Microsoft protocol, primarily for AD FS and legacy Microsoft environments

Default guidance: Use SAML 2.0 unless the partner specifically requires WS-Fed.


Flashcards

Question

What is the redemption priority order for guest users in Entra External ID?


Answer

1) Their own Entra ID tenant, 2) Configured external identity provider (Google, SAML/WS-Fed), 3) Microsoft account, 4) Email one-time passcode (OTP). The first matching option is used.


Question

What are the guest invite settings options in External collaboration settings?


Answer

Who can invite guests: 1) Anyone in the org (including guests), 2) Members and specific admin roles, 3) Only admin roles, 4) No one. Controls who can send B2B invitations to external users.


Question

How do you configure federation with a partner using Okta as their identity provider?


Answer

Add a SAML 2.0 identity provider in Entra → External Identities → All identity providers → New SAML/WS-Fed IdP, using Okta’s issuer URI, sign-in URL and signing certificate. Map the partner’s domain (not DNS-verified in any Entra tenant) to the federation. When guests from that domain are invited, they authenticate via Okta.


Knowledge Check

  1. Anika's client needs to invite 200 consultants from a partner firm that uses Okta as their identity provider. The client wants consultants to sign in with their existing Okta credentials. What should Anika configure?
  2. A guest user from a partner company reports they can't sign in. The partner doesn't have an Entra tenant or Microsoft accounts. What authentication method will Entra use as a fallback?


Next up: Cross-Tenant Access & Synchronisation. Control how your tenant trusts and shares with other Entra ID tenants using cross-tenant access settings and sync.