Microsoft identityBeginner31 min read

What Does External identity Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

An external identity is a login credential that comes from outside your own system. It means you can sign in to a service using an account you already have with a different provider, like your Google or Facebook account. This removes the need for companies to create and manage a separate username and password for you. In IT, this is often managed through federation and identity providers.

Commonly Confused With

External identityvsFederated identity

Federated identity is a broader concept that encompasses the trust relationship between two or more identity domains. External identity is a specific use case of federated identity where one party's identity is managed by an external IdP. Federated identity can also apply to internal trust (e.g., between forests). External identity is always about identities from outside the organization's directory.

Two departments in the same company using federation is federated identity but not external identity. A partner company using their own IdP to access your app is both federated identity and external identity.

External identityvsGuest user

A guest user is the representation of an external identity within your directory, commonly created by B2B collaboration. Not all external identities result in a guest user object. For example, direct federation with a SAML IdP does not create a user object. A guest user is a type of external identity, but the term external identity refers to the broader concept of the identity itself, not just its local representation.

When you invite a user via B2B, they become a guest user in your tenant. That guest user is a local representation of their external identity. But if you use direct federation, no guest user is created; their external identity is used directly for access.

External identityvsIdentity provider (IdP)

An identity provider is the service that creates, manages, and authenticates identities. External identity is about the identity itself, not the provider. The IdP is the source of truth for that identity. So the external identity exists in the external IdP, but the external identity is the digital representation of the person, while the IdP is the system that verifies it.

Google is an identity provider. Your Google account is an external identity. When you log into a third-party site with Google, your external identity (your Google account) is used, and Google is the IdP.

Must Know for Exams

For certification exams, especially those in the Microsoft identity and security track, external identity is a recurring and highly testable topic. In the Microsoft SC-300 (Identity and Access Administrator) exam, external identity is a major domain. You are expected to understand how to plan and implement external identities using Microsoft Entra ID B2B and B2C. The exam objectives include configuring identity providers for external identities, managing guest users and their access rights, implementing conditional access policies for external users, and troubleshooting federation issues. Questions can be scenario-based, asking you to choose the correct configuration to allow a partner organization to access a specific SharePoint site. You might also be asked to identify the difference between B2B collaboration and direct federation. The AZ-900 (Azure Fundamentals) exam includes higher-level understanding of external identity, often focusing on the benefits of using Azure AD B2B and B2C as part of a cloud solution. You should know that Azure AD B2B allows external users to access your resources using their own corporate or social identities, and that it involves an invitation and redemption process. The exam may ask which feature allows you to give a partner access to a specific app without creating a user object in your directory. While AZ-900 does not look at protocols, understanding the basic flow is important.

The MS-101 (Microsoft 365 Administrator) exam also touches on external identity, particularly in the context of Microsoft 365 workload management. You may need to know how to configure external sharing in SharePoint Online, Teams, and OneDrive. This directly depends on the external identity settings in Entra ID. The exam might ask you to plan for guest access in Microsoft Teams, including how external users are authenticated and what permissions they have. The MS-500 (Microsoft 365 Security Administration) exam integrates external identity with security topics. You must understand how to secure external access using conditional access policies, how to monitor guest user sign-in logs, and how to implement access reviews for guest users. Security-focused questions can involve identifying a misconfiguration that allows external users to bypass multi-factor authentication. Going beyond Microsoft, the CompTIA Security+ exam includes external identity concepts under identity and access management. While not using the specific term external identity, it covers federated identity, SAML, OAuth, and OpenID Connect. You need to understand how federation allows identity portability across organizations. The exam may present a scenario where two companies merge and need to allow users from one company to access resources in the other without re-authentication. The solution involves federated identity, which is essentially external identity management. For the CISSP exam, the concept is covered under the Identity and Access Management domain. You must understand the trust relationship models, the difference between SAML and OAuth, and the security implications of relying on an external identity provider. The CISSP exam is more conceptual and policy-focused, so you need to be able to discuss the risk and control considerations for external identities.

Question types vary. Multiple-choice questions might ask which protocol is used for external identity federation (e.g., SAML, OAuth, OpenID Connect). Scenario-based questions describe a business requirement, such as giving external auditors access to a financial application for 90 days. You must choose the best approach, such as using B2B collaboration with an expiration policy. Drag-and-drop questions might ask you to order the steps of the token flow for external authentication. Case study questions, common in advanced exams, can integrate external identity with other topics like conditional access, role-based access control, and identity protection. You must be able to troubleshoot why a guest user cannot access a resource, often because of a missing claim mapping, an incorrect trust configuration, or a conditional access policy blocking the user. Understanding the nuances of external identity will help you distinguish between similar-sounding answers. For example, B2B collaboration creates a guest user object in your directory, while direct federation does not create a user object but relies on the external token. Knowing this distinction can be the key to getting the correct answer. External identity is a high-yield topic across multiple exams. It links together directories, authentication protocols, security policies, and user management. Dedicate study time to the specific features of your target exam's platform (like Microsoft Entra ID), as implementation details are often tested.

Simple Meaning

Think of an external identity like using your driver's license to get into a bar. The bar itself doesn't know who you are, but it trusts the government-issued ID to prove your age and name. The bar doesn't need to issue you a special membership card because it accepts the ID from an outside source. An external identity works the same way digitally. When you log into a website using your Google account, you are using an external identity. The website trusts Google to verify who you are. Your actual user profile, password, and security settings live with Google, not with the website. This is very convenient for you because you don't have to remember yet another password. For the company running the website, it is also beneficial because they don't have to build and secure their own login system. They just outsource that trust to a big, established identity provider like Google, Microsoft, or Facebook. The external identity usually carries some information, like your email address and name, which the website uses to create your local profile. This whole process is managed by standards like OAuth and OpenID Connect, which allow different systems to communicate securely about who you are. In a business IT context, external identities are often used to give partners, vendors, or customers access to internal resources without creating full internal accounts. For example, a company might allow a contractor to log in with their own company's Microsoft 365 account. This saves administrative work and improves security because the contractor's home organization manages the password policies and multi-factor authentication. The key point is that the organization does not have full control over that external identity. They rely on the external identity provider to manage and secure the credentials. This is a fundamental shift from the old model where every user had a local account in a company's Active Directory. External identities are now a core part of modern identity and access management (IAM).

In everyday life, you already do this. When you use your Apple ID to log into a third-party app, you are using an external identity. When you log into a travel site using your Facebook account, that is an external identity. It is a bridge between different digital worlds. For IT professionals, understanding external identities is crucial because it touches security, user experience, and compliance. The management of these external identities often falls under terms like B2B collaboration, B2C authentication, and federation. While it simplifies life for users, it also creates new attack surfaces. If the external identity provider is compromised, attackers may gain access to your systems. That is why you must carefully choose which external identity providers you trust and configure exactly what information they can share.

Another way to think about it is as a guest entering a private club. The club can either issue its own membership card (internal identity) or accept a passport from a trusted country (external identity). Both prove the person is who they say they are, but the trust is managed differently. The club has to trust the passport's issuing government to have verified the person correctly. Similarly, your IT system must trust the external identity provider to have done proper identity verification. This is why selecting a reputable identity provider is critical. External identities are not just for consumers. In enterprise scenarios, they enable seamless collaboration between different organizations, such as when two companies merge or when a company hires an external auditor. Instead of creating a separate account for each external person, you can invite them to use their existing corporate identity. This is a concept heavily used in Microsoft Entra ID (formerly Azure AD) through features like B2B collaboration. The external user's identity remains in their home tenant, but they get a shadow representation in your tenant giving them access to resources. This decoupling of identity and access is a powerful and flexible model for modern IT environments.

Full Technical Definition

In a technical context, an external identity is a digital representation of a person or entity that is maintained by an external identity provider (IdP) and is used to authenticate and authorize access to resources in a separate, relying-party system. The core mechanism enabling this is identity federation, which is built on open standards such as SAML 2.0, OAuth 2.0, and OpenID Connect (OIDC). These protocols allow the exchange of identity assertions and claims between the external IdP and the local service without requiring the user to present separate credentials to the local system. The process typically begins with the user attempting to access a resource. The relying party (the application or service) redirects the user to the external IdP's login page. The user authenticates with the IdP using whatever method the IdP supports, which could include passwords, multi-factor authentication, or passwordless methods. Upon successful authentication, the IdP generates a signed token, often in JSON Web Token (JWT) format for OIDC or an XML-based assertion for SAML. This token contains claims about the user, such as their email, name, group memberships, and a unique identifier. The token is digitally signed using the IdP's private key. The relying party then validates the signature using the IdP's public key, which is obtained from the IdP's metadata endpoint or a pre-configured trust relationship. Once validated, the token is trusted, and the relying party can use the claims within it to make authorization decisions and create a local session or user object.

From an implementation standpoint, external identity management in Microsoft's ecosystem is primarily handled through Microsoft Entra ID (formerly Azure Active Directory). Entra ID supports several models for external identities. The B2B (business-to-business) collaboration model allows you to invite users from other Entra ID tenants or other identity providers to access your applications. The invited user authenticates with their home organization's credentials, and a guest user object is created in your tenant. This guest object has a UserType property set to Guest. Authorization can be managed through conditional access policies, which can evaluate the user's trust level, device compliance, and location. The B2C (business-to-customer) model is a separate service for consumer-facing applications. It allows customers to sign in with social identities like Google, Facebook, or local accounts. B2C provides extensive customization options for user flows, sign-up pages, and token customization. Another important concept is direct federation, where you establish a trust relationship with an external IdP that does not use Entra ID, such as a SAML 2.0 compliant IdP. This is configured in Entra ID by uploading the IdP's metadata XML and mapping claims.

A crucial technical detail is the distinction between authentication and authorization in the context of external identities. The external IdP handles authentication, meaning it verifies the user's identity. The relying party handles authorization, meaning it decides what the authenticated user is allowed to do. However, the token from the external IdP can include claims that are used for authorization, such as roles or group memberships. This is where claim mapping becomes important. The relying party may need to transform or map the claims from the external IdP to its own internal roles and permissions. This is often done through attribute mapping configuration on both sides. In SAML, this is done through attribute statements. In OIDC, it is done through scopes and custom claims. Security considerations are paramount. The relying party must always validate the token's signature, the issuer, the audience (the intended recipient), and the token's expiration time. It must also protect against token replay attacks by using features like nonce and timestamps. The external identity model fundamentally shifts the security boundary. You must trust the external IdP's security practices, including its authentication strength, its session management, and its compliance with regulations. This is why many enterprises implement gradual consent and access reviews for guest users.

external identities can be synchronized using directory synchronization tools like Microsoft Entra Connect, though this is more common for internal identities. For external identities, the lifecycle is often managed dynamically through invitations and self-service. When an invitation is sent, a redemption process occurs where the guest user must accept the invitation and, in some cases, complete multi-factor authentication on the external IdP side. The guest user account typically has a limited set of permissions by default, and an administrator can assign more specific roles. Auditing is also critical. Both the external IdP and the relying party audit authentication events. The relying party can monitor when guest users access resources, and the external IdP logs authentication attempts. This creates a distributed audit trail that must be correlated for incident investigation. External identity is a mature, standards-based approach to extending digital trust across organizational boundaries. It relies on cryptographic trust, federation protocols, and careful configuration to provide seamless and secure access for users who are not part of the organization's core directory.

Real-Life Example

Imagine you are attending a conference at a large convention center. You are not an employee of the convention center, so you do not have a staff badge. Instead, you have a conference badge that was issued by the event organizer (an external organization). To enter the conference hall, you show your conference badge to a security guard. The guard does not know you personally, but she recognizes the badge as official and trusts that the event organizer verified your registration. The guard lets you in. In this analogy, your conference badge is your external identity. The event organizer is the external identity provider (IdP). The convention center is the relying party, the system that needs to let you in. The convention center trusts the event organizer's badge-making process. Similarly, in IT, a website trusts Google's login process. Now, extend this analogy. Suppose the convention center has multiple rooms. Your conference badge might have a sticker that says Gold Pass, allowing you into the VIP lounge. The badge not only proves who you are, but also carries attributes (the Gold Pass sticker) that determine your access rights. In the digital world, this is like the claims in a token. Your badge is signed with a hologram that makes it hard to counterfeit. This is like the digital signature on a token. The security guard checks the hologram to confirm it is genuine. In IT, the relying party checks the token's signature. If someone tries to use a fake badge from another event, the security guard will reject it because it does not have the correct hologram or valid issuer information. That is like token validation failing because the issuer is not trusted.

Now consider a more complex scenario. You are a contractor working for a company that uses a software service. Your own company's HR system, which is external to the software service, manages your identity. You do not have a username and password for the software service. You simply click a button that says Log in with my company account. This redirects you to your company's login page. You prove your identity there, and your company sends a digital message to the software service saying you are authenticated. This is exactly like the conference analogy, but the collaboration is between organizations, not an event. The software service trusts your company's authentication. This is a real-life example of external identity in enterprise B2B collaboration. The key difference between this and the earlier conference example is that in the conference, the badge is a physical object. In IT, the identity is a digital token, but the underlying trust relationship is the same. The external identity model is so powerful because it allows seamless access across different administrative domains. It is the reason you can use your Microsoft account to log into a third-party app without giving that app your Microsoft password. The app never sees your password; it only receives a token. This protects your credentials and reduces the risk of password theft. In everyday terms, you are constantly using external identities whether you realize it or not. Every time you see Sign in with Google or Sign in with Apple, you are experiencing external identity in action. The companies that implement this do so to reduce friction for users and to offload the complexity and liability of credential management.

Why This Term Matters

For IT professionals, understanding external identity is not just a nice-to-have, it is a core competency in modern identity and access management. With the rise of cloud computing, SaaS applications, and hybrid work, organizations frequently need to grant access to people who are not inside their corporate directory. These people include contractors, vendors, partners, customers, and even temporary employees. Managing a separate username and password for each of these external users is inefficient, insecure, and creates a poor user experience. External identity provides a scalable and secure alternative. By leveraging federation, organizations can trust identities that are already managed by other systems, such as a partner's Azure AD or a consumer's Google account. This reduces the administrative burden of password resets, account provisioning, and lockout management. It also improves security because the external identity provider often has stronger authentication mechanisms, including multi-factor authentication and risk-based access policies. When you externalize authentication, you reduce the attack surface on your own systems because you are not storing those external users' credentials.

external identity directly supports zero-trust security principles. In a zero-trust model, no user or device is automatically trusted based on location. Instead, every access request must be verified and authorized. External identity enables this by allowing you to impose conditional access policies on guest users. For example, you can require that external users authenticate with multi-factor authentication from their home organization, and you can block access from untrusted IP addresses. This granular control is impossible if you manage external users with separate local accounts that lack advanced authentication capabilities. Compliance is another major reason why external identity matters. Regulations like GDPR, HIPAA, and SOC 2 require organizations to control and audit who has access to sensitive data. External identity allows you to track exactly when external users accessed resources, and you can deprovision their access quickly when the collaboration ends. You can also enforce access reviews to periodically confirm that external users still need access. Without a structured external identity model, you risk having orphaned accounts that remain in your directory for years, creating a security liability.

From a user experience perspective, external identity eliminates the friction of creating yet another account. Users can use the credentials they already trust, which reduces sign-up abandonment rates for consumer applications and increases productivity for business partners. In an era where user experience is a competitive differentiator, seamless authentication is a business advantage. For IT professionals preparing for certification exams, external identity concepts frequently appear in exams like Microsoft SC-300, AZ-900, and MS-101. These exams test your understanding of how to configure external collaboration settings in Entra ID, how to manage guest users, how to set up federation with external IdPs, and how to secure external access with conditional access policies. Knowing the difference between B2B collaboration and B2C, the token flow, and the security implications is essential for both the exam and real-world job performance. External identity is the backbone of modern cross-organizational collaboration. It solves the problem of trust across boundaries, making it possible to work securely with partners and customers without duplicating identity management efforts. For any IT professional working with cloud services, it is a fundamental concept that affects everything from architecture to operations.

How It Appears in Exam Questions

Exam questions about external identity typically fall into several patterns: conceptual understanding, configuration steps, scenario-based decision making, and troubleshooting. Here are concrete examples of how questions appear.

Conceptual questions often ask you to define the term or distinguish it from related concepts. You might see a question like: What is the primary purpose of Azure AD B2B collaboration? The answer is to allow external users to access your organization's resources using their own identity provider. A distractor might say to synchronize on-premises users to the cloud, which is incorrect. Another question: Which protocol is commonly used for external identity federation? Correct answer: SAML or OpenID Connect. This tests your knowledge of the underlying technology. A more nuanced question: What is the difference between Azure AD B2B and Azure AD B2C? The expected answer is that B2B is for business partners and typically uses organizational accounts, while B2C is for customer-facing applications and supports social identities like Google and Facebook. These questions assess whether you understand the target audience for each solution.

Configuration questions simulate real-world tasks. For example: An administrator needs to allow external users from a partner company to access a confidential SharePoint site. The partner company uses its own Azure AD tenant. Which of the following should the administrator configure? The correct answer is to create a B2B collaboration invitation and send it to a user in the partner company. The administrator might also need to set up an access package with access reviews. Another configuration question: You need to set up a trust relationship with an external identity provider that uses SAML 2.0. Where in the Entra ID portal do you upload the IdP's metadata? The answer is in the External Identities | All identity providers blade under SAML/WS-Fed identity providers. These questions test your familiarity with the administrative interface.

Scenario-based decision questions are common. You get a business requirement and must choose the best technical solution. Example: A company hires a temporary external auditor who needs access to a financial reporting system for three months. The auditor's organization uses Microsoft 365. What is the most cost-effective and secure way to grant access? The best answer is to invite the auditor as a B2B guest user and configure an access review that automatically removes access after three months. A less ideal answer would be to create a federated domain or to create a regular internal user account. Another scenario: A SaaS application needs to allow users to sign in with their Facebook accounts. What should the application developer configure? The answer is to integrate with an external identity provider that supports OAuth 2.0, such as Azure AD B2C with Facebook as a social identity provider. This tests your ability to map business needs to specific features.

Troubleshooting questions require you to diagnose failures. For example: A guest user reports that they can accept the invitation but cannot access the application. The sign-in logs show that the user passed authentication but authorization failed. What is the most likely cause? Possible answers include: the user was not assigned to the application, the application does not trust the guest user's token, or a conditional access policy requiring device compliance is blocking the non-compliant guest device. The correct answer depends on the details, but this type of question assesses your understanding of the authentication vs. authorization flow. Another troubleshooting question: The federated authentication with an external partner is failing. The error message indicates that the token signature is invalid. What should the administrator check first? The answer is to verify that the partner's public key metadata is up to date in the federation trust configuration. This checks your knowledge of token validation mechanics.

Some questions integrate external identity with other topics like conditional access. Example: You have configured a conditional access policy that requires multi-factor authentication for all guest users. However, guest users are not being prompted for MFA. What is the likely reason? The answer might be that the guest user's home organization does not support MFA, or that the policy is configured for only cloud apps and the guest user is accessing a different app. This tests your ability to troubleshoot policy application. Finally, be prepared for questions about licensing. For example: Guest users in Azure AD B2B are subject to the same Microsoft Entra ID licensing as users in the partner tenant for the purpose of accessing Microsoft services. A question might ask how many guest users are free versus requiring an Azure AD P1 license. Knowing the licensing model is often tested in exam questions related to external identity. Exam questions will repeatedly test your grasp of the difference between identity providers, the token flow, the configuration steps in the admin center, and the security implications. Practice with scenario-based questions to solidify this knowledge.

Practise External identity Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you work for a company called TechSolutions, which uses Microsoft 365. Your company is partnering with another company called DesignPro to work on a joint project. DesignPro has its own Microsoft 365 tenant. You need to give a designer from DesignPro, named Alice, access to a shared document library in your company's SharePoint Online site. The goal is to allow Alice to view and edit documents without creating a new username and password for her in your system. Here is how you would use external identity to solve this. First, you, as the IT administrator for TechSolutions, go to the Microsoft Entra ID admin center. Under External Identities, you select B2B collaboration, then New guest user. You enter Alice's email address from her DesignPro account, which is alice@designpro.com. You also enter a personalized invitation message. The system sends an email invitation to Alice. The invitation email contains a link. When Alice clicks the link, she is redirected to her DesignPro login page (her home identity provider). She logs in with her DesignPro credentials. Because DesignPro is also using Microsoft Entra ID, the authentication happens seamlessly. Once she authenticates, she is asked to accept the permissions that TechSolutions is requesting, such as reading her email address and display name. After she accepts, she is redirected to the shared document library. The exchange of identity information was handled securely in the background.

In this scenario, Alice's identity is external to TechSolutions. TechSolutions never stored Alice's password. The trust was established through the B2B invitation process. Alice is now a guest user in TechSolutions' tenant. Her user object has a UserType of Guest. When Alice accesses the SharePoint site, TechSolutions' system trusts the token issued by Alice's home tenant (DesignPro). The token is signed by DesignPro's Microsoft Entra ID. TechSolutions' Entra ID validates the signature and then issues a local token for the SharePoint app. If Alice leaves DesignPro, her account will be disabled there, and she will automatically lose access to TechSolutions' resources without any action from TechSolutions' admin. This demonstrates the convenience and security of external identity. Now, imagine a slight variation. If DesignPro used a different identity provider, like Google or a SAML-based IdP, the process would involve configuring a direct federation trust in TechSolutions' tenant. The administrator would need to set up the external IdP metadata, including the signing certificate and endpoint URLs. This adds complexity but still provides the same core benefit: Alice uses her existing credentials. The scenario can also go wrong. Suppose Alice tries to access the document library but gets a denial error. The sign-in logs in TechSolutions show that the authentication succeeded but authorization failed. This could be because the SharePoint site was not assigned to guest users, or because a conditional access policy required the device to be compliant, and Alice's device is not managed by TechSolutions. Understanding these details is crucial for troubleshooting.

This scenario is a classic example of B2B collaboration. It is a frequent topic in exam questions because it demonstrates the real-world application of external identity. The invitation and redemption process, the trust relationship, and the assignment of resources are all testable elements. By practicing this scenario, you can understand the core workflow and the potential pitfalls. In an exam, you might be asked to identify the steps or to choose the correct configuration option that allows this to work. Understanding the simple scenario is the foundation for answering more complex questions.

Common Mistakes

Assuming external identity means the user must have a local account created in your directory.

The whole point of external identity is to avoid creating a local account. The identity is managed by an external provider, and only a lightweight guest representation or no user object at all is created, depending on the model (e.g., B2B vs. direct federation). Requiring a local account defeats the purpose of federation.

Understand that external identity relies on trust between your system and an external IdP. The user authenticates at their home IdP, and your system accepts the token. You do not manage their password or full profile.

Confusing authentication with authorization in the external identity flow.

Many learners think that once a user successfully authenticates with the external IdP, they automatically have full access to all resources. In reality, authentication only proves who the user is. Authorization is a separate step done by the relying party, often based on claims in the token or local role assignments.

Remember the two steps: first, the external IdP authenticates the user. Second, your application or service decides what the user can do. You must explicitly grant access to resources for guest users.

Thinking B2B and B2C are the same and interchangeable.

B2B collaboration is designed for business partners and organizational accounts, while B2C is for customer-facing applications and supports social identities. Using B2B for a consumer app would miss social login capabilities, and using B2C for internal partner access would lack features like deep integration with Entra ID policies.

Assess the audience. If the users are from other organizations with their own directories, use B2B. If the users are consumers logging in with Google or Facebook, use B2C.

Neglecting to validate the token's audience and issuer.

A token that is not validated for the correct audience (your application) can be used in another context, leading to access bypass. If you do not check the issuer, you could accept tokens from a malicious IdP impersonating the trusted one.

Always configure your application to validate the token. Check the 'aud' claim to ensure it matches your application ID, and check the 'iss' claim to ensure it matches the expected external IdP. This standard practice prevents token reuse attacks.

Assuming external identities are automatically covered by your data loss prevention (DLP) policies.

External users may not be subject to the same DLP controls as internal users unless explicitly configured. For example, a guest user might be able to download sensitive files that an internal DLP policy would block, if the DLP policy is scoped only to internal users.

Extend your security policies to cover guest users. Apply conditional access policies, labeling, and DLP rules to include external identity objects. Regularly review guest access with access reviews.

Exam Trap — Don't Get Fooled

{"trap":"External identity is often tested with a trick about 'direct federation' vs 'B2B collaboration'. The trap question asks: 'You need to allow external users from a partner organization that uses a SAML 2.0 IdP.

What should you configure?' The distractor answer is 'B2B collaboration', which is plausible but not always correct for non-Azure AD IdPs.","why_learners_choose_it":"Learners know that B2B collaboration is for external users, so they assume it works for any external IdP.

They forget that B2B collaboration is optimized for users from other Azure AD tenants or Microsoft accounts. For a custom SAML IdP, you must use direct federation (SAML/WS-Fed identity provider configuration) if you want to avoid creating guest user objects, or you must configure B2B with the external IdP as an identity provider.","how_to_avoid_it":"Read the scenario carefully.

If the partner uses a non-Microsoft SAML IdP and the requirement is to not create guest user objects, the answer is direct federation. If the requirement is to create guest user objects for easier management (like access reviews), then you configure a SAML/WS-Fed identity provider in Entra ID, which still supports B2B but requires that step. Always distinguish between the identity provider type and the collaboration model."

Step-by-Step Breakdown

1

User requests access to a resource

The process begins when a user attempts to access an application or service that is configured to accept external identities. The user might be a partner, vendor, or customer. They are presented with a login screen that offers an option like Sign in with your corporate account or Sign in with Google.

2

Relying party redirects to external identity provider

The application, acting as the relying party, initiates an authentication request. It redirects the user's browser to the external identity provider's (IdP) authentication endpoint. The URL includes parameters like the redirect URI, the requested scopes, and a state parameter to prevent CSRF attacks.

3

User authenticates with the external IdP

The user interacts directly with the external IdP's login page. They enter their credentials, which could be a password, biometrics, or a hardware token. The external IdP validates these credentials against its own directory. This step is invisible to the relying party.

4

External IdP issues a signed token

Upon successful authentication, the external IdP creates a token (e.g., a SAML assertion or a JWT in OIDC). The token contains claims about the user, such as their email, name, and group memberships. The token is digitally signed using the IdP's private key, ensuring integrity and non-repudiation.

5

Token is sent to the relying party

The external IdP sends the token to the relying party through the user's browser, typically via an HTTP POST (SAML) or a redirect to the relying party's callback URL (OIDC). The browser plays a passive role as a carrier.

6

Relying party validates the token

The relying party receives the token and performs validation. It checks the token's signature using the external IdP's public key. It also validates the issuer, the audience, the timestamp, and the nonce if present. Any failure in validation causes the request to be rejected.

7

Authorization decision and access granted

After validating the token, the relying party extracts the claims and uses them to make authorization decisions. It may look up local roles, check group memberships, or apply policies. If the user is authorized, a session is created (e.g., a cookie) and the user is granted access to the requested resource.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

MS-101MS-102(current version)

Related Glossary Terms