This chapter covers Azure AD External Identities, specifically B2B collaboration—how to invite external users (partners, vendors, contractors) to access your Azure AD-integrated applications without managing their credentials. For the AZ-104 exam, this topic appears in roughly 5–10% of questions under Domain 1: Manage Azure AD Identities (Objective 1.1). You must understand the difference between B2B and B2C, how invitations work, guest user properties, access review requirements, and licensing implications. Mastering this ensures you can design secure cross-organizational access without overprovisioning or exposing your tenant.
Think of your Azure AD tenant as a private office building with a security guard at the front desk. Only employees with company badges can enter. But you occasionally need external contractors, vendors, or partners to access specific rooms (apps) without giving them a permanent badge. Azure AD B2B collaboration is like issuing a digital guest pass. When you invite a guest, the guard (Azure AD) sends a one-time link to the guest's email. The guest clicks the link, presents their own government ID (their home identity provider—Microsoft, Google, Facebook, or any SAML/WS-Fed IdP), and the guard verifies it. Once verified, the guard issues a temporary badge (a guest user object in your tenant) that allows access only to the rooms you specified (apps/groups). The guard doesn't copy the guest's ID—they just record that the guest was authenticated by their home IdP. The guest can come and go using their own credentials; the guard checks the badge each time. If the guest's employment ends, you simply delete the badge from your directory—their home IdP is unaffected. This is fundamentally different from B2C, where you'd build your own registration portal and manage identities yourself—like running a public hotel where anyone can check in with a credit card.
What is Azure AD External Identities?
Azure AD External Identities is a set of capabilities that allow people outside your organization to access your apps and resources using their own identity. It comes in two flavors: B2B (business-to-business) collaboration and B2C (business-to-consumer) customer access. The AZ-104 exam focuses almost exclusively on B2B collaboration, where you invite external users from partner organizations into your Azure AD tenant as guests.
B2B collaboration is not federation in the traditional sense—there is no trust relationship established between two Azure AD tenants. Instead, each guest user is represented as a user object in your tenant with UserType set to "Guest." The guest authenticates against their home identity provider (IdP), and Azure AD issues a token for your tenant based on that authentication. This is sometimes called "bring your own identity" (BYOI).
How B2B Invitation and Redemption Works
The process involves two phases: invitation and redemption.
Invitation: An administrator or user with the Guest Inviter role sends an invitation email or direct link to the external user. The invitation contains a link pointing to https://login.microsoftonline.com/redeem?tenantID=...&invitationToken=... The invitation token is valid for 30 days by default (configurable via the InvitationRedeemTimeout property, range 1–30 days). The invited user does not need to have an existing Azure AD account; they can use any email address.
Redemption: When the user clicks the link, Azure AD checks the invitation token. If valid, the user is redirected to their home IdP for authentication. The user authenticates using credentials managed by their home organization (e.g., Microsoft account, Google, or corporate SAML/WS-Fed IdP). After successful authentication, Azure AD creates a guest user object in your tenant (if one doesn't already exist) and issues a token scoped to your tenant. The guest user object includes:
UserPrincipalName (UPN): Typically constructed as emailaddress#EXT#@tenant.onmicrosoft.com
DisplayName: From the home IdP
UserType: Guest
SignInName: The external email address
TenantId: Your tenant's ID
Once redeemed, the guest can access resources directly without clicking the invitation again, as long as the guest user object exists in your tenant.
Guest User Properties and Management
Guest users have a restricted set of directory permissions by default. They can read their own profile but cannot browse the tenant directory (unless you relax the "Guest users have limited access" setting or assign the Directory Readers role). Key properties:
UserType: Can be Member or Guest. This determines default permissions.
ExternalUserState: PendingAcceptance, Accepted, or Rejected.
ExternalUserStateChangeDateTime: Timestamp of last state change.
You can manage guest users via:
Azure Portal: Azure AD > Users > New guest user
Microsoft Graph API: POST /users with "userType": "Guest"
PowerShell: New-AzureADMSInvitation
Azure CLI: az ad user create with --user-type Guest
Access Control for Guests
Guests can be assigned to:
- Azure AD applications (SaaS apps, custom apps integrated with Azure AD)
- Azure AD security groups (including dynamic groups—but dynamic groups for guests require special rules)
- Azure RBAC roles (e.g., Contributor on a subscription)
Important: By default, guests can be added to Azure AD roles only if they have an Azure AD P1 or P2 license assigned to them in your tenant. This is a common exam trap—guests need a license for privileged roles.
B2B Collaboration vs. B2C Customer Access
B2B is for external partners who authenticate using their own organization's identity system. B2C is a separate service (Azure AD B2C) for customers who authenticate using social identities (Google, Facebook) or local accounts (email/password). B2C is a completely different Azure resource (Azure AD B2C tenant) and is not covered in the AZ-104 exam except to contrast it with B2B.
Cross-Tenant Access Settings (Newer Feature)
As of 2023, Azure AD supports cross-tenant access settings that replace the old B2B direct connect. You can configure:
- Inbound access: Allow specific external tenants to access your apps via B2B collaboration or B2B direct connect.
- Outbound access: Allow your users to access apps in external tenants.
- Trust settings: Trust MFA, trusted devices, or compliant devices from the external tenant.
These settings are found under Azure AD > External Identities > Cross-tenant access settings. The exam may ask about the difference between B2B collaboration (invitation-based) and B2B direct connect (used for Teams shared channels).
Licensing Requirements for B2B
Guest users can access Azure AD-integrated apps without any license in your tenant (they use their home tenant's license for their own IdP).
However, if you want guest users to benefit from Azure AD Premium features (like Conditional Access, MFA, or Identity Protection), you need to assign an Azure AD P1 or P2 license to each guest in your tenant.
The ratio is 1:5 for Azure AD P1/P2 licenses—for every paid license you own, you can cover up to 5 guest users. This is called the Guest User Licensing Model.
Conditional Access and MFA for Guests
Conditional Access policies can be applied to guest users by selecting "Guest or external users" in the policy's user scope (the same selector is available under exclusions when you want to exempt them). However, to enforce MFA for guests, you must either:
Trust MFA from the guest's home tenant (via cross-tenant access settings), or
Require MFA using your tenant's MFA capabilities (requires Azure AD P1 license for the guest).
If you trust MFA from the home tenant, the guest's home tenant must have MFA enabled and the user must have completed MFA there. This is a common exam scenario: you can avoid assigning licenses to guests by trusting their home tenant's MFA.
Access Reviews for Guests
To maintain security and compliance, Azure AD Entitlement Management and Access Reviews can be used to periodically review guest access. Access reviews can be configured to expire guest accounts after a set number of days (e.g., 30, 60, 90). This is a key exam point—guests are often overprovisioned and access reviews help automate cleanup.
PowerShell and CLI Commands
Invite a guest using Azure CLI:
```shell
az ad user create --display-name "Jane Doe" --user-principal-name janedoe#EXT#@contoso.onmicrosoft.com --user-type Guest --mail-nickname janedoe
```
Invite a guest using Microsoft Graph (PowerShell):
```powershell
New-MgInvitation -InvitedUserEmailAddress "jane@partner.com" -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage:$true
```
List guest users:
```shell
az ad user list --query "[?userType=='Guest']"
```
Convert guest to member:
```powershell
Set-AzureADUser -ObjectId <objectid> -UserType Member
```
(This changes the user type but does not change the authentication method.)
Defaults and Timers
Invitation token validity: 30 days (configurable)
Guest user object lifetime: indefinite unless deleted or expired via access review
Default guest permissions: Can read own profile, cannot browse directory
Maximum guest users per tenant: 1 million (hard limit)
Interaction with Related Technologies
Azure AD B2B + Teams: Guests can be added to Teams as external participants. They appear with a guest label.
Azure AD B2B + SharePoint Online: Guest access to SharePoint sites requires site-level sharing settings.
Azure AD B2B + Azure Files: Guest access to Azure Files via identity-based authentication is not supported directly; you need to use Azure AD Kerberos or SAS tokens.
Exam-Relevant Details
The exam often tests the difference between inviting a guest via email vs. direct link. Both work; the email simply delivers the same redemption link, whereas a direct link must be sent to the guest through another channel.
Guests do not count toward the 50,000 object directory quota for free Azure AD; they count toward the 1 million guest limit.
Deleting a guest user from your tenant does not delete the user from their home tenant.
You cannot convert a guest to a member if the user's UPN is in a domain not verified in your tenant. You must first add the domain.
The "Guest Inviter" role allows non-admins to invite guests. This role can be assigned to users to delegate invitation rights.
1. Initiate Invitation
An admin or user with the Guest Inviter role navigates to Azure AD > Users > New guest user. They enter the external email address and optionally a personal message. Azure AD generates an invitation token (a cryptographically signed JWT) with a 30-day expiry by default. The token contains the tenant ID, invited user email, and a unique redemption code. The system sends an email with a redemption link (https://login.microsoftonline.com/redeem?tenantID=...&invitationToken=...). Alternatively, the admin can copy the direct link and send it via another channel. The invitation is recorded in the audit log.
2. User Clicks Redemption Link
The external user receives the email and clicks the link. Their browser navigates to the Microsoft login page. The invitation token is validated: Azure AD checks that the token is not expired (within 30 days) and that the email in the token matches the authenticated user's email after login. If the token is valid, the user is redirected to their home IdP for authentication. If the user does not have a home IdP (e.g., they use a consumer email), they can create a Microsoft account or use Google/Facebook if enabled.
3. Home IdP Authentication
The user authenticates against their home identity provider. For a Microsoft account, this is the Microsoft account authentication service. For a Google account, it's Google's OAuth 2.0 endpoint. For a corporate Azure AD tenant, it's the home tenant's login page. Azure AD receives a token from the home IdP containing the user's email, display name, and unique identifier. Azure AD does not store the user's password or credentials—it only stores the external user object reference.
4. Guest User Object Creation
After successful authentication, Azure AD checks if a guest user object with the same email already exists in the tenant. If not, it creates one. The UPN is set to `email#EXT#@tenant.onmicrosoft.com`. The UserType is set to Guest. The SignInName attribute stores the external email. The ExternalUserState is set to Accepted. If the user already exists (e.g., from a previous invitation), the state is updated. The user is now visible under Azure AD > Users.
5. Token Issuance and Access
Azure AD issues an access token scoped to the resource the user is trying to access (e.g., the My Apps portal). The token includes claims indicating the user is a guest. The user is redirected to the target application (e.g., https://myapps.microsoft.com). The application validates the token and grants access based on the user's group memberships and application assignments. For subsequent logins, the user can go directly to the application or use the tenant-specific login URL (https://login.microsoftonline.com/tenantname). They will be redirected to their home IdP automatically.
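To make the two-phase flow concrete, here is an added Python model of invitation and redemption (not Azure AD code, and not from the page; `Tenant`, `GuestUser` and the dates are constructed). It enforces the checks the steps above describe: the token is one-time, it expires after the configurable 1–30 day `InvitationRedeemTimeout`, the identity asserted by the home IdP must match the invited address, the guest object is created on first redemption with the `#EXT#` UPN and `ExternalUserState = Accepted`, and later sign-ins need no token at all.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed model of the invitation -> redemption flow described above. Tenant and
# GuestUser are illustrative names, not Azure AD APIs; dates and addresses are made up.
def guest_upn(email: str, tenant_domain: str) -> str:
    """Guest UPN: '@' in the external email becomes '_', then #EXT#@<tenant> is appended."""
    return f"{email.lower().replace('@', '_')}#EXT#@{tenant_domain}"

@dataclass
class GuestUser:
    upn: str
    sign_in_name: str                               # the external email address
    display_name: str                               # taken from the home IdP claim
    user_type: str = "Guest"
    external_user_state: str = "PendingAcceptance"
    state_changed_at: "datetime | None" = None

class Tenant:
    def __init__(self, domain: str, redeem_timeout_days: int = 30):
        if not 1 <= redeem_timeout_days <= 30:                # InvitationRedeemTimeout range
            raise ValueError("InvitationRedeemTimeout must be between 1 and 30 days")
        self.domain, self.timeout = domain, timedelta(days=redeem_timeout_days)
        self.invitations = {}   # token -> (invited email, expiry); removed once redeemed
        self.users = {}         # UPN -> GuestUser

    def invite(self, email: str, now: datetime) -> str:
        """Phase 1: mint a one-time token and return the redemption link."""
        token = secrets.token_urlsafe(24)
        self.invitations[token] = (email.lower(), now + self.timeout)
        return f"https://login.microsoftonline.com/redeem?tenantID={self.domain}&invitationToken={token}"

    def redeem(self, token: str, home_idp_claims: dict, now: datetime) -> GuestUser:
        """Phase 2: check the token, match it to the home-IdP assertion, create or update the guest."""
        if token not in self.invitations:
            raise PermissionError("unknown or already-used invitation token")
        email, expires_at = self.invitations[token]
        if now > expires_at:
            raise PermissionError("invitation token expired; the admin must resend it")
        if home_idp_claims["email"].lower() != email:
            raise PermissionError("authenticated identity does not match the invited address")
        upn = guest_upn(email, self.domain)
        user = self.users.setdefault(upn, GuestUser(upn, email, home_idp_claims["name"]))
        user.external_user_state, user.state_changed_at = "Accepted", now  # re-invite only updates state
        del self.invitations[token]                                        # the link is one-time
        return user

    def sign_in(self, email: str) -> bool:
        """Later sign-ins need no token: an Accepted guest object plus home-IdP auth is enough."""
        user = self.users.get(guest_upn(email, self.domain))
        return user is not None and user.external_user_state == "Accepted"

def demo() -> dict:
    """Walk the flow with constructed dates and return what each step observed."""
    t, day0 = Tenant("contoso.onmicrosoft.com"), datetime(2024, 1, 1)
    token = t.invite("Jane@partner.com", day0).split("invitationToken=")[1]
    out = {"before_redeem": t.sign_in("jane@partner.com")}
    try:   # a different identity at the home IdP must not be able to redeem Jane's link
        t.redeem(token, {"email": "mallory@partner.com", "name": "M"}, day0 + timedelta(days=1))
    except PermissionError as e:
        out["mismatch"] = str(e)
    user = t.redeem(token, {"email": "jane@partner.com", "name": "Jane Doe"}, day0 + timedelta(days=10))
    out.update(upn=user.upn, state=user.external_user_state, after_redeem=t.sign_in("jane@partner.com"))
    late = Tenant("contoso.onmicrosoft.com", redeem_timeout_days=7)
    tok2 = late.invite("bob@partner.com", day0).split("invitationToken=")[1]
    try:   # redeemed one day after a 7-day timeout
        late.redeem(tok2, {"email": "bob@partner.com", "name": "Bob"}, day0 + timedelta(days=8))
    except PermissionError as e:
        out["expired"] = str(e)
    return out

if __name__ == "__main__":
    print(demo())
```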
Scenario 1: Partner Access to SaaS Applications
A mid-size company, Contoso, uses Salesforce and Dynamics 365 integrated with Azure AD. They need to give their external accounting firm access to specific Salesforce records. The accounting firm uses Office 365. Contoso's admin invites the accounting firm's users as guests via Azure AD B2B. They assign the guests to an Azure AD security group that is synchronized to Salesforce. The accounting firm's users authenticate with their own Office 365 credentials. Contoso does not need to manage passwords or create local accounts. A common mistake: the admin forgets to assign the guests to the group, so they can authenticate but see no data. Another pitfall: the admin enables Conditional Access requiring MFA but does not trust the home tenant's MFA, forcing guests to register for MFA in Contoso's tenant (which requires a license). The correct approach is to configure cross-tenant access settings to trust MFA from the partner tenant, avoiding license costs. Performance is not an issue; B2B authentication adds minimal latency (a few hundred milliseconds). The main concern is guest account sprawl—without access reviews, guest accounts accumulate. Contoso sets up quarterly access reviews to remove inactive guests.
Scenario 2: Vendor Access to Azure Resources
A large enterprise, Fabrikam, uses Azure DevOps and an internal web app hosted on Azure App Service. External contractors need Contributor access to a specific resource group for deployment. Fabrikam invites the contractors as guests and assigns them the Contributor RBAC role on the resource group. The contractors authenticate using their personal Microsoft accounts. The challenge: Fabrikam wants to enforce MFA for all external access. They configure a Conditional Access policy targeting "Guest or external users" that requires MFA. Since the contractors use Microsoft accounts (which support MFA), and Fabrikam trusts MFA from Microsoft accounts, no extra license is needed. However, if the contractors used a corporate SAML IdP that does not support MFA, Fabrikam would need to assign Azure AD P1 licenses to the guests to enforce MFA with their own tenant. This scenario highlights the importance of understanding MFA trust and licensing. A common error: the admin assigns the Contributor role at the subscription level instead of the resource group, giving the contractors broader access than intended.
Scenario 3: Shared Channels in Microsoft Teams
An organization uses Teams with external partners via shared channels. This feature uses B2B direct connect, not B2B collaboration. The admin must configure cross-tenant access settings to allow B2B direct connect with the partner's tenant. The partner also needs to configure outbound settings. Unlike B2B collaboration, B2B direct connect does not create guest user objects in the tenant—the external user remains external and is not visible in Azure AD Users. This is a common exam trap: the exam may ask which method to use for Teams shared channels. The answer is B2B direct connect, not B2B collaboration. If misconfigured, users may see a "no access" error. The admin must ensure both tenants have the correct inbound and outbound settings.
What AZ-104 Tests on External Identities
The exam objective 1.1 includes "Manage external identities" under "Manage Azure AD objects." Specifically, you need to know:
How to invite external users (B2B collaboration)
Guest user properties and limitations
Licensing requirements for guests
Access review and conditional access for guests
Differences between B2B collaboration and B2B direct connect
Cross-tenant access settings
Top 4 Wrong Answers Candidates Choose
"Guests must have an Azure AD account in the same tenant." This is false. Guests use their own identity from a home IdP (Microsoft, Google, corporate AD). The exam loves to present this as a distractor.
"You need to assign an Azure AD P1 license to every guest." This is false for basic access. Licenses are only needed for premium features like MFA (if not trusted from home tenant) or Conditional Access. The exam may present a scenario where you can trust MFA from the home tenant to avoid licensing.
"B2B collaboration and B2C are the same." This is false. B2C is a separate service for customer-facing apps. The exam may ask which to use for a partner scenario—B2B is correct.
"Deleting a guest user deletes the user from their home tenant." This is false. The guest user object is only in your tenant; deletion does not affect the external identity.
Specific Numbers and Terms
Invitation token expiry: 30 days (default, configurable 1-30)
Guest user limit: 1 million per tenant
Guest to paid license ratio: 5:1 (5 guests per P1/P2 license)
UserType: Guest or Member
ExternalUserState: PendingAcceptance, Accepted, Rejected
Guest Inviter role: allows non-admins to invite guests
Cross-tenant access settings: Inbound/Outbound, Trust settings (MFA, compliant device, hybrid Azure AD join)
Edge Cases the Exam Loves
Guest with same UPN as a member: If a guest has the same email as an existing member, the invitation fails. You must first remove the member or change the email.
Dynamic groups for guests: You must use a rule like (user.userType -eq "Guest") to include guests. The default dynamic group rule does not include guests.
B2B direct connect (Teams shared channels): No guest user object is created. The user appears as an external participant in Teams only.
How to Eliminate Wrong Answers
If a question asks about licensing for B2B guests, ask: "Does the scenario require Azure AD Premium features?" If no (e.g., just access to SaaS apps), no license needed. If yes (e.g., MFA or Conditional Access), check if MFA can be trusted from home tenant. If the home tenant supports MFA and trust is configured, no license needed. Only assign licenses if you must enforce your own MFA or Conditional Access.
If a question asks about creating guest users, look for the method: Azure Portal, PowerShell New-AzureADMSInvitation, or Graph API. The exam may ask which command to use for a bulk invitation—the answer is the Graph API with the invitations endpoint.
If a question mentions Teams shared channels, immediately think B2B direct connect, not B2B collaboration. The two are often confused.
Azure AD B2B collaboration allows external users to access your apps using their own identity—no need to manage external credentials.
Guest users are represented as user objects in your tenant with UserType = Guest and a UPN in the format email#EXT#@tenant.onmicrosoft.com.
Invitation tokens expire after 30 days by default (configurable 1–30 days).
Guests do not require a license for basic access; Azure AD P1/P2 licenses are needed only for premium features like MFA (unless trusted from home tenant) or Conditional Access.
The Guest Inviter role allows non-admins to invite guests—delegate this role carefully.
Access reviews can automatically expire guest accounts after a set number of days (e.g., 30, 60, 90) to prevent account sprawl.
Cross-tenant access settings control inbound and outbound B2B collaboration and B2B direct connect, including trust of MFA and device compliance.
B2B direct connect (used for Teams shared channels) does not create guest user objects; it is a separate feature from B2B collaboration.
You cannot convert a guest to a member if the UPN domain is not verified in your tenant.
Deleting a guest user from your tenant does not affect their account in their home tenant.
These come up on the exam all the time. Here's how to tell them apart.
B2B Collaboration
Creates guest user objects in your Azure AD tenant
Used for granting access to applications, groups, and Azure resources
Requires invitation and redemption process
Guests appear in Azure AD Users list with UserType = Guest
Supports Conditional Access and MFA (with licensing or trust)
B2B Direct Connect
Does not create guest user objects; user remains external
Used exclusively for Teams shared channels (and some other Microsoft 365 workloads)
No invitation; requires cross-tenant access settings on both sides
Users do not appear in Azure AD Users; they are only visible in Teams
Supports trust settings (MFA, device compliance) but not full Conditional Access
Mistake
B2B collaboration requires the guest to have an Azure AD account.
Correct
Guests can authenticate using any identity provider supported by Azure AD, including Microsoft accounts (Outlook.com), Google, Facebook, or any SAML/WS-Fed IdP. They do not need an Azure AD account in your tenant or their own.
Mistake
You must assign a license to every guest user.
Correct
Guests can access Azure AD-integrated apps without any license in your tenant. Licenses (Azure AD P1/P2) are only required if you want to apply premium features like Conditional Access, MFA (unless trusted from home tenant), or Identity Protection. The 1:5 ratio applies.
Mistake
B2B collaboration and B2B direct connect are the same thing.
Correct
B2B collaboration creates guest user objects in your tenant and is used for inviting users to apps and groups. B2B direct connect is used for Teams shared channels and does not create guest user objects—the user remains external and is not visible in Azure AD.
Mistake
Deleting a guest user from your tenant deletes their account in their home tenant.
Correct
Deleting a guest object only removes the user's access to your tenant. The user's account in their home IdP is unaffected. This is a critical security and compliance distinction.
Mistake
Guests can browse the entire Azure AD directory by default.
Correct
By default, guests have limited directory permissions—they can only read their own profile. They cannot see other users, groups, or devices unless you explicitly grant them the Directory Readers role or change the external collaboration settings.
Azure AD B2B (business-to-business) is for granting external partners access to your organization's apps using their own work or social identities. B2C (business-to-consumer) is a separate Azure service for customer-facing apps where you manage user registration and sign-in with social or local accounts. For AZ-104, focus on B2B; B2C is rarely tested except to distinguish it.
No, not for basic access to Azure AD-integrated applications. However, if you want to apply Azure AD Premium features like Conditional Access, MFA (if not trusted from home tenant), or Identity Protection to guests, you must assign an Azure AD P1 or P2 license to each guest (or use the 5:1 guest-to-license ratio). If you trust MFA from the guest's home tenant via cross-tenant access settings, no license is needed.
Use the Microsoft Graph API with the `invitations` endpoint or PowerShell cmdlet `New-AzureADMSInvitation`. You can also use Azure AD Entitlement Management to automate guest invitations via access packages. The Azure Portal allows only single invitations. For bulk, use the Graph API or PowerShell.
The invitation token expires after 30 days (default). The user can request a new invitation from the admin, or the admin can resend the invitation. The guest user object is not created until redemption; if the token expires, no object exists. If the user had previously redeemed and the object exists, they can still sign in without a new invitation.
Yes. You can target Conditional Access policies to "Guest or external users" in the assignment scope. However, to enforce MFA, you must either trust MFA from the guest's home tenant (via cross-tenant access settings) or require MFA using your tenant's MFA (which requires an Azure AD P1 license for the guest).
You can delete the guest user object from Azure AD Users. This immediately revokes access to all resources in your tenant. Alternatively, you can remove the guest from groups or disable the account. Access reviews can also automatically expire guest accounts after a set period.
The UPN is constructed as `email#EXT#@tenant.onmicrosoft.com`. For example, if the guest's email is jane@partner.com and your tenant is contoso.onmicrosoft.com, the UPN becomes jane_partner.com#EXT#@contoso.onmicrosoft.com.