This chapter covers Microsoft Entra External ID security, the cornerstone of identity management for external users in Azure. For the AZ-500 exam, this topic is critical — approximately 10-15% of Identity and Access Management questions focus on external identity scenarios, including B2B collaboration, B2C, and Entra External ID configuration. You will be tested on securing external identities, configuring identity providers, managing guest user access, and implementing conditional access for external users. Mastery of these concepts is essential for the 'Manage identities' domain.
Jump to a section
Imagine a country (your Azure AD tenant) that wants to allow foreign visitors (external users) to enter for specific purposes. Instead of giving every visitor a permanent passport (direct user account in your tenant), the country sets up an embassy network (External ID). Each embassy (identity provider like Google, Facebook, or a SAML/WS-Fed IdP) verifies the visitor's identity using their own passport (their existing credentials). The visitor requests a visa (access token) for a specific purpose (application or API). The embassy issues a visa with strict conditions: validity period (token lifetime), allowed entry points (specific apps), and restrictions (conditional access policies). The country's border control (Azure AD) checks the visa against its policies before granting access. Importantly, the visitor never gets a permanent residency (user object in your tenant) unless you explicitly convert them to a guest user (B2B collaboration). This model ensures trust is delegated to the external identity provider while you retain full control over access policies. If a visitor's passport is revoked by their home country, they automatically lose access — you don't have to manually remove them.
What is Microsoft Entra External ID?
Microsoft Entra External ID (formerly known as Azure AD External Identities) is a set of capabilities that allow organizations to securely interact with users outside their tenant. It encompasses two primary scenarios: Business-to-Business (B2B) collaboration and Business-to-Customer (B2C) identity management. For AZ-500, the focus is heavily on B2B collaboration security, but B2C concepts also appear.
B2B Collaboration enables you to invite external users (partners, vendors, contractors) to access your organization's applications as 'guest' users. These guests authenticate using their own identity provider (e.g., Microsoft, Google, or any SAML/WS-Fed IdP) and are represented in your directory as user objects with UserType = 'Guest'. B2B collaboration is the primary mechanism for sharing applications and resources with external partners without managing their credentials.
B2C Identity Management is a separate Azure service (Azure AD B2C) for customer-facing applications. It allows customers to sign up and sign in using social identities (Google, Facebook) or enterprise identities, with customizable user journeys. While B2C is a distinct product, AZ-500 may test its security configuration, such as token settings and identity providers.
How External ID Works Internally
When an external user is invited via B2B collaboration, the following occurs:
Invitation: An admin or user sends an invitation via email, Azure portal, or API. The invitation contains a redemption URL and a unique invitation code.
Redemption: The user clicks the link and is redirected to their own identity provider (IdP) for authentication. After successful authentication, Azure AD creates a guest user object in the tenant and issues an access token.
Token Issuance: The guest user receives a token that includes claims like tid (tenant ID of the resource tenant), oid (object ID of the guest user in the resource tenant), and iss (issuer, which is the guest's home tenant or external IdP).
Access Control: Conditional access policies and application permissions are evaluated based on the guest user's attributes and the resource tenant's policies.
Key Components and Defaults
Guest User Object: Created with UserType = 'Guest'. Default settings allow guests to see other users and group memberships (limited). You can restrict guest access via 'External collaboration settings'.
External Identity Providers: By default, Microsoft accounts and Azure AD tenants are enabled. You can add other IdPs like Google, Facebook, or SAML/WS-Fed IdPs.
Invitation Settings: You can control who can invite guests (admins, users in specific roles, or all users). Default: Admins and users in the Guest Inviter role can invite.
Entitlement Management: Part of Azure AD Identity Governance. It allows creating access packages that govern guest access with time-limited assignments and approvals.
Conditional Access for External Users: Policies can be scoped to 'Guest or external users'. You can enforce MFA, device compliance, or location-based policies for guests.
Token Lifetime: Default token lifetimes for guest users are the same as for members (e.g., 1 hour for access tokens, 1-14 days for refresh tokens). These can be configured via Conditional Access session controls or token lifetime policies.
Cross-Tenant Access Settings: This is a critical security feature. It allows you to control inbound (guests coming into your tenant) and outbound (your users going to other tenants) access. You can block or allow specific tenants, apply trust settings (e.g., trust MFA from the home tenant), and configure access controls.
Configuration and Verification Commands
To configure External ID settings via PowerShell or Azure CLI:
Azure AD PowerShell (AzureAD module)
# Get current external collaboration settings
Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
# Update settings to restrict guest invitations to admins
$setting = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting.Values["AllowToAddGuests"] = $false
Set-AzureADDirectorySetting -Id $setting.Id -Values $setting.ValuesMicrosoft Graph PowerShell SDK
# Get cross-tenant access policy
Get-MgPolicyCrossTenantAccessPolicyDefault
# Update default inbound trust settings
$params = @{
inboundTrust = @{
IsMfaAccepted = $true
IsCompliantDeviceAccepted = $false
IsHybridAzureADJoinedDeviceAccepted = $false
}
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $paramsAzure CLI
# Get Azure AD directory settings
az rest --method GET --uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default"Interaction with Related Technologies
Azure AD Identity Protection: Can detect risky sign-ins from external users. However, risk policies (like requiring password change) cannot be applied to guest users because they don't have credentials in your tenant. Instead, you can block access or require MFA via Conditional Access.
Privileged Identity Management (PIM): Can be used to manage just-in-time access for guest users assigned to roles. Guest users can be eligible for Azure AD roles (but not Azure resource roles by default).
Azure AD Access Reviews: Essential for reviewing guest access periodically. You can create access reviews for guest users only, with automatic removal of denied guests.
Azure AD Identity Governance: Entitlement management uses access packages to bundle resources and assign them to guests with time limits. This is a key tool for governing external access.
Security Best Practices
Restrict Guest Invitations: Limit who can invite guests to reduce the risk of unauthorized access. Use the 'Guest Inviter' role or disable self-service invitations.
Use Cross-Tenant Access Policies: Explicitly block unknown tenants and trust only verified external organizations. Trust MFA and device compliance from trusted tenants.
Implement Conditional Access for Guests: Require MFA for guest access, especially for sensitive apps. Use session controls to limit token lifetime.
Regularly Review Guest Access: Use access reviews to audit and remove stale guest accounts.
Limit Guest Permissions: Use 'Guest user access restrictions' in external collaboration settings to restrict guest visibility of the directory.
Exam Note
AZ-500 expects you to know the differences between B2B and B2C, how to configure cross-tenant access settings, and how to secure guest access with Conditional Access. Be familiar with the default settings and common misconfigurations. The exam often tests scenarios where an admin needs to allow external users to authenticate with their own credentials while maintaining security policies.
Configure External Identity Providers
Navigate to Azure AD > External Identities > All identity providers. By default, 'Microsoft Account' and 'Azure AD' are enabled. To add Google, you need to configure a Google developer project and obtain a client ID and secret. For SAML/WS-Fed, you provide metadata URL or manually enter endpoints. Each IdP must be enabled at the directory level. Once configured, when a guest user redeems an invitation, they will see the option to sign in with that IdP. Exam tip: You can add up to 50 identity providers per tenant. The order of IdPs in the sign-in page is determined by the order they are listed in the portal.
Set External Collaboration Settings
In Azure AD > External Identities > External collaboration settings, you can control: (1) 'Guest user access' — set to 'Guest users have limited access to properties and memberships of directory objects' (default) or 'Guest users have same access as members' (not recommended). (2) 'Guest invite settings' — choose who can invite: 'Anyone in the organization' (default), 'Member users and users assigned to specific admin roles', 'Only users assigned to specific admin roles', or 'No one in the organization'. (3) 'Allow self-service sign up' — enable for B2C scenarios. (4) 'Collaboration restrictions' — allow invitations to any domain or deny specific domains. Exam tip: The default setting allows any user to invite guests, which is a common security gap. On the exam, look for questions that ask how to restrict invitations to only admins.
Configure Cross-Tenant Access Settings
Cross-tenant access settings allow granular control over inbound and outbound access. Go to Azure AD > External Identities > Cross-tenant access settings. You can set defaults for all tenants and add specific organizations. For each partner tenant, you can: (1) 'Inbound access' — allow or block users from that tenant. (2) 'Outbound access' — allow or block your users to that tenant. (3) 'Trust settings' — trust MFA, compliant devices, or hybrid Azure AD joined devices from the partner tenant. These settings override the defaults. Exam tip: Trust settings are crucial — if you trust MFA from the home tenant, your Conditional Access policy can skip MFA for those users, reducing friction. However, this trusts the partner's MFA implementation, which may be weaker.
Create Conditional Access Policy for Guests
Conditional Access policies can target 'Guest or external users' as the user assignment. For example, create a policy that requires MFA for all guest users accessing the Azure Management portal. In the policy, under 'Users', select 'Guest or external users'. Under 'Cloud apps', select 'Microsoft Azure Management'. Under 'Grant', select 'Require multi-factor authentication'. Save the policy. Exam tip: Policies targeting guests apply to all guest users regardless of their home tenant. You can also use 'Session' controls to set token lifetime for guests, e.g., force sign-in every 1 hour. Remember that Conditional Access policies for guests evaluate based on the resource tenant's policies, not the home tenant's.
Set Up Entitlement Management Access Packages
Entitlement management allows you to create access packages that bundle resources (groups, apps, SharePoint sites) and assign them to internal and external users with approval workflows and time limits. To configure: (1) Create a catalog. (2) Add resources to the catalog. (3) Create an access package with policies that define who can request (e.g., users from specific organizations), approval settings, and access duration. (4) Users request access via the My Access portal. (5) Once approved, the user is automatically added to the resource. Access reviews can be configured to expire access. Exam tip: Entitlement management is the recommended way to govern external access because it provides time-bound, approved, and auditable access. The exam may ask about the difference between direct invitation and access packages.
Perform Access Reviews for Guests
Access reviews ensure that guest access is still needed. Create an access review in Azure AD > Identity Governance > Access reviews. Select 'Teams + Groups' or 'Applications'. Choose 'Guest users only' as the scope. Set the frequency (e.g., weekly, monthly, quarterly). Configure auto-apply results to remove denied users. When the review starts, reviewers (e.g., resource owners) review each guest's access and approve or deny. After the review ends, denied guests are automatically removed. Exam tip: Access reviews are a key governance tool. The exam tests that access reviews can be scoped to guest users only and can automatically remove guests. Remember that guests can also be reviewers for other guests.
Enterprise Scenario 1: Partner Collaboration with Cross-Tenant Access
A large manufacturing company, Fabrikam, collaborates with dozens of suppliers. Each supplier uses their own Azure AD tenant. Fabrikam wants to allow supplier employees to access a shared procurement application. Previously, Fabrikam created local user accounts for each supplier employee, leading to password fatigue and security risks. They migrated to Entra External ID B2B collaboration. They configured cross-tenant access settings to trust MFA from the supplier tenants, so supplier employees use their own MFA. They also created a Conditional Access policy that requires device compliance for the procurement app. However, they discovered that not all suppliers enforce device compliance. To handle this, they set the policy to require MFA as a fallback. Performance is seamless — users authenticate via their home tenant and are redirected back. Common misconfiguration: forgetting to update cross-tenant access settings when a new supplier is onboarded, causing access failures. Solution: Use automated scripts via Microsoft Graph to add new partner tenants to the allowed list.
Enterprise Scenario 2: B2C for Customer-Facing App
A retail company, Contoso, built a customer loyalty app using Azure AD B2C. They configured sign-up with email, Google, and Facebook. They needed to collect customer consent for marketing emails. They used custom policies to add a consent screen during sign-up. Security requirements included blocking sign-ins from anonymous IP addresses and requiring email verification. They used Identity Protection for B2C to detect risky sign-ins. However, they faced a challenge: customers frequently forgot their passwords. They implemented self-service password reset (SSPR) using email verification. Scale: They handle 100,000 active users with no performance issues. Common issue: Misconfigured token lifetimes caused users to be logged out too frequently. They set session token lifetime to 24 hours and refresh token lifetime to 14 days. Exam note: B2C token settings are configured in the 'Token, session, and SSO configuration' blade.
Enterprise Scenario 3: Entitlement Management for External Consultants
A consulting firm, ProConsult, frequently brings in external consultants for projects. Each consultant needs access to specific project sites and applications. Previously, admins manually created guest accounts and added them to groups. This led to orphaned accounts. They implemented Entitlement Management with access packages. Each project has an access package containing the relevant SharePoint site and a Teams group. Consultants request access via the My Access portal, which triggers approval from the project manager. Access is time-limited to the project duration (e.g., 6 months). After the project ends, access automatically expires. They also set up quarterly access reviews to catch any oversight. This reduced administrative overhead by 80%. Common pitfall: Not configuring auto-expiration, leading to indefinite access. Solution: Always set an expiration date in the access package policy.
What AZ-500 Tests on External ID Security
AZ-500 objective 1.1 includes 'Manage identities' and specifically tests 'External identities' and 'Azure AD Identity Governance'. Expect 2-4 questions on this topic. Key areas: - Cross-tenant access settings: Understand inbound, outbound, and trust settings. Know the difference between default and organization-specific settings. - Conditional Access for external users: Know that 'Guest or external users' is a user assignment option. Policies can require MFA, compliant device, or terms of use. - Entitlement management: Access packages, catalogs, policies, and approval workflows. Know that access packages can include multiple resources. - Access reviews: Can be scoped to guest users only. Auto-apply can remove denied users automatically. - External collaboration settings: Restricting guest invitations to specific roles, limiting guest permissions.
Common Wrong Answers and Why Candidates Choose Them
'Use B2C for partner collaboration': B2C is for customer-facing apps, not B2B. Candidates confuse B2B and B2C. The exam expects B2B for partner access.
'Create local user accounts for external users': This defeats the purpose of external identity. The correct answer is to use B2B collaboration.
'Trust settings apply to all external users': Trust settings in cross-tenant access are per-organization or default. Candidates often think they apply globally, but specific tenant settings override defaults.
'Conditional Access policies for guests require the guest's home tenant to enforce them': Actually, Conditional Access policies are evaluated by the resource tenant. The guest's home tenant does not enforce the resource tenant's policies.
Specific Numbers and Terms That Appear on the Exam
Default guest invite settings: 'Anyone in the organization can invite guest users'.
Maximum identity providers: 50 per tenant.
Guest user access restriction default: 'Guest users have limited access to properties and memberships of directory objects'.
Cross-tenant access trust options: MFA, compliant device, hybrid Azure AD joined device.
Access review auto-apply: After review ends, changes take effect after 24-48 hours.
Edge Cases and Exceptions
Guest users cannot be assigned Azure resource roles (e.g., subscription contributor) by default. They can be assigned Azure AD roles.
B2B users can use their own MFA if trust is configured. If not, they must register for MFA in the resource tenant.
External users cannot use Azure AD Identity Protection's risky sign-in policy because they don't have credentials in the resource tenant. Instead, use Conditional Access to block or require MFA.
Self-service sign-up for B2B is different from B2C. B2B self-service sign-up creates guest accounts, while B2C creates local accounts in the B2C tenant.
How to Eliminate Wrong Answers
If the scenario involves partners accessing your apps, eliminate B2C options.
If the question asks about trust settings, look for specific tenant names vs. 'all tenants'.
If the question involves time-limited access, look for Entitlement Management answers.
If the question involves reviewing guest access, look for Access Reviews.
Entra External ID B2B creates guest user objects in your tenant; B2C uses a separate tenant.
Default guest invite setting allows any user to invite guests — restrict to specific roles for security.
Cross-tenant access settings allow per-tenant inbound/outbound controls and trust settings (MFA, device compliance).
Conditional Access policies can target 'Guest or external users' and enforce MFA, device compliance, or terms of use.
Entitlement management access packages provide time-limited, approved access for external users.
Access reviews can be scoped to guest users only and can auto-remove denied users.
Guest users cannot be assigned Azure resource roles by default (only Azure AD roles).
Trusting MFA from a partner tenant requires the partner to have MFA enabled for their users.
Maximum of 50 identity providers per tenant.
B2B self-service sign-up creates guest accounts; B2C self-service sign-up creates local accounts in the B2C tenant.
These come up on the exam all the time. Here's how to tell them apart.
B2B Collaboration
Used for business partners and external organizations.
Creates guest user objects in your Azure AD tenant.
Supports authentication with Azure AD, Microsoft accounts, Google, and SAML/WS-Fed IdPs.
Managed via Azure AD portal under External Identities.
Guest users can be assigned to apps and groups, but have limited directory access by default.
B2C Identity Management
Used for customer-facing applications (e.g., retail, banking).
Creates local accounts in a separate B2C tenant, not your primary Azure AD tenant.
Supports social identities (Google, Facebook, LinkedIn) and local accounts with email/password.
Managed via Azure AD B2C portal, a separate service.
Customers have their own profiles and can sign up and sign in with customizable user journeys.
Direct Invitation
Simple one-time invitation via email or portal.
No expiration or approval workflow by default.
Admin manually manages group membership.
Auditing is limited to sign-in logs.
Best for ad-hoc, short-term access.
Entitlement Management Access Package
Structured access with approval workflows and time limits.
Access can automatically expire after a set duration.
Resources (groups, apps, sites) are bundled in access packages.
Built-in access reviews and auto-removal of denied users.
Recommended for governed, long-term external access.
Mistake
B2B collaboration creates a new identity in the resource tenant's directory.
Correct
B2B collaboration creates a guest user object that references the external identity. The actual authentication still happens in the user's home tenant or external IdP. The guest object is a representation, not a full identity.
Mistake
Conditional Access policies for external users are enforced by the user's home tenant.
Correct
Conditional Access policies are evaluated by the resource tenant (the tenant hosting the app). The home tenant only authenticates the user; the resource tenant applies its own policies based on claims in the token.
Mistake
Cross-tenant access settings apply uniformly to all external users.
Correct
You can configure default settings that apply to all tenants, and then override them for specific tenants. Organization-specific settings take precedence over defaults.
Mistake
Entitlement management is only for internal users.
Correct
Entitlement management supports both internal and external users. Access packages can be configured to allow users from specific organizations to request access.
Mistake
B2C can be used for B2B scenarios.
Correct
B2C is designed for customer-facing applications with sign-up and social identity support. B2B collaboration is for business partners using their own enterprise identities. They are separate services.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
B2B (Business-to-Business) collaboration allows you to invite external users from partner organizations to access your applications as guests. They authenticate using their own work or social accounts. B2C (Business-to-Customer) is a separate service for customer-facing apps, where users sign up and sign in using social identities or local accounts. B2C uses its own tenant, not your primary Azure AD tenant. On the exam, if the scenario involves partners, choose B2B; if customers, choose B2C.
Go to Azure AD > External Identities > External collaboration settings. Under 'Guest invite settings', you can choose from four options: 'Anyone in the organization' (default), 'Member users and users assigned to specific admin roles', 'Only users assigned to specific admin roles', or 'No one in the organization'. For security, it's recommended to restrict to specific admin roles. The 'Guest Inviter' role can also be assigned to non-admin users to allow them to invite guests without granting broader permissions.
Yes. When creating a Conditional Access policy, under 'Users', you can select 'Guest or external users' as the user assignment. This applies the policy to all guest users in your tenant. You can also exclude specific guest users if needed. The policy is evaluated by your tenant (the resource tenant) based on claims in the token. For example, you can require MFA for all guest users accessing sensitive apps.
Cross-tenant access settings allow you to control inbound and outbound access between your tenant and other Azure AD tenants. You can set defaults for all tenants and configure specific settings for individual tenants. For inbound access, you can allow or block users from a specific tenant. For outbound access, you can allow or block your users from accessing apps in other tenants. You can also trust claims from the partner tenant, such as MFA or device compliance. These settings are found under Azure AD > External Identities > Cross-tenant access settings.
Use Azure AD Access Reviews. Create an access review scoped to 'Guest users only' for a specific group or application. Set the frequency and enable auto-apply. When the review completes, denied guests are automatically removed from the resource and can optionally be deleted from the directory. Alternatively, use Entitlement Management access packages with expiration dates — when the access expires, the user is removed from the resource.
Direct invitation is a simple one-time process where an admin or user invites a guest via email. The guest is added to the directory and can be assigned to apps/groups manually. There is no built-in expiration or approval. Entitlement management provides a governed process: admins create access packages that bundle resources, set approval workflows, and define access durations. Users request access via the My Access portal, and their access automatically expires after the defined period. Entitlement management is recommended for managing external access at scale.
By default, guest users cannot be assigned Azure resource roles (e.g., Contributor, Reader on a subscription). They can be assigned Azure AD roles (e.g., Global Administrator, User Administrator). To assign Azure resource roles to guests, you must first enable 'External users' access to Azure resources via the directory's external collaboration settings. After that, you can assign roles at the subscription or resource group level. However, this is not recommended for security reasons.
You've just covered Microsoft Entra External ID Security — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?