This chapter covers Azure AD B2B guest user policies and external collaboration, a critical topic for the AZ-500 exam. You will learn how to securely invite external users, manage their access through Conditional Access and entitlement management, and enforce governance via access reviews and lifecycle policies. This area typically accounts for 10-15% of the Identity Access domain questions. Mastering these concepts will help you design secure collaboration solutions that meet compliance requirements while enabling productivity.
Imagine a corporate office building with a strict security guard at the front desk. Employees have permanent badges that grant access to the entire building, including sensitive areas like the server room. The company wants to collaborate with external consultants who need temporary access to specific floors for a limited time. Instead of issuing them a permanent badge, the security guard creates a 'guest pass' that is valid only for certain days and times, and only for the floor the consultant is working on. The consultant must sign in at the front desk, receive the guest pass, and then sign out when leaving, at which point the pass is deactivated. The security guard maintains a log of all guest visits, including who sponsored them (an internal employee), when they entered and left, and which areas they accessed. This log can be audited later. Crucially, the guest pass cannot be used to enter the server room or any other area not explicitly authorized. If the consultant tries to use the pass outside of the permitted hours, the turnstile beeps and denies entry. This system mirrors how Azure AD B2B guest users are invited by an internal sponsor, granted specific permissions via Conditional Access policies and access reviews, and have a lifecycle that includes expiration and revocation. The guest user object is created in Azure AD, but it is not a full member—it has limited privileges and can be removed automatically after a review period.
What is Azure AD B2B Collaboration?
Azure AD B2B (Business-to-Business) collaboration allows you to securely share your organization's applications and services with guest users from any other organization. A guest user is an external identity that can access resources in your tenant. They are represented as a user object in Azure AD, but with a UserType of 'Guest'. The guest user authenticates with their home organization or with a one-time passcode (for users without Azure AD or Microsoft Account).
Why Use B2B Instead of Creating Local Accounts?
Creating local accounts for external users is a security risk—you have to manage their passwords, and if their employment ends at their company, you might not know. B2B delegates authentication to the external identity provider, reducing your credential management burden. Also, B2B users can be governed with Azure AD features like Conditional Access, access reviews, and entitlement management, just like internal users.
How Guest User Invitation Works
Invitation: An internal user with the Guest Inviter role can invite an external user. The invitation is an email to the user with a link to accept. The invited user must accept the invitation within 30 days (default) or it expires. The expiration can be set from 1 to 365 days via the Invitation Lifetime policy.
Redemption: When the user clicks the link, they are redirected to Azure AD. If their email domain matches an Azure AD tenant, they authenticate there. If not, they can create a Microsoft Account or use a one-time passcode (OTP). The OTP feature is enabled by default for invitations sent to email addresses not associated with an Azure AD or Microsoft account.
User Object Creation: After redemption, a guest user object is created in your tenant. The object includes attributes like UserPrincipalName (typically the email address), DisplayName, and UserType='Guest'.
Guest User Properties and Defaults
UserType: 'Guest' vs 'Member'. This is a key attribute used by policies. You can change it to 'Member' but that is not recommended for external users.
ExternalUserState: 'PendingAcceptance' before redemption, 'Accepted' after.
Invitation Redeem URL: The link sent in the email.
Home Tenant: The tenant ID of the user's home organization, if applicable.
Guest User Permissions
By default, guest users have limited permissions in the directory. They can read their own profile, but cannot browse other users or groups. They can be granted access to applications and groups. The default guest user permissions can be changed in External Identities > External collaboration settings. The two main settings are:
Guest user access restrictions: choose between 'Guest users have the same access as members' (not recommended), 'Guest users have limited access to properties and memberships of directory objects' (default), or 'Guest user access is restricted to properties and memberships of their own directory objects' (most restrictive).
Guest invite settings: who can invite guests. Options: 'Anyone in the organization can invite guest users including guests and admins' (default), 'Member users and users assigned to specific admin roles can invite guest users including guests with member role', or 'Only users assigned to specific admin roles can invite guest users'.
Conditional Access for Guest Users
Conditional Access policies can apply to guest users. You can target the policy to 'Guest or external users' identity. Common scenarios:
Require multi-factor authentication for guest users.
Block access from untrusted locations.
Require device compliance (but guest users often don't have managed devices; you can require terms of use instead).
Session controls like sign-in frequency.
Important Exam Point: When you apply a Conditional Access policy to guest users, the policy is evaluated at the resource tenant, not the home tenant. The guest user must satisfy the policy in the resource tenant. If MFA is required, the guest user must register for MFA in the resource tenant (they can use their own MFA method if they have one, but it's easier to register again).
Entitlement Management and Access Packages
Entitlement management allows you to create access packages that bundle resources (groups, apps, SharePoint sites) and grant time-limited access to internal and external users. For external users, you can define:
Access package with a policy that allows users not yet in your directory to request access. This triggers an invitation and creates a guest user.
Access review: after a set period, the guest user's access must be reviewed by a designated reviewer (e.g., the manager who sponsored them). If the review is denied, the guest user loses access and their account can be deleted (via the 'Remove guest user from directory' option).
Lifecycle: you can set an expiration for the access package assignment (e.g., 30 days). After expiration, the guest user's access is removed, and the account can be automatically deleted after a grace period (default 30 days).
Azure AD Access Reviews for Guest Users
Access reviews are a key governance tool. You can create a review of all guest users or guest access to specific groups/apps. The review can be periodic (e.g., monthly) or one-time. The reviewer can be the guest themselves (self-review) or a designated manager. At the end of the review, you can automatically remove access or delete the guest user if not approved.
Guest User Lifecycle Policies
You can set a guest user expiration policy via the Azure portal: External Identities > External collaboration settings > Guest user expiration. You can set a time period (days) after which guest users who have not logged in will be automatically removed. This is a cleanup mechanism.
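The three lifecycle states discussed above (a pending invitation that has outlived the invitation lifetime, an accepted guest that has gone inactive past the expiration threshold, and an invited account whose UserType was later flipped to 'Member', the edge case noted later on this page) can all be checked against a directory export. The script below is an added example written for this page, not Microsoft code: it assumes the user records were exported from Microsoft Graph (GET /users with userType, externalUserState, creationType, createdDateTime and signInActivity selected) into a JSON list, and the SAMPLE_USERS list is a constructed stand-in for that export.

```python
"""Audit an exported guest inventory for the lifecycle conditions described
on this page: pending invitations past the invitation lifetime, accepted
guests inactive past the expiration threshold, and invited accounts whose
UserType was changed to 'Member'.

Added example, not Microsoft code. Assumes a Graph /users export; the
records below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Graph user objects. B2B UPNs take the
# alias_domain#EXT#@tenant form that Graph returns for invited users.
SAMPLE_USERS = [
    {"userPrincipalName": "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "creationType": "Invitation", "externalUserState": "Accepted",
     "createdDateTime": "2024-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:15:00Z"}},
    {"userPrincipalName": "bob_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "creationType": "Invitation", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-04-15T10:30:00Z", "signInActivity": None},
    {"userPrincipalName": "carol_partner.example#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "creationType": "Invitation", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-05-25T14:00:00Z", "signInActivity": None},
    {"userPrincipalName": "dave_partner.example#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "creationType": "Invitation", "externalUserState": "Accepted",
     "createdDateTime": "2023-11-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-02-10T08:15:00Z"}},
    {"userPrincipalName": "erin_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Member", "creationType": "Invitation", "externalUserState": "Accepted",
     "createdDateTime": "2024-03-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-30T08:15:00Z"}},
    {"userPrincipalName": "frank@fabrikam.onmicrosoft.com",
     "userType": "Member", "creationType": None, "externalUserState": None,
     "createdDateTime": "2022-06-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-31T08:15:00Z"}},
    {"userPrincipalName": "grace_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "creationType": "Invitation", "externalUserState": "Accepted",
     "createdDateTime": "2024-01-05T09:00:00Z", "signInActivity": None},
]

# Fixed "now" so the sample produces stable results.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC timestamps with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_guests(users, now, invitation_lifetime_days=30, inactivity_days=90):
    """Classify guest records; returns findings keyed by UPN.

    expired_invitations   - still PendingAcceptance after the invitation lifetime
    inactive_guests       - accepted guests with no sign-in for inactivity_days
                            (a guest that never signed in is measured from
                            createdDateTime); the value is days of inactivity
    misclassified_members - created by invitation but now UserType 'Member'
    """
    findings = {"expired_invitations": [], "inactive_guests": {}, "misclassified_members": []}
    for user in users:
        upn = user["userPrincipalName"]
        created = parse_graph_time(user["createdDateTime"])
        if user.get("creationType") == "Invitation" and user.get("userType") == "Member":
            findings["misclassified_members"].append(upn)
            continue
        if user.get("userType") != "Guest":
            continue  # ordinary members are out of scope for a guest audit
        if user.get("externalUserState") == "PendingAcceptance":
            if now - created > timedelta(days=invitation_lifetime_days):
                findings["expired_invitations"].append(upn)
            continue
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        last_seen = parse_graph_time(last) if last else created
        idle_days = (now - last_seen).days
        if idle_days > inactivity_days:
            findings["inactive_guests"][upn] = idle_days
    return findings


if __name__ == "__main__":
    for category, hits in audit_guests(SAMPLE_USERS, NOW).items():
        print(category, hits)
```

The thresholds default to the page's numbers (30-day invitation lifetime, 90 days of inactivity) and can be passed explicitly to match whatever the tenant's policies are set to; findings are a report only, and any removal would still go through the access review or expiration policy described above.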
Cross-Tenant Access Settings
Cross-tenant access settings allow you to control inbound and outbound B2B collaboration. You can configure:
Inbound settings: which external tenants can invite your users as guests? Default is all tenants allowed. You can block specific tenants or allow only specific tenants.
Outbound settings: which external tenants your users can be invited to? Default is all tenants allowed.
Trust settings: you can trust MFA, compliant devices, and hybrid Azure AD join claims from external tenants. This is important for Conditional Access: if you trust the external tenant's MFA, your policy can skip requiring MFA again.
Exam Tip: Cross-tenant access settings are new (as of 2022) and often tested. Remember that trust settings are one-way: you can trust claims from an external tenant, but that external tenant must also trust your claims for mutual trust.
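To make the "default plus per-partner override" and one-way nature of these settings concrete, here is an added example (written for this page, not Microsoft code) that resolves what the resource tenant's own settings say about one external tenant. The two inputs mirror the shape of the Graph resources under /policies/crossTenantAccessPolicy (the default object and the partners collection); both objects are constructed, the tenant ids are placeholders, and, as in Graph, a partner property left null inherits the default. One simplification is assumed: only usersAndGroups.accessType is consulted, and the target lists that can narrow an 'allowed' entry to specific users or groups are ignored.

```python
"""Resolve inbound cross-tenant access for one external tenant from the
resource tenant's default settings plus any partner-specific override.

Added example for this page, not Microsoft code. Objects are constructed
to resemble /policies/crossTenantAccessPolicy/default and /partners.
"""

# Constructed baseline: the "block everything, then allow specific tenants"
# approach recommended on this page. (Azure AD's own default is 'allowed'
# with no inbound trust.)
DEFAULT_SETTINGS = {
    "inboundTrust": {"isMfaAccepted": False, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
    "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "blocked"},
                                "applications": {"accessType": "blocked"}},
}

CONSULTING_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder tenant id
RESELLER_TENANT = "22222222-2222-2222-2222-222222222222"    # placeholder tenant id

PARTNER_SETTINGS = [
    {   # consulting firm: collaboration allowed and its MFA claim trusted
        "tenantId": CONSULTING_TENANT,
        "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                         "isHybridAzureADJoinedDeviceAccepted": False},
        "b2bCollaborationInbound": {"usersAndGroups": {"accessType": "allowed"},
                                    "applications": {"accessType": "allowed"}},
    },
    {   # reseller: trust configured, but collaboration left null (inherits default)
        "tenantId": RESELLER_TENANT,
        "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                         "isHybridAzureADJoinedDeviceAccepted": False},
        "b2bCollaborationInbound": None,
    },
]


def resolve_inbound(default_settings, partners, external_tenant_id):
    """Return the effective inbound decision for external_tenant_id.

    Only this tenant's settings are consulted; the partner's own settings
    play no part, which is why trust is one-way and both sides must
    configure it for mutual trust.
    """
    partner = next((p for p in partners if p["tenantId"] == external_tenant_id), None)

    def effective(key):
        # A partner value wins when set; null or no partner entry inherits the default.
        if partner is not None and partner.get(key) is not None:
            return partner[key]
        return default_settings[key]

    collab = effective("b2bCollaborationInbound")
    trust = effective("inboundTrust")
    return {
        "collaboration_allowed": collab["usersAndGroups"]["accessType"] == "allowed",
        "mfa_trusted": bool(trust["isMfaAccepted"]),
        "compliant_device_trusted": bool(trust["isCompliantDeviceAccepted"]),
    }


if __name__ == "__main__":
    for tenant in (CONSULTING_TENANT, RESELLER_TENANT, "unknown-tenant"):
        print(tenant, resolve_inbound(DEFAULT_SETTINGS, PARTNER_SETTINGS, tenant))
```

The reseller entry is deliberately half-configured: its MFA claim is trusted, but because b2bCollaborationInbound is inherited from a blocked default, its users still cannot be invited. Trust settings and allow/block settings are independent, and the exam tip above applies to both.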
Azure AD B2B vs. Azure AD B2C
B2B: For business partners, employees of other companies. The external user has an existing identity (work or social).
B2C: For customers of your application. You manage their identities (social or local accounts). B2C is a separate service, not part of Azure AD.
Guest User Sign-in Logs
You can monitor guest user sign-ins in Azure AD sign-in logs. Look for the 'Guest' user type. Failed sign-ins due to Conditional Access or policy violations are logged.
Common Configuration Steps for Secure External Collaboration
Restrict guest user permissions to the most limited setting.
Restrict who can invite guests to only admins.
Enable MFA for guest users via Conditional Access.
Use access packages to grant time-limited access.
Schedule periodic access reviews for guest users.
Configure guest user expiration to remove inactive guests.
Use cross-tenant access settings to block untrusted tenants.
Monitor sign-in logs for suspicious activity.
PowerShell and Graph API Examples
Invite a guest user using Microsoft Graph:
POST https://graph.microsoft.com/v1.0/invitations
Content-type: application/json
{
"invitedUserEmailAddress": "user@contoso.com",
"inviteRedirectUrl": "https://myapp.contoso.com",
"sendInvitationMessage": true
}
Get guest users using Azure AD PowerShell:
Get-AzureADUser -Filter "UserType eq 'Guest'"
Set guest user invitation lifetime policy:
Set-AzureADPolicy -Id <policyId> -DisplayName "InvitationLifetimePolicy" -Definition @('{"InvitationLifetimeInDays":30}')
Configure External Collaboration Settings
Navigate to Azure AD > External Identities > External collaboration settings. Here you set the baseline: guest user access restrictions (choose 'Guest users have limited access to properties and memberships of directory objects' for least privilege), guest invite settings (recommend 'Only users assigned to specific admin roles can invite guest users'), and enable/disable guest self-service sign-up. Also set the guest user expiration policy (e.g., 90 days of inactivity). These settings apply tenant-wide and are the foundation of your external collaboration security.
Define Cross-Tenant Access Settings
Go to Azure AD > External Identities > Cross-tenant access settings. Here you can block all tenants by default and then allow only specific trusted tenants (whitelist approach). Configure inbound and outbound settings separately. Under 'Trust settings', you can trust MFA, compliant devices, and hybrid Azure AD join claims from external tenants. This allows your Conditional Access policies to accept the external tenant's security claims, reducing friction for guest users.
Create Conditional Access Policy for Guests
In Azure AD > Security > Conditional Access, create a policy targeting 'Guest or external users'. Typical requirements: require MFA, block access from unknown or untrusted locations, and require terms of use. Note that guest users may not have managed devices, so avoid requiring device compliance unless you have a device registration process. Also set session controls like sign-in frequency (e.g., 1 hour) to force reauthentication.
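A practical way to check that a guest policy actually matches the requirements listed in this step (and in the Conditional Access section earlier on this page) is to lint the policy object exported from Graph. The following is an added example for this page, not Microsoft code: it assumes policies in the shape returned by GET /identity/conditionalAccess/policies, both policy objects are constructed, and the terms-of-use id is a placeholder. It shows a weak policy beside the corrected one.

```python
"""Lint an exported Conditional Access policy against the guest-user
recommendations on this page: enforced, targets guest or external users,
requires MFA, does not make device compliance mandatory for guests, and
sets a sign-in frequency.

Added example, not Microsoft code. Policies are constructed in the Graph
conditionalAccessPolicy shape; the terms-of-use id is a placeholder.
"""

# Constructed weak policy: report-only, device compliance as the only grant
# control, no session controls.
WEAK_POLICY = {
    "displayName": "Guests - device compliance (report only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": [],
                  "includeGroups": [], "includeRoles": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    "sessionControls": None,
}

# Constructed hardened policy matching this step: MFA plus terms of use,
# guest/external selector, 1-hour sign-in frequency.
HARDENED_POLICY = {
    "displayName": "Guests - require MFA and terms of use",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": [], "excludeUsers": [], "includeGroups": [], "includeRoles": [],
            "includeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": "internalGuest,b2bCollaborationGuest,"
                                            "b2bCollaborationMember,otherExternalUser",
                "externalTenants": {"membershipKind": "all"},
            },
        },
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa"],
                      "termsOfUse": ["<terms-of-use-id>"]},  # placeholder id
    "sessionControls": {"signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}},
}


def lint_guest_ca_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"not enforced (state={policy.get('state')!r})")

    users = policy.get("conditions", {}).get("users", {})
    include = users.get("includeUsers") or []
    # Either the legacy 'GuestsOrExternalUsers' selector, 'All', or the newer
    # includeGuestsOrExternalUsers object covers guests.
    targets_guests = ("All" in include or "GuestsOrExternalUsers" in include
                      or bool(users.get("includeGuestsOrExternalUsers")))
    if not targets_guests:
        findings.append("does not target guest or external users")

    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if "mfa" not in controls:
        findings.append("does not require MFA")
    # compliantDevice is mandatory when it is the only control or is ANDed with others.
    if "compliantDevice" in controls and (len(controls) == 1 or grant.get("operator") == "AND"):
        findings.append("makes device compliance mandatory; guests rarely have managed devices")

    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        findings.append("no sign-in frequency session control")
    return findings


if __name__ == "__main__":
    for pol in (WEAK_POLICY, HARDENED_POLICY):
        print(pol["displayName"], "->", lint_guest_ca_policy(pol) or "OK")
```

The check treats compliantDevice as acceptable only when it is one alternative among several under an OR operator, which matches the advice above to avoid requiring device compliance from guests unless a registration process exists.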
Set Up Entitlement Management Access Packages
In Azure AD > Identity Governance > Entitlement management, create a catalog and add resources (groups, apps, SharePoint sites). Create an access package with a policy that allows external users not yet in your directory to request access. Configure the request approval process (e.g., require manager approval), set an expiration (e.g., 30 days), and enable access reviews (e.g., weekly review by the sponsor). This ensures time-limited, approved access.
Schedule Access Reviews for Guest Users
In Azure AD > Identity Governance > Access reviews, create a review of all guest users or guest access to specific groups. Choose frequency (e.g., monthly), set reviewers (e.g., the guest's manager or the guest themselves), and configure auto-apply settings. At the end of the review, you can automatically remove access and delete the guest user if not approved. This enforces ongoing governance.
Monitor and Audit Guest Activity
Regularly review Azure AD sign-in logs, filtering by user type 'Guest'. Look for failed sign-ins due to Conditional Access or policy violations. Use Azure Monitor workbooks for guest user analytics. Also review the 'Invitations' log in Azure AD to see who invited whom. Set up alerts for suspicious guest activity, such as multiple failed MFA attempts or access from unusual locations.
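The two alert conditions named above (repeated failed MFA attempts and access from an unusual location) can be implemented over exported sign-in records. The script below is an added example for this page, not Microsoft code: it assumes sign-in records in the shape of Graph's /auditLogs/signIns resource exported as JSON lines, the log lines are constructed, and the per-guest baseline of expected countries is a constructed input you would normally build from historical successful sign-ins. Error code 500121 is Azure AD's code for a failed strong-authentication (MFA) challenge.

```python
"""Flag guest sign-ins that match the monitoring advice on this page:
repeated Conditional Access / MFA failures and successful sign-ins from a
country outside the guest's baseline.

Added example, not Microsoft code. Records are constructed JSON lines in the
Graph signIn shape; the country baseline is a constructed input.
"""
import json

# Constructed export, one Graph signIn object per line. 203.0.113.x and
# 198.51.100.x are documentation address ranges.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2024-06-01T08:01:00Z","userPrincipalName":"carol_partner.example#EXT#@fabrikam.onmicrosoft.com","userType":"guest","appDisplayName":"Sales Portal","ipAddress":"203.0.113.10","conditionalAccessStatus":"failure","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."},"location":{"countryOrRegion":"DE"}}
{"createdDateTime":"2024-06-01T08:03:00Z","userPrincipalName":"carol_partner.example#EXT#@fabrikam.onmicrosoft.com","userType":"guest","appDisplayName":"Sales Portal","ipAddress":"203.0.113.10","conditionalAccessStatus":"failure","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."},"location":{"countryOrRegion":"DE"}}
{"createdDateTime":"2024-06-01T08:05:00Z","userPrincipalName":"carol_partner.example#EXT#@fabrikam.onmicrosoft.com","userType":"guest","appDisplayName":"Sales Portal","ipAddress":"203.0.113.10","conditionalAccessStatus":"failure","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."},"location":{"countryOrRegion":"DE"}}
{"createdDateTime":"2024-06-01T08:09:00Z","userPrincipalName":"carol_partner.example#EXT#@fabrikam.onmicrosoft.com","userType":"guest","appDisplayName":"Sales Portal","ipAddress":"203.0.113.10","conditionalAccessStatus":"success","status":{"errorCode":0,"failureReason":"Other."},"location":{"countryOrRegion":"DE"}}
{"createdDateTime":"2024-06-01T09:00:00Z","userPrincipalName":"alice_contoso.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","appDisplayName":"Project Site","ipAddress":"198.51.100.7","conditionalAccessStatus":"success","status":{"errorCode":0,"failureReason":"Other."},"location":{"countryOrRegion":"US"}}
{"createdDateTime":"2024-06-01T09:20:00Z","userPrincipalName":"alice_contoso.com#EXT#@fabrikam.onmicrosoft.com","userType":"guest","appDisplayName":"Project Site","ipAddress":"198.51.100.99","conditionalAccessStatus":"success","status":{"errorCode":0,"failureReason":"Other."},"location":{"countryOrRegion":"BR"}}
{"createdDateTime":"2024-06-01T09:30:00Z","userPrincipalName":"bob@fabrikam.onmicrosoft.com","userType":"member","appDisplayName":"Project Site","ipAddress":"198.51.100.8","conditionalAccessStatus":"failure","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."},"location":{"countryOrRegion":"US"}}
{"createdDateTime":"2024-06-01T10:00:00Z","userPrincipalName":"dave_partner.example#EXT#@fabrikam.onmicrosoft.com","userType":"guest","appDisplayName":"Sales Portal","ipAddress":"203.0.113.44","conditionalAccessStatus":"failure","status":{"errorCode":500121,"failureReason":"Authentication failed during strong authentication request."},"location":{"countryOrRegion":"FR"}}
"""

# Constructed baseline: countries each guest has previously signed in from.
BASELINE_COUNTRIES = {
    "carol_partner.example#EXT#@fabrikam.onmicrosoft.com": {"DE"},
    "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com": {"US"},
    "dave_partner.example#EXT#@fabrikam.onmicrosoft.com": {"FR"},
}

MFA_FAILED_ERROR_CODE = 500121  # strong authentication (MFA) challenge failed


def load_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_guests(records, baseline_countries, failure_threshold=3):
    """Return {upn: [flag, ...]} for guest accounts worth a closer look."""
    stats = {}
    for rec in records:
        if (rec.get("userType") or "").lower() != "guest":
            continue  # member sign-ins are handled by other rules
        upn = rec["userPrincipalName"]
        s = stats.setdefault(upn, {"ca_failures": 0, "mfa_failures": 0, "new_countries": set()})
        status = rec.get("status") or {}
        if rec.get("conditionalAccessStatus") == "failure":
            s["ca_failures"] += 1
        if status.get("errorCode") == MFA_FAILED_ERROR_CODE:
            s["mfa_failures"] += 1
        country = (rec.get("location") or {}).get("countryOrRegion")
        # Only a *successful* sign-in from a new country is interesting here:
        # a blocked attempt was already stopped by policy.
        if status.get("errorCode") == 0 and country and country not in baseline_countries.get(upn, set()):
            s["new_countries"].add(country)

    flagged = {}
    for upn, s in stats.items():
        flags = []
        if s["ca_failures"] >= failure_threshold:
            flags.append(f"{s['ca_failures']} Conditional Access failures")
        if s["mfa_failures"] >= failure_threshold:
            flags.append(f"{s['mfa_failures']} failed MFA challenges")
        for c in sorted(s["new_countries"]):
            flags.append(f"successful sign-in from unexpected country {c}")
        if flags:
            flagged[upn] = flags
    return flagged


if __name__ == "__main__":
    for upn, flags in find_suspicious_guests(load_signins(SAMPLE_SIGNIN_LOG), BASELINE_COUNTRIES).items():
        print(upn, "->", "; ".join(flags))
```

The member account with a failed MFA challenge is deliberately ignored, since the page's advice is to filter on user type 'Guest'; the single failure for the fourth guest stays below the threshold, which is what keeps this from paging on every mistyped code.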
Scenario 1: Consulting Firm Access to Project Resources
A large enterprise hires a consulting firm for a 6-month project. The consultants need access to a specific SharePoint site, a custom app, and a group for collaboration. The enterprise uses Azure AD B2B to invite the consultants as guest users. They create an access package containing the SharePoint site and the app, with a policy that requires approval from the project manager and expires in 6 months. They also set up an access review every month where the project manager confirms the consultant still needs access. Cross-tenant access settings are configured to block all tenants except the consulting firm's tenant, and they trust the consulting firm's MFA claims so consultants don't need to re-register MFA. This setup provides secure, time-limited access with governance.
Scenario 2: Partner Access to Sales Portal
A software company wants to give its resellers access to a sales portal. They use Azure AD B2B to invite the resellers. Because resellers may not have Azure AD, they enable the one-time passcode feature. They create a Conditional Access policy that requires MFA for all guest users (resellers must register MFA using the Microsoft Authenticator app). They also set a guest user expiration policy of 90 days of inactivity to automatically clean up stale accounts. The resellers' access is reviewed quarterly by the partner manager. This ensures that only active partners have access and that MFA protects against credential theft.
Common Pitfalls:
Not restricting guest invite permissions: Anyone can invite guests, leading to sprawl and shadow IT.
Not applying Conditional Access: Guest users bypass MFA and security controls.
Not setting expiration: Guest accounts accumulate indefinitely.
Not using cross-tenant access settings: All tenants can invite your users, or you trust all tenants' claims, which may include untrusted MFA.
Misconfiguring trust settings: If you trust the external tenant's MFA but the external tenant does not enforce MFA, you are trusting an untrustworthy claim.
Objective Codes: This material aligns with AZ-500 objective 1.1: 'Manage identity and access', specifically sub-topics: 'Manage Azure AD external identities', 'Manage B2B collaboration', 'Manage conditional access for external users', and 'Manage Azure AD identity governance'.
Common Wrong Answers:
1. 'Guest users have the same permissions as members by default' — WRONG. Default guest permissions are limited. The exam tests that you know the default is limited, not the same as members.
2. 'You can only invite users from Azure AD tenants' — WRONG. You can invite anyone with an email address; they can use a Microsoft account or OTP.
3. 'Conditional Access policies for guest users are evaluated at the guest's home tenant' — WRONG. They are evaluated at the resource tenant.
4. 'Guest users cannot be required to do MFA' — WRONG. They can, via Conditional Access.
5. 'Access reviews cannot delete guest user accounts' — WRONG. They can, if configured to do so.
Specific Numbers and Terms:
Default invitation lifetime: 30 days.
Guest user expiration policy: can be set from 1 to 365 days of inactivity.
Access package expiration: up to 365 days (or custom duration).
Grace period for account deletion after access removal: default 30 days.
One-time passcode: enabled by default for emails not associated with Azure AD or Microsoft account.
Edge Cases:
If a guest user is invited but never redeems, the invitation expires after 30 days (default). The user object is not created until redemption.
If you change a guest user's UserType to 'Member', they are no longer considered a guest and may bypass guest-specific policies. This is a common misconfiguration.
Cross-tenant trust settings are one-way. If you trust Tenant A's MFA, Tenant A must also trust your MFA for mutual trust.
Guest users can be added to groups that allow external members. If the group is used for access to sensitive resources, ensure the group has the correct membership type.
How to Eliminate Wrong Answers:
If a question asks about default guest permissions, remember 'limited' not 'same as members'.
If a question mentions MFA for guests, think Conditional Access targeting 'Guest or external users'.
If a question asks about removing guest access automatically, think access reviews or entitlement management expiration.
If a question mentions cross-tenant settings, remember they control inbound/outbound invitations and trust claims.
Default guest user permissions are limited — they cannot browse the directory.
Guest invitation lifetime defaults to 30 days (configurable 1-365).
Conditional Access policies for guests are evaluated at the resource tenant.
One-time passcode is enabled by default for guest users without Azure AD or Microsoft accounts.
Access reviews can automatically delete guest accounts if not approved.
Cross-tenant trust settings are one-way — you must configure both sides for mutual trust.
Entitlement management access packages can grant time-limited access to external users.
Guest user expiration policy removes inactive guests (set in days, e.g., 90).
Only admins should be allowed to invite guests to prevent sprawl.
MFA for guests is enforced via Conditional Access, not by default.
These come up on the exam all the time. Here's how to tell them apart.
Azure AD B2B Collaboration
For external business partners (employees of other companies).
Guest users authenticate with their existing work or social identity.
User objects are created in your Azure AD tenant with UserType 'Guest'.
Governance features like access reviews and entitlement management apply.
No separate service; part of Azure AD.
Azure AD B2C
For customers of your application (consumers).
You manage their identity (social or local accounts).
User objects are created in a separate B2C tenant, not your main Azure AD.
Limited governance features; focus on customer identity management.
Separate Azure AD B2C service with its own tenant.
Guest User Default Permissions
UserType = 'Guest'.
Limited: can read own profile, cannot browse directory.
Cannot read other users or groups unless explicitly assigned.
Cannot manage directory objects.
Default setting can be changed to more restrictive or same as members.
Member User Default Permissions
UserType = 'Member'.
Full read access to directory (unless restricted by policy).
Can read most directory objects.
Can manage directory objects if assigned roles.
Default setting is full access.
Mistake
Guest users have the same access as internal users by default.
Correct
Default guest user permissions are limited. They can only see their own profile and cannot browse the directory. The default setting is 'Guest users have limited access to properties and memberships of directory objects'.
Mistake
Only Azure AD users can be invited as guests.
Correct
You can invite any user with an email address. If the email is not associated with an Azure AD or Microsoft account, the user can use a one-time passcode to sign in.
Mistake
Conditional Access policies for guest users are evaluated at the guest's home tenant.
Correct
Conditional Access policies are evaluated at the resource tenant (the tenant that hosts the application). The guest user must satisfy the policy in the resource tenant.
Mistake
Access reviews cannot automatically delete guest user accounts.
Correct
Access reviews can be configured to automatically remove guest user access and delete their account from the directory if the review result is 'Deny'.
Mistake
Cross-tenant trust settings are mutual.
Correct
Trust settings are one-way. You can trust claims from an external tenant, but that external tenant does not automatically trust your claims unless they configure it.
You can invite a guest user via the Azure portal (Azure AD > Users > New guest user), via PowerShell (New-AzureADMSInvitation), or via Microsoft Graph API (POST /invitations). The invitation sends an email with a redemption link. The user must accept within the invitation lifetime (default 30 days).
Yes. Create a Conditional Access policy that targets 'Guest or external users' and requires MFA. The guest user will be prompted to register for MFA in your tenant (if not already registered). The policy is evaluated in the resource tenant.
Use Azure AD access reviews: create a review of guest users or guest access to groups/apps. Set the review to auto-apply results and remove access/delete accounts if denied. Alternatively, use entitlement management access packages with expiration or use the guest user expiration policy for inactivity.
B2B is for business partners (employees of other companies) and uses your existing Azure AD tenant. B2C is for customers and requires a separate Azure AD B2C tenant. B2B guest users have UserType 'Guest' and can be governed with Azure AD features. B2C users are managed in the B2C tenant with different APIs.
Cross-tenant access settings control inbound and outbound B2B collaboration. You can block or allow specific tenants. Under trust settings, you can trust MFA, compliant devices, and hybrid Azure AD join claims from external tenants. This affects Conditional Access evaluation—if you trust the external tenant's MFA, your policy can skip requiring MFA again.
The one-time passcode (OTP) feature allows guest users who do not have an Azure AD or Microsoft account to sign in by entering a code sent to their email. It is enabled by default for invitations. You can disable it in External Identities > External collaboration settings.
Yes, you can change the UserType attribute from 'Guest' to 'Member' in Azure AD. However, this is not recommended because the user will lose guest-specific policies (e.g., Conditional Access targeting guests) and may gain member permissions. Use this only if the user is actually an internal employee who was misclassified.