1. Overview
Microsoft Entra External Identities allows organizations to enable secure access for users outside their directory.
This includes:
Business partners, vendors, and suppliers.
Users authenticating with corporate, government, or social accounts (Google, Facebook, etc.).
Flexible control over collaboration policies, invitations, and permissions.
External users bring their own identities, while the host organization manages access, security, and compliance.
2. How the Invitation Redemption Flow Works
When an external user receives an invitation, Microsoft Entra ID follows a logical flow to determine how the user should authenticate.
Let’s break down the process step by step:
User receives an invitation email containing a redemption link.
Microsoft Entra checks whether the user already exists in another Entra tenant.
If yes → that tenant is used as the user's home directory.
If the email domain matches a configured SAML/WS-Fed identity provider → the user is redirected there for authentication.
If the user's domain is gmail.com or googlemail.com and Google federation is enabled → redirect to Google sign-in.
If no IdP is found and email one-time passcode (OTP) is enabled → the user receives a temporary passcode via email.
If OTP is disabled → the user is prompted to create a Microsoft account (MSA).
Once authenticated, the user is redirected back to Microsoft Entra ID to complete consent and access setup.
In short:
Microsoft Entra intelligently determines the right identity provider and ensures a secure sign-in for each invited user.
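The decision order above is easiest to reason about as a small function. The following is an added illustration written for these notes, not Microsoft's code: it models the redemption flow as a precedence list, so you can try different tenant configurations and see which identity provider an invitee ends up at. The TenantConfig fields and the existing_entra_tenants set are constructed stand-ins for the tenant settings and the cross-tenant lookup Entra performs.

```python
"""Model of the Entra B2B invitation redemption decision order.

Added illustration for these notes; not Microsoft's code. The tenant
configuration and the set of domains already backed by an Entra tenant
are constructed inputs.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Consumer Google domains that Google federation applies to.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


@dataclass
class TenantConfig:
    """Inviting tenant's external-identity settings (constructed example)."""
    saml_wsfed_domains: set[str] = field(default_factory=set)  # direct federation
    google_federation: bool = False
    email_otp: bool = True  # email one-time passcode enabled?


def email_domain(email: str) -> str:
    """Return the normalised domain part; domain matching is case-insensitive."""
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    return email.rsplit("@", 1)[1].strip().lower()


def resolve_redemption(email: str, cfg: TenantConfig,
                       existing_entra_tenants: set[str]) -> str:
    """Return the identity provider the invitee is redirected to.

    existing_entra_tenants stands in for the lookup Entra performs to see
    whether the address already belongs to another Entra tenant.
    """
    domain = email_domain(email)
    # 1. An existing Entra account wins over every other option.
    if domain in {d.lower() for d in existing_entra_tenants}:
        return "entra-home-tenant"
    # 2. Direct federation with a SAML/WS-Fed IdP configured for that domain.
    if domain in {d.lower() for d in cfg.saml_wsfed_domains}:
        return "saml-wsfed-federation"
    # 3. Google federation only applies to consumer Google domains.
    if domain in GOOGLE_DOMAINS and cfg.google_federation:
        return "google-federation"
    # 4. No IdP matched: fall back to email one-time passcode if enabled ...
    if cfg.email_otp:
        return "email-otp"
    # 5. ... otherwise the invitee has to create a Microsoft account.
    return "microsoft-account"


if __name__ == "__main__":
    cfg = TenantConfig(saml_wsfed_domains={"partner.example"}, google_federation=True)
    for invitee in ("alice@gmail.com", "bob@partner.example", "carol@other.example"):
        print(invitee, "->", resolve_redemption(invitee, cfg, {"existing.example"}))
```

Two points the model makes visible: an address that already belongs to an Entra tenant is never redirected to a SAML/WS-Fed or Google IdP even when one is configured for that domain, and disabling email OTP does not block unknown invitees, it only changes the fallback to Microsoft account creation.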
3. External Identity Scenarios
Scenario type – Purpose – Examples:
B2B Collaboration – Purpose: invite external users into your tenant as guests, assign permissions, and manage access. Examples: partner companies (e.g., suppliers, agencies).
Self-Service Sign-Up – Purpose: allow external users to register for specific apps themselves. Examples: customers signing up for a portal.
Entitlement Management – Purpose: automate access requests and approvals for external users. Examples: contractors requesting access to a project team site.
4. B2B Collaboration Capabilities
Capability – Details:
Authentication – External users can use Microsoft, Google, or social accounts.
Authorization – Managed through groups, roles, and policies in your tenant.
Single Sign-On (SSO) – Applies to Microsoft 365, SaaS, or on-prem apps connected via Entra.
Security & Compliance – Governed by Conditional Access, MFA, and audit logging.
Branding – Guest users see your organization's branding during sign-in.
5. Managing External Collaboration Settings
Admins can finely control who can invite guests and what guests can access.
Invitation Policies
You can configure one of the following:
No invitations allowed – External collaboration disabled.
Only admins and Guest Inviter role – Tightest control.
Admins, Guest Inviter role, and members – Standard enterprise setting.
All users, including guests, can invite – Suitable for open collaboration environments.
Guest Access Permissions
By default:
Guests can’t enumerate users or groups.
They can only see groups they belong to.
Admins can restrict them further to view only their own profile.
6. Real-World Example
Scenario:
Contoso’s marketing team collaborates with an external design agency.
Only users with the Guest Inviter role are allowed to send invitations.
Guests can only view their own profiles (most restrictive mode).
Domain restrictions ensure only @fabrikamdesign.com can be invited.
This setup maintains security while allowing necessary collaboration.
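The invitation policies and guest access permissions from section 5 live in the tenant's authorization policy, and the Contoso scenario above describes the intended posture. The following is an added example for these notes, not Microsoft's or the page's own code: it checks a policy document against that posture, which is the kind of drift check an identity engineer runs after a tenant review. The policy JSON is a constructed sample shaped like Microsoft Graph's /policies/authorizationPolicy resource (allowInvitesFrom and guestUserRoleId are real properties, and the role GUIDs are the documented guestUserRoleId values); the allowed-domain list is modelled here as a plain set, which is an assumption, not the format Entra stores it in.

```python
"""Posture check for external collaboration settings.

Added example for these notes; not Microsoft's code. SAMPLE_POLICY_JSON is
a constructed document shaped like Graph's /policies/authorizationPolicy.
The allowed-domain list is modelled as a plain set (assumption).
"""
import json

# Documented guestUserRoleId values and what they mean for guests.
GUEST_ROLE_IDS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "member-equivalent access",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "guest (default): limited, no directory enumeration",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted guest: own profile and memberships only",
}
RESTRICTED_GUEST = "2af84b1e-32c8-42b7-82bc-daa82404023b"

# allowInvitesFrom values, in the order the four invitation policies appear above:
# none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone.

# Constructed sample: a tenant that was left on open defaults.
SAMPLE_POLICY_JSON = """{
  "allowInvitesFrom": "everyone",
  "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3"
}"""

# Desired posture from the Contoso / fabrikamdesign.com scenario.
CONTOSO_BASELINE = {
    "allowInvitesFrom": "adminsAndGuestInviters",
    "guestUserRoleId": RESTRICTED_GUEST,
    "allowedInviteDomains": {"fabrikamdesign.com"},  # assumption: plain set
}


def check_policy(policy: dict, baseline: dict) -> list[str]:
    """Return one finding per setting that deviates from the baseline."""
    findings = []
    actual = policy.get("allowInvitesFrom")
    if actual != baseline["allowInvitesFrom"]:
        findings.append(
            f"allowInvitesFrom is '{actual}', expected '{baseline['allowInvitesFrom']}'")
    role = policy.get("guestUserRoleId")
    if role != baseline["guestUserRoleId"]:
        findings.append(
            f"guestUserRoleId gives {GUEST_ROLE_IDS.get(role, role)}, "
            f"expected {GUEST_ROLE_IDS[baseline['guestUserRoleId']]}")
    return findings


def invitation_allowed(invitee: str, allowed_domains: set[str]) -> bool:
    """Domain allow-list check for a candidate invitee (case-insensitive)."""
    if "@" not in invitee:
        return False
    domain = invitee.rsplit("@", 1)[1].strip().lower()
    return domain in {d.lower() for d in allowed_domains}


if __name__ == "__main__":
    policy = json.loads(SAMPLE_POLICY_JSON)
    for finding in check_policy(policy, CONTOSO_BASELINE) or ["policy matches baseline"]:
        print(finding)
    for addr in ("lead@fabrikamdesign.com", "someone@contractor.example"):
        print(addr, "allowed" if invitation_allowed(addr, CONTOSO_BASELINE["allowedInviteDomains"]) else "blocked")
```

Run against the constructed sample, the check reports two deviations: invitations are open to everyone rather than admins and Guest Inviters, and guests hold the default limited role rather than the most restrictive one. Feeding it the real policy (for example the output of `GET /policies/authorizationPolicy` saved to a file) in place of the sample turns it into a quick drift check after a tenant review.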
7. Exam Tip
Expect questions on:
Guest invitation roles and permissions.
Difference between collaboration and self-service sign-up.
Default guest restrictions (can’t enumerate directory data).
Supported IdPs — Microsoft, SAML/WS-Fed, Google, Facebook.
Summary
Unit 3 explained the mechanics of external collaboration — from how invitations are redeemed to the policies controlling who can invite and what guests can see.
Microsoft Entra ID provides powerful, flexible controls that balance security and accessibility for external users.