In Azure Entra ID (formerly Azure AD), you have the option to create different types of users, including internal users, and to invite external users as guests. Internal users exist in your own organisation, for example employees on your payroll.
However, there is also the option to invite external users (B2B collaboration) to use your Azure resources. This is a great benefit, as long as it’s done securely. Why would you want to invite external users to your Entra ID tenant? Inviting external users in Entra ID lets you collaborate with people outside your organisation. Once invited, you can assign external users to roles and groups. For example, you may wish to invite a contractor to help with a SharePoint project or a migration project, or invite guests into your Microsoft Teams conversations.
In this post, I will go through the options available for enabling secure B2B collaboration in Azure Entra ID, and I will take you through what permissions guests are assigned by default (out of the box) when you first set up an Azure tenant.
What permissions are guests granted by default?
A great place to start is to understand what guests can do by default. By default, guest users are set to a limited permission level that blocks them from enumerating users (finding out information about other users in the same tenant by using their object IDs or UPNs), groups, or other directory resources. However, the default setting still allows them to manage their own profile and retrieve some information about other users, groups and apps, such as display name, email, sign-in name, photo, user principal name, manager and direct report information; search for groups by display name; read properties of registered and enterprise applications; and list permissions granted to applications. By default, internal users have more access than guest users. For a complete list of permissions allowed by default and a comparison of permissions between internal and guest users, visit the following link: Default user permissions
The default configuration for guest users can be located by following the instructions below,
1. Access Entra ID (Formerly Azure AD)
2. Click User settings from the left pane
3. Three radio buttons appear under guest user access in the right pane, see image below.
4. You can also access these settings by scrolling to the bottom and clicking the link manage external collaboration settings
Below is the default configuration for guest users as explained above,
What are the additional two options?
– Guest users have the same access as members (most inclusive): This option will give guests the same permissions as internal users.
– Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): This is the most restrictive option and only allows guests to access their own profile; they cannot view other user profiles or group memberships.
Who can invite guests by default?
The default configuration allows all users (including non-admins) and guests in your directory to invite guests. However, the built-in external collaboration settings let you control who can invite guests in your environment. Let’s take a look at where to find this configuration.
1. Access Entra ID
2. Click User settings from the left pane
3. Scroll to the bottom of the page and click Manage external collaboration settings
4. Here is the default option, allowing anyone to invite guests,
What are the additional three options?
– Member users and users assigned to specific admin roles can invite guest users including guests with member permissions: only allows members, or any users with admin roles, to invite guests.
– Only users assigned to specific admin roles can invite guest users: only allows users with administrator roles assigned, including the Global Administrator, User Administrator and Guest Inviter roles.
– No one in the organization can invite guest users including admins (most restrictive): no one in your organisation is allowed to invite guests.
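The two settings above (the guest user access level and who can invite guests) are also exposed programmatically on the tenant’s Microsoft Graph authorizationPolicy resource, which makes it easy to check a tenant without clicking through the portal. The following Python script is an added example and is not from the original post: it maps the Graph values onto the portal option names described above and flags the two settings most worth reviewing. The endpoint, the guestUserRoleId GUIDs and the allowInvitesFrom values are Microsoft Graph’s; the sample response, the function names and the wording of the findings are constructed for this example.

```python
"""Map the guest access level and guest invite setting from a Microsoft Graph
authorizationPolicy document onto the portal option names, and flag the
settings most worth reviewing. Added example, not the original post's code."""
import json
import urllib.request

# v1.0 endpoint that returns the tenant's single authorizationPolicy object.
GRAPH_AUTHZ_POLICY_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Role template IDs that authorizationPolicy.guestUserRoleId can hold, mapped to
# the radio buttons under "Guest user access" in the portal.
GUEST_ROLE_IDS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970":
        "Guest users have the same access as members (most inclusive)",
    "10dae51f-2bc6-4b22-914f-1e2ddebefbf2":
        "Guest users have limited access to properties and memberships of directory objects (default)",
    "2af84b1e-32c8-42b7-82bc-daa82404023b":
        "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)",
}

# allowInvitesFrom enum values, mapped to the "Guest invite settings" radio buttons.
INVITE_SETTINGS = {
    "everyone":
        "Anyone in the organization can invite guest users including guests and non-admins (default)",
    "adminsGuestInvitersAndAllMembers":
        "Member users and users assigned to specific admin roles can invite guest users including guests with member permissions",
    "adminsAndGuestInviters":
        "Only users assigned to specific admin roles can invite guest users",
    "none":
        "No one in the organization can invite guest users including admins (most restrictive)",
}


def fetch_authorization_policy(access_token):
    """Read the live policy with a Graph access token that holds Policy.Read.All."""
    req = urllib.request.Request(
        GRAPH_AUTHZ_POLICY_URL,
        headers={"Authorization": "Bearer " + access_token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def assess_guest_settings(policy):
    """Return the portal wording for both settings plus a list of review findings."""
    role_id = policy.get("guestUserRoleId") or ""
    invites = policy.get("allowInvitesFrom") or ""
    findings = []
    # Looser than the default: guests get the same directory read access as members.
    if role_id == "a0b1b346-4d3e-4e8b-98f8-753987be4970":
        findings.append("guests can enumerate users, groups and apps like members")
    # The default, but worth a conscious decision: guests can invite more guests.
    if invites == "everyone":
        findings.append("existing guests and non-admin members can invite further guests")
    return {
        "guest_access": GUEST_ROLE_IDS.get(role_id, "unknown guestUserRoleId: " + role_id),
        "who_can_invite": INVITE_SETTINGS.get(invites, "unknown allowInvitesFrom: " + invites),
        "findings": findings,
    }


# Constructed sample response with both settings at their defaults, so the
# script runs offline. Other fields of the real object are omitted.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "allowInvitesFrom": "everyone",
    "guestUserRoleId": "10dae51f-2bc6-4b22-914f-1e2ddebefbf2",
}

if __name__ == "__main__":
    # Swap SAMPLE_POLICY for fetch_authorization_policy(token) to assess a real tenant.
    print(json.dumps(assess_guest_settings(SAMPLE_POLICY), indent=2))
```

Run against the constructed sample it reports the default guest access level and flags only the open invite setting; run with a token against a tenant that has been switched to "same access as members", it adds the enumeration finding, which is the change you would want to notice after someone relaxes the setting.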
What is the option External user leave settings?
This option allows external users to remove themselves from your organisation without approval. The guest user can remove their access via account.microsoft.com by clicking manage organization and then clicking the option to leave under other organization you collaborate with.
If the option shown in the image above is set to No, the external user will not be allowed to leave your organisation and will have to email the privacy contact for your organisation.
The External user leave settings option is enabled by default and can be found on the external collaboration settings page. If you’re no longer on that page, here is a reminder of how to get there,
1. Access Entra ID
2. Click User Settings
3. Scroll down
4. Click external collaboration settings, which appears below guest invite settings as shown below
Where is the Privacy email contact set?
1. Access Entra ID
2. Click Properties
Note: Microsoft strongly recommends that you add both your global privacy contact and your organisation’s privacy statement, so your internal employees and external guests can review your policies. Because privacy statements are uniquely created and tailored for each business, Microsoft strongly recommends you contact a lawyer for assistance. More info at the following link: Your organization’s privacy info
What is the option Enable guest self-service sign up via user flows?
The option Enable guest self-service sign up via user flows allows an organisation to create user flows that let a user in a partner organisation sign up for an app and create a new guest account in your tenant. A self-service sign-up user flow defines the series of steps the user follows during sign up, such as adding their name, telephone number and any other attributes you wish to collect at the sign-up stage. You can also configure the identity providers you’ll allow guests to use when signing into your application.
Note: You can associate user flows with apps built by your organisation. User flows can’t be used for Microsoft apps, like SharePoint or Teams.
If you wish to publish a customer-facing application, an Azure AD B2C instance is one you may want to look at.
The option Enable guest self-service sign up via user flows is disabled by default.
Once the above option is switched to Yes, an app registration is automatically created for you; it is used by Entra ID and should not be modified. This automatically created app is visible by accessing Entra ID > App Registrations and clicking All applications to view the newly created app registration, as shown below.
A number of custom attributes are also enabled. Here are the default ones; you can also add your own custom user attributes, which can be presented to the guest user at sign up.
Let’s look at how to create a user flow to allow partners to sign up,
1. Click User flows
2. Here I configure the flow my partner will go through to sign up for the company app I want to make available to guests. If I had specified any custom attributes, they would appear here.
3. There are also two identity providers that appear by default. Identity providers are the different types of accounts that users signing up can use to authenticate to my application.
4. We could configure additional identity providers that my partner guests can use to sign into my app, such as Google and Facebook. Additional identity providers can be configured by following the instructions below,
– Click Entra ID
– Click External Identities
– Click All identity providers
Once configured the additional identity providers would appear in your user flow and be available for you to enable, and depending on which ones you select, will be visible to the guest when signing up to access your app.
5. Once the user flow is created, you can customise it and link it to the application registered in Entra ID. The option to link an application is available after you go through the user flow creation wizard, and is located in the left pane.
Can I control the domains from which my organisation can invite guests?
Yes, as shown below; however, you may wish to use a newer feature which offers more granular control. See my post Cross Tenant Access
Collaboration restrictions by default allow invitations to be sent to all domains; however, this can be locked down to allow or deny specific domains, including non-Entra ID organisations such as hotmail, gmail, etc.
What are cross-tenant access settings displayed as a warning in the image below?
I have documented this feature in a separate post, click the following link Cross Tenant Access
Can external identity controls be configured from anywhere else in the portal?
The first location is the one we have already discussed. Here it is again,
– Access Entra ID
– Click User Settings
– Scroll down
– Click the link Manage external collaboration settings
The same settings can also be reached from the External Identities blade,
– Access Entra ID
– Click External Identities from the left pane
– Click Set up external collaboration settings (image below)
Slightly off topic: you can also control what guests can do in Microsoft Teams, such as deleting messages, posting memes, making video calls and so on.
Instructions on how to access guest settings in Teams are below; for more info on guest access in Teams, visit the following link: Guest access in Microsoft Teams
1. Visit the Teams admin portal, admin.teams.microsoft.com
2. Expand Users (left pane)
The options above are where you can control what guests can do once added to your Teams conversations.
SharePoint and OneDrive restrictions
For more info on guest access in SharePoint and OneDrive, visit the following link: Manage sharing settings for SharePoint and OneDrive in Microsoft 365. Instructions on how to access guest controls for SharePoint and OneDrive are below.
1. Visit admin.microsoft.com
2. Expand admin centres from the left pane
3. Click SharePoint
4. Expand Policies from the left pane
How are guest users in Entra ID licensed?
Licensing for guests works differently from internal accounts. Visit the following page: Pricing – Active Directory External Identities
For further reading on Entra ID External Identities, visit the following link at Microsoft Learn, Microsoft Entra External ID overview | Microsoft Learn
And that’s it. I hope you found this post useful. Please feel free to comment below with any feedback you may have.
Thanks and see you at the next post 🙂