Securing Microsoft Business Premium Part 05: Efficient Identity Management for External Users with Microsoft Entra
- Sebastian F. Markdanner
- May 26
- 9 min read
Managing external users is one of the most tedious—but also critical—challenges in a Microsoft Business Premium environment.

With authentication, authorization, and password security covered in earlier posts, we're now prepared to dive into identity and access management (IAM) specifically for external and guest users. Collaboration beyond organizational boundaries presents unique security challenges, particularly in balancing streamlined access and robust security practices.
Microsoft Entra offers various tools to simplify this daunting task. However, before exploring solutions, it's essential to understand clearly the differences between external user types and recognize common pitfalls organizations frequently encounter.
In this post, I’ll guide you through these fundamentals and introduce practical, license-friendly approaches for effectively managing external user identities within your Microsoft Business Premium environments.
The Challenges With External Users
Managing lifecycle events for internal users is challenging enough. Adding external users makes it significantly harder, because the lifecycle details you would normally act on, such as role changes or employment end dates, are held by another organization and you often never learn about them.
The primary challenge is simply:
Who gets access to what, when, and for how long?
This issue isn’t exclusive to external users, but without the right tools, it becomes particularly difficult. Thankfully, Microsoft Entra provides several options tailored to managing these different external user scenarios.
Understanding User Types: Guest vs. Member Users
Microsoft Entra categorizes users into two main types—Guest and Member—each applicable to both external and internal scenarios:
| Type | External User | Internal User |
|---|---|---|
| Guest | Signs in with an external account/IdP (e.g., another Entra tenant, a social identity provider); the most common type for external collaborators; restricted default access (requires explicit permissions); provisioned via direct invitation or self-service sign-up; billed per monthly active user (MAU) | Internal account within your tenant; restricted default access (explicit permissions); primarily legacy users from prior B2B setups; billed per MAU |
| Member | Signs in with an external account/IdP; common in Multi-Tenant Organizations (MTOs); member-level default access; created by automated cross-tenant synchronization; billed through the user's license in the home tenant | Internal account within your tenant; member-level default access; the common internal employee type; billed per user license |
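As an added example (not code from the original post), the following PowerShell function sorts a tenant's users into the four categories of the table. The rule it applies is an assumption about how Entra represents these accounts: the userType attribute gives Guest vs. Member, and an account is treated as externally backed when its UPN contains `#EXT#` or when one of its `identities[].issuer` values is not one of your own verified domains (internal accounts carry your tenant's own domain, such as contoso.onmicrosoft.com, as issuer). The sample users and the domain list are constructed.

```powershell
# Added example, not from the original post. Classifies users into the four
# categories of the Guest/Member table. ASSUMPTION: an externally backed
# account shows '#EXT#' in its UPN or an identities[].issuer outside your own
# verified domains (e.g. 'ExternalAzureAD', 'mail', 'MicrosoftAccount').

function Get-EntraUserCategory {
    param(
        [Parameter(Mandatory)] $User,                   # needs UserPrincipalName, UserType, Identities
        [Parameter(Mandatory)] [string[]] $OwnDomains   # your tenant's verified domains
    )
    $foreignIssuers = @($User.Identities | ForEach-Object { $_.Issuer } |
                        Where-Object { $OwnDomains -notcontains $_ })
    $isExternal = ($User.UserPrincipalName -like '*#EXT#*') -or ($foreignIssuers.Count -gt 0)

    switch ("$($User.UserType)/$isExternal") {
        'Guest/True'   { 'External guest (B2B collaboration)' }
        'Guest/False'  { 'Internal guest (in-tenant credentials, restricted access)' }
        'Member/True'  { 'External member (cross-tenant sync / MTO)' }
        'Member/False' { 'Internal member' }
        default        { "Unknown userType '$($User.UserType)'" }
    }
}

# Constructed sample data in the shape Get-MgUser returns. ASSUMPTION: the
# tenant's verified domains are contoso.com and contoso.onmicrosoft.com.
$ownDomains  = @('contoso.onmicrosoft.com', 'contoso.com')
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com';                               UserType = 'Member'; Identities = @(@{ SignInType = 'userPrincipalName'; Issuer = 'contoso.onmicrosoft.com' }) }
    [pscustomobject]@{ UserPrincipalName = 'bob_fabrikam.com#EXT#@contoso.onmicrosoft.com';   UserType = 'Guest';  Identities = @(@{ SignInType = 'federated';         Issuer = 'ExternalAzureAD' }) }
    [pscustomobject]@{ UserPrincipalName = 'carol_fabrikam.com#EXT#@contoso.onmicrosoft.com'; UserType = 'Member'; Identities = @(@{ SignInType = 'federated';         Issuer = 'ExternalAzureAD' }) }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.com';                                UserType = 'Guest';  Identities = @(@{ SignInType = 'userPrincipalName'; Issuer = 'contoso.onmicrosoft.com' }) }
)

$sampleUsers |
    Select-Object UserPrincipalName, UserType,
        @{ n = 'Category'; e = { Get-EntraUserCategory -User $_ -OwnDomains $ownDomains } } |
    Format-Table -AutoSize

# Against a real tenant (Microsoft Graph PowerShell SDK):
#   Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All'
#   $ownDomains = (Get-MgDomain | Where-Object IsVerified).Id
#   Get-MgUser -All -Property UserPrincipalName, UserType, Identities |
#       Select-Object UserPrincipalName, UserType,
#           @{ n = 'Category'; e = { Get-EntraUserCategory -User $_ -OwnDomains $ownDomains } } |
#       Group-Object Category | Select-Object Name, Count
```

The live variant at the end gives a per-category count for the whole directory, which is a quick way to spot legacy internal guests and to confirm that synchronized users really arrive as external members rather than guests.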
Microsoft Business Premium External Identity Management Solutions
With user types clarified, let's explore practical solutions.
IAM Solution 1: Cross-Tenant Access
When collaborating across multiple Microsoft Entra tenants—whether within your organization or with close partner organizations—Cross-Tenant Access (via B2B Collaboration or B2B Direct Connect) offers secure and flexible options for managing access.
This feature allows users from external tenants to access your resources, and vice versa, while maintaining control through Conditional Access and trust configurations.
Key Cross-Tenant Access settings:
Microsoft Entra provides several configurable layers within Cross-Tenant Access. These are accessible from the Cross-tenant access settings section of the Entra portal.
Inbound access settings
Control which users and applications from external organizations can access your environment, and through which method—B2B Collaboration, B2B Direct Connect, or both.
Outbound access settings
This setting mirrors the above, but governs whether your internal users are allowed to access resources in external tenants.
Trust settings
Define whether your tenant will trust key identity claims issued by the partner tenant, such as:
Multifactor authentication (MFA)
Device compliance
Microsoft Entra hybrid joined device status (formerly hybrid Azure AD join)
Trusting these claims lets your Conditional Access policies be satisfied by the MFA or device state already established in the user's home tenant, so external users are not forced to register and perform MFA a second time in your tenant. It also means you are relying on the partner's MFA and device management, so trust device claims only from tenants whose management you actually trust.
Tenant restrictions
Use this to restrict which external tenants your users can sign in to from your managed network or devices, so that someone on a corporate device cannot simply sign in to an unmanaged tenant with an external identity.
Note: This setting requires additional network-level configuration (the tenant-restrictions header injected by your proxy) or device-side enforcement to be effective; the portal setting alone does nothing.
To configure B2B Collaboration and B2B Direct Connect, navigate to Cross-tenant access settings within the Entra portal. If no organizations have been added yet, click Add organization, then enter the external tenant’s domain name or tenant ID to get started.

In the Trust settings—whether applied globally or per organization—you can configure which identity claims your tenant will trust from external users.
These settings play a key role in enabling stricter authentication requirements through Conditional Access policies.
✅ Recommendation: Enable trust for Multifactor Authentication (MFA) by default.
As covered in Part 02, trusting the MFA claim is essential to leverage all supported authentication methods. While this enables broader support, access is still tightly controlled using Conditional Access and Authentication Strength policies.

Another valuable option within the Trust settings (at the organization level) is automatic invitation redemption.
When enabled, invited users can sign in immediately—bypassing the usual redemption process, including wait times and manual consent prompts. This greatly streamlines the onboarding experience.
🔄 Note: This setting must be enabled on both sides of the tenant relationship for it to take effect.
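The same partner configuration can be applied with Microsoft Graph PowerShell instead of clicking through the portal. The script below is an added example, not code from the original post: it adds the partner organization, trusts only the MFA claim (per the recommendation above) and enables automatic redemption in both directions, then reads the effective policy back. The partner tenant ID is a placeholder; because automatic redemption must be enabled on both sides, run the same script in the other tenant with the IDs swapped. It assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Added example, not from the original post. Configures cross-tenant access
# for one partner tenant via Microsoft Graph (Policy.ReadWrite.CrossTenantAccess).
# $PartnerTenantId is a placeholder; run in both tenants with IDs swapped.

$PartnerTenantId = '11111111-2222-3333-4444-555555555555'   # placeholder
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$partners = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'

# 1. "Add organization": create the partner entry only if it does not exist yet,
#    so the script can be re-run safely.
$known = (Invoke-MgGraphRequest -Method GET -Uri $partners).value |
         Where-Object { $_.tenantId -eq $PartnerTenantId }
if (-not $known) {
    Invoke-MgGraphRequest -Method POST -Uri $partners -Body @{ tenantId = $PartnerTenantId } | Out-Null
}

# 2. Trust settings and automatic redemption. Only the MFA claim is trusted,
#    as recommended. Device claims stay $false: once accepted, a compliant
#    device claim issued by the partner satisfies YOUR device-based Conditional
#    Access policies, so enable that only for tenants whose device management
#    you trust.
$body = @{
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
    automaticUserConsentSettings = @{
        inboundAllowed  = $true   # their users are auto-redeemed into our tenant
        outboundAllowed = $true   # our users are auto-redeemed into theirs
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "$partners/$PartnerTenantId" -Body $body

# 3. Read the effective partner policy back and fail loudly if MFA trust
#    did not stick, rather than discovering it via MFA loops later.
$effective = Invoke-MgGraphRequest -Method GET -Uri "$partners/$PartnerTenantId"
if (-not $effective.inboundTrust.isMfaAccepted) {
    throw "Inbound MFA trust is not enabled for partner $PartnerTenantId"
}
$effective | ConvertTo-Json -Depth 4
```

Organization-level settings such as these override the tenant-wide defaults under `/policies/crossTenantAccessPolicy/default`; keep the defaults restrictive and open up per partner, rather than the other way round.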

Lastly, we have B2B Direct Connect, which enables direct collaboration across Microsoft 365 tenants through Shared Channels in Microsoft Teams. This capability allows users and teams from different organizations to access shared resources without the need to be added as guests. Instead, users can participate using their existing, familiar credentials from their home tenant—streamlining the experience and maintaining organizational boundaries while enabling seamless collaboration.

IAM Solution 2: Entra User Flows
In scenarios where cross-tenant access isn’t practical, but external users—such as customers or partners—still require access to specific apps, solutions, or resources, Microsoft Entra User Flows provide a flexible alternative.
Entra User Flows enable self-service sign-up for external users, allowing organizations to collect both built-in and custom attributes when a user accesses a custom application for the first time.
These flows can be tailored to gather the necessary information upfront and initiate downstream processes. Once triggered, the user flow can send API requests to external systems—such as third-party services, Azure Logic Apps, Azure Functions, or other automation tools—helping to orchestrate onboarding or further access provisioning seamlessly.
Requirements
To configure Microsoft Entra User Flows for external user access, several settings need to be in place:
Enable Guest Self-Service Sign-Up via User Flows
This setting is located in the Entra portal under External Identities > External Collaboration Settings. It must be enabled to allow external users to register through a user flow, enabling self-service onboarding.
Enabling Email OTP for guests
Email One-Time Passcode (OTP) authentication is enabled by default for guest users. If it has been disabled, re-enable it: it is required for identity verification during the user flow, as the fallback identity provider for sign-ups with an email address that is not backed by an Entra tenant or a Microsoft account.
Example Scenario
Consider a situation where multiple partner organizations require access to a SharePoint site in your environment, but you don’t have visibility into which users from those partners will need access—or when.
To manage this, you can create a custom application that partners use to initiate access. The application guides users through a User Flow, enabling them to create their own guest accounts and gain the necessary permissions to access the site.
For more information, including setup guidance and real-world examples, refer to my dedicated blog post on User Flows:
IAM Solution 3: Cross-Tenant Synchronization
In scenarios where close collaboration with another organization is required—or where multiple tenants exist within the same organization (such as dev/test environments or during mergers)—you may want to automate user synchronization across tenant boundaries. This is where Microsoft Entra Cross-Tenant Synchronization becomes invaluable.
Cross-Tenant Synchronization enables automated user provisioning from one tenant to another. It supports Multi-Tenant Organizations (MTOs) and facilitates efficient lifecycle management by allowing the target tenant to automatically create and maintain users from a source tenant. The synchronized users are enriched with data from their home tenant, improving identity consistency and management across environments.
Overview Diagram

Used with permission from Microsoft. Source: Microsoft Learn: Configure cross-tenant synchronization
Configuring Microsoft Entra Cross-Tenant Synchronization
To set up Cross-Tenant Synchronization, configuration is required in both the source and target tenants.
Target Tenant Configuration
Navigate to Cross-tenant access settings under the External Identities menu in the Entra portal. Add the source tenant by clicking Add organization.
Access the Inbound access settings for the added source tenant
Navigate to Cross-tenant sync, and Enable the setting Allow users sync into this tenant.
You will be prompted to enable Automatic Invitation Redemption. This is required for synchronization to function.
Source Tenant Configuration
In the source tenant, open Cross-tenant access settings in the same way, add the target tenant as an organization and open its Outbound access settings.
Within the Outbound access settings, move to the Trust settings tab and enable Automatically redeem invitations with the tenant xxxx (the target tenant).
Navigate to Cross-tenant synchronization, choose Configuration and New configuration
Provide a name for the synchronization configuration
Within the new configuration, click on Get started to configure the provisioning
Choose Automatic for the provisioning mode, input the target tenant’s ID, and test the connection
Upon a successful connection, save the configuration. This opens the Mappings interface.
Select Provision Microsoft Entra ID Users to access attribute mappings.
Review the default mappings provided.
Add any custom mappings needed by selecting Add New Mapping at the bottom of the mappings.
Testing & Provisioning
Assign the users (or groups) to be synchronized to the enterprise application that the configuration created; only assigned users are provisioned.
You can enable automatic provisioning or run an on-demand sync for testing.
Note: Only internal member users are supported. Guest users and external members are not synchronized.
After provisioning, the synchronized users appear in the target tenant as Member-type users, providing a seamless identity experience while maintaining their association with their home tenant.
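The target-tenant half of the procedure above can also be done with Microsoft Graph PowerShell. The following is an added example, not code from the original post: run in the target tenant, it adds the source tenant as a partner, enables Allow users sync into this tenant and the inbound automatic redemption the portal prompts for, and verifies both before you start provisioning from the source side. The provisioning configuration itself is still created with the source-tenant steps above. The source tenant ID is a placeholder and the script assumes the Microsoft.Graph.Authentication module.

```powershell
# Added example, not from the original post. Target-tenant side of
# cross-tenant synchronization via Microsoft Graph. $SourceTenantId is a
# placeholder. Run this in the TARGET tenant.

$SourceTenantId = '11111111-2222-3333-4444-555555555555'   # placeholder
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$partners = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'
$partner  = "$partners/$SourceTenantId"

# Add organization (idempotent).
$known = (Invoke-MgGraphRequest -Method GET -Uri $partners).value |
         Where-Object { $_.tenantId -eq $SourceTenantId }
if (-not $known) {
    Invoke-MgGraphRequest -Method POST -Uri $partners -Body @{ tenantId = $SourceTenantId } | Out-Null
}

# Inbound access > Cross-tenant sync > "Allow users sync into this tenant".
Invoke-MgGraphRequest -Method PUT -Uri "$partner/identitySynchronization" -Body @{
    displayName     = 'Source tenant sync'
    userSyncInbound = @{ isSyncAllowed = $true }
}

# The portal prompts for this at the same step: without inbound automatic
# redemption every synchronized user still has to accept the invitation and
# consent prompt manually.
Invoke-MgGraphRequest -Method PATCH -Uri $partner -Body @{
    automaticUserConsentSettings = @{ inboundAllowed = $true }
}

# Verify both settings before starting provisioning from the source tenant.
$sync   = Invoke-MgGraphRequest -Method GET -Uri "$partner/identitySynchronization"
$policy = Invoke-MgGraphRequest -Method GET -Uri $partner
if (-not $sync.userSyncInbound.isSyncAllowed) {
    throw "Inbound user sync from $SourceTenantId is not allowed"
}
if (-not $policy.automaticUserConsentSettings.inboundAllowed) {
    throw "Inbound automatic redemption for $SourceTenantId is off"
}
"Target tenant is ready to receive users from $SourceTenantId"
```

Keeping the check at the end matters in practice: a configuration in the source tenant that tests fine will still provision users who land as pending invitations if the target side was only half configured.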

IAM Solution 4: The boring and tedious way
When the other options aren’t feasible, there’s always the manual method: inviting and managing guest users one by one. It always works and is always available, but it’s neither scalable nor efficient, especially in dynamic environments. It's also the boring way, and who'd want that?
To manually manage external users:
Navigate to Users in the Entra portal.
Click New user.
Select Invite external user.
Fill in the required information and send the invitation.
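When the manual route is unavoidable, at least script the invitation. The following is an added example, not code from the original post: it performs the same invitation the portal steps do, for a list of addresses, through the Graph invitation API (New-MgInvitation from the Microsoft.Graph.Identity.SignIns module). The CSV content is constructed and the redirect URL is a placeholder for the resource the guest should land on after redemption.

```powershell
# Added example, not from the original post. Bulk guest invitations via
# New-MgInvitation. The CSV is constructed; $RedirectUrl is a placeholder.

Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

$invitees = @'
Email,DisplayName
alice@fabrikam.example,Alice Example
bob@partner.example,Bob Example
'@ | ConvertFrom-Csv

$RedirectUrl = 'https://myapps.microsoft.com'   # placeholder landing page

function Send-GuestInvitation {
    param(
        [Parameter(Mandatory)] [string] $Email,
        [string] $DisplayName,
        [Parameter(Mandatory)] [string] $RedirectUrl
    )
    # Skip addresses that already have an account, so re-running the script
    # neither creates duplicate guests nor re-sends invitation mail.
    $safeEmail = $Email.Replace("'", "''")          # escape for the OData filter
    $existing  = Get-MgUser -Filter "mail eq '$safeEmail'" -Property Id, UserType
    if ($existing) {
        return [pscustomobject]@{ Email = $Email; Result = "already exists ($($existing.UserType))"; UserId = $existing.Id }
    }
    $inv = New-MgInvitation -InvitedUserEmailAddress $Email `
                            -InvitedUserDisplayName $DisplayName `
                            -InviteRedirectUrl $RedirectUrl `
                            -SendInvitationMessage:$true
    [pscustomobject]@{ Email = $Email; Result = $inv.Status; UserId = $inv.InvitedUser.Id }
}

$invitees |
    ForEach-Object { Send-GuestInvitation -Email $_.Email -DisplayName $_.DisplayName -RedirectUrl $RedirectUrl } |
    Format-Table -AutoSize
```

The returned UserId is the guest object created in your directory at invitation time; it is what you assign to groups or sites, and what you later have to clean up when the collaboration ends.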

While this approach may be sufficient for small-scale or one-off scenarios, it quickly becomes cumbersome as the number of users or partners increases.
These IAM solutions provide various ways to manage external users in a Business Premium (BP) environment. While this series focuses on the capabilities included in that license, higher-tier licensing adds governance features such as Access Reviews and Lifecycle Workflows, which offer more automation, governance, and scalability and are better suited to larger or more complex identity environments.
Microsoft Partner Management
In addition to guest users and cross-tenant collaboration, there is a distinct category of external access—Microsoft Partners. Since 2022, Microsoft Partners have been required to use Granular Delegated Admin Privileges (GDAP) to access customer environments.
This model applies to a broad range of partners, including providers, resellers, Managed Service Providers (MSPs), and Managed Security Service Providers (MSSPs). GDAP offers more secure, limited, and role-based access compared to the previous Delegated Admin Privileges (DAP) model.
GDAP User Representation
Partner users accessing your environment via GDAP do not exist in your tenant directory. However, their activity is visible in sign-in and audit logs. These users appear with the display name format:
<Partner> technician
Their User Principal Name (UPN) follows this pattern:
User_<objectID of user object in partner tenant>@partnerdomain.com
Although these users aren’t directly present in your directory, you retain control over their level of access via the GDAP relationship.
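Because these technicians never appear in your user list, the sign-in log is where you see them. The following is an added example, not code from the original post: a function that picks partner-technician sign-ins out of sign-in records using the UPN pattern above and summarizes them per partner domain, which you can compare with the relationships listed under Partner relationships. The sample records are constructed; the property names are those of the objects Get-MgAuditLogSignIn returns.

```powershell
# Added example, not from the original post. Detects GDAP partner technician
# sign-ins (UPN User_<GUID>@<partner domain>) in sign-in records.

function Get-PartnerTechnicianSignIn {
    param([Parameter(Mandatory, ValueFromPipeline)] $SignIn)
    begin {
        $pattern = '^User_([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})@(.+)$'
    }
    process {
        if (-not ($SignIn.UserPrincipalName -match $pattern)) { return }
        [pscustomobject]@{
            PartnerDomain   = $Matches[2]
            PartnerObjectId = $Matches[1]               # object ID in the partner's tenant
            DisplayName     = $SignIn.UserDisplayName   # "<Partner> technician"
            App             = $SignIn.AppDisplayName
            When            = $SignIn.CreatedDateTime
            Succeeded       = ($SignIn.Status.ErrorCode -eq 0)
        }
    }
}

# Constructed sample sign-in records: one technician success, one ordinary
# user, one technician from a second partner blocked by Conditional Access.
$sampleSignIns = @(
    [pscustomobject]@{ UserPrincipalName = 'User_0f3a1b2c-4d5e-4f60-8a7b-9c0d1e2f3a4b@msp.example'
                       UserDisplayName   = 'MSP technician'; AppDisplayName = 'Azure Portal'
                       CreatedDateTime   = '2025-05-20T08:15:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'
                       UserDisplayName   = 'Alice Example'; AppDisplayName = 'Office 365 SharePoint Online'
                       CreatedDateTime   = '2025-05-20T08:20:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'User_9b8c7d6e-5f40-4a31-b2c3-d4e5f6a7b8c9@othermsp.example'
                       UserDisplayName   = 'OtherMSP technician'; AppDisplayName = 'Microsoft 365 admin center'
                       CreatedDateTime   = '2025-05-20T09:02:00Z'; Status = @{ ErrorCode = 53003 } }
)

$technicianSignIns = $sampleSignIns | Get-PartnerTechnicianSignIn
$technicianSignIns | Format-Table -AutoSize
$technicianSignIns | Group-Object PartnerDomain |
    Select-Object @{ n = 'PartnerDomain'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Live data (sign-in log access through Graph needs Entra ID P1, which
# Business Premium includes):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
#   Get-MgAuditLogSignIn -Top 1000 | Get-PartnerTechnicianSignIn
```

A partner domain that shows up here but has no active relationship under Partner relationships, or sign-ins continuing after a relationship's expiration date, is the case worth investigating.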

To view and manage the access a partner has into your environment:
Go to the Microsoft 365 Admin Center.
Navigate to Settings > Partner relationships.
Here, you can view all active partner relationships, including:
GDAP relationship names
Assigned roles
Expiration dates
Relationship status

This view provides full transparency into the permissions granted to partners and helps ensure external access is appropriately scoped and governed.
Authentication, Authorization & Conditional Access for External Users
With external identities in place, the next step is securing their access. This involves addressing both authentication (AuthN) and authorization (AuthZ), as well as implementing effective Conditional Access policies.
While there’s plenty to say about AuthN and AuthZ, I’ve covered these topics in depth in the following posts:
Microsoft Entra Conditional Access Series:
Part 1: The Essentials
Part 2: Managing Privileged Identities
Part 4: Mastering Risk-Based Policies
Part 5: Application-Specific Protections
For general guidance on authentication and authorization best practices, check out these earlier posts in the series:
Conclusion: Securing External Identities – Simplified & Strengthened
Efficiently managing external and guest user identities is crucial for maintaining robust security while enabling productive collaboration. Although Microsoft Business Premium doesn’t include automated governance tools like Access Reviews or Lifecycle Workflows, it still offers robust options—such as Cross-tenant Access, User Flows, and Cross-tenant Synchronization—to keep external collaboration secure and organized.
By clearly differentiating between guest and synchronized member users, and by proactively avoiding common pitfalls such as stale accounts and overly permissive access, you’ll significantly reduce risk and administrative overhead.
And now, it’s time for the obligatory bad joke:
Why did the computer get taken to the veterinarians office?
It had too many bytes in its past. 😎
As always, implement these solutions to enhance your organization’s security posture, and stay tuned as we explore secure collaboration further in the next post.
Be sure to bookmark this series and return often as we continue securing your Microsoft Business Premium environment together!