External Users in Microsoft Entra ID
Episode 1
Concept + Walkthrough | Available | 9 min
A practical introduction to external users in Microsoft Entra ID, including what they are, why they exist, and how they appear and function in the Entra portal.
Key Takeaways
Make note of these
- Inviting an external user creates an identity object in your tenant that can be governed with groups, assignments, and policy.
- Guest users are treated differently from internal members and are more restricted by default inside the directory.
- Guest invitations may be more permissive than expected in a real tenant, so reviewing invitation permissions is an important first admin step.
- It is not enough to allow guest access. Strong administration means deciding what conditions a guest must satisfy before access is granted.
- External users can still be placed into groups, assigned access, and governed as part of the organization’s access model.
- Classic B2B collaboration is the guest model. Cross-tenant access and B2B Direct Connect are more about trust between Entra organizations.
Lesson companion notes
In this lesson, the focus is not just on what external identities are, but on how an administrator should think about them in practice. Microsoft Entra External Identities is about enabling collaboration with people outside the organization while still keeping authentication, visibility, and access under control.
External Identities and B2B collaboration
The most common model shown in this lesson is B2B collaboration. In that model, an external user is invited into your tenant and represented as a Guest user object. The identity belongs to the external user, but the access is still governed by your organization.
That distinction is one of the most important ideas in the lesson: external user does not mean unmanaged user.
What to pay attention to in the portal
- Who is allowed to invite external users
- How guests are restricted compared to internal members
- How the guest object appears in the directory
- What identity sources can be used during sign-in
- Where Conditional Access and Terms of Use fit into governance
Guest invitation settings
One of the first things worth reviewing in any tenant is guest invitation behavior. It is easy to assume only admins can invite guests, but real environments may be more permissive than expected. This is why the lesson calls attention to invitation permissions and the Guest Inviter role.
Guest restrictions and visibility
Guests are not intended to behave like full internal users. Their default restrictions help limit broad visibility into the directory and reinforce the fact that guest collaboration should stay scoped and intentional.
Guest object and authentication flow
Once invited, a guest becomes a real object in the directory. In many cases, the user principal name includes the familiar #EXT# pattern. That object can then be reviewed, grouped, assigned, and secured.
External users may sign in with a Microsoft Entra identity from another organization, a Microsoft account, Google, another federated provider, or an email one-time passcode fallback depending on the scenario.
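The invitation setting, the guest restriction level, and the #EXT# naming covered in the sections above can all be reviewed from exported directory data. The following is an added example, not part of the lesson: it audits a policy document shaped like Microsoft Graph's authorizationPolicy resource and decodes guest UPNs. The sample tenant and users are constructed, and treating anything wider than admins and Guest Inviters as a finding is an assumption of this example.

```python
import re

# Added example: field names follow Microsoft Graph's authorizationPolicy and user
# resources; the sample data and the "finding" threshold are constructed assumptions.
INVITE_LEVELS = ["none", "adminsAndGuestInviters",
                 "adminsGuestInvitersAndAllMembers", "everyone"]  # least to most open
GUEST_ROLES = {  # role template IDs accepted by guestUserRoleId
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "member",      # same access as members
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "limited",     # default guest access
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted",  # own directory object only
}

def audit_policy(policy):
    """Return findings for the invitation and guest-restriction settings."""
    findings = []
    invites = policy.get("allowInvitesFrom")
    if invites not in INVITE_LEVELS:
        findings.append(f"allowInvitesFrom missing or unknown: {invites!r}")
    elif INVITE_LEVELS.index(invites) > INVITE_LEVELS.index("adminsAndGuestInviters"):
        findings.append(f"invitations allowed from '{invites}', wider than admins "
                        "and the Guest Inviter role")
    role = GUEST_ROLES.get(policy.get("guestUserRoleId"))
    if role is None:
        findings.append("guestUserRoleId missing or unrecognised")
    elif role == "member":
        findings.append("guests have the same directory access as members")
    return findings

def guest_source_address(upn):
    """Recover the invited address from an #EXT# guest UPN, else None."""
    m = re.search(r"#EXT#@", upn, re.IGNORECASE)
    if not m or "_" not in upn[:m.start()]:
        return None
    # The "@" of the invited address became "_"; mail domains do not contain "_",
    # so the last "_" is the one to restore.
    name, domain = upn[:m.start()].rsplit("_", 1)
    return f"{name}@{domain}"

def list_guests(users):
    """Map each Guest object's UPN to its decoded source address (or None)."""
    return {u["userPrincipalName"]: guest_source_address(u["userPrincipalName"])
            for u in users if u.get("userType") == "Guest"}

SAMPLE_POLICY = {"allowInvitesFrom": "everyone",  # constructed sample input
                 "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3"}
SAMPLE_USERS = [
    {"userPrincipalName": "megan@contoso.example", "userType": "Member"},
    {"userPrincipalName": "alex_wilber_fabrikam.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest"},
]
```

The decoded address reflects the UPN only; where a guest's UPN lacks the #EXT# pattern the function returns None and the object's mail or identities properties are the place to look.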
Governance matters more than the invite
The most practical admin takeaway in this lesson is that guest access should not stop at invitation. Terms of Use and Conditional Access help transform external collaboration from a simple invite flow into a governed access model.
Dynamic groups and cross-tenant access
The lesson also introduces more advanced topics that become more useful as administration matures. Dynamic groups help scale assignment and access management. Cross-tenant access and B2B Direct Connect introduce a related, but different, model based on trust between Entra organizations rather than the classic standalone guest invitation flow.
