Manage external users

Manage Microsoft Entra users and groups

📘 Microsoft Certified: Azure Administrator Associate (AZ-104)


1. What Are External Users?

External users are people outside your organization who need access to your resources. These could be:

  • Contractors
  • Partners
  • Vendors
  • Customers

External users are not part of your internal Entra/Azure AD tenant by default. You can give them access without creating full employee accounts.

Key point for the exam: External users are usually invited using their email address, and they authenticate with their own organization’s identity system (Azure AD, Microsoft Account, or even social identity in some cases).


2. Types of External Users

There are mainly two types:

a. Guest Users

  • Added to your directory using Azure AD B2B (Business-to-Business) collaboration.
  • They can access apps, share documents, and participate in Teams or SharePoint.
  • Their accounts remain managed by their own organization (not your tenant).

b. B2B Direct Federation / Collaboration Users

  • Used when your organization and another organization have a federated trust.
  • Users can sign in using their home credentials without creating a guest account manually.

Exam Tip: Most AZ-104 questions focus on guest users added via B2B collaboration.


3. How to Add External Users

There are a few ways to add external users:

a. Azure Portal

  1. Go to Microsoft Entra Admin Center → Users → New guest user.
  2. Choose Invite user.
  3. Enter:
    • Name
    • Email address
    • Optional personal message
  4. Assign groups, roles, and licenses if needed.
  5. Click Invite.

The user receives an invitation email and must accept it to gain access.

b. Bulk Invitation

  • For multiple users, you can use a CSV file and invite them all at once.
  • This is useful for large partner organizations.

c. PowerShell / CLI

  • You can add external users programmatically using Azure AD PowerShell or Azure CLI.

Exam Tip: Know that external users are added as guest accounts, usually with UserType = Guest.


4. Managing Access for External Users

Once invited, you can control their access in several ways:

a. Assign to Groups

  • You can add guests to security groups or Microsoft 365 groups to grant access to apps or resources.

b. Assign to Applications

  • External users can be given access to specific apps:
    • Microsoft 365 apps (Teams, SharePoint, OneDrive)
    • Enterprise applications registered in Azure AD

c. Roles

  • Assign directory roles if the guest needs elevated permissions.
  • Examples: User administrator, Global reader.
  • Tip: Limit roles to only what is necessary for security.

5. Collaboration Settings

You can configure how external users interact with your tenant:

  • Who can invite guests:
    • Only admins or users with permission.
  • Default permissions for guests:
    • Read-only access to certain directory info.
  • Restrictions:
    • Limit access to specific groups or apps.
  • External collaboration settings are found in:
    Microsoft Entra Admin Center → External Identities → External collaboration settings

Exam Tip: Know that these settings control security and collaboration policies for guest users.


6. Monitoring and Reporting

  • Azure AD allows you to monitor guest user activity.
  • You can check:
    • Sign-ins
    • Group memberships
    • Role assignments
  • This ensures that external users are only accessing what they need.

Exam Tip: Be aware that sign-in logs and audit logs help track external user activity.
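
The guest review described in this section, as an added example (not from the original page or from Microsoft). It assumes user records exported from Microsoft Graph with their memberOf entries included; the 90-day and 30-day thresholds, the function name and the sample records are assumptions made up for illustration.

```python
from datetime import datetime, timedelta, timezone
# Assumed review thresholds; the page does not prescribe any.
STALE_AFTER = timedelta(days=90)
PENDING_AFTER = timedelta(days=30)
ROLE_TYPE = "#microsoft.graph.directoryRole"

def _ts(value):  # parse a Graph-style UTC timestamp, e.g. 2025-01-15T09:30:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_guests(users, now):
    """Return {mail: [findings]} for guest accounts that need attention."""
    report = {}
    for user in users:
        if user.get("userType") != "Guest":
            continue  # internal members are out of scope for this review
        findings = []
        roles = sorted(m["displayName"] for m in user.get("memberOf", [])
                       if m.get("@odata.type") == ROLE_TYPE)
        if roles:  # guests rarely need directory roles; surface every one
            findings.append("directory role: " + ", ".join(roles))
        if user.get("externalUserState") == "PendingAcceptance":
            if now - _ts(user["externalUserStateChangeDateTime"]) > PENDING_AFTER:
                findings.append("invitation never accepted")
        else:
            last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
            if last is None:
                findings.append("no sign-in recorded")
            elif now - _ts(last) > STALE_AFTER:
                findings.append(f"no sign-in for over {STALE_AFTER.days} days")
        if findings:
            report[user["mail"]] = findings
    return report

# Constructed sample records (not real accounts).
GROUP = {"@odata.type": "#microsoft.graph.group", "displayName": "Partner-Docs"}
READER = {"@odata.type": ROLE_TYPE, "displayName": "Global Reader"}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"mail": "admin@contoso.example", "userType": "Member",
     "memberOf": [{"@odata.type": ROLE_TYPE, "displayName": "User Administrator"}]},
    {"mail": "ana@fabrikam.example", "userType": "Guest", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2025-05-20T10:00:00Z"}, "memberOf": [GROUP]},
    {"mail": "raj@fabrikam.example", "userType": "Guest", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2025-01-10T08:00:00Z"}, "memberOf": [GROUP, READER]},
    {"mail": "lee@fabrikam.example", "userType": "Guest", "externalUserState": "PendingAcceptance",
     "externalUserStateChangeDateTime": "2025-03-01T00:00:00Z", "memberOf": []},
]
if __name__ == "__main__":
    print(review_guests(SAMPLE_USERS, NOW))
```

Guests that appear in the report are candidates for role removal or for deletion as described in section 7.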


7. Removing External Users

  • You can delete guest accounts when they no longer need access.
  • Steps:
    1. Go to Users → All Users.
    2. Find the external guest.
    3. Click Delete.
  • Removing a guest revokes all access immediately.

8. Key Exam Points

For AZ-104, you should remember:

  1. External users = guest accounts (UserType = Guest)
  2. Added via Azure AD B2B collaboration
  3. Can be assigned to:
    • Groups
    • Applications
    • Roles
  4. Access can be controlled via external collaboration settings
  5. You can invite:
    • Single users via portal
    • Multiple users via CSV / bulk import
  6. Monitoring = sign-ins and audit logs
  7. Removing external users = revokes access immediately

✅ Summary Table for Quick Exam Revision

| Feature | Key Points |
|---|---|
| External User | User outside your organization |
| Guest User | Added via B2B collaboration, managed in their home tenant |
| Invite Methods | Azure Portal, Bulk CSV, PowerShell/CLI |
| Access Control | Groups, Roles, Applications |
| Collaboration Settings | Control who can invite, what they can access |
| Monitoring | Sign-in logs, audit logs |
| Removal | Deletes account, revokes access |