Azure

Microsoft Entra B2B / External ID Complete Guide: Partner Invitations, Customer Auth, Cross-tenant Settings

2026-05-24
NicheeLab Editorial Team

Microsoft Entra B2B Collaboration and External ID for customers are two distinct features for integrating external users into your own / your app's authentication platform. B2B targets cross-organization collaboration, while External ID targets BtoC customer apps — the use cases are clearly different. This article comprehensively contrasts the two, walking through invitation flows, Cross-tenant Settings, and Entitlement Management automation.

B2B vs External ID for customers

ItemB2B CollaborationExternal ID for customers
Target usersUsers in external organizations (partners)End users (customers)
TenantGuests inside your Entra ID tenantIndependent External Tenant
AuthenticationExternal org's Entra ID (federated)Email/Password, Social (Google, Facebook, Apple)
UI customizationLimitedFully customizable via Custom Policy
Use caseMicrosoft 365 collaborationCustomer auth for SaaS custom apps
PricingFree (up to 50,000 guests)MAU-based (free up to 50,000 MAU/month)
Former name-Azure AD B2C (rebranded 2024)

B2B Guest Invitation Flow

  1. The inviter (internal user, as an Entra ID admin or Group Owner) enters the external email address via 'User → Invite external user' in the Entra ID admin center
  2. Microsoft sends an invitation email to the external user (with an Invitation Redemption Link)
  3. The external user clicks the link and authenticates with Entra ID (their org's Entra ID or a personal Microsoft account)
  4. Accepts the Privacy Statement and terms of use
  5. A guest account is created in your Entra ID tenant (UserType: Guest)
  6. Access is granted to the Groups / SharePoint / Teams specified at invitation time
  7. From then on, the guest can access Microsoft 365 / Azure resources like any regular user

You can reduce operational load by automating the Invitation Redemption Process (Self-Service Sign-up, SharePoint Sharing Links, auto-accepted Teams invitations). In enterprises, auto-invitation via Access Package + Entitlement Management is the standard pattern.

Cross-tenant Access Settings

Centralized management of access control between Entra ID tenants (your tenant ↔ external organizations) — GA in 2022.

Three configuration axes

  • Inbound Access: External orgs accessing your tenant (B2B Collaboration / Direct Connect)
  • Outbound Access: Your users accessing external organizations
  • Microsoft Cloud Settings: Cross-cloud with Azure Government, Azure China

Configuration patterns

  • Default Settings: Applied to all external organizations
  • Organizational Settings: Per-organization customization

Typical configurations

  • Default allows all guest invitations with MFA enforced
  • Direct Connect enabled for specific partners (top 5 organizations)
  • Block B2B invitations from untrusted countries (orgs in China, Russia)

Conditional Access for Cross-tenant also enables finer control (require compliant devices, evaluate sign-in risk).

Configuring External ID for customers

Setup steps

  1. Create an External Tenant (independent from the Workforce Tenant; free plan up to 50,000 MAU/month)
  2. Configure User Flows (built-in auth flows: Sign up + Sign in, Password Reset, Profile Edit)
  3. Add identity providers (Email + Password by default; Google / Facebook / Apple ID / GitHub optional)
  4. Customize branding (company logo, background image, custom CSS, custom HTML)
  5. Register an app via Application Registration
  6. Implement authentication with the MSAL library (Authorization Code + PKCE flow)
  7. Define custom attributes (extra fields collected at sign-up)

Additional Premium plan features (MAU pricing)

  • Custom Policy (Identity Experience Framework, highest level of customization)
  • Phone Authentication
  • Risk-based Conditional Access
  • Custom Domain
  • 99.99% SLA

Common use cases

  • BtoC e-commerce sites
  • SaaS customer portals
  • Customer auth for mobile apps
  • User registration platforms for web apps

Automating B2B with Entitlement Management

Standard pattern for automating the B2B invitation process with Access Packages.

Setup steps

  1. Create an Access Package (e.g., 'Partner Portal Access')
  2. Bundle SharePoint sites, Microsoft 365 Groups, and Azure resources under Resources
  3. Configure Policy: for external users, choose Specific connected organizations or All configured connected organizations
  4. Set up an Approval Workflow (1- or 2-stage approval, designated approvers)
  5. Use Auto Assignment Policy to auto-assign to users with specific attributes
  6. Configure lifecycle (expiration, renewal eligibility, integration with Access Review)
  7. Share the Portal URL where partners can request access

Benefits

  • Less manual invitation work for IT
  • Full audit logs of the approval process
  • Automatic access removal on expiration
  • Periodic inventory via Access Review

Essential for large-scale enterprise B2B operations; requires an Entra ID P2 license.

Conditional Access for B2B

Applying Conditional Access policies to guest users is at the heart of B2B security.

Recommended policies

  1. Require MFA for guest users
  2. Require compliant devices for sensitive data access
  3. Block risky sign-ins (integrate with Identity Protection)
  4. Country restrictions (allow-list of permitted countries)
  5. Shorten Sign-in Frequency (e.g., 8 hours → 4 hours)

Cross-tenant Synchronization (B2B Auto Provisioning)

GA in 2023 — automates large-scale B2B synchronization with specific partner organizations.

  • Sync specific Groups from a partner org into your tenant as guests
  • User additions/removals on the partner side automatically propagate to your tenant
  • Eliminates the manual invitation process entirely
  • Especially powerful for large-scale B2B operations with 10+ major partner companies

Operational Best Practices

  1. Explicitly restrict allowed organizations in Cross-tenant Access Settings
  2. Enforce Conditional Access on guests (MFA, compliant devices)
  3. Automate the invitation process with Access Package + Entitlement Management
  4. Inventory guests every 3-6 months via Access Review; auto-remove unneeded ones
  5. Minimize default Guest User Permissions (Restricted)
  6. Ship B2B invitation and sign-in events to Microsoft Sentinel and detect anomalies via KQL
  7. Use Cross-tenant Synchronization for large-scale partner sync
  8. Improve guest experience with External Identity Branding
  9. Auto-clean up departed external org members with Lifecycle Workflows
  10. Restrict guest access to sensitive data with DLP

Related Certifications

Frequently Asked Questions

What is Microsoft Entra B2B Collaboration?

Microsoft Entra B2B Collaboration lets you invite users from external organizations (vendors, partners, contractors) as 'guests' into your own Entra ID tenant, enabling collaboration on Microsoft 365 and Azure resources. It is free (up to 50,000 guests), guests authenticate against their home organization's Entra ID (federated), and appear as Guest User in your tenant. Common scenarios: 1) SharePoint sharing projects with partner companies, 2) granting Azure resource access to contractor engineers, 3) sharing Power BI reports with customers, 4) Teams guest invitations, 5) adding external members to Microsoft 365 Groups. You can scope allowed organizations with Cross-tenant Access Settings. As the core feature of Microsoft Entra External Identity, it is deeply tested in SC-300 and MS-102.

How is B2B different from B2C / External ID for customers?

B2B Collaboration: invite users from external organizations as guests into your Entra ID tenant for Microsoft 365 collaboration; guests authenticate via their home Entra ID (federated); free up to 50,000 guests. Microsoft Entra External ID for customers (formerly Azure AD B2C, rebranded in 2024): customer authentication for custom apps, independent External Tenant, email/password and social authentication (Google, Facebook, Apple), full UI/flow customization via Custom Policy, MAU-based pricing. Decision guide: 1) Microsoft 365 collaboration with partners → B2B, 2) customer authentication for SaaS custom apps → External ID for customers, 3) organizations with both needs run both. Microsoft has been gradually rebranding B2C as External ID for customers since 2024, and new projects should be built under the new brand.

What is the guest invitation flow?

Standard B2B guest invitation flow: 1) the inviter (internal user, acting as an Entra ID admin or Group Owner) enters the external email address via 'User → Invite external user' in the Entra ID admin center, 2) Microsoft sends an invitation email with an Invitation Redemption Link, 3) the external user clicks the link and authenticates with Entra ID (their organization's Entra ID or a personal Microsoft account), 4) accepts the Privacy Statement and terms of use, 5) a guest account is created in your Entra ID tenant (UserType: Guest), 6) access is granted to the Groups / SharePoint / Teams specified at invitation time, 7) the guest can then access Microsoft 365 / Azure resources like any regular user. You can reduce operational load by automating the Invitation Redemption Process (Self-Service Sign-up, SharePoint Sharing Links, auto-accepted Teams invites). In enterprises, auto-invitation through Access Package + Entitlement Management is the standard pattern.

How do you configure Cross-tenant Access Settings?

Cross-tenant Access Settings (GA in 2022) centralizes access control between Entra ID tenants (your tenant ↔ external organizations). Three configuration axes: 1) Inbound Access (external orgs accessing your tenant via B2B Collaboration / Direct Connect), 2) Outbound Access (your users accessing external orgs), 3) Microsoft Cloud Settings (cross-cloud with Azure Government, Azure China). Combine Default Settings (applied to all external orgs) with Organizational Settings (per-org customization) for flexible policies. Typical configurations: 1) default allows all guest invitations with MFA enforced, 2) Direct Connect enabled for specific partners (top 5 organizations), 3) B2B invitations blocked from untrusted countries (e.g., orgs in China or Russia). Conditional Access for Cross-tenant enables finer control (require compliant devices, evaluate sign-in risk). In production, balancing security and business convenience is critical.

How do you configure Microsoft Entra External ID for customers?

Steps to configure External ID for customers: 1) create an External Tenant (independent from the Workforce Tenant; free plan up to 50,000 MAU/month), 2) configure User Flows (built-in auth flows for Sign up + Sign in, Password Reset, Profile Edit), 3) add identity providers (Email + Password by default; Google / Facebook / Apple ID / GitHub optional), 4) customize branding (company logo, background image, custom CSS, custom HTML), 5) register an app via Application Registration, 6) implement authentication with the MSAL library (Authorization Code + PKCE flow), 7) define custom attributes (additional fields collected at sign-up). The Premium plan (MAU-based pricing) unlocks advanced features (Custom Policy, phone auth, risk-based Conditional Access). Common use cases: BtoC e-commerce sites, SaaS customer portals, mobile app customer auth, and user registration platforms for web apps.

How do you automate B2B with Entitlement Management?

Standard pattern for automating B2B invitations with Entitlement Management Access Packages: 1) create an Access Package (e.g., 'Partner Portal Access'), 2) bundle SharePoint sites, Microsoft 365 Groups, and Azure resources under Resources, 3) configure Policy: for external users, choose Specific connected organizations or All configured connected organizations, 4) set up an Approval Workflow (1- or 2-stage approval, designated approvers), 5) use Auto Assignment Policy to auto-assign to users matching specific attributes, 6) configure lifecycle (expiration, renewal eligibility, integration with Access Review), 7) share the Portal URL where partners can request access. Benefits: 1) less manual invitation work for IT, 2) full audit logs of the approval process, 3) automatic access removal on expiration, 4) regular reviews via Access Review. This is essential for large-scale enterprise B2B operations and requires an Entra ID P2 license.

What are the best practices for B2B operations?

Key practices: 1) explicitly restrict allowed organizations in Cross-tenant Access Settings (Allow-all is dangerous), 2) enforce Conditional Access on guest users (require MFA and compliant devices), 3) automate invitations with Access Package + Entitlement Management, 4) run Access Reviews every 3-6 months to inventory guests and auto-remove unneeded ones, 5) minimize default Guest User Permissions (set Guest user access restrictions to Restricted), 6) ship B2B invitation and sign-in events to Microsoft Sentinel and detect anomalies via KQL, 7) automate sync with large partner orgs via Cross-tenant Synchronization (B2B Auto Provisioning, GA 2023), 8) improve guest experience with External Identity Branding, 9) use Lifecycle Workflows to auto-clean up departed external org members, 10) restrict guest access to sensitive data with Data Loss Prevention. In production, balancing convenience and security is the challenge, and ongoing policy review is essential.

Which related certifications cover this area?

SC-300 (Identity and Access Administrator Associate) is the headline certification — Domain 1 (Identity Management, 20-25%) covers B2B / External ID in depth. Also relevant: MS-102 (Microsoft 365 Administrator Expert) Domain 2 (Identity and Access); SC-100 (Cybersecurity Architect Expert) for the Identity pillar of Zero Trust strategy and external identity integration; AZ-204 (Developer Associate) for implementing External ID authentication from a developer perspective; AZ-104 (Administrator) for the basics. Distinguishing and properly choosing between Microsoft Entra B2B Collaboration and External ID for customers is a recurring exam topic and an essential skill for enterprise identity administrators.

Related Articles & Deep Dives

Microsoft Entra ID Governance 完全ガイド|Entitlement Management・Access Review・Lifecycle Workflows【2026 年版】

Microsoft Entra ID Governance の完全ガイド。Entitlement Management (Access Package)・Access Review・PIM・Lifecycle Workflows・Terms of Use・B2B/B2C を網羅解説。SOC2 / ISO 27001 コンプライアンス対応、JML プロセス自動化、関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。

SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。

MS-102 完全ガイド|Microsoft 365 Administrator Expert 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Microsoft 365 Administrator Expert (MS-102) の完全ガイド。4 ドメインの出題範囲、テナント / Entra ID / Defender XDR / Purview を横断的にカバー、SC-300 / SC-200 との重複と差異、Microsoft 365 Developer Program 活用法、3-4 ヶ月の合格ロードマップ、SC-100 / MD-102 への展開ルートを日本語で網羅。

Azure PIM (Privileged Identity Management) 完全ガイド|JIT 特権管理・Access Review・運用ベストプラクティス【2026 年版】

Microsoft Entra Privileged Identity Management (PIM) の完全ガイド。Eligible / Active / Activate の関係・Role Settings 構成・Azure Resource ロール対応・Access Review 連携・運用ベストプラクティス・関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。ゼロトラスト特権アクセス管理の中核。

The technical content of this article is based on the Microsoft Entra External ID Documentation. This article is not an official Microsoft Corporation product and has no partnership or sponsorship with Microsoft. Microsoft, Azure, and Microsoft Entra are trademarks of the Microsoft group of companies. Information reflects official public materials as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.