External Collaboration Settings
External Collaboration Settings in Microsoft Entra ID (formerly Azure AD) are the configurations that control how your organization collaborates with external users, particularly through Azure AD B2B (Business-to-Business) collaboration. They are managed under Entra ID > External Identities > External Collaboration Settings and cover five areas.
- **Guest user access restrictions:** Determine the level of access guest users have in your directory. Options range from the same access as members, to limited access to directory object properties, to the most restrictive setting where guests can only see their own profile.
- **Guest invite settings:** Control who can invite external users to your organization: anyone in the organization (including guests), members and specific admin roles, only users assigned to specific admin roles, or no one at all. This gives granular control over invitation privileges.
- **Collaboration restrictions:** Define whether invitations can be sent to any domain (most permissive), to any domain except those on a denylist, or only to the domains on an allowlist. This is how collaboration is restricted to trusted partner organizations.
- **External user leave settings:** Allow external users to remove themselves from your organization without admin intervention.
- **One-time passcode authentication:** When enabled, guests who cannot authenticate through Microsoft Entra ID, a Microsoft account, or federation sign in with a temporary passcode sent to their email address.
These settings are essential for the Microsoft Identity and Access Administrator role (SC-300 exam) because they directly impact organizational security posture. Properly configuring external collaboration ensures that organizations can securely collaborate with partners, vendors, and contractors while maintaining control over directory access and preventing unauthorized external access. Administrators must balance usability with security, ensuring compliance with organizational policies while enabling productive cross-organization collaboration. Regular review of these settings is recommended as part of identity governance best practices.
External Collaboration Settings in Microsoft Entra ID (SC-300)
Understanding External Collaboration Settings
External collaboration settings in Microsoft Entra ID (formerly Azure AD) control how your organization interacts with external users, partners, and guest accounts. These settings are a critical component of identity governance and are heavily tested on the SC-300 (Microsoft Identity and Access Administrator) exam.
Why Are External Collaboration Settings Important?
Organizations rarely operate in isolation. They need to collaborate with vendors, partners, contractors, and customers. However, allowing external access without proper controls introduces significant security risks, including:
- Data leakage: External users could gain access to sensitive resources if permissions are too broad.
- Compliance violations: Many regulatory frameworks require strict control over who can access organizational data.
- Identity sprawl: Unmanaged guest accounts can accumulate over time, creating a larger attack surface.
- Invitation chaining: With the least restrictive invite setting, guest users can invite other guests, so access spreads without any member or administrator being involved.
External collaboration settings provide the guardrails that allow organizations to enable productive collaboration while maintaining security and compliance.
What Are External Collaboration Settings?
External collaboration settings are a set of configurations found in the Microsoft Entra admin center under Identity > External Identities > External collaboration settings. These settings govern:
1. Guest User Access Restrictions
This determines what guest users can see in your directory. There are three levels:
- Guest users have the same access as members (most inclusive) — Guests can read all directory data like member users.
- Guest users have limited access to properties and memberships of directory objects (default) — Guests can see their own profile and limited information about other users, groups, and apps.
- Guest user access is restricted to properties and memberships of their own directory objects (most restrictive) — Guests can only see their own profile and cannot discover other users, groups, or applications.
2. Guest Invite Settings
This controls who can invite guest users to the organization. The options from most restrictive to least restrictive are:
- No one in the organization can invite guest users including admins (most restrictive) — Completely disables guest invitations.
- Only users assigned to specific admin roles can invite guest users — Only Global Administrators, User Administrators, and Guest Inviters can send invitations.
- Member users and users assigned to specific admin roles can invite guest users including guests with member permissions — Any member user can invite guests; guest users cannot, unless their UserType has been changed to Member.
- Anyone in the organization can invite guest users including guests and non-admins (least restrictive) — Even existing guest users can invite other guests.
3. Enable Guest Self-Service Sign-Up via User Flows
When set to Yes, you can create user flows that allow external users to sign up for applications themselves. This leverages External Identities self-service sign-up and can be integrated with API connectors for custom logic during the sign-up process.
4. External User Leave Settings
When enabled, this allows external users to remove themselves from the organization without requiring admin intervention. This is important for self-service lifecycle management of guest accounts.
5. Collaboration Restrictions
This section defines which external domains can be invited. The options are:
- Allow invitations to be sent to any domain (most inclusive) — No domain restrictions are applied.
- Deny invitations to the specified domains — You create a blocklist of specific domains that cannot be invited.
- Allow invitations only to the specified domains (most restrictive) — You create an allowlist, and only users from those domains can be invited.
Important: You can only choose either an allowlist OR a blocklist, not both simultaneously.
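The guest invite and guest access settings above are exposed through the Microsoft Graph authorizationPolicy resource, and the self-service sign-up and leave settings through the authenticationFlowsPolicy and externalIdentitiesPolicy resources, so the whole page can be audited from PowerShell. The script below is an added example written for this guide, not code from the original page or from Microsoft. It requires the Microsoft Graph PowerShell SDK; the baseline values (admins and Guest Inviters only, limited guest access) are assumptions chosen for the example, and the domain allow/deny list is not covered because it is configured in the portal.

```powershell
# Added example (not from the original page): audit the external collaboration
# settings that Microsoft Graph exposes and optionally enforce a baseline.
# Run without -Apply to report drift only; run with -Apply to PATCH the policy.
param(
    [switch]$Apply
)

# Graph enum for authorizationPolicy.allowInvitesFrom, ordered most to least restrictive,
# mapped to the portal labels an SC-300 candidate will recognise
$InviteLevels = [ordered]@{
    'none'                             = 'No one in the organization can invite guest users including admins'
    'adminsAndGuestInviters'           = 'Only users assigned to specific admin roles can invite guest users'
    'adminsGuestInvitersAndAllMembers' = 'Member users and users assigned to specific admin roles can invite guest users'
    'everyone'                         = 'Anyone in the organization can invite guest users including guests and non-admins'
}

# Well-known role template IDs that authorizationPolicy.guestUserRoleId can hold
$GuestAccessLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest users have limited access to properties and memberships of directory objects'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Guest user access is restricted to properties and memberships of their own directory objects'
}

# Baseline assumed for this example (not a Microsoft default): admins/Guest Inviters
# only may invite, guests get the limited access level
$Baseline = @{
    allowInvitesFrom = 'adminsAndGuestInviters'
    guestUserRoleId  = '10dae51f-b6af-4016-8d66-8c2a99b929b3'
}

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.Authorization' -NoWelcome

$authz = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
$flows = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationFlowsPolicy'
# The leave setting lives on externalIdentitiesPolicy, which is only in the beta endpoint
$leave = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/externalIdentitiesPolicy'

Write-Host "Guest invite setting : $($InviteLevels[$authz.allowInvitesFrom])"
Write-Host "Guest access level   : $($GuestAccessLevels[$authz.guestUserRoleId])"
Write-Host "Self-service sign-up : $($flows.selfServiceSignUp.isEnabled)"
Write-Host "Guests may leave     : $($leave.allowExternalIdentitiesToLeave)"

# Collect only the properties that differ from the baseline
$drift = @{}
foreach ($key in $Baseline.Keys) {
    if ($authz[$key] -ne $Baseline[$key]) { $drift[$key] = $Baseline[$key] }
}

if ($drift.Count -eq 0) {
    Write-Host 'authorizationPolicy matches the baseline.'
} elseif ($Apply) {
    # PATCH just the drifted properties so unrelated authorizationPolicy settings are untouched
    Invoke-MgGraphRequest -Method PATCH `
        -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' `
        -Body ($drift | ConvertTo-Json)
    Write-Host "Updated: $($drift.Keys -join ', ')"
} else {
    Write-Warning "Drift from baseline in: $($drift.Keys -join ', ') (re-run with -Apply to enforce)"
}
```

Reading the settings back as the Graph enum and role template ID, rather than from the portal, is also how you prove to an auditor that the tenant has not drifted back to "everyone" after a helpdesk change.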
How External Collaboration Settings Work
Here is the flow of how these settings interact:
Step 1: Invitation Phase
When someone attempts to invite an external user, the system first checks the Guest invite settings to determine if the inviting user has permission. If the inviter does not have the appropriate role or permission, the invitation is blocked.
Step 2: Domain Validation
If the inviter has permission, the system checks the Collaboration restrictions (allowlist/blocklist) to verify that the invitee's email domain is permitted. This check happens only at invitation time: adding a domain to the denylist later does not remove guests from that domain who were already invited, so those accounts have to be reviewed and removed separately.
Step 3: Guest Account Creation
A guest user object with a UserType of Guest is created in the directory as soon as the invitation is sent; its externalUserState is PendingAcceptance until the invitee redeems the invitation, when it changes to Accepted. From that point the guest's access to directory resources is governed by the Guest user access restrictions.
Step 4: Ongoing Access
The guest user's experience and visibility within the tenant are continuously controlled by the access restriction settings. Their permissions to applications and resources are managed through standard Entra ID access controls (Conditional Access, group memberships, app assignments, etc.).
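Because the guest object exists from the moment the invitation is sent, the directory itself tells you which invitations were never redeemed and which external domains you actually collaborate with, which is the raw material for the identity-sprawl review mentioned earlier. The inventory script below is an added example for this guide, not code from the original page; the 30-day staleness threshold is an assumption.

```powershell
# Added example (not from the original page): inventory guest objects by
# redemption state and source domain using the Microsoft Graph PowerShell SDK.
param([int]$StaleDays = 30)   # assumed threshold for "invitation never redeemed"

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$props  = @('id','displayName','mail','userType','externalUserState','externalUserStateChangeDateTime','createdDateTime')
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property $props

$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = foreach ($g in $guests) {
    # Guests created before externalUserState existed, or members converted to Guest,
    # can have a null state; do not treat them as pending
    $state = if ($g.ExternalUserState) { $g.ExternalUserState } else { 'Unknown' }
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Domain      = if ($g.Mail) { ($g.Mail -split '@')[-1].ToLower() } else { '(no mail)' }
        State       = $state
        Created     = $g.CreatedDateTime
        # Invitation sent before the cutoff and still not redeemed: cleanup candidate
        StaleInvite = ($state -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff)
    }
}

Write-Host 'Guests by redemption state:'
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize

Write-Host "Invitations older than $StaleDays days that were never redeemed:"
$report | Where-Object StaleInvite | Sort-Object Created |
    Format-Table DisplayName, Mail, Created -AutoSize

# Domains you are really collaborating with; compare this list against the
# allow/deny list in Collaboration restrictions
Write-Host 'Guests by source domain:'
$report | Group-Object Domain | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Deleting the stale invitations found here (or automating it with access reviews) is what keeps the guest population aligned with the invite and domain settings, since those settings only gate new invitations.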
Relationship with Cross-Tenant Access Settings
It is critical to understand that external collaboration settings work alongside Cross-tenant access settings (Identity > External Identities > Cross-tenant access settings). Cross-tenant access settings control B2B collaboration and B2B direct connect with other Microsoft Entra organizations only. They have default settings that apply to every external Entra tenant, plus optional organizational settings that override the defaults for one named tenant. External collaboration settings are broader: the invite settings and the domain allow/deny list are evaluated for every invitation regardless of identity type (Entra ID, Microsoft account, email one-time passcode, or Google federation). When both apply:
- Organizational settings in cross-tenant access settings take precedence over the cross-tenant default settings for the specific tenant they name.
- External collaboration settings are still evaluated alongside them; an invitation is blocked if either the domain list or the cross-tenant access settings block it, so the more restrictive configuration wins.
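To see which organizations have an override and what every other Entra tenant inherits, the following read-only script dumps the cross-tenant default settings and each partner entry. It is an added example for this guide, not code from the original page, and uses only the Graph endpoints under policies/crossTenantAccessPolicy plus the findTenantInformationByTenantId function to turn tenant IDs into names.

```powershell
# Added example (not from the original page): list the cross-tenant access
# defaults and every organization that overrides them.
Connect-MgGraph -Scopes 'Policy.Read.All','CrossTenantInformation.ReadBasic.All' -NoWelcome

$base     = 'https://graph.microsoft.com/v1.0'
$default  = Invoke-MgGraphRequest -Method GET -Uri "$base/policies/crossTenantAccessPolicy/default"
$partners = (Invoke-MgGraphRequest -Method GET -Uri "$base/policies/crossTenantAccessPolicy/partners").value

function Describe-Access($setting) {
    # On a partner entry a null block means the default setting applies
    if (-not $setting) { return 'inherits default' }
    'users={0} apps={1}' -f $setting.usersAndGroups.accessType, $setting.applications.accessType
}

function Resolve-TenantName([string]$tenantId) {
    try {
        $info = Invoke-MgGraphRequest -Method GET `
            -Uri "$base/tenantRelationships/findTenantInformationByTenantId(tenantId='$tenantId')"
        "$($info.displayName) ($($info.defaultDomainName))"
    } catch {
        $tenantId   # fall back to the raw ID if the lookup is not permitted
    }
}

Write-Host 'Defaults applied to every Entra tenant without an organizational setting:'
Write-Host "  B2B collaboration inbound : $(Describe-Access $default.b2bCollaborationInbound)"
Write-Host "  B2B collaboration outbound: $(Describe-Access $default.b2bCollaborationOutbound)"
Write-Host "  B2B direct connect inbound: $(Describe-Access $default.b2bDirectConnectInbound)"
Write-Host "  Trust partner MFA claims  : $($default.inboundTrust.isMfaAccepted)"

Write-Host "`nOrganizational overrides ($($partners.Count)):"
foreach ($p in $partners) {
    Write-Host "  $(Resolve-TenantName $p.tenantId)"
    Write-Host "    collaboration inbound : $(Describe-Access $p.b2bCollaborationInbound)"
    Write-Host "    collaboration outbound: $(Describe-Access $p.b2bCollaborationOutbound)"
    Write-Host "    trust partner MFA     : $($p.inboundTrust.isMfaAccepted)"
}
```

A partner entry that shows "inherits default" for inbound collaboration is governed entirely by the defaults, which is the case the exam likes to probe: changing the default changes that partner too, whereas an explicit organizational setting is unaffected.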
Relationship with Conditional Access
Conditional Access policies can target guest and external users specifically. You can create policies that:
- Require MFA for all guest users.
- Block access from certain locations for external users.
- Restrict guest access to specific applications.
- Require compliant devices or specific authentication strengths.
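Targeting guests in Conditional Access is done through the includeGuestsOrExternalUsers condition rather than by group membership, which is how a policy keeps covering guests invited after it was created. The policy below is an added example, not from the original page: it creates a Conditional Access policy in report-only mode that requires MFA from every guest and external user type for all cloud apps. The display name is an assumption.

```powershell
# Added example (not from the original page): report-only Conditional Access
# policy requiring MFA for all guest and external user types.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All' -NoWelcome

$policy = @{
    displayName = 'CA-Guests-RequireMFA (report-only)'   # assumed name
    # Report-only records the would-be result in sign-in logs without enforcing it
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeGuestsOrExternalUsers = @{
                # Every external type, not only B2B guests: covers email OTP, Google and
                # Microsoft account guests, B2B direct connect and service providers
                guestOrExternalUserTypes = 'internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider'
                externalTenants = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                    membershipKind = 'all'
                }
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10)

Write-Host "Created policy $($created.id) in state '$($created.state)'"
```

Leave the policy in report-only until the sign-in logs show which guests would be prompted, then PATCH state to enabled. Whether a B2B guest can satisfy the requirement with MFA from their home tenant depends on the inbound trust settings in cross-tenant access settings; without that trust, the guest registers an MFA method in your tenant.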
Key Configuration Locations
- Microsoft Entra admin center: Identity > External Identities > External collaboration settings
- PowerShell: Microsoft Graph PowerShell SDK, which exposes the guest invite and guest access settings through the authorizationPolicy resource (for example, Get-MgPolicyAuthorizationPolicy and Update-MgPolicyAuthorizationPolicy)
- Microsoft Graph API: the authorizationPolicy resource type (allowInvitesFrom for guest invite settings, guestUserRoleId for guest user access restrictions)
Common Scenarios and Solutions
Scenario 1: Your organization wants to allow collaboration only with specific partner companies.
Solution: Configure collaboration restrictions with an allowlist containing the partner domains.
Scenario 2: You want to prevent guest users from inviting other guests.
Solution: Set guest invite settings to "Member users and users assigned to specific admin roles can invite guest users" or a more restrictive option.
Scenario 3: A guest user reports they cannot see any other users in the directory.
Solution: Check the guest user access restriction level — it is likely set to the most restrictive option.
Scenario 4: You want external partners to sign up for your application without admin involvement.
Solution: Enable guest self-service sign-up via user flows and create an appropriate user flow for the application.
Scenario 5: You need to block collaboration with a competitor's domain while allowing all others.
Solution: Configure collaboration restrictions with a deny list containing the competitor's domain.
Exam Tips: Answering Questions on External Collaboration Settings
Tip 1: Know the Hierarchy of Guest Invite Permissions
Memorize the four levels of guest invite settings from most restrictive to least restrictive. Exam questions often present scenarios where you need to identify the minimum configuration required to allow a specific user type to invite guests.
Tip 2: Allowlist vs. Blocklist — Never Both
A very common exam trap is presenting an option that configures both an allow and deny list simultaneously. Remember that you must choose one or the other, never both.
Tip 3: Distinguish Between External Collaboration Settings and Cross-Tenant Access Settings
The exam frequently tests whether you know which setting to configure. If the question mentions controlling collaboration with a specific organization, think cross-tenant access settings. If the question is about general/default guest behavior, think external collaboration settings.
Tip 4: Guest User Access Levels
Understand the three levels of guest access restrictions. If a question describes a guest user who cannot enumerate directory objects or discover groups, the most restrictive setting is likely applied.
Tip 5: The Guest Inviter Role
The Guest Inviter role is a specific Entra ID built-in role. When guest invite settings are configured to allow only specific admin roles, the Guest Inviter role is one of the roles that can send invitations, alongside Global Administrator and User Administrator.
Tip 6: Self-Service Sign-Up Requires User Flows
Simply enabling self-service sign-up is not enough. You must also create and configure a user flow and associate it with an application. Exam questions may test whether you know all the required steps.
Tip 7: Read Questions for "Least Privilege" and "Minimum Effort"
Many SC-300 questions ask for the solution that meets requirements with the least administrative effort or least privilege. When configuring external collaboration, always choose the most restrictive setting that still satisfies the business requirement.
Tip 8: External User Leave Settings
This is a newer feature that may appear on the exam. Understand that when enabled, it allows guests to remove themselves from the tenant, which supports compliance with data privacy regulations like GDPR.
Tip 9: Conditional Access for Guests
If a question asks about enforcing MFA or device compliance for guest users, the answer typically involves Conditional Access policies targeting the "Guest or external users" assignment, not external collaboration settings. External collaboration settings control who can be invited and what they can see, not how they authenticate.
Tip 10: Watch for "Member" vs. "Guest" UserType
Remember that UserType (Member or Guest) is separate from the source of the user. You can change a guest's UserType to Member, which would give them member-level access even though they are from an external organization. Some exam scenarios test this distinction.
Quick Reference Summary
| Setting | Purpose |
| --- | --- |
| Guest user access | Controls what guests can see in the directory |
| Guest invite settings | Controls who can invite guests |
| Self-service sign-up | Enables external users to sign up via user flows |
| External user leave | Allows guests to remove themselves |
| Collaboration restrictions | Controls which domains can be invited (allow/deny list) |
Mastering external collaboration settings requires understanding both the individual settings and how they interact with other Entra ID features like cross-tenant access, Conditional Access, and entitlement management. Focus on scenario-based understanding rather than memorization, as the SC-300 exam heavily emphasizes practical application of these concepts.