External User Invitation and Account Management
External User Invitation and Account Management is a critical component of Microsoft Identity and Access Administration that enables organizations to collaborate securely with users outside their Azure Active Directory (Azure AD) tenant. This functionality is primarily powered by Azure AD B2B (Business-to-Business) collaboration.

**External User Invitation:** Administrators can invite external users (guests) to access organizational resources by sending invitations through the Azure portal, PowerShell, or Microsoft Graph API. When an invitation is sent, the external user receives an email with a redemption link. They can authenticate using their existing work account, Microsoft account, or other supported identity providers. Bulk invitations can also be processed using CSV files for large-scale onboarding.

**Guest User Accounts:** Once invited, external users appear in Azure AD as guest accounts with a UserType of 'Guest'. These accounts have limited default permissions compared to member users but can be granted specific access to applications, SharePoint sites, Teams, and other resources based on organizational policies.

**Account Management:** Administrators manage external user lifecycles through several key activities:
- **Access Reviews:** Periodic reviews ensure guest users still require access, helping maintain security hygiene.
- **Conditional Access Policies:** Organizations can enforce MFA, device compliance, and location-based restrictions specifically for guest users.
- **Redemption Status Monitoring:** Tracking whether invited users have accepted their invitations.
- **Account Removal:** Revoking access and deleting guest accounts when collaboration ends.
**External Collaboration Settings:** Administrators configure guest invitation policies to control who can invite external users—ranging from allowing all members to restricting invitations to admins only. Cross-tenant access settings define inbound and outbound collaboration rules with specific organizations.

**Entitlement Management:** Access packages can automate external user onboarding by bundling resources together, defining approval workflows, and setting automatic expiration policies to ensure time-bound access.

Proper external user management balances collaboration needs with security requirements, ensuring organizations maintain control over their resources while enabling productive partnerships.
External User Invitation and Account Management (SC-300)
Understanding External User Invitation and Account Management
External user invitation and account management is a critical component of identity administration in Microsoft Entra ID (formerly Azure AD). This topic is essential for the SC-300 exam and for real-world identity governance scenarios where organizations need to collaborate securely with partners, vendors, consultants, and other external stakeholders.
Why Is This Important?
Modern organizations rarely operate in isolation. Businesses must collaborate with external parties while maintaining strict security controls over their resources. External user invitation and account management allows organizations to:
- Enable secure collaboration: Grant external users controlled access to internal applications, SharePoint sites, Teams channels, and other resources without creating local accounts with passwords.
- Maintain governance and compliance: Track who has been invited, by whom, and what access they have — all critical for audit and regulatory compliance.
- Reduce administrative overhead: Leverage the external user's own identity provider rather than managing separate credentials.
- Minimize security risk: Apply Conditional Access policies, multi-factor authentication (MFA), and access reviews specifically to external users.
What Is External User Invitation Management?
External user invitation management refers to the process of inviting users from outside your organization's Microsoft Entra tenant to access your organization's resources using Microsoft Entra External Identities (B2B collaboration).
When you invite an external user, a guest user object is created in your directory with a UserType of Guest. The invited user authenticates using their own identity provider (such as their home Azure AD tenant, Google, Microsoft account, or email one-time passcode) and accesses resources in your tenant based on assigned permissions.
Key Concepts:
- Guest User: An external identity represented as a user object in your tenant with UserType set to Guest.
- B2B Collaboration: The feature within Microsoft Entra External Identities that enables inviting external users.
- Invitation: An email or direct link sent to the external user to redeem access to your tenant.
- Redemption: The process by which the invited user accepts the invitation and authenticates via their identity provider.
- Sponsoring User: The internal user who initiated the invitation.
How Does It Work?
1. Invitation Process
External users can be invited through multiple methods:
- Azure Portal: Navigate to Microsoft Entra ID > Users > New user > Invite external user.
- Microsoft 365 Admin Center: Share files, folders, or Teams and invite external users directly.
- PowerShell: Use the New-MgInvitation cmdlet from the Microsoft Graph PowerShell SDK.
- Microsoft Graph API: POST to the /invitations endpoint programmatically.
- Self-service sign-up flows: Configure user flows that allow external users to sign up for applications themselves.
- Entitlement Management: Create access packages that external users can request.
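The PowerShell method above, as an added example that is not from the page or from Microsoft's documentation: guests are bulk-invited from a constructed CSV with `New-MgInvitation`, each candidate is checked against a domain allow list before any invitation is created, and the resulting guest object IDs are saved so redemption can be tracked later. The CSV columns, the allowed domains and the redirect URL are assumptions.

```powershell
# Added example: bulk-invite guests from a CSV with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the caller can consent to User.Invite.All.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

# Constructed sample input; a real run would use Import-Csv on an actual file.
$csv = @"
Email,DisplayName
alice@partner.example,Alice (Partner Inc)
bob@vendor.example,Bob (Vendor LLC)
eve@unknown.example,Eve (no agreement on file)
"@
$rows = $csv | ConvertFrom-Csv

# Assumed allow list, mirroring the domain allow list in collaboration restrictions:
# an address outside these domains is refused before any guest object is created.
$allowedDomains = @("partner.example", "vendor.example")
# Assumed redirect target; the guest lands here after redeeming the invitation.
$redirectUrl = "https://myapps.microsoft.com"

$results = foreach ($row in $rows) {
    $domain = ($row.Email -split "@")[-1].ToLowerInvariant()
    if ($allowedDomains -notcontains $domain) {
        Write-Warning "Skipping $($row.Email): domain '$domain' is not on the allow list"
        continue
    }
    $inv = New-MgInvitation `
        -InvitedUserEmailAddress $row.Email `
        -InvitedUserDisplayName $row.DisplayName `
        -InviteRedirectUrl $redirectUrl `
        -SendInvitationMessage `
        -InvitedUserMessageInfo @{ CustomizedMessageBody = "Please redeem this invitation to access the partner portal." }

    [pscustomobject]@{
        Email         = $row.Email
        InvitedUserId = $inv.InvitedUser.Id   # guest object now exists with UserType Guest
        Status        = $inv.Status           # PendingAcceptance until the user redeems
    }
}

# Keep the email-to-object-ID mapping so a later job can check externalUserState per guest.
$results | Export-Csv -Path ".\invitation-results.csv" -NoTypeInformation
$results | Format-Table -AutoSize
```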
2. Invitation Settings and Controls
Administrators can configure external collaboration settings under Microsoft Entra ID > External Identities > External collaboration settings:
- Guest invite restrictions: Control who can invite guests — options include: Anyone in the organization, Members and specific admin roles only, Only users assigned to specific admin roles, or No one (completely block invitations).
- Collaboration restrictions: Use allow lists or deny lists to control which domains external users can be invited from.
- Guest user access restrictions: Define the level of directory access guest users have — from the same as members to the most restrictive (limited to their own profile properties only).
- Enable guest self-service sign-up via user flows: Allow or block self-service sign-up for external users.
3. Redemption Order
When an external user redeems an invitation, Microsoft Entra ID follows a specific identity provider order:
- Microsoft Entra ID (if the user has an Azure AD account in another tenant)
- Microsoft Account (MSA)
- Google federation (if configured)
- SAML/WS-Fed identity provider federation (if configured)
- Email one-time passcode (OTP) (if enabled — this is enabled by default)
4. Managing External User Accounts
Once guest users are in your directory, they must be managed throughout their lifecycle:
- Access Reviews: Use Microsoft Entra Access Reviews to periodically review whether guest users still need access. You can configure automatic removal of access if the review is not completed or if access is denied.
- Entitlement Management: Use access packages with expiration policies and periodic reviews. When access packages expire, the guest account can be automatically removed.
- Conditional Access: Create Conditional Access policies that specifically target guest users, requiring MFA, compliant devices, or restricting access by location.
- Bulk Operations: Use bulk invite via CSV upload in the Azure portal or PowerShell scripts to manage invitations at scale.
- Account Cleanup: Identify stale guest accounts using sign-in activity logs and remove them to maintain a clean directory.
- Cross-tenant access settings: Configure inbound and outbound access settings to control B2B collaboration and B2B direct connect on a per-organization basis. You can trust MFA and device claims from external tenants.
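The redemption-status monitoring and account-cleanup activities above, as an added example that is not from the page or from Microsoft's documentation: guests are pulled with `Get-MgUser`, unredeemed invitations and inactive redeemed guests are flagged using `externalUserState` and `signInActivity`, and removal is left as a separate `-WhatIf` step. The day thresholds are assumptions.

```powershell
# Added example: report stale guests (unredeemed invitations and inactive accounts).
# Assumes the Microsoft.Graph module; reading signInActivity needs AuditLog.Read.All
# and a Microsoft Entra ID P1/P2 licence in the tenant.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$pendingDays  = 30   # assumed threshold for invitations never redeemed
$inactiveDays = 90   # assumed threshold for redeemed guests with no recent sign-in
$now = Get-Date

$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property "id,displayName,mail,createdDateTime,externalUserState,signInActivity"

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime   # $null if the guest never signed in
    $reason = $null
    if ($g.ExternalUserState -eq "PendingAcceptance" -and
        $g.CreatedDateTime -lt $now.AddDays(-$pendingDays)) {
        $reason = "Invitation unredeemed for more than $pendingDays days"
    } elseif ($g.ExternalUserState -eq "Accepted" -and
              ($null -eq $lastSignIn -or $lastSignIn -lt $now.AddDays(-$inactiveDays))) {
        $reason = "No sign-in in the last $inactiveDays days"
    }
    if ($reason) {
        [pscustomobject]@{
            Id         = $g.Id
            Mail       = $g.Mail
            State      = $g.ExternalUserState
            Created    = $g.CreatedDateTime
            LastSignIn = $lastSignIn
            Reason     = $reason
        }
    }
}

$report | Sort-Object Reason, Created | Format-Table -AutoSize

# Removal is a deliberate second step: -WhatIf shows what would be deleted without deleting it.
# Drop -WhatIf only after the list has been reviewed, for example through an access review.
foreach ($entry in $report) {
    Remove-MgUser -UserId $entry.Id -WhatIf
}
```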
5. Cross-Tenant Access Settings
These settings allow fine-grained control over how your organization interacts with other Azure AD organizations:
- Inbound access settings: Control what external users from other organizations can access in your tenant.
- Outbound access settings: Control what your users can access in other organizations.
- Trust settings: Choose to trust MFA claims, compliant device claims, and hybrid Azure AD joined device claims from external organizations — this prevents guests from having to re-register for MFA in your tenant.
- Tenant restrictions: Control which external tenants your users can access from your network.
6. B2B Direct Connect
In addition to traditional B2B collaboration, B2B direct connect allows users from external organizations to access resources (currently Teams shared channels) without creating a guest object in your directory. The user remains authenticated through their home tenant.
Key Differences: B2B Collaboration vs. B2B Direct Connect
- B2B Collaboration: Creates a guest user object in the resource tenant. The guest appears in your directory.
- B2B Direct Connect: No guest user object is created. The user accesses resources directly through mutual trust between tenants. Currently supported primarily for Teams Connect shared channels.
Exam Tips: Answering Questions on External User Invitation and Account Management
Tip 1: Know the invitation restriction levels. Understand the four levels of guest invite settings: Anyone, Members + admins with specific roles, Only admins with specific roles, and No one. Questions often present scenarios where you need to select the most appropriate restriction level to meet a security requirement.
Tip 2: Understand the redemption order. Know the priority order in which identity providers are tried during redemption. If a question asks what happens when a user with a Gmail address redeems an invitation and Google federation is configured, the answer involves Google federation — not email OTP.
Tip 3: Differentiate B2B Collaboration from B2B Direct Connect. If a question mentions Teams shared channels and no guest object creation, think B2B Direct Connect. If a question describes guest user objects appearing in the directory, think B2B Collaboration.
Tip 4: Know cross-tenant access settings deeply. Questions may ask how to trust MFA from a partner organization so guests don't have to re-register for MFA. The answer is to configure inbound trust settings to trust the partner tenant's MFA claims.
Tip 5: Access Reviews and lifecycle management are heavily tested. Know how to configure access reviews for guest users, set up automatic removal of denied users, and use entitlement management with access packages that have expiration policies for external users.
Tip 6: Understand domain allow/deny lists. If a question asks how to allow invitations only to users from specific partner domains, the answer involves configuring collaboration restrictions with an allow list. Conversely, a deny list blocks specific domains.
Tip 7: Email one-time passcode is now enabled by default. If a question asks what happens when an external user without an Azure AD or Microsoft account redeems an invitation and no federation is configured, the answer is email one-time passcode (OTP). This feature is enabled by default for all tenants.
Tip 8: Know the PowerShell and Graph API commands. Be familiar with New-MgInvitation for PowerShell-based invitations and the Microsoft Graph /invitations endpoint. Scenario questions may ask you to choose the right command for bulk invitations.
Tip 9: Guest user access levels matter. Understand the three levels of guest user access: same as member users, limited access (default), and most restrictive. The most restrictive level limits guests to only viewing their own user profile. Know when to apply each setting.
Tip 10: Watch for Conditional Access scenarios. Questions may describe a scenario where you need to require MFA for all guest users accessing a specific application. The solution involves creating a Conditional Access policy targeting guest and external users with the specific cloud app as a condition and MFA as a grant control.
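The policy described in Tip 10, as an added example that is not from the page or from Microsoft's documentation: a Conditional Access policy created through `New-MgIdentityConditionalAccessPolicy` that targets guest and external users on one cloud app and grants access only with MFA, starting in report-only mode. The application ID, the break-glass account ID and the policy name are placeholders.

```powershell
# Added example: require MFA for guest and external users on a single application.
# Assumes the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholders: replace with the target app's application ID and a break-glass account's object ID.
$targetAppId     = "00000000-0000-0000-0000-000000000000"
$breakGlassUserId = "11111111-1111-1111-1111-111111111111"

$policy = @{
    displayName = "CA-Guests-Require-MFA-PartnerPortal"
    # Report-only first: sign-in logs show who would have been blocked before anything is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($targetAppId) }
        users          = @{
            # Built-in selector for guest and external users, so no guest group has to be maintained.
            includeUsers = @("GuestsOrExternalUsers")
            # Keep an emergency-access account out of scope of every CA policy.
            excludeUsers = @($breakGlassUserId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results, the same policy is switched to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```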
Tip 11: Self-service sign-up user flows. Know that you can create self-service sign-up user flows for external users with custom attributes and API connectors. This is different from a standard invitation — the user initiates the process themselves.
Tip 12: Read the scenario carefully for keywords. Look for terms like partner organization, vendor access, guest user, external collaboration, shared channels, and cross-tenant to determine which feature is being tested. Pay attention to whether the question is about configuration, troubleshooting, or governance of external users.
Summary
External user invitation and account management is a foundational topic in the SC-300 exam. Mastering the configuration of external collaboration settings, understanding the B2B invitation and redemption process, implementing cross-tenant access settings, and applying lifecycle governance through access reviews and entitlement management will prepare you to answer these questions confidently. Always consider the principle of least privilege and the specific security requirements described in each exam scenario.