External User Lifecycle and Connected Organizations
External User Lifecycle and Connected Organizations are critical components of Microsoft Identity Governance, particularly within Azure AD Entitlement Management, designed to manage how external users access organizational resources securely and efficiently.
**External User Lifecycle** refers to the end-to-end management of external (guest) users from onboarding to offboarding. When external users are granted access through entitlement management access packages, their lifecycle is automatically managed. Key aspects include:
1. **Onboarding**: External users are automatically invited as B2B guests when they request and are approved for an access package.
2. **Access Reviews**: Periodic reviews ensure external users still need access, maintaining the principle of least privilege.
3. **Access Expiration**: Access packages can be configured with expiration dates, automatically removing access after a defined period.
4. **Automatic Removal**: When an external user loses their last access package assignment, their guest account can be automatically blocked from signing in and eventually deleted (typically after 30 days). This prevents stale guest accounts from lingering in the directory.
Administrators can configure these lifecycle settings through policies attached to access packages, ensuring compliance and reducing security risks associated with orphaned external accounts.
**Connected Organizations** represent external organizations (partners, vendors, collaborators) that you have a business relationship with. They are defined in Azure AD Entitlement Management to streamline access request processes. Connected organizations can be linked to:
- Another Azure AD tenant
- A third-party identity provider
- An email domain
When a connected organization is configured, users from that organization can discover and request access packages designated for them. Access packages can be scoped to allow requests from specific connected organizations, all configured connected organizations, or all external users. Connected organizations can be marked as **configured** (explicitly added) or users may come from **proposed** organizations (not yet formally established).
Together, External User Lifecycle management and Connected Organizations provide a structured, automated, and secure framework for governing external collaboration while minimizing administrative overhead and security vulnerabilities.
External User Lifecycle & Connected Organizations in Azure AD Identity Governance
Why Is This Important?
In modern enterprise environments, collaboration with external partners, vendors, suppliers, and contractors is essential. However, managing the lifecycle of external (guest) users presents significant security and compliance challenges. Without proper governance, external accounts can remain active long after a business relationship ends, creating stale accounts that pose security risks. The External User Lifecycle and Connected Organizations features in Microsoft Entra ID (Azure AD) Identity Governance provide automated, policy-driven mechanisms to manage these external identities from onboarding through offboarding. For the SC-300 exam, understanding these concepts is critical because they fall squarely within the domain of planning and automating identity governance.
What Are Connected Organizations?
A Connected Organization is a representation of an external organization (such as a business partner or supplier) within your Microsoft Entra ID tenant. It defines a trusted external directory or identity provider from which users can request access to your resources through Entitlement Management.
Connected Organizations can be configured using:
- Another Microsoft Entra ID (Azure AD) tenant — the most common scenario for B2B collaboration
- An AD FS domain with a direct federation trust
- A SAML/WS-Fed identity provider
- A Google or Facebook identity provider (for social identities, where applicable)
- Email one-time passcode (OTP) domains
When you define a Connected Organization, you specify:
- The domain or tenant of the external organization
- Internal sponsors — users in your organization who can approve requests
- External sponsors — users in the external organization who can approve requests
- A state — either Configured (active and usable in policies) or Proposed (discovered but not yet approved)
What Is the External User Lifecycle?
The External User Lifecycle refers to the end-to-end management of a guest user's identity in your tenant, from the moment they are invited or request access, through their active usage period, to the point where their access is reviewed, revoked, and their account is removed. Microsoft Entra ID Governance automates this lifecycle through several interconnected features:
1. Onboarding (Access Request & Assignment)
- External users from Connected Organizations can request access to Access Packages via the My Access portal.
- Access Packages define bundles of resources (groups, apps, SharePoint sites) that external users need.
- Policies within Access Packages determine who can request, who approves, and how long access lasts.
- When a request is approved, the user is automatically invited as a B2B guest user if they don't already have an account in the tenant.
2. Active Usage & Access Reviews
- Access Reviews can be configured to periodically review whether external users still need access.
- Reviewers can be the users themselves (self-attestation), their managers, group owners, or specific reviewers.
- If access is denied during a review, the user's assignment to the Access Package is removed.
3. Expiration & Renewal
- Access Package policies can include expiration dates — for example, access granted for 90 days, 180 days, or a specific date.
- Users can be notified before expiration and given the option to request renewal.
- If not renewed, the assignment is automatically removed.
4. Offboarding (Automatic Removal)
- When an external user loses their last Access Package assignment, their guest account can be automatically blocked from sign-in and subsequently deleted.
- This behavior is controlled by the External User Lifecycle settings in Entitlement Management.
- Specifically, you can configure:
• Block external user from signing in — Yes/No (when they lose all assignments)
• Remove external user — Yes/No (after a configurable number of days, e.g., 30 days after being blocked)
- This ensures that stale guest accounts are cleaned up automatically, reducing security risk.
How It All Works Together
Here is the typical flow:
1. An administrator creates a Connected Organization representing an external partner (e.g., Contoso).
2. An Access Package is created with resources the external partner needs (e.g., a SharePoint site and a Teams group).
3. A policy on the Access Package is configured to allow users from the Connected Organization to request access, with a multi-stage approval process and a 180-day expiration.
4. A user from Contoso visits the My Access portal and requests the Access Package.
5. The request goes through the approval workflow (internal sponsor approves → resource owner approves).
6. Upon approval, the user is automatically invited as a guest and granted access to the bundled resources.
7. At 90 days, an Access Review is triggered. The resource owner confirms the user still needs access.
8. At 180 days, the assignment expires. The user is notified but does not renew.
9. The user's last Access Package assignment is removed. The guest account is automatically blocked from sign-in and, after the configured period (e.g., 30 days), deleted.
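The flow above, as an added example that is not Microsoft's code or the SC-300 material itself: a small Python model of the lifecycle rules (expiration, review outcome, block on last assignment removed, delete after the configured number of days), including the caveat that a manually invited guest is left untouched. The guest, package name and day numbers are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Guest:
    upn: str
    created_by_elm: bool            # True if the B2B invite came from an access package request
    assignments: Dict[str, int] = field(default_factory=dict)  # package -> expiry day
    state: str = "active"           # active -> blocked -> deleted
    blocked_on: Optional[int] = None


@dataclass
class LifecycleSettings:
    block_on_last_removal: bool = True     # "Block external user from signing in"
    remove_after_days: Optional[int] = 30  # "Remove external user" after N days; None = never


def grant(guest: Guest, package: str, day: int, duration_days: int) -> None:
    """Approved request: assignment with a policy expiration of duration_days."""
    guest.assignments[package] = day + duration_days


def review(guest: Guest, package: str, still_needed: bool) -> None:
    """Access review outcome: a denial removes the assignment immediately."""
    if not still_needed:
        guest.assignments.pop(package, None)


def tick(guest: Guest, day: int, settings: LifecycleSettings) -> str:
    """Advance to `day`: expire unrenewed assignments, then apply lifecycle settings."""
    for pkg, expiry in list(guest.assignments.items()):
        if day >= expiry:
            del guest.assignments[pkg]
    # Lifecycle cleanup only applies to guests created through Entitlement Management
    if not guest.created_by_elm:
        return guest.state
    if guest.state == "active" and not guest.assignments and settings.block_on_last_removal:
        guest.state, guest.blocked_on = "blocked", day
    elif (guest.state == "blocked" and settings.remove_after_days is not None
          and day - guest.blocked_on >= settings.remove_after_days):
        guest.state = "deleted"
    return guest.state


def run_scenario(created_by_elm: bool = True,
                 settings: LifecycleSettings = LifecycleSettings()) -> Dict[int, str]:
    """Constructed timeline: 180-day package, review at day 90 approves, no renewal."""
    g = Guest("partner@contoso.example", created_by_elm)   # constructed guest
    grant(g, "ProjectX", day=0, duration_days=180)
    timeline = {}
    for day in (90, 180, 209, 210):
        if day == 90:
            review(g, "ProjectX", still_needed=True)
        timeline[day] = tick(g, day, settings)
    return timeline
```

`run_scenario()` returns active at day 90, blocked at day 180 (expiry removes the last assignment), and deleted at day 210 (30 days after the block); with `created_by_elm=False` the guest stays active throughout.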
Key Settings and Configurations to Know
- Entitlement Management → Settings → Manage the lifecycle of external users: This is where you configure automatic blocking and removal of external users.
- Access Package Policies: Define who can request (users in your directory, connected organizations, or all users), approval stages, expiration, and access review schedules.
- Connected Organization State: Configured means users can request access packages that target connected organizations. Proposed means they cannot until an admin changes the state.
- Sponsors: Internal and external sponsors play a role in the approval process and governance oversight.
- Separation of Duties: Access Package policies can enforce incompatible access checks, ensuring external users don't accumulate conflicting permissions.
Exam Tips: Answering Questions on External User Lifecycle and Connected Organizations
Tip 1: Understand the relationship between Connected Organizations and Access Packages.
Exam questions often test whether you know that Connected Organizations are used within Access Package policies to scope who can request access. A Connected Organization alone does not grant access — it must be referenced in an Access Package policy.
Tip 2: Know the automatic cleanup behavior.
A very common exam scenario involves a question about what happens when an external user's last Access Package assignment is removed. The correct answer involves the external user lifecycle settings: the user is blocked from sign-in and then removed after the configured number of days. Remember that this only applies to users whose accounts were created through Entitlement Management, not manually invited guests.
Tip 3: Differentiate between Configured and Proposed states.
If a question mentions that users from a partner organization cannot request access packages even though a Connected Organization exists, check whether the state is Proposed rather than Configured. Only Configured Connected Organizations are active for access requests.
Tip 4: Know the approval workflow options.
Questions may ask about multi-stage approvals. Remember that you can have up to three stages of approval in an Access Package policy. Internal sponsors, external sponsors, specific users, or managers can serve as approvers at each stage.
Tip 5: Access Reviews for external users are key.
Expect questions where the correct solution involves configuring Access Reviews on Access Packages to periodically validate that external users still need access. This is the recommended approach for ongoing governance rather than manual review.
Tip 6: Remember that Entitlement Management handles the B2B invitation automatically.
You do NOT need to manually invite users. When an Access Package request from a Connected Organization user is approved, the B2B guest account is created automatically. This is a frequently tested concept.
Tip 7: Pay attention to which portal external users use.
External users request access through the My Access portal (myaccess.microsoft.com). This is different from the Azure portal or the Microsoft Entra admin center.
Tip 8: Watch for questions about all external users vs. specific Connected Organizations.
Access Package policies can target: (a) users in your directory, (b) users in specific Connected Organizations, or (c) all users including those not in any Connected Organization. Option (c) allows any external user to request access, even if their organization is not pre-configured. The exam may test this distinction.
Tip 9: Understand the role of catalogs.
Resources and Access Packages live in catalogs. A catalog owner or Access Package manager creates and manages packages. External users interact with packages, not catalogs directly. Know that delegated management of catalogs is possible and may appear in governance scenarios.
Tip 10: Scenario-based questions require combining features.
Many SC-300 questions present a business requirement like: "Ensure that external partners from Fabrikam can request access to Project X resources, require manager approval, expire after 90 days, and be automatically removed when no longer needed." The correct answer will involve: (1) Creating a Connected Organization for Fabrikam, (2) Creating an Access Package with the required resources, (3) Configuring a policy with the correct requestor scope, approval, and expiration, and (4) Enabling external user lifecycle management settings. Practice identifying which components satisfy which requirements.