L3. External Identities: B2B Collaboration and Guest Access
Understand how Entra ID External Identities work for the SC-300 exam: B2B collaboration, B2B direct connect, guest user properties, invitation redemption flows, and cross-tenant access settings that control external access to your organization.
External Identities Overview
Entra ID External Identities enables your organization to securely share resources with people outside your organization. The SC-300 exam tests three external identity models:
| Model | Use Case | Identity Source |
|---|---|---|
| B2B Collaboration | Partners access your apps | Partner's own IdP |
| B2B Direct Connect | Shared Teams channels | Partner's Entra ID |
| External ID for customers | Customer-facing apps | Social/local accounts |
B2B Collaboration (Guest Access)
B2B collaboration is the most heavily tested external identity feature on the SC-300. When you invite an external user, a guest user object is created in your tenant. The guest authenticates using their home organization's identity provider. Invitation flow:
- Admin or authorized user sends invitation (email or direct link)
- External user redeems the invitation
- A guest user object is created in the resource tenant (UserType = Guest)
- Guest user accesses resources according to assigned permissions
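The invitation flow above, carried out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the lesson: it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Guest Inviter or User Administrator role, and that the partner address is a placeholder. The cmdlets (`New-MgInvitation`, `Get-MgUser`) and the `UserType` / `ExternalUserState` properties are real; the check at the end shows how to spot invitations that were never redeemed, which is what an access review of guests usually starts with.

```powershell
# Added example (not part of the lesson): send a B2B collaboration invitation
# and confirm the guest object it creates in the resource tenant.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All' -NoWelcome

$guestEmail = 'partner.user@example.com'   # placeholder partner address

# Steps 1-2: create the invitation. Entra ID emails the guest a redemption link
# and the guest authenticates with their home identity provider on redemption.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage

# Step 3: the guest object exists in your tenant as soon as the invitation is
# sent. UserType is Guest; ExternalUserState is 'PendingAcceptance' until the
# guest completes redemption, then 'Accepted'.
$guest = Get-MgUser -UserId $invitation.InvitedUser.Id `
    -Property Id, DisplayName, Mail, UserType, ExternalUserState, CreatedDateTime

$guest | Select-Object DisplayName, Mail, UserType, ExternalUserState

# Hygiene check: guests that were invited but never redeemed. These objects still
# count as members of any group they were added to, so they belong in reviews.
Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property DisplayName, Mail, ExternalUserState, CreatedDateTime |
    Where-Object { $_.ExternalUserState -eq 'PendingAcceptance' } |
    Select-Object DisplayName, Mail, CreatedDateTime
```

`-InviteRedirectUrl` is where the guest lands after redemption; pointing it at My Apps rather than a specific application keeps the invitation independent of which resources you later assign.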
Redemption Order
When a guest redeems an invitation, Entra ID attempts authentication in this order:
- Entra ID: If the guest's email domain matches a verified Entra ID tenant
- SAML/WS-Fed federation: If you configured direct federation with the guest's IdP
- Google federation: If configured and the guest has a Gmail account
- One-time passcode (OTP): Fallback when no other method works
Cross-Tenant Access Settings
Cross-tenant access settings let you control inbound and outbound collaboration at a granular level:
- Inbound settings: Control what external users can access in your tenant
- Outbound settings: Control what your users can access in other tenants
- Trust settings: Decide whether to trust MFA, compliant devices, or hybrid-joined device claims from external organizations
You can configure default settings (apply to all organizations) and organization-specific overrides.
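The default-plus-override model described above, expressed as an added example with Microsoft Graph PowerShell (not code from the lesson). It assumes the Microsoft.Graph module and the `Policy.ReadWrite.CrossTenantAccess` permission; the partner tenant ID is a placeholder. The override accepts the partner's MFA claim (the trust setting the third review question asks about) while still refusing their compliant-device and hybrid-joined claims, so your own device-based Conditional Access conditions keep applying to their users.

```powershell
# Added example (not part of the lesson): organization-specific inbound trust
# for one partner tenant, layered over the tenant-wide defaults.
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess' -NoWelcome

$partnerTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder partner tenant ID

# Default settings apply to every external organization without an override.
$defaults = Get-MgPolicyCrossTenantAccessPolicyDefault
$defaults.InboundTrust | Format-List

# Organization-specific override. Settings you leave out (for example the
# b2bCollaborationInbound user/application scopes) inherit from the defaults.
# Trusting MFA means a guest who completed MFA at their home tenant satisfies
# your "require MFA" grant without registering a second set of methods in
# your tenant; device claims stay untrusted here on purpose.
New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId `
    -InboundTrust @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }

# Read the configuration back to confirm what was written.
Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId |
    Select-Object TenantId,
        @{ n = 'MfaTrusted';             e = { $_.InboundTrust.IsMfaAccepted } },
        @{ n = 'CompliantDeviceTrusted'; e = { $_.InboundTrust.IsCompliantDeviceAccepted } }
```

Use `Update-MgPolicyCrossTenantAccessPolicyPartner` with the same `-InboundTrust` hashtable if a configuration for that tenant already exists; `New-` fails on a duplicate rather than overwriting it.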
B2B Direct Connect
B2B direct connect creates a mutual trust between two Entra ID tenants. Users do not get guest objects in the resource tenant. Instead, they access shared resources (primarily Teams shared channels) using their home identity directly. Key difference from B2B collaboration: No guest object is created. The user is not visible in your directory. This limits the resources they can access to only B2B direct connect-enabled applications.
External Collaboration Settings
Under Entra admin center > External Identities > External collaboration settings, you control:
- Who can invite guests (admins only, members, or everyone including guests)
- Which domains to allow or block for invitations
- Whether guests can be invited to specific groups or apps
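The "who can invite guests" setting is stored in the tenant's authorization policy, which is what the admin-center page above writes to. The following is an added example (not code from the lesson) that reads the current value and tightens it when it is at the most permissive level; it assumes the Microsoft.Graph module and the `Policy.ReadWrite.Authorization` permission.

```powershell
# Added example (not part of the lesson): inspect and restrict who may send
# B2B invitations via the authorization policy's allowInvitesFrom setting.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

$policy = Get-MgPolicyAuthorizationPolicy

# Possible values, from most to least permissive:
#   everyone                          - members and existing guests can invite
#   adminsGuestInvitersAndAllMembers  - members can invite, guests cannot
#   adminsAndGuestInviters            - only admins and the Guest Inviter role
#   none                              - invitations disabled
"Current allowInvitesFrom: $($policy.AllowInvitesFrom)"

# 'everyone' lets a guest invite further guests, so an external user can
# grow your guest population without any member or admin involved.
if ($policy.AllowInvitesFrom -eq 'everyone') {
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId $policy.Id `
        -AllowInvitesFrom 'adminsAndGuestInviters'
}

# Confirm the setting that is now in effect.
(Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
```

The invitation cmdlet from the collaboration flow honours this policy: with `adminsAndGuestInviters` in effect, `New-MgInvitation` run by an ordinary member returns an authorization error rather than creating a guest object.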
Key Exam Points
- ✓ Guest users authenticate at their home tenant: your Conditional Access policies must separately enforce MFA for guests
- ✓ Email one-time passcode is the default fallback when no federation or Entra ID tenant matches the guest domain
- ✓ B2B direct connect does not create guest objects: users are invisible in your directory
- ✓ Cross-tenant access settings control inbound/outbound access and MFA/device trust between organizations
- ✓ External collaboration settings control who can invite guests and which domains are allowed or blocked
- ✓ Redemption order: Entra ID > SAML/WS-Fed federation > Google federation > Email OTP
Review Questions
1. A guest user from a partner organization without Entra ID or configured federation needs to access your resources. How will they authenticate?
2. What is the key difference between B2B collaboration and B2B direct connect?
3. Your organization trusts MFA claims from a partner organization. Where do you configure this?