
Microsoft Entra External ID — B2B Collaboration, Guest Lifecycle & CIAM

Microsoft Entra External ID is the single platform for every external-identity scenario: inviting partner users as guests (B2B collaboration), enabling seamless Teams shared-channel access with no guest object (B2B direct connect), controlling exactly which tenants can interact with yours (cross-tenant access settings), and building customer-facing apps with full CIAM (External ID for customers). This lesson maps the whole platform so you can answer any interview or production question about it.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Microsoft Entra External ID (2026): B2B collaboration, guest user lifecycle, cross-tenant access settings, B2B direct connect, and the External ID for customers CIAM overview — all in one interactive lesson.


Pick where you want to start

1. Platform overview: four external-identity scenarios, one umbrella.
2. B2B guest lifecycle: invite, redeem, assign access, remove.
3. Cross-tenant access: inbound/outbound controls, trust, direct connect.
4. CIAM & deploy: External ID for customers, sizing, and gotchas.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does a B2B collaboration guest user get a password in your tenant?

Answered in B2B guest lifecycle.

2. What is the purpose of cross-tenant access settings?

Answered in Cross-tenant access.

3. Which scenario uses no guest user object but still grants Teams access?

Answered in Cross-tenant access.

Most engineers think…

Most people treat 'B2B' and 'External Identities' as the same thing. That mental model breaks in interviews and in production.

Microsoft Entra External ID is a platform with four distinct scenarios, not one feature. B2B collaboration creates a lightweight guest object and lets the partner authenticate with their own identity provider. B2B direct connect enables Teams shared channels with no guest object at all. Cross-tenant access settings give you fine-grained per-tenant control over both. And External ID for customers is the developer-facing CIAM replacement for Azure AD B2C. Knowing which scenario applies to a given problem is what separates a junior engineer from someone who can design an external-collaboration strategy.

① Microsoft Entra External ID — one platform, four scenarios

Microsoft Entra External ID sits under the External Identities section of the Entra admin centre and covers every situation where a user from outside your organisation needs access to something you control. The platform has four distinct scenarios you must be able to name: B2B collaboration, B2B direct connect, cross-tenant access settings, and External ID for customers.

The platform-level answer to 'What is Entra External ID?' is: one unified home for partner access (B2B), seamless channel collaboration (direct connect) and consumer-app identity (CIAM).

Figure 1 — Four External ID scenarios at a glance
Every external-identity need maps to one of these four Entra External ID scenarios. Panels shown: B2B Collab (guest object, own IdP); Direct Connect (no guest object); Cross-tenant (inbound/outbound ctrl); CIAM (consumer apps, ext tenant).
Quick check · Q1 of 10 · Remember

Which Entra External ID scenario creates no guest user object in the resource tenant?

Correct: b. B2B direct connect enables Teams shared-channel access without creating a guest object in the resource tenant. B2B collaboration always creates a guest object; External ID for customers is CIAM for consumer apps; Application Proxy is for on-prem app publishing.
👉 So far: Entra External ID = four scenarios: B2B collaboration (guest object), B2B direct connect (no guest object, Teams channels), cross-tenant access settings (the control plane), and External ID for customers (CIAM for consumer apps).

② B2B collaboration — the guest user lifecycle end to end

B2B collaboration is the most common External ID scenario. An admin or permitted user sends an invitation email to an external address. The invitation contains a one-time redemption link. On first redemption the guest chooses (or is auto-matched to) an identity provider — their own Microsoft Entra organisation, a Google account, a federation, or email OTP. A lightweight guest user object (UserType = Guest) is created in your tenant; no credentials are stored there.

Lifecycle stages to know

After redemption the guest is assigned to apps, groups, SharePoint sites, or Teams via the normal Entra assignment flow. At any point an admin can review guest access using Access Reviews — automated periodic checks that can remove stale guests automatically. Removal is straightforward: delete the guest object, which revokes all access immediately. The interview trap: guests do not inherit your MFA policy unless your Conditional Access targets them explicitly, and they do not see each other's profiles by default.

External collaboration settings (under External Identities) control who can invite guests (all users, specific roles, or admins only), and the allowed identity providers for redemption. B2B collaboration works across any Microsoft Entra tenant without pre-configuring per-tenant trust — the default cross-tenant access settings allow it, but you can override per org.
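The lifecycle described above can be driven from Microsoft Graph. The Python below is an added example, not code from this lesson or from Microsoft: it builds the request body for the Graph POST /invitations call (the property names are those of the real invitation resource) and triages a constructed snapshot of guest objects into lifecycle stages using userType, externalUserState and signInActivity, the way a recurring Access Review would decide keep, remind or remove. The partner addresses, the "contoso" tenant name, the 90-day staleness threshold and the action table are assumptions of this example.

```python
"""Added example: build a B2B collaboration invitation request and triage
existing guest objects by lifecycle stage (pending, active, stale).

Assumptions (not from the lesson): the request is sent by any HTTP client
holding a Graph token with User.Invite.All; the sample users below are
constructed to look like Graph /users results, including the signInActivity
field, which needs AuditLog.Read.All to read.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
import json

GRAPH_INVITATIONS = "https://graph.microsoft.com/v1.0/invitations"  # real Graph endpoint


def build_invitation(email: str, redirect_url: str, message: Optional[str] = None):
    """Return (url, JSON body) for POST /invitations.

    Key names are the Graph 'invitation' resource's own properties. The guest
    receives a one-time redemption link; no password is ever set in our tenant.
    """
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,  # where the guest lands after redeeming
        "sendInvitationMessage": True,      # let Entra send the email itself
    }
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return GRAPH_INVITATIONS, json.dumps(body)


def classify_guest(user: dict, now: datetime, stale_after_days: int = 90) -> str:
    """Map one Graph user object to a lifecycle stage.

    externalUserState is 'PendingAcceptance' until the invitation is redeemed,
    then 'Accepted'. A guest who never redeemed cannot be assigned to most
    resources, so it is reported separately from a redeemed-but-idle guest.
    """
    if user.get("userType") != "Guest":
        return "member"  # not a B2B guest at all
    if user.get("externalUserState") == "PendingAcceptance":
        return "pending-redemption"
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    if last is None:
        return "never-signed-in"
    last_dt = datetime.fromisoformat(last.replace("Z", "+00:00"))
    return "stale" if now - last_dt > timedelta(days=stale_after_days) else "active"


# Assumed policy table: what to do with each stage (deleting the guest object
# revokes all of its access at once, as the lesson describes).
ACTION_FOR_STAGE = {
    "member": "ignore",
    "pending-redemption": "resend-invitation",
    "never-signed-in": "review",
    "stale": "remove",
    "active": "keep",
}


def plan_guest_cleanup(users, now: datetime) -> dict:
    """Return {userPrincipalName: action}, the decision a recurring review would make."""
    return {u["userPrincipalName"]: ACTION_FOR_STAGE[classify_guest(u, now)] for u in users}


# Constructed sample directory snapshot (fake tenant 'contoso', fake partners).
NOW = datetime(2026, 6, 20, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"userPrincipalName": "priya_partnerco.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2026-06-15T08:12:00Z"}},
    {"userPrincipalName": "old.vendor_example.net#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2025-11-01T10:00:00Z"}},
    {"userPrincipalName": "never.redeemed_example.org#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "PendingAcceptance"},
    {"userPrincipalName": "alice@contoso.onmicrosoft.com",
     "userType": "Member", "externalUserState": None},
]

if __name__ == "__main__":
    url, body = build_invitation("priya@partnerco.com", "https://myapps.microsoft.com")
    print("POST", url, body)
    for upn, action in plan_guest_cleanup(SAMPLE_USERS, NOW).items():
        print(f"{action:18s} {upn}")
```

The stale threshold mirrors the 90-day review cadence used later in the lesson; in a real run you would page through /users with $select=userType,externalUserState,signInActivity and feed the results to plan_guest_cleanup instead of the constructed list.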

Figure 2 — Guest user lifecycle — invite to removal
B2B collaboration guest lifecycle: invitation email, redemption, access assignment, periodic review, removal. Stages shown: Invite (email or API); Redeem (link, choose IdP); Guest object (UserType=Guest); Access review (auto-expire stale); Remove (delete guest obj).
📧 B2B Collaboration

Invite an external user as a guest. A lightweight guest object (UserType=Guest) is created in your tenant; the user authenticates with their own identity provider. No credentials stored in your directory.

🔗 B2B Direct Connect

Bidirectional trust for Teams shared channels. No guest object is created in your directory — the external user's home tenant identity is used. Both tenants must enable it in cross-tenant access settings.

⚙️ Cross-Tenant Access

The policy layer for all cross-tenant traffic. Configures inbound and outbound rules per partner tenant for B2B collaboration and B2B direct connect, including trust for MFA and device compliance claims.

🛍️ External ID for Customers

CIAM for developer-built consumer apps. Lives in a separate external tenant. Supports self-service sign-up, social IdPs, branded user flows, and native auth APIs. Replaces Azure AD B2C for new projects.

Default invite permissions are wide

By default, all users in your tenant can invite external guests — not just admins. If your organisation handles sensitive data, tighten this in External collaboration settings (External Identities ▸ External collaboration settings) to 'Only users assigned to specific admin roles can invite'. This is a common audit finding.

Quick check · Q2 of 10 · Understand

A partner user is invited via B2B collaboration. Where are their credentials stored after redemption?

Correct: b. B2B collaboration guest users authenticate with their own home identity provider. Your tenant holds only a lightweight guest object (UserType=Guest) with no password or credentials. This is a core B2B architecture point.
👉 So far: B2B guest lifecycle: invite ▸ redeem (partner authenticates with their own IdP) ▸ guest object created (UserType=Guest, no credentials in your tenant) ▸ access assignment ▸ periodic Access Review ▸ remove by deleting the guest object.

③ Cross-tenant access settings & B2B direct connect

Cross-tenant access settings are the policy layer governing all cross-tenant traffic. They have two axes: inbound (external users coming into your tenant) and outbound (your users going to other tenants). For each direction you can allow or block B2B collaboration and B2B direct connect, scoped to specific users, groups, and applications. There is no limit to the number of partner tenants you can configure.

The key power feature: you can trust MFA and device-compliance claims from a partner tenant, so your Conditional Access policy does not force re-authentication for a partner user who already satisfied MFA in their home tenant. Similarly, you can trust Hybrid Azure AD Joined or Compliant device claims from a known partner org — essential for zero-trust scenarios.

B2B direct connect

B2B direct connect enables bidirectional collaboration for Teams shared channels. Unlike B2B collaboration, it creates no guest user object in the resource tenant — the external user's identity is their own home tenant object and they appear in the shared channel as a member. Both tenants must configure cross-tenant access settings to allow B2B direct connect inbound and outbound. The primary current use case is Teams Connect shared channels; the feature is not yet available for SharePoint-only access.

Figure 3 — Cross-tenant access settings — control plane
Cross-tenant access settings sit at the centre, governing all inbound and outbound traffic for both B2B collaboration and B2B direct connect. Spokes shown: Inbound B2B collab; Outbound B2B collab; Inbound direct connect; Outbound direct connect; Trust MFA claims; Trust device compliance.
Confusing B2B collaboration and B2B direct connect

B2B collaboration and B2B direct connect are separately configured and solve different problems. Collaboration creates a guest object and suits SharePoint, apps, and most resource access. Direct connect creates no guest object and currently suits only Teams shared channels. Enabling one does not enable the other — both must be turned on explicitly in cross-tenant access settings if needed.

▶ Watch a B2B guest invitation travel end to end

Follow one partner user along the healthy path from invitation email to resource access.

① Invite sent: An Entra admin or permitted user sends a B2B collaboration invitation to priya@partnerco.com. Entra generates a signed redemption link valid for 30 days.
② Redemption: Priya clicks the link. Entra detects that partnerco.com is a Microsoft Entra tenant and redirects her to sign in at home. On success, a guest object (UserType=Guest) is created in your tenant.
③ Access assigned: An admin adds the guest to a security group that has access to the project SharePoint site. The guest immediately sees the site when they visit it while authenticated.
④ Access review: 90 days later an automated Access Review runs. Priya is still active, so the reviewer approves. If she had been inactive, the review could auto-remove the guest object.
Quick check · Q3 of 10 · Apply

You want partner users from Contoso (another Entra tenant) to satisfy your Conditional Access MFA requirement using the MFA they already completed in Contoso's tenant. What do you configure?

Correct: c. Cross-tenant access settings let you trust MFA (and device compliance) claims from a specific partner tenant. With MFA trust enabled for Contoso, partner users who satisfied MFA in their home tenant are not challenged again by your Conditional Access policy.
👉 So far: Cross-tenant access settings control inbound and outbound traffic per partner tenant for both B2B collaboration and B2B direct connect; you can trust partner MFA and device-compliance claims to avoid double authentication.

④ External ID for customers (CIAM) — and deployment gotchas

External ID for customers is the CIAM face of Entra External ID. Unlike B2B collaboration (designed for known partner users), CIAM is for consumer-facing apps where end users self-register. It lives in a separate external tenant (a dedicated Entra tenant in external configuration). Developers register apps in the external tenant, configure custom sign-up/sign-in user flows (email & password, Google, Facebook, Apple, custom OIDC/SAML IdPs), and brand the experience with company colours and logo.

Key differentiation: Azure AD B2C (the legacy CIAM product) is no longer available for new customers as of May 2025 — all new CIAM projects should use External ID for customers. Migration tooling and documentation are available for existing Azure AD B2C tenants. External ID for customers supports native authentication APIs, giving mobile apps full control over the sign-in UX without redirect flows.

Deployment gotchas you will be asked about

The most common interview questions: (1) Can guests from one B2B collaboration tenant also use B2B direct connect? Yes, but both settings must be independently enabled. (2) Does deleting a guest object in your tenant affect the user in their home tenant? No — only the guest object in your tenant is removed. (3) Who can invite guests by default? All users in the org — tighten to admin-only roles if you have a sensitive tenant.

Figure 4 — B2B collaboration vs External ID for customers
Same External ID umbrella, different audience and architecture — pick the right one before you build.

B2B Collaboration:
- For known partner/vendor users
- Guest object in your tenant
- Authenticates via home IdP
- Admin or user-driven invite
- Managed in workforce tenant

External ID for Customers:
- For consumers and app users
- User lives in external tenant
- Self-service sign-up / social IdP
- Developer-configured user flows
- Replaces Azure AD B2C

Priya at a Pune-based SaaS company faces this

A vendor partner from a UK company is added as a B2B collaboration guest, but their Teams messages in a shared project workspace are failing and they cannot join any Teams meetings in your tenant.

Likely cause

The partner needs access to a Teams shared channel, but B2B direct connect is not configured — only B2B collaboration is enabled. Teams shared channels require B2B direct connect, not just guest objects.

Diagnosis

Check External Identities in Entra admin centre. The partner is listed as a guest (UserType=Guest) but the cross-tenant access settings for the UK tenant do not have B2B direct connect enabled inbound or outbound.

Entra Admin Centre ▸ External Identities ▸ Cross-tenant access settings ▸ Organisational settings
Fix

Add the UK partner tenant in cross-tenant access settings. Enable B2B direct connect inbound (allows their users into your tenant for shared channels) and ask the partner admin to enable it outbound from their side too. Both sides must opt in.

Verify

The partner user can now join the Teams shared channel under their home-tenant identity. No new guest object is required. Validate in Teams admin centre that the shared channel shows the partner as an external member.
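The cross-tenant rules from section ③ and the diagnosis just walked through can be reasoned about offline. The Python below is an added example, not code from this lesson or from Microsoft: it models partner entries with the same shape as the Graph crossTenantAccessPolicyConfigurationPartner resource (b2bCollaborationInbound, b2bDirectConnectInbound/Outbound, inboundTrust), evaluates whether a scenario is allowed for a principal and application (a null partner setting inherits the tenant default), checks the two-sided requirement for Teams shared channels, and answers whether Conditional Access should re-challenge a partner for MFA. Tenant IDs are placeholders, and the "before/after" entries for the UK vendor are constructed to match the scenario above.

```python
"""Added example: evaluate Microsoft Entra cross-tenant access settings offline.

Shapes follow the Graph resource crossTenantAccessPolicyConfigurationPartner.
Tenant IDs are placeholders; DEFAULTS is constructed to match the out-of-the-box
posture the lesson describes (collaboration allowed, direct connect blocked).
"""
from typing import Optional

UK_PARTNER_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder tenant ID
OUR_TENANT = "22222222-2222-2222-2222-222222222222"         # placeholder tenant ID


def _target_rule(access_type: str, target: str, target_type: str) -> dict:
    """One crossTenantAccessPolicyTargetConfiguration: an allow-list or block-list."""
    return {"accessType": access_type, "targets": [{"target": target, "targetType": target_type}]}


def _b2b_setting(access_type: str) -> dict:
    """A crossTenantAccessPolicyB2BSetting covering all users and all applications."""
    return {
        "usersAndGroups": _target_rule(access_type, "AllUsers", "user"),
        "applications": _target_rule(access_type, "AllApplications", "application"),
    }


# Tenant-wide defaults: what a partner entry with a null setting inherits.
DEFAULTS = {
    "b2bCollaborationInbound": _b2b_setting("allowed"),
    "b2bCollaborationOutbound": _b2b_setting("allowed"),
    "b2bDirectConnectInbound": _b2b_setting("blocked"),
    "b2bDirectConnectOutbound": _b2b_setting("blocked"),
}


def _matches(rule: dict, candidates) -> bool:
    return any(t["target"] in candidates for t in rule["targets"])


def scenario_allowed(partner_setting: Optional[dict], default_setting: dict,
                     principal_ids, app_ids) -> bool:
    """Is one scenario/direction allowed for this principal on this application?

    The usersAndGroups rule and the applications rule are each an allow-list
    (allowed only if matched) or a block-list (allowed only if NOT matched);
    both must pass. principal_ids should include the user and its group IDs.
    """
    effective = partner_setting if partner_setting is not None else default_setting
    checks = (
        (effective["usersAndGroups"], {"AllUsers", *principal_ids}),
        (effective["applications"], {"AllApplications", *app_ids}),
    )
    return all(_matches(rule, cands) == (rule["accessType"] == "allowed") for rule, cands in checks)


def shared_channel_diagnosis(resource_partner: dict, home_partner: dict, user: str, app: str) -> str:
    """Teams shared channels need direct connect INBOUND on the resource tenant's
    entry for the partner and OUTBOUND on the home tenant's entry for us.
    A guest object plays no part, so collaboration being allowed does not help."""
    inbound = scenario_allowed(resource_partner.get("b2bDirectConnectInbound"),
                               DEFAULTS["b2bDirectConnectInbound"], [user], [app])
    outbound = scenario_allowed(home_partner.get("b2bDirectConnectOutbound"),
                                DEFAULTS["b2bDirectConnectOutbound"], [user], [app])
    collab = scenario_allowed(resource_partner.get("b2bCollaborationInbound"),
                              DEFAULTS["b2bCollaborationInbound"], [user], [app])
    if inbound and outbound:
        return "ok"
    missing = [side for side, ok in (("resource-inbound", inbound), ("home-outbound", outbound)) if not ok]
    note = " (B2B collaboration is allowed, but that only covers guest objects)" if collab else ""
    return "direct connect blocked: " + ", ".join(missing) + note


def mfa_challenge_required(resource_partner: dict, satisfied_mfa_at_home: bool) -> bool:
    """With inboundTrust.isMfaAccepted, Conditional Access honours the partner's MFA claim."""
    trust = resource_partner.get("inboundTrust") or {}
    return not (trust.get("isMfaAccepted", False) and satisfied_mfa_at_home)


# Constructed: our entry for the UK vendor BEFORE the fix (collab on, direct connect inherited).
OUR_UK_ENTRY_BEFORE = {
    "tenantId": UK_PARTNER_TENANT,
    "b2bCollaborationInbound": _b2b_setting("allowed"),
    "b2bDirectConnectInbound": None,  # inherits default: blocked
    "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
}
UK_ENTRY_FOR_US_BEFORE = {"tenantId": OUR_TENANT}  # partner never added us: everything inherited

# Constructed: both sides after the fix described in the scenario.
OUR_UK_ENTRY_AFTER = dict(OUR_UK_ENTRY_BEFORE, b2bDirectConnectInbound=_b2b_setting("allowed"))
UK_ENTRY_FOR_US_AFTER = dict(UK_ENTRY_FOR_US_BEFORE, b2bDirectConnectOutbound=_b2b_setting("allowed"))

if __name__ == "__main__":
    print("before:", shared_channel_diagnosis(OUR_UK_ENTRY_BEFORE, UK_ENTRY_FOR_US_BEFORE, "vendor-user", "teams"))
    print("after: ", shared_channel_diagnosis(OUR_UK_ENTRY_AFTER, UK_ENTRY_FOR_US_AFTER, "vendor-user", "teams"))
    print("MFA re-challenge with trust + home MFA:", mfa_challenge_required(OUR_UK_ENTRY_BEFORE, True))
```

In a live tenant the same dictionaries come from GET /policies/crossTenantAccessPolicy/default and /policies/crossTenantAccessPolicy/partners; the partner's own entry for you is only visible to the partner admin, which is why the scenario requires a request to the other side.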

Check the guest UserType before blaming a permission

Many access failures trace to the guest object's UserType or the redemption state. In Microsoft Graph or the Entra admin centre, verify that UserType is 'Guest', that invitationAccepted is true, and that the object is in the expected tenant. A guest whose invitation was never redeemed has very limited access and cannot be assigned to most resources.

Quick check · Q4 of 10 · Analyze

A developer is building a consumer-facing mobile app in 2026 and needs self-service sign-up with Google and Apple social sign-in. Which solution is the correct starting point?

Correct: c. External ID for customers (in an external tenant) is the designated Microsoft CIAM solution for new consumer-facing apps. Azure AD B2C is no longer available to new customers since May 2025. B2B collaboration is for known partner users, not consumer self-service sign-up. A workforce tenant does not support consumer-scale self-service registration with social IdPs.
👉 So far: External ID for customers is the CIAM replacement for Azure AD B2C (unavailable for new customers since May 2025): self-service sign-up, social IdPs, branded user flows, and native auth APIs — all in a separate external tenant.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

What UserType value is assigned to a B2B collaboration guest in the resource tenant?

Correct: c. B2B collaboration guests are created with UserType = 'Guest' in the resource tenant. 'Member' is for internal users. 'External' and 'B2BUser' are not valid UserType values in Microsoft Entra ID.
Q6 · Understand

Cross-tenant access settings inbound rules control which of the following?

Correct: a. Inbound rules in cross-tenant access settings control access from external Entra tenants into your tenant — which external users, groups, and apps are allowed. Outbound rules (option b) control the reverse: your users going out. MFA for internal users and invite quotas are separate settings.
Q7 · Apply

A B2B guest says they are not being asked for MFA when accessing your resources, even though your Conditional Access policy requires MFA for all users. What is the most likely cause?

Correct: b. If MFA trust is enabled for the guest's home tenant in your inbound cross-tenant access settings, Conditional Access accepts the partner's MFA claim and does not issue a new MFA challenge. This is intentional behaviour for zero-trust deployments — not a bug.
Q8 · Analyze

Why does B2B direct connect require both tenants to configure cross-tenant access settings, but B2B collaboration does not have this symmetric requirement?

Correct: b. B2B direct connect is a bidirectional trust — both tenants share the Teams channel and users appear under their home identity, so both must agree to the relationship. B2B collaboration only needs the resource tenant to configure inbound settings (or leave defaults); the home tenant does not need to configure anything for collaboration to work.
Q9 · Evaluate

An organisation has hundreds of stale B2B guests from past projects. What is the most scalable way to clean them up?

Correct: a. Access Reviews are the designed mechanism for guest lifecycle management at scale. You can scope a review to all guest users (or a subset), assign reviewers or make it self-review, and configure auto-removal for guests who are not approved. This runs on a recurring schedule without manual effort. Manual deletion and disabling invitations do not address existing stale guests at scale.
Q10 · Evaluate

A startup wants to add social sign-in (Google, Apple) and self-service sign-up for a consumer mobile app built on Azure in 2026. Which Microsoft identity platform should they start with?

Correct: c. Microsoft Entra External ID for customers is the designated CIAM platform for new consumer-facing apps. Azure AD B2C is no longer available to new customers as of May 2025. A workforce tenant does not support consumer self-service sign-up at scale. The Identity Platform v2.0 alone does not provide CIAM user flows or social IdP management.

🧠 In your own words

Type one line: what is the key difference between B2B collaboration and B2B direct connect in terms of directory objects? Then compare with the expert version.

Expert version: B2B collaboration creates a guest user object (UserType=Guest) in the resource tenant — the external user has an identity record there that can be assigned to groups and apps. B2B direct connect creates no guest object; the external user accesses a Teams shared channel using only their home-tenant identity. The practical consequence is that B2B collaboration works for any resource (apps, SharePoint, Teams), while B2B direct connect currently only works for Teams shared channels but is lower friction since there is no object to manage or clean up.


📖 Glossary

B2B Collaboration
Entra External ID scenario that invites external users as guests. A guest object (UserType=Guest) is created in the resource tenant; the user authenticates with their own identity provider.
B2B Direct Connect
Entra External ID scenario enabling Teams shared channels without creating a guest object. Both tenants must enable it in cross-tenant access settings.
Cross-Tenant Access Settings
Per-partner-tenant policies controlling inbound (external users into your tenant) and outbound (your users into other tenants) B2B collaboration and direct connect traffic, plus optional MFA and device-compliance trust.
Guest User Object
A lightweight Entra ID user record (UserType=Guest) created in the resource tenant when a B2B collaboration invitation is redeemed. No credentials are stored — the user authenticates at home.
External ID for Customers
Microsoft CIAM capability for consumer-facing apps in a dedicated external tenant. Supports self-service sign-up, social IdPs, branded user flows, and native auth APIs. Replaces Azure AD B2C for new projects.
Access Review
An Entra Identity Governance feature that periodically checks whether guest (or member) access is still appropriate. Can auto-remove guests not approved by a reviewer.
Redemption
The process by which an invited B2B guest clicks the invitation link, authenticates with their home identity provider, and completes creation of their guest object in the resource tenant.
MFA Claim Trust
A cross-tenant access setting that instructs your Conditional Access policy to accept an MFA claim satisfied in the guest's home tenant, avoiding a second MFA challenge in your tenant.


What's next?

Got External Identities covered? Next, go deep on Entra ID Conditional Access — how policy conditions (user, device, location, risk) combine with grant and session controls to enforce zero-trust access for both internal and external users.