External Identities in Azure Active Directory - Microsoft Entra (2023)

  • Article
  • 15 minutes to read

Azure AD External Identities refers to all the ways you can securely interact with users outside of your organization. If you want to collaborate with partners, distributors, suppliers, or vendors, you can share your resources and define how your internal users can access external organizations. If you're a developer creating consumer-facing apps, you can manage your customers' identity experiences.

With External Identities, external users can "bring their own identities." Whether they have a corporate or government-issued digital identity, or an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in. The external user’s identity provider manages their identity, and you manage access to your apps with Azure AD or Azure AD B2C to keep your resources protected.

The following capabilities make up External Identities:

  • B2B collaboration - Collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.). B2B collaboration users are represented in your directory, typically as guest users.

  • B2B direct connect - Establish a mutual, two-way trust with another Azure AD organization for seamless collaboration. B2B direct connect currently supports Teams shared channels, enabling external users to access your resources from within their home instances of Teams. B2B direct connect users aren't represented in your directory, but they're visible from within the Teams shared channel and can be monitored in Teams admin center reports.

  • Azure AD B2C - Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management.

Depending on how you want to interact with external organizations and the types of resources you need to share, you can use a combination of these capabilities.

External Identities in Azure Active Directory - Microsoft Entra (1)

B2B collaboration

With B2B collaboration, you can invite anyone to sign in to your Azure AD organization using their own credentials so they can access the apps and resources you want to share with them. Use B2B collaboration when you need to let external users access your Office 365 apps, software-as-a-service (SaaS) apps, and line-of-business applications, especially when the partner doesn't use Azure AD or it's impractical for administrators to set up a mutual connection through B2B direct connect. There are no credentials associated with B2B collaboration users. Instead, they authenticate with their home organization or identity provider, and then your organization checks the guest user’s eligibility for B2B collaboration.

There are various ways to add external users to your organization for B2B collaboration:

  • Invite users to B2B collaboration using their Azure AD accounts, Microsoft accounts, or social identities that you enable, such as Google. An admin can use the Azure portal or PowerShell to invite users to B2B collaboration. The user signs into the shared resources using a simple redemption process with their work, school, or other email account.

  • Use self-service sign-up user flows to let external users sign up for applications themselves. The experience can be customized to allow sign-up with a work, school, or social identity (like Google or Facebook). You can also collect information about the user during the sign-up process.

  • Use Azure AD entitlement management, an identity governance feature that lets you manage identity and access for external users at scale by automating access request workflows, access assignments, reviews, and expiration.

A user object is created for the B2B collaboration user in the same directory as your employees. This user object can be managed like other user objects in your directory, added to groups, and so on. You can assign permissions to the user object (for authorization) while letting them use their existing credentials (for authentication).

You can use cross-tenant access settings to manage B2B collaboration with other Azure AD organizations and across Microsoft Azure clouds. For B2B collaboration with non-Azure AD external users and organizations, use external collaboration settings.

B2B direct connect

B2B direct connect is a new way to collaborate with other Azure AD organizations. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, you create two-way trust relationships with other Azure AD organizations to allow users to seamlessly sign in to your shared resources and vice versa. B2B direct connect users aren't added as guests to your Azure AD directory. When two organizations mutually enable B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. Learn more about B2B direct connect in Azure AD.

Currently, B2B direct connect enables the Teams Connect shared channels feature, which lets your users collaborate with external users from multiple organizations with a Teams shared channel for chat, calls, file-sharing, and app-sharing. Once you’ve set up B2B direct connect with an external organization, the following Teams shared channels capabilities become available:

  • Within Teams, a shared channel owner can search for allowed users from the external organization and add them to the shared channel.

  • External users can access the Teams shared channel without having to switch organizations or sign in with a different account. From within Teams, the external user can access files and apps through the Files tab. The user’s access is determined by the shared channel’s policies.

You use cross-tenant access settings to manage trust relationships with other Azure AD organizations and define inbound and outbound policies for B2B direct connect.

For details about the resources, files, and applications, that are available to the B2B direct connect user via the Teams shared channel, refer to .

Azure AD B2C

Azure AD B2C is a Customer Identity and Access Management (CIAM) solution that lets you build user journeys for consumer- and customer-facing apps. If you're a business or individual developer creating customer-facing apps, you can scale to millions of consumers, customers, or citizens by using Azure AD B2C. Developers can use Azure AD B2C as the full-featured CIAM system for their applications.

With Azure AD B2C, customers can sign in with an identity they've already established (like Facebook or Gmail). You can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications.

Although Azure AD B2C is built on the same technology as Azure AD, it's a separate service with some feature differences. For more information about how an Azure AD B2C tenant differs from an Azure AD tenant, see Supported Azure AD features in the Azure AD B2C documentation.

Comparing External Identities feature sets

The following table gives a detailed comparison of the scenarios you can enable with Azure AD External Identities. In the B2B scenarios, an external user is anyone who isn't homed in your Azure AD organization.

B2B collaborationB2B direct connectAzure AD B2C
Primary scenarioCollaborate with external users by letting them use their preferred identity to sign in to resources in your Azure AD organization. Provides access to Microsoft applications or your own applications (SaaS apps, custom-developed apps, etc.).

Example: Invite an external user to sign in to your Microsoft apps or become a guest member in Teams.

Collaborate with users from other Azure AD organizations by establishing a mutual connection. Currently can be used with Teams shared channels, which external users can access from within their home instances of Teams.

Example: Add an external user to a Teams shared channel, which provides a space to chat, call, and share content.

Publish apps to consumers and customers using Azure AD B2C for identity experiences. Provides identity and access management for modern SaaS or custom-developed applications (not first-party Microsoft apps).
Intended forCollaborating with business partners from external organizations like suppliers, partners, vendors. These users may or may not have Azure AD or managed IT.Collaborating with business partners from external organizations that use Azure AD, like suppliers, partners, vendors.Customers of your product. These users are managed in a separate Azure AD directory.
User managementB2B collaboration users are managed in the same directory as employees but are typically annotated as guest users. Guest users can be managed the same way as employees, added to the same groups, and so on. Cross-tenant access settings can be used to determine which users have access to B2B collaboration.No user object is created in your Azure AD directory. Cross-tenant access settings determine which users have access to B2B collaboration. direct connect. Shared channel users can be managed in Teams, and users’ access is determined by the Teams shared channel’s policies.User objects are created for consumer users in your Azure AD B2C directory. They're managed separately from the organization's employee and partner directory (if any).
Identity providers supportedExternal users can collaborate using work accounts, school accounts, any email address, SAML and WS-Fed based identity providers, and social identity providers like Gmail and Facebook.External users collaborate using Azure AD work accounts or school accounts.Consumer users with local application accounts (any email address, user name, or phone number), Azure AD, various supported social identities, and users with corporate and government-issued identities via SAML/WS-Fed-based identity provider federation.
Single sign-on (SSO)SSO to all Azure AD-connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday.SSO to a Teams shared channel.SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn't supported.
Licensing and billingBased on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about External Identities pricing and billing setup for B2B.Based on monthly active users (MAU), including B2B collaboration, B2B direct connect, and Azure AD B2C users. Learn more about External Identities pricing and billing setup for B2B.Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about External Identities pricing and billing setup for Azure AD B2C.
Security policy and complianceManaged by the host/inviting organization (for example, with Conditional Access policies and cross-tenant access settings).Managed by the host/inviting organization (for example, with Conditional Access policies and cross-tenant access settings). See also the Teams documentation.Managed by the organization via Conditional Access and Identity Protection.
BrandingHost/inviting organization's brand is used.For sign-in screens, the user’s home organization brand is used. In the shared channel, the resource organization's brand is used.Fully customizable branding per application or organization.
More informationBlog post, DocumentationDocumentationProduct page, Documentation

Managing External Identities features

Azure AD B2B collaboration and B2B direct connect are features Azure AD, and they're managed in the Azure portal through the Azure Active Directory service. To control inbound and outbound collaboration, you can use a combination of cross-tenant access settings and external collaboration settings.

Cross-tenant access settings

Cross-tenant access settings let you manage B2B collaboration and B2B direct connect with other Azure AD organizations. You can determine how other Azure AD organizations collaborate with you (inbound access), and how your users collaborate with other Azure AD organizations (outbound access). Granular controls let you determine the people, groups, and apps, both in your organization and in external Azure AD organizations, that can participate in B2B collaboration and B2B direct connect. You can also trust multi-factor authentication (MFA) and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.

  • Default cross-tenant access settings determine your baseline inbound and outbound settings for both B2B collaboration and B2B direct connect. Initially, your default settings are configured to allow all inbound and outbound B2B collaboration with other Azure AD organizations and to block B2B direct connect with all Azure AD organizations. You can change these initial settings to create your own default configuration.

  • Organization-specific access settings let you configure customized settings for individual Azure AD organizations. Once you add an organization and customize your cross-tenant access settings with this organization, these settings will take precedence over your defaults. For example, you could disable B2B collaboration and B2B direct connect with all external organizations by default, but enable these features only for Fabrikam.

For more information, see Cross-tenant access in Azure AD External Identities.

Microsoft cloud settings for B2B collaboration (preview)

Microsoft Azure cloud services are available in separate national clouds, which are physically isolated instances of Azure. Increasingly, organizations are finding the need to collaborate with organizations and users across global cloud and national cloud boundaries. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following Microsoft Azure clouds:

  • Microsoft Azure global cloud and Microsoft Azure Government
  • Microsoft Azure global cloud and Microsoft Azure China 21Vianet

To set up B2B collaboration between tenants in different clouds, both tenants need to configure their Microsoft cloud settings to enable collaboration with the other cloud. Then each tenant must configure inbound and outbound cross-tenant access with the tenant in the other cloud. See Microsoft cloud settings for details.

External collaboration settings

External collaboration settings determine whether your users can send B2B collaboration invitations to external users and the level of access guest users have to your directory. With these settings, you can:

  • Determine guest user permissions. Azure AD allows you to restrict what external guest users can see in your Azure AD directory. For example, you can limit guest users' view of group memberships, or allow guests to view only their own profile information.

  • Specify who can invite guests. By default, all users in your organization, including B2B collaboration guest users, can invite external users to B2B collaboration. If you want to limit the ability to send invitations, you can turn invitations on or off for everyone, or limit invitations to certain roles.

  • Allow or block domains. Choose whether to allow or deny invitations to the domains you specify. For details, see Allow or block domains.

For more information, see how to configure B2B external collaboration settings.

How external collaboration and cross-tenant access settings work together

External collaboration settings work at the invitation level, whereas cross-tenant access settings work at the authentication level.

Cross-tenant access settings and external collaboration settings are used to manage two different aspects of B2B collaboration. Cross-tenant access settings control whether users can authenticate with external Azure AD tenants, and they apply to both inbound and outbound B2B collaboration. By contrast, external collaboration settings control which of your users are allowed to send B2B collaboration invitations to external users from any organization.

When you're considering B2B collaboration with a specific external Azure AD organization, you’ll want to assess whether your cross-tenant access settings allow B2B collaboration with that organization, and whether your external collaboration settings allow your users to send invitations to that organization's domain. Here are some examples:

  • Example 1: You've previously added adatum.com (an Azure AD organization) to the list of blocked domains in your external collaboration settings, but your cross-tenant access settings enable B2B collaboration for all Azure AD organizations. In this case, the most restrictive setting applies. Your external collaboration settings will prevent your users from sending invitations to users at adatum.com.

  • Example 2: You allow B2B collaboration with Fabrikam in your cross-tenant access settings, but then you add fabrikam.com to your blocked domains in your external collaboration settings. Your users won't be able to invite new Fabrikam guest users, but existing Fabrikam guests will be able to continue using B2B collaboration.

Azure Active Directory B2C management

Azure AD B2C is a separate consumer-based directory that you manage in the Azure portal through the Azure AD B2C service. Each Azure AD B2C tenant is separate and distinct from other Azure Active Directory and Azure AD B2C tenants. The Azure AD B2C portal experience is similar to Azure AD, but there are key differences, such as the ability to customize your user journeys using the Identity Experience Framework.

For details about configuring and managing Azure AD B2C, see the Azure AD B2C documentation.

There are several Azure AD technologies that are related to collaboration with external users and organizations. As you design your External Identities collaboration model, consider these other features.

Azure AD entitlement management for B2B guest user sign-up

As an inviting organization, you might not know ahead of time who the individual external collaborators are who need access to your resources. You need a way for users from partner companies to sign themselves up with policies that you control. If you want to enable users from other organizations to request access, and upon approval be provisioned with guest accounts and assigned to groups, apps, and SharePoint Online sites, you can use Azure AD entitlement management to configure policies that manage access for external users.

Azure AD Microsoft Graph API for B2B collaboration

Microsoft Graph APIs are available for creating and managing External Identities features.

  • Cross-tenant access settings API: The Microsoft Graph cross-tenant access API lets you programmatically create the same B2B collaboration and B2B direct connect policies that are configurable in the Azure portal. Using the API, you can set up policies for inbound and outbound collaboration to allow or block features for everyone by default and limit access to specific organizations, groups, users, and applications. The API also allows you to accept MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.

  • B2B collaboration invitation manager: The Microsoft Graph invitation manager API is available for building your own onboarding experiences for B2B guest users. You can use the create invitation API to automatically send a customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.

Conditional Access

Organizations can enforce Conditional Access policies for external B2B collaboration and B2B direct connect users in the same way that they're enabled for full-time employees and members of the organization. For Azure AD cross-tenant scenarios, if your Conditional Access policies require MFA or device compliance, you can now trust MFA and device compliance claims from an external user's home organization. When trust settings are enabled, during authentication, Azure AD will check a user's credentials for an MFA claim or a device ID to determine if the policies have already been met. If so, the external user will be granted seamless sign-on to your shared resource. Otherwise, an MFA or device challenge will be initiated in the user's home tenant. Learn more about the authentication flow and Conditional Access for external users.

Multitenant applications

If you offer a Software as a Service (SaaS) application to many organizations, you can configure your application to accept sign-ins from any Azure Active Directory (Azure AD) tenant. This configuration is called making your application multi-tenant. Users in any Azure AD tenant will be able to sign in to your application after consenting to use their account with your application. See how to enable multitenant sign-ins.

Next steps

  • What is Azure AD B2B collaboration?
  • What is Azure AD B2B direct connect?
  • About Azure AD B2C


What are external identities in Azure Active Directory? ›

What is Azure AD External Identities? Azure Active Directory (Azure AD) External Identities is a set of capabilities that organizations can use to help secure and manage customers and partners. Azure AD External Identities gives you more ways to interact and share resources or apps with users outside your organization.

What are the 3 main identity types used in Azure AD? ›

Azure AD manages different types of identities:
  • User. User identity is a representation of something that's Azure AD manages. ...
  • Service principal. A service principal is a secure identity that enables an application or service to access Azure resources. ...
  • Managed identity. ...
  • Device.

What are the two types of managed identities that are available in Microsoft Azure? ›

There are two types of managed identities: system-assigned and user-assigned. System-assigned managed identities have their lifecycle tied to the resource that created them. User-assigned managed identities can be used on multiple resources.

What are external factors in identity? ›

Personal identity formation and evolution are impacted by various internal and external factors like society, family, friends, ethnicity, race, culture, location, opportunities, media, interests, appearance, self-expression, and life experiences.

What does external identity mean? ›

External identity refers to how other individuals interpret who you are and what your public image is as a consequence of what you do, say, and how you look. Your external identity comes about as others talk about you, judge you, and treat you.

What are the three types of identity? ›

Mayes presents three levels of human identity that determine how people typically frame human diversity: Individual, Universal, and Social Group.
  • Individual Identity.
  • Universal Human Identity.
  • Social Group Identity.
Jul 19, 2020

What are the four specific components of identity? ›

Marcia (1966) based his theory of adolescent identity development on Erikson's (1950/1980) theory of psychosocial identity development and identified four identity statuses: identity diffusion, identity foreclosure, identity moratorium, and identity achievement.

What are the three components of identity? ›

Therefore, this systematic review provides an overview of theories and empirical studies on three key components of identity: distinctiveness (seeing the self as unique and distinct from others), coherence (perceiving the self as similar across life domains), and continuity (perceiving the self as the same person over ...

What are Microsoft identities? ›

The Microsoft identity platform helps you build applications your users and customers can sign in to using their Microsoft identities or social accounts. It authorizes access to your own APIs or Microsoft APIs like Microsoft Graph.

Which one of the services in Azure is used to manage identities? ›

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. Using a managed identity, you can authenticate to any service that supports Azure AD authentication without managing credentials.

How external users are managed in Azure AD? ›

In the Azure portal, select Azure Active Directory and then select Identity Governance. In the left menu, in the Entitlement management section, select Settings. Select Edit. In the Manage the lifecycle of external users section, select the different settings for external users.

Which groups can you add an external user to in your Azure Active Directory tenant? ›

You must be a member of the Project Collection Administrators or Project Administrators group for the organization that you want to invite external users to. The Azure AD tenant, to which you want to invite external users, must allow adding new users, per your Azure AD guest policies.

Can you add external users to a security group? ›

Who can be invited to groups? By default, external users can be added to groups.

What are the 4 types of external factors? ›

External factors
  • political - For example, new legislation.
  • economic - For example, inflation and unemployment.
  • social - Changes in taste and fashion or the increase in spending power of one group, for example, older people.
  • technological - For example, being able to sell goods online or using automation in factories.

What are the 5 external factors? ›

There are five main types of external factors:
  • Political factors.
  • Economic factors.
  • Social factors.
  • Technological factors.
  • Environmental factors.
  • Competitive factors.

What are the 7 external factors? ›

The common external environment factors that businesses should consider are political, economic, social and cultural, legal, technological, and environmental/natural. The external environmental factors affect the organization at multiple levels: local, regional, provincial, federal, regional (global), and global.

What is an external user in Azure? ›

Azure AD External Identities refers to all the ways you can securely interact with users outside of your organization. If you want to collaborate with partners, distributors, suppliers, or vendors, you can share your resources and define how your internal users can access external organizations.

What's the difference between internal and external? ›

What is the difference between internal and external communication? Internal communication occurs when the members of an organization exchange information with each other. External communication takes place when those members interact and communicate with an outside party.

What is the difference between the internal identity and the external identity? ›

What is the difference between the inner and outer identity? Inner identity are the thoughts that we keep in mind and don't disclose to everyone. Outer identity is the physical appearance that look like based upon our karma and nature.

What are the 5 types of identity? ›

Multiple types of identity come together within an individual and can be broken down into the following: cultural identity, professional identity, ethnic and national identity, religious identity, gender identity, and disability identity.

What are the 8 major identities? ›

The “Big 8” socially constructed identities are: race, ethnicity, sexual orientation, gender identity, ability, religion/spirituality, nationality and socioeconomic status.

What are the two main types of identity? ›

There are two types of identity, that is, social identity and personal identity. Social identity - When an individual tries to establish identity in their respective society, it is termed social identity.

What is identity examples? ›

Examples of social identities are race/ethnicity, gender, social class/socioeconomic status, sexual orientation, (dis)abilities, and religion/religious beliefs.

What are the two main characteristics of identity? ›

Identity has two important features: continuity and contrast. Continuity means that people can count on you to be the same person tomorrow as you are today. Obviously, people change but many important aspects of social identity remain relatively stable such as gender, surname, language and ethnicity.

What are the main factors of identity? ›

There are many factors that shape identity, and they can be both external and internal factors. Society, family, friends, ethnicity, culture, location, media, interests, self-expression, and life experiences are all common factors that shape identity.

What is external directory object ID? ›

2.311 Attribute msDS-ExternalDirectoryObjectId

This attribute specifies the unique identifier for users and groups and is populated when applicable Windows Server releases of Active Directory are federated with Azure Active Directory.

What is internal and external load balancer in Azure? ›

Internal load balancers, which load balance traffic within a virtual network. External load balancers, which load balance external traffic to an internet connected endpoint.

How do I add an external user to my tenant? ›

Under Manage, select Users. Under New user select Invite external user. On the New user page, select Invite user and then add the guest user's information. Name.

How do I add an external user to a group? ›

In the admin center, go to the Groups > Groups. Select the group you want to add the guest to, and select View all and manage members on the Members tab. Select Add members, and choose the name of the guest you want to add. Select Save.

What are the three types of role Basic Access Control in Microsoft Azure? ›

Azure broadly defines three different roles: Reader, Contributor, and Owner. These roles apply to Subscriptions, Resource Groups, and most all Resources on Azure.

What are identity providers in Azure? ›

An identity provider creates, maintains, and manages identity information while providing authentication services to applications. When sharing your apps and resources with external users, Azure AD is the default identity provider for sharing.

What are the three 3 Active Directory container objects? ›

AD has three main tiers: domains, trees and forests. A domain is a group of related users, computers and other AD objects, such as all the AD objects for your company's head office. Multiple domains can be combined into a tree, and multiple trees can be grouped into a forest.

What is external directory? ›

External storage directories: These directories include both a dedicated location for storing persistent files, and another location for storing cache data.

How to use Microsoft Identity Azure AD to authenticate your users? ›

You're now ready to use the Microsoft identity platform for authentication in your app.
Enable Azure Active Directory in your App Service app
  1. Sign in to the Azure portal and navigate to your app.
  2. Select Authentication in the menu on the left. ...
  3. Select Microsoft in the identity provider dropdown.
Nov 17, 2022

Top Articles
Latest Posts
Article information

Author: Nathanael Baumbach

Last Updated: 05/12/2023

Views: 5656

Rating: 4.4 / 5 (75 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Nathanael Baumbach

Birthday: 1998-12-02

Address: Apt. 829 751 Glover View, West Orlando, IN 22436

Phone: +901025288581

Job: Internal IT Coordinator

Hobby: Gunsmithing, Motor sports, Flying, Skiing, Hooping, Lego building, Ice skating

Introduction: My name is Nathanael Baumbach, I am a fantastic, nice, victorious, brave, healthy, cute, glorious person who loves writing and wants to share my knowledge and understanding with you.