1. What Are Guest Users?
Guest users are individuals from outside your organization who are invited to access your Microsoft Entra tenant’s apps or resources.
They are stored in your tenant as user objects with UserType = Guest.
Microsoft Entra B2B collaboration is the feature that powers this. It allows:
Secure sharing of apps, files, and services.
External users to use their existing credentials (from Microsoft, Google, or other providers).
Organizations to maintain control over access and auditing.
By default, guest users’ accounts are easily identifiable in your tenant — their User Principal Name (UPN) includes the string #EXT#.
Example:
alex.fabrikam.com#EXT#@contoso.onmicrosoft.com
2. How Guest Users Join Your Tenant
The onboarding process for B2B users follows a simple invitation and redemption flow:
Invitation sent – The host organization sends an email invitation to an external user.
User redeems invitation – The external user accepts the invitation and signs in using their existing credentials.
Account created in host tenant – A user object is created in your directory as a “guest” type.
Access granted – The user gains access to shared apps, Teams, SharePoint sites, etc.
Admins can also enable self-service sign-up flows, which let external users register themselves for approved resources.
3. B2B Collaboration Overview
B2B collaboration is part of Microsoft Entra External Identities and focuses on secure cross-organization teamwork.
Feature – Description
Authentication – External users authenticate with their own credentials (Microsoft, Google, SAML IdPs).
Authorization – The host organization manages which resources guests can access.
Identity Management – Guest accounts are stored and managed within your Entra tenant.
Access Control – Guests can be assigned groups, roles, and Conditional Access policies.
Example:
Fabrikam partners with Contoso on a joint project.
Fabrikam users authenticate through their own Entra tenant.
Contoso admins assign permissions in Teams and SharePoint.
All activity is logged and governed under Contoso’s policies.
4. Key Technical Concepts
UserType Property – Indicates whether a user is a member (internal) or guest (external).
Authentication Source – Determines whether the user signs in via Microsoft Entra, Google, or another IdP.
B2B APIs – Developers can automate invitations or customize sign-up flows via Microsoft Graph or Entra APIs.
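An added example (not from the original page): a Python audit over an exported user list that cross-checks the UserType property against the #EXT# UPN marker and flags invitations that were never redeemed. The sample records are constructed, the field names follow the Microsoft Graph user resource, and the 30-day threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone

EXT_MARKER = "#EXT#"  # marker the page says appears in guest UPNs

# Constructed sample records using Microsoft Graph user property names.
SAMPLE_USERS = [
    {"userPrincipalName": "alex.fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2024-01-10T09:00:00Z"},
    {"userPrincipalName": "dana.fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Member", "externalUserState": "Accepted",
     "createdDateTime": "2024-01-12T09:00:00Z"},
    {"userPrincipalName": "sam@contoso.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2024-02-01T09:00:00Z"},
    {"userPrincipalName": "lee.fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-01-05T09:00:00Z"},
    {"userPrincipalName": "pat@contoso.com",
     "userType": "Member", "externalUserState": None,
     "createdDateTime": "2023-06-01T09:00:00Z"},
]

def audit_guests(users, now, max_pending_days=30):
    """Return {finding: [UPNs]} for accounts a reviewer should look at."""
    findings = {"external_marked_as_member": [], "guest_without_ext_marker": [],
                "stale_pending_invitation": []}
    for u in users:
        upn = u["userPrincipalName"]
        has_marker = EXT_MARKER.lower() in upn.lower()
        is_guest = (u.get("userType") or "").lower() == "guest"
        if has_marker and not is_guest:
            # Invited account whose userType is no longer Guest: restrictions
            # that key on userType = Guest do not cover it.
            findings["external_marked_as_member"].append(upn)
        if is_guest and not has_marker:
            # Guest that a UPN-based search for "#EXT#" would miss.
            findings["guest_without_ext_marker"].append(upn)
        if is_guest and u.get("externalUserState") == "PendingAcceptance":
            created = datetime.fromisoformat(u["createdDateTime"].replace("Z", "+00:00"))
            if now - created > timedelta(days=max_pending_days):
                # Invitation was sent but never redeemed.
                findings["stale_pending_invitation"].append(upn)
    return findings

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for name, upns in audit_guests(SAMPLE_USERS, now).items():
        print(name, upns)
```

The audit treats UserType as the authoritative field and the #EXT# string only as a hint, because the two can diverge after an account is edited.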
5. Security Model
By default, guest users have restricted access:
They can’t enumerate directory users or groups.
They can only access resources explicitly shared with them.
Access can be further controlled with Conditional Access or entitlement management policies.
This protects sensitive organizational data while still enabling collaboration.
6. Real-World Example
Scenario:
Fabrikam consultants are hired by Contoso’s HR team to implement a new payroll system.
Contoso sends invitations to their Fabrikam accounts, which they redeem using their own corporate credentials.
They gain access only to the HR project SharePoint site and Teams channel, while all other Contoso resources remain off-limits.
This setup ensures security and compliance without requiring Contoso to provision new accounts.
Exam Tip
B2B collaboration = Secure external access for business partners.
Guest user UPNs = Contain #EXT# to identify external accounts.
Default user type for invited users = Guest.
Invitation and redemption = Core mechanism for adding external users.
Summary
B2B collaboration is Microsoft’s solution for managing secure access for external partners.
It allows organizations to invite, manage, and control guest users — all while letting those users use their existing credentials and identity providers.