1. Purpose
After understanding what B2B collaboration is, the next step is to control how it operates within your organization. Microsoft Entra provides a centralized section called External Collaboration Settings, where admins define:
These settings help balance openness for productivity with security and governance.
2. Accessing External Collaboration Settings
To configure these settings:
This page is divided into three major sections:
3. Guest User Access Levels
Microsoft provides three distinct access tiers for external guests. This determines how much of your directory they can view.
| Access Level | Description | Typical Use Case |
|---|---|---|
| Same access as members (Most inclusive) | Guests can access directory data like internal users. | Rarely used; only for trusted partners integrated deeply into internal operations. |
| Limited access to directory objects (Default) | Guests can view membership of non-hidden groups but can’t list all users or groups. | Balanced approach; typical for standard B2B collaboration. |
| Restricted to own objects (Most restrictive) | Guests can only access their own profile and nothing else. | Ideal for strict compliance or zero-trust environments. |
Example: Contoso’s legal department collaborates with an external law firm. To ensure confidentiality, the most restrictive guest access level is applied so the firm can only view its own user objects.
4. Guest Invite Settings
This section controls who can invite external users into your tenant. Inviting users is an important governance control because it determines who expands the directory’s trust boundary.
| Setting | Who Can Invite | Best Use Case |
|---|---|---|
| No one | Disables guest invitations entirely. | For isolated environments (e.g., government networks). |
| Admins only | Only global/admin roles can invite. | For highly controlled collaboration. |
| Admins and users in Guest Inviter role | Delegates limited invitation rights. | Best practice for enterprise control. |
| Admins, Guest Inviter role, and members | Most staff can invite guests. | Flexible collaboration organizations. |
| All users including guests | Everyone can invite others. | Open environments like community tenants or education. |
Exam Note: The Guest Inviter role exists solely to delegate this ability without giving broader admin privileges.
5. Collaboration Restrictions
Collaboration restrictions determine which domains you can collaborate with. This prevents accidental invitations to untrusted or unauthorized organizations.
You can define either:
You can’t use both simultaneously.
Key facts:
Example: Contoso works with Fabrikam and Tailwind Traders only. It configures an allowlist containing fabrikam.com and tailwindtraders.com to prevent accidental invitations to personal or competitor domains.
6. SharePoint and OneDrive Considerations
The domain restriction in Microsoft Entra does not automatically apply to OneDrive or SharePoint Online file-sharing lists. Those platforms have their own allow/block list configuration under their admin centers.
For consistent governance:
7. Practical Example
Scenario: Contoso wants to ensure only trusted partners can join their environment and only administrators can send invitations.
Steps:
Result: External users can collaborate securely, but only via authorized admins — minimizing risk.
8. Exam Tip
Expect scenario questions around:
Summary
This unit focused on configuring and governing B2B collaboration within your organization. By adjusting access, invitation, and domain restrictions, you enforce a secure, policy-driven external access model while maintaining flexibility for real-world teamwork.