1. Overview
While Microsoft Entra ID governs authentication and identity management, Microsoft 365 provides the collaboration workloads, such as Teams, SharePoint, and Exchange.
Guest users invited via Entra ID appear in Microsoft 365 as external accounts that can participate in:
- Teams chats and meetings.
- SharePoint file sharing.
- Planner or project collaboration.
However, these users' permissions must be explicitly granted within each workload.
2. External Collaboration Options in Microsoft 365
| Activity | Account Type | Default Setting |
| --- | --- | --- |
| Authenticated file/folder sharing | Guest account | Enabled |
| Site sharing | Guest account | Enabled |
| Teams guest access | Guest account | Enabled |
| Shared Teams channel | External Microsoft 365 account | Disabled |
| External chat/meetings | External M365 account | Enabled |
| Anonymous meeting join | None | Enabled |
| Unauthenticated file sharing | None | Enabled |

You can disable or limit any of these options from the Microsoft 365 admin center or the Teams/SharePoint admin panels.
3. Governance and Lifecycle Management
External users need ongoing review to ensure they still require access.
Over time, vendors or contractors may leave, and stale guest accounts can become security risks.
Best practices:
- Conduct periodic access reviews (available with Entra ID Governance).
- Use access expiration policies for guests.
- Remove unused licenses or redundant accounts.
- Regularly audit activity logs.
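A sketch of the stale-guest check behind these practices, added here as an illustration and not taken from the original notes or from Microsoft. The field names follow the Microsoft Graph user resource (userType, externalUserState, createdDateTime, signInActivity); the accounts are constructed, and the 90-day and 30-day thresholds are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

REVIEW_DATE = datetime(2025, 6, 1, tzinfo=timezone.utc)  # assumed review date
# Constructed records shaped like Microsoft Graph user objects (not real accounts).
SAMPLE = json.loads("""[
 {"userPrincipalName": "ana_agency.example#EXT#@contoso.example", "userType": "Guest",
  "createdDateTime": "2024-01-10T09:00:00Z", "externalUserState": "Accepted",
  "signInActivity": {"lastSignInDateTime": "2025-05-20T08:30:00Z"}},
 {"userPrincipalName": "ben_agency.example#EXT#@contoso.example", "userType": "Guest",
  "createdDateTime": "2024-01-10T09:05:00Z", "externalUserState": "Accepted",
  "signInActivity": {"lastSignInDateTime": "2024-11-02T14:00:00Z"}},
 {"userPrincipalName": "cy_agency.example#EXT#@contoso.example", "userType": "Guest",
  "createdDateTime": "2024-09-01T10:00:00Z", "externalUserState": "PendingAcceptance"},
 {"userPrincipalName": "dee_agency.example#EXT#@contoso.example", "userType": "Guest",
  "createdDateTime": "2025-05-25T10:00:00Z", "externalUserState": "PendingAcceptance"},
 {"userPrincipalName": "eve@contoso.example", "userType": "Member",
  "createdDateTime": "2020-01-01T00:00:00Z",
  "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}}
]""")

def _ts(value):
    """Parse a Graph ISO 8601 timestamp; a missing value stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def triage_guests(users, now, stale_days=90, invite_days=30):
    """Return {userPrincipalName: reason} for guest accounts that need review."""
    findings = {}
    for u in users:
        if u.get("userType") != "Guest":
            continue  # members are out of scope for a guest review
        act = u.get("signInActivity") or {}
        # Use the most recent of interactive and non-interactive sign-ins.
        seen = [t for t in map(_ts, (act.get("lastSignInDateTime"),
                                     act.get("lastNonInteractiveSignInDateTime"))) if t]
        age = now - _ts(u["createdDateTime"])
        upn = u["userPrincipalName"]
        if u.get("externalUserState") == "PendingAcceptance":
            if age > timedelta(days=invite_days):
                findings[upn] = "invitation never redeemed"
        elif not seen:
            if age > timedelta(days=stale_days):
                findings[upn] = "never signed in"
        elif now - max(seen) > timedelta(days=stale_days):
            findings[upn] = "no sign-in for %d days" % (now - max(seen)).days
    return findings

if __name__ == "__main__":
    for upn, reason in triage_guests(SAMPLE, REVIEW_DATE).items():
        print(upn, "->", reason)
```

In a real tenant, reading signInActivity from Graph requires an Entra ID P1 or P2 license and the AuditLog.Read.All permission; without it, every guest would land in the "never signed in" branch.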
4. Tools for Managing Microsoft 365 Guest Users
Admins can manage guest accounts via multiple interfaces:
| Tool | Purpose |
| --- | --- |
| Microsoft 365 Admin Center (admin.microsoft.com) | General user and license management. |
| Microsoft Entra Admin Center (entra.microsoft.com) | Centralized identity and external collaboration management. |
| Azure Portal – Entra ID | Role management, groups, and Conditional Access. |
| PowerShell / Graph API | Scripting and automation. |
| Workload Admin Centers (Teams, SharePoint, etc.) | Configure guest permissions per service. |
5. Real-World Example
Scenario:
Contoso collaborates with an external marketing agency in Teams.
The agency’s users join as guests, access shared files, and attend meetings.
After the project ends, Contoso’s admin reviews guest accounts and removes inactive ones using an access review policy, ensuring no lingering external access remains.
6. Exam Tip
- Microsoft 365 guests rely on Entra B2B for authentication.
- Access reviews and lifecycle policies are critical for governance.
- Guests can be licensed if needed (e.g., Power BI, Project).
- Some Teams features (like shared channels) require B2B direct connect (covered in Unit 14).
Summary
Microsoft 365 extends the Entra B2B collaboration model into apps like Teams and SharePoint.
Admins must enforce lifecycle management to ensure guest users retain only necessary access — maintaining both collaboration efficiency and organizational security.