
Microsoft Entra B2B Collaboration

Microsoft Entra B2B Collaboration — part of the Entra External Identities feature set — lets you invite people from outside your tenant (partners, vendors, contractors) to access specific apps and resources without creating internal accounts for them. Authentication is handled by their own organisation or identity provider; your tenant only handles authorisation. Visitor pass, not a new staff badge.

This guide walks the full lifecycle: invite, accept, license, harden with Conditional Access, control who can invite, and (when relevant) promote a guest to an internal member. Tenant in the examples is ezaz2281.onmicrosoft.com. Everything here works on Entra ID Free; the Conditional Access section needs P1.

What B2B actually does

When you invite an external user:

  1. A Guest user object is created in your tenant.
  2. UPN is set to username_outlook.com#EXT#@ezaz2281.onmicrosoft.com: the @ in the invited address becomes _, and the #EXT# tag marks the object as an external identity whose authentication happens at its home provider, not in your tenant.
  3. Microsoft mails the invitation to the external address.
  4. The user clicks Accept. Identity field updates to reflect their real home identity (Microsoft Account, Google, partner tenant).
  5. Admin assigns licenses or app access.
  6. When the guest tries to use a resource, the auth round-trip goes to their identity provider. Once authenticated, your tenant decides what they can do.

Critical implication: no password is stored in your tenant. You can’t reset their password (their home org owns it). What you control is what they can access and how.

Prerequisites

Requirement | Detail
License | Entra ID Free for invitations. P1 for Conditional Access on guests.
Admin role | With the default Guest Invite Setting any user can invite. Once you restrict invitations (Step 8), Global Administrator, User Administrator or the Guest Inviter role.
External Collaboration Settings | Guest invitations enabled (the default).

Step 1 — check External Collaboration Settings

  1. entra.microsoft.com as Global Admin.
  2. Identity > External Identities > External Collaboration Settings.
  3. Confirm Guest Invite Settings — default is Anyone in the organization can invite guest users including guests and non-admins.
[Screenshot: External Collaboration Settings with the default Guest Invite Setting selected] External Identities > External Collaboration Settings — default permission allows anyone to invite guests. Tighten this in environments where partners aren’t routine.

If the default doesn’t suit your risk posture, jump to Step 8 below for how to tighten it.

Step 2 — invite a guest as admin

  1. Users > All Users > New User > Invite External User.
  2. Display Name (e.g. Concepts User), Email (e.g. conceptsuser@outlook.com), optional first / last name.
  3. Personal Message — brief note the guest sees in the invitation email.
  4. Next > Properties — set Usage Location (required before assigning licenses later).
  5. Next > Assignments — optionally add to a group or assign a role now.
  6. Next > Review + Invite > Invite.
[Screenshot: Invite External User form] Users > New User > Invite External User. Display name + email + a friendly personal message that the guest will see in the invitation email.
[Screenshot: Review + Invite panel] Review + Invite. Click Invite — account is created instantly with B2B Invitation Status = Pending Acceptance.

What happens immediately

  • Guest account created with User Type = Guest.
  • Microsoft mails the invitation to the address you provided.
  • B2B Invitation Status = Pending Acceptance.
  • Identities field still shows ezaz2281.onmicrosoft.com — this updates when they accept.
[Screenshot: guest Overview before acceptance] Pre-acceptance — the Identities field still shows your tenant domain. It will switch to the guest’s home identity provider (Microsoft Account, mail for an email one-time passcode guest, or the external Entra tenant) after the user accepts.

Invitations don’t expire. You can resend from the user’s profile if they lost the email.
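The same invitation done with Microsoft Graph PowerShell instead of the portal, as an added example that is not code from the original post. It assumes the Microsoft.Graph module is installed and that you can consent to the User.Invite.All and User.Read.All scopes; the tenant, display name and guest address are the post’s examples, while the redirect URL and the message body are placeholders of mine.

```powershell
# Added example (not from the original post): invite a guest with Microsoft Graph
# PowerShell and read back the object the invitation creates. Assumes the
# Microsoft.Graph module; the redirect URL and message body are placeholders.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All" -NoWelcome

$tenant  = "ezaz2281.onmicrosoft.com"
$address = "conceptsuser@outlook.com"

$invite = New-MgInvitation `
    -InvitedUserEmailAddress $address `
    -InvitedUserDisplayName  "Concepts User" `
    -InviteRedirectUrl       "https://myapps.microsoft.com/$tenant" `
    -SendInvitationMessage `
    -InvitedUserMessageInfo  @{ CustomizedMessageBody = "Hi, this invitation gives you access to our shared project workspace." }

# The response carries the new guest's object id and the redemption link. Keep the
# link: if the email is lost you can hand it over out of band instead of resending.
$guestId = $invite.InvitedUser.Id
Write-Host "Guest object id : $guestId"
Write-Host "Redeem URL      : $($invite.InviteRedeemUrl)"

# Read back the properties the portal shows on the user's Overview page. In Graph the
# portal's 'B2B Invitation Status' is externalUserState (PendingAcceptance / Accepted)
# and 'Identities' is the identities collection, whose issuer is your tenant until
# the invitation is redeemed.
$guest = Get-MgUser -UserId $guestId -Property id, userPrincipalName, userType, creationType, externalUserState, externalUserStateChangeDateTime, identities

$guest | Select-Object UserPrincipalName, UserType, CreationType, ExternalUserState
$guest.Identities | Select-Object SignInType, Issuer, IssuerAssignedId

# The UPN is derived from the address: '@' becomes '_' and #EXT#@<tenant> is appended.
$expectedUpn = ($address -replace '@', '_') + "#EXT#@$tenant"
if ($guest.UserPrincipalName -ne $expectedUpn) {
    Write-Warning "UPN does not match the expected #EXT# pattern: $($guest.UserPrincipalName)"
}
```

Run it again after the guest has accepted and the issuer on the identities entry changes from your tenant to the home provider, which is the same transition the portal shows in the Identities field.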

Step 3 — let non-admins invite via My Groups

For team-led collaboration, group owners can invite guests themselves through My Groups (reachable from myapps.microsoft.com) without involving IT each time. This only works while the Guest Invite Setting still permits non-admins to invite (the default; see Step 8), and only for groups with assigned rather than dynamic membership:

  1. Group owner opens myapps.microsoft.com, signs in as themselves.
  2. My Groups > Groups I Own > pick the group.
  3. … menu > Add Member.
  4. Type the external email. The system recognises it as external and offers Member or Group Owner. Choose Member.
  5. Optional invitation message > Add.

Same invitation email gets sent. Same accept flow.

Step 4 — the guest accepts

Microsoft Account (Outlook.com)

  1. Open the email from Microsoft Invitations on behalf of [Your Org].
  2. Click Accept Invitation.
  3. Permissions Requested > Accept.
  4. Lands in My Apps. There are no apps to show if you haven’t assigned anything yet — expected.

Gmail / Google account

  1. Same email, click Accept Invitation.
  2. The address is not a Microsoft account, and unless you have configured Google federation under External Identities > All identity providers, your tenant has no federation for gmail.com. Microsoft therefore falls back to its Email One-Time Passcode flow: click Send Code.
  3. The passcode arrives in Gmail. Copy it, paste it into the Microsoft verification page and click Sign In.
  4. Accept permissions.
  5. Lands in My Apps.
[Screenshot: invitation redemption prompting Send Code] Gmail invitee — after Accept, Microsoft’s email one-time passcode flow asks them to Send Code for identity verification. It is Microsoft, not Google, sending the code.
[Screenshot: one-time passcode email in the Gmail inbox] OTP arrives in Gmail. Copy the code, paste back into the Microsoft sign-in page.
[Screenshot: Permissions Requested consent screen] Permissions Requested — the guest grants consent to your tenant. After this they land on My Apps.

What changes after acceptance

  • B2B Invitation Status: Accepted.
  • Identities: Microsoft Account for Outlook.com users; mail for a guest who redeemed with an email one-time passcode (the Gmail flow above); google.com only where you have configured Google federation; ExternalAzureAD for users from another Entra tenant.
  • User Type still shows Guest (correct).
[Screenshot: guest Overview after acceptance] Post-acceptance — Invitation Status flips to Accepted. Identities now names the user’s real home identity provider instead of your tenant.

Step 5 — assign licenses or app access

Acceptance alone gives the guest no apps. Assign deliberately:

  1. Users > All Users > click the guest.
  2. Left rail > Licenses > Assignments.
  3. Tick the SKU (e.g. Microsoft 365 Business Standard) > Save.
[Screenshot: Licenses > Assignments with Microsoft 365 Business Standard ticked] Licenses > Assignments — tick the SKU you want the guest to have. They sign in with their own creds; the license controls what they can use.

Guest can now sign in at portal.office.com using their external credentials and see what the license entitles. Reminder: their password lives at home, not here.
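The licensing step as an added Microsoft Graph PowerShell example (not code from the original post), including the checks the portal leaves to you: that the guest has actually redeemed, that Usage Location is set before the licence is assigned, and that a seat is free. It assumes the Microsoft.Graph module. The SKU part number O365_BUSINESS_PREMIUM is what Microsoft 365 Business Standard normally carries, but confirm it against Get-MgSubscribedSku in your own tenant; the usage location is a placeholder.

```powershell
# Added example (not from the original post): set usage location and assign a licence
# to an accepted guest. Assumes the Microsoft.Graph module. SKU part number and usage
# location are assumptions to confirm in your own tenant.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All" -NoWelcome

$address       = "conceptsuser@outlook.com"
$skuPartNumber = "O365_BUSINESS_PREMIUM"   # Microsoft 365 Business Standard (verify with Get-MgSubscribedSku)
$usageLocation = "GB"                      # placeholder: the guest's country code

# Look the guest up by mail rather than by the #EXT# UPN, which needs URL-encoding in Graph.
$guest = Get-MgUser -Filter "mail eq '$address' and userType eq 'Guest'" `
                    -Property id, displayName, usageLocation, externalUserState, assignedLicenses
if (-not $guest) { throw "No guest with mail $address" }

# Licensing an unredeemed guest is allowed but gives nothing until they accept; flag it.
if ($guest.ExternalUserState -ne 'Accepted') {
    Write-Warning "$($guest.DisplayName) has not redeemed the invitation yet (state: $($guest.ExternalUserState))."
}

# Usage location must exist before a licence can be assigned (the trap in 'Things that bite').
if (-not $guest.UsageLocation) {
    Update-MgUser -UserId $guest.Id -UsageLocation $usageLocation
}

# Resolve the SKU and make sure there is a free seat before assigning.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "SKU $skuPartNumber is not present in this tenant" }
$freeSeats = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($freeSeats -lt 1) {
    throw "No free seats on $skuPartNumber ($($sku.ConsumedUnits)/$($sku.PrepaidUnits.Enabled) used)"
}

if ($guest.AssignedLicenses.SkuId -contains $sku.SkuId) {
    Write-Host "$skuPartNumber is already assigned."
} else {
    Set-MgUserLicense -UserId $guest.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
}

# Verify the assignment landed.
$after = Get-MgUser -UserId $guest.Id -Property assignedLicenses
if ($after.AssignedLicenses.SkuId -contains $sku.SkuId) {
    Write-Host "$skuPartNumber assigned to $($guest.DisplayName)"
} else {
    throw "Licence assignment did not take"
}
```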

Step 6 — require MFA on guests via Conditional Access

Guests are external by definition — you have no idea what device hygiene or password practices they have. Always wrap them in MFA.

  1. entra.microsoft.com > Security > Conditional Access.
  2. New Policy. Name: MFA for Guest Users.
  3. Users > Include > Select users and groups > tick Guest or external users and choose the external user types you want covered (at minimum B2B collaboration guest users). Under Exclude, add your emergency-access accounts, as you would for every Conditional Access policy.
  4. Target resources (Cloud apps or actions in older portals) > Include > All cloud apps. Scoping to a couple of apps such as Office 365 and Microsoft Azure Management, as many walkthroughs do, leaves every other app reachable by guests without MFA.
  5. Grant > Grant Access > tick Require multi-factor authentication.
  6. Enable Policy: Report-only first. Watch the Conditional Access tab on guest sign-ins in the sign-in log for a few days, then switch to On > Create.

Next time the guest opens an app, after their home auth completes they get the standard MFA prompt and walk through registration if needed. The registration and the challenge happen in your tenant: a guest from another Entra tenant who already uses MFA at home will be prompted a second time unless your Cross-tenant access settings (Inbound > Trust settings) are set to trust MFA from their tenant.

Requires Entra ID P1. Free tier can invite guests but can’t apply CA to them.
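The Step 6 policy built through Microsoft Graph PowerShell, created in report-only mode and enabled after review, as an added example that is not code from the original post. It assumes the Microsoft.Graph module and Entra ID P1; the emergency-access object id is a placeholder you must replace with your own.

```powershell
# Added example (not from the original post): the 'MFA for Guest Users' policy via
# Graph, report-only first. Assumes the Microsoft.Graph module and Entra ID P1.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlassIds = @("00000000-0000-0000-0000-000000000000")   # placeholder: your emergency-access accounts

$policy = @{
    displayName = "MFA for Guest Users"
    # Start in report-only so the sign-in log shows who would have been challenged.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            # Every flavour of external user from every external tenant, rather than a
            # group you have to remember to maintain.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,otherExternalUser"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
            excludeUsers = $breakGlassIds
        }
        # All apps, not just Office 365 and Azure Management: anything left out of
        # scope is reachable by guests without MFA.
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Once guest sign-ins in the log show the policy under 'Report-only' with the expected
# result, switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

The externalTenants object needs the @odata.type annotation; without it Graph rejects the body. Keep the break-glass exclusion even though the include scope is guests only, so the policy follows the same pattern as every other policy in the tenant and an accidental edit of the include scope cannot lock admins out.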

Step 7 — how guests sign in (the part that confuses Gmail users)

Microsoft Account guest

Easiest case. They go to myapps.microsoft.com, type their Outlook email, type their Outlook password, done.

Non-Microsoft account guest (Gmail, Yahoo, etc.)

If a Gmail user types jane@gmail.com directly at myapps.microsoft.com, they get We couldn’t find an account with that username. That’s expected — Microsoft can’t resolve the address to a tenant without help.

Correct path:

  1. myapps.microsoft.com > click Sign-in options at the bottom.
  2. Sign in to an organization.
  3. Type the host tenant’s domain: ezaz2281.onmicrosoft.com > Next.
  4. Microsoft sign-in page appears. Click Use another account > type the Gmail address.
  5. System routes through Email OTP — code arrives at the Gmail address.
  6. Paste code > Sign In > accept permissions > My Apps.
[Screenshot: Sign in to an organization page] Gmail guest sign-in — Sign-in options > Sign in to an organization > type ezaz2281.onmicrosoft.com.
[Screenshot: Use another account prompt] Then Use another account > type the Gmail address. Microsoft sees it’s non-Microsoft > routes through Email OTP.
[Screenshot: My Apps portal for the guest] Landed in My Apps. The end-to-end B2B flow worked — assigned apps appear here.

The shortcut

The accept-invitation link from the original email handles all of this routing automatically, as does the tenant-specific My Apps URL https://myapps.microsoft.com/ezaz2281.onmicrosoft.com (the domain suffix tells Microsoft which tenant to authenticate against). Tell guests to bookmark My Apps after first sign-in so they don’t have to repeat the common-endpoint dance.

Step 8 — restrict who can invite guests

Setting (radio button) | Who can invite
Anyone in the organization can invite guest users including guests and non-admins (default) | Everyone, including existing guests and non-admins
Member users and users assigned to specific admin roles can invite guest users including guests with member permissions | Members and admins; ordinary guests cannot invite
Only users assigned to specific admin roles can invite guest users | Global Administrator, User Administrator and Guest Inviter role holders
No one in the organization can invite guest users including admins | Nobody. B2B invitations completely off.

Change it: External Identities > External Collaboration Settings > Guest Invite Settings > pick the radio you want > Save.

Delegate the right to specific users via the Guest Inviter role

  1. Users > the user (e.g. Kibria).
  2. Assigned Roles > Add Assignments.
  3. Search Guest Inviter > Add.

With the setting on the "specific admin roles" option, only that user, User Administrators and Global Administrators can invite. Anyone else trying gets User invitation failed — insufficient privileges to complete the operation.

With P1/P2 you can attach the Guest Inviter role to a security group instead of individual users — manage by group membership at scale.
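The Step 8 settings as an added Microsoft Graph PowerShell example (not code from the original post): the Guest Invite Setting is the allowInvitesFrom value on the tenant’s authorizationPolicy, and the Guest Inviter delegation is an ordinary directory role assignment. It assumes the Microsoft.Graph module; the delegate’s UPN is my assumption based on the post’s example user.

```powershell
# Added example (not from the original post): read and tighten the Guest Invite
# Setting, then delegate inviting to one user. Assumes the Microsoft.Graph module;
# the delegate UPN is an assumption.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

# allowInvitesFrom maps to the four radio buttons in External Collaboration Settings:
#   everyone                         - anyone, including guests (the default)
#   adminsGuestInvitersAndAllMembers - members and admins; guests cannot invite
#   adminsAndGuestInviters           - only specific admin roles and Guest Inviter
#   none                             - invitations off
$current = (Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom
Write-Host "Current Guest Invite Setting: $current"

if ($current -in @('everyone', 'adminsGuestInvitersAndAllMembers')) {
    Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters"
    Write-Host "Tightened to adminsAndGuestInviters"
}

# Delegate inviting to one named user through the Guest Inviter role, tenant-wide scope.
$delegate = Get-MgUser -UserId "kibria@ezaz2281.onmicrosoft.com" -Property id, userPrincipalName   # assumption
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Guest Inviter'"

$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($delegate.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
        -PrincipalId $delegate.Id -DirectoryScopeId "/" | Out-Null
    Write-Host "Guest Inviter granted to $($delegate.UserPrincipalName)"
}

# Who holds Guest Inviter now? Review this list as part of the quarterly guest audit.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" -ExpandProperty principal |
    ForEach-Object { "{0}  {1}" -f $_.PrincipalId, $_.Principal.AdditionalProperties['userPrincipalName'] }
```

The last query is the check the portal does not give you in one place: every principal (user, group or service principal) that can still invite after you tightened the setting.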

Step 9 — convert a guest to an internal member

The contractor who used to be a guest is now joining as an employee. Or a merger means external partner accounts should become internal. You can promote in place without losing groups or permissions.

What conversion changes

  • User Type: Guest → Member
  • New UPN inside your tenant domain (e.g. kibria.connect@ezaz2281.onmicrosoft.com)
  • New password set in your tenant. From then on they authenticate against you with the new UPN; the old external identity no longer reaches your tenant, so tell the user before you convert.
  • All existing group memberships and permissions preserved

Requirements

  • User Administrator role minimum
  • Guest must already have accepted the original invitation
  • Account must be externally-authenticated — on-prem-AD-synced accounts can’t be converted this way

Procedure

  1. Users > All Users > Add Filter > User Type = Guest to find them quickly.
  2. Open the user. Confirm B2B Invitation Status = Accepted.
  3. In the B2B Collaboration section, click Convert to Internal User.
  4. Set the new UPN (left side kibria.connect, right side dropdown your domain).
  5. Set a Password — auto-generate or specify.
  6. Optionally tick Change Email Address if you want their email attribute updated to internal too.
  7. Convert.
[Screenshot: Convert to Internal User button in the B2B Collaboration section] Convert to Internal User — promote a guest who is becoming an employee. New UPN, new password, all group memberships preserved.

Verify

  • Users > All Users (remove the Guest filter) > search by name.
  • User Type now reads Member.
  • UPN ends in your domain.
  • Group memberships intact.
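The Step 9 conversion as an added Microsoft Graph PowerShell example (not code from the original post), using the convertExternalToInternalMemberUser action that sits behind the portal button and making the pre-checks and the "memberships preserved" verification explicit. It assumes the Microsoft.Graph module and the User-ConvertToInternal.ReadWrite.All scope (an assumption; confirm the required permission in the Graph reference). The guest’s external address is a placeholder; the new UPN is the post’s example.

```powershell
# Added example (not from the original post): convert an accepted guest to a Member
# through Graph, with pre-checks and a before/after group comparison. Assumes the
# Microsoft.Graph module; scope name and the guest's address are assumptions.
Connect-MgGraph -Scopes "User-ConvertToInternal.ReadWrite.All", "User.Read.All" -NoWelcome

$address = "kibria@partner.example"                        # placeholder: the guest's external address
$newUpn  = "kibria.connect@ezaz2281.onmicrosoft.com"

$guest = Get-MgUser -Filter "mail eq '$address' and userType eq 'Guest'" `
                    -Property id, displayName, userPrincipalName, externalUserState, onPremisesSyncEnabled
if (-not $guest) { throw "Guest $address not found" }
if ($guest.ExternalUserState -ne 'Accepted') { throw "Invitation not redeemed yet; state is $($guest.ExternalUserState)" }
if ($guest.OnPremisesSyncEnabled) { throw "Account is synced from on-premises AD and cannot be converted this way" }

# Snapshot group memberships so the 'nothing lost' claim can be checked afterwards.
$before = (Get-MgUserMemberOf -UserId $guest.Id -All).Id | Sort-Object

# Random initial password; the user must change it at first sign-in.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$body = @{
    userPrincipalName = $newUpn
    mail              = $newUpn           # the portal's 'Change Email Address' tick box
    passwordProfile   = @{ password = $initialPassword; forceChangePasswordNextSignIn = $true }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/users/$($guest.Id)/convertExternalToInternalMemberUser" `
    -Body $body -ContentType "application/json" | Out-Null

# Verify: Member, UPN in our domain, same groups as before.
$after       = Get-MgUser -UserId $guest.Id -Property id, userType, userPrincipalName
$afterGroups = (Get-MgUserMemberOf -UserId $guest.Id -All).Id | Sort-Object
if ($after.UserType -ne 'Member')           { throw "userType is still $($after.UserType)" }
if ($after.UserPrincipalName -ne $newUpn)   { throw "UPN is $($after.UserPrincipalName)" }
if (($before -join ',') -ne ($afterGroups -join ',')) {
    Write-Warning "Group membership changed during conversion; compare the two lists"
} else {
    Write-Host "Converted $($guest.DisplayName): Member, $newUpn, $(@($before).Count) memberships preserved"
}
Write-Host "Initial password (deliver out of band, never by email to the old address): $initialPassword"
```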

Things that bite people

Guest can’t sign in — ‘account not found’

Almost always a Gmail / Yahoo guest who typed their address directly at myapps.microsoft.com. Walk them through Sign-in options > Sign in to an organization > <your tenant>.onmicrosoft.com. Or just send them the original invitation link.

Invitation never arrived

Check the guest’s spam folder first. The sender is Microsoft Invitations (invites@microsoft.com) — corporate spam filters sometimes block it, so ask the partner to allow-list that address. Resend from the user’s profile in Entra Admin Center if needed.

Forgot the Usage Location, can’t assign a license

Set Usage Location on the guest’s Properties before going to Licenses.

Conditional Access policy that requires MFA created without P1

Don’t treat the policy list as proof of enforcement. Verify that the tenant holds P1 and that it covers the users in scope, then confirm from evidence: open a guest sign-in under Monitoring > Sign-in logs, Conditional Access tab, and check that the policy reports Success (or Report-only while you are testing) rather than Not applied.

Guests inviting other guests, unbounded

Default permission lets any guest invite further guests. Useful for partner-led collaboration; bad for tight environments. Tighten via Step 8.

Offboarding

When the partnership ends, just delete the guest like any other user. Their home identity is unaffected; what dies is their access to your tenant. The object sits in Deleted users for 30 days and can be restored if you removed it too early. Run a quarterly review of guest accounts: invitations still Pending Acceptance weeks later and guests with no sign-in for months are the usual candidates for removal.
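The quarterly review as an added Microsoft Graph PowerShell example (not code from the original post): it inventories every guest, classifies each by invitation state and last sign-in, and exports the candidates for a human to confirm before anything is deleted. It assumes the Microsoft.Graph module; signInActivity needs the AuditLog.Read.All scope and is populated from the tenant’s sign-in logs, so it can be empty on a Free tenant or for guests who have not signed in since logging began. The 90-day threshold is my choice.

```powershell
# Added example (not from the original post): guest inventory for the quarterly review.
# Assumes the Microsoft.Graph module; the staleness threshold is an assumption.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

$staleAfterDays = 90
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property id, displayName, mail, createdDateTime, externalUserState, externalUserStateChangeDateTime, signInActivity

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # Classify: an invitation nobody redeemed is access waiting to be claimed by whoever
    # holds the mailbox; a redeemed guest with no recent sign-in is access nobody uses.
    $verdict = if ($g.ExternalUserState -ne 'Accepted' -and $g.CreatedDateTime -lt $cutoff) { 'NeverRedeemed' }
               elseif ($g.ExternalUserState -ne 'Accepted')                                { 'PendingRecent' }
               elseif (-not $lastSignIn)                                                   { 'NoSignInRecorded' }
               elseif ($lastSignIn -lt $cutoff)                                            { 'Stale' }
               else                                                                        { 'Active' }
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Invited     = $g.CreatedDateTime
        InviteState = $g.ExternalUserState
        LastSignIn  = $lastSignIn
        Verdict     = $verdict
        Id          = $g.Id
    }
}

$report | Sort-Object Verdict, LastSignIn |
    Format-Table DisplayName, Mail, InviteState, LastSignIn, Verdict -AutoSize

# Export only the removal candidates for sign-off by the sponsoring team.
$report | Where-Object Verdict -in @('NeverRedeemed', 'Stale') |
    Export-Csv -Path .\guest-review.csv -NoTypeInformation

# After sign-off: Remove-MgUser -UserId <Id>. The guest is soft-deleted for 30 days and
# can be restored from Deleted users if a partner turns out to be still active.
```

NoSignInRecorded needs judgement rather than automatic removal: on tenants where sign-in history is short it includes genuinely active guests, so cross-check those against the group owners who invited them before adding them to the list.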

What’s next

That covers external identity. The next post in the Entra ID Security pathway closes the device-and-data theme: BitLocker Self-Service Recovery & Testing — how to validate that the BitLocker key visibility setting from the Device Settings post actually does (or doesn’t) let users recover their own keys, end-to-end.
