Microsoft Entra ID External Identities (formerly part of Azure Active Directory or Azure AD) is a feature that enables organizations to securely collaborate with users outside their organization, such as partners, vendors, contractors, and customers. It’s designed to facilitate secure access to applications and resources for external users while maintaining control, security, and compliance. Microsoft Entra ID External Identities allows organizations to manage external users without creating individual accounts for them in the organization’s primary directory.
In this guide, we’ll cover the core features, functions, and practical usage examples to help beginners understand how Microsoft Entra ID External Identities works and how it can be used effectively.
Key Concepts of Microsoft Entra ID External Identities
- External Identities: External Identities allow you to securely manage and grant access to users from outside your organization, such as business partners, contractors, vendors, or even customers.
- Guest User Access (B2B Collaboration): External users can be invited as “guest” users with controlled access to specific resources. This approach is known as Business-to-Business (B2B) Collaboration and allows external users to access internal resources with their own existing credentials.
- Business-to-Consumer (B2C) Identity: Entra ID External Identities also includes B2C scenarios, where external identities are created for customers accessing consumer-facing applications. These external users can sign up with social accounts or emails and access applications designed for customer use.
- Access Control and Conditional Access: Conditional Access policies allow organizations to apply specific security requirements for external users, such as requiring Multi-Factor Authentication (MFA) for high-risk activities.
- Self-Service Sign-Up and Custom User Flows: Organizations can set up self-service registration flows, enabling external users to register for access to applications without admin intervention.
- User Privacy and Consent Management: Entra ID External Identities includes consent screens and privacy settings, enabling users to control what information they share and ensuring compliance with privacy regulations.
Key Features and Functions of Microsoft Entra ID External Identities
1. Guest User Access (B2B Collaboration)
- Purpose: Allows organizations to invite external users as guest users, giving them access to specific internal applications and resources, such as Microsoft Teams, SharePoint, and other organizational tools.
- How It Works: Organizations can send an invitation to an external user’s email address, allowing them to use their own existing credentials (e.g., Microsoft 365 or Google account) to sign in. This reduces the need to create new accounts for external users.
- Controlled Access: Admins can manage permissions, restrict access, and assign guest users to specific groups to control which resources they can access.
Example Usage: A law firm works with external legal consultants on cases. The firm invites the consultants as guest users in Microsoft Teams, granting them access to specific channels and documents related to each case. Consultants can use their existing work credentials to log in and collaborate securely without creating a new account.
2. Self-Service Sign-Up and Custom User Flows
- Purpose: Enables external users to sign up for access without needing an invitation, streamlining the registration process.
- How It Works: Organizations can set up custom self-service sign-up pages with branding and customizable fields. Users can register themselves, provide relevant details, and verify their email or phone number.
- Flexible Customization: Organizations can customize the sign-up experience with their logo, colors, and messages, creating a cohesive brand experience for external users.
Example Usage: A software company offers a self-service sign-up for prospective customers who want to try their software product. When customers register, they complete a form, verify their email, and gain limited access to a demo version of the product. The company can manage the users’ access and revoke it when the trial period ends.
3. Conditional Access Policies for External Users
- Purpose: Enforces security requirements based on specific conditions, such as requiring MFA or blocking access from certain locations or devices.
- How It Works: Admins can apply Conditional Access policies specifically for external users, defining which resources they can access under certain conditions.
- Enhanced Security: Conditional Access ensures that external users meet security standards without complicating access for trusted users.
Example Usage: A healthcare organization shares sensitive data with external researchers. Conditional Access policies require external users to complete MFA if they are accessing resources from outside the organization’s trusted IP range, ensuring that only verified users can access the data.
4. Multi-Factor Authentication (MFA) for External Identities
- Purpose: Adds an additional layer of security by requiring external users to authenticate with a second factor (e.g., SMS code, email, or app-based code).
- How It Works: Admins can enforce MFA policies for guest users, requiring them to verify their identity before accessing sensitive resources.
- Selective Application: MFA can be configured based on the user group, resource type, or sign-in risk level.
Example Usage: A finance company invites external auditors to access financial records. To protect sensitive data, the company enforces MFA for all external users accessing the records, ensuring only verified users can log in.
5. Identity Governance and Access Reviews
- Purpose: Allows organizations to conduct regular reviews of guest user access, ensuring external users only have access to what they need.
- How It Works: Admins can set up periodic access reviews, where designated reviewers confirm whether specific guest users still need access to resources.
- Automated Notifications: Entra ID sends notifications to reviewers, allowing them to approve or deny access for guest users who no longer require it.
Example Usage: A consulting company works with multiple partners on different projects. To maintain security, the company performs quarterly access reviews for each project, reviewing access for all external users to ensure only necessary users retain access. This helps reduce unnecessary exposure and enforces the principle of least privilege.
6. User Consent and Privacy Controls
- Purpose: Ensures that external users understand what information they’re sharing with the organization and helps organizations comply with privacy regulations like GDPR.
- How It Works: During sign-up or when accessing certain applications, users see a consent screen that outlines what data will be shared and how it will be used. They must agree to these terms before proceeding.
- Privacy Compliance: This feature supports compliance with privacy laws, as it allows users to control their personal information and consent to data sharing.
Example Usage: A non-profit organization invites volunteers to access a scheduling application. During the registration process, volunteers are informed that their contact information and availability will be shared with team managers. Volunteers must accept this consent request to proceed.
7. Custom Branding and Theming
- Purpose: Allows organizations to customize the look and feel of sign-in and sign-up experiences for external users, making the experience more consistent with the organization’s brand.
- How It Works: Admins can add a logo, set colors, and add welcome messages on the sign-in and sign-up pages for external users, giving them a branded experience.
- Benefits: A familiar, branded experience builds trust and reassures external users that they’re signing in through a legitimate organization portal.
Example Usage: An online education platform customizes its sign-up page with its logo, colors, and a welcoming message. Prospective students registering for a course see a consistent experience, aligning with the platform’s branding.
8. Reporting and Monitoring of External User Activity
- Purpose: Provides insights into the behavior and activity of external users, enabling admins to monitor access, detect suspicious activity, and respond to security incidents.
- How It Works: Entra ID generates reports on external users’ sign-in activities, risky sign-ins, and access history. Admins can track patterns and investigate anomalies.
- Real-Time Alerts: Administrators can set up alerts to receive notifications for suspicious sign-in attempts by external users.
Example Usage: A company collaborates with external vendors on sensitive projects. IT administrators monitor sign-in reports to track the vendors’ access and detect any unusual sign-in attempts, such as logins from unexpected locations or devices.
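The review described above, scripted against the sign-in log with Microsoft Graph PowerShell. This is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft.Graph module is installed, that the tenant has the license required for sign-in log access through Graph, and that the list of expected vendor countries is the one you define.

```powershell
# Added example: weekly review of guest sign-ins (not part of the original guide).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Sign-in entries on the v1.0 endpoint do not carry the user type, so collect the
# guest account IDs first and filter the sign-ins by them client-side.
$guestIds = @{}
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id |
    ForEach-Object { $guestIds[$_.Id] = $true }

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
           Where-Object { $guestIds.ContainsKey($_.UserId) }

# 1) Guests signing in from a country outside the list the vendors normally work from
#    (assumption: adjust to your contracts).
$expectedCountries = @("US", "CA")
$unexpectedLocation = $signIns |
    Where-Object { $_.Location.CountryOrRegion -notin $expectedCountries } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
                  @{ n = "Country"; e = { $_.Location.CountryOrRegion } }

# 2) Guest accounts with repeated failed sign-ins (errorCode 0 means success);
#    a burst of failures on one account is worth a look.
$repeatedFailures = $signIns |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object UserPrincipalName |
    Where-Object Count -ge 5 |
    Select-Object Name, Count

# 3) Guest sign-ins that Identity Protection scored as medium or high risk.
$riskySignIns = $signIns |
    Where-Object { $_.RiskLevelDuringSignIn -in @("medium", "high") } |
    Select-Object CreatedDateTime, UserPrincipalName, RiskLevelDuringSignIn, RiskState

$unexpectedLocation | Format-Table -AutoSize
$repeatedFailures   | Format-Table -AutoSize
$riskySignIns       | Format-Table -AutoSize
```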
Step-by-Step Guide: Setting Up External Identities in Microsoft Entra ID
Step 1: Inviting Guest Users
- Sign in to the Azure Portal at https://portal.azure.com.
- Navigate to Entra ID: In the left-hand menu, select Microsoft Entra ID > Users.
- Invite a Guest User:
  - Click + New guest user.
  - Choose Invite user and enter the external user’s email address.
  - Add a Name and a Personal message if desired.
  - Click Invite to send the invitation email.
- Assign Access:
  - After inviting the guest user, go to the resource they need access to (e.g., a SharePoint site or Teams channel).
  - Grant them access to the resource with appropriate permissions.
Example: A construction company invites an external architect as a guest user to view project plans on SharePoint. The architect receives an invitation email, logs in with their existing Google account, and accesses the SharePoint folder with view-only permissions.
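The same invitation done with Microsoft Graph PowerShell, with access granted through a group rather than directly on the resource so it can be reviewed and revoked in one place. This is an added example, not code from the original guide; the e-mail address, redirect URL and group ID are placeholders.

```powershell
# Added example: invite a guest and scope their access via a group (not from the original guide).
Connect-MgGraph -Scopes "User.Invite.All", "GroupMember.ReadWrite.All" -NoWelcome

$inviteParams = @{
    InvitedUserEmailAddress = "architect@example.com"                              # placeholder
    InvitedUserDisplayName  = "Example Architect"
    InviteRedirectUrl       = "https://contoso.sharepoint.com/sites/ProjectPlans"  # placeholder site
    SendInvitationMessage   = $true                                                # Entra sends the e-mail
    InvitedUserMessageInfo  = @{ CustomizedMessageBody = "Accept this invitation to view the project plans." }
}
$invitation = New-MgInvitation @inviteParams
$guestId    = $invitation.InvitedUser.Id

# The group is what actually holds the view-only permission on the SharePoint site
# (placeholder ID). Adding the guest to it is the only access grant this script makes.
$viewersGroupId = "00000000-0000-0000-0000-000000000000"
New-MgGroupMember -GroupId $viewersGroupId -DirectoryObjectId $guestId

# Verify: the account is a Guest and stays PendingAcceptance until the invitation is redeemed.
Get-MgUser -UserId $guestId -Property DisplayName, UserPrincipalName, UserType, ExternalUserState |
    Select-Object DisplayName, UserPrincipalName, UserType, ExternalUserState
```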
Step 2: Configuring Conditional Access for External Users
- Go to Conditional Access: In Microsoft Entra ID, select Security > Conditional Access.
- Create a New Policy: Click + New policy.
  - Name the policy, for example, “External User MFA.”
- Configure Assignments:
  - Under Users and groups, select Guest or external users.
  - Specify which applications or resources this policy applies to (e.g., SharePoint, Teams).
- Define Conditions:
  - Set conditions based on device type, location, or sign-in risk.
- Set Access Controls:
  - Under Grant, select Require multi-factor authentication.
- Enable Policy: Toggle the Enable policy switch to On and save the policy.
Example: An engineering company requires external contractors to complete MFA whenever they log in from outside the company’s headquarters. This adds a layer of security for contractors accessing sensitive data.
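The policy from this step created through Microsoft Graph PowerShell, in report-only state first so its effect can be checked in the sign-in log before it is enforced. This is an added example, not code from the original guide; it assumes the headquarters network is already defined as a trusted named location, and the emergency-access group ID is a placeholder.

```powershell
# Added example: "External User MFA" policy via Graph (not from the original guide).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: always exclude emergency accounts

$policy = @{
    displayName = "External User MFA"
    # Report-only first; change to "enabled" once the sign-in log shows the expected matches.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Equivalent of the portal's "Guest or external users" selector.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,otherExternalUser"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
            excludeGroups = @($breakGlassGroupId)
        }
        # "Office365" covers SharePoint and Teams as one cloud app.
        applications = @{ includeApplications = @("Office365") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # headquarters must be a trusted named location
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```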
Step 3: Setting Up Self-Service Sign-Up for External Users
- Navigate to External Identities: In Microsoft Entra ID, select External Identities > Self-service sign-up.
- Create a User Flow:
  - Choose the application or resource you want external users to access.
  - Configure custom fields in the sign-up form, such as name, company, and email.
- Customize Branding:
  - Add your organization’s logo, colors, and custom text to match your branding.
- Set Verification Requirements: Require users to verify their email or phone during sign-up.
- Publish and Share: Save the self-service sign-up settings and provide the sign-up link to users.
Example: A tech company offers a self-service sign-up for partners interested in its partner portal. The sign-up form includes company name and role fields, and users must verify their email before accessing the portal.
Benefits of Microsoft Entra ID External Identities
- Enhanced Security: Conditional Access and MFA ensure external users meet security requirements, reducing the risk of unauthorized access.
- Streamlined Collaboration: Guest users can access necessary resources using their own credentials, allowing seamless collaboration without creating new accounts.
- Improved User Experience: Self-service sign-up and customized branding offer external users a familiar and streamlined experience.
- Compliance and Privacy: User consent, privacy controls, and access reviews enable organizations to meet compliance requirements while respecting user privacy.
Microsoft Entra ID External Identities offers a powerful, secure, and user-friendly way for organizations to manage and secure external access. With guest access, conditional access policies, self-service sign-up, and privacy controls, organizations can collaborate with external users confidently while maintaining control and compliance. This setup not only facilitates secure external collaboration but also strengthens security by applying consistent policies across both internal and external users.
