Lab 05: B2B Guest User Management
Overview
| Attribute | Value |
|---|---|
| Difficulty | Intermediate |
| Time | 45-60 minutes |
| Entra ID License | Free (basic) / P1 (advanced) |
| AZ-104 Relevance | High - External collaboration |
Learning Objectives
After completing this lab, you will be able to:
- Invite external guest users to your Entra ID tenant
- Configure external collaboration settings
- Manage guest user access and permissions
- Apply conditional access policies to guest users
- Understand guest user limitations and capabilities
Scenario
Your organization needs to collaborate with external partners:
- A consultant from a partner company needs access to a specific resource group
- A vendor needs to access a shared Storage Account
- You need to control what guests can see and do in your directory
Prerequisites
- Azure subscription with Owner or User Administrator access
- Access to Microsoft Entra admin center
- An external email address (can be personal email for testing)
- [Optional] Entra ID P1 for conditional access tasks
Tasks
Task 1: Review External Collaboration Settings
Objective: Understand and configure who can invite guests to your tenant.
What to do:
- Navigate to the External Identities settings in Entra ID
- Review the current "Guest invite settings"
- Note the default restrictions for guest users
- Document the current configuration
Validation:
- [ ] You can identify the current guest invite policy (who can invite)
- [ ] You can explain the "Guest user access restrictions" options
- [ ] You understand "Collaboration restrictions" (allow/deny domains)
Task 2: Configure Collaboration Restrictions (Optional)
Objective: Restrict guest invitations to specific email domains.
What to do:
- Open External Identities > External collaboration settings
- Under "Collaboration restrictions", allow invitations only to specific domains (e.g., partner.com)
- Save the configuration
Validation:
- [ ] Collaboration restrictions show "Allow invitations only to the specified domains"
- [ ] Your allowed domain(s) are listed
Note: For this lab, you may want to keep "Allow invitations to any domain" so the remaining tasks can be tested.
Task 3: Invite a Guest User
Objective: Invite an external user to your tenant via the Azure portal.
What to do:
- Navigate to Microsoft Entra ID > Users
- Invite a new guest user
- Use an external email address (can be personal)
- Add a personal message explaining the invitation
- Send the invitation
Validation:
- [ ] Guest user appears in your user list
- [ ] User type shows as "Guest"
- [ ] User source shows as "Invited user"
- [ ] Invitation state shows as "PendingAcceptance"
Task 4: Examine Guest User Properties
Objective: Understand how guest users differ from member users.
What to do:
- Open the guest user's profile
- Review the Properties tab
- Note the differences from a regular member user
- Check the "Assigned roles" and "Groups" tabs
Validation:
- [ ] User principal name format includes `#EXT#`
- [ ] Email shows original external email
- [ ] Source shows "External Microsoft Entra ID" or "Microsoft account"
- [ ] No directory roles assigned (by default)
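Added example (not part of the original lab) tying Task 2 and Task 4 together: it recovers the original external address from the `#EXT#` UPN convention and evaluates an invitation against a collaboration allow or deny list. The sample UPNs and domain lists are constructed; the `_`-for-`@` decoding is a heuristic, and the user's mail attribute remains the authoritative value.

```python
from typing import List, Optional

# Guest UPNs follow the convention seen in Task 4: the invited address
# "jdoe@partner.com" becomes "jdoe_partner.com#EXT#@<tenant>.onmicrosoft.com".
# Sample values in the tests are constructed for this lab.
EXT_MARKER = "#EXT#"

def external_email_from_upn(upn: str) -> Optional[str]:
    """Recover the original external address from a guest UPN.

    Returns None for a UPN without the #EXT# marker (a member user). The last
    '_' before the marker is treated as the encoded '@' (heuristic: local parts
    may contain underscores, registered domains do not)."""
    if EXT_MARKER not in upn:
        return None
    encoded, _tenant_part = upn.split(EXT_MARKER, 1)
    local, sep, domain = encoded.rpartition("_")
    if not sep or not local or "." not in domain:
        raise ValueError(f"unexpected guest UPN format: {upn}")
    return f"{local}@{domain}"

def home_tenant_domain(upn: str) -> str:
    """The inviting tenant's domain, i.e. everything after the final '@'."""
    return upn.rsplit("@", 1)[1]

def invitation_allowed(email: str, allow: Optional[List[str]] = None,
                       deny: Optional[List[str]] = None) -> bool:
    """Mirror the 'Collaboration restrictions' setting from Task 2: an allow
    list permits only the listed domains, a deny list permits everything else,
    and neither means any domain. The portal offers one mode at a time."""
    if allow and deny:
        raise ValueError("configure either an allow list or a deny list, not both")
    domain = email.rsplit("@", 1)[1].lower()
    if allow:
        return domain in {d.lower() for d in allow}
    if deny:
        return domain not in {d.lower() for d in deny}
    return True
```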
Task 5: Accept the Guest Invitation
Objective: Experience the guest acceptance flow.
What to do:
- Check the email inbox of the invited user
- Find the invitation email from Microsoft
- Click "Accept invitation" in the email
- Complete the consent process
- Verify the user can access the Azure portal
Validation:
- [ ] Invitation email received
- [ ] User can successfully accept invitation
- [ ] User can sign in to portal.azure.com
- [ ] User sees your tenant in their directory list
Task 6: Grant Guest User Resource Access
Objective: Give the guest user RBAC permissions to specific Azure resources.
What to do:
- Create a new Resource Group named `rg-guest-collaboration`
- Navigate to the resource group's Access Control (IAM)
- Add the guest user as a "Reader" on this resource group
- Verify the assignment
Validation:
- [ ] Role assignment shows guest user with Reader role
- [ ] Guest user appears with their external email in the assignment list
- [ ] Guest user (when signed in) can view the resource group
Task 7: Add Guest to a Security Group
Objective: Use group membership to manage guest access.
What to do:
- Create a security group named `sg-external-partners`
- Add the guest user as a member
- Assign the group "Contributor" role on a Storage Account
- Verify guest inherits access through group membership
Validation:
- [ ] Guest user is a member of sg-external-partners
- [ ] Group has Contributor role on Storage Account
- [ ] Guest user can access the Storage Account (inherited permission)
Task 8: Conditional Access for Guests (Requires P1)
Objective: Create a policy that specifically targets guest users.
What to do:
- Navigate to Conditional Access policies
- Create a new policy named "CA-Guest-MFA-Required"
- Target: All guest and external users
- Conditions: All cloud apps
- Grant: Require MFA
- Enable the policy in Report-only mode
Validation:
- [ ] Policy targets "All guest and external users" specifically
- [ ] Grant control requires MFA
- [ ] Policy is in Report-only mode
- [ ] Sign-in logs show that the policy would have applied (report-only result)
Task 9: Review Guest User Activity
Objective: Monitor and audit guest user sign-ins.
What to do:
- Navigate to Microsoft Entra ID > Sign-in logs
- Filter by User type = "Guest"
- Review sign-in attempts from guest users
- Check for any failures or policy applications
Validation:
- [ ] Can filter sign-in logs by guest user type
- [ ] Guest user's sign-in appears in logs
- [ ] Can identify the application accessed
- [ ] Can see if conditional access policies were applied
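Added example (not from the original lab) that performs the Task 9 review over exported sign-in records: it keeps guest sign-ins, counts failures, lists the applications reached, and reports whether the report-only policy from Task 8 matched. The records below are constructed; the field names follow the Entra sign-in log schema, but every value is made up.

```python
from collections import Counter
from typing import Dict, List, Optional

# Constructed sign-in records. Field names (userType, appDisplayName,
# status.errorCode, appliedConditionalAccessPolicies with reportOnly* results)
# follow the real log schema; the values are invented for this lab.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "jdoe_partner.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA-Guest-MFA-Required", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "jdoe_partner.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 50126},  # non-zero error code = failed sign-in
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "alice@contoso.onmicrosoft.com",
     "userType": "Member", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": []},
]

# Report-only results meaning the policy matched the sign-in; reportOnlyFailure
# means the user would not have satisfied the grant control (MFA here).
REPORT_ONLY_MATCHED = {"reportOnlySuccess", "reportOnlyFailure", "reportOnlyInterrupted"}

def policy_result(record: dict, policy_name: str) -> Optional[str]:
    """Result recorded for one named policy on one sign-in, or None."""
    for p in record.get("appliedConditionalAccessPolicies", []):
        if p.get("displayName") == policy_name:
            return p.get("result")
    return None

def triage_guest_signins(records: List[dict], policy_name: str) -> Dict:
    """Filter to userType == Guest (the Task 9 filter) and summarise."""
    guests = [r for r in records if r.get("userType", "").lower() == "guest"]
    outcomes = [policy_result(r, policy_name) for r in guests]
    matched = [o for o in outcomes if o in REPORT_ONLY_MATCHED]
    return {
        "guest_signins": len(guests),
        "failures": sum(1 for r in guests if r["status"]["errorCode"] != 0),
        "apps": dict(Counter(r["appDisplayName"] for r in guests)),
        "policy_would_apply": len(matched),
        "policy_would_have_blocked": matched.count("reportOnlyFailure"),
    }
```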
Task 10: Remove Guest User Access
Objective: Properly offboard a guest user.
What to do:
- Remove the guest user from all groups
- Remove direct role assignments
- Delete the guest user from the directory
- Verify no orphaned permissions remain
Validation:
- [ ] Guest user removed from sg-external-partners group
- [ ] No role assignments remain for the guest
- [ ] Guest user deleted from Entra ID
- [ ] Guest cannot access any resources
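Added example (not part of the original lab) that models Task 10 over a constructed directory snapshot: it builds the offboarding plan for the guest, then shows why the order matters. Azure RBAC keeps a role assignment after its principal is deleted and displays it as "Identity not found", which is exactly the orphaned permission the last validation item asks you to check for. Ids and scopes below are placeholders.

```python
from typing import Dict, List, Set, Tuple

# Constructed directory snapshot (placeholder ids, not real object ids).
GUEST = "guest-jdoe"
PRINCIPALS = {GUEST, "user-alice", "group-sg-external-partners"}
GROUPS = {"group-sg-external-partners": {GUEST, "user-alice"}}
ROLE_ASSIGNMENTS = [
    {"principalId": GUEST, "role": "Reader",
     "scope": "/subscriptions/<sub>/resourceGroups/rg-guest-collaboration"},
    {"principalId": "group-sg-external-partners", "role": "Contributor",
     "scope": "/subscriptions/<sub>/resourceGroups/rg-guest-collaboration"
              "/providers/Microsoft.Storage/storageAccounts/<account>"},
    {"principalId": "user-alice", "role": "Owner", "scope": "/subscriptions/<sub>"},
]

def offboarding_plan(guest: str, groups: Dict[str, Set[str]],
                     assignments: List[dict]) -> Dict[str, list]:
    """Everything that references the guest directly and must go before deletion.
    Group-based access (the Contributor role from Task 7) disappears with the membership."""
    return {
        "group_memberships": sorted(g for g, m in groups.items() if guest in m),
        "direct_assignments": [a for a in assignments if a["principalId"] == guest],
    }

def offboard(guest: str, principals: Set[str], groups: Dict[str, Set[str]],
             assignments: List[dict], remove_assignments: bool = True
             ) -> Tuple[Set[str], Dict[str, Set[str]], List[dict]]:
    """Simulate Task 10. remove_assignments=False deletes the user first,
    the mistake that leaves "Identity not found" RBAC entries behind."""
    groups = {g: m - {guest} for g, m in groups.items()}
    if remove_assignments:
        assignments = [a for a in assignments if a["principalId"] != guest]
    return principals - {guest}, groups, list(assignments)

def orphaned_assignments(principals: Set[str], assignments: List[dict]) -> List[dict]:
    """Role assignments whose principal no longer exists in the directory."""
    return [a for a in assignments if a["principalId"] not in principals]
```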
Cleanup
- Delete resource group `rg-guest-collaboration`
- Delete security group `sg-external-partners`
- Delete conditional access policy "CA-Guest-MFA-Required"
- Delete the guest user (if not done in Task 10)
- Reset external collaboration settings if changed
Key Concepts to Remember
| Concept | Description |
|---|---|
| Guest User | External identity from another tenant or personal account |
| #EXT# | Identifier in UPN indicating external user |
| Invitation Flow | Email invite → Accept → Consent → Access |
| B2B vs B2C | B2B = business partners; B2C = customers/consumers |
| Guest Restrictions | Can limit what guests see in your directory |
| Domain Allow/Deny | Control which external domains can be invited |
Next Steps
- Explore B2B direct connect for cross-tenant Teams collaboration
- Review access reviews to periodically validate guest access
- Implement entitlement management for self-service access requests