
Lab 05: B2B Guest Users - Portal Solution


Task 1: Review External Collaboration Settings

Step-by-Step Portal Walkthrough

Navigate to External Identities:

  1. Go to Microsoft Entra admin center
  2. Expand Identity in the left menu
  3. Click External Identities
  4. Click External collaboration settings

Review Guest Invite Settings:

| Setting | Options | Description |
| --- | --- | --- |
| Guest invite restrictions | No one / Admins only / Members + specific admin roles / Anyone | Controls who can invite guests |

Current options:

  • No one in the organization can invite guest users - Most restrictive
  • Only users assigned to specific admin roles - Admin-controlled
  • Member users and users assigned to specific admin roles - Balanced
  • Anyone in the organization can invite guests - Least restrictive

Review Guest User Access Restrictions:

| Setting | What guests can see |
| --- | --- |
| Most inclusive | Same as members (all users, groups, etc.) |
| Limited | Only their own profile plus members of groups they belong to |
| Most restrictive | Only their own profile |

Document current settings by taking a screenshot or noting:

  • Who can invite guests
  • What guests can see in the directory
  • Any collaboration restrictions
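The same three settings can be read back from Microsoft Graph, which gives you a text record instead of a screenshot and lets you re-check the tenant later. This is an added example using the Microsoft Graph PowerShell SDK; it is not part of the lab. It assumes the SDK is installed and that the signed-in account can consent to Policy.Read.All. The GUID-to-label mapping uses the well-known guestUserRoleId values documented for the authorizationPolicy resource; the output file name is an arbitrary choice.

```powershell
# Added example (not part of the lab): read the External collaboration settings
# from Microsoft Graph instead of the portal.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policy = Get-MgPolicyAuthorizationPolicy

# Portal labels for the Graph values. The guestUserRoleId GUIDs are the
# documented well-known values for the authorizationPolicy resource.
$inviteLabels = @{
    'none'                             = 'No one in the organization can invite guest users'
    'adminsAndGuestInviters'           = 'Only users assigned to specific admin roles'
    'adminsGuestInvitersAndAllMembers' = 'Member users and users assigned to specific admin roles'
    'everyone'                         = 'Anyone in the organization can invite guests'
}
$accessLabels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Most inclusive (same as members)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Most restrictive (own profile only)'
}

$report = [pscustomobject]@{
    WhoCanInvite             = $inviteLabels[[string]$policy.AllowInvitesFrom]
    GuestDirectoryAccess     = $accessLabels[[string]$policy.GuestUserRoleId]
    EmailVerifiedSelfService = $policy.AllowEmailVerifiedUsersToJoinOrganization
    CapturedUtc              = (Get-Date).ToUniversalTime().ToString('u')
}
$report | Format-List

# Flag the two settings a reviewer would push back on first.
if ($policy.AllowInvitesFrom -eq 'everyone') {
    Write-Warning 'Any user, including existing guests, can invite further guests.'
}
if ($policy.GuestUserRoleId -eq 'a0b1b346-4d3e-4e8b-98f8-753987be4970') {
    Write-Warning 'Guests can enumerate the full directory (same access as members).'
}

# Keep a copy as the Task 1 record (file name is an arbitrary choice)
$report | ConvertTo-Json | Set-Content -Path .\task1-external-collab-settings.json
```

AllowEmailVerifiedUsersToJoinOrganization is worth recording alongside the two portal settings: it controls self-service sign-up by email-verified users, which the portal page does not show next to the invite settings.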

Task 2: Configure Collaboration Restrictions

Step-by-Step Portal Walkthrough

  1. In External collaboration settings
  2. Scroll to Collaboration restrictions
  3. Select "Allow invitations only to the specified domains"
  4. Click Target domains
  5. Add your partner domains:
    partner.com
    contoso.com
  6. Click Save

Screenshot what you see:

  • Radio button selected for domain restrictions
  • List of allowed domains

Lab Note: the allow list is evaluated only when an invitation is sent; guests already in the directory are not affected by it. The gmail.com address used in Task 3 is not on this list, so to continue with the tasks below you may want to temporarily set this back to "Allow invitations to be sent to any domain".


Task 3: Invite a Guest User

Step-by-Step Portal Walkthrough

Navigate to Users:

  1. Go to Azure Portal
  2. Search for "Microsoft Entra ID"
  3. Click Users in the left menu
  4. Click + New user dropdown
  5. Select Invite external user

Fill in the invitation form:

| Field | Value |
| --- | --- |
| Email | your-external-email@gmail.com (or any external email) |
| Display name | External Partner User |
| Personal message | "Welcome! You're being invited to collaborate on Project Alpha" |

Additional Settings (expand):

  • First name: External
  • Last name: Partner
  • Job title: Consultant
  • Company name: Partner Corp
  1. Click Invite

Verify the invitation:

  1. Go back to Users > All users
  2. Search for the guest user
  3. Confirm you see:
    • User type: Guest
    • Source: Invited user

Task 4: Examine Guest User Properties

Step-by-Step Portal Walkthrough

  1. Click on the guest user to open their profile
  2. Review the Properties tab

Key differences from member users:

| Property | Guest user example |
| --- | --- |
| User principal name | external_gmail.com#EXT#@yourtenant.onmicrosoft.com |
| Email | external@gmail.com |
| User type | Guest |
| Source | External Microsoft Entra ID or Microsoft account |
| Creation type | Invitation |
  1. Click Assigned roles tab

    • Should be empty (no admin roles)
  2. Click Groups tab

    • Should be empty (not added to any groups yet)
  3. Click Sign-in logs tab (if available)

    • May show "No sign-in activity" since they haven't accepted yet
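Tasks 3 and 4 map onto two Graph calls: New-MgInvitation creates the guest object and sends the mail, and Get-MgUser returns the guest-specific properties the portal shows on the Properties tab. The block below is an added example using the Microsoft Graph PowerShell SDK, not code from the lab. The email address, display name and redirect URL are placeholders taken from the lab's form values; ExternalUserState is the property the portal does not surface directly and stays at PendingAcceptance until Task 5 is completed.

```powershell
# Added example (not the lab's own code) for Tasks 3 and 4.
Connect-MgGraph -Scopes 'User.Invite.All','User.ReadWrite.All','Directory.Read.All' -NoWelcome

# Task 3: the invitation form. SendInvitationMessage makes Graph send the mail;
# the redirect URL is where "Accept invitation" lands the guest afterwards.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress 'your-external-email@gmail.com' `
    -InvitedUserDisplayName  'External Partner User' `
    -InviteRedirectUrl       'https://portal.azure.com' `
    -SendInvitationMessage:$true `
    -InvitedUserMessageInfo  @{ CustomizedMessageBody = "Welcome! You're being invited to collaborate on Project Alpha" }

$guestId = $invitation.InvitedUser.Id

# The optional fields under "Additional settings"
Update-MgUser -UserId $guestId -GivenName 'External' -Surname 'Partner' `
    -JobTitle 'Consultant' -CompanyName 'Partner Corp'

# Task 4: the properties that distinguish a guest from a member.
# Graph only returns what you ask for, so list them explicitly.
$guest = Get-MgUser -UserId $guestId `
    -Property Id,UserPrincipalName,Mail,UserType,CreationType,ExternalUserState,Identities
$guest | Select-Object UserPrincipalName, Mail, UserType, CreationType, ExternalUserState

# Identities shows which issuer actually authenticates this object
# (the invited tenant, a Microsoft account, or mail one-time passcode).
$guest.Identities | Select-Object SignInType, Issuer, IssuerAssignedId

# "Assigned roles" and "Groups" tabs: both should come back empty for a fresh guest
$memberOf = @(Get-MgUserMemberOf -UserId $guestId)
"Directory roles and groups: $($memberOf.Count)"
```

UserPrincipalName comes back in the external_gmail.com#EXT#@yourtenant.onmicrosoft.com form shown in the table above; Mail keeps the address that was invited, which is what you see when selecting the guest in IAM later.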

Task 5: Accept the Guest Invitation

Step-by-Step Walkthrough (as the Guest)

Check the invitation email:

  1. Log into the email account you invited
  2. Find email from "Microsoft Invitations" or "Microsoft on behalf of [Your Company]"
  3. Subject: "You've been added as a guest to [Tenant Name]"

Accept the invitation:

  1. Click Accept invitation button in the email
  2. Sign in with your external account (or create Microsoft account if needed)
  3. Review the permissions being requested
  4. Click Accept on the consent screen

Verify access as the guest:

  1. Go to portal.azure.com
  2. Click your profile icon (top right)
  3. Click Switch directory
  4. You should see the inviting tenant listed
  5. Select it to access resources

Task 6: Grant Guest User Resource Access

Step-by-Step Portal Walkthrough

Create a resource group:

  1. Go to Azure Portal
  2. Search for "Resource groups"
  3. Click + Create
  4. Fill in:
    • Subscription: Your subscription
    • Resource group: rg-guest-collaboration
    • Region: East US
  5. Click Review + create > Create

Add role assignment:

  1. Open rg-guest-collaboration
  2. Click Access control (IAM) in the left menu
  3. Click + Add > Add role assignment

Role tab:

  1. Search for Reader
  2. Select Reader
  3. Click Next

Members tab:

  1. Keep User, group, or service principal selected
  2. Click + Select members
  3. Search for your guest user
  4. Select them (you'll see their external email)
  5. Click Select
  6. Click Next

Review + assign:

  1. Review the assignment
  2. Click Review + assign

Verify:

  • Go to IAM > Role assignments tab
  • Guest user should appear with Reader role

Task 7: Add Guest to a Security Group

Step-by-Step Portal Walkthrough

Create the security group:

  1. Go to Microsoft Entra ID > Groups
  2. Click + New group
  3. Fill in:
    • Group type: Security
    • Group name: sg-external-partners
    • Group description: "External partner access group"
    • Membership type: Assigned
  4. Click No members selected
  5. Search for and select your guest user
  6. Click Select
  7. Click Create

Create a Storage Account (for testing):

  1. Search for Storage accounts
  2. Click + Create
  3. Fill in:
    • Resource group: rg-guest-collaboration
    • Storage account name: stguestcollab + random numbers
    • Region: East US
  4. Click Review + create > Create

Assign group role on Storage Account:

  1. Open the new Storage Account
  2. Click Access control (IAM)
  3. Click + Add > Add role assignment
  4. Select Storage Blob Data Contributor
  5. Click Next
  6. Click + Select members
  7. Search for sg-external-partners (the GROUP, not the user)
  8. Select the group
  9. Click Select > Next > Review + assign

Verify inherited access:

  • Guest user is member of the group
  • Group has role on Storage Account
  • Therefore, guest inherits access through group membership
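Tasks 6 and 7 together build the two access paths (a direct Reader assignment and a group-inherited Storage Blob Data Contributor assignment), and Get-AzRoleAssignment with -ExpandPrincipalGroups is the single check that shows both. The block below is an added example using the Az PowerShell module, not the lab's own code. The guest UPN is a placeholder; replace it with the #EXT# value from Task 4. Group, resource group and storage names follow the lab, and the random suffix is only there to satisfy the global-uniqueness rule for storage account names.

```powershell
# Added example (not the lab's own code) for Tasks 6 and 7 with the Az module.
Connect-AzAccount

# Placeholder UPN: use the #EXT# value shown in Task 4
$guest = Get-AzADUser -UserPrincipalName 'your-external-email_gmail.com#EXT#@yourtenant.onmicrosoft.com'
$rg    = New-AzResourceGroup -Name 'rg-guest-collaboration' -Location 'eastus'

# Task 6: direct assignment, Reader on the resource group
New-AzRoleAssignment -ObjectId $guest.Id -RoleDefinitionName 'Reader' `
    -ResourceGroupName $rg.ResourceGroupName | Out-Null

# Task 7: security group with the guest as its only member
$group = New-AzADGroup -DisplayName 'sg-external-partners' -MailNickname 'sg-external-partners' `
    -Description 'External partner access group' -SecurityEnabled
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $guest.Id

# Storage account for testing; the name must be globally unique and lowercase
$saName = 'stguestcollab' + (Get-Random -Minimum 1000 -Maximum 9999)
$sa = New-AzStorageAccount -ResourceGroupName $rg.ResourceGroupName -Name $saName `
    -Location 'eastus' -SkuName 'Standard_LRS' -Kind 'StorageV2' -AllowBlobPublicAccess $false

# Data-plane role goes to the GROUP, scoped to this one storage account
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $sa.Id | Out-Null

# Verify inherited access: -ExpandPrincipalGroups lists the assignments the guest
# receives through group membership next to the direct Reader assignment
Get-AzRoleAssignment -ObjectId $guest.Id -ExpandPrincipalGroups |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

If New-AzRoleAssignment reports that the principal does not exist immediately after the group is created, wait a few seconds and re-run that line; the new object has not finished replicating yet. -AllowBlobPublicAccess $false is not required by the lab but is the setting you want on any account a guest can write to.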

Task 8: Conditional Access for Guests

Step-by-Step Portal Walkthrough (requires a Microsoft Entra ID P1 or P2 license)

  1. Go to Microsoft Entra ID > Security > Conditional Access
  2. Click + Create new policy

Configure the policy:

| Setting | Configuration |
| --- | --- |
| Name | CA-Guest-MFA-Required |

Assignments > Users:

  1. Under "Include", select Select users and groups
  2. Check Guest or external users (older portal versions label this All guest and external users) and leave every guest type selected
  3. Click Done

Assignments > Target resources:

  1. Under "Include", select All cloud apps

Grant:

  1. Click Grant
  2. Select Grant access
  3. Check Require multifactor authentication
  4. Click Select

Enable policy:

  1. Set Enable policy to Report-only
  2. Click Create

Verify:

  • Policy shows in the policy list
  • Status shows "Report-only"
  • When the guest signs in, open the entry's Conditional Access tab in Sign-in logs: a matching report-only policy shows Report-only: Success (MFA was satisfied) or Report-only: Failure / User action required (the sign-in would have been blocked or prompted if enforced); Report-only: Not applied means the sign-in did not match the policy's assignments, so re-check the user and app scope
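The same policy as a Graph request makes the assignment explicit: the guest types are a flag list, the external-tenant scope is a separate object, and "Report-only" is the state enabledForReportingButNotEnforced. This is an added example using the Microsoft Graph PowerShell SDK, not the lab's own code. The emergency-access account lookup is an assumption the lab does not mention (its UPN is a placeholder); excluding such an account is standard practice for any policy that requires MFA, and the lookup is written so the policy is still created when no such account exists.

```powershell
# Added example (not the lab's own code): Task 8 as a Graph request.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All' -NoWelcome

# Assumption: an emergency-access account to exclude. Placeholder UPN; if the
# account does not exist the exclusion list is simply empty.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@yourtenant.onmicrosoft.com'"

$body = @{
    displayName = 'CA-Guest-MFA-Required'
    state       = 'enabledForReportingButNotEnforced'   # the portal's "Report-only"
    conditions  = @{
        users = @{
            # "Guest or external users": every guest type, from any external tenant
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider'
                externalTenants = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                    membershipKind = 'all'
                }
            }
            excludeUsers = @($breakGlass.Id | Where-Object { $_ })
        }
        applications = @{ includeApplications = @('All') }   # "All cloud apps"
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# Verify: leave it in this state until the sign-in logs show the expected
# report-only results, then change state to 'enabled'
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State, CreatedDateTime
```

Switching the policy on later is an Update-MgIdentityConditionalAccessPolicy call with `-State enabled`; the conditions do not need to be resubmitted.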

Task 9: Review Guest User Activity

Step-by-Step Portal Walkthrough

Access Sign-in logs:

  1. Go to Microsoft Entra ID > Sign-in logs
  2. Click Add filters
  3. Select User type
  4. Click Apply
  5. Select Guest
  6. Click Apply

Review guest sign-ins: For each sign-in entry, you can see:

  • Date and time
  • User (guest email)
  • Application accessed
  • Status (Success/Failure)
  • Conditional Access policies applied

Check a specific sign-in:

  1. Click on a sign-in entry
  2. Review:
    • Basic info tab: Status, IP, location
    • Location tab: Where they signed in from
    • Device info tab: Browser, OS
    • Conditional Access tab: Which policies were evaluated
    • Authentication Details tab: MFA method used (if any)
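The portal filter in this task is a client-side view; the same data is available from the signIns endpoint, where each entry carries one result per evaluated Conditional Access policy, which is exactly where the report-only outcome from Task 8 shows up. The block below is an added example using the Microsoft Graph PowerShell SDK, not the lab's own code. The guest's email address is a placeholder, and the policy name in the triage filter is the one from Task 8.

```powershell
# Added example (not the lab's own code): Task 9 from the signIns endpoint.
Connect-MgGraph -Scopes 'AuditLog.Read.All','User.Read.All' -NoWelcome

# Placeholder address: the guest invited in Task 3
$guest = Get-MgUser -Filter "mail eq 'your-external-email@gmail.com' and userType eq 'Guest'" |
    Select-Object -First 1

# Sign-in logs filtered to this guest (most recent first)
$signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($guest.Id)'" -Top 50

# The columns the portal shows, plus the per-policy CA result
$signIns | ForEach-Object {
    $s = $_
    [pscustomobject]@{
        When     = $s.CreatedDateTime
        App      = $s.AppDisplayName
        Result   = $(if ($s.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($s.Status.ErrorCode))" })
        IP       = $s.IPAddress
        Country  = $s.Location.CountryOrRegion
        Browser  = $s.DeviceDetail.Browser
        CAStatus = $s.ConditionalAccessStatus
        # One entry per evaluated policy. A report-only policy reports
        # reportOnlySuccess, reportOnlyFailure, reportOnlyInterrupted or
        # reportOnlyNotApplied instead of success/failure/notApplied.
        Policies = ($s.AppliedConditionalAccessPolicies |
                      ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
    }
} | Format-Table -AutoSize

# Triage: sign-ins the Task 8 policy matched where MFA was NOT satisfied.
# These are the sessions that would have been interrupted once the policy is enforced.
$signIns | Where-Object {
    $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq 'CA-Guest-MFA-Required' -and $_.Result -eq 'reportOnlyFailure' }
} | Select-Object CreatedDateTime, AppDisplayName, IPAddress
```

If every row shows reportOnlyNotApplied for the policy, the guest is not in scope (wrong user type or app scope); that is the signal to fix the assignment before enabling the policy, not a sign that the guest satisfied MFA.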

Task 10: Remove Guest User Access

Step-by-Step Portal Walkthrough

Remove from groups:

  1. Go to Microsoft Entra ID > Groups
  2. Open sg-external-partners
  3. Click Members
  4. Select the guest user
  5. Click Remove
  6. Confirm removal

Remove direct role assignments:

  1. Go to rg-guest-collaboration resource group
  2. Click Access control (IAM)
  3. Click Role assignments tab
  4. Find the guest user's Reader assignment
  5. Check the box next to it
  6. Click Remove
  7. Confirm removal

Delete the guest user:

  1. Go to Microsoft Entra ID > Users
  2. Search for the guest user
  3. Click on their name
  4. Click Delete in the top menu
  5. Confirm deletion

Verify cleanup:

  • User no longer appears in Users list
  • No orphaned role assignments remain (assignments left behind when a principal is deleted show up in IAM as Identity not found)
  • Group membership is cleared
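The order in this task matters: role assignments reference the guest by object ID, so deleting the user first leaves assignments that point at a principal that no longer exists. The block below is an added example using the Microsoft Graph PowerShell SDK and the Az module, not the lab's own code; it removes access in the same order as the portal steps and then checks for orphans across the subscription. The guest's email address is a placeholder.

```powershell
# Added example (not the lab's own code): Task 10 in an order that leaves no orphans.
Connect-MgGraph -Scopes 'User.ReadWrite.All','GroupMember.ReadWrite.All' -NoWelcome
Connect-AzAccount

# Placeholder address: the guest invited in Task 3
$guest = Get-MgUser -Filter "mail eq 'your-external-email@gmail.com' and userType eq 'Guest'" |
    Select-Object -First 1
$group = Get-MgGroup -Filter "displayName eq 'sg-external-partners'" | Select-Object -First 1

# 1. Group membership: this also drops the inherited Storage Blob Data Contributor access
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $guest.Id

# 2. Direct Azure RBAC assignments at every scope, BEFORE the object is deleted
Get-AzRoleAssignment -ObjectId $guest.Id | ForEach-Object {
    Remove-AzRoleAssignment -ObjectId $guest.Id -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
}

# 3. The directory object itself (soft-deleted; recoverable for 30 days)
Remove-MgUser -UserId $guest.Id

# Verify: assignments whose principal no longer exists come back with ObjectType 'Unknown'
$orphans = Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq 'Unknown' }
if ($orphans) {
    Write-Warning "Orphaned role assignments found:"
    $orphans | Select-Object ObjectId, RoleDefinitionName, Scope | Format-Table -AutoSize
} else {
    'No orphaned role assignments'
}

# The guest still sits in the recycle bin until purged or 30 days pass
Get-MgDirectoryDeletedItemAsUser | Where-Object { $_.Id -eq $guest.Id } |
    Select-Object DisplayName, Mail, DeletedDateTime
```

Running only the orphan check (the Get-AzRoleAssignment line) on a subscription is a quick audit for guests that were deleted through the portal without the preceding steps; each Unknown row is a permission that will silently become live again if an object with that ID is ever restored.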

Cleanup Summary

| Resource | How to delete |
| --- | --- |
| Resource Group | Resource groups > rg-guest-collaboration > Delete |
| Security Group | Entra ID > Groups > sg-external-partners > Delete |
| CA Policy | Security > Conditional Access > Delete policy |
| Guest User | Already deleted in Task 10 |

Delete resource group (removes Storage Account too):

  1. Go to Resource groups
  2. Click rg-guest-collaboration
  3. Click Delete resource group
  4. Type the name to confirm
  5. Click Delete

Released under the MIT License.