3.2 Identity Management Design

Key Takeaways

  • Three external-identity patterns map to three different scenarios: B2B collaboration (named external individual, guest object created), B2B direct connect (peer-to-peer, mostly Teams shared channels, no guest object), and external tenant/CIAM (consumer sign-up apps).
  • All internal users can invite guests by default — restricting invitations to specific roles requires an explicit configuration change.
  • Guest users get restricted directory permissions by default: they can see their own groups and look up users by exact email, but cannot browse the full directory.
  • Cross-tenant access settings control inbound/outbound B2B access and let a tenant trust a partner's existing MFA/device-compliance claims to avoid redundant challenges.
  • B2B direct connect is blocked for all external tenants until an administrator explicitly configures cross-tenant access settings to allow it.
Last updated: July 2026

Why External Identity Design Matters on AZ-305

Almost every enterprise Azure environment eventually needs to grant access to people outside its own tenant — a contractor, an auditor, a partner organization, or an app's own customers. AZ-305 tests whether you can pick the right external-identity pattern for a scenario rather than defaulting to "just invite them as a guest" every time. Over-provisioning guest accounts creates licensing costs and audit sprawl; under-provisioning forces users into shared credentials, which is a security anti-pattern the exam expects you to reject.

Microsoft Entra External ID: Three Patterns

Microsoft Entra External ID is the umbrella term for identity solutions involving people outside your own directory. AZ-305 design questions map to three distinct patterns:

PatternUse caseGuest object created in your tenant?
B2B collaborationInvite a named external user (contractor, partner employee) to sign in with their home organization's credentials and access specific resourcesYes — a guest user object
B2B direct connectEnable seamless, mutual collaboration between two Microsoft Entra tenants, primarily for Teams shared channelsNo — no guest object; trust is tenant-to-tenant
External tenant (CIAM)Build a customer-facing application where end users sign up and sign in with social or local accountsNo — customers live in a separate, dedicated external tenant, not your workforce tenant

B2B collaboration is the default answer whenever a scenario names a specific external person who needs access to internal resources like a SharePoint site, an app, or an Azure resource. The external user authenticates with their own organization's identity provider (or creates a Microsoft account), and a guest user object is created in your tenant to hold their permissions.

B2B direct connect is the correct answer when the scenario is about two organizations collaborating as peers — most commonly through Teams shared channels — without either side managing guest accounts for the other's staff. No B2B direct connect trust exists until an administrator on each side explicitly configures cross-tenant access settings to allow it; by default, Entra ID blocks all inbound and outbound B2B direct connect capability.

External tenant (CIAM) is the answer when the scenario describes consumers or customers signing up for an application — not employees of another company. This uses a dedicated external tenant, separate from your workforce Entra ID tenant, and supports social identity providers (Google, Facebook) and local account sign-up flows that would never be appropriate inside a corporate workforce directory.

Guest User Defaults and Cross-Tenant Access Settings

By default, all internal users in a tenant can invite external guests — this is a common exam trap, since architects often assume invitations require an administrator. If a design requirement states "only HR can invite external users," that requires explicitly restricting the "guest invite settings" (or delegating to a specific role), because the out-of-the-box behavior is permissive.

Guest accounts land with restricted directory permissions by default: a guest can see their own group memberships and look up other users by exact email address, but cannot browse the full directory the way a member can. This default is intentional and rarely needs to change for a compliant design.

Cross-tenant access settings control B2B collaboration and B2B direct connect at a granular, per-partner-organization level. An architect can configure:

  • Inbound access — what external users from a specific partner tenant can access in your tenant.
  • Outbound access — what your users can access when visiting a partner tenant.
  • Trust settings — whether to trust the MFA and device-compliance claims a partner tenant already performed, avoiding a redundant second MFA challenge for federated external users.

Exam Scenario

A hospital network needs a visiting specialist from a partner clinic (a separate Entra ID tenant) to access one internal clinical application for the duration of a six-week rotation, using her existing partner-tenant credentials, with no new password to manage. The correct recommendation is B2B collaboration: invite the specialist as a guest, scope her access to only the clinical application (ideally through an access package in entitlement management with an automatic expiration date matching the rotation), and configure cross-tenant access settings to trust the partner tenant's MFA claim so she is not forced through a second MFA enrollment. B2B direct connect would be the wrong answer here because the requirement is a single named individual accessing a specific app — not a Teams shared-channel collaboration between the two organizations as a whole.

Common Traps

  • Reaching for B2B direct connect whenever "another company" is mentioned — it is scoped almost entirely to Teams shared channels, not general resource access.
  • Assuming CIAM (external tenant) is the answer whenever "external users" appears — CIAM is for consumers of a customer-facing app, not partner-company employees needing internal access.
  • Forgetting that guest accounts still consume Entra ID P1/P2 licensing (at a discounted ratio) once premium features like Conditional Access are applied to them — a design that scales to thousands of external users needs to account for this cost.
  • Assuming an administrator must approve every guest invitation — the tenant-wide default allows any member to invite guests unless explicitly restricted.
Test Your Knowledge

A retail company is building a new mobile app where the general public will create accounts and sign in using their Google or Facebook credentials. Which Microsoft Entra identity pattern should the architecture recommend?

A
B
C
D
Test Your Knowledge

By default, which statement about Microsoft Entra B2B direct connect is accurate?

A
B
C
D