3.2 Identity Management Design
Key Takeaways
- Three external-identity patterns map to three different scenarios: B2B collaboration (named external individual, guest object created), B2B direct connect (peer-to-peer, mostly Teams shared channels, no guest object), and external tenant/CIAM (consumer sign-up apps).
- All internal users can invite guests by default — restricting invitations to specific roles requires an explicit configuration change.
- Guest users get restricted directory permissions by default: they can see their own groups and look up users by exact email, but cannot browse the full directory.
- Cross-tenant access settings control inbound/outbound B2B access and let a tenant trust a partner's existing MFA/device-compliance claims to avoid redundant challenges.
- B2B direct connect is blocked for all external tenants until an administrator explicitly configures cross-tenant access settings to allow it.
Why External Identity Design Matters on AZ-305
Almost every enterprise Azure environment eventually needs to grant access to people outside its own tenant — a contractor, an auditor, a partner organization, or an app's own customers. AZ-305 tests whether you can pick the right external-identity pattern for a scenario rather than defaulting to "just invite them as a guest" every time. Over-provisioning guest accounts creates licensing costs and audit sprawl; under-provisioning forces users into shared credentials, which is a security anti-pattern the exam expects you to reject.
Microsoft Entra External ID: Three Patterns
Microsoft Entra External ID is the umbrella term for identity solutions involving people outside your own directory. AZ-305 design questions map to three distinct patterns:
| Pattern | Use case | Guest object created in your tenant? |
|---|---|---|
| B2B collaboration | Invite a named external user (contractor, partner employee) to sign in with their home organization's credentials and access specific resources | Yes — a guest user object |
| B2B direct connect | Enable seamless, mutual collaboration between two Microsoft Entra tenants, primarily for Teams shared channels | No — no guest object; trust is tenant-to-tenant |
| External tenant (CIAM) | Build a customer-facing application where end users sign up and sign in with social or local accounts | No — customers live in a separate, dedicated external tenant, not your workforce tenant |
B2B collaboration is the default answer whenever a scenario names a specific external person who needs access to internal resources like a SharePoint site, an app, or an Azure resource. The external user authenticates with their own organization's identity provider (or creates a Microsoft account), and a guest user object is created in your tenant to hold their permissions.
B2B direct connect is the correct answer when the scenario is about two organizations collaborating as peers — most commonly through Teams shared channels — without either side managing guest accounts for the other's staff. No B2B direct connect trust exists until an administrator on each side explicitly configures cross-tenant access settings to allow it; by default, Entra ID blocks all inbound and outbound B2B direct connect capability.
External tenant (CIAM) is the answer when the scenario describes consumers or customers signing up for an application — not employees of another company. This uses a dedicated external tenant, separate from your workforce Entra ID tenant, and supports social identity providers (Google, Facebook) and local account sign-up flows that would never be appropriate inside a corporate workforce directory.
Guest User Defaults and Cross-Tenant Access Settings
By default, all internal users in a tenant can invite external guests — this is a common exam trap, since architects often assume invitations require an administrator. If a design requirement states "only HR can invite external users," that requires explicitly restricting the "guest invite settings" (or delegating to a specific role), because the out-of-the-box behavior is permissive.
Guest accounts land with restricted directory permissions by default: a guest can see their own group memberships and look up other users by exact email address, but cannot browse the full directory the way a member can. This default is intentional and rarely needs to change for a compliant design.
Cross-tenant access settings control B2B collaboration and B2B direct connect at a granular, per-partner-organization level. An architect can configure:
- Inbound access — what external users from a specific partner tenant can access in your tenant.
- Outbound access — what your users can access when visiting a partner tenant.
- Trust settings — whether to trust the MFA and device-compliance claims a partner tenant already performed, avoiding a redundant second MFA challenge for federated external users.
Exam Scenario
A hospital network needs a visiting specialist from a partner clinic (a separate Entra ID tenant) to access one internal clinical application for the duration of a six-week rotation, using her existing partner-tenant credentials, with no new password to manage. The correct recommendation is B2B collaboration: invite the specialist as a guest, scope her access to only the clinical application (ideally through an access package in entitlement management with an automatic expiration date matching the rotation), and configure cross-tenant access settings to trust the partner tenant's MFA claim so she is not forced through a second MFA enrollment. B2B direct connect would be the wrong answer here because the requirement is a single named individual accessing a specific app — not a Teams shared-channel collaboration between the two organizations as a whole.
Common Traps
- Reaching for B2B direct connect whenever "another company" is mentioned — it is scoped almost entirely to Teams shared channels, not general resource access.
- Assuming CIAM (external tenant) is the answer whenever "external users" appears — CIAM is for consumers of a customer-facing app, not partner-company employees needing internal access.
- Forgetting that guest accounts still consume Entra ID P1/P2 licensing (at a discounted ratio) once premium features like Conditional Access are applied to them — a design that scales to thousands of external users needs to account for this cost.
- Assuming an administrator must approve every guest invitation — the tenant-wide default allows any member to invite guests unless explicitly restricted.
A retail company is building a new mobile app where the general public will create accounts and sign in using their Google or Facebook credentials. Which Microsoft Entra identity pattern should the architecture recommend?
By default, which statement about Microsoft Entra B2B direct connect is accurate?