Microsoft Entra External Identities – Secure B2B Guest Access for Small Businesses in Berlin
Every Berlin SMB eventually needs to give external users controlled access to internal resources — a client reviewing a project in SharePoint, a partner auditing a shared Teams channel, or a contractor who needs temporary access to a specific application. Microsoft Entra External Identities is the identity platform that enables exactly this without forcing you to create full internal accounts for guests. It includes B2B collaboration, cross-tenant access policies, and the infrastructure to apply the same Zero Trust controls to external users as you do to your own employees.
What Entra External Identities Actually Covers
The umbrella term “External Identities” in the Entra portal encompasses three scenarios:
| Scenario | Use Case | Identity Source |
|---|---|---|
| B2B Collaboration | Share apps/resources with partner org users | Guest’s home tenant or MSA |
| B2B Direct Connect | Shared channels in Teams across tenants | User stays in their own tenant |
| External ID for Customers | Consumer-facing app login (CIAM) | Social IdP, email OTP, custom |
For Berlin SMBs, B2B Collaboration is the primary scenario. B2B Direct Connect is relevant when you use shared Teams channels with a partner who also runs Microsoft 365. Customer-facing CIAM (the former Azure AD B2C) is out of scope for most sub-100-seat businesses unless you run a web application.
How B2B Collaboration Works
When you invite a guest user:
- An invitation email is sent to the external email address (or you share a direct invitation link)
- The guest redeems the invitation and is prompted to consent
- A shadow account (user object with userType = Guest) is created in your Entra tenant — this is not a real account with a password in your directory; it is a reference object pointing to the user’s home identity
- The guest authenticates against their home identity provider (their own Microsoft 365 tenant, Google, or any SAML/OIDC provider), then Entra trusts that assertion and grants access to resources in your tenant
This means you are never managing the guest’s credential. Password resets, MFA state, and authentication method changes all happen in the guest’s home organization. Your responsibility is controlling what that authenticated guest can access once they land in your tenant.
Cross-Tenant Access Policies
Cross-tenant access settings (Entra ID → External Identities → Cross-tenant access settings) give you precise control over which external tenants you trust and at what level:
- Inbound trust settings: Whether to trust MFA claims from the partner tenant (so guests don’t have to re-authenticate with MFA in your tenant), whether to trust compliant device or Hybrid Azure AD Join claims
- Outbound settings: Which of your users can access external tenants and what B2B Direct Connect is permitted
- Tenant-specific overrides: You can define partner-specific policies on top of your default policy — useful for trusted long-term partners versus one-off guests
The key architectural decision is whether to trust your partner’s MFA. If the partner tenant enforces strong MFA, trusting their MFA claim reduces friction for guest users (they don’t get a second MFA prompt in your tenant). If you can’t verify the partner’s MFA posture, requiring MFA in your tenant’s Conditional Access policy for guest users is the safer default.
Conditional Access for Guest Users
Guest users are subject to Conditional Access policies in the resource tenant (your tenant). This is critical. A guest coming from an unmanaged personal Microsoft account bypasses nothing — your CA policies apply to them just as they would to an employee, unless you explicitly exclude them.
Recommended CA posture for B2B guests:
- Require MFA for all guests: Create a CA policy targeting userType = Guest. Require MFA. Exception: if you have a trusted partner with cross-tenant MFA trust configured, you can scope the MFA requirement to guests from non-trusted tenants only
- Block legacy authentication: Guests should not be accessing via IMAP, POP, or basic auth
- Session controls for sensitive apps: Use app-enforced restrictions or Defender for Cloud Apps session policies for guests accessing SharePoint or Teams with sensitive content
- Access reviews: Combine with Entra Identity Governance to periodically review whether guest accounts are still active and warranted
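One way to verify that the posture above is actually in place is to audit the tenant's Conditional Access policies rather than trust memory. The following is an added example, not code from the article and not Microsoft's own tooling: it runs offline over a constructed list of policy objects shaped like the JSON that `GET /v1.0/identity/conditionalAccess/policies` returns (the field names `includeGuestsOrExternalUsers`, `excludeGuestsOrExternalUsers`, `clientAppTypes`, `builtInControls` and `state` are the Graph ones; the policy names and the decision that "covered" means an enforced policy over all apps are assumptions of the example). It answers three questions: is MFA enforced for guests, is legacy authentication blocked for guests, and which policies explicitly exclude guests, the "unless you explicitly exclude them" case from the text.

```python
"""Audit Conditional Access policies for B2B guest coverage (offline, added example).

SAMPLE_POLICIES is constructed sample data shaped like the objects returned by
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
(reading them for real needs Policy.Read.All; this script never calls Graph).
"""

LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}  # the two legacy-auth client types

# Constructed export: what a small tenant's policy set might look like.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA - all guests", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": [], "excludeUsers": [],
                   "includeGuestsOrExternalUsers": {
                       "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember,otherExternalUser",
                       "externalTenants": {"membershipKind": "all"}},
                   "excludeGuestsOrExternalUsers": None},
         "applications": {"includeApplications": ["All"]},
         "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": [],
                   "includeGuestsOrExternalUsers": None, "excludeGuestsOrExternalUsers": None},
         "applications": {"includeApplications": ["All"]},
         "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device - employees", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": [],
                   "includeGuestsOrExternalUsers": None,
                   "excludeGuestsOrExternalUsers": {
                       "guestOrExternalUserTypes": "b2bCollaborationGuest",
                       "externalTenants": {"membershipKind": "all"}}},
         "applications": {"includeApplications": ["All"]},
         "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def includes_guests(policy):
    """True if the user scope reaches guests, via the guest selector or the 'All' / legacy value."""
    users = policy["conditions"]["users"]
    if users.get("includeGuestsOrExternalUsers"):
        return True
    return bool({"All", "GuestsOrExternalUsers"} & set(users.get("includeUsers") or []))


def excludes_guests(policy):
    """True if the policy carves out guests from every external tenant."""
    users = policy["conditions"]["users"]
    excl = users.get("excludeGuestsOrExternalUsers") or {}
    if (excl.get("externalTenants") or {}).get("membershipKind") == "all":
        return True
    return "GuestsOrExternalUsers" in (users.get("excludeUsers") or [])


def applies_to_guests(policy):
    return includes_guests(policy) and not excludes_guests(policy)


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _all_apps(policy):
    return "All" in (policy["conditions"]["applications"].get("includeApplications") or [])


def audit_guest_policies(policies):
    """Summarise guest coverage; only state == 'enabled' counts as enforced."""
    findings = {"mfa_required_for_guests": False, "legacy_auth_blocked_for_guests": False,
                "report_only_guest_policies": [], "policies_excluding_guests": []}
    for p in policies:
        if excludes_guests(p):
            findings["policies_excluding_guests"].append(p["displayName"])
        if not applies_to_guests(p):
            continue
        if p.get("state") != "enabled":
            if p.get("state") == "enabledForReportingButNotEnforced":
                findings["report_only_guest_policies"].append(p["displayName"])
            continue
        controls = _controls(p)
        client_apps = set(p["conditions"].get("clientAppTypes") or [])
        if "mfa" in controls and _all_apps(p):
            findings["mfa_required_for_guests"] = True
        if "block" in controls and LEGACY_CLIENT_APP_TYPES <= client_apps and _all_apps(p):
            findings["legacy_auth_blocked_for_guests"] = True
    return findings


def missing_guest_controls(policies):
    """Names of the boolean checks that did not pass, for a quick to-do list."""
    f = audit_guest_policies(policies)
    return [k for k, v in f.items() if v is False]


if __name__ == "__main__":
    for key, value in audit_guest_policies(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```

On the sample set the MFA requirement passes, the legacy-auth block is only in report-only mode and therefore does not count, and the compliant-device policy is listed because it excludes guests, which is exactly the information you want before deciding whether that exclusion is intentional.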
Guest Lifecycle Management
The most operationally neglected aspect of B2B collaboration in SMBs is the accumulation of stale guest accounts. A guest who did a one-off project two years ago still has a shadow account in your tenant unless explicitly removed. Best practices:
- Enable Access Reviews (requires Entra ID P2) for guest users on a quarterly cadence
- Set a guest account expiration policy (Entra ID → External Identities → External collaboration settings → Guest user access expiry)
- Use Lifecycle Workflows (if licensed) to automate guest offboarding when access reviews determine a guest is no longer active
- Monitor the Last Sign-In property in Entra ID to identify guests who haven’t authenticated in 90+ days — these are candidates for removal
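The Last Sign-In check above is easy to get wrong in two ways: a guest whose invitation was never redeemed has no sign-in at all, and a guest who only refreshes tokens from Teams shows up under the non-interactive sign-in timestamp rather than the interactive one. The following is an added example, not code from the article or from Microsoft: it classifies a constructed list of guest records shaped like the JSON from `GET /v1.0/users?$filter=userType eq 'Guest'&$select=...,externalUserState,createdDateTime,signInActivity` (the property names are the Graph ones; reading `signInActivity` needs the `AuditLog.Read.All` permission and an Entra ID P1 or P2 tenant). The 90-day inactivity threshold comes from the text; the 30-day threshold for unredeemed invitations and the fixed "today" are assumptions of the example.

```python
"""Classify B2B guests for an access review from a Graph users export (offline, added example).

SAMPLE_GUESTS is constructed sample data; it never calls Graph.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference date so the classification below is reproducible (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_GUESTS = [
    {"id": "g1", "displayName": "Anna (Partner GmbH)", "mail": "anna@partner.example",
     "userType": "Guest", "externalUserState": "Accepted", "createdDateTime": "2023-02-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-05-28T07:02:00Z"}},
    {"id": "g2", "displayName": "Ben (Old project)", "mail": "ben@oldproject.example",
     "userType": "Guest", "externalUserState": "Accepted", "createdDateTime": "2022-06-01T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-11-01T16:40:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-01-10T06:30:00Z"}},
    {"id": "g3", "displayName": "Chris (Contractor)", "mail": "chris@contractor.example",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-04-01T11:00:00Z", "signInActivity": None},
    {"id": "g4", "displayName": "Dana (New auditor)", "mail": "dana@audit.example",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-05-25T14:00:00Z"},          # key absent: Graph omits it until first sign-in
    {"id": "g5", "displayName": "Erik (Never used)", "mail": "erik@neverused.example",
     "userType": "Guest", "externalUserState": "Accepted", "createdDateTime": "2023-12-01T08:00:00Z",
     "signInActivity": None},
    {"id": "g6", "displayName": "Fatima (Teams only)", "mail": "fatima@teams.example",
     "userType": "Guest", "externalUserState": "Accepted", "createdDateTime": "2024-01-15T09:30:00Z",
     "signInActivity": {"lastSignInDateTime": None,      # only token refreshes, no interactive login
                        "lastNonInteractiveSignInDateTime": "2024-05-15T12:00:00Z"}},
]

REMOVAL_CATEGORIES = {"stale_invitation", "never_signed_in", "inactive"}


def _parse(ts):
    """Graph emits ISO-8601 UTC with a trailing Z; return an aware datetime or None."""
    if not ts:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def last_activity(user):
    """Most recent of the interactive and non-interactive sign-in, or None if never signed in."""
    activity = user.get("signInActivity") or {}
    stamps = [_parse(activity.get("lastSignInDateTime")),
              _parse(activity.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def classify_guest(user, now=NOW, inactive_days=90, pending_days=30):
    """Return one of: active, pending, stale_invitation, never_signed_in, inactive."""
    created = _parse(user.get("createdDateTime"))
    age = (now - created) if created else timedelta.max   # missing creation date: treat as old
    if user.get("externalUserState") == "PendingAcceptance":
        return "stale_invitation" if age > timedelta(days=pending_days) else "pending"
    last = last_activity(user)
    if last is None:
        return "never_signed_in" if age > timedelta(days=inactive_days) else "active"
    return "inactive" if now - last > timedelta(days=inactive_days) else "active"


def stale_candidates(users, **thresholds):
    """[(mail, category)] for guests worth raising in an access review, sorted by mail."""
    labelled = ((u["mail"], classify_guest(u, **thresholds)) for u in users)
    return sorted((mail, cat) for mail, cat in labelled if cat in REMOVAL_CATEGORIES)


if __name__ == "__main__":
    for mail, category in stale_candidates(SAMPLE_GUESTS):
        print(f"{category:17} {mail}")
```

Fatima's record is the one that matters: checking only `lastSignInDateTime` would flag an active Teams guest, while the combined timestamp keeps her in the active set. Unredeemed invitations are reported separately because the right action there is to withdraw the invitation, not to run an access review with the sponsor.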
External Collaboration Settings
Under Entra ID → External Identities → External collaboration settings, you control the governance guardrails:
| Setting | Recommended Value for SMB |
|---|---|
| Guest invite permissions | Admins and users in specific guest inviter roles (not all users) |
| Guest user access restrictions | Guests have limited access to directory object properties |
| Allow B2B invitations to specific domains | Allowlist known partner domains for controlled environments |
| Collaboration restrictions | Deny invitations to consumer email domains (gmail.com, outlook.com) unless explicitly required |
Licensing Considerations
B2B collaboration itself is included in all Entra ID tiers, including Free. The guest user’s access to Microsoft 365 apps (Teams, SharePoint) does not require you to license the guest — they use their own licensing from their home tenant. However, Entra ID P1/P2 features applied to guests (Conditional Access, Access Reviews, PIM) require that your tenant is licensed at that level. The “5:1 rule” no longer applies after the Entra pricing change — guest users accessing Entra ID P1/P2 features are now billed per monthly active user rather than a ratio.
Implementation Checklist
- Review External collaboration settings — restrict who can invite guests
- Configure cross-tenant access settings for any known partner tenants
- Create a CA policy requiring MFA for all guest users (userType = Guest)
- Set a guest account expiration policy (90–180 days of inactivity)
- Enable quarterly Access Reviews for guest accounts (Entra ID P2)
- Add the Global Reader or User Administrator role to the guest inviter group — avoid giving end-users unrestricted invite capability
- Document a guest offboarding procedure for project completions
Entra External Identities solves a real operational problem for Berlin SMBs: how to give external stakeholders the access they need without creating full employee accounts, without compromising your Zero Trust posture, and without accumulating a graveyard of forgotten guest accounts that represent persistent lateral movement risk.
