Microsoft Entra External ID: B2B Guest Access for Small Businesses in Berlin

Every small business in Berlin collaborates with external parties — clients who need to review project documents, vendors who need access to a shared SharePoint site, contractors who need to join Teams calls and access specific files. Managing this access securely has historically required either giving external people company accounts (which creates identity sprawl and offboarding risk) or using insecure workarounds like email attachments and shared drives. Microsoft Entra External ID solves this through B2B collaboration: a governed model for inviting external users to your Microsoft 365 environment with full Conditional Access enforcement and complete audit visibility.

How B2B Collaboration Works

When you invite an external user through Entra External ID, they receive a guest account in your Entra ID directory. This guest account is linked to the user’s existing identity — their Microsoft account, Google account, or their own organization’s Entra ID identity if they have one. The external user authenticates with their own identity provider, and your tenant receives a federated assertion. From your perspective, you have a controlled guest object in your directory with an auditable access record; from the guest’s perspective, they sign in with credentials they already use.

Guest accounts in Entra ID are restricted by default: they cannot enumerate other users in your directory, cannot see organizational chart data, and cannot create or modify resources unless explicitly granted permission. You grant guests access to specific resources — a SharePoint site, a Teams channel, a shared mailbox — and their access is precisely scoped to those resources. When the collaboration ends, you remove the guest account, which immediately revokes all access.

Conditional Access for External Users

The most important security feature of Entra External ID is that guest users are subject to Conditional Access policies. You can require that external users complete MFA before accessing your resources, even if MFA is enforced on their home tenant. You can restrict external access to specific resource types — allowing guests to access Teams and SharePoint, but not Exchange or Azure resources. You can require that guests access your environment only from specific IP ranges if you are working with a known partner organization with a fixed office network.

External user policies in Entra ID also let you configure cross-tenant access settings at the partner organization level. If you regularly collaborate with a specific partner company that also uses Microsoft 365, you can establish a trust relationship that allows their MFA claims to satisfy your Conditional Access requirements — so guests from that organization are not prompted for MFA a second time after already completing it in their home tenant. For all other external users, MFA is required by your policy regardless of their home tenant configuration.

B2B Access Reviews

Guest accounts accumulate over time. A project ends, a vendor relationship changes, a contractor moves on — but the guest account persists in your directory because no one formally offboarded it. Microsoft Entra ID Governance access reviews let you schedule periodic reviews of all guest accounts, requiring designated reviewers to confirm or revoke each guest’s continued access. You can also configure the review so that any guest whose access is not confirmed before the review period expires has that access removed automatically.

For small businesses, a quarterly access review for all guest accounts is a practical default. The review is automated: Entra ID emails reviewers a list of guests to evaluate, each reviewer approves or denies each guest through a simple web interface, and denials result in the account being disabled automatically. This removes the administrative burden of manually tracking external accounts while keeping your guest user population accurate and current.

External Collaboration Settings

Entra External ID gives you precise control over who can invite guests and to what. In the Entra ID admin center, external collaboration settings let you restrict guest invitations to specific admin roles only, preventing users from self-inviting external parties without IT oversight. You can allow or block guests from specific domains — permitting your known client and partner domains while blocking all others — or maintain a blocklist of competitor and untrusted domains that can never be invited regardless of who initiates the invitation.

SharePoint and OneDrive have their own sharing settings that layer on top of the Entra External ID configuration. SharePoint can be configured to allow external sharing only with users who already have a guest account in your Entra directory — preventing ad-hoc anonymous link sharing while still allowing governed guest access to specific sites. This combination of Entra-level identity governance and SharePoint-level sharing controls gives you a defensible, auditable external collaboration posture.

Practical Setup for Berlin SMBs

A typical B2B collaboration deployment for a small Berlin business involves four configuration steps. First, configure external collaboration settings in Entra ID to restrict guest invitations to Global Admins and User Admins only, and define an allowed-domains list for your key client and partner organizations. Second, create a Conditional Access policy that requires MFA for all guest users accessing Microsoft 365 resources, with session controls that enforce re-authentication after 8 hours. Third, set up a quarterly access review for all guest accounts, with designated reviewers in each business unit responsible for their respective external relationships. Fourth, configure SharePoint to allow external sharing only with existing guest accounts, disabling anonymous link sharing for all sites except those explicitly designated for public content.
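Steps 1 and 2 above, written as an added example with the Microsoft Graph PowerShell SDK; this is not the article's own code. It assumes the Microsoft.Graph module is installed, that the signed-in account holds Global Administrator, and that the policy name is a placeholder of my choosing; it also lists the current guest population so the scope of the step-3 review is visible before the first review runs.

```powershell
# Added example (not from the original article): Microsoft Graph PowerShell SDK
# applying steps 1 and 2 of the setup described above.
# Assumptions: Install-Module Microsoft.Graph has been run; the account used holds
# Global Administrator; the policy display name below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.ReadWrite.ConditionalAccess","User.Read.All"

# Step 1: only admins and holders of the Guest Inviter role may send B2B invitations.
# (The allowed-domains list from step 1 is set under External collaboration settings
#  in the admin center, as the article describes; it is not configured here.)
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -AllowInvitesFrom "adminsAndGuestInviters"

# Step 2: Conditional Access policy: MFA for every guest or external user on Office 365,
# with an 8-hour sign-in frequency. Created in report-only mode first so the sign-in
# logs show who would be affected before anyone is actually blocked.
$policy = @{
    displayName   = "B2B guests: require MFA, re-authenticate every 8 hours"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            type              = "hours"
            value             = 8
            frequencyInterval = "timeBased"
        }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the grant and session controls landed as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.BuiltInControls -notcontains "mfa" -or
    $check.SessionControls.SignInFrequency.Value -ne 8) {
    throw "Policy '$($check.DisplayName)' does not match the intended configuration"
}

# Inventory for step 3: the guest population the quarterly access review will cover,
# oldest invitations first, so stale or never-redeemed accounts stand out early.
Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property DisplayName,Mail,CreatedDateTime,ExternalUserState |
    Sort-Object CreatedDateTime |
    Select-Object DisplayName, Mail, CreatedDateTime, ExternalUserState |
    Format-Table -AutoSize
```

Review the report-only results in the sign-in logs for a few days before changing the policy state to enabled, so partner users without a working MFA method are identified rather than locked out.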

This configuration ensures that every external user in your environment was formally invited, authenticated with MFA, and is periodically reviewed for continued access — giving you the audit trail and access hygiene that GDPR data processing agreements and cyber insurance policies increasingly require organizations to demonstrate.
