Section 3 – Implement an Identity Management Solution – Implement and manage external identities – Azure AD and IdP

B2B collaboration overview - Azure AD | Microsoft Docs

And we reached section 3 on my Study guide, in this section I will cover the following:

  • manage external collaboration settings in Azure Active Directory
  • invite external users (individually or in bulk)
  • manage external user accounts in Azure Active Directory
  • configure identity providers (social and SAML/WS-fed)

Manage external collaboration settings in Azure Active Directory

Azure portal

You can find External collaboration in External collaboration settings – Microsoft Azure

This setting determines whether guests have full access to enumerate all users and group memberships (most inclusive), limited access to other users and memberships, or no access to other users and group memberships including groups they are a member of (most restrictive).

This setting controls who can invite guests to your directory to collaborate on resources secured by your Azure AD, such as SharePoint sites or Azure resources.

Yes means that you can enable self-service sign up for guests via user flows associated with applications in your directory. No means that applications cannot be enabled for self-service sign up by guests and require them to be invited to your directory.

And like said in the last sections of this series, these settings affect the whole tenant and will change some of the SharePoint / OneDrive sharing settings also.

SharePoint Admin Center

You can access the corresponding settings in SharePoint admin center

Invite external users (individually or in bulk)


You can Invite user to Your own Azure AD from the following page

And you can also set.

From this page You can assign roles to the invited user.

When you send the invite.

The external user will get the invite.

Once they hit “Accept Invitation” they will be redirected to the tenant and sent OTP back to their email.

Note! Sign in with a certificate won’t be in the exam but nice feature that is in preview still.

Enter the code to sign in.

And consent for the permissions.

You will redirected to and You will find the resources that You have access in here.

You can leave the organization inside Your own Profile page.

In bulk

Same page but Invite guest users in bulk.

The CSV will be similar to this one.

You must add to all users Email Address and Redirection url and You can optionally add customized message that will be send via Email

The result will be the same than for Individual invite.

Manage external user accounts in Azure Active Directory

Finding users

You can find the Guest users from Azure AD users ex. with filter Creation type == Invitation

Or with User type == Guest

Note the different user types. Mail is a user with Email account and ExternalAzureAD for a user that has External Azure AD account.

If the user hasn’t accepted the invite, You can send it again or revoke the invite. Also Redemption status is currently in Preview.

Managing users

Assigning licenses

You can add a license to a Guest user just like to normal user but You need the Usage location to assign license.

Authentication methods

You can also add authentication methods for external users.

And revoke users sessions.

Dynamic Groups

One really handy feature is to add all the Guest users to a Dynamic Group. You could then use this Group for assigning access, Conditional Access policies or licenses.

Validating the rule.

Configure identity providers (social and SAML/WS-fed)


You will find the External Identities settings here

You can add Google, FB or other SAML/WS-Fed as an Identity provider.


Note! Google federation is designed specifically for Gmail users. To federate with Google Workspace domains, use SAML/WS-Fed identity provider federation.

Deprecation of web-view sign-in support

Google deprecated embedded web-view sign-in support in September 30, 2021. If your apps authenticate users with an embedded web-view and you’re using Google federation with Azure AD B2C or Azure AD B2B for external user invitations or self-service sign-up, Google Gmail users won’t be able to authenticate.

How to setup on Google’s side

First, create a new project in the Google Developers Console to obtain a client ID and a client secret that you can later add to Azure Active Directory (Azure AD).

Go to the Google APIs at, and sign in with your Google account. We recommend that you use a shared team Google account.

Give Your project a name.

Go to Apis

And open the OAuth consent screen

Give a app name and email for user support.

Add to domain and Developer contact email.

Open Credentials and add OAuth client ID

Under Authorized redirect URIs, enter the following URIs:

  •<tenant ID>/oauth2/authresp
    (where <tenant ID> is your tenant ID)
  •<tenant name>
    (where <tenant name> is your tenant name)

Copy the Client Id and Secret.

Azure portal

Open External identities and identity providers and and Client Id and Secret.


The process is similar with FB, I’m not going to go thru all the steps. You can them inside Microsoft documentation.

Other IdP’s


You Can add SAML (ex. ADFS) with Your metadata xml or manually.

The default location for Your metadata is: https://ServerPublicFQDN/federationmetadata/2007-06/federationmetadata.xml

Here is an article on creating ADFS server inside Azure.

Microsoft has an excellent article on what Claims and settings has to be done.

Direct Federation (Preview)

Direct federation is currently is Public preview, so it won’t be in the test but nice feature coming up in the roadmap.

Things to remember

External Collaboration settings affect also SPO and OneDrive.

You can Invite users with just Email. They don’t have to have Azure AD account.

OTP is used for the first login for Email invited accounts.

When BULK inviting users, You must add to all users Email Address and Redirection URL and You can optionally add customized message that will be send via Email

You can use Dynamic Groups to collect all the Guest users in the group.

For External Identity providers You need to have permissions to authenticate with OAuth to their API.

Link to main post

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *