Manage Users, Contacts and External Identities
Create and manage users in Microsoft Entra ID, handle external guest access with B2B collaboration, and maintain contacts, all at enterprise scale.
Identity management at Expert level
At the Expert level, user management isn't about clicking "New User." It's about designing identity flows that scale.
Think of it like running an airport. You have employees (internal users), visitors with appointments (B2B guests), and names in your contacts database who might never enter the building (mail contacts). Each type needs different access, different rules, and different lifecycle management.
This module covers how to manage all three, including the external identity decisions that most admins get wrong.
Internal user management
Creating users: the methods
| Method | Best For | Where |
|---|---|---|
| M365 admin center | Individual users, quick adds | admin.microsoft.com > Users > Active users |
| Microsoft Entra admin center | Users needing Entra-specific config (CA, Identity Protection) | entra.microsoft.com > Users |
| Microsoft Graph PowerShell | Bulk creation, automation | New-MgUser cmdlet |
| Microsoft Entra PowerShell | Entra-focused bulk operations | New-EntraUser cmdlet |
| CSV import | One-time bulk loads | M365 admin center > Users > Active users > Add multiple users |
| Directory sync | Hybrid environments (covered in Domain 2) | Entra Connect Sync or Cloud Sync |
Key user properties for the exam
| Property | Purpose | Exam Relevance |
|---|---|---|
| Usage location | Required for licence assignment | Must be set before assigning any licence |
| User principal name (UPN) | Primary sign-in identity | user@domain.com format |
| Mail nickname | Email alias | Can differ from UPN |
| Account status | Enabled/disabled | Disabled accounts retain data but block sign-in |
| Manager | Reporting hierarchy | Used by Viva Insights, approval workflows |
| Job title / Department | Org metadata | Used by dynamic group membership rules (and, through those groups, Conditional Access assignments) |
Exam tip: Usage location is mandatory for licensing
You cannot assign a Microsoft 365 licence to a user whose usage location is not set; the Entra admin center and the Graph assignLicense call both reject the assignment with an error. This is one of the most commonly missed steps in both the real world and the exam. The usage location determines which services are available (some features are geo-restricted) and must be the country where the user actually uses the service.
For bulk operations, set usage location in the CSV or PowerShell script before licence assignment, and treat a blank location as a row that cannot be licensed yet rather than guessing a country for it.
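As an added example (not from the course page), here is the bulk pattern in Microsoft Graph PowerShell: create users from a CSV, refuse to licence any row with a blank usage location, and assign the licence only after reading the property back. It assumes the Microsoft.Graph SDK, the User Administrator role, and a Microsoft 365 E3 subscription (part number SPE_E3); the domain and the CSV rows are constructed.

```powershell
# Added example, not from the course page. Assumes the Microsoft.Graph SDK is installed.
# Domain, SKU part number (SPE_E3 = Microsoft 365 E3) and CSV rows are constructed.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Constructed HR export. The third row has no usage location on purpose:
# that is the row whose licence assignment would fail.
$rows = @'
DisplayName,UserPrincipalName,MailNickname,UsageLocation,Department,JobTitle
Asha Patel,asha.patel@globalreach.example,asha.patel,GB,Finance,Analyst
Tomas Ruiz,tomas.ruiz@globalreach.example,tomas.ruiz,ES,Sales,Account Manager
Mei Chen,mei.chen@globalreach.example,mei.chen,,Engineering,Developer
'@ | ConvertFrom-Csv

# Resolve the licence by part number once, instead of hard-coding a SkuId.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'SPE_E3'
if (-not $sku) { throw 'SKU SPE_E3 is not subscribed in this tenant' }

$needsLocation = @()
foreach ($row in $rows) {
    # Random initial password; ForceChangePasswordNextSignIn makes it single-use.
    $password = -join ((33..126) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    $params = @{
        DisplayName       = $row.DisplayName
        UserPrincipalName = $row.UserPrincipalName
        MailNickname      = $row.MailNickname
        Department        = $row.Department
        JobTitle          = $row.JobTitle
        AccountEnabled    = $true
        PasswordProfile   = @{ Password = $password; ForceChangePasswordNextSignIn = $true }
    }
    # Only set UsageLocation when HR supplied one; never guess a country.
    if (-not [string]::IsNullOrWhiteSpace($row.UsageLocation)) {
        $params.UsageLocation = $row.UsageLocation.ToUpper()
    }
    $user = New-MgUser @params

    # Read the property back before touching licences.
    $created = Get-MgUser -UserId $user.Id -Property Id, UserPrincipalName, UsageLocation
    if (-not $created.UsageLocation) {
        Write-Warning "$($created.UserPrincipalName): no usage location, created but NOT licensed"
        $needsLocation += $created.UserPrincipalName
        continue
    }

    Set-MgUserLicense -UserId $created.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId }) `
        -RemoveLicenses @() | Out-Null
    Write-Host "Licensed $($created.UserPrincipalName) (usage location $($created.UsageLocation))"
}

# Fix-up path for flagged rows once HR confirms the country:
#   Update-MgUser -UserId <upn> -UsageLocation 'SG'; then Set-MgUserLicense as above.
if ($needsLocation) { "Needs usage location before licensing:`n  " + ($needsLocation -join "`n  ") }
```

The order matters: New-MgUser with UsageLocation in the same call, then a Get-MgUser read-back, then Set-MgUserLicense. Running the licence step in a separate pass before the location has been written is exactly how a 50-user import fails wholesale.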
External users: B2B collaboration
How B2B guest access works
When Priya invites a partner from a client organisation to collaborate on a project:
- Invitation sent: via the Entra portal, Teams, SharePoint, or the Microsoft Graph invitation API
- Guest accepts: authenticates with their home identity (work account, Microsoft account, or one-time passcode)
- Guest object created: a user object with userType Guest appears in GlobalReach's Entra directory (it is created when the invitation is sent, with externalUserState PendingAcceptance until redeemed)
- Limited access granted: the guest can access only resources they've been explicitly shared with
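The four steps above driven through Microsoft Graph PowerShell, as an added example that is not part of the course page: it checks for an existing guest first, sends the invitation, reads back the guest object that exists before acceptance, and finishes with a sweep for invitations nobody redeemed. It assumes the Microsoft.Graph SDK and the Guest Inviter (or User Administrator) role; the partner address, display name and redirect URL are constructed.

```powershell
# Added example, not from the course page. Assumes the Microsoft.Graph SDK and the
# Guest Inviter (or User Administrator) role. Partner address and URL are constructed.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

$partnerEmail = 'jordan.lee@contoso.example'

# Step 1: invite. Check first, because a second invitation for the same address
# creates a second guest object rather than reusing the first.
$guest = Get-MgUser -Filter "mail eq '$partnerEmail' and userType eq 'Guest'" `
    -Property Id, UserPrincipalName, ExternalUserState
if (-not $guest) {
    $invite = New-MgInvitation `
        -InvitedUserEmailAddress $partnerEmail `
        -InvitedUserDisplayName 'Jordan Lee (Contoso)' `
        -InviteRedirectUrl 'https://myapps.microsoft.com' `
        -SendInvitationMessage:$true `
        -InvitedUserMessageInfo @{ CustomizedMessageBody = 'Invitation to the Project Atlas Teams channel.' }
    # Step 3 happens at once: the guest object exists before anyone accepts.
    $guest = Get-MgUser -UserId $invite.InvitedUser.Id -Property Id, UserPrincipalName, ExternalUserState
}

# Step 2 is the partner's job. Until they redeem the link at their home tenant,
# ExternalUserState stays 'PendingAcceptance'; afterwards it is 'Accepted'.
# The UPN is rewritten to the #EXT# form, e.g.
#   jordan.lee_contoso.example#EXT#@globalreach.onmicrosoft.com
$guest | Format-List UserPrincipalName, ExternalUserState

# Step 4 is enforced by sharing, not by the guest object: a guest with nothing shared
# to them can sign in but sees nothing. Sweep for invitations nobody redeemed in 30 days;
# these are dead accounts that should be removed, not left in the directory.
$cutoff = (Get-Date).AddDays(-30)
Get-MgUser -All -ConsistencyLevel eventual -CountVariable pending `
    -Filter "userType eq 'Guest' and externalUserState eq 'PendingAcceptance'" `
    -Property DisplayName, Mail, CreatedDateTime, ExternalUserState |
    Where-Object { $_.CreatedDateTime -lt $cutoff } |
    Select-Object DisplayName, Mail, CreatedDateTime
```

Feed the final list into Remove-MgUser (after review) or, at scale, into an access review as described later in this module; unredeemed invitations are the most common source of stale guest objects.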
B2B access controls
| Feature | Member Users | Guest Users |
|---|---|---|
| Directory access | Full: can browse all users, groups and their properties | Limited by default: cannot enumerate users or groups, sees their own profile and the groups they belong to; the most restrictive setting cuts this to their own profile only |
| Licence requirement | Yes: need an M365 licence | Usually no: they authenticate with their home identity and external identities are billed on monthly active users rather than per seat (some features need a licence) |
| Mailbox in your tenant | Yes: Exchange Online mailbox when licensed | No mailbox: mail goes to their home address |
| Teams access | Full β all teams they're members of | Only teams/channels they're invited to |
| SharePoint access | Based on site permissions | Based on sharing permissions, external sharing settings |
| Conditional Access | Full policy scope | Can be targeted with CA policies (recommended) |
| Lifecycle | You manage (or HR integration) | Should use access reviews and entitlement management |
Governing external access at scale
Priya manages B2B collaboration for 20,000 internal users inviting guests from dozens of partner organisations. Her governance model:
| Control | Configuration | Purpose |
|---|---|---|
| External collaboration settings | Entra > External Identities > External collaboration settings | Who can invite guests (all members, specific roles, or admins only) |
| Cross-tenant access settings | Entra > External Identities > Cross-tenant access | Per-organisation trust settings (which orgs can collaborate, what they can access) |
| Guest user access restrictions | "Guest user access" section of the same External collaboration settings page (also linked from Users > User settings) | What guests can see in your directory: same as members, limited (default), or most restrictive |
| Access reviews | Entra > Identity Governance > Access reviews | Regular reviews of who still needs guest access |
Deep dive: Cross-tenant access settings
Cross-tenant access settings let you define granular policies per external organisation:
- Inbound settings: control what external users can access in your tenant
- Outbound settings: control what your users can access in external tenants
- Trust settings: accept MFA, compliant-device and hybrid-joined-device claims from the external org (avoids double prompting)
For example, Priya trusts MFA claims from her top 5 partner organisations. When a guest from one of those orgs accesses GlobalReach resources and has already satisfied MFA at their home tenant, GlobalReach's Conditional Access policy accepts that claim instead of prompting again. The UX improves, but the trust is only as strong as the partner's MFA enforcement, so scope it to named partners rather than the default policy that applies to every unknown tenant.
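The governance table above and this deep dive, applied with Microsoft Graph PowerShell as an added example that is not part of the course page: first the tenant-wide baseline (who may invite, what guests can see), then a single partner added to cross-tenant access settings with inbound MFA and device-compliance trust, then a check that the default policy was left untrusting. It assumes the Microsoft.Graph SDK and Global or Security Administrator rights; the partner domain is constructed, and the GuestUserRoleId GUIDs are Microsoft's documented well-known values.

```powershell
# Added example, not from the course page. Assumes the Microsoft.Graph SDK and Global or
# Security Administrator rights. Partner domain is constructed; the role GUIDs are the
# well-known values Microsoft documents for authorizationPolicy.guestUserRoleId.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', `
                        'Policy.ReadWrite.CrossTenantAccess', `
                        'CrossTenantInformation.ReadBasic.All'

# 1. Tenant-wide baseline: only admins and holders of the Guest Inviter role may
#    invite, and guests get the most restrictive directory view (own profile only).
$restrictedGuest = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # most restrictive
# Other values: '10dae51f-b6af-4016-8d66-8c2a99b929b3' = limited (the default)
#               'a0b1b346-4d3e-4e8b-98f8-753987be4970' = same access as members
Update-MgPolicyAuthorizationPolicy `
    -AllowInvitesFrom 'adminsAndGuestInviters' `
    -GuestUserRoleId $restrictedGuest

# 2. Per-partner trust: resolve Contoso's tenant ID from a verified domain, then accept
#    the MFA and compliant-device claims it issues so partners are not prompted twice.
$partner   = Find-MgTenantRelationshipTenantInformationByDomainName -DomainName 'contoso.example'
$partnerId = $partner.TenantId

$trust = @{
    IsMfaAccepted                       = $true
    IsCompliantDeviceAccepted           = $true
    IsHybridAzureAdJoinedDeviceAccepted = $false   # Contoso has no hybrid-joined fleet in this scenario
}
$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerId -ErrorAction SilentlyContinue
if ($existing) {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerId -InboundTrust $trust
} else {
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerId -InboundTrust $trust
}

# 3. Verify the blast radius: the default policy (every tenant you have no entry for)
#    should still show IsMfaAccepted = False; only the named partner is trusted.
'--- default inbound trust ---'
(Get-MgPolicyCrossTenantAccessPolicyDefault).InboundTrust | Format-List
"--- inbound trust for $($partner.DisplayName) ($partnerId) ---"
(Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerId).InboundTrust | Format-List
```

Trusting MFA here only changes how GlobalReach's Conditional Access policies are satisfied; the policies themselves still have to target guests (the "All guest and external users" assignment) for the requirement to apply at all.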
Mail contacts
Mail contacts are entries in the Global Address List (GAL) that represent external email addresses. They are not Entra user objects β they have no sign-in capability, no licence, and no mailbox.
When to use contacts vs guests
| Scenario | Use Contact | Use Guest |
|---|---|---|
| External person needs to receive email from your org | Yes, add as mail contact | Overkill |
| External person needs to collaborate in Teams/SharePoint | No, a contact cannot sign in | Yes, invite as guest |
| Vendor you email frequently but who doesn't need access | Yes | No |
| Contractor working inside your org for 6 months | No | Yes (or a member user with an external email address) |
Contacts are managed in the M365 admin center (Contacts section) or via Exchange Online PowerShell (New-MailContact).
Knowledge check
Priya needs to allow partners from Contoso Ltd to collaborate in Teams without being prompted for MFA every time they access GlobalReach resources. Partners already complete MFA at Contoso. What should Priya configure?
Dev is onboarding 50 new users for a client. He creates the accounts via CSV import but licence assignment fails for all 50 users. What is the most likely cause?
Next up: Groups, Shared Mailboxes and Licensing at Scale: the group types that power M365 collaboration, and how to manage licences without losing your mind.