SC-300 Study Guide

Domain 1: Implement and Manage User Identities

  • Your Entra Tenant: Branding, Settings & Domains
  • Entra Roles & Administrative Units
  • Managing Users & Groups
  • Device Registration & Licensing
  • External Identities: Guest Access & B2B
  • Cross-Tenant Access & Synchronisation
  • Hybrid Identity: Connect Sync vs Cloud Sync
  • Hybrid Authentication: PHS, PTA & Seamless SSO

Domain 2: Implement Authentication and Access Management

  • Authentication Methods: Plan & Implement
  • Passwordless & Windows Hello for Business
  • MFA, SSPR & Password Protection
  • Conditional Access: Plan & Build Policies
  • Conditional Access: Advanced Controls & Troubleshooting
  • Entra ID Protection: Risk-Based Security
  • Global Secure Access: Zero Trust Networking

Domain 3: Plan and Implement Workload Identities

  • Workload Identities: Managed Identities & Service Principals
  • Enterprise Apps: SSO, App Proxy & Integration
  • Enterprise Apps: Users, Consent & Collections
  • App Registrations: Build & Secure
  • Defender for Cloud Apps: Discover & Control
  • Defender for Cloud Apps: Policies & OAuth Governance

Domain 4: Plan and Automate Identity Governance

  • Entitlement Management: Catalogs & Access Packages Free
  • Access Requests, Terms of Use & External Lifecycle Free
  • Access Reviews: Plan, Create & Monitor Free
  • PIM: Protect Your Privileged Roles Free
  • PIM: Azure Resources, Groups & Audit Free
  • Identity Monitoring: Logs, KQL & Secure Score Free

Domain 1: Implement and Manage User Identities (~13 min read)

External Identities: Guest Access & B2B

Invite contractors, partners, and vendors to collaborate securely with Microsoft Entra External ID — without creating internal accounts.

What are external identities?

☕ Simple explanation

External identities are like visitor passes for your office building.

You don’t give visitors a permanent employee badge. Instead, they sign in at reception (using their own ID), get a visitor pass, and can access only the meeting rooms you’ve booked for them. When the visit ends, the pass expires.

Microsoft Entra External ID works the same way. External users sign in with their own identity (their work account, Google account, or even just an email code) and get limited access to the resources you share with them.

Microsoft Entra External ID (formerly Azure AD B2B) enables organisations to share resources with external users — partners, contractors, vendors, customers — while maintaining control over what they can access. External users authenticate using their home identity provider (their own Entra tenant, Google, Facebook, or a one-time passcode) and appear as guest users in your directory.

The inviting organisation controls access through group memberships, Conditional Access policies, and app assignments — the same tools used for internal users.

External collaboration settings

External collaboration settings are the master controls for guest access. Find them at: Entra admin center → External Identities → External collaboration settings.

| Setting | What It Controls | Recommendation |
|---|---|---|
| Guest user access | What guests can see in your directory (all properties, limited, or most restrictive) | Limited properties for most orgs |
| Guest invite settings | Who can invite guests: everyone, members + admins, admins only, or nobody | Members + specific admins |
| Collaboration restrictions | Allow/deny invitations to specific domains | Deny known-bad domains; allow specific partners |
| Enable guest self-service sign-up | Guests can request access via user flows | Use for customer-facing apps |

ℹ️ Scenario: Priya locks down guest access at Meridian Health

Healthcare data requires strict controls. Priya configures:

  • Guest user access: Most restrictive — guests can’t enumerate directory users or groups
  • Guest invite settings: Only admins and the Guest Inviter role can invite
  • Collaboration restrictions: Allow list with only approved partner domains (medical suppliers, consulting firms)

This prevents random employees from inviting personal contacts as guests, which could expose patient-adjacent systems.
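The two tenant-wide controls in Priya's scenario (guest user access level and who may invite) live in the Entra authorization policy and can be read and set with Microsoft Graph PowerShell. The following is an added example, not code from the page or from Microsoft; it assumes the Microsoft.Graph modules are installed and that the signed-in account is allowed to update the authorization policy. The role GUIDs are the well-known Entra guest permission levels; the domain allow list (collaboration restrictions) is a separate setting and is not touched here.

```powershell
# Added example: read and harden the tenant-wide guest settings behind
# "External collaboration settings". Assumes Microsoft.Graph modules are installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome

# Well-known guestUserRoleId values (Entra ID guest permission levels)
$GuestRoleLevels = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same as member (least restrictive)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Most restrictive"
}

function Get-GuestAccessSummary {
    # Reads the authorization policy and translates the two guest controls into plain words
    $policy = Get-MgPolicyAuthorizationPolicy
    [pscustomobject]@{
        GuestUserAccess = $GuestRoleLevels[$policy.GuestUserRoleId]
        # none | adminsAndGuestInviters | adminsGuestInvitersAndAllMembers | everyone
        WhoCanInvite    = $policy.AllowInvitesFrom
    }
}

function Set-RestrictedGuestAccess {
    # Priya's configuration: guests cannot enumerate the directory, and only
    # admins plus the Guest Inviter role can send invitations
    Update-MgPolicyAuthorizationPolicy `
        -GuestUserRoleId "2af84b1e-32c8-42b7-82bc-daa82404023b" `
        -AllowInvitesFrom "adminsAndGuestInviters"
}

"Before:"; Get-GuestAccessSummary
Set-RestrictedGuestAccess
"After:";  Get-GuestAccessSummary
```

Run the summary first on its own to record the current state; the "Before/After" pair then doubles as an audit trail for the change ticket.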

Inviting external users

Individual invitations

  1. Entra admin center → Users → Invite external user
  2. Enter their email address and a personal message
  3. The guest receives an email with a redemption link
  4. They click the link, authenticate with their home identity, and gain access

Bulk invitations

For inviting many guests at once:

  • Entra admin center → Users → Bulk invite → download CSV template → upload
  • PowerShell → New-MgInvitation in a loop

```powershell
# Connect with the permission needed to create invitations
Connect-MgGraph -Scopes "User.Invite.All"

# Partners.csv is expected to have an "Email" column
$guests = Import-Csv -Path "Partners.csv"
foreach ($guest in $guests) {
    New-MgInvitation -InvitedUserEmailAddress $guest.Email `
                     -InviteRedirectUrl "https://myapps.microsoft.com" `
                     -SendInvitationMessage   # switch parameter: send the invitation email
}
```

Redemption — how guests sign in

When a guest redeems their invitation, they authenticate using (in priority order):

  1. Their own Entra ID tenant (if they have one)
  2. A configured external identity provider (Google, Facebook, SAML/WS-Fed)
  3. Microsoft account (personal Outlook/Hotmail)
  4. Email one-time passcode (OTP) — a 6-digit code sent to their email

💡 Exam tip: redemption order matters

The exam tests that you understand the identity provider priority. If a guest’s organisation has an Entra tenant, they’ll use that — even if you’ve also configured Google federation. The order is: Entra ID tenant → configured external IdP → Microsoft account → email OTP.

Email OTP is the fallback when nothing else matches. It’s enabled by default and works for any email address.
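Which rung of the redemption order a given invitee lands on depends on what your tenant has configured. The following is an added example, not code from the page or from Microsoft: it inventories the configured identity providers, SAML/WS-Fed federations and the email OTP setting through Microsoft Graph, then applies rungs 2 and 4 of the order to an invitee address. It assumes the Microsoft.Graph modules are installed and that the federation list call returns each federation's `domains` collection inline; `partner.example` is a placeholder domain. Rung 1 (the invitee's own Entra tenant) and rung 3 (an existing Microsoft account) are resolved by Microsoft at sign-in time and cannot be read from your tenant's configuration, so the function reports them as possible overrides.

```powershell
# Added example: inventory the sign-in options a guest can redeem with, then
# predict which rung of the redemption order applies to an invitee address.
# Assumes the Microsoft.Graph modules are installed.
Connect-MgGraph -Scopes "IdentityProvider.Read.All", "Policy.Read.All" -NoWelcome

function Get-RedemptionOptions {
    $graph = "https://graph.microsoft.com/v1.0"

    # Social and built-in providers configured for external users
    $idps = (Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/identityProviders").value

    # SAML/WS-Fed direct federations; each carries the partner domains mapped to it
    # (assumption: the 'domains' collection is returned inline by this list call)
    $feds = (Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/directory/federationConfigurations/graph.samlOrWsFedExternalDomainFederation").value

    # Email OTP for guests is governed by the "Email" authentication method configuration
    $email = Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Email"

    [pscustomobject]@{
        SocialProviders  = @($idps | Where-Object { $_.identityProviderType } |
                             ForEach-Object { $_.identityProviderType })
        FederatedDomains = @($feds | ForEach-Object { $_.domains } |
                             ForEach-Object { $_.id.ToLowerInvariant() })
        # 'default' is treated as enabled, which is how Microsoft applied it to tenants
        # that never set the value explicitly; only 'disabled' switches OTP off
        EmailOtpEnabled  = ($email.allowExternalIdToUseEmailOtp -in @('enabled', 'default'))
    }
}

function Get-ExpectedRedemptionPath {
    # Applies rungs 2 and 4 of the order to one invitee; rungs 1 and 3 are noted as overrides
    param(
        [Parameter(Mandatory)][string]$InviteeEmail,
        [Parameter(Mandatory)]$Options
    )
    $domain = ($InviteeEmail -split '@')[-1].ToLowerInvariant()

    if ($Options.FederatedDomains -contains $domain) {
        return "Rung 2: SAML/WS-Fed federation for $domain (rung 1 wins if the partner also has an Entra tenant)"
    }
    if ($domain -in @('gmail.com', 'googlemail.com') -and $Options.SocialProviders -contains 'Google') {
        return "Rung 2: Google federation"
    }
    if ($Options.EmailOtpEnabled) {
        return "Rung 4: email one-time passcode (unless rung 1 or 3 matches at sign-in)"
    }
    return "No fallback: with email OTP disabled, redemption fails unless the invitee has an Entra tenant or Microsoft account"
}

$options = Get-RedemptionOptions
$options
# partner.example is a placeholder domain
Get-ExpectedRedemptionPath -InviteeEmail "designer@partner.example" -Options $options
```

The last branch is the one worth watching in production: a tenant that disables email OTP without adding a federation for a partner leaves that partner's invitations unredeemable, which shows up as the "can't sign in" ticket rather than as a configuration error.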

Managing guest accounts

Guest users appear in your directory with a UserType of “Guest” (vs “Member” for internal users).

Key management tasks:

| Task | How |
|---|---|
| Convert guest to member | Change UserType in user properties |
| Block guest sign-in | Set accountEnabled to false |
| Set expiration | Access reviews or entitlement management (covered in Domain 4) |
| Remove guest | Delete the guest user object |
| Restrict guest permissions | Use external collaboration settings or CA policies |

ℹ️ Scenario: Jake manages freelancer guest access

Coastline Creative works with 15 freelance designers. Jake invites them as guests and:

  • Assigns them to a “Freelancers” security group
  • Grants group access to the shared design SharePoint site
  • Creates a Conditional Access policy: guests must use MFA
  • Sets a quarterly access review to clean up stale accounts

When a freelancer’s project ends, the access review catches their inactive account and triggers removal. No orphaned guest accounts cluttering the directory.
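The block, convert and remove tasks from the table, plus the stale-account clean-up Jake relies on, can be scripted with Microsoft Graph PowerShell. The following is an added example, not code from the page or from Microsoft; it assumes the Microsoft.Graph modules are installed and a role permitted to update and delete users. The disable and remove functions honour `-WhatIf`, so a run can be previewed before anything changes.

```powershell
# Added example: routine guest hygiene covering the "block", "convert" and "remove"
# tasks. Assumes the Microsoft.Graph modules and a role allowed to update users.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

function Get-GuestInventory {
    # Every guest, with the properties that lifecycle decisions depend on
    Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, DisplayName, Mail, UserType, AccountEnabled, ExternalUserState, CreatedDateTime
}

function Get-UnredeemedGuest {
    # Invitations still pending after the cut-off: accounts nobody ever used
    param([int]$OlderThanDays = 30)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-GuestInventory | Where-Object {
        $_.ExternalUserState -eq 'PendingAcceptance' -and $_.CreatedDateTime -lt $cutoff
    }
}

function Disable-Guest {
    # "Block guest sign-in": set accountEnabled to false but keep the object for audit trails
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Guest)
    process {
        if ($PSCmdlet.ShouldProcess($Guest.DisplayName, "Disable guest sign-in")) {
            Update-MgUser -UserId $Guest.Id -AccountEnabled:$false
        }
    }
}

function Convert-GuestToMember {
    # "Convert guest to member": only UserType changes; the user still signs in via their home IdP
    param([Parameter(Mandatory)][string]$UserId)
    Update-MgUser -UserId $UserId -UserType "Member"
}

function Remove-Guest {
    # "Remove guest": deletes the object; it stays recoverable in the recycle bin for 30 days
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Guest)
    process {
        if ($PSCmdlet.ShouldProcess($Guest.DisplayName, "Delete guest user")) {
            Remove-MgUser -UserId $Guest.Id
        }
    }
}

# Preview: which invitations older than 30 days were never redeemed?
Get-UnredeemedGuest -OlderThanDays 30 | Format-Table DisplayName, Mail, CreatedDateTime
# Disable them (drop -WhatIf to apply)
Get-UnredeemedGuest -OlderThanDays 30 | Disable-Guest -WhatIf
```

Disabling before deleting is deliberate: a disabled guest can no longer sign in, but the object, its group memberships and its sign-in history remain available for an access review or an investigation.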

External identity providers

By default, guests use their own Entra tenant or email OTP. You can add external identity providers for a smoother sign-in experience:

| Provider | Protocol | Use Case |
|---|---|---|
| Google | OAuth 2.0 / OpenID Connect | Partners with Google Workspace |
| Facebook | OAuth 2.0 | Customer-facing B2C apps |
| SAML/WS-Fed identity provider | SAML 2.0 or WS-Federation | Enterprise partners with non-Microsoft IdPs (Okta, Ping, etc.) |

SAML/WS-Fed federation

For enterprise partners using non-Microsoft identity providers (Okta, Ping Identity, ADFS):

  1. Configure the partner’s IdP as a SAML or WS-Fed identity provider in your tenant
  2. Map the partner’s domain to the federation
  3. When guests from that domain are invited, they authenticate via their own IdP

💡 Exam tip: SAML vs WS-Fed

Both SAML 2.0 and WS-Federation achieve the same goal — federated authentication with external IdPs. The exam may ask which to choose:

  • SAML 2.0 — industry standard, works with almost any IdP (Okta, Ping, OneLogin)
  • WS-Federation — older Microsoft protocol, primarily for ADFS and legacy Microsoft environments

Default guidance: Use SAML 2.0 unless the partner specifically requires WS-Fed.
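Steps 1 and 2 of the federation setup (register the partner's IdP, map their domain) correspond to one Microsoft Graph object, the SAML/WS-Fed external domain federation. The following is an added example, not code from the page or from Microsoft; it assumes the Microsoft.Graph modules are installed, that the federation list call returns the `domains` collection inline, and every issuer, URL and certificate value at the bottom is a placeholder to be replaced with the entityID, SSO URL and signing certificate from the partner's IdP metadata.

```powershell
# Added example: register a partner's SAML 2.0 IdP (Okta, Ping Identity, ...) as a
# direct federation and map the partner's domain to it. Assumes Microsoft.Graph modules.
Connect-MgGraph -Scopes "IdentityProvider.ReadWrite.All" -NoWelcome
$graph = "https://graph.microsoft.com/v1.0"

function New-PartnerFederation {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$PartnerDomain,       # domain guests will be invited from
        [Parameter(Mandatory)][string]$IssuerUri,           # IdP entityID / issuer
        [Parameter(Mandatory)][string]$PassiveSignInUri,    # IdP SSO (sign-in) endpoint
        [Parameter(Mandatory)][string]$SigningCertificate,  # base64 DER of the IdP signing cert
        [string]$MetadataExchangeUri,                       # WS-Fed MEX endpoint; not needed for SAML
        [ValidateSet('saml', 'wsFed')][string]$Protocol = 'saml'  # SAML 2.0 unless the partner requires WS-Fed
    )
    $body = @{
        "@odata.type"                   = "#microsoft.graph.samlOrWsFedExternalDomainFederation"
        displayName                     = $DisplayName
        issuerUri                       = $IssuerUri
        passiveSignInUri                = $PassiveSignInUri
        signingCertificate              = $SigningCertificate
        preferredAuthenticationProtocol = $Protocol
        domains                         = @(
            @{ "@odata.type" = "#microsoft.graph.externalDomainName"; id = $PartnerDomain }
        )
    }
    if ($MetadataExchangeUri) { $body.metadataExchangeUri = $MetadataExchangeUri }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/federationConfigurations" -Body $body
}

function Add-PartnerFederationDomain {
    # Maps an additional domain to an existing federation (a partner with several mail domains)
    param([Parameter(Mandatory)][string]$FederationId, [Parameter(Mandatory)][string]$Domain)
    Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/federationConfigurations/$FederationId/domains" `
        -Body @{ "@odata.type" = "#microsoft.graph.externalDomainName"; id = $Domain }
}

function Get-PartnerFederations {
    # Verification: every direct federation with the domains mapped to it
    # (assumption: 'domains' is returned inline by this list call)
    (Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/directory/federationConfigurations/graph.samlOrWsFedExternalDomainFederation").value |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.displayName
                Id      = $_.id
                Issuer  = $_.issuerUri
                Domains = @($_.domains | ForEach-Object { $_.id })
            }
        }
}

# Placeholder values (not a real partner); take the real ones from the partner's IdP metadata
$fed = New-PartnerFederation -DisplayName "Partner Okta" -PartnerDomain "partner.example" `
    -IssuerUri "http://www.okta.com/PLACEHOLDER" `
    -PassiveSignInUri "https://partner.okta.com/app/PLACEHOLDER/sso/saml" `
    -SigningCertificate "MIIC...PLACEHOLDER"
Get-PartnerFederations
```

Keep `Get-PartnerFederations` output in your change records: the signing certificate in a direct federation is what your tenant trusts to vouch for every guest from that domain, so a certificate rotation on the partner side must be mirrored here or their sign-ins stop working.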

🎬 Video walkthrough: External Identities — SC-300 Module 5 (~11 min, coming soon)

Flashcards

Question

What is the redemption priority order for guest users in Entra External ID?

Answer

1) Their own Entra ID tenant, 2) Configured external identity provider (Google, SAML/WS-Fed), 3) Microsoft account, 4) Email one-time passcode (OTP). The first matching option is used.

Question

What are the guest invite settings options in External collaboration settings?

Answer

Who can invite guests: 1) Anyone in the org (including guests), 2) Members and specific admin roles, 3) Only admin roles, 4) No one. Controls who can send B2B invitations to external users.

Question

How do you configure federation with a partner using Okta as their identity provider?

Answer

Add a SAML 2.0 identity provider in Entra → External Identities → All identity providers. Map the partner's domain to the SAML federation. When guests from that domain are invited, they authenticate via Okta.

Knowledge Check

  1. Anika's client needs to invite 200 consultants from a partner firm that uses Okta as their identity provider. The client wants consultants to sign in with their existing Okta credentials. What should Anika configure?

  2. A guest user from a partner company reports they can't sign in. The partner doesn't have an Entra tenant or Microsoft accounts. What authentication method will Entra use as a fallback?

Next up: Cross-Tenant Access & Synchronisation — control how your tenant trusts and shares with other Entra ID tenants using cross-tenant access settings and sync.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.