PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 10 min read

Entra ID External Identities: How to Govern B2B Guest Users and Reduce Partner Access Risk

Guest
UserType for all B2B external identity objects -- filter Get-AzureADUser by this to enumerate guests
90 days
Inactivity period after which guest accounts should be reviewed and potentially disabled
Access Reviews
Entra ID Governance feature that automates periodic external user access recertification

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

External identity sprawl is one of the most common audit findings in Microsoft 365 environments: hundreds of guest accounts representing contractors, ex-partners, and vendor contacts who no longer have a business relationship with the organization. These accounts retain access to Teams channels, SharePoint sites, and sometimes Azure subscriptions. The fix requires a combination of: restricting who can invite guests, applying Conditional Access to guest sign-ins, automating access reviews to catch stale accounts, and configuring the cross-tenant access settings to limit what external users can do in your tenant.

Audit Current Guest Accounts

Start with a current-state inventory. PowerShell: Get-AzureADUser -Filter "UserType eq 'Guest'" | Select-Object DisplayName, UserPrincipalName, Mail, SignInActivity, CreatedDateTime | Export-Csv guests.csv -NoTypeInformation. The SignInActivity property requires the Entra ID P1 or P2 license and Microsoft Graph: Get-MgUser -Filter "UserType eq 'Guest'" -Property 'DisplayName,UserPrincipalName,SignInActivity,CreatedDateTime' | Select-Object DisplayName,UserPrincipalName,@{N='LastSignIn';E={$_.SignInActivity.LastSignInDateTime}},CreatedDateTime. Sort by LastSignIn ascending to find the stalest accounts. Guest accounts with no sign-in in 90+ days are candidates for review and disablement. Guest accounts created more than 1 year ago with no sign-in in 90+ days are candidates for deletion. Before deleting, check group memberships and SharePoint access: Get-AzureADUserMembership -ObjectId [GuestUPN] to see what groups and applications the guest has access to.

Configure Cross-Tenant Access Settings

Cross-Tenant Access Settings (in Entra admin center > External Identities > Cross-tenant access settings) allow you to control which external tenants can collaborate with your organization and what trust settings apply. Default settings: set the default inbound policy (what external users from any tenant can access in your tenant) to require MFA redeeming (trust the external user's MFA from their home tenant) and to not trust device compliance claims from unknown tenants. Set outbound defaults to restrict which of your users can be invited into external tenants (important for data loss prevention). Organization-specific settings: for trusted partner organizations, add them specifically and configure trust for their MFA and device compliance -- this allows their users to access your resources with their home tenant MFA without being prompted again. For all other tenants (unknown partners), keep the defaults restrictive. Enable the 'B2B collaboration' toggle for inbound to control which external users can be invited. Disable 'B2B direct connect' (which allows access without being in your directory) unless specifically required.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Apply Conditional Access Policies to Guest Users

Guest users are often excluded from Conditional Access policies that were written for member users. Verify your CA policies and create guest-specific policies. In Conditional Access, the condition 'User type' can be set to 'Guest or external users' -- use this to create policies that apply specifically to guest identities. Minimum CA policy for guests: require MFA for all cloud app access (regardless of what the guest's home tenant enforces -- your MFA requirement is independent). Block access from high-risk sign-in locations or sign-in risk = High. Set session controls: require re-authentication every 8 hours (shorter session lifetime than member users), restrict downloads from SharePoint and Teams via Defender for Cloud Apps session policies on unmanaged guest devices. Block access to high-sensitivity applications (Azure Resource Manager, Entra admin center, security tooling) for all guest accounts -- guests should never need administrative access.

Automate Access Reviews for External Identities

Entra ID Governance includes Access Reviews that can automatically review and remove guest access. Configure an Access Review specifically for guest accounts: in Entra admin center > Identity Governance > Access Reviews > New Access Review. Scope: all users with Guest UserType (or specific groups that contain guests). Reviewer: the business owner or group owner who invited the guest. Frequency: quarterly. At end of review: auto-apply results -- deny access removes the guest from the group. Enable the option to 'Remove access if no response from reviewer within X days' (auto-deny unreviewable accounts). Configure a second Access Review scoped to all guests across all applications: Entra admin center > Identity Governance > Access Reviews > New Review for Azure AD roles (select All applications). This broader review catches guests who have direct application access outside of group membership. After each review cycle, export the list of denied guests and disable then delete their accounts.

Restrict Guest Invitation Permissions

By default, member users in Entra ID can invite external guests. This creates ungoverned guest sprawl -- any employee can invite a contractor, former colleague, or unknown person into the tenant. Restrict invitation to admins and designated guest inviters: Entra admin center > External Identities > External collaboration settings > Guest invite settings: set to 'Only users assigned to specific admin roles can invite guest users'. Create a Guest Inviter Entra role assignment for the team leads or project managers who legitimately need to invite partners. Require approval for guest invitations via Entitlement Management access packages: create an access package for each external collaboration scenario (e.g., Project Alpha Partner Access). Include the Teams channel, SharePoint site, and any applications needed. Configure the access package to require HR or manager approval and set an automatic expiration (e.g., 6 months, renewable). Guests request access via MyAccess.microsoft.com, managers approve, access expires automatically at the end of the project.

The bottom line

Unmanaged guest access is a persistent data exposure and unauthorized access risk. Enforce three controls: restrict who can invite guests (admin-only with approval), apply mandatory MFA and session Conditional Access to all guest sign-ins, and run quarterly Access Reviews that auto-deny non-reviewed accounts. Entitlement Management access packages with automatic expiration are the most effective tool for preventing guest sprawl in project-based collaboration scenarios.

Frequently asked questions

What is the difference between guest users and external member users in Entra ID?

Guest users (UserType = Guest) are external identities invited via B2B collaboration. They have limited permissions in the tenant by default -- they cannot enumerate all users and groups, see directory structure, or access internal company data outside what they are explicitly granted access to. External member users (UserType = Member) are external identities with the full member user permissions -- typically used for acquisitions or subsidiary scenarios where the external users need the same directory access as internal employees. For security purposes, keep all external partner and contractor identities as Guest type to maintain the permission boundary.

Can guest users bypass MFA by using their home tenant's MFA?

It depends on your Cross-Tenant Access Settings. If you configure 'Trust MFA from Microsoft Entra tenants' for a specific partner organization, their MFA claim is honored and your CA policy's MFA requirement is satisfied without prompting the guest again. If you do not configure this trust, guests are always prompted for your tenant's MFA regardless of what they completed in their home tenant. For unknown or untrusted tenants, do not enable MFA trust -- require their users to complete MFA in your tenant. For known, well-governed partner organizations with mature security programs, trusting their MFA reduces friction while maintaining security.

How do I find guest accounts that have never signed in?

Get-MgUser -Filter "UserType eq 'Guest'" -Property 'DisplayName,UserPrincipalName,SignInActivity,CreatedDateTime' | Where-Object { $_.SignInActivity.LastSignInDateTime -eq $null } | Select-Object DisplayName, UserPrincipalName, CreatedDateTime. A null LastSignInDateTime means the account has never signed in (or the sign-in activity data was not retained). Guests who were invited but never redeemed their invitation are low risk from an active access standpoint, but they still represent invited access that should be cleaned up. Check their CreatedDateTime -- accounts created more than 30 days ago with no sign-in were probably invited by mistake or the collaboration never started.

Do guest users count against our Entra ID license count?

For Entra ID Free, up to 5 guests per licensed member user are included at no extra cost. For Entra ID P1 and P2, the same 5:1 ratio applies for features that require P1/P2 licenses. Features like Access Reviews, Entitlement Management, and PIM for guest users require that the guest's access to P1/P2-governed features is covered by a license. Microsoft's current model provides a 5 external user allowance per licensed internal user -- if you have 100 P2 licensed internal users, you can have 500 guests using P2 features before additional licensing is required. Check current Microsoft licensing documentation for the exact calculation as it can change.

How do I prevent guest users from enumerating internal user accounts and group membership?

By default, guest users have limited directory read permissions -- they cannot enumerate all users or see group membership for groups they are not members of. However, they can read the public profile attributes of any user in the tenant (name, email, job title) if they know the UPN or can search for it. Restrict this further in Entra admin center > External Identities > External collaboration settings > 'Guest user access restrictions': set to 'Guest users have restricted access to properties and memberships of directory objects' (the most restrictive option). This prevents guests from using the Graph API to enumerate users and groups beyond their own assigned resources.

How do you implement a lifecycle management process for B2B guest accounts to prevent accumulation of stale external access?

B2B guest account sprawl is a common compliance finding: organizations invite guests for a project, the project ends, and the guest accounts persist indefinitely with access to SharePoint sites and Teams. Lifecycle management requires three components. Access reviews: configure Entra ID Identity Governance access reviews for guest users on a quarterly basis, assigned to the sponsoring internal user or resource owner. The review prompts the reviewer to confirm each guest still needs access; if they deny or do not respond within the review window, the guest's access is automatically removed. Expiration policies: Entra ID External Identities supports configuring guest account expiration (30, 60, 90 days or custom). If a guest account has not signed in within the expiration window, it is automatically disabled and can be scheduled for deletion. Entitlement management: use Entra ID Entitlement Management access packages to grant guests access to predefined resource bundles with built-in expiration dates. When the package expires, all access granted through it is revoked simultaneously without manual cleanup. For remediation of existing stale guests: query SignInLogs for guest accounts with no sign-in in 90+ days using the Microsoft Graph API and initiate a bulk review cycle.

Sources & references

  1. Microsoft: Entra External Identities Overview
  2. Microsoft: Cross-Tenant Access Settings

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.