All guests and external users

Luis Olias 156 Reputation points


I am newish to Azure AD and I am trying to figure out how "Conditional Access" works.

When I try to put in place MFA for guests, I stumble upon this:

"All guest and external users"

My question is quite simple: Is there any difference between "guests" and "external users"?

Thanks in advance.

Azure Active Directory

Accepted answer
  1. mirba-msft 651 Reputation points Microsoft Employee

    Hello @Luis Olias

    Thank you for reaching out to us.

    The main differences between "Guest" and "External users" are as follows:

    External Users: Azure AD entitlement management utilizes Azure AD business-to-business (B2B) to collaborate with people outside your organization in another directory. With Azure AD B2B, external users authenticate to their home directory but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.

    This article describes the settings you can specify to govern access for external users.

    Guest Users: Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources. Developers can use Azure AD business-to-business APIs to customize the invitation process or write applications like self-service sign-up portals. For licensing and pricing information related to guest users, refer to Azure Active Directory pricing.

    For more information please refer to this article.

    Finally, to make it simple to understand: an External user has their own Azure AD where they will be authenticated, but a Guest user does not need to have an Azure AD; they can even use their personal email ID in order to receive the invitation.

    A Guest user also has the capability to authenticate through email one-time passcode authentication. This is really helpful when a Guest user is unable to authenticate through other means like Azure AD, a Microsoft account (MSA), or Google federation. With one-time passcode authentication, there's no need to create a Microsoft account. When the guest user redeems an invitation or accesses a shared resource, they can request a temporary code, which is sent to their email address. Then they enter this code to continue signing in. This is going to be a default option for all the tenants from March 2021.
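
One way to check which Conditional Access policies actually require MFA for the "All guest and external users" selection the question asks about. This is an added example, not part of the original answer or Microsoft's code; the policy records are constructed, and the helper names (`guest_mfa_status`, `audit`, `_policy`) are hypothetical.

```python
# Added example: audit Conditional Access policies for guest MFA coverage.
# Records follow the Microsoft Graph conditionalAccessPolicy JSON shape;
# every policy below is constructed sample data, not a real tenant export.
GUEST_SCOPE = "GuestsOrExternalUsers"  # Graph value for "All guest and external users"

def guest_mfa_status(policy):
    """Return 'enforced', 'report-only' or 'none' for guest MFA coverage.

    Application scope and other conditions are not evaluated, so review those
    by hand. Policies that use authentication strengths or the per-type guest
    include selector are reported as 'none'.
    """
    users = (policy.get("conditions") or {}).get("users") or {}
    include = users.get("includeUsers") or []
    exclude = users.get("excludeUsers") or []
    if "All" not in include and GUEST_SCOPE not in include:
        return "none"
    if GUEST_SCOPE in exclude or users.get("excludeGuestsOrExternalUsers"):
        return "none"  # guests are carved out of the policy
    grant = policy.get("grantControls") or {}  # null for session-only policies
    controls = grant.get("builtInControls") or []
    # With operator OR, another control (e.g. compliantDevice) can satisfy the
    # policy without MFA; MFA only counts if it is the sole control or AND is used.
    mfa_mandatory = grant.get("operator") == "AND" or controls == ["mfa"]
    if "mfa" not in controls or not mfa_mandatory:
        return "none"
    states = {"enabled": "enforced",
              "enabledForReportingButNotEnforced": "report-only"}
    return states.get(policy.get("state"), "none")

def audit(policies):
    """Map each policy's displayName to its guest MFA status."""
    return {p["displayName"]: guest_mfa_status(p) for p in policies}

def _policy(name, state, include, exclude, controls, operator="OR"):
    """Build a constructed policy record with only the fields the audit reads."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": include,
                                     "excludeUsers": exclude}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE_POLICIES = [  # constructed
    _policy("Guests: require MFA", "enabled", [GUEST_SCOPE], [], ["mfa"]),
    _policy("All users MFA, guests excluded", "enabled", ["All"], [GUEST_SCOPE], ["mfa"]),
    _policy("Guests: MFA or compliant device", "enabled", [GUEST_SCOPE], [],
            ["mfa", "compliantDevice"]),
    _policy("Guests: MFA pilot", "enabledForReportingButNotEnforced",
            [GUEST_SCOPE], [], ["mfa"]),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_POLICIES).items():
        print(f"{status:12} {name}")
```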
