Convert local guest accounts to Microsoft Entra B2B guest accounts
With Microsoft Entra B2B collaboration (part of Microsoft Entra ID), external users collaborate using their own identities. Although organizations can issue local usernames and passwords to external users, this approach isn't recommended: compared to creating local accounts, Microsoft Entra B2B provides better security, lower cost, and less complexity. If your organization currently issues local credentials that external users manage, you can move those users to Microsoft Entra B2B instead. Use the guidance in this document to make the transition.
This article is number 10 in a series of 10 articles. We recommend you review the articles in order. Go to the Next steps section to see the entire series.
Identify external-facing applications
Before migrating local accounts to Microsoft Entra B2B, confirm which applications and workloads external users can access. For example, for applications hosted on-premises, validate that the application is integrated with Microsoft Entra ID. On-premises applications that aren't integrated with Microsoft Entra ID are a common reason local accounts get created in the first place.
We recommend that external-facing applications have single sign-on (SSO) and provisioning integrated with Microsoft Entra ID for the best end user experience.
Identify local guest accounts
Identify the accounts to be migrated to Microsoft Entra B2B. External identities in Active Directory are typically identifiable by an attribute-value pair, for example ExtensionAttribute15 = External for external users. If these users are synchronized with Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync, configure the synced external users to have the UserType attribute set to Guest. If the users are cloud-only accounts, you can modify the user attributes directly. The primary goal of this step is a confirmed list of the users to convert to B2B.
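The inventory step above, as an added example that is not code from the Microsoft Learn article. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users module) is installed, and it uses the article's own convention of ExtensionAttribute15 = External as the marker; the Action values and the output file name are constructed for this example. The filter on the extension attribute is applied client side so the script does not depend on server-side $filter support for nested properties.

```powershell
# Added example (not from the article): inventory local accounts tagged as external
# so they can be reviewed before any account is changed.
# Assumes Microsoft.Graph.Users is installed and ExtensionAttribute15 = 'External'
# marks external users, as in the article's example.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$props = 'id', 'userPrincipalName', 'displayName', 'mail', 'userType',
         'onPremisesSyncEnabled', 'onPremisesExtensionAttributes', 'accountEnabled'

# Read every user once, then evaluate the nested extension attribute locally.
$external = Get-MgUser -All -Property $props |
    Where-Object { $_.OnPremisesExtensionAttributes.ExtensionAttribute15 -eq 'External' }

$report = foreach ($u in $external) {
    # Synced users get UserType = Guest through the sync rules, not through Graph;
    # cloud-only users can be updated directly. Record which path applies.
    if ($u.UserType -eq 'Guest')       { $action = 'ReadyForMapping' }
    elseif ($u.OnPremisesSyncEnabled)  { $action = 'SetGuestViaSyncRules' }
    else                               { $action = 'SetGuestInCloud' }

    [pscustomobject]@{
        Id          = $u.Id
        UPN         = $u.UserPrincipalName
        DisplayName = $u.DisplayName
        Mail        = $u.Mail            # empty until the mapping step fills it
        UserType    = $u.UserType
        Synced      = [bool]$u.OnPremisesSyncEnabled
        Enabled     = $u.AccountEnabled
        Action      = $action
    }
}

$report | Sort-Object Action, UPN | Format-Table -AutoSize
# Constructed output path; review this file with the sponsors before mapping identities.
$report | Export-Csv -Path .\external-local-accounts.csv -NoTypeInformation
```

The report deliberately changes nothing: it separates accounts that still need a UserType fix (and where that fix must be made) from those that are ready for the mapping step, and it surfaces disabled accounts that may not need converting at all.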
Map local guest accounts to external identities
Identify each external user's home identity or external email address. For example, confirm that the local account v-lakshmi@contoso.com belongs to a user whose home identity and email address is lakshmi@fabrikam.com. To identify home identities:
The external user's sponsor provides the information
The external user provides the information
Refer to an internal database, if the information is known and stored
After mapping each external local account to its home identity, add the external identity or email address to the user.mail attribute of the local account.
End user communications
Notify external users about the migration timing. Communicate expectations, for instance the date after which external users must stop using their current local password and start authenticating with their home organization's credentials. Communications can include email campaigns and announcements.
Migrate local guest accounts to Microsoft Entra B2B
After the user.mail attribute of each local account is populated with the external identity and email address, convert the local account to Microsoft Entra B2B by inviting it. You can use PowerShell or the Microsoft Graph API.
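The mapping step (populating user.mail) and the conversion step (inviting the local account) above, as one added example that is not code from the Microsoft Learn article. It assumes the Microsoft Graph PowerShell SDK, a constructed input file mapping.csv with the columns LocalUpn and ExternalEmail that holds the sponsor-confirmed mapping, and a redirect URL of https://myapps.microsoft.com; passing the existing account's id in the invitation's invitedUser property is what ties the invitation to that account rather than creating a new guest object.

```powershell
# Added example (not from the article): apply an approved local-account-to-home-identity
# mapping, then convert each account by inviting it.
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns are installed.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.Invite.All', 'Domain.Read.All' -NoWelcome

# Verified domains of this tenant: a home identity must never be one of them.
$tenantDomains = (Get-MgDomain).Id
$mapping       = Import-Csv -Path .\mapping.csv   # constructed: LocalUpn,ExternalEmail

$results = foreach ($row in $mapping) {
    $upn    = $row.LocalUpn.Trim()
    $mail   = $row.ExternalEmail.Trim()
    $status = $null

    # Guard rails evaluated before the account is touched.
    if ($mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$')        { $status = 'InvalidEmail' }
    elseif ($tenantDomains -contains $mail.Split('@')[1])    { $status = 'EmailIsInternalDomain' }

    $user = $null
    if (-not $status) {
        $user = Get-MgUser -UserId $upn -Property 'id', 'mail', 'userType' -ErrorAction SilentlyContinue
        if (-not $user) { $status = 'LocalAccountNotFound' }
    }

    if (-not $status) {
        # Step 1: record the home identity on the local account (user.mail).
        if ($user.Mail -ne $mail) {
            Update-MgUser -UserId $user.Id -Mail $mail
        }
        # Step 2: invite the existing account; InvitedUser.Id binds the invitation to it.
        $inv = New-MgInvitation -InvitedUserEmailAddress $mail `
                                -InviteRedirectUrl 'https://myapps.microsoft.com' `
                                -InvitedUser @{ Id = $user.Id } `
                                -SendInvitationMessage
        $status = "Invited:$($inv.Status)"
    }

    [pscustomobject]@{ LocalUpn = $upn; ExternalEmail = $mail; Result = $status }
}

$results | Format-Table -AutoSize
# Constructed output path: keep this as the migration record for later verification.
$results | Export-Csv -Path .\conversion-results.csv -NoTypeInformation
```

Run the script once with -WhatIf appended to Update-MgUser and New-MgInvitation to confirm which accounts would be changed; the rows that come back as InvalidEmail, EmailIsInternalDomain or LocalAccountNotFound are the ones to send back to the sponsors before a real run.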
Inviting external users to use company Azure resources is a great benefit, but you want to do it in a secure way. Explore how to enable secure external collaboration.