Discover the current state of external collaboration in your organization

Before you learn about the current state of your external collaboration, determine a security posture. Consider centralized vs. delegated control, also governance, regulatory, and compliance targets.

Learn more: Determine your security posture for external users

Users in your organization likely collaborate with users from other organizations. Collaboration can occur with productivity applications like Microsoft 365, by email, or sharing resources with external users. The foundation of your governance plan can include:

• Users initiating external collaboration
• Collaboration with external users and organizations
• Access granted to external users

Users initiating external collaboration

Users seeking external collaboration know the applications needed for their work, and when access ends. Therefore, determine users with delegated permission to invite external users, create access packages, and complete access reviews.

To find collaborating users:

• Microsoft 365, audit log activities
• Auditing and reporting a B2B collaboration user

Collaboration with external users and organizations

External users might be Azure AD B2B users with partner-managed credentials, or external users with locally provisioned credentials. Typically, these users are a UserType of Guest. See, B2B collaboration overview.

You can enumerate guest users with:

• Microsoft Graph API
• PowerShell
• Azure portal

There are tools to identify Azure AD B2B collaboration, external Azure AD tenants and users accessing applications:

• PowerShell module
• Azure Monitor workbook

Email domains and companyName property

Determine external organizations with the domain names of external user email addresses. This discovery might not be possible with consumer identity providers such as Google. We recommend you write the companyName attribute to identify external organizations.

Allowlist, blocklist, and entitlement management

For your organization to collaborate with, or block, specific organizations, at the tenant level, there is allowlist or blocklist. Use this feature to control B2B invitations and redemptions regardless of source (such as Microsoft Teams, SharePoint, or the Azure portal). See, Allow or block invitations to B2B users from specific organizations.

If you use entitlement management, you can confine access packages to a subset of partners with the Specific connected organizations option, under New access packages, in Identity Governance.

External user access

After you have an inventory of external users and organizations, determine the access to grant to these users. You can use the Microsoft Graph API to determine Azure AD group membership or application assignment.

• Working with groups in Microsoft Graph
• Applications API overview

Enumerate application permissions

Investigate access to your sensitive apps for awareness about external access. See, Grant or revoke API permissions programmatically.

Detect informal sharing

If your email and network plans are enabled, you can investigate content sharing through email or unauthorized software as a service (SaaS) apps.

• Identify, prevent, and monitor accidental sharing
  • Learn about data loss prevention
• Identify unauthorized apps
  • Microsoft Defender for Cloud Apps overview

Next steps

• Determine your security posture for external access
• Create a security plan for external access
• Securing external access with groups
• Transition to governed collaboration with Azure Active Directory B2B collaboration
• Manage external access with entitlement management
• Manage external access with Conditional Access policies
• Control access with sensitivity labels
• Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business