Plan a Microsoft Entra B2B collaboration deployment
Secure collaboration with your external partners ensures they have the correct access to internal resources for the expected duration. Learn about governance practices to reduce security risks, meet compliance goals, and ensure accurate access.
Governance benefits
Governed collaboration improves clarity of ownership of access, reduces exposure of sensitive resources, and enables you to attest to access policy.
- Manage external organizations, and their users who access resources
- Ensure access is correct, reviewed, and time bound
- Empower business owners to manage collaboration with delegation
Collaboration methods
Traditionally, organizations use one of two methods to collaborate:
- Create locally managed credentials for external users, or
- Establish federations with partner identity providers (IdP)
Both methods have drawbacks. For more information, see the following table.
Area of concern | Local credentials | Federation |
---|---|---|
Security | - Access continues after external user terminates<br>- UserType is Member by default, which grants too much default access | - No user-level visibility<br>- Unknown partner security posture |
Expense | - Password and multi-factor authentication (MFA) management<br>- Onboarding process<br>- Identity cleanup<br>- Overhead of running a separate directory | Small partners can't afford the infrastructure, lack expertise, and might use consumer email |
Complexity | Partner users manage more credentials | Complexity grows with each new partner, and is increased for partners |
Microsoft Entra B2B integrates with other tools in Microsoft Entra ID, and Microsoft 365 services. Microsoft Entra B2B simplifies collaboration, reduces expense, and increases security.
Microsoft Entra B2B benefits
- If the home identity is disabled or deleted, external users can't access resources
- User home IdP handles authentication and credential management
- Resource tenant controls guest-user access and authorization
- Collaborate with users who have an email address, but no infrastructure
- IT departments don't connect out-of-band to set up access or federation
- Guest user access is protected by the same security processes as internal users
- Clear end-user experience with no extra credentials required
- Users collaborate with partners without IT department involvement
- Guest default permissions in the Microsoft Entra directory aren't limited or highly restricted
Next steps
- Determine your security posture for external access
- Discover the current state of external collaboration in your organization
- Create a security plan for external access
- Securing external access with groups
- Transition to governed collaboration with Microsoft Entra B2B collaboration
- Manage external access with entitlement management
- Secure access with Conditional Access policies
- Control access with sensitivity labels
- Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business
- Convert local guest accounts
- Onboard external users to Line-of-business applications