B2B External Collaboration Architecture

Substantive Overview

External collaboration is no longer an edge case—it is a core business function. The historical approach of creating "vendor accounts" in your own AD (effectively treating partners as employees) is an anti-pattern that creates lifecycle nightmares and security holes.

Microsoft Entra External ID (B2B) offers a paradigm shift: Bring Your Own Identity (BYOI). Instead of managing credentials for partners, you manage authorization and trust. The partner authenticates with their own credentials (their Entra ID, Google, or OTP), and you grant access to resources in your tenant.

A robust B2B architecture explicitly differentiates between Collaboration (Guests in your directory) and Connectivity (Shared Channels/Teams). It uses Cross-Tenant Access Settings (XTAS) to enforce Zero Trust boundaries—trusting the partner's MFA or compliant device claims rather than re-prompting.

Decision	Options	Recommendation	Context
Trust Model	Trust Partner MFA vs. Require My MFA	Trust Partner MFA (via XTAS)	Re-prompting guests for MFA (creating a 2nd MFA profile) causes massive friction. Trusting their home MFA is cleaner and secure.
Guest Governance	Manual Cleanup vs. Access Reviews	Access Reviews	Guest accounts rot. Automate monthly/quarterly reviews by sponsors to delete inactive guests.
Invitation	Self-Service vs. Admin Only	Self-Service with Governance	Allow users to invite, but restrict to specific domains or require Entitlement Management (access packages) for approval flows.
Isolation	Allow All Domains vs. Allow-List	Deny-List (Baseline) / Allow-List (High Security)	For most, "Allow all except known bad/competitors" is practical. "Allow only specific domains" creates high admin overhead.
B2B Direct Connect	Enable vs. Disable	Enable Specific Partners	Only enable Direct Connect for close partners where "Shared Channels" adds value.

Implementation Strategy

Phase 0: Discovery

Inventory: Scan directory for existing UserType=Guest. Identify "Vendor" accounts that are actually UserType=Member (bad practice).
Shadow IT: Check Teams/SharePoint sharing reports to see who is sharing what.

Phase 1: Security Baseline (The "wall")

External Collab Settings: Restrict "Guest invite" rights to specific roles or users.
Cross-Tenant Access: Configure "Default" settings to be restrictive.
MFA Enforcement: Ensure Conditional Access requires MFA for all guests (or trusts inbound MFA claims).

Phase 2: Trusted Partner Integration

XTAS Configuration: Identify strategic partners. Configure Inbound Trust settings to accept their MFA and Device Compliance claims.
Conversion: Convert existing "Member" vendor accounts to "Guest" accounts where possible (preserving permissions is tricky).

Phase 3: Governance & Automation

Entitlement Management: Create Access Packages for partners. "Project X Collaboration" package grants access to the Team + SharePoint + App.
Lifecycle: Configure Access Package expiration (e.g., 180 days) requiring renewal.
Access Reviews: Turn on automated reviews for all Guest users.

Phase 4: Operate

Monitoring: Watch "Sign-ins" logs for B2B failures.
Sponsor Management: Ensure every Guest has a valid internal "Sponsor" attribute for accountability.

Risks & Anti-Patterns

Risk	Likelihood	Impact	Mitigation
Guest Sprawl	High	Medium	Accumulating thousands of guests who left the partner org. Mitigation: Automated Access Reviews.
Data Exfiltration	Medium	High	Guests downloading data to unmanaged devices. Mitigation: Use "App Enforced Restrictions" (Session Control) to block downloads for guests.
"Member" masquerade	Medium	High	Creating vendors as internal "Member" accounts. Mitigation: Policy prohibiting manual account creation; force B2B flow.
Over-permissioning	High	High	Adding Guests to "Everyone" or "All Users" dynamic groups. Mitigation: Exclude Guests from broad internal groups.
Tenant Takeover	Low	Critical	Allowing external guests to invite other guests unrestricted. Mitigation: Lock down "Guest Invite" settings.

KPIs & Outcomes

Guest MFA Coverage: 100% (either performed in tenant or trusted from home).
Stale Guest Count: fewer than 5% of total guests inactive for >90 days.
Member-to-Guest Ratio: Appropriate to business model (track trend).
Access Review Completion: >95% of reviews completed by decision makers.

Workshop Questions

Do you currently create AD accounts for vendors/partners?
Which external organizations do you collaborate with most intensely?
Do you want to trust the partner's MFA (if they have it) or force them to use yours?
Do you have "competitor domains" that should be strictly blocked?
Who is allowed to invite a guest? (Admins? Any user? Managers?)
How do you know when a project ends and the guest access should be removed?
Do you use Teams Shared Channels today?
Are guests allowed to access internal applications (ServiceNow, Jira) or just M365?
What is the policy for guests downloading documents?
Do you have a "Sponsor" field in your guest user objects?
How do you handle "personal" email addresses (Gmail/Outlook.com) for guests?
Do you use Entitlement Management (Identity Governance) today?
Are there regulatory requirements (export control) restricting specific nationalities?
Do guests need to accept a Non-Disclosure Agreement (NDA) before signing in?
How do you handle support for guests who can't log in?

Checklist

Collaboration Settings: Review "External collaboration settings" in Entra portal.
Cross-Tenant Access: Configure default outbound/inbound settings.
Conditional Access: Create dedicated "Guest Access" policy.
Dynamic Groups: Review "All Employees" dynamic groups to ensure (userType -ne "Guest").
SharePoint Sharing: Set tenant-level sharing capability (e.g., "New and existing guests").
Terms of Use: Upload standard NDA/Terms for guest acceptance.
Access Reviews: Configure a pilot review for one Team.