The Blown Light Bulb

Information worth sharing...


Microsoft Entra ID and Microsoft 365 Collaboration Map

External collaboration in Microsoft 365 is a game-changer. Whether it’s inviting a freelance designer to review mockups in SharePoint Online (SPO) or working with a partner team across tenants in Microsoft Teams, enabling seamless collaboration is crucial for today’s workplace. But let’s be honest—understanding the web of settings that make this possible can feel overwhelming.

That’s where the map I’ve created comes in. It’s a visual guide to navigating the dependencies and connections between Microsoft Entra ID (formerly Azure AD) and Microsoft 365 when setting up external collaboration.

[Figure: What happens when you invite someone]

In this post, I’ll break down the key pieces of the puzzle, walk through common workflows, and explain why certain settings matter. Ready? Let’s dive in.


The Building Blocks of External Collaboration

When you want to share content with people outside your organization, several systems need to work together:

  1. Microsoft Entra ID: This is the backbone of identity and access management. It controls how external users authenticate and what policies apply to them. External Identities settings define how Microsoft B2B collaboration works and behaves when you collaborate with organizations that are not Entra ID tenants. Cross-tenant access settings govern how you interact with other Microsoft Entra ID organizations, including B2B direct connect and cross-tenant synchronization.

  2. SharePoint Online (SPO) and OneDrive: These govern file and site sharing settings. They decide how external users interact with your documents and sites, through External sharing settings.

  3. Microsoft Teams: Teams pulls sharing and membership rules from Entra ID, SPO, and group settings to allow external communication. It uses Microsoft B2B collaboration, or B2B direct connect with shared channels.

  4. Microsoft 365 groups: These have specific settings that allow (or disallow) external people to be added to them. Microsoft 365 groups are a hard dependency when collaborating in Microsoft Teams or SharePoint Online (SPO) modern sites.

Each of these has its own settings, and they’re interconnected. Change one, and it might ripple across the entire collaboration setup.


Inviting External Users to Collaborate

Let’s say you want to invite a consultant to collaborate on a project in Teams. Here’s what happens behind the scenes:

  1. User Invitation:

    • You invite the consultant using their email address.
    • Microsoft Entra ID kicks in, creating a guest user account for them (when B2B collaboration applies). Policies like multi-factor authentication (MFA) and Conditional Access may apply here, depending on your tenant’s configuration.
  2. Access Permissions:

    • If you’re sharing a Teams channel, the external user is added to the underlying Microsoft 365 Group.
    • For document sharing in SPO, permissions are managed at the file or folder level.
  3. Authentication:

    • The guest user either signs in with their own Microsoft account or another identity provider (Google, LinkedIn, etc.). If you have Cross-Tenant Sync enabled, the process is even smoother for users in synced directories.
  4. Collaboration:

    • Once invited, the external user gains access to the Teams channel, SPO site, or document. Real-time collaboration tools like co-authoring in Word or commenting in Excel become available instantly.

Reference(s). Add a guest user and send an invitation, and Add a guest user with PowerShell.
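The invitation workflow described above, carried out with the Microsoft Graph PowerShell SDK, as an added example that is not the post's own code: the consultant's address and the team's group id are placeholders, and it assumes the Microsoft.Graph module and the delegated permissions listed in the connect call.

```powershell
# Added example (not from the original post): invite one guest, verify what
# Entra ID created, and grant access through the team's Microsoft 365 group.
# Assumptions: Microsoft.Graph module installed; the e-mail address and group id
# below are placeholders to replace with real values.
Connect-MgGraph -Scopes "User.Invite.All","User.Read.All","GroupMember.ReadWrite.All"

$guestEmail  = "consultant@partner.example"            # placeholder
$projectTeam = "00000000-0000-0000-0000-000000000000"  # placeholder: group id behind the team

# 1. User invitation: Entra ID creates the guest object and e-mails a redemption link.
$invite = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
    -InvitedUserDisplayName "Consultant (external)" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage

# 2. The guest object exists immediately, but externalUserState stays
#    "PendingAcceptance" until the consultant redeems the invitation.
$guest = Get-MgUser -UserId $invite.InvitedUser.Id `
    -Property "id,displayName,mail,userType,externalUserState,creationType"
$guest | Select-Object DisplayName, Mail, UserType, ExternalUserState, CreationType

# 3. Access permissions: membership in the team's Microsoft 365 group is what
#    grants the channel and the underlying SharePoint site.
New-MgGroupMember -GroupId $projectTeam -DirectoryObjectId $guest.Id

# 4. Housekeeping: guests who never redeemed their invitation still hold group
#    membership; list them so stale invitations can be reviewed and removed.
Get-MgUser -Filter "userType eq 'Guest' and externalUserState eq 'PendingAcceptance'" `
    -Property "displayName,mail,createdDateTime" -All |
    Select-Object DisplayName, Mail, CreatedDateTime
```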


Key Settings to Know

Now let’s break down the settings that can make or break this process:

1. External Collaboration Settings in Entra ID

  • These are found under Entra ID > External Identities > External Collaboration Settings.
  • Key options include:
    • Guest invite settings: Who can invite external users? Admins? All employees?
    • Collaboration restrictions: What domains are allowed or restricted (whitelist vs blacklist approach)?

Reference. B2B collaboration with external guests for your workforce

2. SharePoint Online Sharing Settings

  • Located in the SharePoint admin center, these control how files and sites are shared externally. You’ll find settings like:
    • External sharing: Sets the level of permissiveness for SharePoint and OneDrive, defining with whom content can be shared.
    • More external sharing settings: Limit your external sharing by domain, and by group membership.
  • These settings apply to OneDrive as well since it’s built on the same infrastructure.
  • Pay special attention to SharePoint and OneDrive integration with Microsoft Entra B2B, and confirm that it is enabled for your tenant.

Reference. External sharing in SharePoint and OneDrive in Microsoft 365

3. Cross-Tenant Access Settings

  • These define more granular settings for Microsoft B2B collaboration, as well as B2B direct connect, when inviting guests from other Entra ID tenants. If your organization collaborates with another tenant often, enabling cross-tenant access settings for that tenant can simplify things.

Reference. Cross-tenant access with Microsoft Entra External ID

4. Microsoft Teams External Access

  • Teams has two layers of external access:
    1. Guest Access: Allows external users to join your Teams and channels.
    2. External Access: Allows communication with other Teams tenants or Skype users without full guest access. They don’t have access to your teams, sites, or other Microsoft 365 resources.
  • Configure these under Teams Admin Center > Users > External Access and Guest Access settings.

Reference. Collaborate with guests in a team

5. Microsoft 365 Groups

  • Located in Microsoft 365 admin center > Show all > Settings > Org settings > Microsoft 365 Groups
  • Microsoft 365 Groups have guest access turned on by default, which allows group owners to add people from outside your organization.

Reference. Manage guest access in Microsoft 365 groups
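The five settings layers above, read back from a tenant in one pass and cross-checked against each other, as an added example that is not part of the original post: it assumes the Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules are installed, and "contoso" is a placeholder tenant name.

```powershell
# Added example (not from the original post): read the five settings layers the
# post maps and flag combinations that contradict each other.
# Assumptions: Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell and
# MicrosoftTeams modules are installed; "contoso" is a placeholder tenant name.
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All"
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-MicrosoftTeams

# 1. Entra ID external collaboration settings: who may invite, what guests may see
$authz = Get-MgPolicyAuthorizationPolicy
$guestRoles = @{   # well-known guestUserRoleId values from the authorizationPolicy resource
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "same as member"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "limited (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "restricted"
}
# 2. SharePoint / OneDrive sharing
$spo = Get-SPOTenant
# 3. Cross-tenant access defaults applied to other Entra ID tenants
$xtap = Get-MgPolicyCrossTenantAccessPolicyDefault
# 4. Teams guest access and external (federated) access
$teamsClient = Get-CsTeamsClientConfiguration
$fed         = Get-CsTenantFederationConfiguration
# 5. Microsoft 365 Groups guest setting (Group.Unified template; absent means tenant default)
$unified = Get-MgGroupSetting | Where-Object DisplayName -eq "Group.Unified"
$allowToAddGuests = ($unified.Values | Where-Object Name -eq "AllowToAddGuests").Value

[pscustomobject]@{
    WhoCanInvite         = $authz.AllowInvitesFrom
    GuestPermissions     = $guestRoles[$authz.GuestUserRoleId]
    B2BCollabInbound     = $xtap.B2bCollaborationInbound.UsersAndGroups.AccessType
    B2BDirectConnectIn   = $xtap.B2bDirectConnectInbound.UsersAndGroups.AccessType
    SpoSharing           = $spo.SharingCapability
    SpoDomainRestriction = $spo.SharingDomainRestrictionMode
    SpoB2BIntegration    = $spo.EnableAzureADB2BIntegration
    TeamsGuestAccess     = $teamsClient.AllowGuestUser
    TeamsExternalAccess  = $fed.AllowFederatedUsers
    GroupsAllowGuests    = $allowToAddGuests
} | Format-List

# Cross-checks for the "ripple" effects the post warns about
if ($spo.SharingCapability -ne "Disabled" -and $authz.AllowInvitesFrom -eq "none") {
    Write-Warning "SPO allows external sharing, but Entra ID blocks all guest invitations."
}
if ($teamsClient.AllowGuestUser -and "$allowToAddGuests" -eq "false") {
    Write-Warning "Teams guest access is on, but Microsoft 365 Groups refuse guest members."
}
if ($spo.SharingCapability -ne "Disabled" -and -not $spo.EnableAzureADB2BIntegration) {
    Write-Warning "SPO external sharing is on while Entra B2B integration is off (the post says to confirm it)."
}
```

Run it after any change to one layer: the report shows the whole chain at once, and the warnings point at the layer that silently blocks what another layer allows.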


Common Pitfalls (and How to Avoid Them)

  1. Overly Restrictive Settings:

    • If your sharing settings are too tight, external users might struggle to access content. Strike a balance between security and usability.
  2. Forgotten Permissions:

    • Always check group and site permissions when adding new users. Misconfigured permissions are a common source of frustration.
  3. Inconsistent Policies Across Tenants:

    • If you’re using Cross-Tenant Sync, ensure both tenants agree on collaboration policies. Misaligned settings can lead to access issues, particularly when B2B direct connect is being used.

Wrapping Up

Enabling external collaboration in Microsoft 365 is like tuning a complex orchestra—each system has its part to play. But when everything’s in harmony, the result is a beautiful, seamless experience for your users.

Hopefully, the map I’ve shared and the walkthrough in this post give you a clearer picture of how it all fits together. Whether you’re inviting someone to co-author a document, collaborate in Teams, or share a SharePoint site, understanding these connections is the key to success.

Enjoy it!