Microsoft Azure Active Directory (Azure AD) is a cloud-based multi-tenant identity platform that provides a wide range of identity and access management capabilities. These capabilities include core identity services, application access, and security features, including external collaboration settings. Understanding how to manage these settings properly is essential, especially for those studying for the SC-300 Microsoft Identity and Access Administrator exam.

External collaboration in Azure AD involves managing interactions with users outside your organization. By correctly setting up and controlling these interactions, you can ensure secure access to resources while enabling collaboration with your partners.

Examine B2B Collaboration

Azure AD offers a feature called business-to-business (B2B) collaboration, allowing you to invite external users to your company’s apps and services. Primarily, the external collaboration settings are designed to control who your users can invite and whether guests can invite others.

The B2B collaboration feature is managed in the Azure AD admin center. The default settings typically give guests the same access as members and let users invite guests. However, these settings can be customized to the level of external collaboration control your organization requires.

Controlling Guest User Access

There are several ways to restrict or allow guest access. Specifically, the Azure AD controls include settings for member permissions, guest permissions, and external collaboration settings.

  • In the ‘Members can invite’ setting, member users can invite new guests to collaborate on your organization’s resources. If you disable this, only admins will have this ability.
  • In the ‘Guest users permissions are limited’ setting, you can give guest users less access to directory data than member users. If this is set to “No”, guests effectively have the same permissions as members.
  • Finally, the ‘Manage external collaboration settings’ page is where you establish whether guests from any other Azure AD organization can be invited (‘Allow invitations to be sent to any domain’) or whether invitations to certain domains are blocked (‘Block invitations to the specified domains’).

Using PowerShell to Manage Settings

Alternatively, you can manage external collaboration settings using PowerShell cmdlets. Here’s a simple example showing how to deny all external invitees except a specified domain.

# Look up the tenant-wide B2B management setting object by its display name and load it
$settings = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | Where-Object DisplayName -EQ "Tenant-wide configuration for B2B management").Id
# Block invitations to every domain that is not explicitly on the allowed list
$settings["InvitationsBlockedForUnmanagedDomains"] = $true
$settings["AllowedInvitedUserDomainsList"] = "trustedPartner.com"
# Write the modified setting back to the tenant
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Conversely, here’s how to permit all external invitees except for a specific domain.

# Load the same tenant-wide B2B management setting object
$settings = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | Where-Object DisplayName -EQ "Tenant-wide configuration for B2B management").Id
# Allow invitations to any domain except those on the blocked list
$settings["InvitationsBlockedForUnmanagedDomains"] = $false
$settings["BlockedInvitedUserDomainsList"] = "unwantedPartner.com"
# Write the modified setting back to the tenant
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
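Changing the allowed or blocked domain lists only affects future invitations; guests invited before the lists were tightened remain in the directory. The following script is an added example, not part of the original article, that uses the same two policy modes described above (an allow-list, or a block-list when no allow-list is set) to review existing guest accounts against those lists. It assumes the AzureAD PowerShell module is installed and Connect-AzureAD has already been run; the $AllowedDomains and $BlockedDomains values are constructed sample data, not read from the tenant, and the helper function names are this example's own.

```powershell
# Added example (not from the original article): report guest accounts whose
# home domain is outside the allowed list or on the blocked list.
# Assumes the AzureAD module is loaded and Connect-AzureAD has been run with an
# account that can read users. The two lists are constructed sample values.
$AllowedDomains = @("trustedpartner.com")   # constructed; leave empty to use block-list mode
$BlockedDomains = @("unwantedpartner.com")  # constructed

function Get-GuestHomeDomain {
    param([Parameter(Mandatory)] $Guest)
    # Prefer the Mail attribute; otherwise decode the #EXT# form of the guest UPN,
    # e.g. alice_contoso.com#EXT#@tenant.onmicrosoft.com -> alice@contoso.com
    $address = $Guest.Mail
    if (-not $address -and $Guest.UserPrincipalName -match '^(.+)#EXT#@') {
        $address = $Matches[1] -replace '^(.*)_', '$1@'
    }
    if ($address -and $address.Contains('@')) {
        return $address.Split('@')[-1].ToLowerInvariant()
    }
    return $null
}

function Test-GuestDomainPolicy {
    param(
        [Parameter(Mandatory)][string] $Domain,
        [string[]] $Allowed = @(),
        [string[]] $Blocked = @()
    )
    # Mirrors the article's two modes: with an allow-list configured only listed
    # domains pass; otherwise everything passes except the blocked domains.
    # -contains compares case-insensitively, so mixed-case entries still match.
    $d = $Domain.ToLowerInvariant()
    if ($Allowed.Count -gt 0) {
        if ($Allowed -contains $d) { return 'Allowed' } else { return 'NotOnAllowList' }
    }
    if ($Blocked -contains $d) { return 'Blocked' }
    return 'Allowed'
}

# Enumerate every guest account in the tenant (OData filter on userType)
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"

$report = foreach ($g in $guests) {
    $domain = Get-GuestHomeDomain -Guest $g
    [pscustomobject]@{
        DisplayName       = $g.DisplayName
        UserPrincipalName = $g.UserPrincipalName
        HomeDomain        = $domain
        PolicyResult      = if ($domain) {
                                Test-GuestDomainPolicy -Domain $domain -Allowed $AllowedDomains -Blocked $BlockedDomains
                            } else { 'UnknownDomain' }
    }
}

# Guests that would not be invitable under the current lists are the ones to
# review for removal or re-approval; 'UnknownDomain' rows need a manual look.
$report | Where-Object PolicyResult -ne 'Allowed' | Format-Table -AutoSize
```

Run this after any change to the domain lists, or on a schedule, so that the directory's actual guest population stays consistent with the policy the settings express.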

Conclusion

Thus, managing external collaboration settings in Azure AD provides you with granular control over how and with whom your users collaborate. By understanding the different settings and how to change them, either through the admin center or PowerShell, you can better tailor your organization’s access and security policies. This is an integral part of preparing for the SC-300 Microsoft Identity and Access Administrator exam, ensuring you have the skills to efficiently and securely manage identity and access within Azure AD.

Practice Test

True or False: External collaboration settings in Azure AD allow users from other organizations to access your resources.

  • True
  • False

Answer: True

Explanation: Azure AD external collaboration settings enable you to manage who can participate as guests in your directory. These settings control guest invitation policies.

Can guests in Azure AD be treated with the same controls and policies as regular members?

  • Yes
  • No

Answer: Yes

Explanation: Azure AD offers the option to apply the same sign-in and user risk policies for your guest users as you do for your internal users.

Which of the following is not a collaboration option in Azure AD?

  • A) Invite user through Azure AD B2B collaboration
  • B) Directly add user from partner organization
  • C) Add user from government organization
  • D) Invite user through email invitation

Answer: C) Add user from government organization

Explanation: Azure AD B2B collaboration supports inviting partner organization users and individual users through email invitation, but there is no direct support for adding users from a government organization.

True or False: In Azure AD, you can allow or block invitations to specific organizations.

  • True
  • False

Answer: True

Explanation: Azure AD external collaboration settings allow you to manage who can invite outside users and to which organizations invitations can be sent.

Azure AD simplifies access to ________.

  • A) On-premises resources
  • B) Non Azure resources
  • C) External resources
  • D) Light-weight directory services

Answer: C) External resources

Explanation: Azure AD simplifies access to external resources such as SaaS applications.

Which among the following cannot be managed by Azure AD external collaboration settings?

  • A) Who can invite external users
  • B) The domains to which invitations can be sent
  • C) The trusted documents for collaboration
  • D) Whether guests in your directory can invite other guests

Answer: C) The trusted documents for collaboration

Explanation: The Azure AD external collaboration settings manage the invitations to outside users, including who can send these invitations, and the domains that can receive these invitations. It doesn’t manage document trust.

True or False: It is possible to prevent new guest users from being added to your directory in Azure AD.

  • True
  • False

Answer: True

Explanation: Azure AD has settings that allow you to prevent any new guest users from being added to your directory.

Can an external user reset their password in Azure AD?

  • A) Yes
  • B) No

Answer: A) Yes

Explanation: External users in Azure AD B2B collaboration can use self-service password reset if the policy and settings allow it.

Which of the following refers to Azure AD B2B?

  • A) Azure Business to Business
  • B) Azure Background to Business
  • C) Azure Backup to Backup
  • D) Azure Bridge to Business

Answer: A) Azure Business to Business

Explanation: In Azure AD, B2B stands for Business to Business, referring to collaboration features for external partners.

True or False: Azure AD B2B collaboration features do not allow you to add Google accounts.

  • True
  • False

Answer: False

Explanation: One of the Azure AD B2B collaboration features is that it allows users with Google accounts to sign in to your services with their Google credentials.

Interview Questions

What do external collaboration settings in Azure Active Directory (AD) enable?

External collaboration settings in Azure AD enable organizations to manage how their users collaborate with users in other organizations.

How is B2B Collaboration regulated in Azure AD?

B2B Collaboration in Azure AD is regulated through an invitation model which invites external users to collaborate and share directory resources.

What is the default external collaboration setting in Azure AD?

The default external collaboration setting in Azure AD allows all users to invite guests and share resources with outside organizations.

How can you prevent specific users from creating B2B collaboration invitations in Azure?

You can prevent specific users from creating B2B collaboration invitations in Azure by selecting ‘selected’ in the ‘Members can invite’ setting and not including the specific users.

What does the ‘Guests can invite’ setting in Azure AD control?

The ‘Guests can invite’ setting in Azure AD controls whether B2B guest users can invite other guests from within your organization.

Can external collaboration settings in Azure AD be set at a granular level?

Yes, Azure AD allows for setting external collaboration settings at a granular level which can be specified at the user and group level.

How do you block users from specific organizations from being invited to collaborate?

You can block users from specific organizations from being invited to collaborate by adding the domains to be blocked to the ‘Blocked domains’ list in external collaboration settings.

How can an Azure AD administrator permit specific users to bypass the blocked domains list?

An Azure AD administrator can permit specific users to bypass the blocked domains list by adding the permitted users to the ‘Users who can invite’ list in external collaboration settings.

Can an Azure AD guest user invite users from their home directory?

No, guest users in Azure AD do not have permission to invite users from their home directory unless the ‘Guests can invite’ setting is enabled.

What action does setting ‘Admins and users in the guest inviter role can invite’ in the ‘Members can invite’ setting perform?

This action only allows administrators and users assigned with the guest inviter role to send invitations for B2B collaboration.

How can you permit B2B collaboration only from specific organizations?

You can permit B2B collaboration only from specific organizations by adding allowed domains to the ‘Allow invitations only to the specified domains’ list in external collaboration settings.

What is the default ‘Guest users permissions are limited’ setting in Azure AD?

By default, the ‘Guest users permissions are limited’ setting in Azure AD is set to ‘Yes’, restricting guest users from certain directory tasks such as enumerating users, groups, or other directory resources.

What does setting the ‘Guest users permissions are limited’ to ‘No’ do?

Setting ‘Guest users permissions are limited’ to ‘No’ gives guest users the same access as members in your directory, with the exception of any settings or policies that specifically limit guest user access.

What is the ‘Enable Email one-time passcode for guests’ setting in Azure AD?

This setting allows users who do not have an Azure AD account or a Microsoft account to sign in using a one-time passcode sent to their email.

Can you review and monitor B2B collaboration invitations in Azure AD?

Yes, Azure AD provides a detailed audit log in the Azure portal, where administrators can monitor B2B collaboration invitations.
