Microsoft 365 relies on Azure Active Directory (Azure AD) for user identity management.
Azure AD is the identity foundation and can be used as a single identity repository.
Identity profiles allow users to be assigned roles, privilege levels, depending on their internal/external status and the use they will make of the tools.
Moreover, an external user can be invited in different ways (Azure AD, shares, groups).
It is fundamental to understand and follow the different identity profiles that exist in Microsoft 365 to define appropriate policies and to ensure the security of the user, especially over time.
Discover the 5 types of identity for Microsoft 365 users with their specificities:
Users
Users are generally internal employees of the organization or external employees on long-term contracts.
They have access to all collaboration features as soon as they are granted an Office 365 license.
The account is provided by the organization and it is the organization that controls the end-to-end lifecycle.
Anonymous users
Anonymous users are external to the organization.
Therefore, they should have more limited use of collaboration tools and more limited access to data. With the "anonymous user" profile they will only have access to the tenant via SharePoint, OneDrive anonymous share links or within Teams meetings (if you allow them).
As an external user, no Microsoft license is required.
Federated users
The federated users are also external to the organization but belong to a company authorized by the organization to use Microsoft Teams.
They have access to limited functionalities around communication: chat, audio, video.
The account is provided by the federated organization, no license is required, but the users must authenticate themselves.
Azure AD B2B users
Unlike other identity profiles, Azure AD BtoB includes external users or guests, using the collaboration functionality in Microsoft Teams.
Since March 2022, there are two groups: Collaboration and Direct.
Azure AD B2B Collaboration users (guests)
These users are external to the organization but have an authorized domain in Azure AD.
They have access to the collaboration features in the Teams/SharePoint guest space after a team owner has added them.
For these users, an Azure AD P1/P2 license will need to be granted. The lifecycle is not to be managed but it will be necessary to ensure that their presence and permissions are legitimate.
This can be from a personal account or an account provided by the organization.
This category is intended to replace SharePoint guests.
Azure AD B2B Direct users
These are also external to the organization but from an authorized Azure tenant in Azure AD. The collaboration features are accessible to them but only in the shared channels.
By default, these identities are closed, an administrator must open the permissions at the Azure AD tenant level for them to be accessible.
No license is required and the account is provided by the federated tenant organization.
To summarize, Microsoft's Azure AD B2B identities provide for collaboration users who are the classic guests where you have to manage the lifecycle. Then you have direct guests - privileged partners where you don't have control over the lifecycle, but they can be added into your shared channels.
And today, this notion of Azure AD BtoB direct is restricted to channels, although Microsoft plans to extend it to other services later.
Towards a better management of external guests
Once you are familiar with the 5 identity profiles in Microsoft 365, you need to think about the desired security policies, including the implementation of a guest user lifecycle.
It is necessary to ensure that the guest user respects the security policies of the company. To do this, companies can implement conditional access policies.
Finally, to delete a user, Microsoft does not propose anything by default, it will then be necessary to define and implement manual or automatic processes.
