Guest Accounts vs External Accounts in Microsoft Entra ID
Guest Accounts vs External Accounts in Microsoft Entra ID
Summary Table
| Term | Meaning | Example |
|---|---|---|
| Guest Account | A user added to your Entra ID tenant with the user type = Guest. Typically added via B2B collaboration. |
You invite john@gmail.com to access your SharePoint site; he becomes a guest user in your directory. |
| External Account | A user not managed by your tenant. They authenticate via their own Entra ID, Microsoft Account, or other identity provider. | user@partnercorp.com logs in using their own Entra ID – they are external to your organization. |
Detailed Differences
| Feature | Guest Account | External Account |
|---|---|---|
| User Type in Entra ID | Guest |
Can be Guest or Member (in federated scenarios) |
| Managed in Your Tenant? | Yes (limited) | No |
| Authentication Source | External IdP (e.g., Microsoft Account, Google, or their own Entra ID) | Their own home IdP (could be Entra ID or something else) |
| Typical Use Case | B2B Collaboration (e.g., invite external vendors or partners to Teams, SharePoint) | External federation or identity providers (e.g., SAML/WS-Fed B2B, cross-tenant access, identity federation) |
| Account Lives In | Your Entra tenant (as a guest entry) | Their home tenant or IdP |
| Management Control | You control access & policies for the guest entry | Limited — you rely on trust/federation settings |
Conceptual Explanation
All guest accounts are external, but not all external users are guests.
A guest account is like giving someone a visitor badge to your office—they exist in your directory, but aren’t fully internal.
An external account might never show up in your directory at all if they’re only accessing through cross-tenant trust or identity federation.
Examples
- Guest (B2B): You add
alex@gmail.comas a guest to your tenant to access a shared Power BI dashboard. They appear in your directory asalex_gmail.com#EXT#@yourcompany.onmicrosoft.com. - External (Federated): Your company has a federation with
partnercorp.com. Whenjane@partnercorp.comlogs into your app, she authenticates through her own company’s Entra ID, without being added as a guest.
Leave a Reply