Manage external users – Manage Azure identities and governance – AZ-104 Study Guide

Manage external users

To create guest users from the Azure portal, browse to your Entra tenant as a user with rights to create users, select the Users blade, choose New User, and then select Invite External User. An example of this blade is shown in Figure 1-10. A guest user can be anyone who is invited to collaborate with your organization. Once created, the guest user should receive an invitation in their mailbox.

Creating and managing guest users is similar to creating and managing normal user accounts. Guest users can be invited to the directory, to a group, or to an application. As soon as you invite the guest user, that account is created in Entra ID with the User Type set to Guest. The guest user receives an email invitation immediately after creation and must accept the invitation, along with the first-time consent process, in order to access the assigned resources.

By default, all users and admins can invite guests. You can restrict the way guest users can be invited by selecting Manage External Collaboration Settings on the Users blade under User Settings. The External Collaboration Settings blade is shown in Figure 1-11. You can also access these settings from the Entra tenant by clicking User Settings on the left, and then choosing Manage External Collaboration Settings in the External Users section.

FIGURE 1-10 Invite External User blade in the Azure portal

FIGURE 1-11 External Collaboration Settings blade in the Azure portal

When a guest user is added, the Consent Status for the guest user (viewable in PowerShell) is PendingAcceptance. This value will be changed to Accepted immediately after the guest user accepts the invitation. The guest user will appear as an “invited user” in the Azure portal until the user accepts the invitation.
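The consent state described above, as an added example in Microsoft Graph PowerShell that is not part of the study guide: invite a guest, then audit guest accounts whose invitation is still PendingAcceptance past a cutoff, since unredeemed invitations are stale access paths worth reviewing. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the User.Invite.All and User.Read.All scopes; the e-mail address, redirect URL and cutoff are placeholders.

```powershell
# Added example (not from the study guide). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns) is installed and that the
# signed-in account holds the User.Invite.All and User.Read.All delegated scopes.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All" -NoWelcome

# 1. Invite a guest. Address and redirect URL are placeholders.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress "partner@example.com" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage

# The call returns the invitation and the guest account it created. The
# invitation's Status and the user's ExternalUserState both stay at
# PendingAcceptance until the guest redeems the invitation.
$invitation.Status
$invitation.InvitedUser.Id

# 2. Audit: list guests whose invitation is still pending and was sent more
#    than $StaleDays ago. Filtering on userType is an advanced query, so the
#    ConsistencyLevel/CountVariable parameters are required.
$StaleDays = 30
$cutoff = (Get-Date).AddDays(-$StaleDays)

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -ConsistencyLevel eventual -CountVariable guestCount `
    -Property Id, DisplayName, Mail, UserType, ExternalUserState, CreatedDateTime

$stale = $guests | Where-Object {
    $_.ExternalUserState -eq 'PendingAcceptance' -and $_.CreatedDateTime -lt $cutoff
}

$stale | Select-Object DisplayName, Mail, ExternalUserState, CreatedDateTime |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# Remediation is left commented out so the audit is read-only by default:
# $stale | ForEach-Object { Remove-MgUser -UserId $_.Id }
```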

Configure Microsoft Entra Join

Microsoft Entra includes the ability to manage device identity, which enables single sign-on to devices and the applications and services managed through Entra that are accessed from that device. Managed devices include both enterprise and bring-your-own-device (BYOD) scenarios. This allows users to work from any device, including personal devices, all while protecting corporate intellectual property with the necessary regulatory and compliance controls.

Using Entra ID Join, you can control these devices, the applications installed and accessed from them, and how those applications interact with your corporate data.

When associating devices with Entra, you have three options: Register A Device, Join A Device, and Hybrid Join. Registering devices is appropriate for personal devices, while joining devices is useful for corporate-owned devices. Hybrid joined devices are joined to your on-premises Active Directory and are registered with your Entra ID tenant.

When you associate a device with Entra ID, you can manage a device’s identity by implementing features like single sign-on (SSO) and securing access using conditional access. Note that this identity can be managed independently of a user’s identity. This provides a great degree of flexibility because devices can be enabled or disabled without affecting a user account. Entra ID Join is an extension of device registration that changes the local state of the device. When a device is Entra-joined, users can sign in to the device using an organizational account instead of a personal account.