Microsoft Entra External ID is the component of the Microsoft Entra identity platform that manages external identities. It lets an organization collaborate securely with users outside the organization (partners, customers, and vendors) without creating separate accounts for them in the internal tenant.
On the other hand, a Workspace Tenant (often referred to as an Entra ID tenant or home tenant) is the central tenant that manages internal users, devices, and applications of an organization, providing full access to Microsoft 365 services, Azure resources, and enforcing policies like Zero Trust.
Let's break down the comparison between Microsoft Entra External ID and the Workspace Tenant.
1. Microsoft Entra External ID
- Purpose: Manage and securely collaborate with external users (partners, customers, vendors) by granting them access to your resources without creating separate internal accounts. External users can use their own credentials from other identity providers or social accounts.
- Guest and B2B Collaboration: External users can access applications, documents, or resources via B2B scenarios while using their external identity provider credentials (e.g., Google, Microsoft accounts, or SAML-based providers).
- Identity Providers: Supports multiple identity providers, including Azure AD B2B (accounts from other Microsoft Entra tenants), Google, Facebook, LinkedIn, and SAML-based providers, so external users authenticate with credentials they already own.
- Conditional Access and Zero Trust: You can enforce Conditional Access policies on external users, just like you would for internal users, ensuring that external partners meet security requirements (such as MFA or device compliance).
- External Collaboration Use Case: Use Microsoft Entra External ID to manage partners or contractors needing access to resources without creating separate accounts within your organization.
Example: A partner from an external company accessing a SharePoint site or an application in your environment using their own credentials, with limited permissions defined by your security policies.
2. Workspace Tenant
- Purpose: A Workspace Tenant (or Entra ID tenant) manages internal users, devices, applications, and security policies. It is the primary tenant where internal IT manages identity and access control for users and resources within the organization.
- Identity Management: Manages internal users using Microsoft Entra ID (formerly Azure AD). These users typically have organizational accounts (e.g., `user@yourcompany.com`) and are fully governed by the organization's security and identity policies.
- Resource Access: Workspace tenants control access to all internal resources such as Microsoft 365, Azure resources, SharePoint, Teams, and internal applications. Policies are enforced on users, devices, and apps through Intune, Conditional Access, and role-based access control (RBAC).
- Conditional Access and Zero Trust: Conditional Access and Zero Trust models are applied across internal users to ensure security policies are followed. These could include enforcing MFA, compliant devices, and strict security policies within the tenant.
Example: Employees logging into Microsoft Teams or SharePoint with full access to internal documents and applications as governed by the organization's policies.
Why Use Microsoft Entra External ID?
- Simplified External Collaboration: External partners and customers can access your resources using their own credentials without needing to manage new accounts for them within your organization.
- Security and Conditional Access: Apply security policies such as multifactor authentication (MFA), session controls, and risk-based access management for external identities, ensuring security without compromising ease of use.
- Integration with Various Identity Providers: Allow external users to authenticate with identity providers they already use, such as Google, LinkedIn, or other social logins, which reduces the friction of accessing your resources.
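The Conditional Access point made above (and in the "Conditional Access and Zero Trust" bullet of section 1) can be put into practice with a single policy that requires MFA for every external identity while leaving internal members untouched. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original article, and the policy name and the break-glass group ID are placeholders.

```powershell
# Added example (not from the original article). Requires the Microsoft Graph
# PowerShell SDK and a role allowed to manage Conditional Access
# (for example Conditional Access Administrator). The policy name and the
# break-glass group object ID are placeholders, not values from the article.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require MFA for guest and external users"   # placeholder name
    # Start in report-only mode so the sign-in logs show the impact before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            # Scope the policy to external identities only; internal members are not included.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser,serviceProvider"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
            # Always exclude the emergency-access (break-glass) group from Conditional Access.
            excludeGroups = @("<BREAK-GLASS-GROUP-OBJECT-ID>")   # placeholder
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: read the policy back and confirm it targets external user types only.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes

# After reviewing report-only results in the sign-in logs, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Leaving the policy in report-only mode first lets you see, per external tenant and user type, which sign-ins would have been blocked before MFA is actually enforced.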
Conclusion
- Microsoft Entra External ID: Best for managing external collaboration and partnerships, allowing secure access to external users while letting them use their own identity providers.
- Workspace Tenant (Internal Tenant): Ideal for managing your internal users, identities, devices, and resources, ensuring full control and application of your organization's security policies.
By leveraging both Microsoft Entra External ID for external users and your Workspace Tenant for internal users, you can maintain a secure and collaborative environment that adheres to Zero Trust principles.