
Technical Lab: Manage External Users

Questions

Question 1 — Multiple Choice

A company needs to grant access to the Azure portal to an external partner named ana.souza@parceiro.com. The administrator sends an invitation via Microsoft Entra External ID. Before Ana accepts the invitation, what is the status of her account in the company's directory?

A) The account doesn't exist in the directory until the invitation is accepted.

B) The account is created immediately as Guest with pending acceptance status.

C) The account is created as Member and converted to Guest after acceptance.

D) The account is only created if the parceiro.com domain is verified in the tenant.


Question 2 — Technical Scenario

An administrator needs to allow external users to collaborate only on specific tenant resources, without access to the Microsoft Entra Admin Center. The current external collaboration policy is configured as follows:

External collaboration settings:
Guest user access: "Guest users have limited access to properties
and memberships of directory objects"
Invite settings: Admins and users in the guest inviter role can invite
Collaboration restrictions: Allow invitations to any domain

A project manager who holds no administrative role asks to be able to send invitations directly. What does the administrator need to change to fulfill this request without granting more permissions than necessary?

A) Change Guest user access to "Guest users have the same access as members".

B) Change Invite settings to "Anyone in the organization can invite".

C) Assign the Global Administrator role to the manager temporarily.

D) Enable the Self-service sign-up option in tenant settings.


Question 3 — True or False

A guest user added via Microsoft Entra External ID automatically inherits all Microsoft Entra Conditional Access policies applied to member users of the tenant, since both reside in the same directory.


Question 4 — Technical Scenario

An organization wants to automate the periodic review process of external users with access to groups and applications. The administrator configured a monthly Access Review. After the review cycle, some guests were not reviewed by the designated responsible party. What behavior should the administrator configure to ensure that non-reviewed access is automatically revoked?

Access Review settings:
Reviewers: Selected users (manager of each guest)
Duration: 30 days
Upon completion settings: [?]
If reviewers don't respond: [?]

A) Set Upon completion to "Auto apply results" and If reviewers don't respond to "No change".

B) Set Upon completion to "Auto apply results" and If reviewers don't respond to "Remove access".

C) Set Upon completion to "Require manual apply" and If reviewers don't respond to "Remove access".

D) Set Upon completion to "Auto apply results" and If reviewers don't respond to "Approve access".


Question 5 — Multiple Choice

An administrator needs to remove access for all external users who haven't logged in within the last 90 days. Which Microsoft Entra ID feature allows identifying these users based on last login date?

A) Access Reviews with scope configured for inactive guest users.

B) Sign-in logs filtered by user type "Guest" in Microsoft Entra ID.

C) Usage & insights reports, "Azure AD application activity" section.

D) signInActivity property available via Microsoft Graph API.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

When an invitation is sent via Microsoft Entra External ID, the external user's account is created immediately in the directory as type Guest, with the externalUserState attribute set to PendingAcceptance. This means the account exists and can be viewed in the portal even before any action from the invitee.

The main misconception behind the distractors is confusing the moment the account is created with the moment it becomes active. Option A is incorrect because the account already exists in the directory in the pending state. Option C reverses the logic: the account is created as Guest from the start, never as Member. Option D is incorrect because domain verification is not a prerequisite for sending invitations under the default configuration.

Understanding this behavior is important for auditing and managing expired or unaccepted invitations.


Answer Key — Question 2

Answer: B

The Invite settings configuration controls who in the tenant can send invitations. The option "Admins and users in the guest inviter role can invite" restricts sending to administrators and users holding the Guest Inviter role. For any user in the organization, such as the project manager, to send invitations without receiving an administrative role, it is enough to change the setting to "Anyone in the organization can invite".

Option A changes the directory permissions of the guests themselves, not who can send invitations. Option C grants excessive privileges and violates the principle of least privilege. Option D enables the self-service sign-up flow, which lets external users create their own accounts; it does nothing to let internal collaborators send invitations.


Answer Key — Question 3

Answer: False

Guest users do not automatically inherit the Microsoft Entra Conditional Access policies that apply to members. Conditional Access policies can be explicitly targeted at external users through assignment conditions that filter by user type (for example, B2B collaboration guests) or by specific home tenants.

A policy whose assignment includes "All users" may reach guests, but whether it does depends on how the scope was configured. Where no policy is scoped to guests, they can operate without the same controls that apply to members, a real security risk that is often overlooked in environments with many external collaborators.
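The scoping described above can be checked rather than assumed. The following is an added example, not code from the lab page: it takes Conditional Access policy objects in the shape Microsoft Graph returns them (`conditions.users.includeUsers`, `conditions.users.includeGuestsOrExternalUsers`, `state`) and reports which policies can reach B2B guests, which are guest-scoped but left in report-only mode, and which cover members only. The three policies and the group id are constructed for the example; in a real run they would come from `GET /v1.0/identity/conditionalAccess/policies`.

```python
# Added example (not from the lab page): audit which Conditional Access policies
# can reach B2B guests. The policy dicts mirror the Microsoft Graph
# conditionalAccessPolicy shape (conditions.users.includeUsers,
# conditions.users.includeGuestsOrExternalUsers, state); the three policies
# themselves are constructed for this example.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for members",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": [],
                # constructed group id standing in for an "All employees" group
                "includeGroups": ["00000000-0000-0000-0000-000000000001"],
                "includeGuestsOrExternalUsers": None,
            }
        },
    },
    {
        "displayName": "Block legacy auth for everyone",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],  # Graph's marker for the portal's "All users"
                "includeGuestsOrExternalUsers": None,
            }
        },
    },
    {
        "displayName": "Require MFA for B2B guests",
        "state": "enabledForReportingButNotEnforced",  # report-only: enforces nothing
        "conditions": {
            "users": {
                "includeUsers": [],
                "includeGuestsOrExternalUsers": {
                    "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember",
                    "externalTenants": {"membershipKind": "all"},
                },
            }
        },
    },
]


def policy_reaches_guests(policy):
    """True if the policy's user assignment can include B2B guests.

    Two ways exist: the "All" (or legacy "GuestsOrExternalUsers") marker in
    includeUsers, or an explicit includeGuestsOrExternalUsers block naming at
    least one external user type.
    """
    users = policy.get("conditions", {}).get("users", {})
    if {"All", "GuestsOrExternalUsers"} & set(users.get("includeUsers") or []):
        return True
    ext = users.get("includeGuestsOrExternalUsers") or {}
    types = ext.get("guestOrExternalUserTypes") or "none"
    return types != "none"


def guest_coverage_report(policies):
    """Split policies into (enforced_on_guests, guest_scoped_report_only, members_only).

    Only state == "enabled" counts as enforced; a guest-scoped policy left in
    report-only mode is listed separately because it blocks nothing.
    """
    enforced, report_only, members_only = [], [], []
    for p in policies:
        name = p["displayName"]
        if not policy_reaches_guests(p):
            members_only.append(name)
        elif p.get("state") == "enabled":
            enforced.append(name)
        else:
            report_only.append(name)
    return enforced, report_only, members_only


if __name__ == "__main__":
    enforced, report_only, members_only = guest_coverage_report(SAMPLE_POLICIES)
    print("Enforced on guests:       ", enforced)
    print("Guest-scoped, report-only:", report_only)
    print("Members only:             ", members_only)
    if not enforced:
        print("WARNING: no enabled policy reaches guest users")
```

Note that the check deliberately treats a report-only policy as non-enforcing: an MFA policy for guests that was never switched from report-only to enabled leaves exactly the gap the explanation describes, and a plain "does a guest policy exist?" check would miss it.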


Answer Key — Question 4

Answer: B

To ensure that non-reviewed access is automatically revoked, two combined configurations are needed:

  • Upon completion: Auto apply results causes reviewer decisions to be applied automatically at the end of the cycle, with no manual intervention.
  • If reviewers don't respond: Remove access treats the absence of a response as a removal decision, so access that nobody reviewed does not stay active by omission.

Option A keeps access in place when reviewers stay silent, which defeats the purpose of the control. Option C requires manual application, introducing a human dependency that can delay or skip revocations. Option D automatically approves unreviewed access, the opposite of the desired behavior and potentially dangerous in regulated environments.


Answer Key — Question 5

Answer: D

The signInActivity property exposed by the Microsoft Graph API provides the date and time of the last interactive and last non-interactive sign-in for each user, guests included. It is the right mechanism for programmatically identifying inactive users against a time threshold.

Option A is incorrect because Access Reviews evaluate group members or application assignments through a human or automated decision, but do not filter users by last sign-in date. Option B is valid for spot investigation of individual sign-ins, but Sign-in logs have limited retention (30 days in the standard plan) and are not designed for bulk inactivity queries. Option C, Usage & insights, focuses on application activity, not the inactivity of individual users.

Combining the Graph API query with an automation script is the recommended approach for periodic hygiene of inactive guests at scale.
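As an added example (not code from the lab page), the script below shows the client-side half of that automation and also serves the point made in the Question 1 answer key about auditing unaccepted invitations. It takes a page of the Graph `/users` response in the shape `GET /v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,userType,externalUserState,externalUserStateChangeDateTime,createdDateTime,signInActivity` would return and produces two lists: invitations still in `PendingAcceptance` for longer than 30 days, and accepted guests with no sign-in of either kind (interactive or non-interactive) in the last 90 days. The field names are Graph's; the six users, their ids and every timestamp are constructed, and the clock is frozen so the output is reproducible. Reading `signInActivity` requires a Microsoft Entra ID P1 license and the `AuditLog.Read.All` permission alongside `User.Read.All`.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the lab page). The dict below imitates one page of
#   GET https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'
#       &$select=id,displayName,userType,externalUserState,
#                externalUserStateChangeDateTime,createdDateTime,signInActivity
# Field names are Graph's; the users, ids and timestamps are constructed.
# A real run would follow @odata.nextLink until it is absent.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # frozen clock for reproducible output

SAMPLE_RESPONSE = {
    "value": [
        {   # accepted, signed in recently: keep
            "id": "g-1", "displayName": "Guest One", "userType": "Guest",
            "externalUserState": "Accepted", "createdDateTime": "2023-01-10T09:00:00Z",
            "signInActivity": {"lastSignInDateTime": "2024-05-20T08:00:00Z",
                               "lastNonInteractiveSignInDateTime": "2024-05-30T08:00:00Z"},
        },
        {   # interactive sign-in is old, but a recent non-interactive one (token refresh) counts: keep
            "id": "g-2", "displayName": "Guest Two", "userType": "Guest",
            "externalUserState": "Accepted", "createdDateTime": "2023-03-01T09:00:00Z",
            "signInActivity": {"lastSignInDateTime": "2023-12-01T08:00:00Z",
                               "lastNonInteractiveSignInDateTime": "2024-05-15T08:00:00Z"},
        },
        {   # no sign-in of either kind within 90 days: inactive
            "id": "g-3", "displayName": "Guest Three", "userType": "Guest",
            "externalUserState": "Accepted", "createdDateTime": "2023-03-01T09:00:00Z",
            "signInActivity": {"lastSignInDateTime": "2024-01-15T08:00:00Z",
                               "lastNonInteractiveSignInDateTime": "2024-02-01T08:00:00Z"},
        },
        {   # accepted months ago but never signed in: Graph omits signInActivity entirely
            "id": "g-4", "displayName": "Guest Four", "userType": "Guest",
            "externalUserState": "Accepted", "createdDateTime": "2023-11-01T09:00:00Z",
        },
        {   # invitation sent 52 days ago and still not accepted: stale invitation
            "id": "g-5", "displayName": "Guest Five", "userType": "Guest",
            "externalUserState": "PendingAcceptance", "createdDateTime": "2024-04-10T09:00:00Z",
            "externalUserStateChangeDateTime": "2024-04-10T09:00:00Z",
        },
        {   # invitation sent 3 days ago: pending but not yet stale
            "id": "g-6", "displayName": "Guest Six", "userType": "Guest",
            "externalUserState": "PendingAcceptance", "createdDateTime": "2024-05-29T09:00:00Z",
            "externalUserStateChangeDateTime": "2024-05-29T09:00:00Z",
        },
    ]
}


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user):
    """Most recent of interactive and non-interactive sign-in, or None when
    Graph returned no signInActivity (the user has never signed in)."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_graph_time(activity[k]) for k in
              ("lastSignInDateTime", "lastNonInteractiveSignInDateTime") if activity.get(k)]
    return max(stamps) if stamps else None


def stale_invitations(users, now=NOW, max_pending_days=30):
    """Ids of guests still in PendingAcceptance for longer than max_pending_days."""
    cutoff = now - timedelta(days=max_pending_days)
    stale = []
    for u in users:
        if u.get("externalUserState") != "PendingAcceptance":
            continue
        since = parse_graph_time(u.get("externalUserStateChangeDateTime") or u["createdDateTime"])
        if since < cutoff:
            stale.append(u["id"])
    return stale


def inactive_guests(users, now=NOW, max_idle_days=90):
    """Ids of accepted guests with no sign-in of either kind in the window.

    A guest with no signInActivity at all falls back to createdDateTime, so a
    guest who accepted last week is not flagged before their first sign-in.
    """
    cutoff = now - timedelta(days=max_idle_days)
    inactive = []
    for u in users:
        if u.get("userType") != "Guest" or u.get("externalUserState") == "PendingAcceptance":
            continue
        last = last_activity(u) or parse_graph_time(u["createdDateTime"])
        if last < cutoff:
            inactive.append(u["id"])
    return inactive


if __name__ == "__main__":
    users = SAMPLE_RESPONSE["value"]
    print("stale invitations:", stale_invitations(users))
    print("inactive guests:  ", inactive_guests(users))
```

Two design choices matter here. First, a guest whose interactive sign-in is months old but whose non-interactive sign-in (a token refresh from a mobile app, say) is recent is still active; flagging on `lastSignInDateTime` alone would remove working users. Second, Graph omits `signInActivity` entirely for accounts that have never signed in, so the code must not assume the property exists. Revocation is a separate step from this report; setting `accountEnabled` to false before deleting the account gives a rollback window if someone was flagged in error.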