Types of External Users in Microsoft 365
Before addressing licensing, it is essential to understand how Microsoft categorises external users — because the licensing obligations differ significantly by external user type. There are four primary external user categories in M365:
- Entra B2B Guest Users: External individuals who have been invited into your Entra ID tenant as guest accounts (account type: Guest). They authenticate using their own identity (a personal Microsoft account, another organisation's work account, or a one-time passcode) and are represented in your directory as guest objects. Most Teams guests and SharePoint external collaborators with long-term access fall into this category.
- Entra B2B Direct Connect: A newer collaboration model where external users from partner organisations access specific shared channels or resources through a trust relationship between two tenants — without creating guest accounts in your directory. This is primarily used for Teams Shared Channels (which we address below).
- Anonymous link recipients: External individuals who access SharePoint or OneDrive content via a "Anyone with the link" sharing link. They do not authenticate at all and are not represented in your directory.
- External members (Entra External ID): Introduced as part of the Entra External ID product, external members can be granted member-level (rather than guest-level) access to your tenant resources. This is primarily relevant for extranets, partner portals, and customer-facing applications rather than standard M365 collaboration.
Teams Guest Access Licensing
Teams is where most external user licensing questions originate, because Teams guest access is easy to enable, commonly used, and its licensing rules are frequently misapplied.
The Teams Guest Exemption
Microsoft's published policy on Teams guest licensing is: an external user who joins your Teams environment as a guest does not require a licence from you, provided they have their own qualifying Microsoft 365 or Teams licence. This exemption covers a very broad range of real-world scenarios — most professional external collaborators (law firms, consulting firms, client organisations, partner companies) have their own Microsoft 365 subscriptions that include Teams, and their access to your Teams channels as a guest is covered by their own licence.
This exemption is what makes Teams the default collaboration channel with external parties for most enterprises — it is effectively free for both parties if both have M365 licences.
When Teams Guest Access Does Require a Licence
The guest exemption does not apply in several common scenarios:
- External users without a qualifying licence: A guest user who has no Microsoft 365 subscription — a freelancer with a personal Gmail account, a small supplier without M365, a retired adviser — does not have their own qualifying licence. Microsoft's published terms state that you must licence these users through a Microsoft 365 subscription assigned in your tenant. In practice, the most cost-effective approach is to assign Microsoft 365 Business Basic (the cheapest M365 SKU with Teams, at ~£4.60/user/month) to these unlicensed external users.
- External users accessing capabilities beyond the base Teams guest feature set: Teams guest access provides a defined (and limited) set of capabilities — joining meetings, participating in chat, accessing shared channels and files. External users who require broader M365 capabilities (Exchange Online access, SharePoint site creation, Power Platform, etc.) require a licence that provides those capabilities.
- Shared channel participants via B2B Direct Connect: Teams Shared Channels use B2B Direct Connect rather than the guest account model. Shared Channel participants access your channels through their own tenant identity and their own Microsoft 365 licence — they do not need a licence from you. However, any enhanced capabilities applied to a shared channel (for example, sensitivity labels that require Purview licences, or Copilot summaries) may trigger licence requirements in the host tenant.
SharePoint Online External Sharing Licensing
SharePoint Online's external sharing capabilities are among the most extensively used — and most licensing-complex — aspects of M365 external collaboration. The licensing rules differ significantly by sharing type:
Anonymous Link Sharing (Anyone Links)
"Anyone with the link" sharing provides access to specific files or folders without authentication. Recipients are not Entra ID users, do not appear in your directory, and do not require a licence — neither their own nor one provided by you. This is the lowest-friction sharing method and the highest-risk from a data governance perspective.
From a licensing standpoint, anonymous links have no direct licensing cost. The governance risk is that they create uncontrolled access that cannot be audited against specific user identities, and they bypass any Conditional Access policies that would apply to authenticated access. Purview Information Protection policies (sensitivity labels with encryption) applied to documents can prevent anonymous link recipients from accessing protected content — but this capability requires E5 Compliance or a Purview add-on licence.
Specific People Sharing (Authenticated External Access)
When sharing with specific external individuals who authenticate (via Microsoft account, work account, or one-time passcode), those individuals become Entra B2B guests. The same licensing rule as Teams guests applies: if they have a qualifying M365 licence from their own organisation, their SharePoint access is covered. If they do not, you must licence them.
The compliance implication of authenticated SharePoint external sharing is more nuanced than Teams guest access because SharePoint documents may be subject to retention policies, eDiscovery holds, and DLP policies. External users who have accessed or modified documents that are subject to a litigation hold create a discovery scope question — can you preserve and export content that was shared with and potentially modified by an external user who has since left your tenant? This is addressed by Purview eDiscovery capabilities that are included in M365 E3 and above but require explicit consideration in external sharing governance policies.
Entra External ID: The Licensing Model for External-Facing Applications
Microsoft repositioned and rebranded its external identity capabilities under "Entra External ID" in 2023–2024. Entra External ID combines the B2B collaboration (guest accounts) and B2C (customer identity) capabilities under a single product family, with a MAU (Monthly Active User) pricing model for external users in customer-facing scenarios.
B2B (Business Partner) Licensing
Entra B2B functionality — creating guest accounts, B2B direct connect, cross-tenant access settings — is included in all Entra ID P1 and P2 licences (and therefore in M365 E3 and E5). There is no separate per-guest charge for B2B guest accounts in a tenant where licensed users are present.
The important nuance: premium Entra ID P1 and P2 features applied to guest users require the host tenant to have sufficient Entra ID P1/P2 licences. The "5:1 ratio rule" — which historically provided that one Entra P1 licence could cover 5 guest users for premium feature access — has been updated. As of 2024, Microsoft moved to a simpler policy: premium Entra features for guest users require that the tenant has Entra P1 or P2 licences for its own users, and guest users can access premium features up to a multiple of the organisation's licensed seats. Organisations should verify the current ratio in Microsoft's published guidance, as this has been an area of policy change.
External ID for Customer-Facing Applications (B2C)
For customer-facing applications that use Entra External ID for customer identity management (consumer login, customer portals, partner onboarding applications), Microsoft uses a MAU-based pricing model. The first 50,000 MAUs per month are included at no charge; beyond that, pricing applies per MAU (approximately $0.00325/MAU as of 2026, decreasing at scale).
This MAU pricing applies to external users accessing customer-facing applications built on the Entra External ID for customers platform — not to standard B2B guest access within Microsoft 365. Organisations building customer portals or partner onboarding applications should model their expected MAU volume and include Entra External ID consumption in their Azure budget planning.
Entra P1 and P2 Features for External Users
Several Entra ID P1 and P2 features are specifically relevant for managing external users at scale. Understanding which features require which licences — and whether those licences must be assigned to the host tenant users or to the guest users themselves — is important for compliance architecture.
| Feature | Licence Required | Who Must Be Licensed | Practical Relevance |
|---|---|---|---|
| B2B guest invitations (basic) | Entra ID Free | No additional licence required | Standard guest invitations and access |
| Conditional Access for guest users | Entra P1 | Host tenant users must have P1 (included in M365 E3) | Applying MFA, compliant device, or location requirements to guests |
| Access Reviews for guest accounts | Entra P2 | Host tenant must have P2 licences for reviewers | Periodic review and attestation of guest access — critical for governance |
| Entitlement Management (access packages) | Entra P2 | Host tenant users with access packages require P2 | Structured onboarding and offboarding of external partners at scale |
| Identity Protection for guests | Entra P2 | P2 assigned to host tenant | Risk-based Conditional Access for high-risk sign-ins by guests |
| Cross-tenant access (B2B Direct Connect) | Entra P1 | Both tenants must configure XTAP (Entra P1 not required for basic config) | Teams Shared Channels federation |
The most practically important insight from this table: Conditional Access for guest users (requiring MFA from guests, ensuring guests are accessing from compliant networks) requires Entra P1 in the host tenant — which is included in M365 E3. Organisations on M365 E1 or Business Basic that have not applied Conditional Access to guest users may be providing unrestricted access to external collaborators, which is a security governance gap regardless of the licensing question.
External User Governance: A Licensing-Led Framework
The absence of external user governance is the primary reason external user licensing compliance fails. Most organisations have no systematic process for: cataloguing which external users exist in their tenant; verifying that those users have qualifying licences or are licensed by the host; reviewing whether external access is still needed (especially for guests from former partners, contractors, or vendors); or removing access when it is no longer justified.
The resulting situation — which we observe consistently across our engagements — is a tenant with hundreds or thousands of stale guest accounts, some of which belong to individuals who have left their own organisation and whose Microsoft accounts are no longer active, and others of which belong to active external users accessing the tenant with no current business justification. The licensing governance framework must include external users as a discrete governance category.
Implementing Guest Access Reviews
Microsoft Entra ID P2 (included in M365 E5 or available as a standalone add-on to E3) provides Access Reviews — a built-in capability for scheduling periodic reviews of guest access that routes approval requests to nominated reviewers. Reviewers can confirm that specific guests still need access, or flag accounts for removal.
For organisations on M365 E3 without Entra P2, manual quarterly guest access reviews — pulling a guest account report from the Entra ID portal and distributing it to team owners for attestation — are a workable alternative. The process is more labour-intensive but achieves the same governance outcome. A quarterly review cadence is the minimum appropriate for most enterprise tenants; monthly is preferable for organisations in regulated sectors.
External User Lifecycle Management
External users should be managed through a defined lifecycle: invitation → active collaboration → periodic access review → access removal. Each stage has licensing implications:
- Invitation: At the point of invitation, verify whether the external user has a qualifying M365 licence (if their email domain is a known M365 tenant domain, they likely do; if it is a personal domain or an ISP, they likely do not and will require a licence from you).
- Active collaboration: Monitor guest account activity through Entra ID sign-in logs. Guests who have not signed in for 90+ days are candidates for immediate access review — either they no longer need access, or they are inactive accounts creating a potential security exposure.
- Access review: Implement formal periodic review (quarterly minimum). Use Entra P2 Access Reviews if available; otherwise implement a manual process with team owners.
- Access removal: When access is no longer needed, disable and then delete the guest account. Disabled accounts retain their directory entry and can be re-enabled if access is needed again without going through the full invitation process.
External User Licensing and Governance Review
If your organisation has never conducted a systematic external user licensing audit, you likely have both unlicensed access creating compliance exposure and stale guest accounts creating security risk. An independent review identifies both issues and establishes the governance process to prevent recurrence.
Guest Access Audit
Independent audit of your external user estate — identifying unlicensed guests, stale accounts, and governance gaps that create licensing compliance risk.
Request AuditM365 Governance Advisory
We design and implement a licensing governance framework that includes external users, reducing ongoing compliance exposure.
Learn MoreM365 Licensing Guide
Download our Microsoft 365 licensing framework — including the external user right-sizing and governance methodology.
Download GuideExternal User Licensing in Specific Workloads
Power Platform and External Users
Power Apps and Power Automate flows that are shared with external users create additional licensing considerations. A Power App shared externally (via a guest invitation) requires that the external user has either their own Power Apps licence or a per-app pass assigned by the host tenant. The M365 E3 Power Apps "seeded" licence (limited to Microsoft 365-connected scenarios) does not extend to external users accessing your custom Power Apps.
This is a frequently overlooked licensing gap in organisations that build internal process applications on Power Platform and then share them with partner organisations or contractors. The Power Platform licensing guide covers this in detail, but the key principle is: external access to custom Power Apps requires a Power Apps licence, and the host organisation bears that cost if the external user does not have their own qualifying licence.
Dynamics 365 and External Users
Dynamics 365 has a separate "Team Member" licence that is designed for read-only or light-use access to Dynamics data. External users who access Dynamics 365 in any capacity — even for basic record viewing — require either a full Dynamics 365 licence or a Team Member licence. There is no Dynamics 365 equivalent of the M365 guest exemption. This is a common source of unlicensed access in organisations that use Dynamics 365 for CRM and share customer records with external partners through Power Apps or Power BI reports connected to Dynamics data.
Frequently Asked Questions
Do Teams guests always need a licence?
Not always. If the guest user has their own qualifying Microsoft 365 subscription that includes Teams, their guest access to your Teams environment is covered by their own licence. The licence obligation applies when the guest has no qualifying licence from their own organisation — in that case, you must provide them with an M365 licence (typically Business Basic at minimum) to cover their access.
How many guest users can we have in Entra ID?
There is no hard cap on the number of guest users in an Entra ID tenant. Microsoft allows guest users up to the tenant's overall directory size limits (which are very large). The practical constraint is not quantity but licensing compliance — ensuring that guests either have their own qualifying licences or are licensed by you.
Does SharePoint anonymous link sharing require a licence?
No. Anonymous link recipients access documents without authenticating — they are not Entra ID users and require no licence from either party. The governance and security risks of anonymous links are real (loss of audit trail, no ability to revoke access from a specific individual), but these are governance concerns rather than licensing obligations.
What is the cheapest way to licence external users who have no M365 subscription?
Microsoft 365 Business Basic (~£4.60/user/month) is the cheapest M365 licence that provides Teams access, which covers the most common external user collaboration scenario. If the external user needs SharePoint access as well, Business Basic covers that too. If they need desktop Office applications or advanced compliance features, a higher tier is required. Assign the minimum tier that covers the actual access requirement — do not over-licence external users by default.