
Microsoft Entra Connected Organizations: Getting External Access Under Control

Every IT team knows the struggle: a supplier needs SharePoint access, a consulting firm needs to join a Teams workspace, or a subsidiary wants to log into an internal app. What usually happens? Someone invites an external user as a guest, gives them access, and moves on. Fast forward a year — nobody remembers who invited them, what they have access to, or whether they still work for the partner.

Multiply that by dozens of partners and you’ve got a serious security and compliance headache.

Microsoft Entra Connected Organizations was designed to fix exactly this. Instead of managing guests one by one, you define an external company once as a Connected Organization. From there, you can manage how their users request access, enforce Conditional Access, and apply lifecycle governance such as approvals, expirations, and reviews.


What Exactly is a Connected Organization?

A Connected Organization is an object in Microsoft Entra that represents an external entity (another Entra tenant or domain). Think of it as a “container” for partner users.

  • Configured organizations – Created and approved by admins. These are trusted and eligible for access packages.
  • Proposed organizations – Auto-created when a policy that is open to all external users receives a request from a domain or tenant that is not yet configured. They do nothing until an admin promotes them to “configured.”

Every Connected Org also has sponsors — contacts (internal or external) who are accountable for that relationship. Sponsors get involved during access reviews and help validate whether users from that partner should continue to have access.

This combination of “container + sponsor + governance” makes Connected Organizations far more scalable than ad-hoc guest invites.


Why They Matter

Without Connected Organizations, external collaboration looks like:

  • Dozens of guest accounts scattered across your directory.
  • Inconsistent MFA and security enforcement.
  • No clear owners for partner access.
  • Difficult audit trails.

With Connected Organizations, you get:

  • Consistency – All partner users flow through the same governance controls.
  • Scalability – Define the org once, manage hundreds of users.
  • Compliance – Expirations, reviews, approvals, and audit logs included.
  • Better experience – Partner employees sign in with their home credentials.

It’s a shift from managing users to managing organizations.


The Correct Design Flow

One mistake is creating a Connected Organization first, only to realize there’s nothing for its users to request. The right design sequence is:

  1. Catalog – Container for resources.
  2. Resources – Groups, Teams, SharePoint sites, apps.
  3. Access Package – Bundle of resources to grant.
  4. Assignment Policy – Rules for who can request (including external users).
  5. Connected Organization – Defines which external tenant(s) are eligible.
  6. Conditional Access – Secures how they sign in.
  7. Lifecycle Governance – Expirations, reviews, automatic removal.

This ensures there’s always a complete flow from “what they need” → “who can ask” → “how they authenticate.”


Step-by-Step Walkthrough

Step 1: Create a Catalog

Start in Identity Governance → Catalogs. Create one specifically for partner access, e.g., Supplier Collaboration Catalog. Keep external catalogs separate from internal for easier reporting.

+ New catalog → provide a Name and Description → set “Enabled for external users” to Yes. Without that switch, users outside your directory cannot see or request any package in the catalog.

You will see the New Catalog in the list.

Step 2: Add Resources

Add the apps, groups, or sites partners will need. Common choices: SharePoint project sites, Microsoft Teams groups, or line-of-business apps.

Select the newly created Catalog → Resources → Add Resources

On the Add resources pane, pick the resource type (Groups and Teams, Applications, SharePoint sites, or Microsoft Entra roles) and the items to add. For this demo a group and a Microsoft Entra role go into the catalog; the role each requester receives (Member, Owner, and so on) is chosen later, in the access package.

After adding your Resources, the catalog will look as follows:

Step 3: Create an Access Package

Bundle those resources into an access package, e.g., “ThatLazyAdmin Consulting Services.” Keep the scope narrow — least privilege is the goal.

Start in Identity Governance → Access packages → + New Access package

Provide the following information for the access package Name → Description → Select the New Created Catalog.

On the Resource roles tab, click + Add resource roles. For this demo I will select the following:

  • Select Group > set the group role to “Member”
  • Select Entra role (Global Reader) > set the role to “Active member”

A word of caution on that second line: Global Reader is a directory-wide role that lets the partner read every user, group, device and most configuration in your tenant. It is included here only so the test at the end can prove the assignment worked. A real partner package should stop at group or site membership, and if a directory role is unavoidable, use “Eligible member” so it has to be activated through PIM rather than standing active for the whole assignment.

Step 4: Configure an Assignment Policy

In the Requests section, complete the following:

  • Users who can request access: select “Users not in your directory”
  • Select “Specific connected organizations”, then click “Add directories”

Step 5: Define the Connected Organization

  • Type the partner's domain (ThatLazyAdmin.com in this demo); because no connected organization exists for it yet, you will get another option, “+ Add connected organization”.

You will be presented with the Add connected organization page. Complete the Basics (a display name and description for the partner).

On the Directory + domain section, add the partner domain as above.

On the Sponsors section, provide the internal sponsors (people in your tenant accountable for this partner). You can optionally add external sponsors from the partner side as well; both groups can later act as approvers and reviewers.

Click Next: Review + create > Create.

Back on the access package page you will now see the connected organization listed under Specific connected organizations.

Now let's continue with the Approval section. For the demo it is configured as follows:

  • Require approval > No (demo only; for a real partner set this to Yes and make the internal sponsors the approvers, so every request is decided by someone who knows the relationship)
    • Email notifications – Disable assignment emails > No

In the Enable section, select the following:

  • Enable new requests > Yes

The Requestor information section can be left blank; continue to Lifecycle.

Step 6: Govern the Lifecycle

External access should never be “forever.”

  • Set expiration dates (30–90 days is a sensible default; this demo uses 365 days).
  • Configure access reviews for owners to re-attest need. (Optional)
  • Require re-approval for renewals. (Optional)
  • Monitor audit logs for activity and policy compliance.

In the Lifecycle section you choose how long an assignment lasts before it expires. For this demo:

  • Expiration > Number of days > 365

Click Review + create.

The partner will request access through the URL shown under “My Access portal link”. That link is specific to this access package, so it can be shared with the partner without exposing anything else in the catalog.
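Steps 1 to 6 above are the portal route. The same chain can be scripted against the Microsoft Graph v1.0 entitlement management API, which is how you would stamp out one package per partner repeatably. The block below is an added example, not code from the original post, and uses the Microsoft.Graph.Authentication module. The partner domain, sponsor UPN and group name are assumed placeholders. It deliberately uses the settings the post recommends rather than the demo values: only the group Member role (no directory role), sponsor approval switched on, and a 90-day expiry. Note that the API needs the connected organization to exist before the policy can reference it, so the order of Steps 4 and 5 is swapped compared with the wizard, which creates the organization inline.

```powershell
# Added example (not from the original post): builds catalog -> group resource ->
# access package -> connected org + sponsor -> policy through Microsoft Graph v1.0.
# Values below are assumptions; replace them for your tenant.
#Requires -Modules Microsoft.Graph.Authentication

$PartnerDomain = 'thatlazyadmin.com'        # partner's verified domain (assumed)
$SponsorUpn    = 'sponsor@contoso.com'      # internal sponsor in your tenant (assumed)
$GroupName     = 'Supplier Collaboration'   # existing group to expose (assumed)
$Base          = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement'

Connect-MgGraph -NoWelcome -Scopes 'EntitlementManagement.ReadWrite.All',
    'Group.Read.All', 'User.Read.All', 'Organization.Read.All'

function Invoke-EmRequest {
    param([string]$Method, [string]$Uri, [hashtable]$Body)
    # Thin wrapper: every call is a Graph request, writes carry a JSON body.
    $params = @{ Method = $Method; Uri = $Uri }
    if ($Body) { $params.Body = $Body; $params.ContentType = 'application/json' }
    Invoke-MgGraphRequest @params
}

# Step 1: a catalog that external users are allowed to see.
$catalog = Invoke-EmRequest POST "$Base/catalogs" @{
    displayName         = 'Supplier Collaboration Catalog'
    description         = 'Partner-facing resources only'
    isExternallyVisible = $true
}

# Step 2: add the group to the catalog, then find its Member role (not Owner).
$groupId = (Invoke-EmRequest GET "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$GroupName'").value[0].id
Invoke-EmRequest POST "$Base/resourceRequests" @{
    requestType = 'adminAdd'
    catalog     = @{ id = $catalog.id }
    resource    = @{ originId = $groupId; originSystem = 'AadGroup' }
} | Out-Null
$resource   = (Invoke-EmRequest GET "$Base/catalogs/$($catalog.id)/resources?`$filter=originId eq '$groupId'").value[0]
$roles      = (Invoke-EmRequest GET "$Base/catalogs/$($catalog.id)/resourceRoles?`$filter=originSystem eq 'AadGroup' and resource/id eq '$($resource.id)'").value
$memberRole = $roles | Where-Object { $_.displayName -eq 'Member' }

# Step 3: an access package that contains only that one role.
$package = Invoke-EmRequest POST "$Base/accessPackages" @{
    displayName = 'ThatLazyAdmin Consulting Services'
    description = "Member of $GroupName"
    catalog     = @{ id = $catalog.id }
}
Invoke-EmRequest POST "$Base/accessPackages/$($package.id)/resourceRoleScopes" @{
    role  = @{ originId = $memberRole.originId; originSystem = 'AadGroup'; resource = @{ id = $resource.id } }
    scope = @{ originId = $groupId; originSystem = 'AadGroup' }
} | Out-Null

# Step 5 (before Step 4): the policy needs the connected organization's id.
$org = Invoke-EmRequest POST "$Base/connectedOrganizations" @{
    displayName     = 'ThatLazyAdmin'
    description     = 'Consulting partner'
    state           = 'configured'
    identitySources = @(@{ '@odata.type' = '#microsoft.graph.domainIdentitySource'
                           domainName = $PartnerDomain; displayName = $PartnerDomain })
}
$sponsorId = (Invoke-EmRequest GET "https://graph.microsoft.com/v1.0/users/$SponsorUpn").id
Invoke-EmRequest POST "$Base/connectedOrganizations/$($org.id)/internalSponsors/`$ref" @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/users/$sponsorId"
} | Out-Null

# Steps 4 and 6: one partner only, sponsor approval, assignments expire after 90 days.
Invoke-EmRequest POST "$Base/assignmentPolicies" @{
    displayName            = 'ThatLazyAdmin partner self-service'
    description            = 'Only members of the ThatLazyAdmin connected organization may request'
    accessPackage          = @{ id = $package.id }
    allowedTargetScope     = 'specificConnectedOrganizationSubjects'
    specificAllowedTargets = @(@{ '@odata.type' = '#microsoft.graph.connectedOrganizationMembers'
                                  id = $org.id; description = $org.displayName })
    expiration             = @{ type = 'afterDuration'; duration = 'P90D' }   # ISO 8601 duration
    requestorSettings      = @{ enableTargetsToSelfAddAccess    = $true
                                enableTargetsToSelfUpdateAccess = $false
                                enableTargetsToSelfRemoveAccess = $true
                                allowCustomAssignmentSchedule   = $false }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd    = $true     # the post's demo uses No; keep Yes outside a lab
        isApprovalRequiredForUpdate = $false
        stages = @(@{ durationBeforeAutomaticDenial   = 'P14D'
                      isApproverJustificationRequired = $true
                      primaryApprovers = @(@{ '@odata.type' = '#microsoft.graph.internalSponsors' }) })
    }
} | Out-Null

# The My Access link to hand to the partner, in the same shape the post shows.
$initialDomain = ((Invoke-EmRequest GET 'https://graph.microsoft.com/v1.0/organization').value[0].verifiedDomains |
    Where-Object { $_.isInitial }).name
"https://myaccess.microsoft.com/@$initialDomain#/access-packages/$($package.id)"
```

The approver type internalSponsors ties approvals to the sponsors defined on the connected organization, so changing who sponsors the partner automatically changes who approves its requests. Run this with an account that holds the Identity Governance Administrator role; the consent prompt will ask for the scopes listed on the Connect-MgGraph line.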

Step 7: Apply Conditional Access

Entitlement Management controls what they get. Conditional Access controls how they sign in.

Best practices:

  • Require MFA for all external access, excluding only your emergency-access (break-glass) accounts.
  • Block legacy authentication for external identities; legacy protocols cannot satisfy an MFA grant.
  • For sensitive workloads, require compliant or Microsoft Entra hybrid joined devices. For partner devices this only works if you trust the partner tenant's compliance claims under External Identities → Cross-tenant access settings → Inbound access → Trust settings; without that trust, every partner sign-in is simply blocked.
  • Scope policies to the partner tenants you actually collaborate with. Conditional Access cannot target a Connected Organization directly, but it can target B2B guests and members from specific external Microsoft Entra organizations, which is the same population; don't lump all guests together.
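The two policies that cover the first, second and fourth bullets, created through the Microsoft Graph v1.0 Conditional Access API. This is an added example, not the post's own configuration; the partner tenant ID and the break-glass exclusion group are assumed placeholders. Both policies start in report-only mode so you can check the sign-in log before enforcing them.

```powershell
# Added example (not from the original post): report-only Conditional Access
# policies for external users, scoped to one partner tenant where that matters.
# The tenant ID and group ID are placeholders (assumptions); replace them.
#Requires -Modules Microsoft.Graph.Authentication

$PartnerTenantId   = '00000000-0000-0000-0000-000000000000'  # partner's Entra tenant ID (assumed)
$BreakGlassGroupId = '11111111-1111-1111-1111-111111111111'  # emergency-access accounts (assumed)

Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

function New-ExternalCaPolicy {
    param([string]$DisplayName, [hashtable]$Conditions, [hashtable]$GrantControls)
    # Every policy is created in report-only state; flip to 'enabled' once the
    # sign-in log shows it would only have hit the users you expect.
    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $body `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
}

# Users from exactly one external tenant: B2B collaboration guests and members
# whose home tenant is the partner. This is the Conditional Access equivalent of
# the Connected Organization, since the org's identity source is that tenant.
$partnerUsers = @{
    includeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember'
        externalTenants = @{
            '@odata.type'  = '#microsoft.graph.conditionalAccessEnumeratedExternalTenants'
            membershipKind = 'enumerated'
            members        = @($PartnerTenantId)
        }
    }
    excludeGroups = @($BreakGlassGroupId)
}

# Policy 1: MFA for the partner's users on every cloud app, browser and modern clients.
New-ExternalCaPolicy -DisplayName 'CA-Partner-ThatLazyAdmin-RequireMFA' -Conditions @{
    users          = $partnerUsers
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
} -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') } | Out-Null

# Policy 2: block legacy authentication for every kind of external user, from any tenant.
New-ExternalCaPolicy -DisplayName 'CA-External-BlockLegacyAuth' -Conditions @{
    users = @{
        includeGuestsOrExternalUsers = @{
            guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider'
            externalTenants = @{ '@odata.type' = '#microsoft.graph.conditionalAccessAllExternalTenants'; membershipKind = 'all' }
        }
        excludeGroups = @($BreakGlassGroupId)
    }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('exchangeActiveSync', 'other')   # the legacy-auth client types
} -GrantControls @{ operator = 'OR'; builtInControls = @('block') } | Out-Null
```

The MFA policy is keyed on the partner's tenant ID rather than on the domain name used in the Connected Organization, so find the ID first (the partner can read it from Entra ID → Overview, or you can look it up from the domain with the tenant-information endpoint). If you later trust the partner's MFA claims in cross-tenant access settings, policy 1 will be satisfied by the MFA their users already performed at home and the double Authenticator registration described in the test below goes away.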

Testing access to the customer tenant from the partner (Connected Organization) ThatLazyAdmin.com

From the access package page, copy the My Access link; that link is what you share with the vendor/partner. Once the partner opens it they will see the following.

The link has this shape (the tenant name is the customer tenant, the GUID is the access package): https://myaccess.microsoft.com/@cloudlapsforall.onmicrosoft.com#/access-packages/ac1db7c3-d1ee-43cc-a3ae-ce5a62495919

Once the Partner / vendor signs in they will see the following:

  • Click Continue
  • Provide Business Justification as follows:
  • Accept the Consent form and click submit request as follows:

After completing the above and waiting a minute or two, the customer tenant's Conditional Access policy prompted me for Microsoft Authenticator registration. That prompt appears because the customer tenant does not trust the MFA the user already performed in the partner tenant; if the customer trusts the partner's MFA claims under Cross-tenant access settings → Inbound access → Trust settings, partner users are not asked to register a second time.

Complete the MFA setup process on the Authenticator App.

Once completed you are redirected back to the My Access portal, which lists the access packages you are eligible for. You will now notice that you have an active assignment.

On the active assignment you will notice that the end date is 365 days out. The clock starts when the assignment is delivered, not when the access package was created, so each partner user gets their own expiry date.

Now, let's check whether we can see the customer's Entra directory, since the package included the Global Reader role. Go to https://Entra.microsoft.com, click your profile picture and select Switch directory.

Select the customer's tenant from the list. If you have multiple customers you will see multiple tenants; if not, you will only see the new one.

Select Switch next to the customer's directory name.

If you head over to Users in Entra you will now see the customer's users: the Global Reader role assigned through the access package is live, which is exactly why that role should not be in a production partner package.

Compliance and Audit Benefits

Connected Organizations are not just an IT convenience. They address a real compliance gap: unmanaged external access.

For audits, you can now show:

  • Which partner orgs have access.
  • Who sponsored the relationship.
  • Which users were approved, by whom, and when.
  • When access will expire or be reviewed.

That turns “shadow IT guest accounts” into a governed, auditable process that satisfies regulators and aligns with Zero Trust.
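Pulling that evidence out of the portal by hand does not scale past a couple of partners. The block below is an added example, not something from the original post: it reads the configured Connected Organizations, their internal sponsors and every delivered assignment through Microsoft Graph v1.0 and writes one row per partner user with the package and expiry date. It matches assignments to partners by the e-mail domain of the subject against the organization's domain identity sources, which is this script's assumption; an organization defined only by tenant ID, or a guest from a domain nobody configured, shows up as UNMATCHED, and those rows are the "shadow guest" cases worth chasing.

```powershell
# Added example (not from the original post): partner-access evidence report.
# Matching by e-mail domain is an assumption of this script; rows that do not
# match any configured organization are flagged rather than dropped.
#Requires -Modules Microsoft.Graph.Authentication

$Base = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement'
Connect-MgGraph -NoWelcome -Scopes 'EntitlementManagement.Read.All', 'Organization.Read.All'

function Get-EmCollection {
    param([string]$Uri)
    # Follow @odata.nextLink so the report is not silently cut at the first page.
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# Your own verified domains: anything else is an external identity.
$ownDomains = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/organization').value[0].verifiedDomains |
    ForEach-Object { $_.name.ToLower() }

# Configured partner orgs, the domains that identify them, and who sponsors each.
$orgByDomain   = @{}
$sponsorsByOrg = @{}
foreach ($org in Get-EmCollection "$Base/connectedOrganizations?`$filter=state eq 'configured'") {
    foreach ($src in $org.identitySources) {
        if ($src.domainName) { $orgByDomain[$src.domainName.ToLower()] = $org }
    }
    $sponsorsByOrg[$org.id] = (Get-EmCollection "$Base/connectedOrganizations/$($org.id)/internalSponsors" |
        ForEach-Object { $_.userPrincipalName }) -join '; '
}

# Every delivered assignment, with the subject and package expanded in one call.
$assignments = Get-EmCollection "$Base/assignments?`$filter=state eq 'delivered'&`$expand=target,accessPackage"

$report = foreach ($a in $assignments) {
    $email = $a.target.email
    if (-not $email) { continue }                     # subjects without e-mail (e.g. service principals)
    $domain = ($email -split '@')[-1].ToLower()
    if ($domain -in $ownDomains) { continue }         # internal user, not partner access
    $org = $orgByDomain[$domain]
    $end = $a.schedule.expiration.endDateTime
    [pscustomobject]@{
        PartnerOrg    = if ($org) { $org.displayName } else { "UNMATCHED ($domain)" }
        Sponsors      = if ($org) { $sponsorsByOrg[$org.id] } else { '' }
        User          = $email
        AccessPackage = $a.accessPackage.displayName
        Granted       = $a.schedule.startDateTime
        Expires       = $end
        DaysLeft      = if ($end) { [int]([datetime]$end - (Get-Date)).TotalDays } else { 'never' }
    }
}

$report | Sort-Object Expires | Format-Table -AutoSize
$report | Export-Csv -Path .\partner-access-report.csv -NoTypeInformation
```

A DaysLeft of "never" means the policy that granted the assignment has no expiration, which contradicts the "external access should never be forever" rule above and is worth fixing at the policy. Who approved each request and when is not on the assignment object; that history sits in the Entra audit log under the Entitlement Management service (and on the assignment request itself), so pair this report with an audit-log export when auditors ask for the approval trail.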


Real-World Example

Let’s say your logistics team works with Cloud Contractors:

  1. Create a “Logistics Collaboration” catalog.
  2. Add the SharePoint and Teams resources.
  3. Build an access package granting access to those resources.
  4. Add a policy allowing “users not in your directory” scoped to Cloud Contractors.
  5. Create Cloud Contractors as a Connected Org with sponsors.
  6. Apply a Conditional Access policy requiring MFA and blocking legacy auth.
  7. Set the package to expire after 90 days with mandatory re-approval.

Now Cloud Contractors employees can self-request via the My Access portal, requests route to the sponsors for approval, and stale access is removed on schedule.


Best Practices

  • Keep partner catalogs separate from internal ones.
  • Use specific Connected Organizations in each policy instead of “All configured connected organizations”, so a package for one partner can never be requested by another.
  • Always require MFA (and consider compliant devices).
  • Set expiration and re-approval for all external access.
  • Review sponsors and approvers quarterly.
  • Use access reviews to keep auditors happy.

Final Thoughts

Connected Organizations are easy to overlook, but they solve one of the biggest blind spots in modern IT: unmanaged guest access.

They let you scale partner collaboration while keeping tight control through Entitlement Management, Conditional Access, and lifecycle reviews.

If you’re still manually inviting partners or leaving guest accounts unmanaged, it’s time to modernize. Connected Organizations aren’t just a convenience — they close a security and compliance gap that auditors love to spotlight.


About Me

I’m Shaun Hardneck, a Microsoft 365 & Azure Security Specialist and the author of ThatLazyAdmin.com. I share practical, real-world guidance on Microsoft cloud technologies to help IT teams secure and modernize their environments.
