Many organizations are building Power Pages to collaborate with external partners, vendors, and contractors who need access to internal systems and data. Microsoft Power Platform supports secure external access through the business-to-business (B2B) collaboration features of Microsoft Entra ID. In this article, we cover how to configure B2B collaboration for external users and how to use Conditional Access to ensure that the right security measures are in place.

Understanding B2B External Collaboration

B2B external collaboration allows organizations to grant external users access to their resources, such as Power Apps, Dataverse, or Power Automate. Vendors, clients, and other stakeholders can then work in the same environment without the organization creating a new account for each external user.

Steps to Configure B2B External Collaboration:

1️⃣ Enable External Sharing:

  • In the Microsoft Entra ID Admin Center, go to External Identities → External collaboration settings.
  • Enable B2B direct connect or B2B invitation (depending on your preference). This will allow external users to access your environment.

2️⃣ Invite External Users:

  • Go to Power Platform Admin Center → Environments → Settings → Users → Invite External Users.
  • Enter the email addresses of the external users. An invitation is sent to each user's Microsoft account or personal email address.

3️⃣ Assign Roles and Permissions:

  • After inviting the external users, assign appropriate roles in Power Platform. Use security roles to define what these users can and cannot access.
  • For example, you can grant external vendors access to specific apps without giving them full admin rights.

Leveraging Conditional Access for External Users

1️⃣ Create a Conditional Access Policy:

  • In the Microsoft Entra ID Admin Center, go to Security → Conditional Access → New Policy.
  • Set conditions like user/group (external users group), cloud apps/actions (Power Apps, Dataverse), and grant controls (require MFA, compliant devices, etc.).

2️⃣ Enforce Location or Device Restrictions:

  • Define location-based access by allowing only certain countries or IP ranges.
  • Enforce device compliance by allowing access only from managed and compliant devices.
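
To confirm that the policies created in the steps above are actually enforced for the external users group, the following added example (not part of the original article) audits policies exported as JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource. The group id, app id, and display names are placeholders; only include conditions and built-in grant controls are evaluated, so exclusions are ignored.

```python
# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects. The ids and display names are placeholders, not real tenant values.
EXTERNAL_GROUP = "00000000-0000-0000-0000-00000000aaaa"  # placeholder group id
POWER_APP = "00000000-0000-0000-0000-00000000bbbb"       # placeholder app id
SAMPLE_POLICIES = [
    {"displayName": "External - require MFA", "state": "enabled",
     "conditions": {"users": {"includeGroups": [EXTERNAL_GROUP]},
                    "applications": {"includeApplications": [POWER_APP]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "External - block untrusted locations",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": [EXTERNAL_GROUP]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def targets(policy, group_id, app_id):
    """True if the policy's include conditions cover the group and the app."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    user_hit = (group_id in users.get("includeGroups", [])
                or {"All", "GuestsOrExternalUsers"} & set(users.get("includeUsers", [])))
    return bool(user_hit) and ("All" in apps or app_id in apps)

def audit(policies, group_id, app_id, required=("mfa", "location-block")):
    """Return (enforced control -> policy names, list of findings)."""
    enforced, findings = {}, []
    for p in policies:
        if not targets(p, group_id, app_id):
            continue
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        if grant.get("operator") == "OR" and len(controls) > 1:
            findings.append(f"{p['displayName']}: controls are alternatives (OR)")
            continue
        for c in controls:
            key = "location-block" if c == "block" and p["conditions"].get("locations") else c
            if p.get("state") == "enabled":
                enforced.setdefault(key, []).append(p["displayName"])
            else:
                findings.append(f"{p['displayName']}: {key} not enforced, state={p.get('state')}")
    findings += [f"no enforced policy applies {r}" for r in required if r not in enforced]
    return enforced, findings

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES, EXTERNAL_GROUP, POWER_APP))
```

On the sample, the MFA policy counts as enforced while the location policy is reported twice: once because it is still in report-only state, and once because no enforced policy supplies the location restriction.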

💡 Practical takeaway

When giving access to contractors or vendors, I recommend creating an “External Users” security role with only the minimum permissions required — and pairing it with location-based Conditional Access policies. It gives them what they need, and keeps your environment secure.

By using B2B collaboration and Conditional Access, you can securely allow external users to access Power Platform solutions while ensuring they comply with your organization’s security policies. This approach provides flexibility and scalability while keeping your data secure.
