Palo Alto Networks’ Cloud Identity Engine now supports Entra B2B external user authentication, unlocking secure access for partners, vendors, and external collaborators. This enhancement allows organizations to apply Zero Trust policies across both internal and external users, ensuring seamless, policy-driven access without compromising security.
Today’s interconnected business environments demand secure access for external parties, whether they’re partners, suppliers, or clients. Entra B2B, a solution in Microsoft Entra ID, simplifies this by allowing users from outside organizations to access resources using their own credentials. Cloud Identity Engine’s support for Entra B2B now extends this secure, flexible access, providing a seamless experience for external users while preserving strong access controls.
With the latest enhancement, Palo Alto Networks Cloud Identity Engine now enables secure Entra B2B external user authentication. This addition lets organizations integrate external Entra B2B identities within a unified Zero Trust security model, streamlining secure collaboration with partners and vendors while ensuring fine-grained access control.
With this enhancement, Cloud Identity Engine delivers:
These capabilities collectively enable Cloud Identity Engine to streamline external user access, enhance control through centralized policies, and maintain security across diverse user environments, including those involving dynamic roles or heightened security needs.
You can read more about how Entra B2B works here.
New and existing customers can begin leveraging Entra B2B support in Cloud Identity Engine immediately with straightforward setup steps.
You can follow this video or the steps provided below:
Guest users will appear in the Cloud Identity Engine with the naming format: userName_externalDomain.com#EXT#@internalDomain.com
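The naming format above can be split back into the external user, the external domain and the internal domain, which makes it possible to review guest accounts against a list of approved partner domains. The following is an added example, not code from Palo Alto Networks or Microsoft; the sample names and the approved-domain list are constructed, and it assumes the external user name may itself contain underscores, so the split is made on the last one.

```python
import re
from collections import defaultdict

# Format from the text: userName_externalDomain.com#EXT#@internalDomain.com
GUEST_RE = re.compile(r"^(?P<mangled>[^@]+)#EXT#@(?P<tenant>[^@\s]+)$", re.IGNORECASE)

def parse_guest(name):
    """Return (external_user, external_domain, internal_domain) or None."""
    m = GUEST_RE.match(name.strip())
    if not m:
        return None
    # Assumption: the user part may contain "_", but hostname labels do not
    # allow "_", so the LAST underscore separates user from external domain.
    user, sep, domain = m.group("mangled").rpartition("_")
    if not sep or not user or "." not in domain:
        return None
    return user, domain.lower(), m.group("tenant").lower()

def review_guests(names, approved_domains):
    """Group guests by external domain; list unapproved and malformed names."""
    approved = {d.lower() for d in approved_domains}
    by_domain, unapproved, malformed = defaultdict(list), [], []
    for name in names:
        if "#EXT#" not in name.upper():
            continue  # internal account, not a guest
        parsed = parse_guest(name)
        if parsed is None:
            malformed.append(name)  # carries the marker but not the format
            continue
        user, domain, _tenant = parsed
        by_domain[domain].append(user)
        if domain not in approved:
            unapproved.append(name)
    return dict(by_domain), unapproved, malformed

# Constructed sample directory export (not real accounts).
SAMPLE = [
    "alice_partner.example#EXT#@corp.example",
    "bob_smith_vendor.example#EXT#@corp.example",
    "carol@corp.example",
    "mallory_unknown.example#EXT#@corp.example",
    "broken#EXT#@corp.example",
]

if __name__ == "__main__":
    groups, unapproved, malformed = review_guests(
        SAMPLE, ["partner.example", "vendor.example"])
    print(groups, unapproved, malformed, sep="\n")
```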
Guest users’ attributes and group membership will also be shared with Cloud Identity Engine. Guest users and their attributes can be used in Cloud Dynamic User Groups for:
1. Risky User Groups
Integrating Entra B2B guest users into Risky User Groups enhances security by enabling dynamic responses to potentially malicious behavior or compromised accounts. For example, external users flagged for suspicious activity, such as multiple failed login attempts or accessing resources outside their usual context, can be automatically grouped and subjected to stricter policies, such as requiring additional MFA or blocking access entirely. By leveraging Entra ID’s security insights alongside Cloud Identity Engine’s risky user groups, organizations can preemptively mitigate risks posed by external collaborators while maintaining productivity.
2. Attribute-Based Groups
Entra B2B users can be seamlessly integrated into Attribute-Based Groups, enabling highly granular access controls based on user attributes such as guest, department, and role. This ensures that external collaborators receive access only to the resources relevant to their specific needs. For instance, a guest supplier tagged with a “Finance” role in Entra ID can be automatically granted access only to financial systems and data, avoiding over-permissioning. This alignment of attributes across platforms helps enforce least-privilege principles, minimizing the attack surface while maintaining operational efficiency.
3. On-Demand Assignment Groups
With Entra B2B support in On-Demand Assignment Groups, organizations can provide time-bound, purpose-specific access to external users, ensuring they only interact with resources for as long as necessary. For example, a guest developer collaborating on a project can be granted temporary access to a test environment, with access revoked automatically after the defined period. This approach minimizes the risk of lingering permissions and unauthorized access while supporting dynamic collaboration needs.