Entra ID – Convert external users to internal (Preview)

Prologue

Mergers, acquisitions, and reorganizations can create a tangled web of user accounts. Imagine acquiring a company where some employees collaborate with your team using external guest accounts. Integrating them fully requires converting them to internal users – a process that can be disruptive and time-consuming if done incorrectly.

The Solution: External User Conversion

External user conversion offers a seamless approach to integrating external collaborators into your organization’s internal user base. Here’s how it empowers a smooth transition:

  • Simplified User Management: No need to delete and recreate user accounts. Conversion leverages existing user objects, minimizing administrative burden and potential errors.
  • Uninterrupted Access: Users retain their existing accounts and access levels, avoiding disruptions to ongoing work.
  • Preserved History: Conversion seamlessly integrates a user’s activity history, ensuring a complete record of their contributions.
  • Enhanced Collaboration: Converted users become full-fledged internal members, fostering deeper collaboration and knowledge sharing across the newly combined teams.

External User Conversion Guide

Understanding User Types

| Term | Description | Impact on Conversion |
| --- | --- | --- |
| Internal User | Authenticates with the local tenant’s credentials. | Not eligible for conversion (already internal). |
| External User | Authenticates with a method not managed by your organization (e.g., another company’s Entra ID, Google federation). | Eligible for conversion if configured as member or guest. |
| User Type (Member vs Guest) | Defines permission level within your tenant. | Does not affect conversion eligibility, only permissions after conversion. |

Converting users

Open your user in the Entra ID portal at https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers/menuId/ and choose B2B collaboration, then Convert to Internal.

When you are choosing the new username, the local part of a User Principal Name must be between 1 and 64 characters.

Conversion Process Breakdown

| User Type | Conversion Steps | Notes |
| --- | --- | --- |
| Cloud User | Specify Username (UPN) and set Password | User can authenticate directly with your tenant after conversion. |
| Synced User (On-Premises Managed) | Conversion only (no UPN or password options) | User authentication remains on-premises (no change). |
| Synced User (Federated Authentication) | PHS Enabled: Conversion only (no password option). No PHS: Administrators have the option to set a password. | Password cannot be changed during conversion due to PHS. User authentication remains federated. |
| Managed Tenant User | Specify Password | User can authenticate directly with your tenant after conversion. |
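
The following added example, which is not code from the original post or from Microsoft, encodes the breakdown table and the 1 to 64 character UPN rule as a pre-flight check that builds the request for the MS Graph conversion call without sending it. The Graph beta action name and body fields, the row labels in `OPTIONS` and the sample values are assumptions that do not appear on this page.

```python
# Added example: pre-flight check for a conversion request. Nothing is sent.
# Assumption: Microsoft Graph beta action name and body fields (not on the page).
GRAPH_ACTION = "/beta/users/{id}/convertExternalToInternalMemberUser"

# Hypothetical labels for the rows of the Conversion Process Breakdown table.
# Each option is "required", "optional" or "none", as the table describes it.
OPTIONS = {
    "cloud":                   {"upn": "required", "password": "required"},
    "synced_managed":          {"upn": "none",     "password": "none"},
    "synced_federated_phs":    {"upn": "none",     "password": "none"},
    "synced_federated_no_phs": {"upn": "none",     "password": "optional"},
    "managed_tenant":          {"upn": "none",     "password": "required"},
}


def check_upn(upn):
    """Return the UPN if its local part is 1 to 64 characters, else raise."""
    local, sep, domain = upn.rpartition("@")
    if not sep or not domain:
        raise ValueError("UPN must look like local@domain")
    if not 1 <= len(local) <= 64:
        raise ValueError("UPN local part must be 1 to 64 characters")
    return upn


def build_conversion_request(user_id, kind, upn=None, password=None):
    """Return (path, body) for the conversion call, enforcing the table's rules."""
    rules = OPTIONS[kind]
    for name, value in (("upn", upn), ("password", password)):
        if rules[name] == "none" and value is not None:
            raise ValueError(f"{name} cannot be set for a {kind} user")
        if rules[name] == "required" and value is None:
            raise ValueError(f"{name} is required for a {kind} user")
    body = {}
    if upn is not None:
        body["userPrincipalName"] = check_upn(upn)
    if password is not None:
        # Treat the admin-set password as temporary: force a change at next sign-in.
        body["passwordProfile"] = {
            "password": password,
            "forceChangePasswordNextSignIn": True,
        }
    return GRAPH_ACTION.format(id=user_id), body


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    print(build_conversion_request("00000000-0000-0000-0000-000000000000",
                                   "cloud", "jane.doe@contoso.example", "Temp-Passw0rd!"))
```

Rejecting a password for a synced user before the call is made keeps a batch script from silently assuming it reset credentials that remain controlled on-premises or by the federated identity provider.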

Important Considerations

  • Use test accounts to avoid impacting production users during conversion testing.
  • Only users with the User Administrator role can convert external users.
  • Users must be configured with an external authentication method to be eligible for conversion.

Additional Resources

Microsoft documentation for details on specific conversion methods (Entra ID Portal or MS Graph API) can be found through relevant Microsoft support channels.

Other enhancements have also been made. These include:

  • Preloaded scrolling so that you no longer have to select ‘Load more’ to view more users
  • More user properties can be added as columns including city, country/region, employee ID, employee type, and external user state
  • More user properties can be filtered on including custom security attributes, on-premises extension attributes, and manager
  • More ways to customize your view, like using drag-and-drop to reorder columns
  • Copy and share your customized All Users view with others
  • An enhanced User Profile experience that gives you quick insights about a user and lets you view and edit more properties

Note: they aren’t available to B2C tenants.

See more from Learn

Closure

A small feature, but a big difference for organizations. External user conversion goes beyond streamlining administrative tasks. It fosters a sense of inclusion for newly integrated employees. They retain their familiar login credentials and access history, reducing friction during the onboarding process. This fosters a smoother transition and a more positive experience for your new team members.

Author: Harri Jaakkonen