![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 97%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Managing external identities to enable secure access for partners, customers, and other non-employees
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 49%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
If you have Entra ID tenant X and Entra External ID tenant Y, you can use "Create new external user" on Y to create a user called ******@x.onmicrosoft.com. But that user is a member of Y (local account) - not a federated one.
If you try and self-register on Y with ******@x.onmicrosoft.com, you will be asked to verify the OTP and enter whatever sign-up attributes are configured but the user has a userType of "Member" and so will be a local account.
The user's identity contains only an email address and a UPN.
The only way to get federation and use tenant X credentials is to create a guest account via email invite.
This is clearly described in the docs:
"Note
The Microsoft Entra ID Sign up option is unavailable because although customers can sign up for a local account using an email from another Microsoft Entra organization, Microsoft Entra federation isn't used to authenticate them. Google and Facebook become available only after you set up federation with them. Learn more about authentication methods and identity providers."
So if the user signs up with ******@x.microsoft.com and uses the same X password, they can still log in, but if they change the X password, that won't be reflected in Y.