Enterprise SSO for external users: centralize logins without Entra or Google licenses
Every company eventually needs to give access to external people: consultants, suppliers, customers, temporary collaborators. Doing it by creating a Microsoft Entra ID or Google Workspace account for each one means paying a license per external user and bringing them into your corporate directory. There is a better way.
The problem: giving external users access costs money and widens risk
Most companies use Entra ID or Google Workspace as the directory for employees. The problem arises when you need to give access to an internal application to someone who is not an employee. The two traditional routes both carry a cost:
- Creating a corporate account (Entra/Google) for each external user: it consumes a paid license and brings the external user into the corporate directory perimeter.
- Managing separate credentials app by app: it multiplies passwords, resets and attack surfaces, with no single control point.
Multiplied by dozens or hundreds of external users, it becomes a significant cost item and a security risk.
LoginMaster as central SSO: a single front door
LoginMaster acts as a central Single Sign-On for the whole organization. It integrates SSO with Microsoft Entra ID and Google Workspace for employees — who keep signing in with the corporate credentials they already use — and at the same time lets you create native "LoginMaster" credentials for everyone else. All from the same tenant console.
- Employees sign in with Entra ID or Google Workspace (SSO).
- External users sign in with a dedicated LoginMaster account.
- Applications see a single identity provider: LoginMaster.
"LoginMaster" accounts for external users, without Entra or Google licenses
This is the key economic point. Creating a LoginMaster account for an external user does not consume a Microsoft Entra ID license (P1/P2) or a Google Workspace mailbox. With per-tenant/project licensing and unlimited users, adding external users does not increase the per-user cost.
| Approach | Cost per external user | Directory exposure |
|---|---|---|
| Entra ID account | Per-user license (P1/P2) | External user enters the corporate directory |
| Google Workspace mailbox | Per-mailbox fee | External user enters the corporate domain |
| LoginMaster account | Included (unlimited users) | External user isolated from the directory |
Secure self-service onboarding, without provisional passwords
Adding a user happens via an email invitation managed from the tenant console. There is no provisional password to share and then force a change — a classic anti-pattern that generates tickets and phishing risk.
- 1The administrator invites the user from the tenant console by entering their email.
- 2The user receives the email and opens the secure link.
- 3They create their own password, which never passes through anyone else.
- 4They enable their own 2FA independently.
Where credentials live: in your tenant, not with third parties
User credentials — external and internal — stay in the LoginMaster tenant installed in the customer datacenter. They are not handed to third-party services, nor to the LoginMaster Cloud, which operates only on encrypted, pseudonymized data.
- External users do not enter the Entra/Google corporate directory.
- Credentials do not end up on a third-party SaaS.
- Not even the LoginMaster vendor can read your users' credentials.
It is the same principle of data sovereignty applied to external-user onboarding.
What changes for the IT department
- A single console for employees (via Entra/Google) and external users (LoginMaster accounts).
- Centralized onboarding and offboarding: revoking an external user is immediate and does not touch the corporate directory.
- No provisional passwords to manage and fewer reset tickets.
- Self-service 2FA with uniform policies across all users.
- Application integration via open standards (SAML, OIDC).
What changes for the CIO
- Cost: external users consume no Entra P1/P2 licenses or Google mailboxes — unlimited users in the LoginMaster model.
- Risk and compliance: the corporate directory does not bloat with external accounts and credentials stay in your own datacenter (GDPR and NIS2 by-design).
- Scalability: adding partners or customers does not change the cost structure.
- Governance: a single access control point for the whole organization.
See the licensing model on the pricing page and compliance details on compliance.
Frequently asked questions
No. A LoginMaster account dedicated to external users consumes no Entra ID (P1/P2) licenses or Google Workspace mailboxes. With per-tenant/project licensing users are unlimited, so adding external users does not increase the per-user cost.
No. The user is invited by email and creates their own password, which never passes through the administrator or any third party. The user also enables their own 2FA in self-service.
No. Credentials stay in the LoginMaster tenant installed in the customer datacenter. They are not handed to third-party services nor to the LoginMaster Cloud, which operates only on encrypted, pseudonymized data.
No. Employees keep signing in with their Microsoft Entra ID or Google Workspace corporate credentials via SSO; the only change is that external users use dedicated LoginMaster accounts, managed from the same console.
Want to see LoginMaster in action?
Request a personalized demo and discover how to manage identities and access securely and compliantly.