We have a Test Azure Active Directory which we have created to manage our external users.
We have noticed that when we add a native user to the active directory, that they can login to the Azure Portal. They have an organizational role of user.
https://portal.azure.com
We didn't expect that when they log into the portal that they have the permission's to create new users and groups. And that they can see all of the other users within the active directory.
We have seen that he pattern put forward to deal with external user's is B2B. If we want to add a corporate user email then the process seems to be that this will create a Microsoft account to facilitate their login. We have read that Corporate Admin's should be careful about using their corporate email address for Microsoft accounts because it could cause issues later if they wanted to use AAD.
We thought giving them a native account in the AAD was a viable alternative but not if we can't control their access rights. We really don't want them to be able to see other users and perform any actions within the AAD.