External User
An External User in Salesforce is a user account that belongs to someone outside the host organization, such as a customer, partner, supplier, broker, or dealer.
Definition
An External User in Salesforce is a user account that belongs to someone outside the host organization, such as a customer, partner, supplier, broker, or dealer. External users sign in to Experience Cloud sites (help centers, partner portals, customer accounts) using a special category of license built for outside access. They cannot reach Lightning Experience or Salesforce Classic, and they only see the sites they are a member of.
Every external user is tied to a Contact record, and that Contact belongs to an Account. The Account decides whose data the user can touch. Permissions, field visibility, and Setup access are all narrower than for an internal employee user, by design. This split between external and internal users is one of the platform's main security boundaries, and it keeps cost and data exposure under control.
How external users fit into the Salesforce identity model
Internal versus external: the core distinction
Salesforce splits every login into two camps. Internal users are employees, contractors, and consultants who need company data. They sign in at login.salesforce.com or a My Domain URL, and they can open Lightning Experience and Salesforce Classic. External users are the people outside your business: end customers, resellers, brokers, and dealers. They reach only the Experience Cloud sites they belong to, and they never see the internal app. Salesforce documents this as a deliberate choice. External licenses carry stronger privacy and security limits, so they are the right tool when someone needs limited access to a slice of your data. The practical test is simple. If the person works for your company and needs broad CRM access, give them an internal license. If they are a customer or a partner who needs a focused view, give them an external license. Picking the wrong side either overspends on internal seats or exposes more data than an outsider should ever see. Guest visitors who browse a public site without logging in are a third case, and they do not consume an external license at all.
License types you can assign
External users come in several flavors, and the license you pick sets the ceiling on what they can do. External Identity is for high-volume identity and registration with light data access. External Apps suits app-style access without full community features. Customer Community is the high-volume option for self-service customers: cases, public Knowledge, and a narrow set of objects, with no role hierarchy. Customer Community Plus adds reports, sharing through the role hierarchy, and broader record access for customers who need more. Partner Community is the B2B option, with access to Leads, Opportunities, Accounts, and other sales objects so channel partners can work deals. Channel Account licenses are member-based and priced per partner account rather than per person, which fits large partner networks. Salesforce sells some of these as member-based (a fixed pool of named users) and others as login-based (a pool of logins consumed per month). The right choice depends on how often your users actually sign in. Frequent daily users favor member-based; occasional users who log in a few times a year often cost less under login-based.
The Contact and Account link
An external user is never just a User record. It is always paired with a Contact, and that Contact rolls up to an Account. The Contact represents the human being; the User record represents their login and permissions. When you enable a Contact as an external user, Salesforce creates the User record and copies some fields straight from the Contact, like name and email. The Account behind the Contact is what scopes the user's world. For a partner, the Account is the partner company, so the external user can see that company's Leads and Opportunities. For a customer, the Account groups the customer's own records. This is why partner accounts must be enabled before you can create partner users, and why a customer Contact's Account needs an owner with a role before you can create a customer user. Salesforce also supports contactless external users for cases where tracking a Contact adds overhead you do not need, such as huge identity-only populations. For most B2B and B2C portals, though, the Contact stays in the picture and does real work.
Profiles, permission sets, and what they can do
External users get their permissions from a profile, usually a community-specific one like Customer Community User or Partner Community User, often cloned and tightened for a given site. The profile controls object access, field-level security, and page layouts, and it blocks Setup entirely. External users cannot open Setup, cannot see internal-only objects, and cannot view fields that field-level security hides from them. Permission sets layer extra access on top of the profile when a subset of users needs more, which keeps you from cloning a dozen near-identical profiles. The guiding rule Salesforce repeats is that external users should have only the access and abilities their work requires. That means starting from a restrictive baseline and adding access deliberately, not starting broad and trimming later. Field-level security matters more here than almost anywhere else, because a single exposed field on a shared object can leak data to the wrong customer or a competing partner. Treat every object and field you expose to an external profile as a conscious decision, and review those decisions whenever the site's data model changes.
Sharing, roles, and record visibility
Record visibility for external users follows a stricter model than for employees. Customer Community users sit outside the role hierarchy, so they rely on sharing sets and the Account they belong to for access, rather than on a manager-and-report chain. Customer Community Plus and Partner Community users can sit in an external role hierarchy under their Account, which lets a partner manager see records owned by partner users below them. Salesforce notes that fewer external roles perform better, and Account Role Optimization exists to reduce the role count when you have many business accounts. Sharing sets grant access based on the relationship between the user's Contact or Account and the records, which is the common way to open up data to high-volume users. Super User access can be switched on for Partner Community or Customer Community Plus users so a chosen person sees more of their Account's data. One important limit: access granted through sharing sets does not roll up to people above the user in the role hierarchy. Plan visibility from the Account outward, and test it as the external user, not as an admin.
Provisioning, login, and lifecycle
You can create external users one at a time from a Contact, in bulk with Data Loader, or let people self-register on the site. Self-registration has three common shapes: open sign-up where anyone can join, gated sign-up where an admin approves each request, and invitation-only where admins send invites to specific addresses. Login options on an Experience Cloud site include username and password, single sign-on with SAML or OpenID Connect, social sign-on through providers like Google, and passwordless flows. The piece teams forget is the end of the lifecycle. An external user keeps access until someone deactivates them, and there is no automatic expiry tied to a contract or a partner program. Decide your deactivation triggers on day one: contract end, departure from the partner program, or account closure. Track sign-in activity to find dormant users, since a member-based license held by someone who never logs in is wasted spend. A quarterly review that deactivates inactive users and reclaims their licenses keeps both your security surface and your bill in check.
How to create an external user from a Contact
You create an external user by enabling an existing Contact, not by adding a User from scratch. Salesforce builds the User record for you and links it to the Contact. The exact action depends on whether the person is a partner or a customer, and the account behind them must be set up first.
- Prepare the account
For a partner user, enable the related Account as a Partner Account first. For a customer user, make sure the Contact's Account has an owner who is assigned a role. Without this, the enable action is blocked.
- Open the Contact
Find or create the Contact record for the person. In Lightning Experience, open the actions dropdown on the Contact. In Salesforce Classic, use the Manage External User button.
- Enable the user
Choose Enable Partner User or Enable Customer User. Salesforce opens a new User record with the name and email pre-filled from the Contact.
- Assign license, profile, and role
Pick the external license (Customer Community, Customer Community Plus, or Partner Community), select a community profile, and set a role if the license uses the role hierarchy.
- Control the welcome and save
If the site is not live yet, deselect the option to generate a new password and notify the user immediately. Save the record to provision the external user.
The person being enabled. The User record links back to this Contact, and its Account scopes data access.
The external license, such as Customer Community or Partner Community. It sets the upper bound on features and objects.
A community-specific profile that defines object access, field-level security, and the absence of Setup access.
Required for licenses that use the external role hierarchy (Customer Community Plus, Partner Community). Keep the role count low for performance.
- You need Manage External Users, Manage External Users (Limited), or Manage Customer Users permission to enable the user.
- A customer Contact's Account must have an owner assigned to a role, or the Enable Customer User action will not appear.
- Deselect the immediate password email when the site is still in setup, or the user gets a login link to a site that is not ready.
- External users cannot open Lightning Experience or Salesforce Classic, so do not test their access from the internal app.
Prefer this walkthrough as its own page? How to External User in Salesforce, step by step
Trust & references
Cross-checked against the following references.
- When to Use an Internal or External LicenseSalesforce
- Manage External UsersSalesforce
Straight from the source - Salesforce's reference material on External User.
- Create Experience Cloud Site UsersSalesforce
- Learn More About Experience Cloud LicensesSalesforce
Hands-on resources to go deeper on External User.
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. Who is an External User in Salesforce?
Q2. Which license type would an External User on a partner portal typically hold?
Q3. What record links an External User to the organization or household they represent?
Discussion
Loading discussion…