External User
An External User in Salesforce is a user account that belongs to someone outside the host organization: a customer, partner, supplier, or other non-employee.
Definition
An External User in Salesforce is a user account that belongs to someone outside the host organization: a customer, partner, supplier, or other non-employee. External Users access Experience Cloud sites (customer help centers, partner portals) with limited license types specifically designed for external access: Customer Community, Customer Community Plus, Partner Community, and a few specialized variants. Their permissions, data visibility, and feature access are all narrower than internal Salesforce users by design, both to constrain cost and to maintain the security boundary between the host org and the outside world.
External Users are central to Salesforce''s customer-self-service and partner-collaboration strategy. Every Customer Community portal user is an External User; every Partner Community user is an External User. They live in the same User object as internal users, but with a different license type, a Contact record linking them to an Account (the partner organization or the customer household), and a profile that restricts what they can do. The line between External and Internal users is one of the platform''s primary security boundaries.
How External Users work in Salesforce
License types for External Users
Customer Community: read-only access to limited objects, public Knowledge, case submission. Customer Community Plus: extends with case management and sharing rules. Partner Community: broader access for B2B partners including Lead, Opportunity, and Account. External Apps License: legacy variant for app-only access. Each license type has different per-user pricing and feature ceilings.
The Contact-to-User link
Every External User has a Contact record they are linked to. The Contact represents the person; the User record represents their login. Both records exist; both are managed. Account ownership of the Contact determines the External User''s scope: a Contact under Acme Corp''s Account means the External User sees Acme Corp''s data.
Profile-based access control
External Users use community-specific profiles (Customer Community User, Partner Community User, and custom variants). These profiles restrict object access, field-level security, and Setup access. They cannot see internal-only objects, internal-only fields, or any Setup pages. The platform enforces this strictly to prevent data leakage.
Sharing and the External User scope
External Users are not in the role hierarchy by default. They see records owned by their associated Account (when Account access is enabled) or records explicitly shared with them via sharing rules. Cross-Account sharing for external users is limited; the platform enforces a stricter visibility model than internal users to prevent partners from seeing each other''s data.
Login and authentication
External Users log in through the Experience Cloud site''s login URL: typically a custom domain like portal.acme.com or the default Salesforce-hosted URL. Authentication options include username/password (default), SSO with SAML or OIDC, social sign-on (Google, Facebook, LinkedIn), and passwordless email magic links. The Experience Cloud login page is configurable per site.
User provisioning and self-registration
External Users can be provisioned by admins (one-by-one or via Data Loader) or self-register through the Experience Cloud site. Self-registration is configurable per site: open registration (anyone can sign up), gated registration (admin approves each request), or invitation-only (admins send invites to specific email addresses).
Cost and license management
External User licenses cost per named user. A site with 10,000 community users on Customer Community can cost as much as the internal Salesforce license. Plan carefully: deactivate inactive users, audit licensing quarterly, and consider PAUL (Per Active User License) for sites with many infrequent users. Salesforce''s pricing for external users is the main cost driver in Experience Cloud deployments.
How to provision an External User in Salesforce
Provisioning an External User requires creating a Contact (if not already there) and then enabling the Contact as a Customer/Partner User. The user is now a full External User with login credentials and Experience Cloud access.
- Identify or create the Contact
Open the Account that represents the external organization (or the customer''s personal Account in Person Account orgs). Add the new person as a Contact, or open the existing Contact record.
- Enable as a Customer or Partner User
On the Contact, click the dropdown actions menu and select Enable Customer User (or Enable Partner User for partner contacts). The New User form opens.
- Configure user settings
Set username (typically the email), pick the appropriate license (Customer Community, Customer Community Plus, Partner Community), pick the right profile, assign role if applicable. Save.
- Send the welcome email
Salesforce sends a welcome email with login instructions. The user resets their password and logs in. Their access to the Experience Cloud site begins immediately.
- Test the user''s access
Use Login As to verify the user sees the right pages, records, and Knowledge articles. Adjust sharing or profile settings if anything looks wrong.
- Document the user lifecycle
Capture the user''s purpose, the Account they belong to, and the deactivation trigger (left the partner program, ended the contract). Without lifecycle hygiene, External Users accumulate.
The Contact record the External User is linked to. Must exist before enabling the user.
The login identifier. Typically the user''s email address.
Customer Community, Customer Community Plus, Partner Community, or similar.
The profile that constrains what the External User can do. Often a custom variant of the standard community profile.
- External User licenses cost per named user. Inactive users continue consuming licenses until deactivated. Audit quarterly to recover cost.
- The Contact-to-User link is one-to-one. A single Contact can be enabled as exactly one External User; a single User must link to exactly one Contact. Plan the data model accordingly.
- Profile changes affect every External User assigned to that profile. Changing a community profile is a high-impact action; test thoroughly before applying.
- External Users cannot be added to standard Salesforce roles. They have a separate sharing model; do not expect role-hierarchy semantics to work.
Trust & references
Straight from the source - Salesforce's reference material on External User.
- External Users in Experience CloudSalesforce Help
- Community License TypesSalesforce Help
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. What is an External User?
Q2. What's a common External User license type?
Q3. Why does license choice matter?
Discussion
Loading discussion…