The customer wants to know how OneDrive distinguishes internal from external users.

Securlet uses domain matching to identify external users.

In a Cloudsoc tenant with domains example.com and example.org , users from those domains - like user@example.com or user@example.net - would be considered internal , while a user from any other domain that is not defined in the tenant would be considered external, something like user@<any other domain>.com