In a growing ‘cloud first-mobile first’ world, data sharing and collaboration with external organisations is becoming one of the key differentiators for successful organisations.
How does Microsoft provide external users with access to Azure resources?
Microsoft provides a B2B framework that allows organisations to share data with external users. It is based on an invitation system: external users are invited through collaboration apps, or through the Azure-native invite cmdlets / UI. Most Microsoft collaboration applications, such as SharePoint and Teams, also allow an organisation to invite external users.
Note: A new guest account will be provisioned on the inviter’s tenant when an external user is invited.
Why B2B lifecycle management is important
Because a new identity is provisioned in Azure AD for each B2B invite, and that user's permissions are granted per collaboration channel they are invited into, lifecycle management of these accounts is critical. Organisations can easily lose track of external users, for example:
- External users invited from different Azure application platforms may or may not go through the Azure AD native invite process. For example, SharePoint Online may issue the invitation using its own service account rather than the inviter's credentials, which is a problem if you rely on Azure AD audit logs to accurately track who invited a given guest account.
- Identity lifecycle and access management solutions are often limited to on-premises corporate users and have no visibility of external Azure AD users, leading to orphaned identities that are difficult to manage.
- Sensitive data could be shared with external organisations or users without the controls that the existing identity lifecycle solution implicitly provides.
Recommendations from the Field
Minimize invitation channels
Rather than allowing B2B invites from every application, use only the channels that are easy to manage and provide extensive auditing. Where the Azure AD invitation process is used, guest access on application platforms is limited to users who exist in the directory.
Set a lifetime threshold for B2B users
Set an extensible, authorised lifetime policy for guest accounts to help the organisation control the number of guest accounts.
Periodic Access Reviews
To reduce the risk of B2B users accumulating excessive permissions, implement periodic access reviews. These reviews can be delegated to the guest account sponsors.
Accountability for Each invite
It is good practice to keep track of who invited each external user and to implement periodic attestation (every 3 months, for example). As an external user may have access to files across multiple projects, the guest user sponsor role need not be limited to one person.
Consider whitelisting of organisations
Restricting B2B invitations to trusted organisations lets enterprises ensure that only users from partner organisations have access to Azure/O365 resources. Note that the existing Azure AD B2B Allow/Deny list is not honoured by all applications: some applications maintain their own invite process, so review the invitation restrictions for each application that has external guest access enabled. As of now, SharePoint and OneDrive maintain their own Allow/Deny organisation list; a preview feature for SharePoint Online honours the Azure AD domain restrictions. https://docs.microsoft.com/en-us/microsoftteams/teams-dependencies details how external access authorisation is implemented in Teams.
Consider deleting inactive B2B Users
Tracking B2B user logins by reading the Azure AD audit logs will help identify and delete inactive B2B users.
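The following script is an added example, not part of the original post, that puts the two previous recommendations together: it reports guest accounts with no sign-in within a configurable window and, where the audit log still holds the record, who (or which application) invited them. It assumes the Microsoft.Graph PowerShell modules (Users and Reports) are installed and that the signed-in account holds User.Read.All and AuditLog.Read.All; the $InactiveDays value and the matching of audit targets to guest UPNs are assumptions for illustration.

```powershell
# Added example (not the original post's code): report stale B2B guests and their inviters.
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Reports are installed. signInActivity
# requires an Azure AD Premium licence, and directory audit retention is short (30 days on
# P1/P2), so the inviter can only be recovered for recent invitations.
param(
    [int]$InactiveDays = 90,   # assumed threshold; tune to the organisation's lifetime policy
    [switch]$Remove            # default is report-only; deletion only when explicitly requested
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Build invited-UPN -> inviter map from the "Invite external user" audit events.
$inviters = @{}
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Invite external user'" -All |
    ForEach-Object {
        $target = ($_.TargetResources | Select-Object -First 1).UserPrincipalName
        # An invite issued by an application's service account (the SharePoint case described
        # above) is recorded under InitiatedBy.App rather than InitiatedBy.User.
        $by = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
              else { "app:" + $_.InitiatedBy.App.DisplayName }
        if ($target) { $inviters[$target.ToLower()] = $by }
    }

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, CreatedDateTime, SignInActivity

$stale = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    # A guest who has never signed in is judged by the date the account was created instead.
    $reference = if ($last) { $last } else { $g.CreatedDateTime }
    if ($reference -lt $cutoff) {
        $key = $g.UserPrincipalName.ToLower()
        $who = if ($inviters.ContainsKey($key)) { $inviters[$key] } else { "unknown (outside audit retention)" }
        [pscustomobject]@{
            UserPrincipalName = $g.UserPrincipalName
            LastSignIn        = $last
            Created           = $g.CreatedDateTime
            Inviter           = $who
        }
    }
}
$stale | Sort-Object LastSignIn | Format-Table -AutoSize

if ($Remove) {
    # Remove-MgUser supports ShouldProcess, so each deletion is confirmed interactively.
    foreach ($s in $stale) { Remove-MgUser -UserId $s.UserPrincipalName -Confirm }
}
```

Run it without -Remove first and hand the report to the guest sponsors for attestation; accounts whose inviter is "unknown" are exactly the orphaned identities the section above warns about.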
Consider the deployment of Azure P2 features
It’s good practice to deploy the B2B identity governance features that are part of the Azure AD P2 licence. For further details see:
External User Access governance.
Cloudneo has helped numerous organisations with Identity Management around B2B across the Microsoft application family and other key vendors. We’ve worked with them to organise, optimise and flex their B2B identity solutions in short order.
To find out more about Azure B2B and how to get going, get in touch with Chris Hudson.
Refer to https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b for more details on Microsoft’s solutions.
Chris is an Identity and Access Management expert and founder of Cloudneo with many years’ vendor and industry experience with clients.