In a growing ‘cloud first, mobile first’ world, data sharing and collaboration with external organisations are becoming key differentiators for successful organisations.
How does Microsoft give external users access to Azure resources?
Microsoft provides Azure AD B2B collaboration to let organisations share resources with external users. It is invitation based: external users are invited through collaboration apps, the Azure portal, or the native Azure AD invitation cmdlets. Most Microsoft collaboration applications, such as SharePoint and Teams, also allow an organisation to invite external users.
Note: a new guest user object is provisioned in the inviting tenant whenever an external user is invited, regardless of which application issued the invitation.
Why B2B lifecycle management is important
A new identity is provisioned in Azure AD for each B2B invite, and that identity accumulates permissions from every collaboration channel the user is invited into. Lifecycle management of these accounts is therefore critical, because organisations can easily lose track of external users. Scenarios include:
Invitations issued from different application platforms may or may not follow the native Azure AD invitation process. For example, SharePoint Online can issue an invitation to an external user under its own service account rather than the inviter’s credentials, which is a problem if you rely on the Azure AD audit logs to accurately track who invited a given guest account.
Existing identity lifecycle and access management solutions are often limited to on-premises corporate users and have no visibility of external Azure AD users, leading to orphaned identities that are difficult to manage.
Sensitive data could be shared with external organisations or users without the controls that the existing identity lifecycle solution enforces for internal users.
Recommendations from the Field
Minimise invitation channels
Instead of allowing B2B invites from every application, use only the channels that are easy to manage and provide thorough auditing. Routing invitations through the Azure AD invitation process keeps guest access on each application platform limited to users who already exist in the directory, so the directory remains the single place to audit and revoke that access.
Set a lifetime threshold for B2B users
Give each guest account an authorised lifetime (extendable on request) so that the number of live guest accounts stays bounded and every account has a defined expiry.
Periodic Access Reviews
To reduce the risk of B2B users accumulating excessive permissions over time, implement periodic access reviews. These reviews can be delegated to the guest account sponsors.
Accountability for each invite
It is good practice to record the inviter of each external user and to implement periodic attestation (every three months, for example). Because an external user may have access to files across several projects, the guest sponsor role need not be limited to one person.
Consider whitelisting of organisations
Restricting B2B invitations to trusted organisations lets enterprises ensure that only users from partner organisations have access to Azure/Office 365 resources. Be aware that the Azure AD B2B allow/deny list is not honoured by every application: some applications maintain their own invitation process, so review the invitation restrictions of each application that has external guest access enabled. At the time of writing, SharePoint and OneDrive maintain their own organisation allow/deny list, and a preview feature for SharePoint Online honours the Azure AD domain restrictions. https://docs.microsoft.com/en-us/microsoftteams/teams-dependencies details how external access authorisation is implemented in Teams.
Consider deleting inactive B2B Users
Tracking guest sign-ins from the Azure AD sign-in logs (the audit logs record directory changes, not authentications) identifies inactive B2B users that can be deleted. Note that sign-in log retention is short, so either export the logs to a log store or read the per-user sign-in activity property, which keeps the last sign-in date.
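Putting the last two recommendations together (sponsor accountability and inactive-guest cleanup), here is an added PowerShell example; it is not part of the original post. It classifies guest accounts using the property names Get-MgUser returns, while the Sponsor field, the day thresholds and the sample guests are assumptions made for illustration.

```powershell
# Added example (not from the original post): classify Azure AD guest accounts
# for lifecycle action. Input objects carry the property names Get-MgUser
# returns (UserPrincipalName, CreatedDateTime, ExternalUserState,
# SignInActivity.LastSignInDateTime). 'Sponsor' is an assumed field: the inviter
# or delegated owner you record at invite time, e.g. in an extension attribute.
function Get-GuestLifecycleReport {
    param(
        [Parameter(Mandatory)] [object[]] $Guest,
        [int] $InactiveDays = 90,   # no sign-in for this long: candidate for deletion
        [int] $PendingDays  = 30,   # invitation not accepted for this long: delete it
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($g in $Guest) {
        # A guest who accepted but never signed in is idle since the invite was created.
        $lastActivity = $g.SignInActivity.LastSignInDateTime
        if (-not $lastActivity) { $lastActivity = $g.CreatedDateTime }
        $idleDays = ($Now - [datetime]$lastActivity).Days

        $action = if ($g.ExternalUserState -eq 'PendingAcceptance' -and $idleDays -ge $PendingDays) {
            'Delete: invitation never accepted'
        } elseif ($idleDays -ge $InactiveDays) {
            'Delete: inactive, confirm with sponsor first'
        } elseif (-not $g.Sponsor) {
            'Orphaned: assign a sponsor before the next attestation'
        } else {
            'Keep: include in the next sponsor attestation'
        }

        [pscustomobject]@{
            UserPrincipalName = $g.UserPrincipalName
            State             = $g.ExternalUserState
            IdleDays          = $idleDays
            Sponsor           = $g.Sponsor
            Action            = $action
        }
    }
}

# Constructed sample input standing in for real tenant data. In a tenant you would run:
#   Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
#   $guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
#       -Property Id,UserPrincipalName,CreatedDateTime,ExternalUserState,SignInActivity
# (reading SignInActivity needs AuditLog.Read.All and an Azure AD Premium licence).
$now = [datetime]'2021-06-01T00:00:00Z'
$guests = @(
    [pscustomobject]@{ UserPrincipalName = 'alice_partner.example#EXT#@contoso.onmicrosoft.com'
                       CreatedDateTime   = [datetime]'2021-01-10T00:00:00Z'; ExternalUserState = 'Accepted'
                       SignInActivity    = @{ LastSignInDateTime = [datetime]'2021-05-20T08:00:00Z' }
                       Sponsor           = 'pm@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'bob_vendor.example#EXT#@contoso.onmicrosoft.com'
                       CreatedDateTime   = [datetime]'2020-11-02T00:00:00Z'; ExternalUserState = 'Accepted'
                       SignInActivity    = @{ LastSignInDateTime = [datetime]'2021-01-15T09:30:00Z' }
                       Sponsor           = 'pm@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'carol_agency.example#EXT#@contoso.onmicrosoft.com'
                       CreatedDateTime   = [datetime]'2021-04-01T00:00:00Z'; ExternalUserState = 'PendingAcceptance'
                       SignInActivity    = $null; Sponsor = 'lead@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'dave_partner.example#EXT#@contoso.onmicrosoft.com'
                       CreatedDateTime   = [datetime]'2021-05-01T00:00:00Z'; ExternalUserState = 'Accepted'
                       SignInActivity    = @{ LastSignInDateTime = [datetime]'2021-05-28T17:00:00Z' }
                       Sponsor           = $null }
)
Get-GuestLifecycleReport -Guest $guests -Now $now | Format-Table -AutoSize
```

With the sample data, Alice is kept, Bob and Carol are flagged for deletion (inactive since January, and an invitation that was never accepted), and Dave is reported as orphaned because nobody is recorded as his sponsor. Because detection works on the guest user objects themselves, it catches guests regardless of which channel invited them, including the SharePoint service-account invitations mentioned earlier whose inviter is not reliably attributed in the audit log. Before removing an account, disable it first (`Update-MgUser -UserId $id -AccountEnabled:$false`) and wait for complaints; a deleted user stays in the Azure AD recycle bin for 30 days and can be restored if the sponsor objects.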
Consider deploying Azure AD P2 features
It is good practice to deploy the B2B identity governance features, such as access reviews, that are part of the Azure AD P2 licence. For further details see:
Cloudneo has helped numerous organisations with identity management around B2B across the Microsoft application family and other key vendors. We have worked with them to organise, optimise and scale their B2B identity solutions in short order.
To find out more about Azure AD B2B and how to get going, get in touch with Chris Hudson.
As more organizations embark on their cloud/digital transformation journey, identity, security, infrastructure and developer technologies are rated as priority workloads to design, plan and deploy. One of the key success metrics assessed is user experience, which implies that users are accessing applications, resources and data. Or at least we presume so.
Are our IT teams focused, or should we say still focused enough, on integrating applications with cloud identity platforms? Going by experience, nah!
Key reasons for the reduced focus are operational complexity, lack of ownership, and the increased need for collaboration and stakeholder management. Most cloud identity/security projects integrate one or a few applications to prove the concept, deploy, and move on. The baton is rarely passed on.
Though not statistically proven, I am fairly confident this would closely resemble reality.
About 50% of the organizations with one or more cloud identity platforms would probably have fewer than 10 applications integrated. I wouldn’t be surprised if a few amongst them are test/staging instances.
Let’s review the reasons behind my emphasis on integrating applications with cloud identity platforms:
Single sign-on for users. The obvious benefit: users sign in to all applications, regardless of where they are hosted, with one set of credentials. Enable something as simple as SSO and users return the favour by enrolling in and using a second factor of authentication. A great trade-off, one would imagine!
Fewer identity/authentication platforms to manage. Most organizations run one or more of Active Directory, LDAP services, federation services and other identity providers. With consolidation the current theme, integrating applications with a single cloud identity platform paves the way for cost savings in the form of reduced infrastructure and support spend.
Improved/automated user provisioning to applications. Every application, internal or vendor supplied, needs some user information, and most organizations meet this with a collection of custom scripts or scheduled tasks. With 100 applications, that is roughly 100 such jobs run on a regular basis: overkill, and it often creates dependencies on individuals that nobody has acknowledged. Meeting provisioning requirements with SCIM or the identity platform’s native provisioning connectors removes this burden.
Increased uptime and easier feature rollout. As business owners procure applications, they want users onboarded as efficiently as possible so the business benefits start flowing; IT teams want this done securely and in compliance with all regulations. Strategically, settling on a single cloud identity platform strikes a balance between business units and IT, and most cloud identity vendors provide a catalogue of pre-integrated applications for quicker integration.
Secure access from anywhere. Once business applications are integrated, the investment in cloud identity/security platforms can be fully exploited. Securing access to applications, protecting the underlying data, device security and identity-based security only matter if there are applications behind them; any discussion of remote access or cloud security features is moot without users consuming them through integrated applications.
On to the next set of obvious questions: how do we get there, and what are the potential challenges along the way? Let’s begin with some stumbling blocks.
As IT organizations mature, so does complexity, and the term *cloud* brings with it the responsibility of dealing with vendors: sometimes not just the cloud identity provider, but application vendors and developers too.
Understanding and navigating the application landscape within an organization is in itself a formidable task. Most conversations, unsurprisingly, end with open questions: do we have tools, or should I rely on some kind of magic wand? In most situations the *magic wand* turns out to be a set of discovery tools, operational interviews and a long-forgotten inventory.
Organizations also face another significant decision: who owns this work? Is it operations (BAU, as some say) or a project/programme? That can get interesting depending on the dynamics between these teams. Based on experience, a project or a partner/vendor, followed by training and handover to operations, proves beneficial.
Training of the appropriate team members on the chosen cloud identity platform and on application integration specifics is often ignored. There is an underlying expectation that team members follow the documented procedures and learn on the job, which leaves the team teaching themselves basic concepts about protocols and standards such as SAML and OAuth, and sometimes the application itself and how its authentication is configured.
Lack of automation for the end-to-end process, from request through deployment, testing and production. Some elements can be automated; a certain amount of human interaction will remain.
Let’s now lay down an optimistic approach that captures the benefits listed above and more, and resolves some of the blockers along the way:
Discover and evaluate the application landscape. Shadow IT discovery is highly recommended during this phase. It can be accomplished with existing tools and custom scripts that query the current federation providers, feeding the results into the next phase.
Plan and prepare. Often overused terms in project management, but they carry a lot of weight here. Once application-specific data is available, the common recommendation is to prioritize and prepare based on criteria such as usage, complexity, compatibility, test patterns, provisioning, budget, resourcing, integration timelines and other significant dependencies.
Then comes the most awaited phase: deploy! Encourage integrating new applications for single sign-on from the very outset as an organization-wide strategy. Collate an initial set of applications of varied shapes and sizes; it serves as an important tool for testing patterns once engineers and vendors are pushing towards the common goal. At Cloudneo we have encountered organizations that select the least impactful applications first, and some extremely brave teams that migrated the high-usage ones first. Take your pick based on the organization’s risk appetite.
Operationalize and keep deploying, implementing and integrating! Feedback to the various cloud vendors is an essential step in this journey: not only do they benefit by reducing the integration burden for other customers, but your time to market for newer business applications also shrinks. Application owners tend to absorb the risks and own company-wide communications.
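For the Discover phase above, an added PowerShell example (not the post’s own tooling) of the kind of custom script it mentions: it compares the relying party trusts still served by on-premises AD FS with the service principals already present in Azure AD and reports which applications remain to be integrated. The sample trusts, service principals and identifiers are constructed; the cmdlets in the comments are the real ones you would use to pull live data, and matching on identifier equality is a heuristic, not a guarantee.

```powershell
# Added example (not from the original post): gap analysis between the relying
# party trusts still served by on-premises AD FS and the applications already
# integrated with the cloud identity platform (Azure AD service principals).
# An app counts as migrated when one of its AD FS identifiers (typically the SAML
# entity ID) appears among a service principal's ServicePrincipalNames.
function Get-FederationGap {
    param(
        [Parameter(Mandatory)] [object[]] $RelyingParty,      # Name, Identifier (string[]), Enabled
        [Parameter(Mandatory)] [object[]] $ServicePrincipal   # DisplayName, ServicePrincipalNames, PreferredSingleSignOnMode
    )
    # Index every identifier claimed by a cloud-integrated app, case-insensitively.
    $cloudIds = @{}
    foreach ($sp in $ServicePrincipal) {
        foreach ($id in $sp.ServicePrincipalNames) { $cloudIds[$id.ToLowerInvariant()] = $sp }
    }
    foreach ($rp in $RelyingParty) {
        $match = $null
        foreach ($id in $rp.Identifier) {
            $key = $id.ToLowerInvariant()
            if ($cloudIds.ContainsKey($key)) { $match = $cloudIds[$key]; break }
        }
        $status = if (-not $rp.Enabled) {
            'Disabled in AD FS: confirm retirement'
        } elseif ($match) {
            "Migrated (cloud SSO mode: $($match.PreferredSingleSignOnMode))"
        } else {
            'Not integrated: candidate for the Plan phase'
        }
        [pscustomobject]@{
            Application = $rp.Name
            Identifier  = ($rp.Identifier -join ', ')
            Status      = $status
        }
    }
}

# Constructed sample data shaped like the output of the real cmdlets:
#   Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier, Enabled     (run on the AD FS server)
#   Get-MgServicePrincipal -All -Property DisplayName,ServicePrincipalNames,PreferredSingleSignOnMode
$rps = @(
    [pscustomobject]@{ Name = 'Expense Portal'; Identifier = @('https://expenses.example.com/saml'); Enabled = $true }
    [pscustomobject]@{ Name = 'HR System';      Identifier = @('urn:hr:prod', 'https://hr.example.com'); Enabled = $true }
    [pscustomobject]@{ Name = 'Old Wiki';       Identifier = @('https://wiki.example.com');              Enabled = $false }
)
$sps = @(
    [pscustomobject]@{ DisplayName = 'Expense Portal'
                       ServicePrincipalNames = @('https://expenses.example.com/saml', '11111111-2222-3333-4444-555555555555')  # constructed app id
                       PreferredSingleSignOnMode = 'saml' }
)
Get-FederationGap -RelyingParty $rps -ServicePrincipal $sps | Format-Table -AutoSize
```

With the sample data the Expense Portal is reported as migrated, the HR System as not yet integrated, and the Old Wiki as disabled in AD FS and due for retirement confirmation. In a real inventory the same output is a natural input to the prioritization criteria of the Plan phase, and disagreements between the two sides (an app federated in both places, or identifiers that differ only by a trailing slash) are exactly the findings worth raising in the operational interviews.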
As the thoughts above show, beyond technical acumen, being passionate about documenting and automating the operational workload is what matters. A programme/project manager who is equally passionate about process and technology would prove beneficial. Perhaps an interactive session with Cloudneo architects?
There is no end to integrating applications with cloud identity providers; it is an ongoing process. Let’s plan, prepare and deploy!
Ananth is the co-founder and innovation lead at Cloudneo, with more than 15 years of experience in identity, security, DevOps and infrastructure solutions. He has worked for Microsoft in various roles, most recently as a Program Manager in the Azure Active Directory product group. He has architected and implemented digital transformation projects across most industry verticals and multiple geographies. He believes in consulting with purpose, absolute clarity and automation, and maps business requirements to technical excellence.