Identity Governance Blog

How to be a Good Guest in Azure AD

October 27, 2022

Blog Summary

Partners and contractors often need short-term access to Microsoft resources, which expands exposure if requests, approvals, and expirations are ad hoc. Security teams scope guest access to business need, apply Conditional Access and time limits, and use entitlement workflows so external users get only what they need and nothing persists after the engagement.

Microsoft Azure AD B2B Collaboration

Microsoft Azure AD B2B collaboration allows customers to invite guest users to collaborate with their users. Azure guest accounts enable any organization using Azure AD to work safely and securely with users from other organizations. Azure customers use this functionality to provide access to documents, resources, and applications to their partners and are able to share living, breathing documents and resources, rather than sending them around in copies.

As organizations undergo digital transformations and need to continue enabling remote and hybrid work scenarios, functionality like sharing with guests becomes even more critical. These guests may be outside contractors like PR agencies, writing contractors, outsourced IT, and more, and they often perform essential tasks that need to get done without hindrances. However, being able to govern these accounts is critical to ensure a comprehensive audit trail: to see who invited them, how long they have access, to regularly certify that access, and more. Otherwise, security holes pop up and audit requirements become difficult to meet.

Microsoft, to their credit, makes it very easy to add members to Teams, groups, documents, and more, by sharing resources, documents, and presentations with a simple email address and the click of a mouse. After adding an email address, that account is added as a guest user directly in Azure AD. While easy, it does leave things a bit open-ended, as guests can invite other guests, who can then invite other guests, and so on down the line. While these accounts and identities are inherently added to Azure AD, even with logging, it can be challenging for administrators to catch potentially malicious and dangerous activities in real time. It can also be a challenge to set up controls to govern and maintain visibility as to who exactly is doing what, and this requires a good deal of manual work. Further, it can be murky, if not impossible, to see invitation chains and who has invited whom, since there is no automatic ownership of guest accounts and no regular attestation. Organizations need a way to control these guest accounts, which can grow like wildfire in the name of productivity.

Implementing an identity lifecycle for Azure guest accounts

A common workflow is that within Microsoft applications, people can simply right-click on a document and share it with a guest, giving them view or edit privileges. If the guest account is not recognized, a new guest account is created using a default setting that adds them to the directory. A good additional layer is to implement an identity lifecycle for Azure guest accounts that comes from identity governance and administration (IGA) solutions. This can be done by provisioning these guest accounts through an IGA solution and setting validity periods to ensure that these guest accounts are not given access in perpetuity. It also ensures that as these guest accounts and the identities associated with them change roles or employment status, their access rights change with it. These guest accounts can also have regular entitlement attestations.

With IGA solutions in conjunction with Azure AD, as the guest accounts are added, the IGA solution creates the identity, then provisions them to Azure AD, with a defined owner who then creates the lifecycle and validity period as described above. By taking the time to define the workflow in an IGA solution, it ensures that as guest accounts are created, they have an owner and validity period so that the accounts can be monitored and governed. These accounts are simultaneously created in Azure and imported so that they are registered in the directory.

As the accounts are created, they can be assigned proper access to various Microsoft 365 applications like SharePoint, Teams, Office, and more. Proper approvals are baked into this process, ensuring that checks and balances are in place so that no unintended guests can gain access to internal resources. As with the identity lifecycle for employees, people's identity data changes over time, such as a contractor or customer becoming an employee, or someone who left the organization coming back; being able to quickly provision the right access in each case without opening security holes is key.

Putting policies in place

Setting up access control policies is also an efficient way of providing people access while not violating the principle of least privilege. As an example, an assignment policy can be crafted to require that any guest account has a match within the Azure AD tenant that lines up with an existing email address and password. This type of policy can also be used to create risk scores and track the violation status of each account, to ensure that accounts are not being added to anything nefarious or excessive. Additionally, a policy can be created so that if an identity affiliated with a guest account moves roles, the organization can easily revoke permissions and delete the assignment. Accounts can also be deleted, or temporarily removed, the latter being particularly useful for people who return to the organization (think of a third-party contractor who works during particular seasons on a regular basis).
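The three governance checks the post describes, an accountable owner and a validity period on every guest (the lifecycle section above), regular attestation with revocation when the policy is violated (this section), and visibility into guest-invites-guest chains (the earlier discussion of invitation chains), can be expressed as one evaluation pass over exported guest records. The following is an added example written for this post; it is not Omada's or Microsoft's code, and it makes no calls to Azure AD. It assumes guest records have already been pulled from the tenant into plain Python objects, and the guest list, the reference date, the 90-day attestation interval, the 30-day deletion grace period and the rule that guests may not invite guests are all constructed policy values, not settings the post prescribes.

```python
"""Evaluate exported Azure AD guest records against a guest lifecycle policy.

Added example: not Omada's or Microsoft's code. All policy thresholds and the
sample guest records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ATTESTATION_INTERVAL_DAYS = 90  # assumed policy: recertify each guest quarterly
DISABLED_GRACE_DAYS = 30        # assumed policy: delete 30 days after disabling
MAX_INVITE_DEPTH = 1            # assumed policy: only members may invite guests


@dataclass
class Guest:
    upn: str
    invited_by: str                  # UPN of whoever sent the invitation
    owner: Optional[str]             # accountable internal owner, None if unassigned
    valid_until: Optional[date]      # validity period end, None if never set
    last_attested: Optional[date]    # last access certification, None if never done
    disabled_on: Optional[date] = None


def invite_chain(guest: Guest, guests_by_upn: Dict[str, Guest]) -> List[str]:
    """Follow inviter links from a guest back to the first non-guest inviter.

    Returns the UPNs from the guest up to (and including) the originating
    member. A visited set guards against malformed cyclic inviter data.
    """
    chain = [guest.upn]
    seen = {guest.upn}
    current = guest
    while current.invited_by in guests_by_upn and current.invited_by not in seen:
        current = guests_by_upn[current.invited_by]
        chain.append(current.upn)
        seen.add(current.upn)
    chain.append(current.invited_by)  # the member (or unknown principal) at the root
    return chain


def evaluate(guests: List[Guest], today: date) -> Dict[str, List[str]]:
    """Return, per guest UPN, the lifecycle actions the policy calls for."""
    by_upn = {g.upn: g for g in guests}
    findings: Dict[str, List[str]] = {}
    for g in guests:
        actions: List[str] = []
        if g.disabled_on is not None:
            # Temporarily removed accounts (e.g. seasonal contractors) are kept
            # for a grace period, then deleted if nobody re-enables them.
            if today - g.disabled_on >= timedelta(days=DISABLED_GRACE_DAYS):
                actions.append("delete: disabled past grace period")
            else:
                actions.append("hold: disabled, within grace period")
        else:
            if g.valid_until is None:
                actions.append("disable: no validity period set")
            elif g.valid_until < today:
                actions.append("disable: validity period expired")
            if g.owner is None:
                actions.append("flag: no accountable owner")
            if (g.last_attested is None
                    or today - g.last_attested > timedelta(days=ATTESTATION_INTERVAL_DAYS)):
                actions.append("flag: attestation overdue")
            chain = invite_chain(g, by_upn)
            depth = len(chain) - 1  # guest hops between this guest and the member
            if depth > MAX_INVITE_DEPTH:
                actions.append("flag: invited by guest (chain " + " <- ".join(chain) + ")")
        findings[g.upn] = actions
    return findings


# Constructed sample export; bob@corp.example is an internal member.
TODAY = date(2022, 10, 27)
SAMPLE_GUESTS = [
    Guest("alice@partner.example", "bob@corp.example", "bob@corp.example",
          date(2022, 12, 31), date(2022, 9, 1)),            # compliant
    Guest("carl@agency.example", "bob@corp.example", None,
          date(2022, 9, 30), date(2022, 5, 1)),             # expired, no owner, stale attestation
    Guest("dana@sub.example", "carl@agency.example", "bob@corp.example",
          date(2023, 3, 1), date(2022, 10, 1)),             # invited by another guest
    Guest("eve@old.example", "bob@corp.example", "bob@corp.example",
          date(2022, 6, 30), date(2022, 4, 1), disabled_on=date(2022, 9, 1)),  # past grace
]

if __name__ == "__main__":
    for upn, actions in evaluate(SAMPLE_GUESTS, TODAY).items():
        print(upn, "->", actions or ["ok"])
```

Run as a script it prints one line per guest with the actions due. In practice the input would come from the tenant's guest export and the actions would feed the IGA workflow rather than being applied directly, which keeps the approval step the post describes in the loop.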

Guest accounts should also be regularly recertified and reviewed to ensure that their access is current, and modern identity governance solutions can greatly aid in this effort. Together, Microsoft Azure AD and Omada can help customers improve efficiency by inviting guests to participate in critical work, while not sacrificing security.

Last edited Jan 06, 2026

FREQUENTLY ASKED QUESTIONS

What are Azure guest accounts in the context of Microsoft Azure AD collaboration?

Azure guest accounts are identities created in an Azure Active Directory tenant for external users who are invited through business to business collaboration. They allow partners and contractors to access selected resources and applications so organizations can share live content securely instead of exchanging static copies by email.

Why do Azure guest accounts increase governance challenges?

Guest accounts can be created quickly by internal users and those guests may be able to invite additional people, which causes these identities to grow rapidly. Without ownership, expiry rules, and regular attestations, security teams struggle to understand who invited whom, how long access should last, and whether any activities are unnecessary or risky.

How can Identity Governance and Administration (IGA) help manage Azure guest accounts?

IGA solutions can provision Azure guest accounts through defined workflows that assign each guest an owner, establish lifecycle rules, and set validity periods. As guest identities or their roles change, the IGA platform adjusts permissions, drives regular entitlement attestations, and makes sure no guest retains access beyond a legitimate business need.

What policies help keep Azure guest access aligned with least privilege?

Organizations can define assignment policies that require guest accounts to match known email domains and restrict which resources they may reach. Policies can assign risk scores, track violations, revoke permissions when associated identities move roles, and delete or temporarily remove accounts when guests no longer have a valid business purpose.

How should recurring or seasonal external users be handled?

Recurring or seasonal external users benefit from lifecycle controls that allow accounts to be removed or temporarily disabled when they are not active. When they return, approved access can be restored quickly without recreating accounts from scratch, reducing manual work while avoiding long standing unused permissions.
