With the Azure AD Identity Governance feature “Entitle Management” it is easier to automate the access requests, set expiry dates, justify why a user needs access and get the load out of the IT admins.
Azure B2B collaboration is a hot topic these days, and the end result should be stressed access from the end user’s end. However, security is a concern, and who gets the right access is a consideration.
The feature I’m testing today is not specifically related to internal users, but it will be helpful in managing Guest User access to resources.
What is Entitlement Management
As per Microsoft Documentation, Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale by automating access request workflows, access assignments, reviews, and expiration.
Licensing Considerations
While this can be used to get the internal staff to request access to different apps, SharePoint sites, and Teams, I will be using this to support my scenario.
What questions this answer?
Automate Guest User creation – Currently, to provide someone external to the organization with Guest access, the account needs to be created in Azure AD.
Not all the users will get access, but only the external users need access.
This can be automated with the Connected Organizations option in Entitlement Management.
Automatically added to the Groups and Teams in the other tenant without an invitation.
Connected Organizations
Ideally, this answers the relationship between Tenant A and Tenant B. This is the connection you need to setup in order an external party to access the resources under the Entitlement Management policies
Catalog
The Catalog will contain the access package that required by the end user (internal or external). It can be SharePoint Sites, Teams or Apps.
Let's test this out.
Scenario: Tenant A, Tenant B. Both of the tenants are under the same company, but because of the nature of the business, the tenants can’t be consolidated.
Users from Tenant B, needs to access the resources in Tenant A
1. Create a Connected Organization
Go to https://aad.portal.azure.com/ > Azure Active Directory > Identity Governance > Entitlement Management > Connected Organizations > Add Connected Organization
Add the directory
Skip the sponsors if you are not adding any in the next screen.
Review and Create
2. Next, let's create the Access Package
Go to https://aad.portal.azure.com> Azure Active Directory > Identity Governance > Entitlement Management.
Select Access Packages > New Access Package
Create the Catalog
Click on the “Create new catalog” link and complete the form.
Add the resources as shown in the screenshot below and select the roles for each resource.
Click Next: Requests to go forward in the wizard
This is where you make sure the access package is assigned to the relevant connected organization
Select Add Directores and add the Tenant that was connected previously
For the automation to work, set the below settings to NO and move to the next step
This step is purely to collect information about the requestor and can be skipped if not required
The next step is important and can be setup according to your requirement
Access Reviews can be done periodically if needed. This will be another major topic in Identity Governance and will be discussed separately.
Press Review + Create once all done.
Note down the URL in the Access Package. This will be the URL that the users from the other tenant need to request access.
This can be found in the Overview section of the Access Package.
https://myaccess.microsoft.com/@xxxxx.onmicrosoft.com#/access-packages/4aswscd-edf5-4b7e-1119-4f0096uwhsdf
User from the Tenant B – [email protected]
Login to Tenant B office.com with the [email protected] account as usual
Since the user from Tenant B needs to access the resources from Tenant A, advise the user to open the above link from their account.
They will see the below package that setup earlier.
Click on Request Access option
Complete the below form. Press Submit.
The progress of receiving access if you click on the Details link
The same can be checked from the Admin end
Notice the Demo User from Tenant B will be created in Tenant A’s Azure AD, and the Invitation Accepted is still NO.
Demo user will receive the Consent Accept/ Decline option when they trying to access the Tenant A resources and that completed the user creation flow
Look at their Teams! The user’s Teams is already set to go for Tenant B
When switched to Tenant B, the Team that the Demo User is a member or will be there
The access package is now completed, and as you can see, the Guest user’s access has been fulfilled.