Manage external users

Manage external users

With Office 365 project, it is common to have external user access (b2b collaboration). This users may need access to a resource (sharepoint, etc.). These users usually have an Office 365 account and are therefore guest users. Nevertheless, security being an extremely important point nowadays, it is important to set up security rules.

Create guest user

From the Azure AD portal, click on Users then on New guest user.

Manage external users - B2B collaboration

Select Invite user and enter information for the identity. You can also enter Personal message. Click on Invite.

Manage external users - Invite users

User has been added on Azure Active Directory.

user has been added on Azure AD

The user receives an e-mail. Click on Accept the invitation.

Manage external users - Accept invitation

The guest user has been created and access to ressource portal.

Configure Azure PIM

From Azure AD portal, click on Azure Active Directory then on Identity Governance.

Configure external access with Azure AD

Click on Azure AD.

Activate PIM for Azure AD

On Azure PIM blade, click on Azure AD roles then on Roles.

List azure ad role

In the list of roles, click on Guest Invite.

Select Guest inviter role

Click on Add assignments.

Add Assignments

Click on No member selected for add new member.

Add member user azure ad

Search guest user and click on it. Click on Select for validate selection. I add an other user, this user has no right of administration. It is syncronized from my AD directory.

Select guest user

Click on Next then on Assign. User has been added.

Assign guest user

User receive an email when it’s assigned.

Role has been assigned

On Azure PIM portal, click on Role settings.

Configure Role Settings

Click on Edit to force Azure MFA.

Enable MFA

Check Azure MFA and click on Next.

Enable MFA

Check Require Azure Multi-Factor Authentification on active assignment and click on Update.

Enable Require MFA

Setting up invitations

We will now configure the invitation policy at the level of the Office 365 tenant. From the Azure AD portal, click on External Identities.

Setting up invitation

Click on External collaboration settings.

Configure external collaboration settings

Select No on Members can invite option. Repeat the same operation for Guests can invite.

Configure user can invite

You can enable Collaboration restrictions on the same blade. Click on Save to backup modification.

Configure External collaboration

Add connected organization

From Azure AD portal, click on Identity Governance then on Connected organizations.

Term of use

Click on Add connected organization.

Add connected organization

Enter the name of the organization and click on Next.

Enter organization name

Click on Add directory + domain, enter the domain name and click on Add. Click on Next.

Add thie domain of external user

You can now add a user sponsor. This external user can be approval access for other employees of his company. You can add internal or external user. in my case I add the twice. Click on Add/Remove for select user (for internal or/and external users). Click on Next then on Create.

Add/remove sponsors

The connected organization has been added.

Term of use

It may be important to get acceptance of the terms of use of Office 365. Azure AD allows conditional access to be created so that users must agree to these terms of use.

Click on Terms of use then on New terms.

Add new terms

Enter the Name and Display name. You can upload document and configure option. Select Create conditional access policy later. Click on Create.

Configure Terms of use

Terms has been added.

terms of use has been added

You can now create conditional access. From Azure portal, click on Security then on Conditional Access.

create Conditional access

Click on New policy for create new conditional access policy.

Create new conditional policy

Enter the desired name and click on Users and groups.

Add users or groups

Check Select users and groups then All guest and external users.

Select external users

Select Cloud apps or actions and click on All cloud apps.

Select application

Click on Grant then on Terms of InYourCloud. Click on Select.

Enable Terms of use

Enable policy then click on Create.

Enable policy

Conditional access is now enable. Guest users must be accept Terms of use before use Office 365.

Resources catalog

The catalog of resources can be created and assign at guest users. Click on Identity Governance then on Catalogs.

Create Catalog

Click on New catalog.

Create new catalog

Enter the desired name and description then click on Create.

Create catalog

Catalog has been created, click on it.

Catalog has been created

Click on Resources then on Add resources.

add ressource on the catalog

You can add Sharepoint sites, Applications or Groups and Teams. I add an Azure AD application.

Add application ressource on catalog

Application can be added on the catalog.

Ressource has been added

Click on Access packages then on New access package.

Create access packages

Enter name and description then click on Next.

Enter name and credential

You can add ressources. When you select it, you can enable only apps on Guest Users catalog or view all ressource in the tenant. Select the desired resources then the role.

Select resources
Select resources

Check For users not in your directory then click on Add directories. Select the directory oh the guest users.

Configure assignments of the access package

Enable Require approval option then select External Approver or Internal Approver. It’s possible to add failback approver. Enter the number of the day who the decision must be made. Enable Enable new requests and assignments option then click on Next.

Configure new access package

Enter the question and the answer format for the Requestor information.

Configure Requestor information

Configure Lifecycle then click on Review + Create. you can also configure Access Reviews.

Configure Lifecycle

Test Resource catalog

After logging in to myapps.microsoft.com with the user account, I change my organisation to access the organisation for which I received an invitation.

Access to other organization

Terms of use must be accepted by user.

Terms of use must be accepted

The user can access the application.

User can access the application

Approval other external user

Two approvers have been configured. One internal and one external approver . We will use the company’s internal user account to create new guest accounts.

From Azure AD portal, login with the user account (I used my synchronized account). Click on All services then on Azure AD Privilegied Identity Management.

Open Azure PIM

Click on My roles.

Activate roles on PIM

Click on Activate for enable assignments.

enable assignments

Additional verification must be done. Click on it to continue.

Additional verification on PIM

Click on Next on the new page.

configure MFA

Configure MFA as you want.

Configure MFA

it’s now possible to activate the role. Enter Reason and click on Activate. You can reduce duration of activation.

Activate roles on Azure PIM

All stage has been validated, assignments is activated.

Role has been active

Click on Users then on New guest user.

Create new guest user

Create new guest user and click on Invite.

Create new guest user

User receive invitation by mail, click on Accept Invitation.

Accept invitation

From the web browser, go to the URL https://myaccess.microsoft.com/ and click on Organization

Access to Organization

Access to other organization.

access to other organization

Select the desired package and click on Request Access

Request access

The question configured during the creation of the access package is present. Enter an answer as well as a justification then click on send.

request access

Click on View, you can access at your request.

view your request

All approvers receive an email. Approval can be done from the website https://myaccess.microsoft.com/. Connect it with approver user.

Approve request

Select the request and click on Approve.

approve request

Enter reason and click on Approve

The package has been enable.

Package has been enable

From the https://myapps.microsoft.com/, click on the account and change organization.

change organization on myapps portal

User can access to ressources.

User access to ressources

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.