Manage external users

With Office 365 project, it is common to have external user access (b2b collaboration). This users may need access to a resource (sharepoint, etc.). These users usually have an Office 365 account and are therefore guest users. Nevertheless, security being an extremely important point nowadays, it is important to set up security rules.
Create guest user
From the Azure AD portal, click on Users then on New guest user.
Select Invite user and enter information for the identity. You can also enter Personal message. Click on Invite.
User has been added on Azure Active Directory.

The user receives an e-mail. Click on Accept the invitation.
The guest user has been created and access to ressource portal.
Configure Azure PIM
From Azure AD portal, click on Azure Active Directory then on Identity Governance.
Click on Azure AD.
On Azure PIM blade, click on Azure AD roles then on Roles.
In the list of roles, click on Guest Invite.
Click on Add assignments.
Click on No member selected for add new member.
Search guest user and click on it. Click on Select for validate selection. I add an other user, this user has no right of administration. It is syncronized from my AD directory.
Click on Next then on Assign. User has been added.
User receive an email when it’s assigned.
On Azure PIM portal, click on Role settings.
Click on Edit to force Azure MFA.
Check Azure MFA and click on Next.
Check Require Azure Multi-Factor Authentification on active assignment and click on Update.
Setting up invitations
We will now configure the invitation policy at the level of the Office 365 tenant. From the Azure AD portal, click on External Identities.
Click on External collaboration settings.
Select No on Members can invite option. Repeat the same operation for Guests can invite.
You can enable Collaboration restrictions on the same blade. Click on Save to backup modification.
Add connected organization
From Azure AD portal, click on Identity Governance then on Connected organizations.
Click on Add connected organization.
Enter the name of the organization and click on Next.
Click on Add directory + domain, enter the domain name and click on Add. Click on Next.
You can now add a user sponsor. This external user can be approval access for other employees of his company. You can add internal or external user. in my case I add the twice. Click on Add/Remove for select user (for internal or/and external users). Click on Next then on Create.
The connected organization has been added.
Term of use
It may be important to get acceptance of the terms of use of Office 365. Azure AD allows conditional access to be created so that users must agree to these terms of use.
Click on Terms of use then on New terms.
Enter the Name and Display name. You can upload document and configure option. Select Create conditional access policy later. Click on Create.
Terms has been added.
You can now create conditional access. From Azure portal, click on Security then on Conditional Access.
Click on New policy for create new conditional access policy.
Enter the desired name and click on Users and groups.
Check Select users and groups then All guest and external users.
Select Cloud apps or actions and click on All cloud apps.
Click on Grant then on Terms of InYourCloud. Click on Select.
Enable policy then click on Create.
Conditional access is now enable. Guest users must be accept Terms of use before use Office 365.
Resources catalog
The catalog of resources can be created and assign at guest users. Click on Identity Governance then on Catalogs.
Click on New catalog.
Enter the desired name and description then click on Create.
Catalog has been created, click on it.
Click on Resources then on Add resources.
You can add Sharepoint sites, Applications or Groups and Teams. I add an Azure AD application.
Application can be added on the catalog.
Click on Access packages then on New access package.
Enter name and description then click on Next.
You can add ressources. When you select it, you can enable only apps on Guest Users catalog or view all ressource in the tenant. Select the desired resources then the role.
Check For users not in your directory then click on Add directories. Select the directory oh the guest users.
Enable Require approval option then select External Approver or Internal Approver. It’s possible to add failback approver. Enter the number of the day who the decision must be made. Enable Enable new requests and assignments option then click on Next.
Enter the question and the answer format for the Requestor information.
Configure Lifecycle then click on Review + Create. you can also configure Access Reviews.
Test Resource catalog
After logging in to myapps.microsoft.com with the user account, I change my organisation to access the organisation for which I received an invitation.
Terms of use must be accepted by user.
The user can access the application.
Approval other external user
Two approvers have been configured. One internal and one external approver . We will use the company’s internal user account to create new guest accounts.
From Azure AD portal, login with the user account (I used my synchronized account). Click on All services then on Azure AD Privilegied Identity Management.
Click on My roles.
Click on Activate for enable assignments.
Additional verification must be done. Click on it to continue.
Click on Next on the new page.
Configure MFA as you want.
it’s now possible to activate the role. Enter Reason and click on Activate. You can reduce duration of activation.
All stage has been validated, assignments is activated.
Click on Users then on New guest user.
Create new guest user and click on Invite.
User receive invitation by mail, click on Accept Invitation.
From the web browser, go to the URL https://myaccess.microsoft.com/ and click on Organization
Access to other organization.
Select the desired package and click on Request Access
The question configured during the creation of the access package is present. Enter an answer as well as a justification then click on send.
Click on View, you can access at your request.
All approvers receive an email. Approval can be done from the website https://myaccess.microsoft.com/. Connect it with approver user.
Select the request and click on Approve.
Enter reason and click on Approve
The package has been enable.
From the https://myapps.microsoft.com/, click on the account and change organization.
User can access to ressources.
