How to invite a guest

When an organization invites you, the process is simple from the Azure AD side.

The admin adds your email address and, optionally, a welcome message; nothing else is required.

The admin then sees the user in Azure AD as an invited guest whose invitation is still pending acceptance.

How the guest sees the process

You receive an email invitation at that address.

When you accept the invite, you are asked to review and consent to the permissions the inviting organization requests (your name, email address and photo).

After you consent you are redirected to https://myapplications.microsoft.com, the default redirect URL for an invitation sent from the portal.

The organization admin then sees that you have accepted the invite. If needed, the admin can reset the redemption status, which forces the guest to redeem the invitation and go through the consent screen again; the guest keeps the same user object, group memberships and app assignments.
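The same three steps (invite, check what the admin sees, reset redemption) driven from Microsoft Graph PowerShell, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the User.Invite.All and User.ReadWrite.All scopes, and that the email address and message text are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module;
# the address and message below are placeholders.
Connect-MgGraph -Scopes "User.Invite.All", "User.ReadWrite.All"

$guestEmail = "partner.user@example.com"   # placeholder

# Step 1: the admin supplies the email address and an optional welcome message, nothing else.
$invite = New-MgInvitation `
    -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl "https://myapplications.microsoft.com" `
    -SendInvitationMessage `
    -InvitedUserMessageInfo @{ CustomizedMessageBody = "Welcome, accept this invite to reach our shared resources." }

# Graph creates the guest object immediately; the invitation itself is PendingAcceptance.
"Invitation status: $($invite.Status)"
$guestId = $invite.InvitedUser.Id

# Step 2: what the admin sees. externalUserState is PendingAcceptance until the guest
# completes the consent screen, after which it changes to Accepted.
$guest = Get-MgUser -UserId $guestId `
    -Property "id,userPrincipalName,userType,externalUserState,externalUserStateChangeDateTime"
$guest | Select-Object UserPrincipalName, UserType, ExternalUserState, ExternalUserStateChangeDateTime

# Step 3: reset redemption. The guest keeps the same object id, group memberships and
# app assignments but has to redeem the new invitation and consent again.
New-MgInvitation `
    -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl "https://myapplications.microsoft.com" `
    -InvitedUser @{ Id = $guestId } `
    -ResetRedemption `
    -SendInvitationMessage
```

Querying externalUserState explicitly with -Property matters: Get-MgUser does not return it by default, so a script that filters on the default property set will report every guest as accepted.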

Microsoft also has verifiable credentials in preview. With verifiable credentials the guest can present a passport, driving licence, school certificate or whatever other evidence the organization requires before access is granted. It is an excellent feature and I will cover it in a later post.

What to do once the guest is in my directory?

The guest is a normal user object in your directory, with userType set to Guest. You can add the account to groups and assign permissions, policies, roles and licenses to it just like any other user.

Adding guest users to a dynamic Microsoft 365 group

Add a dynamic membership rule that matches on the guest user type. This is a simple rule, but you can write complex, multi-layered rules against the user attributes; see Microsoft's reference at https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

You can set an expiration for the group through the group lifecycle policy; the minimum lifetime is 30 days, and owners are asked to renew the group before it expires.

Now you can target this group with, for example, Conditional Access, so that every guest automatically gets the same sign-in controls.
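Creating the dynamic group, attaching the 30-day expiration and checking who actually landed in it, as an added example that is not part of the original post. It assumes the Microsoft.Graph module with the Group.ReadWrite.All, Directory.ReadWrite.All and User.Read.All scopes; the group names, mail nickname, notification address and partner domain are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module;
# names, the notification address and the partner domain are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.ReadWrite.All", "User.Read.All"

# The rule exactly as it appears under "Dynamic membership rules" in the portal.
# The commented variant shows the multi-condition form, restricting membership to one partner domain.
$rule = '(user.userType -eq "Guest")'
# $rule = '(user.userType -eq "Guest") and (user.mail -contains "@partner.example.com")'

# Microsoft 365 group ("Unified") with dynamic membership: mail-enabled, not security-enabled.
$group = New-MgGroup `
    -DisplayName "All External Guests (dynamic)" `
    -MailNickname "all-external-guests" `
    -MailEnabled:$true `
    -SecurityEnabled:$false `
    -GroupTypes @("Unified", "DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Expiration: a tenant has a single group lifecycle policy; create one (30 days is the minimum)
# if none exists, then add this group to it.
$policy = Get-MgGroupLifecyclePolicy | Select-Object -First 1
if (-not $policy) {
    $policy = New-MgGroupLifecyclePolicy `
        -GroupLifetimeInDays 30 `
        -ManagedGroupTypes "Selected" `
        -AlternateNotificationEmails "guest-owners@example.com"   # placeholder
}
Add-MgGroupToLifecyclePolicy -GroupLifecyclePolicyId $policy.Id -GroupId $group.Id

# Membership is evaluated asynchronously; confirm the rule is on, then list who was pulled in.
Get-MgGroup -GroupId $group.Id -Property "id,displayName,membershipRule,membershipRuleProcessingState" |
    Format-List DisplayName, MembershipRule, MembershipRuleProcessingState

Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property "userPrincipalName,userType,externalUserState" } |
    Select-Object UserPrincipalName, UserType, ExternalUserState
```

Run the membership listing a few minutes after creation: dynamic rules are processed in the background, so an empty member list immediately after New-MgGroup does not mean the rule is wrong. The ExternalUserState column also shows that the rule matches guests who have not yet redeemed their invitation, which is worth knowing before you hang a Conditional Access policy on the group.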

The external guest can also remove themselves from your organization by going to https://myaccount.microsoft.com/organizations and selecting "Leave organization".

Last but not least

So that's it; with these instructions you can allow external guest users into your organization. The one downside of this approach, and of Entitlement Management as well, is that it gives you no automatic way to remove external users from your directory once they no longer need access.

Edit 11.10.2021: Access reviews can remove users through dynamic groups, either from existing Microsoft 365 groups or through a dynamic group filtered to external guest users. I will cover this in the next posts.

You can remove users from a group and thereby cut their access to the resources it is mapped to, but nothing removes the user object automatically when the access is no longer needed.

For that you need an identity and access governance solution that can automate guest invitation, modification and removal.
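Until access reviews or a governance tool take over, the part you can automate safely is the obvious case: invitations that were never redeemed. The following scheduled clean-up, an added example that is not part of the original post, deletes guests whose invitation has been pending for more than 30 days and only reports accepted guests who are in no group at all, because group membership alone does not tell you whether the access is still needed. It assumes the Microsoft.Graph module with the User.ReadWrite.All and GroupMember.Read.All scopes; the 30-day cutoff is an assumed value.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module;
# the 30-day cutoff is an assumed policy value.
Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.Read.All"

$cutoff = (Get-Date).AddDays(-30)

# externalUserState is not returned unless requested, so ask for it explicitly.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property "id,userPrincipalName,externalUserState,externalUserStateChangeDateTime,createdDateTime"

foreach ($g in $guests) {
    # Case 1: invited but never redeemed -> the object has no memberships or consent worth keeping.
    if ($g.ExternalUserState -eq "PendingAcceptance" -and $g.CreatedDateTime -lt $cutoff) {
        Write-Host "Removing unredeemed guest $($g.UserPrincipalName) (invited $($g.CreatedDateTime))"
        Remove-MgUser -UserId $g.Id   # soft-deleted; restorable from deleted users for 30 days
        continue
    }

    # Case 2: accepted but a member of nothing -> needs a human decision, so report only.
    $memberOf = Get-MgUserMemberOf -UserId $g.Id -All
    if (-not $memberOf) {
        Write-Host "Review: $($g.UserPrincipalName) is in no group (state: $($g.ExternalUserState))"
    }
}
```

Deleting a guest removes the directory object but not whatever the guest was shared individually, for example SharePoint sharing links that authenticate the external address directly; an access review or governance solution is still the right tool for deciding whether the access itself should end.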

Some examples of the ones I have experience with:

Third-Party Access Governance | Saviynt

Identity for Access Management

That's a wrap for this post.
