In the past year, we as IT admins have all dealt with it: working together in an environment where external users or companies (referred to as guests) need access to your Microsoft environment. In this blog series, I will help you manage and control guest accounts in your tenant, which is part of the Azure AD Identity Governance strategy.

This blog series will consist of 4 blog posts.
Blog 1: Manage and control guest accounts in Microsoft 365
Blog 2: Create access packages to provide access to specific company resources
Blog 3: How to know if a guest still needs access to the environment using Azure AD access reviews
Blog 4: Use Privileged Identity Management to assign admin roles on demand for a specific period

Now let’s start! When granting access to guests in your environment, you should ask yourself the following questions:

  • Do we have an Identity Governance strategy in place?
  • What additional licenses are required for guests?
  • How do you ensure that access takes place in a secure and controlled manner?
  • What processes are involved in granting access?
  • How to know if a guest still needs access to specific resources and who is responsible for reviewing this?

Why did I write this blog?

Granting guests access to the environment is underestimated and underexposed. Besides this, no processes are mapped internally before access is granted. The main reason for this is not to get in the way of business operations. Besides, many organizations have already granted guest access to the environment.

Why do we even need guests in our tenant?

Well, often the main reasons why guest access is needed are:

  • Working together on a project with guests needing access to Microsoft Teams channel(s)
  • Guests require access to a SharePoint site
  • Temporarily hiring someone for support that requires a guest account

Azure AD settings

Within Azure AD, there are some settings related to guests. Below you will find the commonly used settings.

Guest invite settings

One of the settings is about the policy regarding which persons and or groups can invite guests. Every organization should consider what works best for them.

Guest invite settings options within Azure AD

To keep employee productivity from dropping, most organizations opt for the “Member users and users assigned to specific admin roles can invite guest users including guests with member permissions” setting. With this setting, a user holding a specific admin role (e.g. the Guest Inviter role) and any member, or a guest with member permissions, who belongs to a specific team can invite a guest.
If an organization prefers to keep control over granting guest access, it can assign the Guest Inviter admin role to specific users (based on group membership) and then set the option “Only users assigned to specific admin roles can invite guest users”.

Limit the access rights of guest users

When a guest is invited to the environment, it is necessary to limit their rights as much as possible. For example, you do not want certain data to be visible to a guest. One of these settings concerns restricting access to the Azure portal. By default, a guest can log in to the Azure portal and read tenant information. This setting can be found under Azure Active Directory > User Settings > Administration portal > Restrict access to Azure AD administration portal.
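The portal-restriction toggle above is set in the Azure portal as described. The tenant-wide invite policy from the previous section and the related directory-level guest access restriction both live in the Graph authorizationPolicy, so they can be audited and tightened from a script. The following is an added example (not from the blog) using Microsoft Graph PowerShell; the group name "Guest Inviters" is an assumption.

```powershell
# Added example, not from the blog: report the tenant-wide guest settings from
# the Graph authorizationPolicy and, when wanted, tighten them so that only
# admins and Guest Inviter role holders may invite, delegated via a group.
# Assumes the Microsoft.Graph module and an account allowed to change policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","RoleManagement.ReadWrite.Directory","Group.Read.All" -NoWelcome

$PolicyUri = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Well-known guestUserRoleId values documented for authorizationPolicy
$GuestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as member users"
    "10dae51f-8b43-4e8c-9b8f-8d8e8a33f0ad" = "Limited access (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted access"
}

function Get-GuestSettingsReport {
    $pol = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    [pscustomobject]@{
        # none | adminsAndGuestInviters | adminsGuestInvitersAndAllMembers | everyone
        AllowInvitesFrom = $pol.allowInvitesFrom
        GuestUserRole    = $GuestRoleNames[$pol.guestUserRoleId]
    }
}

function Set-ControlledGuestSettings {
    param(
        # Group whose members should be allowed to invite guests (assumed name)
        [string]$InviterGroupName = "Guest Inviters"
    )
    # Only admins and Guest Inviter role holders may invite; guests get the
    # restricted directory permission set
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body @{
        allowInvitesFrom = "adminsAndGuestInviters"
        guestUserRoleId  = "2af84b1e-32c8-42b7-82bc-daa82404023b"
    }
    # Delegate inviting to the group; the group must be role-assignable
    $group   = Get-MgGroup -Filter "displayName eq '$InviterGroupName'"
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Guest Inviter'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/"
}

# Audit first; call Set-ControlledGuestSettings once the report has been reviewed
Get-GuestSettingsReport | Format-List
```

Run the report before and after the change so the effect on existing inviters is visible in the output.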

Limit access to the Azure AD portal

Secure access for guests using Conditional Access

Granting access to a guest user is done in a few clicks. How do you ensure that a guest logs in to the environment in a secure way? Conditional Access is the answer here.
In order for each guest to be prompted for a second authentication factor when attempting to log in, it is necessary to add a Conditional Access policy that applies to guests. Note that using Conditional Access requires at least 1 Azure AD Premium P1 (AAD P1) license added to the tenant. 1 AAD P1 license covers P1 functionality for 5 guests. Below is a screenshot of the Conditional Access policy configured for guests:

CA policy for guests
Set the Grant option to Grant access and Require multi-factor authentication.

Sidenote: Don’t forget to turn on Continuous Access Evaluation in your tenant when using Conditional Access.
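The policy shown in the screenshot can also be created from a script. Below is an added example (not from the blog) using Microsoft Graph PowerShell; it creates the policy in report-only mode so its impact can be checked in the sign-in logs before it is switched to enabled, and the excluded break-glass account UPN is a placeholder.

```powershell
# Added example, not from the blog: create the "require MFA for guests"
# Conditional Access policy in report-only mode. Assumes the Microsoft.Graph
# module; "breakglass@contoso.example" is a placeholder for your emergency account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All" -NoWelcome

function New-GuestMfaPolicy {
    param(
        [string]$PolicyName = "CA - Guests - Require MFA",
        [string]$BreakGlassUpn = "breakglass@contoso.example"   # placeholder
    )
    # Do not create a duplicate if a policy with this name already exists
    $existing = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.DisplayName -eq $PolicyName }
    if ($existing) {
        Write-Host "Policy already exists: $($existing.Id)"
        return $existing
    }

    $breakGlass = Get-MgUser -UserId $BreakGlassUpn

    $policy = @{
        displayName = $PolicyName
        # Report-only first; change to "enabled" after validating sign-in logs
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users = @{
                includeUsers = @("GuestsOrExternalUsers")   # all guests / external users
                excludeUsers = @($breakGlass.Id)            # never lock out the emergency account
            }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        # Grant access + Require multi-factor authentication
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

$created = New-GuestMfaPolicy
Write-Host "Policy $($created.DisplayName) is in state $($created.State)"
```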

Limit invitations

In addition to granting guest access, an organization needs to think about which domains it wants to allow into the environment. Is it acceptable to grant access to, for example, an @gmail.com or @outlook.com address, given that these domains are usually associated with personal accounts? You can block these specific domains via Azure Active Directory > User settings > Manage external collaboration settings > Collaboration restrictions > Deny invitations to the specified domains.

Blocking invites sent to gmail.com and outlook.com e-mail addresses
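The deny list only stops new invitations; guests from those domains who were invited before the restriction stay in the tenant. The following added example (not from the blog) lists those existing guests with Microsoft Graph PowerShell so they can be reviewed. The blocked domain list mirrors the screenshot and is an assumption.

```powershell
# Added example, not from the blog: find guests already in the tenant whose
# address belongs to a domain that is now on the invitation deny list.
# Assumes the Microsoft.Graph module; the blocked list is taken from the screenshot.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

$BlockedDomains = @("gmail.com", "outlook.com")

function Get-GuestEmailDomain {
    param([Parameter(Mandatory)] $User)
    # Prefer the mail attribute; otherwise decode the #EXT# form of the UPN
    # (john.doe_gmail.com#EXT#@tenant.onmicrosoft.com -> john.doe@gmail.com)
    $address = $User.Mail
    if (-not $address -and $User.UserPrincipalName -like "*#EXT#*") {
        $local = ($User.UserPrincipalName -split "#EXT#")[0]
        $idx   = $local.LastIndexOf("_")      # hostnames cannot contain "_", so the last one is the separator
        if ($idx -gt 0) {
            $address = $local.Substring(0, $idx) + "@" + $local.Substring($idx + 1)
        }
    }
    if ($address) { return ($address -split "@")[-1].ToLowerInvariant() }
    return $null
}

function Get-GuestsInBlockedDomains {
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id,DisplayName,Mail,UserPrincipalName,CreatedDateTime
    foreach ($g in $guests) {
        $domain = Get-GuestEmailDomain -User $g
        if ($domain -and $BlockedDomains -contains $domain) {
            [pscustomobject]@{
                DisplayName = $g.DisplayName
                Domain      = $domain
                Invited     = $g.CreatedDateTime
                Id          = $g.Id
            }
        }
    }
}

# Oldest invitations first: these are the first candidates for an access review
Get-GuestsInBlockedDomains | Sort-Object Invited | Format-Table -AutoSize
```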

I hope that after reading this blog, you have gained more control and insight into granting and securing guest access. The next blog post will be about providing access to specific company resources.


4 Comments

  1. Nassim El Boutaibi

    Awesome blog, it gives starters a better insight into guest accounts and the true meaning of them within Azure AD! Looking forward to the next one!

  2. bilalelhaddouchi

    Thanks for the compliment Nassim. It gives me energy when we share knowledge in such a way that it’s beneficial. That’s what counts.

  3. Adam Mallinson

    We have just started using this feature to enable easier document collaboration with our third parties. We are wanting to put in a Terms of Use policy but have been unable to find any good examples of this (I know everywhere will be different), but even just something generic to get us started would be great. Do you happen to have an example you might be able to share?

  4. bilalelhaddouchi

    Adam, it’s important that working with terms of use covers the company in case of abuse. I would suggest you create a Terms of Use policy within Conditional Access by someone that has a legal background. Unfortunately, I don’t have any examples since my clients deliver those most of the time. Good luck!
