In the past year, we as IT admins have all dealt with it. Working together in an environment where external users or companies (described as guests) need access to your Microsoft tenant. In this blog series, I will help you manage and control guest accounts in your tenant which is part of the Azure AD Identity Governance strategy.
This blog series will consist of 4 blog posts.
Blog 1: Manage and control guest accounts in Microsoft 365
Blog 2: Create access packages to provide access to specific company resources
Blog 3: How to know if a guest still needs access to the environment using Azure AD access reviews
Blog 4: Use Privileged Identity Management to assign admin roles on demand for a specific period
Now let’s start! When granting access to guests in your environment, you should ask yourself the following questions:
- Do we have an Identity Governance strategy in place?
- What additional licenses are required for guests?
- How do you ensure that access takes place in a secure and controlled manner?
- What processes are involved in granting access?
- How to know if a guest still needs access to specific resources and who is responsible for reviewing this?
Why did I wrote this blog?
Granting guests access to the environment is underestimated and underexposed. Besides this, no processes are mapped internally before access is granted. The main reason for this is not to get in the way of business operations. Besides, many organizations have already granted guests access to the environment.
Why do you need guests in our tenant?
Often the main reasons why guest access is needed are:
- Working together on a project with guests needing access to Microsoft Teams channel(s)
- Guests requires access to a SharePoint site
- Temporarily hiring someone for support that requires a guest account
Azure AD settings
Within Azure AD, there are some settings related to guests. Below you will find the commonly used settings.
Guest invite settings
One of the settings is about the policy regarding which persons and or groups can invite guests. Every organization should consider what works best for them.
To ensure that employee productivity does not decrease, it’s obvious for most organizations to opt to “Member users and users assigned to specific admin roles can invite guest users including guest with member permissions” setting. With this setting, you ensure that a user with specific admin roles (e.g. guest-inviter role) and a member or guest who is a member of a specific team can invite a guest.
If organizations prefer to have control over granting guest access, an organization can choose to allow specific users (based on group membership) to include the guest-inviter admin role. Followed by setting the option “Only users assigned to specific admin roles can invite guest users”
Limit the access rights of guest users
When a guest is invited to the environment, it is necessary to limit the rights as much as possible. For example, you do not want certain data to be visible to a guest. One of these settings concerns restricting access to the Azure portal. By default, a guest can log in to the Azure portal and read tenant information. This setting can be found under Azure Active Directory > User Settings > Administration portal > Restrict access to Azure AD administration portal
Secure access for guests using Conditional Access
Granting access to a guest user is done in a few clicks. How do you ensure that a guest logs in to the environment in a secure way? Conditional Access is the answer here.
In order for each guest to be prompted for a two-factor authentication method when attempting to log in, it is necessary to add a Conditional Access rule that pertains to guests. Note that using Conditional Access requires at least 1 Azure AD Premium (AAD) P1 license added to the tenant. 1 AAD P1 license, equals the use of P1 functionalities for 5 guests. Below is a screenshot of the Conditional Access policy configured for guests:
Sidenote: Don’t forget to turn on Continous Access Evaluation in your tenant when using Conditional Access
In addition to granting guest access, an organization needs to think about the domains that they want to grant access to the environment. Is it allowed to grant access to e.g. an @gmail.com or @outlook.com domain as these are domains that are often related to personal accounts? You can block these specific domains via Azure Active Directory > User settings > Manage external collaboration settings > Collaboration restrictions > Deny invitations to the specified domains.
I hope that after reading this blog, you have gained more control and insight into granting and securing guest access. The next blog post will be about providing access to specific company resources.