Securing Guest Access Without Paying More with Azure Active Directory B2B
Working with external companies and partner organizations just became a lot easier thanks to one of Azure AD’s service features: Azure AD Business-to-Business (B2B).
Companies always looking for solutions to improve their security and simplify collaboration. In today’s workplace, it’s very common for organizations to work with external partners. Office 365 is a great solution to collaborate with people both inside and outside your organizations, as it provides an easy way to share documents with external users or invite them to join your Microsoft Teams. Unfortunately, when you share using the default methods, your external users aren’t subject to the same security policies, such as multifactor authentication, that you’ve set up for your internal users.
What most organizations are looking for is a way to manage external access that is predictable and consistent with their security practices. A hidden gem that is part of Azure Active Directory and solves this problem is leveraging Azure Active Directory B2B users. Azure AD B2B is not a different version of Active Directory, but just an additional feature that allows one organization to invite members from other organizations to share application access. This tool is beneficial not only for seamless collaboration, but it decreases the worry of security issues.
How Does Azure Active Directory B2B Work?
When working with external organizations or contractors, granting access to your files and resources is important, but it's also important to manage these privileges. The issue does not lie with granting access to new users, but in managing them. Here are the common problems:
- Managing the lifecycle of these accounts
- Controlling the access to resources and applications
- Monitoring the account activities and granting access privileges
Azure AD B2B works by allowing external users access to another organization’s resources, but it applies that companies’ original security policy and leaves the management of the account to the host organization. You can granularly control which resources the account can access in your tenant and can enforce your security policies—like Multi-Factor Authentication (MFA) if they weren’t required before. We can even automate the process in most cases.
Here’s how it works:
- Administrator invites the partner users by uploading the details using a CSV file.
- The Azure portal sends the invite emails to the new users.
- A user clicks on the email link and sign in using their work credentials (if they already have an Azure AD account) or sign up as a new Azure AD B2B collaboration user.
- A user can now log in and access the shared resources.
Improving Security & Collaboration
When partnering or working alongside other companies, they are some things to be considered:
- Do the security policies match?
- Will additional accounts be needed to be created for multiple users?
- Once new accounts are created, who disables them when required?
- Who manages these accounts and takes care of passwords?
Azure AD B2B aims to solve these problems and still allow you to be in control. When you invite a new user to your application, they will get access using their Azure AD account. There is no need to create multiple new accounts or multiple new passwords. The new user will sign into your app with their credentials. You are still able to manage and control your application because you can decide if the login will require MFA and who has access.
Azure AD B2B provides an Application Programming Interface (API) so you can build onboarding processes and send invitations to apps or you can use the default service. This simplifies things by creating safe and secure collaboration.
Licensing – Azure Active Directory B2B
Guest access for the free tier of Azure Active Directory is included with the Office 365 service. This allows you to create users within Azure Active Directory and assign rights to them. A guest user is defined as someone who is not a member of your organization or your organization’s affiliates. Some types of users are specifically prevented from using guest access. These include employees, on-site contractors, and on-site agents.
The Azure Active Directory Premium Plan 1 (AAD P1) is the next step up in functionality and includes features like multifactor authentication and conditional access. It is sold standalone, as part of the Enterprise Mobility and Security Suite (EMS) E3 and the M365 E3 bundle. If the host organization owns AAD P1, then they get external sharing rights included. The rights are granted on a 1:5 ratio. For each AAD P1 license (or bundle that includes it) that is assigned to a user, the company can invite up to five guest users and leverage the same features. Microsoft calls this functionality and licensing privilege Azure AD B2B. Plus, if the guest user already has an AAD P1 license assigned to their identity by their own employer, then it will not even count against the guest license allocation. For more details, read Azure Active Directory B2B Collaboration Licensing Guidance – an article from Microsoft.
The Azure Active Directory Premium Plan 2 (AAD P2) works the same way. So, if document level encryption and control are needed, guests can also share in that functionality on a 1:5 basis.
How We Can Help
Whether you have questions about Azure Active Directory B2B, Azure migrations, or general licensing questions, Interlink has the experience to help. Our consultants have worked with numerous clients on getting the most out of their investments with Active Directory and we can ensure that you will learn how to best utilize your technology. Azure AD B2B is only one of Azure AD’s features that can help with more seamless collaboration. Contact us today to set up a consultation to see how we can help you benefit from Azure.
About the author
Mike Wilson brings over 18 years of technology experience to Interlink. Prior to joining Interlink, he served as a Director of Technology for a mid-size insurance company and has led multiple consulting practices to substantial growth. In those roles, Mike delivered tremendous value for his customers by designing and implementing scalable, reliable and business aligned solutions. Mike’s focus at Interlink is on leveraging the power of the Microsoft cloud to streamline IT operations in a way that reduces cost and allows businesses to refocus on core operations. He plays a key role in architecting projects and ensuring high standards in service delivery across the Interlink team. Mike earned a Bachelor of Science degree in Mathematics from the University of Cincinnati and is a proud graduate of St. Xavier High School. He is active in a number of local non-profits and has served on multiple non-profit boards and in executive leadership.
Welcome to the Interlink Cloud Blog
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations or warranties regarding the information from our partners or other external sources.