Azure AD identity governance — Part 2 — Govern identity lifecycle
The blog series
Part 1 — The basics
Part 2 — Govern identity lifecycle
Part 3 — Govern resource lifecycle
Part 4 — Govern Azure AD B2B
Part 5 — Govern access lifecycle
Part 6 — Reach back to on-premises
Govern identity lifecycle
Now that we have a basic understanding of the identities involved, we quickly realize that we can’t cover all areas with standard Azure AD features. In this blog article I would like to focus on the standard Azure AD features and concepts; a following article of the series will deal with custom solutions.
Azure AD Workday inbound provisioning
When a company uses Workday as its HCM system, Azure AD offers inbound provisioning for the identity lifecycle out of the box. Unfortunately, this only covers a subset of companies; furthermore, the out-of-the-box integration may not cover all required use cases. I have already published a blog on this.
The UserType and guest user limitations
You might think that a B2B user is always a guest user [UserType = Guest]. However, this is not the case: a B2B user can also be treated as an internal user [UserType = Member]. A detailed explanation can be found at Microsoft Docs.
Furthermore, the default restrictions for guest users (limited access to directory object properties and memberships) can be relaxed or removed in the external collaboration settings, so UserType alone does not tell you what a B2B user can see in the tenant.
External collaboration settings
With the Azure AD external collaboration settings you can define who is allowed to invite B2B users. For example, a blacklist or whitelist can be created based on domains.
- Turn off invitations
- Only admins and users in the Guest Inviter role can invite
- Admins, the Guest Inviter role, and members can invite
- All users, including guests, can invite
- Restrictions based on domain
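To make the two points above concrete (B2B users that are Members rather than Guests, and the invitation and guest restriction settings), here is an added audit script that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK, an account with the Policy.Read.All and User.Read.All permissions, and the well-known guestUserRoleId values as documented for the Graph authorizationPolicy resource; the hardening call at the end is commented out and additionally needs Policy.ReadWrite.Authorization. The domain allow/deny list is not read here because it is not exposed on the authorizationPolicy resource.

```powershell
# Added example, not code from the original blog: audit external collaboration
# settings and find B2B users that are Members instead of Guests.
# Assumes Microsoft.Graph SDK and Policy.Read.All / User.Read.All permissions.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' -NoWelcome

# 1. Who may invite, and how restricted guests are (tenant authorizationPolicy)
$policy = Get-MgPolicyAuthorizationPolicy

$inviteLevels = @{
    'none'                             = 'Turn off invitations'
    'adminsAndGuestInviters'           = 'Only admins and users in the Guest Inviter role can invite'
    'adminsGuestInvitersAndAllMembers' = 'Admins, the Guest Inviter role, and members can invite'
    'everyone'                         = 'All users, including guests, can invite'
}
# Well-known guestUserRoleId values documented for the authorizationPolicy resource
$guestRoles = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guests have the same access as members (restrictions removed)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guests have limited access to directory objects (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Guest access restricted to their own directory objects'
}

$guestRoleId = "$($policy.GuestUserRoleId)"   # coerce to string for the lookup
[pscustomobject]@{
    AllowInvitesFrom = $inviteLevels["$($policy.AllowInvitesFrom)"]
    GuestUserRole    = $guestRoles[$guestRoleId]
} | Format-List

if ("$($policy.AllowInvitesFrom)" -eq 'everyone') {
    Write-Warning 'Guests can invite further guests; consider adminsAndGuestInviters.'
}
if ($guestRoleId -eq 'a0b1b346-4d3e-4e8b-98f8-753987be4970') {
    Write-Warning 'Guest restrictions are removed: guests can enumerate the directory like members.'
}

# 2. B2B users whose UserType is Member: the UPN carries #EXT# (external identity),
#    but the Guest restrictions do not apply to them because they are Members.
$b2bMembers = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property id, userPrincipalName, userType, externalUserState, creationType |
    Where-Object { $_.UserPrincipalName -like '*#EXT#@*' }

Write-Host "B2B users with UserType = Member: $($b2bMembers.Count)"
$b2bMembers |
    Select-Object UserPrincipalName, UserType, ExternalUserState, CreationType |
    Format-Table -AutoSize

# 3. Optional hardening (needs Policy.ReadWrite.Authorization): restrict who can
#    invite and return guests to the default limited access.
# Update-MgPolicyAuthorizationPolicy `
#     -AllowInvitesFrom 'adminsAndGuestInviters' `
#     -GuestUserRoleId '10dae51f-b6af-4016-8d66-8c2a99b929b3'
```

Run the read-only part first in any tenant you govern; the list of #EXT# Members is the set of external identities your guest restrictions do not cover, and is a good input for the access reviews discussed later in the series.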
Further restrictions
Azure AD B2B offers settings that control which types of B2B users may be present in the tenant. The settings worth mentioning here are:
Azure AD also offers a self-service sign-up feature.
John Craddock has published excellent blogs on these two topics.
For more B2B details, take a look at my other blog.