Azure AD B2B life-cycle management with a sponsor per partner organization and fallback
This is a simple implementation proposal for Azure AD B2B life-cycle management with a sponsor per partner organization and a fallback approver, built on Azure AD Entitlement Management. The idea is that a guest's presence in the tenant is tied to an access package assignment: while the assignment is valid the guest is a member of a single security group, and when it expires without extension the guest is blocked and eventually removed by Entitlement Management.
For more information about the numerous possibilities for a B2B life-cycle in Azure AD please read my blog post: Azure AD identity governance — Part 4 — Govern Azure AD B2B
1. Create a cloud-only security group called “B2BAccess”
2. Create a catalog enabled for external users
3. Add your B2BAccess group as resource to the catalog
4. Create an access package “B2B Access” that only contains your B2BAccess group
5. Make sure the access package policy is for users not in your directory; adjust the approval and user scope to your needs. In this example the access package is available to all external users (all connected organizations plus any new external users), and the first approver is the sponsor of the requestor's connected organization, with a fallback to a generic internal B2B sponsor (e.g. an internal partner management department). The fallback matters: a guest from a domain that has no connected organization yet, or from one without sponsors, would otherwise have nobody to approve (or re-approve) the request.
6. If desired, configure your connected organizations, including their external and internal sponsors, since approval is routed to them
7. Make sure the access package policy has life-cycle settings so the B2B users actually get a life-cycle and not just an initial approval. In this case this is based on expiration with possible extension, including a re-approval on extension. You could also do it with an access review instead.
8. Understand the Entitlement Management settings for external user life-cycle: these tenant-wide settings decide whether an external user whose last access package assignment has expired is blocked from signing in, and after how many days the blocked guest account is removed from the directory. Without them the guest keeps the account, just without the group membership.
9. Find the My Access portal link on the access package overview which you can provide to external users so they can request access to your tenant. E.g. https://myaccess.microsoft.com/@filipinlabs.onmicrosoft.com#/access-packages/1ad507c4-641d-4d07-ba6c-199fcbc27dec [Feel free to spam me]
10. The sponsor approves the request and the life-cycle dream starts :))
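The same setup as a script, added here as an example and not part of the original post. It uses the Microsoft Graph PowerShell SDK with `Invoke-MgGraphRequest` against the beta Entitlement Management endpoints (the beta schema with `durationInDays`, `canExtend` and `isBackup` approvers is an assumption of this example). The fallback sponsor group name “B2B-Sponsors”, the catalog name “B2B”, the 90-day duration, the 14-day approval timeout and the 30-day removal delay are illustrative values and not from the post. Steps 6 (connected organizations) and 10 (the sponsor approving) are left out because they happen in the portal or by the partner.

```powershell
# Added example: Azure AD B2B life-cycle setup via Microsoft Graph (beta) from PowerShell.
# Assumes the Microsoft Graph PowerShell SDK is installed, you hold a role that can manage
# Entitlement Management, and an internal group "B2B-Sponsors" (hypothetical name) exists.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.ReadWrite.All", "Organization.Read.All"
$em = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement"

# 1. Cloud-only security group; guests are members only while their assignment is valid
$group = New-MgGroup -DisplayName "B2BAccess" -MailNickname "B2BAccess" -MailEnabled:$false -SecurityEnabled

# Fallback approver: an existing internal group, e.g. partner management (hypothetical name)
$fallback = Get-MgGroup -Filter "displayName eq 'B2B-Sponsors'"
if (-not $fallback) { throw "Fallback sponsor group not found; without it unsponsored guests cannot be approved" }

# 2. Catalog that external users are allowed to see
$catalog = Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackageCatalogs" -Body @{
    displayName = "B2B"; description = "Guest life-cycle"; isExternallyVisible = $true
}

# 3. Add the group as a resource of the catalog, then look the catalog resource up again
Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackageResourceRequests" -Body @{
    catalogId = $catalog.id; requestType = "AdminAdd"
    accessPackageResource = @{ originId = $group.Id; originSystem = "AadGroup" }
} | Out-Null
$resource = (Invoke-MgGraphRequest -Method GET `
    -Uri "$em/accessPackageCatalogs/$($catalog.id)/accessPackageResources?`$filter=(displayName eq 'B2BAccess')").value[0]

# 4. Access package that contains nothing but the Member role of that group
$package = Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackages" -Body @{
    catalogId = $catalog.id; displayName = "B2B Access"; description = "Membership in B2BAccess for guests"
}
Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackages/$($package.id)/accessPackageResourceRoleScopes" -Body @{
    accessPackageResourceRole = @{
        originId = "Member_$($group.Id)"; displayName = "Member"; originSystem = "AadGroup"
        accessPackageResource = @{ id = $resource.id; originId = $group.Id; originSystem = "AadGroup"; resourceType = "Security Group" }
    }
    accessPackageResourceScope = @{ originId = $group.Id; originSystem = "AadGroup" }
} | Out-Null

# 5 + 7. Policy for users not in the directory: every external user may request, the
# connected organization's external sponsors approve, the internal group is the fallback
# (isBackup), and assignments expire after 90 days with extension that needs re-approval.
$policy = Invoke-MgGraphRequest -Method POST -Uri "$em/accessPackageAssignmentPolicies" -Body @{
    accessPackageId  = $package.id
    displayName      = "External users - sponsor approval with fallback"
    canExtend        = $true
    durationInDays   = 90
    requestorSettings = @{ scopeType = "AllExternalSubjects"; acceptRequests = $true; allowedRequestors = @() }
    requestApprovalSettings = @{
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $true   # extension is a re-approval, not a silent renewal
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages = @(@{
            approvalStageTimeOutInDays     = 14
            isApproverJustificationRequired = $false
            isEscalationEnabled            = $false
            primaryApprovers = @(
                @{ "@odata.type" = "#microsoft.graph.externalSponsors"; isBackup = $false },
                @{ "@odata.type" = "#microsoft.graph.groupMembers"; id = $fallback.Id; isBackup = $true }
            )
        })
    }
    accessReviewSettings = $null
}

# 8. Tenant-wide external user life-cycle: block sign-in when the last assignment expires,
# delete the guest 30 days later. Without this the guest only loses the group membership.
Invoke-MgGraphRequest -Method PATCH -Uri "$em/settings" -Body @{
    externalUserLifecycleAction                 = "blockSignInAndDelete"
    durationUntilExternalUserDeletedAfterBlocked = "P30D"
}

# 9. My Access link to hand to partners (same URL pattern as the portal shows)
$tenant = (Get-MgOrganization).VerifiedDomains | Where-Object IsInitial | Select-Object -First 1 -ExpandProperty Name
"https://myaccess.microsoft.com/@$tenant#/access-packages/$($package.id)"
```

Two points to verify after running it: open the policy in the portal and confirm the approver shows the connected organization sponsor with the internal group as fallback, and request the package once with a test guest from a domain that has no connected organization to see the fallback actually receive the request.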