Azure AD identity governance — Part 4 — Govern Azure AD B2B

The blog series

Part 1 — The basics

Part 2 — Govern identity lifecycle

Part 3 — Govern resource lifecycle

Part 4 — Govern Azure AD B2B

Part 5 — Govern access lifecycle

Part 6 — Reach back to on-premises

Azure Active Directory (Azure AD) business-to-business (B2B) is a powerful tool of the Azure AD Identity Platform, our documentation describes it as follows:

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration lets you securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don’t have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company’s resources.

As powerful as it is, the more important it is to control it.

In order to control it we should think about the following points

1. A controlled way for external users to get initial access to the tenant (invitations)
2. Ensure that external users have only the access they need to be productive during their lifetime, this means that permissions no longer needed should be removed
3. A controlled way how external users leave the tenant
4. Clean up or involve existing external users in the intended governance process

Control possibilities

First of all, we need to understand which control options exist in order to be able to assess how these control options can help us with the above mentioned points.

The following control options and solutions are available.

External collaboration settings

In the Azure AD external collaboration settings you will find options that can be helpful in controlling the initial tenant access.

• Turn off invitations
• Limit invitations to admins users in the Guest Inviter role
• Enable invitations for members
• Enable invitations for guests

Furthermore, the rights of guests can be restricted in these settings.

Note: Make sure you understand the difference between external user and guest.

Service settings

Services that use the Azure AD Identity Stack can themselves provide settings that can restrict the access of external users and thus help to ensure that the external users do not have too many permissions.

I cannot and will not list here every service that has such control options. In the best case, such controls refer to data classification, for teams this is possible with sensitivity labels. Another good starting point is the Microsoft Teams guest access checklist.

If you consider further service settings to be very important, let me know and I will include them here.

Sign-in activity cleanup

The external collaboration settings mentioned above are completely open in the default settings of Azure AD, which means that many companies that have not thought about their B2B governance process are faced with a huge number of external users in their tenant, where responsibility and necessity is unclear.

These external users must either be included in the selected governance process or be initially cleaned up. For such an initial cleanup, the Azure AD Sign-in logs can be analyzed and, for example, external users who have not logged in during the last quarter can be removed from the tenant.

Ideally, the analysis can be performed with the company’s SIEM tool. With Microsoft native tools this can be done with Azure Monitor / Azure Log Analytics or Azure Sentinel using Kusto queries. 3rd party SIEMs are also natively supported: ArcSight, Splunk, SumoLogic

Alternatively, the sign-in logs can also be queried via PowerShell or Graph. You can also download the sign-in logs from the Azure Portal.

No matter which path is chosen, in the end you want to remove users who have not logged in for a longer period of time from the Tenant, e.g. via Remove-AzureADUser. You should be careful not to remove external users from the Tenant who have just been added to the Tenant and therefore do not appear in the sign-in logs.

Such a solution can be used for a one time cleanup or run on a regular basis. Azure Automation could be used to implement such a solution.

Unfortunately I do not have a solution where I am allowed to publish, if you know a public solution I can link it here.

Life-cycle management with a unique sponsor per external user

Here an internal employee takes over the responsibility for an external employee. For initial access to the tenant, the internal employee must request this for the external employee and, if necessary, provide additional information (for example, business justification).

There is no out-of-the-box solution with Azure AD, this process can be implemented with an on-premises identity management system such as Microsoft Identity Manager, but also a cloud native solution based on SharePoint lists and the Power Automate Platform would be conceivable. In addition, there are numerous 3rd party / partner solutions on the market that pursue this approach. Historically, companies are often familiar with this approach, as they often use it when creating accounts for external employees in their on-prem AD.

In this approach, B2B invitations for employees are often deactivated and the invitation is sent through a service account of the respective 3rd party solution. Depending on the 3rd party solution, additional approval processes / adjustments can be integrated.

Often such a solution also includes a regular review process in which the internal responsible person must confirm that the external employee still needs access.

Life-cycle management with a sponsor per partner organization with fallback

This approach is similar to the life-cycle management with a unique sponsor per external user, but here there is not one individual sponsor per external user but one sponsor per external partner or a general person responsible for the external users (e.g. a department for partner management).

The big difference: This solution can be implemented out-of-the-box [requires Azure AD Premium P2] with Azure AD Entitlement Management and the external user can start the process on it’s own.

For implementation details please take a look at my blog: Azure AD B2B life-cycle management with a sponsor per partner organization and fallback

This solution can cover the entire life-cycle of an external user, from the initial request, through renewal, to the final removal of the external user. However, only the external user themselves is regularly checked here, not their permissions.

Life-cycle management with a focus on external user access

This is probably the best solution, but for most companies it also has the highest entry threshold.

In this solution, the external user requests access to bundled permissions which are approved by a resource owner. As soon as the external user loses their last access, they are removed from the tenant.

This is also based on Azure AD Entitlement Management and is therefore available out-of-the-box in Azure AD, but for this companies have to structure their permissions in Access Packages and for IT departments this is only possible in cooperation with the business and can take a lot of time.

This solution can cover the entire life-cycle of an external user, from the initial request, through renewal, to the final removal of the external user. In addition, the permissions are also regularly checked here

Control comparison

Now that we are familiar with the most important control options we can compare them

We find that one control option alone cannot cover a complete governance process, even if few of them come very close.

Define your own governance strategy, every company is different.