This blog is a transcript from The Practical 365 Podcast Special Guest episode hosted by MVPs Sigi Jagott & Dominik Hoefling.
They are discussing Dominik's downloadable guide "How to manage guest access in Azure Active Directory", which you can download here.
Dominik: Sigi, thanks for having me today, my name is Dominik Hoefling. I’m working as a Consultant for Atwork and I’ve been an MVP since 2018. My daily work covers Exchange, Exchange Hybrid deployments, identity, and identity security.
Sigi: So Dominik, the reason we’re here together is to talk about your recent blog post, Azure AD Access Reviews and how to manage guest access in Azure Active Directory. So, what are guest accounts then and when should we use them?
Dominik: Absolutely Sigi, so Azure B2B, business to business, enables collaboration across organization boundaries. As an example, guest users from other tenants can be added through Office 365 applications like Microsoft Teams, Planner and Office 365 groups, or they can be invited by Administrators.
Sigi: So normal users can add guests, correct?
Dominik: If their administrator allows them to, of course; it's a tenant-wide, organization-wide setting. Every user can add guest users into your team or to your group to work together.
Sigi: Yeah, that's a great feature we are always using here (Atwork), as well as at Practical 365. So why is it important to manage guest accounts in your tenant as an administrator?
Dominik: So depending on your configuration and the number of applications, Teams or Groups within your tenant, guest users are likely to continue increasing as contractors or third parties are brought into your tenant, so it's important that this is monitored regularly. For example, if the project is finished or the external employees have done all their tasks, you should do a clean-up to secure the other data and keep your tenant clean.
Sigi: But I guess that's a big task for an administrator because we as the IT Pros don’t see the projects. So I guess it’s hard for users to do this, so what features do we have in Azure AD to manage guest accounts?
Dominik: Yes. So it's really, really hard. You can imagine if you have one hundred projects for an enterprise or big organization, there could be 4 or 5,000 guest accounts per tenant. It's really hard to do a clean-up if you don't know who needs access or whether the access has already expired or whatever, so we have two features in Azure AD to get rid of expired guest users, and the first one is Azure AD Access Reviews.
Sigi: So what's that?
Dominik: Azure AD Access Reviews are not only for managing guest users; they enable organizations to manage group memberships, review access to your cloud and on-premises applications, and Azure role assignments. For example, you can define a specific time frame that your guest users can access your organizational resources, or whether the access must be reviewed again, and whether an approval is required to add specific guest users to your applications like Teams or SharePoint Online or Planner.
Sigi: So does this mean basically you specify, like, half a year a guest account can access the resources in your organization and after that they are removed? Or they are disabled, or the access is removed? Is this how it works?
Dominik: Yes, right, you can define a specific timeframe like 3 months or 6 months and then the access has to be reviewed again by an administrator or your project manager who manages this project.
Sigi: That's cool, so it's more like a lifecycle implementation for your guest accounts, wow. But there's a second option that you mentioned?
Dominik: So yes, the second option is Azure AD Entitlement Management, which was announced at Ignite last year. As you can imagine, users need access to various groups, applications and sites to perform their daily tasks within your tenant, especially new users in your organization. This gets more and more complicated when you collaborate with outside organisations. You may not know who needs access to the organization's resources, and the guest users or partners won’t know what applications, groups or sites your organization is using.
Sigi: That sounds really tricky.
Dominik: Yes, it’s really tricky, especially for large organizations, and to solve this issue Entitlement Management enables organizations to manage identity and access lifecycle at scale by automating request workflows, access assignments, reviews and expiration. On top of that, it can be combined with Azure AD Access Reviews as well.
Sigi: So it's a combination of both that you need in order to have a full solution for guest management. Correct?
Dominik: Yes, correct. It’s not needed in particular, but if you combine them you have a lot more features for your workflow.
Dominik: So the building block of Entitlement Management is an access package. It's a set of permissions or rules on given resources, and policies that control how access will be granted. The policy describes who can request access, who is responsible for approving it, and whether access to the given resources expires and when. This set of resources is available for role assignments in the form of a catalogue. A catalogue can contain multiple access packages, and you can have multiple catalogues in your organization.
Sigi: Wow, okay, so let’s talk about some real-world examples. Do we have some real-world examples of when you should use Azure AD Access Reviews or Azure AD Entitlement Management, Dominik?
Dominik: Yes, so for Access Reviews, imagine your organization wants to monitor guest users after a certain amount of time for your projects and external partners and members. So you should, or you can, enable the access reviews to monitor these guest users within your tenant, and you can see if this external guest user hasn't logged in to your tenant within a specific time frame. You can send an email to these guest users: “Hey, do you need longer access to this resource or can we remove the access?” Or the owner of a team or an administrator can remove the access as well.
So, for Entitlement Management the best example we are using with our customers is if you have new employees, or employees are switching within the organisation so there are new roles. We define Entitlement Management access resources, so imagine a new sales employee joins your organization. This salesperson needs access to maybe the sales team SharePoint site and the sales Planner.
Sigi: So that's automatically done once you use this feature, correct? It's like copying a user in Active Directory, and you get the same permissions as the user you copied?
Sigi: Basically, it's a similar thought here that you just match permissions or access rights of users and provide them with the necessary access to any resources they need, correct?
Dominik: Absolutely, access to any resources they need for applications or group memberships, Teams or Planner, whatever; it's based on the complete Office 365 suite.
Sigi: Yeah, I guess that helps a lot of Administrators. But I also assume that there are some specific license requirements for using Access Reviews and Entitlement Management?
Dominik: That's right, yes, so both features are only available with Azure AD Premium P2 licenses.
Sigi: Oh, okay, so that’s a big requirement, yeah? So if you don’t have P2 licenses or E5, is there a way around it to even be able to review your guest access?
Dominik: Yes, so it's always a good approach to use PowerShell as well. With PowerShell you can really enumerate and review a lot of things in your tenant for free. And Tony Redmond did write a script to highlight stale guest users and their group memberships with PowerShell.
Sigi: So you can get it from Tony's website? Yeah, Tony will be cheering about that, because when I mentioned his script, he said now he’s famous in the podcast. Yeah, so excellent, thanks Dominik for this information. Yeah, so I guess for everybody who wants to read your in-detail blog article, they can find the correct link in this post.
If you'd like to read MVP Dominik Hoefling's "How to Manage Guest Access in Azure Active Directory" article, you can download it here.
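As an added example (not Tony Redmond's script and not part of the podcast), the kind of free PowerShell review Dominik describes can be done with the AzureAD module: list every guest account, its creation date and group memberships, and flag accounts that are older than a threshold with no group membership or that never accepted their invitation. The 180-day threshold, the output path and the use of the AzureAD module rather than Microsoft Graph are assumptions; an existing Connect-AzureAD session with rights to read users and memberships is required.

```powershell
# Added example, not from the podcast or Tony Redmond's script.
# Assumes the AzureAD module and an existing Connect-AzureAD session
# with rights to read users and group memberships (e.g. Global Reader).
param(
    [int]$StaleAfterDays = 180   # assumed threshold; align with your review cycle
)

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# All guest (B2B) users in the tenant
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'"

$report = foreach ($g in $guests) {
    # createdDateTime is exposed via ExtensionProperty in the AzureAD module
    $created = $null
    if ($g.ExtensionProperty.ContainsKey('createdDateTime')) {
        $created = [datetime]$g.ExtensionProperty['createdDateTime']
    }

    # Groups/Teams the guest belongs to (group objects only)
    $groups = @(Get-AzureADUserMembership -ObjectId $g.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' })

    $ageDays = if ($created) { [int]((Get-Date) - $created).TotalDays } else { $null }

    [pscustomobject]@{
        DisplayName     = $g.DisplayName
        Mail            = $g.Mail
        UserState       = $g.UserState          # 'Accepted' or 'PendingAcceptance'
        Created         = $created
        AgeDays         = $ageDays
        GroupCount      = $groups.Count
        Groups          = ($groups.DisplayName -join '; ')
        # Candidate for review: older than the threshold and in no groups,
        # or an invitation that was never redeemed
        ReviewCandidate = (($created -and $created -lt $cutoff -and $groups.Count -eq 0) -or
                           $g.UserState -eq 'PendingAcceptance')
    }
}

# Full inventory for the project owners, plus the candidates on screen
$report | Sort-Object AgeDays -Descending |
    Export-Csv -Path .\GuestReview.csv -NoTypeInformation
$report | Where-Object ReviewCandidate |
    Format-Table DisplayName, Mail, UserState, AgeDays, GroupCount -AutoSize
```

The flagged accounts are a starting list for the owner or administrator to confirm before anything is removed; the CSV keeps the membership context the decision needs.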