Tutorial / Cram Notes
External identities in Azure AD refer to user accounts that belong to individuals outside of your organization. These external users can be collaborators from other Azure AD organizations (B2B) or users with Microsoft Accounts (MSA), Google IDs, or other identity providers configured through Azure AD B2C.
Inviting and Adding External Users
- Azure Portal: Admins can invite users directly via the Azure portal. You navigate to ‘Azure Active Directory’ > ‘Users’ > ‘New guest user’.
- PowerShell: This can also be done using PowerShell cmdlets, such as New-AzureADMSInvitation.
- Email Invitation: Upon invitation, external users receive an email with a link to accept the invitation.
- Direct Add: Alternatively, you can directly add external users if they are from another Azure AD organization with a trusted relationship.
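The PowerShell route above, as an added example that is not from the original notes: it invites a small constructed list of partner addresses with New-AzureADMSInvitation, attaches a custom message, and skips anyone who already exists as a guest so a second invitation is not sent. The partner addresses, display names and redirect URL are placeholders.

```powershell
# Added example (not from the original page): bulk-invite external users with
# the AzureAD module. Addresses, display names and the redirect URL are placeholders.
Connect-AzureAD   # sign in as a user holding the Guest Inviter role or higher

# Constructed sample input; in practice this would come from a CSV or a request system.
$invitees = @(
    @{ Email = 'alice@partner.example'; DisplayName = 'Alice (Partner)' },
    @{ Email = 'bob@vendor.example';    DisplayName = 'Bob (Vendor)' }
)

# Optional custom text shown in the invitation e-mail.
$messageInfo = New-Object Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$messageInfo.CustomizedMessageBody = 'You have been invited to collaborate on the partner portal.'

foreach ($person in $invitees) {
    # Guest accounts keep the invited address in the mail attribute, so a lookup
    # on it avoids inviting the same person twice.
    $existing = Get-AzureADUser -Filter "mail eq '$($person.Email)'"
    if ($existing) {
        Write-Host "Skipping $($person.Email): already present as $($existing.UserPrincipalName)"
        continue
    }

    $invitation = New-AzureADMSInvitation `
        -InvitedUserEmailAddress $person.Email `
        -InvitedUserDisplayName  $person.DisplayName `
        -InviteRedirectUrl       'https://myapps.microsoft.com' `
        -InvitedUserMessageInfo  $messageInfo `
        -SendInvitationMessage   $true

    # The returned object carries the new guest's object id and the invitation status
    # (PendingAcceptance until the user redeems the link).
    Write-Host ("Invited {0} -> objectId {1}, status {2}" -f `
        $person.Email, $invitation.InvitedUser.Id, $invitation.Status)
}
```

The AzureAD module is being retired in favour of Microsoft Graph PowerShell; the equivalent cmdlet there is New-MgInvitation with the same InvitedUserEmailAddress, InviteRedirectUrl and SendInvitationMessage parameters.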
Governing External Access
- Conditional Access Policies: Apply conditional access policies to guest users to enforce multi-factor authentication (MFA) or other condition-based access requirements.
- Access Reviews: Conduct access reviews periodically to ensure that external users still require access to your organization’s resources.
- Entitlement Management: Use Azure AD’s entitlement management to manage access packages that provision access for external users to specific groups, applications, and SharePoint sites.
Managing User Roles and Permissions
- Assign roles and access permissions to external users based on the principle of least privilege, ensuring they have the minimum level of access needed to perform their duties.
- Leverage built-in roles such as ‘Guest inviter’ to allow certain employees to invite external users without granting full administrative privileges.
Monitoring External User Activity
- Audit Logs: Regularly audit external user sign-ins and access to resources using Azure AD’s sign-in and audit logs to monitor user activity.
- Compliance Reports: Generate compliance reports to ensure external access aligns with regulatory and organizational security policies.
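The audit-log bullet above turned into a repeatable check, as an added example that is not part of the original notes: it pulls the tenant's guest accounts and the last 30 days of sign-ins through Microsoft Graph PowerShell, summarises sign-ins, failures and distinct source IPs per guest, and lists guests with no sign-in in the window as candidates for an access review. It assumes an Azure AD Premium P1/P2 tenant (required for sign-in logs via Graph) and that the account running it can read audit logs.

```powershell
# Added example (not from the original page): per-guest sign-in summary and
# stale-guest list from the Azure AD sign-in logs via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.Read.All'

$windowDays = 30
$since = (Get-Date).ToUniversalTime().AddDays(-$windowDays)

# All guest accounts, keyed by object id.
$guests = @{}
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,DisplayName,Mail,UserPrincipalName |
    ForEach-Object { $guests[$_.Id] = $_ }

# Sign-ins in the window. Guests are identified by joining on userId against the
# directory rather than relying on a user-type field in the log entry.
$filter  = "createdDateTime ge $($since.ToString('yyyy-MM-ddTHH:mm:ssZ'))"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All |
    Where-Object { $guests.ContainsKey($_.UserId) }

# Per-guest summary: count, failed attempts (non-zero error code), distinct IPs and apps.
$summary = $signIns | Group-Object UserId | ForEach-Object {
    $g = $guests[$_.Name]
    [pscustomobject]@{
        Guest       = $g.Mail
        SignIns     = $_.Count
        Failures    = ($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
        DistinctIPs = ($_.Group | Select-Object -ExpandProperty IpAddress -Unique).Count
        Apps        = ($_.Group | Select-Object -ExpandProperty AppDisplayName -Unique) -join ', '
    }
}
$summary | Sort-Object Failures -Descending | Format-Table -AutoSize

# Guests with no sign-in at all in the window: review or remove.
$activeIds = $signIns | Select-Object -ExpandProperty UserId -Unique
$guests.Values | Where-Object { $activeIds -notcontains $_.Id } |
    Select-Object DisplayName, Mail, UserPrincipalName |
    Format-Table -AutoSize
```

A guest with many failures from many distinct IPs is worth a closer look in the full sign-in record; a guest with no activity for the whole window is exactly what the access-review bullet above is meant to catch.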
Example: Inviting an External User
Invitation Process via Azure Portal:
- Sign into the Azure portal as an administrator.
- Navigate to ‘Azure Active Directory’ > ‘Users’.
- Click ‘New guest user’.
- Provide the email address of the external user.
- Customize the invitation message if necessary.
- Click ‘Invite’.
Policies for Collaboration with External Users
It is essential to set policies for collaborating with external users:
- Establish clear guidelines on who can invite external users.
- Define what types of data and resources external users can access.
- Determine the lifecycle of external user accounts, including expiration of access.
Example: Conditional Access Policy for MFA
Policy Application for Guest Users:
- Go to ‘Azure Active Directory’ > ‘Security’ > ‘Conditional Access’.
- Create a new policy and name it (e.g., ‘MFA for Guest Users’).
- Under ‘Assignments’, select ‘Users and groups’ and include guest users.
- Under ‘Cloud apps or actions’, select the apps this policy will apply to.
- Under ‘Access controls’, select ‘Grant’ and then ‘Require multi-factor authentication’.
- Enable the policy and save.
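The same policy created from PowerShell instead of the portal, as an added example that is not from the original notes. It uses Microsoft Graph PowerShell and the Conditional Access policy schema: the built-in GuestsOrExternalUsers selector for the assignment, all cloud apps, and the MFA grant control. The policy is created in report-only state first so its effect can be checked in the sign-in logs before enforcement, and the emergency-access (break-glass) account object id is a placeholder you must replace.

```powershell
# Added example (not from the original page): create the 'MFA for Guest Users'
# Conditional Access policy via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account

$policy = @{
    displayName = 'MFA for Guest Users'
    # Report-only: evaluated and logged at sign-in, but nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            # Built-in selector covering B2B guests and external users.
            includeUsers = @('GuestsOrExternalUsers')
            # Exclude the emergency-access account so a misconfiguration cannot lock admins out.
            excludeUsers = @($breakGlassObjectId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# After reviewing the report-only results in the sign-in logs, switch it on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```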
Table: External User Permissions Comparison
| Feature | Azure AD B2B (Guest Users) | Azure AD B2C (Consumer Users) |
|---|---|---|
| Identity Source | Work, school, or social identities | Consumer identities |
| Invitation Process | Email invitation or direct add | Signup through user flows |
| Permissions Configuration | Azure AD & Application-specific permissions | Identity provider configurations |
| Governance | Access reviews and entitlement management | Customizable policies |
| Usage Scenarios | Collaboration with partners/vendors | Customer-facing applications |
| Conditional Access Policies | Available | Limited |
Conclusion
Managing external user accounts in Azure AD is crucial to maintaining organizational security. By effectively inviting, governing, and monitoring external users, organizations can ensure that their collaborations are secure and efficient. Implementing best practices, such as conditional access policies and access reviews, is necessary to handle external identities in a manner that protects the organization’s data while facilitating productivity. Exam SC-300 candidates must be familiar with these concepts and know how to apply them in Azure AD for comprehensive identity and access management.
Practice Test with Explanation
True or False: Guest users in Azure AD can be added by any user in the organization by default.
False
By default, only administrators can add guest users. The ability for all users to add guest users can be enabled by an administrator, but it is not the default setting.
Which Azure AD feature is specifically designed to manage external user accounts?
- A) Azure AD Connect
- B) Azure AD B2C
- C) Azure AD B2B
- D) Azure AD Privileged Identity Management
C) Azure AD B2B
Azure AD B2B (Business-to-Business) is designed to manage and collaborate with external user accounts safely and securely.
True or False: An external user invited to Azure AD will have the same privileges as a native user by default.
False
External users (guest users) have limited privileges by default, and their access is based on what has been explicitly granted.
Which authentication method cannot be used by B2B guest users in Azure AD by default?
- A) Azure AD credentials
- B) Google IDs
- C) External organization’s federated login
- D) Microsoft Account (MSA)
C) External organization’s federated login
By default, Azure AD does not automatically support federated logins from external organizations for B2B guest users, unless the feature is specifically configured.
True or False: You can enforce Multi-Factor Authentication (MFA) on external users in Azure AD.
True
You can enforce Multi-Factor Authentication on external users to increase security for your organization’s resources.
True or False: Licensing requirements for guest users in Azure AD are the same as for full, licensed users within the tenant.
False
Guest users do not consume a full Azure AD license and are granted access to resources in a different manner compared to full, licensed users.
How many B2B collaboration user invitations can a single Azure AD admin send without requiring additional licenses?
- A) Up to 5 guest users per licensed user
- B) Unlimited guest users
- C) Up to 50 guest users per licensed user
- D) None, guest user invitations always require additional licenses
C) Up to 50 guest users per licensed user
Each Azure AD license allows an admin to invite up to 50 guest users (the 5:1 ratio), meaning you can invite 5 guest users for each license that you own.
True or False: Guest users must always be part of an email domain that is verified in the host Azure AD tenant.
False
Guest users can be invited using any email address, including consumer email services. They do not need to belong to a verified domain.
Which of the following options is NOT a step in the Azure AD B2B collaboration user invitation process?
- A) Redemption through a direct URL
- B) Invitation through the Azure portal
- C) Pre-approval by Azure AD Identity Protection
- D) Invitation via PowerShell
C) Pre-approval by Azure AD Identity Protection
Azure AD Identity Protection does not pre-approve B2B collaboration invitations. It provides risk-based conditional access to protect Azure AD.
True or False: External users invited to the Azure AD tenant can be assigned to Azure AD roles.
True
External users, once they have redeemed their invitations and become guest users, can be assigned to Azure AD roles based on the principle of least privilege.
Which of the following is NOT required for a guest user to accept an invitation to an Azure AD tenant?
- A) An Azure subscription
- B) A Microsoft account or other supported email
- C) Invitation redemption process
- D) Access to the email with the invitation link
A) An Azure subscription
Guest users do not require their own Azure subscription. They accept invitations through a supported account (Microsoft or otherwise) and need access to the invitation link, usually sent by email.
Interview Questions
What is SharePoint Online?
SharePoint Online is a cloud-based service that allows organizations to create and manage websites for collaboration and document management.
What is external sharing in SharePoint Online?
External sharing in SharePoint Online is the process of granting access to your organization’s SharePoint sites and documents to external users, such as partners, contractors, and vendors.
How can you grant external access to a SharePoint site or document?
To grant external access, go to the SharePoint site or document where you want to share files or folders and click on “Share.” Enter the external user’s email address and choose the appropriate permission level.
What is a permission level in SharePoint Online?
A permission level in SharePoint Online is a collection of permissions that define what a user can do in a SharePoint site or document.
How can you control access to a SharePoint site or document?
To control access, go to the site permissions page and click on “Advanced permissions settings.” From there, you can add or remove users, groups, or permissions levels.
How can you revoke external access to a SharePoint site or document?
To revoke access, go to the site permissions page and remove the external user’s access. You can also set an expiration date for external access.
What are the best practices for managing external user accounts in SharePoint Online?
The best practices for managing external user accounts in SharePoint Online include using secure sharing methods, controlling external user access, customizing the invitation message, monitoring external user access, setting expiration dates, and using granular permissions.
How can you monitor external user access in SharePoint Online?
You can monitor external user access using the SharePoint audit logs to track when external users access your organization’s resources.
What is Azure AD B2B?
Azure AD B2B (Business-to-Business) is a feature that enables organizations to collaborate securely with external partners, contractors, and vendors.
How can you use Azure AD B2B to control external user access to SharePoint Online?
You can use Azure AD B2B to control external user access to SharePoint Online by configuring policies that control which users can access SharePoint Online, and which SharePoint sites and documents they can access.
Can you set an expiration date for external access to SharePoint Online?
Yes, you can set an expiration date for external access to SharePoint Online to ensure that external users can only access your organization’s resources for a limited period.
How can you customize the invitation message when inviting external users to SharePoint Online?
You can customize the invitation message to help external users understand how to access your organization’s resources.
Can you control external user access to specific files or folders in SharePoint Online?
Yes, you can use granular permissions to control access to specific files or folders in SharePoint Online.
How can you ensure that external users have access only to the resources they need in SharePoint Online?
You can use granular permissions to ensure that external users have access only to the resources they need in SharePoint Online.
Can you use PowerShell to manage external user accounts in SharePoint Online?
Yes, you can use PowerShell to manage external user accounts in SharePoint Online.
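As an added example (not from the original notes), the expiration, revocation and monitoring tasks from the questions above expressed in the SharePoint Online Management Shell. The admin URL, site URL and external user address are placeholders.

```powershell
# Added example (not from the original page): SharePoint Online external-sharing
# governance with the SharePoint Online Management Shell. URLs and the address are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Tenant-wide: make external user access expire automatically after 60 days.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# Per site: allow sharing only with authenticated external users (no anonymous links).
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/PartnerProject' `
    -SharingCapability ExternalUserSharingOnly

# Monitoring: page through every external user known to the tenant (page size is capped at 50).
$position = 0
$pageSize = 50
$externalUsers = @()
do {
    $page = Get-SPOExternalUser -Position $position -PageSize $pageSize
    $externalUsers += $page
    $position += $pageSize
} while ($page.Count -eq $pageSize)
$externalUsers | Select-Object DisplayName, Email, AcceptedAs, WhenCreated | Format-Table -AutoSize

# Revocation: remove one external user from the tenant by unique id.
$toRemove = $externalUsers | Where-Object { $_.Email -eq 'alice@partner.example' }
if ($toRemove) {
    Remove-SPOExternalUser -UniqueIDs @($toRemove.UniqueId)
}
```

Removing the external user from SharePoint revokes the sharing-based access; the corresponding guest object in Azure AD, if one exists, is governed separately through the B2B controls described earlier on this page.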
Great blog post on managing external user accounts in Azure AD. Exactly what I needed!
I found the section on B2B collaboration particularly useful. Can someone elaborate on the Guest user invitation process?
Sure! For B2B collaboration, you can invite guests to your directory by sending email invitations. This can be done manually or automated using PowerShell scripts or Graph API.
For the SC-300 exam, how deep do we need to go into managing external identities?
You should have a good understanding of both B2B and B2C scenarios, including configuring policies, managing guest access, and handling user lifecycle management.
Anyone have tips for setting up Conditional Access policies for external users?
Yes, start by creating a new Conditional Access policy specifically for guest users. Use the ‘Users and groups’ assignment to target external users. Configure conditions like location and device compliance to ensure security.
How are external users billed in Azure AD?
External users are generally free, but they are subject to the limitations of your Azure AD licensing. Premium features may incur charges if leveraged by external accounts.
Can external users reset their own passwords?
Yes, if self-service password reset (SSPR) is enabled for guest users, they can reset their own passwords just like internal users.
Appreciate the detailed guide!
Is it possible to use MFA for external users?
Absolutely! You can enforce MFA on external users through Conditional Access policies or by configuring MFA directly.