Manage application permissions for your B2B users

It is difficult for an IT department to manage B2B users' access to corporate data. The IT department usually does not know which partner companies need access to which of the organization's resources, nor which individual people need access to a specific application. This article describes how to create access packages for B2B users and how those B2B users can request access. This functionality is called Azure AD Entitlement Management.

Create a connected organization

Browse to the Azure AD portal and click Azure Active Directory -> Identity Governance. On the Identity Governance page you can add a connected organization: click Add connected organization.

Fill in the name of the organization and a description.

You need to add that specific customer's domain. Type in the customer's domain name, for example the domain of their e-mail address. Currently (at the time this article was written) you can add only one Azure AD directory or domain per connected organization.

Select the sponsors of the organization. Sponsors can be internal or external. Internal sponsors are users in your own directory, for example someone who knows the connected organization well or who is the contact person for that organization. External sponsors are people from the connected organization, for example a team lead there; such a user must already exist in your Azure Active Directory as a guest user. I have chosen an internal sponsor.

Create an Access package

The next step is to create an access package for that specific organization. Browse again to the Identity Governance page and create a new access package.

Give your package a name and a description, and leave the catalog at its default. You can also create a catalog, for example for the Marketing department; a catalog can then contain multiple access packages. For example, a user in the Marketing department does not need permissions to every marketing application, so you create a catalog with several access packages.

On the Resource roles tab you define which applications, groups, Teams and SharePoint sites are part of the access package. When a user's request for the access package is granted, they receive permissions to those resources.

As we are talking about B2B users, we need to select the option that this is an access package for users who are not in our directory, and select the connected organization we created previously. Approval is required when a user requests the package; the approvers are the sponsors of the connected organization plus two backup users. The requestor needs to write down why they need access to that package. The approver also needs to give a justification and needs to respond within 14 days. The option Enable new requests and assignments activates the package immediately.

We also need to define an expiration time for the package. I have chosen 60 days; you can also let a package assignment expire on a specific date or never expire. I have also created an access review: every month the members of the access package receive an email asking whether they still need access to the resources in the package.
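The portal settings above (external-only scope, approval by sponsors with backup approvers, a 14-day response deadline, a 60-day assignment lifetime and a monthly access review) are the controls that keep B2B access from silently accumulating. The following added example, which is not code from the article or from Microsoft, audits a list of assignment policies for exactly those controls. The policy objects are constructed samples modelled on the Microsoft Graph v1.0 accessPackageAssignmentPolicy shape; the field names and the allowedTargetScope values are assumptions that should be verified against the current Graph reference before running this over real exported policies, and the ids are placeholders.

```python
"""Audit entitlement-management assignment policies that admit external (B2B) users.

Added example, not the article's code. Policy dictionaries are constructed samples
modelled on the Graph v1.0 accessPackageAssignmentPolicy shape (assumed field names).
"""
import re
from typing import Dict, List

# allowedTargetScope values that admit users from outside the directory (assumed).
EXTERNAL_SCOPES = {
    "specificConnectedOrganizationUsers",
    "allConfiguredConnectedOrganizationUsers",
    "allExternalUsers",
}

_DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$")


def iso_duration_days(value: str) -> int:
    """Approximate a date-only ISO 8601 duration (e.g. 'P60D', 'P2W') in days."""
    m = _DURATION_RE.match(value)
    if not m or value == "P":
        raise ValueError(f"unsupported duration: {value!r}")
    years, months, weeks, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + weeks * 7 + days


def audit_policy(policy: Dict, max_days: int = 60) -> List[str]:
    """Return findings for one policy; max_days mirrors the article's 60-day lifetime."""
    findings: List[str] = []
    if policy.get("allowedTargetScope") not in EXTERNAL_SCOPES:
        return findings  # internal-only policy: not in scope for this check
    name = policy.get("displayName", "<unnamed policy>")

    expiration = policy.get("expiration") or {}
    exp_type = expiration.get("type", "notSpecified")
    if exp_type in ("notSpecified", "noExpiration"):
        findings.append(f"{name}: external assignments never expire")
    elif exp_type == "afterDuration":
        days = iso_duration_days(expiration["duration"])
        if days > max_days:
            findings.append(f"{name}: assignments last {days} days (> {max_days})")

    approval = policy.get("requestApprovalSettings") or {}
    if not approval.get("isApprovalRequiredForAdd"):
        findings.append(f"{name}: external requests are granted without approval")
    for i, stage in enumerate(approval.get("stages") or [], start=1):
        if not stage.get("primaryApprovers"):
            findings.append(f"{name}: stage {i} has no primary approver")
        if not stage.get("fallbackPrimaryApprovers"):
            findings.append(f"{name}: stage {i} has no backup approver (stalls if the sponsor is missing)")
        if not stage.get("durationBeforeAutomaticDenial"):
            findings.append(f"{name}: stage {i} has no response deadline")
        if not stage.get("isApproverJustificationRequired"):
            findings.append(f"{name}: stage {i} does not require approver justification")

    if not (policy.get("reviewSettings") or {}).get("isEnabled"):
        findings.append(f"{name}: no recurring access review")
    return findings


def audit_policies(policies: List[Dict]) -> Dict[str, List[str]]:
    """Audit many policies; only policies with findings appear in the result."""
    return {p.get("displayName", "<unnamed policy>"): f
            for p in policies if (f := audit_policy(p))}


# Constructed sample: the policy as configured in the article (placeholder ids).
ARTICLE_POLICY = {
    "displayName": "delaware package - external users",
    "allowedTargetScope": "specificConnectedOrganizationUsers",
    "expiration": {"type": "afterDuration", "duration": "P60D"},
    "requestApprovalSettings": {
        "isApprovalRequiredForAdd": True,
        "stages": [{
            "durationBeforeAutomaticDenial": "P14D",
            "isApproverJustificationRequired": True,
            "primaryApprovers": [{"@odata.type": "#microsoft.graph.internalSponsors"}],
            "fallbackPrimaryApprovers": [
                {"@odata.type": "#microsoft.graph.singleUser", "userId": "<backup-approver-1-id>"},
                {"@odata.type": "#microsoft.graph.singleUser", "userId": "<backup-approver-2-id>"},
            ],
        }],
    },
    "reviewSettings": {"isEnabled": True,
                       "schedule": {"recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 1}}}},
}
# Constructed sample: open to every external user, no approval, no expiry, no review.
WEAK_POLICY = {
    "displayName": "all-externals-open",
    "allowedTargetScope": "allExternalUsers",
    "expiration": {"type": "noExpiration"},
    "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
    "reviewSettings": {"isEnabled": False},
}
# Constructed sample: sponsor approval only, no backups, no deadline, long lifetime.
SPONSOR_ONLY_POLICY = {
    "displayName": "sponsor-only",
    "allowedTargetScope": "specificConnectedOrganizationUsers",
    "expiration": {"type": "afterDuration", "duration": "P180D"},
    "requestApprovalSettings": {
        "isApprovalRequiredForAdd": True,
        "stages": [{"primaryApprovers": [{"@odata.type": "#microsoft.graph.internalSponsors"}]}],
    },
    "reviewSettings": {"isEnabled": True},
}
# Constructed sample: internal users only, skipped by the audit.
INTERNAL_POLICY = {"displayName": "members-only", "allowedTargetScope": "allMemberUsers"}

if __name__ == "__main__":
    for name, findings in audit_policies(
            [ARTICLE_POLICY, WEAK_POLICY, SPONSOR_ONLY_POLICY, INTERNAL_POLICY]).items():
        print(name, *findings, sep="\n  ")
```

The article's configuration produces no findings, while the two weaker samples show the gaps an auditor would want surfaced: a policy that lets external users in without approval or expiry, and one whose single approval stage stalls indefinitely if the sponsor leaves, because no backup approver and no automatic-denial deadline are set.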

End-user experience

We have created an Azure B2B user that belongs to the connected organization. Remember that we added the domain name to the connected organization, so new guest users with that domain are automatically attached to that connected organization.

This guest user receives an email saying that they have been added to the directory of O365 test. The user needs to accept the invitation and consent to the permissions on their account.

When the user browses to http://myaccess.microsoft.com/ and selects the correct organization in the upper right corner, they can see the access package we created earlier.

When requesting access, the user needs to give a business justification.

As an administrator you can now see that the guest user “Blommaert, Jordy” has requested access to the “delaware package”.

The internal sponsor also receives an email that “Blommaert, Jordy” requested access to the “delaware package”. When the sponsor clicks Approve or Deny request, they are redirected to the My Access page, where they approve or deny the request.

That user now has access to the Teams of “External Organization delaware”.

Published by jordyblommaert
