Score:0

Best practice for adding contract companies as AAD guests


Our small business has an Azure Active Directory "Azure AD for Office 365" subscription. Recently, we've started hiring outside companies to do product development. For now, this involves adding a very small number of people from each company to our Azure AD to allow them access to our resources.

When we start doing business with a company and their employees, I add their employees to our Azure AD and manually edit their profiles to specify their company name. That way, when we stop doing business with that company, I can filter my member list by their company name and remove them.

My question is: How do people who know what they are doing deal with this sort of thing (the ability to remove all members of a group from AAD when you stop doing business with that group)? Is there some automation available in Azure AD at my subscription level?
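As an added example, not code from the question or from any answer below: the manual process described above (tag each guest with the contracting company's name, then find and remove them all when the engagement ends) scripted with the Microsoft Graph PowerShell SDK, which does not need an Azure AD Premium licence. The company name and the optional per-vendor security group are placeholders; tagging guests by group membership is an assumption about an alternative to the CompanyName field, not something the question describes.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups
# Added example: offboard every guest account that belongs to one contract company.
# Assumes the Microsoft.Graph module is installed and the caller can delete users.
# Company and group names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $CompanyName,   # e.g. 'Contoso Consulting' (placeholder)
    [string] $VendorGroupName,                       # optional, e.g. 'Vendor-Contoso-Guests' (placeholder)
    [switch] $Commit                                 # without -Commit the script only reports
)

# Least privilege: read users and groups, write only to users (needed for deletion).
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.Read.All' -NoWelcome

# 1. Guests tagged via the CompanyName attribute, as the question describes.
#    userType is filtered server-side; CompanyName is compared client-side so the
#    match is case-insensitive and needs no extra query headers.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, Mail, CompanyName, UserType |
    Where-Object { $_.CompanyName -eq $CompanyName }

# 2. Optionally add members of a per-vendor security group. Still restricted to
#    userType Guest, so an employee mistakenly put in the group is never deleted.
if ($VendorGroupName) {
    $group = Get-MgGroup -Filter "displayName eq '$VendorGroupName'"
    if ($group) {
        $memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
        $fromGroup = foreach ($id in $memberIds) {
            # Non-user members (nested groups, service principals) are skipped.
            $u = Get-MgUser -UserId $id -ErrorAction SilentlyContinue `
                -Property Id, DisplayName, UserPrincipalName, Mail, CompanyName, UserType
            if ($u -and $u.UserType -eq 'Guest') { $u }
        }
        $guests = @($guests) + @($fromGroup) | Sort-Object Id -Unique
    }
}

if (-not $guests) {
    Write-Host "No guest accounts found for '$CompanyName'."
    return
}

# Always show what is about to happen before touching the directory.
$guests | Select-Object DisplayName, UserPrincipalName, Mail, CompanyName | Format-Table -AutoSize

if (-not $Commit) {
    Write-Host "Dry run: $(@($guests).Count) guest(s) would be removed. Re-run with -Commit to delete."
    return
}

foreach ($g in $guests) {
    # Remove-MgUser soft-deletes: the object stays in the tenant's deleted items
    # for 30 days and can be restored with Restore-MgDirectoryDeletedItem.
    Remove-MgUser -UserId $g.Id
    Write-Host "Removed guest $($g.UserPrincipalName)"
}
```

Run it first without -Commit to review the list; the dry run is the check that a typo in the company name is not about to delete the wrong people. The group-based variant is more robust than the free-text CompanyName field, because membership is set once at invitation time and cannot drift through later profile edits.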

Score:0

You're doing it wrong.

Azure already provides a good set of tools that you can use to govern and manage access to resources, even for Guest/B2B accounts. Don't leave things to chance or depend on people's memory to do the right thing; automate, and use processes and flows that are already available.

Start by doing more reading about the available tools in Azure, here are a few links to get you started:

What is Azure AD entitlement management?: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

And

What are Azure AD access reviews?: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Edit:

This too: Govern access for external users in Azure AD entitlement management: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users

Bob.at.Indigo.Health
LOL. Just learning about the tools before I can start using them effectively is turning into a full-time job. I can only hope that by spending the time to figure this out and implement it correctly, the automation will save me time and grief in the future.
Bob.at.Indigo.Health
Ok, this doesn't actually help me. Requires Azure AD Premium P2 or Enterprise Mobility + Security (EMS) E5 license. Apparently, that's an upgrade from my existing "Azure AD for Office 365" license. What other options do I have at this subscription level?
Noor Khaldi
I mean, you asked for the best practices. Anything else would be more of a best-effort approach you need to come up with depending on your own needs. I'd suggest going over the FAQ page for more details; hopefully this will give you ideas on what more you can do: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/faq
Bob.at.Indigo.Health
Fair enough. I guess "best practice" starts with paying for the higher subscription level.