Best practice for adding contract companies as AAD guests

Bob.at.Indigo.Health

10/13/22, 8:09 PM

Our small business has an Azure Active Directory "Azure AD for Office 365" subscription. Recently, we've started hiring outside companies to do product development. For now, this involves adding a very small number of people from each company to our Azure AD to allow them access to our resources.

When we start doing business with a company and their employees, I add their employees to our Azure AD and manually edit their profiles to specify their company name. That way, when we stop doing business with that company, I can filter my member list by their company name and remove them.

My question is: How do people who know what they are doing deal with this sort of thing (the ability to remove all members of a group from AAD when you stop doing business with that group)? Is there some automation available in Azure AD at my subscription level?

1 + 0

azure-active-directory

Score:0

Server

Noor Khaldi

10/14/22, 12:43 PM

You're doing it wrong.

Azure already provides a good set of tools that you can use to govern and manage access to resources, even for Guest/B2B accounts, don't leave things to chance or depends on peoples memory to do the right thing, automate and use processes and flows that are already available.

Start by doing more reading about the available tools in Azure, here are a few links to get you started:

What is Azure AD entitlement management?: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

And

What are Azure AD access reviews?: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Edit:

This too: Govern access for external users in Azure AD entitlement management: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users

0 + 4

Bob.at.Indigo.Health

10/14/22, 7:01 PM

LOL. Just learning about the tools before I can start using them effectively is turning into a full-time job. I can only hope that by spending the time to figure this out and implement it correctly, the automation will save me time and grief in the future.

Bob.at.Indigo.Health

10/14/22, 8:38 PM

Ok, this doesn't actually help me. Requires Azure AD Premium P2 or Enterprise Mobility + Security (EMS) E5 license. Apparently, that's an upgrade from my existing "Azure AD for Office 365" license. What other options do I have at this subscription level?

Noor Khaldi

10/15/22, 7:00 PM

I mean, you asked for the best practices. Anything else would be more of a best effort approach you need to come up with depends on your own needs, I'd suggest to go over the FAQ page for more details, hopefully this will give you ideas on what more you can do: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/faq

Bob.at.Indigo.Health

10/16/22, 8:26 PM

Fair enough. I guess "best practice" starts with paying for the higher subscription level.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Best practice for adding contract companies as AAD guests

TH: แนวปฏิบัติที่ดีที่สุดสำหรับการเพิ่มบริษัทที่ทำสัญญาเป็นแขกของ AAD

RO: Cele mai bune practici pentru adăugarea companiilor contractuale ca invitați AAD

VI: Phương pháp hay nhất để thêm các công ty hợp đồng làm khách của AAD

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.