Automate Cross Tenant Resource Access With Azure AD Entitlement Management

With the Azure AD Identity Governance feature “Entitle Management” it is easier to automate the access requests, set expiry dates, justify why a user needs access and get the load out of the IT admins.

Azure B2B collaboration is a hot topic these days and the end result should be stresses access from the end user’s end, however security is a concern and who gets the right access is a consideration.

The feature I’m testing today is not specifically related to internal users, but it will be helpful in managing Guest User access to resources.

What is Entitlement Management

As per the Microsoft Documentation, is Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.

Licensing Considerations

While this can be used to get the internal staff to request for access to different apps, SharePoint sites and Teams, I will be using this to support my scenario.

What questions this answers?

Automate Guest User creation – Currently, to provide someone external to the organization with Guest access, the account needs to be created in Azure AD.

Not all the users will get access, but only the external users who needs access

This can be automated with the Connected Organizations option in Entitlement Management.

Automatically added to the Groups and Teams in the other tenant without an invitation

Connected Organizations

Ideally this answers the relationship between Tenant A and Tenant B. This is the connection you need to setup in order an external party to access the resources under the Entitlement Management policies

Catalog

The Catalog will contain the access package that required by the end user (internal or external). It can be SharePoint Sites, Teams or Apps.

Lets test this out

Scenario: Tenant A, Tenant B. Both of the tenants are under the same company, but because of the nature of the business, the tenants can’t be consolidated.

Users from Tenant B, needs to access the resources in Tenant A

  1. Create a Connected Organization

Go to https://aad.portal.azure.com/ > Azure Active Directory > Identity Governance > Entitlement Management > Connected Organizations > Add Connected Organization

Add the directory

Skip the sponsors if you not adding any in the next screen

Review and Create

2. Next, lets create the Access Package

Go to https://aad.portal.azure.com> Azure Active Directory > Identity Governance > Entitlement Management

Select Access Packages > New Access Package

Create the Catalog

Click on the “Create new catalog” link and complete the form.

Add the resources as shown in the below screenshot and select the roles for each resource

Click Next: Requests to go forward in the wizard

This is where you make sure the access package is assigned to the relevant connected organization

Select Add Directores and add the Tenant that was connected previously

For the automation to work, set the below settings to NO and move to the next step

This step is purely to collect information about the requestor and can be skipped if not required

The next step is important and can be setup according to your requirement

Access Reviews can be done periodically if needed. This will be another major topic in Identity Governance and will be discussed separately.

Press Review + Create once all done.

Note down the URL in the Access Package. This will be the URL that the users from the other tenant need to request access.

This can be found in the Overview section of the Access Package.

https://myaccess.microsoft.com/@xxxxx.onmicrosoft.com#/access-packages/4aswscd-edf5-4b7e-1119-4f0096uwhsdf

User from the Tenant B – demouser@xxxxxx.com

Login to Tenant B office.com with the demouser@xxxxxx.com account as usual

Since the user from Tenant B needs to access the resources from Tenant A, advise the user to open the above link from their account.

They will see the below package that setup earlier.

Click on Request Access option

Complete the below form. Press Submit.

The progress of receiving access if you click on the Details link

The same can be checked from the Admin end

Notice the Demo User from Tenant B will be created in the Tenant A’s Azure AD and the Invitation Accepted is still NO

Demo user will receive the Consent Accept/ Decline option when they trying to access the Tenant A resources and that completed the user creation flow

Look at their Teams! The user’s Teams is already set to go for Tenant B

When switched to Tenant B, the Team that the Demo User is a member or will be there

The access package is now completed and as as you can see, the Guest user’s access has been fulfilled.

image credits: Invitation vector created by stories – www.freepik.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.