There's no question that the ability to work seamlessly with other businesses - including partners, contractors, and vendors - is essential to an organization's success. Collaborating with outside users delivers proven business benefits, including improved productivity, agility, and visibility. But it also requires shared access to critical on-premises, mobile, web, and cloud applications, as well as files and other network resources - which is not without its challenges. Microsoft's intent for Azure AD is to be the connecting fabric that brings these disparate systems together in a seamless, secure way that does not hinder the way employees collaborate. Azure AD is a modern identity management system that spans cloud and on-premises environments, providing identity management, device registration, user provisioning, application access control, and data security.
How Azure AD Enables Secure B2B Collaboration
Centralized User Database
Because external users and their devices are not "members" of the host organization, they are not part of the central user database. As such, they are not identified in its directory service - the single shared information store from which IT manages users, devices, and other network objects. This shared store is also responsible for verifying visitor credentials and defining access rights to corporate resources. In the Microsoft Office Suite, Active Directory (AD) is responsible for managing on-premises resources, and Azure AD provides access and identity management for users of cloud-based applications.
External users pose a number of challenges when attempting to join these organizations. The ad hoc, time- and resource-intensive process of gaining approval, awaiting set-up, and managing external accounts carries increased security risk. There are also considerable maintenance concerns, such as tracking the title and employment status of users from external companies.
Some recommendations when inviting guest users to your database:
- Limit guest access to browsing groups and other properties in the directory
- Block access to employee-only apps; this can be done by creating a conditional access policy that blocks guest access to Azure AD integrated applications
- Block access to the Azure portal and make exceptions when necessary
- Create a conditional access policy that includes all guests and external users and then use policy to restrict access
One Secure Identity for All Applications
Balancing security with convenience is essential so that neither hinders productivity. With Azure AD Premium, external users sign in once with their Azure AD account information. From there, they gain authorized, role-based access to the host's on-premises and cloud resources. From an IT perspective, this single sign-on (SSO) capability eliminates the need to manage multiple user names and passwords across applications. Azure AD is pre-integrated with a thousand SaaS applications, including Salesforce, Dropbox, and ServiceNow, and allows for the addition of custom apps and self-service capabilities.
Sophisticated Identity Protection
The most recent Verizon Data Breach Investigations Report cites that 81% of hacking-related breaches leverage stolen and/or weak passwords. As attackers become more sophisticated, Azure AD Premium's Identity Protection helps organizations gain the upper hand through proactive account management. Organizations can configure risk-based policies that automatically block identities that appear to be compromised. Adaptive machine learning detects and reports behaviors that are suspicious (e.g., unauthorized or geographically inconsistent sign-ins), and automatically initiates policy-driven remediation including password resets and forced multi-factor authentication.
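The guest restrictions recommended above (blocking employee-only apps and the Azure portal, with exceptions where needed) and the risk-based policy described here are all expressed in Azure AD as Conditional Access policies, which can be created through Microsoft Graph. The block below is an added example, not iCorps' or Microsoft's code: it builds the policy bodies in report-only mode and posts them with a bearer token that is assumed to already hold Policy.ReadWrite.ConditionalAccess; the app and group IDs in angle brackets are placeholders, and the Azure portal app ID is the well-known first-party value that should be confirmed in your own tenant.

```python
import json
from urllib.request import Request, urlopen

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Well-known first-party app ID behind the Azure portal ("Windows Azure Service Management API");
# confirm it under Enterprise applications in your own tenant before relying on it.
AZURE_MANAGEMENT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
REPORT_ONLY = "enabledForReportingButNotEnforced"

def ca_policy(name, include_users, include_apps, controls, exclude_groups=(),
              sign_in_risk=(), state=REPORT_ONLY):
    """Build a Microsoft Graph conditionalAccessPolicy body. Defaults to report-only so
    the effect can be reviewed in the sign-in logs before it is enforced."""
    if not include_apps or not controls:
        raise ValueError("policy needs at least one target app and one control")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "signInRiskLevels": list(sign_in_risk),
            "users": {"includeUsers": list(include_users),
                      "excludeGroups": list(exclude_groups)},  # approved exceptions
            "applications": {"includeApplications": list(include_apps)},
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }

def block_guests(name, apps, exclude_groups=()):
    """Block guests and external users from the given apps (employee-only apps, the portal)."""
    return ca_policy(name, ["GuestsOrExternalUsers"], apps, ["block"], exclude_groups)

def risky_signin_mfa(name, exclude_groups=()):
    """Require MFA on every app when Identity Protection rates the sign-in medium or high risk."""
    return ca_policy(name, ["All"], ["All"], ["mfa"], exclude_groups, ["medium", "high"])

def create_policy(access_token, policy):
    """POST the body to Graph; returns the new policy's object ID."""
    req = Request(GRAPH_POLICIES, data=json.dumps(policy).encode(), method="POST",
                  headers={"Authorization": f"Bearer {access_token}",
                           "Content-Type": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)["id"]

if __name__ == "__main__":
    # Constructed placeholders; substitute your tenant's object IDs and a real token.
    policies = [
        block_guests("Guests: block employee-only apps", ["<employee-only-app-id>"]),
        block_guests("Guests: block Azure portal", [AZURE_MANAGEMENT_APP],
                     exclude_groups=["<approved-guest-exceptions-group-id>"]),
        risky_signin_mfa("All users: MFA on risky sign-in", ["<break-glass-group-id>"]),
    ]
    for p in policies:
        print(json.dumps(p, indent=2))  # review, then create_policy(token, p) to enforce
```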
Privileged Identity Management
The protection of privileged identities is imperative, given the scope of their administrative rights, which can include access to critical resources and control over the creation, modification, and deletion of user accounts and configurations. Azure AD Premium allows organizations to manage, monitor, and control privileged accounts and their access to resources. It also supports enforcing multi-factor authentication for highly privileged roles and granting on-demand temporary privileged access that automatically reverts to normal user status after a pre-set time period.
External Users Don't Need to Have Azure AD
It is important to note that a partner company does not need to be using Azure AD in order to collaborate with a host organization. Through Office 365, a host can set up a "Group" specifically for Azure B2B collaboration. Each Group is assigned an internal authorized owner. External users can be invited to create an account, or can proactively request one through the organization's self-service Azure portal. User requests are routed automatically to the Group owner, who approves additions and grants secure access to files and applications.
Collaborators Use Their Own Credentials
Regardless of whether they are invited or request access, guests can use their own email addresses (corporate or otherwise) to set user names and passwords. Not only does this place the onus of responsibility on the guest, it frees the host organization from managing those user identities. Azure AD Premium's secure environment also includes policy-driven multi-factor authentication. This two-step verification method provides stronger yet convenient protection of identities and user access anywhere, from any device. Today's business relies on external collaboration. Contact iCorps to learn how Microsoft Azure AD Premium can make access sharing easier and more secure, for both your employees and associates.