Manage guest accounts in Azure Active Directory
Welcome, Guest
Delegate Wherever Possible
If you are only reviewing B2B guests, an additional setting appears in the penultimate step when you create an Access Review (Figure 3): Action to apply on denied guest users. This setting lets you stipulate that denied guests are simply removed from the group or application. Alternatively, you can choose Block user from signing-in for 30 days, then remove user from the tenant. This is, of course, a sledgehammer method: combined with a multilevel review, it ends in the guest being deleted from the tenant. If the external user has not responded, though, and an internal second examiner is not sure either, deletion can be the best remedy.
Multistage reviews are useful for three areas of operation: reaching a quorum, escalating reviews, and delegating review work. You reach a quorum by having several stages confirm the users in succession; a user keeps access at the end of the process only if every stage agrees that access should continue.
You can map escalation processes with multistage reviews if you want a second reviewer to cross-check the users the first reviewer rejected, marked as don't know, or left without a response. The second reviewer can then correct those decisions or enter them in the first place; a user who still has no result at the end gets no access.
Of course, no self-respecting admin likes to spend time on repetitive tasks, clicking through line after line of users to be confirmed. Instead, you can delegate the bulk of the work first to the actual beneficiaries of the group memberships or application access: the users themselves. Getting users to participate in the review means that everyone who fails to respond or says no is dropped before the second or third stage, which reduces the workload on the second- and third-stage reviewers.
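The two patterns described above (a guest self-review that only forwards approvals to the group owners, or an escalation stage that forwards denials, don't-knows and non-responses) can also be created through the Microsoft Graph access reviews API rather than the portal. The following Python builder is an added example, not code from the article: the resource layout follows the accessReviewScheduleDefinition and stageSettings resources as I recall them, the convention that a stage with no reviewers is a self-review is an assumption, and the group and owner IDs, dates and token are placeholders, so check the property names against the API reference before running it against a tenant.

```python
import json
import urllib.request

GRAPH_DEFINITIONS = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
DELETE_GUEST = {"@odata.type": "#microsoft.graph.disableAndDeleteUserApplyAction"}  # block 30 days, then delete
REMOVE_ACCESS = {"@odata.type": "#microsoft.graph.removeAccessApplyAction"}  # just drop group/app access
ESCALATE = ["Deny", "DontKnow", "NotReviewed"]  # second reviewer cross-checks these
DELEGATE = ["Approve"]  # only self-approved guests reach the owners


def stage(stage_id, days, reviewers=None, forward=None, depends_on=None):
    """One stageSettings entry. reviewers=None is assumed to mean self-review."""
    s = {"stageId": stage_id, "durationInDays": days, "recommendationsEnabled": True}
    if reviewers is not None:
        s["reviewers"] = [{"query": q, "queryType": "MicrosoftGraph"} for q in reviewers]
    if forward is not None:
        s["decisionsThatWillMoveToNextStage"] = forward
    if depends_on:
        s["dependsOn"] = depends_on
    return s


def guest_review(group_id, owner_ids, forward=DELEGATE, instance_days=14, delete_denied=True):
    """Quarterly two-stage review of the guests in a group; stage 2 is done by the owners."""
    stages = [stage("1", 7, forward=forward),
              stage("2", 7, [f"/users/{i}" for i in owner_ids], depends_on=["1"])]
    if sum(s["durationInDays"] for s in stages) > instance_days:  # Graph rejects this
        raise ValueError("stage durations exceed instanceDurationInDays")
    return {
        "displayName": f"Guest review for group {group_id}",
        "descriptionForReviewers": "Confirm that this guest still needs access.",
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "queryType": "MicrosoftGraph",
                  "query": f"/groups/{group_id}/transitiveMembers/microsoft.graph.user/"
                           "?$count=true&$filter=(userType eq 'Guest')"},
        "stageSettings": stages,
        "settings": {"instanceDurationInDays": instance_days,
                     "defaultDecisionEnabled": True, "defaultDecision": "Deny",  # no answer = no access
                     "autoApplyDecisionsEnabled": True, "justificationRequiredOnApproval": True,
                     "mailNotificationsEnabled": True, "reminderNotificationsEnabled": True,
                     "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 3},
                                    "range": {"type": "noEnd", "startDate": "2023-01-01"}},  # placeholder date
                     "applyActions": [DELETE_GUEST if delete_denied else REMOVE_ACCESS]},
    }


def submit(body, access_token):
    """POST the definition; needs AccessReview.ReadWrite.All on the token (placeholder)."""
    req = urllib.request.Request(GRAPH_DEFINITIONS, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Pass `forward=ESCALATE` to get the cross-check pattern instead of the delegation pattern; `submit` is not called here because it needs a live tenant.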
Conclusions
If cloud collaboration is a part of your working life, and you enable it for your employees, you are likely to discover that as the number of partners increases, the trust placed in them does not always keep pace. Relationship depths with business partners need to be mapped in a fairly granular way, even in B2B environments, and the cross-tenant access settings in Azure AD let you do this. To make it easier on yourself when cleaning up your business partners, you first need to engage the users themselves by imposing multistage reviews to let them say whether further collaboration is desired and necessary.
Infos
- Fabrikam: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/identity-lifecycle-manager/ms694611(v=vs.85)
- Microsoft Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
- Cross-tenant access settings API: https://docs.microsoft.com/en-us/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta
- Cross-tenant access activity workbook: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/workbook-cross-tenant-access-activity