Businesses often require several partners, organizations, and customers to collaborate and exchange data. Microsoft Entra allows these external entities to access your IT environment seamlessly without compromising on security. Guest access can be managed through Microsoft Entra ID and Microsoft Entra ID Governance.
Guest access management with Microsoft Entra ID
Here’s how you can manage guest access with Microsoft Entra ID:
Adding a guest user
- Log in to the Microsoft Entra admin center with a role that allows you to create users in the directory, such as User Administrator or Guest Inviter.
- In the left navigation pane, browse to Identity > Users > All Users > New User.
- Choose Invite External User from the menu. This takes you to a window that lets you invite users through their email address.
- Add the following information for the guest user:
  - Email: The email address of the guest user you want to invite.
  - Display name (optional): The name for the guest user that will be displayed within your organization.
  - Invitation message (optional): You can personalize the invitation message with a welcome note and instructions.
- You can now review the details. Click Invite to finalize the process.
Managing guest user access permissions
- Go to Identity > User Settings > Guest User Access.
- You will have three options to manage appropriate access permissions for your guest users:
  - Guest users have the same access as members (most inclusive)
  - Guest users have limited access to properties and memberships of directory objects
  - Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)
  Check out a detailed list of the permissions granted to each option here.
- Depending on your use case, you can configure the level of access your guest users have.
Conditional access
Conditional access refers to a set of policies that define how users access your organization’s resources. Simply put, it is an if-then rule that considers specific conditions and takes corresponding actions based on whether those conditions are met. This adds an extra layer of security beyond just passwords and hence is a crucial part of Microsoft’s Zero Trust security model.
You can create a conditional access policy for guest user accounts with the following steps:
- Log in to the Microsoft Entra admin center with an account that has Conditional Access Administrator rights.
- Navigate to Protection > Conditional Access > Create New Policy and name your policy.
- Under Assignments, choose who the policy will apply to. You can select Users or groups, then choose specific users, user groups, or even Guest users.
  Note: Configuring conditions is an optional step. With this, you can define the circumstances that trigger the policy, such as:
  - Locations: Restrict access based on user location
  - Devices: Enforce access only from devices meeting specific standards
  - Client apps: Control access for specific cloud applications
- Under Access Controls, you can define how access is granted or blocked by selecting your choices from the list. A few of these options are:
  - Require device to be marked as compliant
  - Require multi-factor authentication (MFA)
  - Require approved client app
- Review all your settings. To assess the policy’s impact on users without enforcing restrictions, you can use Report-only mode. This step is highly recommended to prevent unintended consequences.
- Click “Create” to activate your policy.
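The same guest-user policy can be created outside the portal. The following is an added example, not code from the original article, that builds it with the Microsoft Graph PowerShell SDK: it targets all external identities, requires MFA, starts in report-only mode, and reads the policy back to confirm it is not yet enforcing. The policy name, the installed module and the granted scopes are assumptions.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account holds
# Conditional Access Administrator rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$policyName = "CA - Require MFA for guest users (report-only)"   # constructed name

$params = @{
    displayName = $policyName
    # Report-only: the policy is evaluated and its outcome logged in the
    # sign-in logs, but nothing is blocked or prompted yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Scope to external identities only, so member accounts are unaffected.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,otherExternalUser"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # "Require multi-factor authentication"
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Host "Created policy $($policy.Id) in state $($policy.State)"

# Read the policy back and verify it is still report-only before anyone
# switches it to enforcement.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($check.State -ne "enabledForReportingButNotEnforced") {
    throw "Policy $($check.Id) is not in report-only mode; review it before enforcing."
}

# Once the report-only results in the sign-in logs look as expected, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }
```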
Guest access management with Microsoft Entra ID Governance
Entra ID covers most guest access control needs. However, for organizations that require a heavyweight governance solution, Entra ID Governance is worth looking into. Entra ID Governance helps you manage guest access more effectively with access reviews and entitlement management.
Access reviews are recurring reviews of your directory that can be automated. This boosts security by ensuring that your guest users don’t retain access indefinitely.
Entitlement management enables seamless B2B collaboration by letting you specify organizations whose users can access your organization’s resources. You can also define the specific resource a guest needs for their collaboration, such as an application or a SharePoint site. This minimizes the damage a compromised guest account could cause.
While Entra ID provides basic guest access functionality, Entra ID Governance offers a more comprehensive solution for managing external collaborators. Hence, it’s advisable to use Entra ID to create guest user accounts and assign basic permissions whilst leveraging Entra ID Governance for advanced guest access management.