Forum Discussion
Best Practice to Administer Guest Users from another Tenant
All,
I have a requirement to implement B2B for a few partners who are with us.
I would like to know what the best practice is for doing this.
AAD is configured with AAD Connect to Windows AD.
Requirements:
1. Guest users shouldn't have the ability to access AAD-related information, even through PowerShell or the Graph API
2. Group guest users using AAD groups and grant them access to specific applications only
3. Implement additional security policy over authentication, like MFA and password complexity, over their original tenant
3 Replies
- Bastien Perez (Brass Contributor)
Hello,
For 1) you can take a look at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-restrict-guest-permissions (in preview)
For 3) (MFA) you can use https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-tutorial-require-mfa
For password complexity I'm not sure you can do it because, to me, it doesn't make sense for a tenant to manage passwords for external identities.
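The two settings referenced in this reply (the restricted guest role for requirement 1 and a Conditional Access MFA policy for requirement 3) can both be applied from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the thread or from the linked docs. It assumes the `Microsoft.Graph` module is installed, that the signed-in admin has the rights to write authorization and Conditional Access policies, and that the policy display name is a placeholder you would rename.

```powershell
# Added example (not from the thread): restrict what guests can read in the directory
# and require MFA for every guest sign-in, using the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph is installed and the admin holds the roles for these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConditionalAccess"

# --- Requirement 1: limit guest directory reads (portal, PowerShell and Graph alike) ---
# The tenant authorization policy holds a single guestUserRoleId; these are the documented values.
$GuestRoleIds = @{
    MemberEquivalent = "a0b1b346-4d3e-4e8b-98f8-753987be4970"  # guests read like members
    DefaultGuest     = "10dae51f-b6af-4016-8d66-8c2a99b929b3"  # default: limited directory read
    RestrictedGuest  = "2af84b1e-32c8-42b7-82bc-daace71d9f08"  # restricted: own objects only
}

# Record the current setting before changing it, so the change can be reverted.
$authPolicy = Get-MgPolicyAuthorizationPolicy
Write-Host "Current guestUserRoleId: $($authPolicy.GuestUserRoleId)"

# Apply the restricted role. Caveat: restricted guests can no longer enumerate group
# membership, which breaks apps that rely on guests reading groups they belong to.
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $GuestRoleIds.RestrictedGuest

# --- Requirement 3: Conditional Access policy that requires MFA for guests ---
# Created in report-only mode first; switch state to "enabled" after reviewing sign-in logs.
$caPolicy = @{
    displayName   = "Require MFA for guest and external users"   # placeholder name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
Write-Host "Created Conditional Access policy $($created.Id) in report-only mode"
```

The authorization policy change is tenant-wide and takes effect for every guest at once, which is why the script prints the previous value first. The Conditional Access policy is deliberately created in report-only mode: the sign-in logs will then show which guest sign-ins would have been challenged, and the policy can be switched to `enabled` once the partner users have registered an MFA method in your tenant, as the linked tutorial describes.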
- Moses Lim (Copper Contributor): I assumed guest users are still treated like normal users, where we can still track their activity through Log Analytics, right?
- Thijs Lecomte (Bronze Contributor): You cannot change the guest user's password, but all Conditional Access controls will apply to a user (require MFA, block, etc.)
You can monitor through log analytics indeed
For number 2, I would look into access packages - https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-first
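To make the monitoring point concrete: guest sign-ins carry the same fields as member sign-ins, so a defender can pick out guest sessions that succeeded without MFA. The function below is an added example, not from the thread; it works on records shaped like the Microsoft Graph `signIn` objects that `Get-MgAuditLogSignIn` returns (`UserType`, `AuthenticationRequirement`, `Status.ErrorCode`), and the sample records are constructed for illustration.

```powershell
# Added example (not from the thread): report successful guest sign-ins that were not
# MFA-protected, from sign-in records shaped like Microsoft Graph signIn objects.

function Find-UnprotectedGuestSignIns {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    # ErrorCode 0 is a successful sign-in; 'singleFactorAuthentication' means the
    # session was granted with the password alone (no MFA claim satisfied).
    $SignIns |
        Where-Object {
            $_.UserType -eq 'guest' -and
            $_.Status.ErrorCode -eq 0 -and
            $_.AuthenticationRequirement -eq 'singleFactorAuthentication'
        } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress
}

# Constructed sample records using the same property names as MicrosoftGraphSignIn.
$sampleSignIns = @(
    [pscustomobject]@{ CreatedDateTime = '2020-05-01T08:00:00Z'; UserType = 'guest'
        UserPrincipalName = 'alice_partner.example#EXT#@contoso.example'
        AppDisplayName = 'SharePoint Online'; IPAddress = '203.0.113.10'
        AuthenticationRequirement = 'singleFactorAuthentication'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ CreatedDateTime = '2020-05-01T08:05:00Z'; UserType = 'guest'
        UserPrincipalName = 'bob_partner.example#EXT#@contoso.example'
        AppDisplayName = 'Microsoft Teams'; IPAddress = '203.0.113.11'
        AuthenticationRequirement = 'multiFactorAuthentication'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ CreatedDateTime = '2020-05-01T08:09:00Z'; UserType = 'member'
        UserPrincipalName = 'carol@contoso.example'
        AppDisplayName = 'Azure Portal'; IPAddress = '198.51.100.5'
        AuthenticationRequirement = 'singleFactorAuthentication'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ CreatedDateTime = '2020-05-01T08:12:00Z'; UserType = 'guest'
        UserPrincipalName = 'alice_partner.example#EXT#@contoso.example'
        AppDisplayName = 'Azure Portal'; IPAddress = '203.0.113.10'
        AuthenticationRequirement = 'singleFactorAuthentication'; Status = @{ ErrorCode = 50126 } }
)

# Only the first record matches: guest, successful, and single-factor.
Find-UnprotectedGuestSignIns -SignIns $sampleSignIns | Format-Table -AutoSize

# Against a live tenant (needs AuditLog.Read.All and Directory.Read.All):
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# Find-UnprotectedGuestSignIns -SignIns (Get-MgAuditLogSignIn -Top 500)
```

The same three fields exist as columns in the `SigninLogs` table that Azure AD streams to Log Analytics (`UserType`, `AuthenticationRequirement`, `ResultType`), so the filter translates directly into a scheduled query or alert rule there. Running it while the MFA policy is still in report-only mode gives a baseline of which partner users and applications the policy will start challenging once enabled.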