B2B guest permissions on security groups to tie down guests inviting guests


Hi,

Is it possible to have guests be able to add additional guests only to a security group that they are a member of, but be blocked from adding them to other security groups within the same Azure AD?

Some detail. We have a number of subscriptions on a single Azure AD. We want to publish apps to these separate subscriptions, and allow external support companies to access their respective subscription for troubleshooting, should any problems arise. We want each external company to also be able to invite guests in from their own company as well (so one person from each external support company will be in charge of inviting in their colleagues, without us having to have any interaction).

We have created a number of security groups, one for each external company. However, when we invite one in as a guest, and use a dynamic rule to add them to their respective security group, they can invite guests in and then add them to not only the group that they are a member and owner of, but also to other security groups which they are neither owners nor members of, which is a security issue for us. We have confirmed this happens whether or not the guest is a member of the RBAC group "Guest Inviter". At the moment they do not have any special permissions other than what they are provided as guests.

Right now it appears the only way to do this is to have separate Azure ADs for each subscription, but we would rather keep our single Azure AD and add subscriptions per customer as necessary, then publish our app to that subscription, create a security group for each subscription or app, invite the third-party support rep in, then leave them to it to invite additional colleagues as required so they can work on any issues with the app by themselves, without involving us. Is this scenario possible?

Thanks,

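An added audit script (not part of the original post) that an admin could run to check the two tenant settings behind this scenario and to list every security group each guest belongs to, flagging whether the guest owns it. It assumes the Microsoft Graph PowerShell SDK is installed, the caller holds the listed read scopes, and that the well-known template IDs in the table below still map to the "Guest user access restrictions" options as documented by Microsoft.

```powershell
# Added example, not from the original post. Read-only: it reports, it does not change anything.
# Assumes the Microsoft Graph PowerShell SDK and the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All', 'User.Read.All'

# Tenant-wide settings that govern what guests may do.
$policy = Get-MgPolicyAuthorizationPolicy

# Assumed mapping of the documented template IDs for "Guest user access restrictions".
$guestRoles = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as members (most inclusive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access to directory objects (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Own objects only (most restrictive)'
}
"Who may invite guests : $($policy.AllowInvitesFrom)"
"Guest access level    : $($guestRoles[$policy.GuestUserRoleId])"

# For every guest, list the groups they belong to and whether they are also an owner,
# so a guest sitting in a group other than their own vendor's group stands out.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, DisplayName, Mail
foreach ($g in $guests) {
    $groups = Get-MgUserMemberOf -UserId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    foreach ($grp in $groups) {
        $owners = Get-MgGroupOwner -GroupId $grp.Id -All
        [pscustomobject]@{
            Guest   = $g.Mail
            Group   = $grp.AdditionalProperties['displayName']
            IsOwner = ($owners.Id -contains $g.Id)
        }
    }
}
```

Pipe the output to Export-Csv and diff it between runs to spot memberships that appear in groups the guest does not own.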