Best Practice to Administer Guest Users from another Tenant

All,

I have a requirement to implement B2B for a few partners who are with us.

I would like to know what the best practice for doing this is.

AAD is configured with AAD Connect to Windows AD.

Requirements:

1. Guest users shouldn't have the ability to access AAD-related information, even through PowerShell or the Graph API.

2. Group guest users using AAD groups and grant them access to specific applications only.

3. Implement additional security policy over authentication, like MFA and password complexity, over their original tenant.

Solution

Hello,

For 1) you can take a look at this feature (in preview): https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-restrict-guest-permissions

For 3) (MFA) you can use conditional access: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-tutorial-require-mfa

For password complexity I'm not sure you can do it because, to me, it doesn't make sense for a tenant to manage passwords for external identities.
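The two controls the answer points at, requirement 1 (guest access restrictions) and requirement 3 (MFA for guests via Conditional Access), applied with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread; it assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to the listed scopes, and the policy display name is a constructed value.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the caller can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All'

# --- Requirement 1: restrict what guests can read from the directory ----------
# authorizationPolicy.guestUserRoleId takes one of the documented role ids:
#   a0b1b346-4d3e-4e8b-98f8-753987be4970  same access as members
#   10dae51f-b6af-4016-8d66-8c2a99b929b3  limited access (tenant default)
#   2af84b1e-32c8-42b7-82bc-daa82404023b  restricted to their own objects
# The restricted setting also applies to PowerShell and Graph API reads, not
# only to the portal, which is what the question asks for.
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $RestrictedGuestRoleId

# Verify the change actually landed before relying on it.
$authPolicy = Get-MgPolicyAuthorizationPolicy
if ($authPolicy.GuestUserRoleId -ne $RestrictedGuestRoleId) {
    throw "Guest user access restriction was not applied (got '$($authPolicy.GuestUserRoleId)')"
}

# --- Requirement 3: Conditional Access requiring MFA for guests --------------
# 'GuestsOrExternalUsers' is the documented includeUsers value that targets all
# B2B guests. Created in report-only mode first so the sign-in logs show which
# guest sign-ins would be affected before the policy is enforced.
$caPolicy = @{
    displayName   = 'B2B guests - require MFA'      # constructed name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
Write-Output "Created CA policy $($created.Id) in state $($created.State)"
```

Switch the policy state to `enabled` once the report-only results in the sign-in logs look as expected; the guest's MFA challenge is satisfied in your tenant regardless of what their home tenant enforces.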

I assumed guest users are still treated like normal users, where we can still track their activity through Log Analytics, right?

You cannot change the guest users' password, but all conditional access controls will apply to a user (require MFA, block, etc.).
You can monitor through Log Analytics indeed.

For number 2, I would look into access packages - https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-pac...