Manage federated accounts in Azure AD


Hi,

I am a newbie in Azure AD, please help me out.

I would like to understand that if I set up a federated account of a 3rd party with my Org Azure AD, how much control that account has over my environment - in applications, policies, etc. Is there any Microsoft-recommended best practice to manage or control these federated accounts in Azure AD?

Thanks in advance!

1 Reply

@Ranjita For best practices or recommendations you should take a look at the Azure Security Center.

Settings on tenant level can be set in Azure Active Directory > External Identities > External Collaboration Settings. You should deactivate "Guest can invite" there.

Under Azure Active Directory > User Settings restrict the access to the Azure AD Administration Portal.


It would make administration easier to create a security group which inhibits all guest users, so you can assign apps on a higher level.
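The reply above describes three portal settings (guest invitation rights, guest access to the directory, and grouping guests so apps can be assigned at group level). The following script is an added example, not part of the original thread, that audits the same settings from the command line with the Microsoft Graph PowerShell SDK so they can be checked repeatedly rather than once by hand. It assumes the `Microsoft.Graph` module is installed and that the signed-in account holds the `Policy.Read.All` and `User.Read.All` permissions; the role-template GUIDs used to label the guest-access level are documented Azure AD values but are treated here as assumptions, and the "acceptable" values are a sample policy, not a Microsoft requirement.

```powershell
# Added example: audit tenant-wide guest/external-collaboration settings and
# list guest (B2B) users. Read-only; nothing is changed in the tenant.
# Assumes: Microsoft.Graph PowerShell SDK installed, delegated permissions granted.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All" | Out-Null

# 1. Tenant authorization policy: who may invite guests, and how much of the
#    directory a guest may read. These correspond to the "Guest can invite"
#    and "Guest user access restrictions" controls in External Collaboration Settings.
$policy = Get-MgPolicyAuthorizationPolicy

# Assumed mapping of guestUserRoleId values to the portal's access levels.
$guestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as members (least restrictive)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted access (most restrictive)"
}

$findings = @()

# Sample policy (constructed for this example): guests must not be able to invite.
$acceptableInviteSettings = @("none", "adminsAndGuestInviters", "adminsGuestInvitersAndAllMembers")
if ($policy.AllowInvitesFrom -notin $acceptableInviteSettings) {
    $findings += "allowInvitesFrom is '$($policy.AllowInvitesFrom)': guests (or everyone) can invite external users."
}

$guestRole = $guestRoleNames[$policy.GuestUserRoleId]
if (-not $guestRole) { $guestRole = "Unknown role id $($policy.GuestUserRoleId)" }
if ($policy.GuestUserRoleId -eq "a0b1b346-4d3e-4e8b-98f8-753987be4970") {
    $findings += "Guest users have the same directory read access as members."
}

# 2. Inventory of guest accounts: who they are, where they come from, and
#    whether they ever accepted the invitation. Stale, never-redeemed invitations
#    are a common cleanup target.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, Mail, CreatedDateTime, ExternalUserState, AccountEnabled

$pendingGuests = $guests | Where-Object { $_.ExternalUserState -eq "PendingAcceptance" }
if ($pendingGuests.Count -gt 0) {
    $findings += "$($pendingGuests.Count) guest invitation(s) were never redeemed."
}

# 3. Report.
Write-Host "Guest invite setting : $($policy.AllowInvitesFrom)"
Write-Host "Guest access level   : $guestRole"
Write-Host "Guest accounts       : $($guests.Count)"
Write-Host ""
if ($findings.Count -eq 0) {
    Write-Host "No findings against the sample policy."
} else {
    Write-Host "Findings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}

Write-Host ""
Write-Host "Guest inventory:"
$guests |
    Select-Object DisplayName, Mail, ExternalUserState, AccountEnabled, CreatedDateTime |
    Sort-Object CreatedDateTime |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run the script from an account with the listed read permissions; it prints the two tenant-wide settings the reply recommends tightening and a list of guest accounts. For the third recommendation, grouping all guests so apps can be assigned once, a dynamic security group with the membership rule `(user.userType -eq "Guest")` keeps the group current automatically as guests are added and removed, which a static group does not. The script does not change any setting; remediation should go through the portal or a change-controlled script once the findings have been reviewed.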