As COVID-19 public health guidance keeps suppliers, distributors, vendors and contractors at home, organizations around the world must figure out how to enable productivity for their blended workforce of employees and external partners. A few weeks ago, we shared 5 steps you can take to enable remote work with Azure Active Directory. We’ve since shared how to enable remote collaboration for your employees and how to allow remote employees to securely access on-prem apps. Today we’ll talk about ways you can enable remote collaboration with your external users using B2B collaboration capabilities in Azure AD.
We have heard from our customers that Azure AD’s B2B collaboration features enable critical work with their business partners. The current circumstances only accelerate many organizations’ plans to enable secure collaboration and support business continuity. While monthly active usage has grown 100% year over year, Microsoft’s March 2020 data shows a 65% increase in the number of overall active B2B collaboration users in just one month.
Here are ways Azure AD can enable secure and productive collaboration with your external users, while everyone is working remotely.
Empower employees to collaborate with external users
IT admins must balance how to delegate some tasks to end users while maintaining proper control over access and resources, in the context of their industry and organization’s needs.
When your employees share SharePoint documents externally or invite external collaborators to Teams, Azure AD helps you make sure that the easiest path to collaboration is also the one that you can audit and block if necessary. You also don’t have to make an all-or-nothing decision, as there are controls for sharing at the Azure AD level (including allow/deny lists for specific external domains) as well as controls specific to apps like Microsoft Office 365 Groups, SharePoint Online, and Teams so you can determine what makes sense for your business.
Enable external partners to ‘bring their own identity’
Your partner organizations may use different authentication methods for their users. Azure AD B2B collaboration still authenticates every user securely, with the method chosen automatically based on the kind of account the user has, whether or not that account lives in Azure AD.
With Azure AD B2B collaboration, organizations can enable external users from partner organizations to use their own credentials. This offers several benefits:
- Partners are more likely to remember their credentials and keep them secure, since they’re using them every day to access resources in their home tenant
- When a partner loses access to their main account (for example, if they’ve left the company), they also lose access to your resources automatically
- Partners no longer need your IT support to manage their account, such as resetting passwords
- Partners benefit from a more seamless experience, as they no longer need to switch back and forth between separate accounts and can use single sign-on to access the resources they need.
There are multiple security controls for enabling B2B collaboration so you can control what’s right for your organization.
Azure AD and Microsoft accounts are automatically configured to work as a B2B authentication method in every directory. If you have a partner who manages their own domain through a different identity provider, you can still provide a seamless single sign-on experience for their users through direct federation. Gmail accounts can be enabled by turning on Google federation. For other partners who aren't covered by one of these methods, you can enable users to authenticate using an email one-time passcode, where every time they want to access your resources they authenticate by returning a temporary code sent to their inbox.
We know some customers have already created internal accounts for their external users, and they don't want to go through the hassle of deleting those accounts and re-inviting those users through the B2B collaboration process. For these scenarios, we're introducing the capability to change a user who already has an internal account in your directory into an account that uses B2B collaboration authentication going forward. This leaves the user's ID, user principal name, group membership, and app assignments intact. This feature is entering public preview now and will be rolling out over the next couple of weeks until it's available to all tenants.
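The invitation flow described in the two paragraphs above, as an added example that is not Microsoft's code: a small Microsoft Graph client that creates a B2B guest and converts an existing internal user to B2B authentication. The endpoint and request fields are the documented Graph invitation API; the bearer token, e-mail addresses and redirect URL are placeholders, and acquiring the token (it needs User.Invite.All) is outside the example. The `send` callable is injectable so the request bodies can be inspected offline.

```python
"""Create Azure AD B2B invitations through the Microsoft Graph /invitations API.
Added example, not Microsoft's code. `default_send` does the real HTTP call;
any function with the same signature can be substituted for offline checks."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def default_send(token, method, url, body):
    """Send a JSON request to Graph with a bearer token and return the JSON reply.
    The token must carry User.Invite.All; acquiring it is outside this example."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class GraphInviter:
    def __init__(self, token, send=default_send):
        self.token = token
        self.send = send

    def _post(self, path, body):
        return self.send(self.token, "POST", f"{GRAPH}{path}", body)

    def invite_guest(self, email, redirect_url, send_mail=True):
        """Invite a new external user as a guest.

        Azure AD chooses the authentication method at redemption time from the
        invitee's address (Azure AD account, Microsoft account, direct or Google
        federation, or email one-time passcode); nothing in the request selects it.
        Returns (guest object id, redeem URL). With send_mail=False Azure AD does
        not mail the invitation, so you can deliver the redeem URL over a channel
        you control (useful when partner mailboxes are not trusted).
        """
        body = {
            "invitedUserEmailAddress": email,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": send_mail,
        }
        resp = self._post("/invitations", body)
        return resp["invitedUser"]["id"], resp["inviteRedeemUrl"]

    def convert_internal_user(self, user_id, external_email, redirect_url):
        """Switch an existing internal user to B2B collaboration authentication.

        Passing the existing object id in `invitedUser` (the form the Graph
        reference documents for inviting internal users) keeps the id, UPN,
        group memberships and app assignments. The user redeems the invitation
        from external_email and authenticates with that identity from then on.
        """
        body = {
            "invitedUserEmailAddress": external_email,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": True,
            "invitedUser": {"id": user_id},
        }
        resp = self._post("/invitations", body)
        if resp["invitedUser"]["id"] != user_id:
            # A different id would mean a fresh guest was created, not a conversion.
            raise RuntimeError("Graph created a new user instead of converting %s" % user_id)
        return resp["status"]
```

Usage: `GraphInviter(token).invite_guest("partner@example.com", "https://myapps.microsoft.com")` returns the new guest's object id and the redeem URL; `convert_internal_user(existing_object_id, "partner@example.com", "https://myapps.microsoft.com")` returns the invitation status (for example `PendingAcceptance`) once Graph has accepted the request.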
Apply Azure AD Conditional Access policies to external users
Just as it's important to get the right Conditional Access policies applied to employees, it's also important to ensure that the right security controls apply to external users. You can apply Conditional Access policies to your external users, for example, to require external users to use multi-factor authentication (MFA) before they access your resources, or to limit their access to a subset of apps.
Nearly all the controls you can apply to internal users can also be applied to external ones, so you should think through where your Conditional Access policies should be the same for all users and where it makes sense to have exceptions or differences for external users.
Require partners to agree to a Terms of Use before accessing apps or resources
Many organizations need to record agreement to a particular set of terms before someone is allowed to have access to sensitive data or other important resources. Azure AD provides terms of use functionality to automatically check whether a user has agreed to the appropriate terms when they try to access a resource, and allow them to agree as part of the authentication flow if they haven’t already done so. Terms of use are targeted to particular users and apps using Conditional Access, so you can use all the flexibility of Conditional Access to ensure that the right terms are shown to the right users in the right circumstances and set different terms for different conditions.
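A worked policy for the two sections above (Conditional Access for external users, and Terms of Use attached through Conditional Access), as an added example that is not Microsoft's code. It builds the Graph `conditionalAccessPolicy` body that targets guests and external users, requires MFA and the Terms of Use together, and creates it in report-only state first. The policy name, the Terms of Use id and the excluded emergency-access account ids are placeholders; `send` is any function that POSTs JSON to Graph with a token carrying Policy.ReadWrite.ConditionalAccess.

```python
"""Conditional Access for B2B users: MFA plus Terms of Use, created report-only.
Added example, not Microsoft's code; the ids passed in are placeholders."""

POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def guest_mfa_tou_policy(display_name, terms_of_use_id, emergency_account_ids, enforce=False):
    """Return a conditionalAccessPolicy body for guest and external users.

    - includeUsers "GuestsOrExternalUsers" scopes the policy to B2B users, so
      employees are untouched and can be covered by their own policies.
    - Two grant controls joined with AND: the user must pass MFA and have
      accepted the Terms of Use (shown during sign-in if not yet accepted).
    - enforce=False creates the policy as report-only, so the sign-in logs show
      what it would have required before any partner is blocked.
    """
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["GuestsOrExternalUsers"],
                "excludeUsers": list(emergency_account_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["mfa"],
            "termsOfUse": [terms_of_use_id],
        },
    }


def review_policy(policy):
    """Checks worth running before a policy is created; returns a list of findings."""
    findings = []
    users = policy["conditions"]["users"]
    grant = policy["grantControls"]
    control_count = len(grant.get("builtInControls", [])) + len(grant.get("termsOfUse", []))
    if grant["operator"] == "OR" and control_count > 1:
        # With OR, satisfying any one control grants access: accepting the
        # Terms of Use would be enough to skip MFA entirely.
        findings.append("operator OR lets a user satisfy only one control; ToU would bypass MFA")
    if policy["state"] == "enabled" and not users.get("excludeUsers"):
        # Keep emergency-access accounts out of every enforced policy.
        findings.append("enforced policy with no excluded emergency-access account")
    return findings


def create_policy(send, token, policy):
    """POST the policy after review. `send(token, method, url, body)` returns the JSON reply."""
    findings = review_policy(policy)
    if findings:
        raise ValueError("; ".join(findings))
    return send(token, "POST", POLICIES_URL, policy)["id"]
```

After the policy has run report-only for a while, rebuild it with `enforce=True` and PATCH the existing policy's `state` rather than creating a second one, so the report-only and enforced versions never overlap.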
Support structured partnerships with entitlement management
For some of the external organizations you work with, you might have a more structured relationship where many people from the external organization need access to the same set of apps, SharePoint sites, Office 365 Groups and Teams. At the same time, you may not be familiar with each of these external users, so inviting them one by one might not be feasible. Rather than manually adding and removing individual users from these resources, Azure AD offers new entitlement management capabilities to help streamline the entire access lifecycle for internal and external users. This includes letting users request access themselves, delegating approvals to stakeholders in the external organization, and removing the external user's account from your directory when they no longer need it. Check out our case studies with Avanade and Centrica.
Remove unnecessary guest access with access reviews
The rapid transition to remote collaboration means that both you and your external users may need to enable access quickly in order to collaborate. In the process, organizations may temporarily grant more access than is necessary. It's important to have a process to validate that the external users in your directory still need access to the resources they've been granted. Access reviews enable you to set up regular reviews at the app or group level, as well as delegate the approval process to either someone else in your organization or even the guests themselves. A best practice that many customers have implemented is to conduct an initial review for external users to self-attest that they still need access, and then a follow-up review for internal users to approve their continued access. Azure AD offers the flexibility to conduct access reviews at the granularity and on the schedule that makes sense for your organization, with appropriate delegation as well.
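The two-step review the paragraph describes (guests self-attest, then internal reviewers confirm), as an added example that is not Microsoft's code. It builds two Graph `accessReviewScheduleDefinition` bodies scoped to the guest members of one group: a self-review, followed by a review by the group's owners that opens on the day the first one closes. The group id, dates and durations are placeholders; the self-review form (no `reviewers` listed) and the quarterly recurrence pattern are my reading of the Graph reference, so confirm them against the current reference before use. Creating the definitions needs AccessReview.ReadWrite.All.

```python
"""Guest access reviews via the Graph accessReviewScheduleDefinition resource.
Added example, not Microsoft's code; group id and dates are placeholders."""
from datetime import date, timedelta

DEFINITIONS_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"


def guest_scope(group_id):
    """Review only the guest users who are (transitive) members of the group."""
    return {
        "@odata.type": "#microsoft.graph.accessReviewQueryScope",
        "query": f"/groups/{group_id}/transitiveMembers/microsoft.graph.user/?$filter=(userType eq 'Guest')",
        "queryType": "MicrosoftGraph",
    }


def review_settings(start, days, default_decision):
    """Settings shared by both steps; `start` is a datetime.date."""
    return {
        "mailNotificationsEnabled": True,
        "reminderNotificationsEnabled": True,
        "justificationRequiredOnApproval": True,
        "recommendationsEnabled": True,        # flags guests without recent sign-ins
        "defaultDecisionEnabled": True,
        "defaultDecision": default_decision,   # applied when nobody responds in time
        "autoApplyDecisionsEnabled": True,     # denied guests lose the membership automatically
        "instanceDurationInDays": days,
        "recurrence": {
            # quarterly; dayOfMonth taken from the start date (assumed accepted form)
            "pattern": {"type": "absoluteMonthly", "interval": 3, "dayOfMonth": start.day},
            "range": {"type": "noEnd", "startDate": start.isoformat()},
        },
    }


def two_step_guest_reviews(group_id, start_iso, self_days=7, owner_days=7):
    """Return (self_review, owner_review) definition bodies.

    Step 1: guests attest to their own need. A non-response defaults to Deny,
    which is the right outcome for abandoned accounts. Omitting `reviewers`
    requests a self-review (assumption: check the Graph reference).
    Step 2: the group owners decide on the guests who survived step 1; it starts
    the day step 1 ends and follows the system recommendation when an owner
    does not respond.
    """
    start = date.fromisoformat(start_iso)
    step1 = {
        "displayName": f"Guests of {group_id}: self-attestation",
        "scope": guest_scope(group_id),
        "settings": review_settings(start, self_days, "Deny"),
    }
    step2 = {
        "displayName": f"Guests of {group_id}: owner confirmation",
        "scope": guest_scope(group_id),
        "reviewers": [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}],
        "settings": review_settings(start + timedelta(days=self_days), owner_days, "Recommendation"),
    }
    return step1, step2


def create_reviews(send, token, group_id, start_iso):
    """Create both definitions in order. `send(token, method, url, body)` returns the JSON reply."""
    return [send(token, "POST", DEFINITIONS_URL, body)["id"]
            for body in two_step_guest_reviews(group_id, start_iso)]
```

Because decisions are auto-applied, a guest who ignores the self-attestation is removed from the group at the end of step 1; make sure the group owners know that before the first instance runs, and keep `autoApplyDecisionsEnabled` off for the first cycle if you would rather inspect the results by hand.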
Collaborate within national clouds
For customers who use our national clouds, the same B2B collaboration controls over who can collaborate and which actions are restricted are also available. In the Azure US Government cloud, B2B collaboration is supported between two tenants that are both in the Azure US Government cloud and both support B2B collaboration, as well as with personal Microsoft accounts and, through Google federation, Gmail accounts. In the Azure China cloud, B2B collaboration between tenants in the Azure China cloud will be rolling out starting in late April.
Need more support?
We hope these tips will help you and your partners continue uninterrupted business operations in these challenging times. Stay safe and be well.