cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Best Practice to Administer Guest Users from another Tenant

MosesLim
Copper Contributor

‎Oct 10 2020 06:18 AM - last edited on ‎Jan 14 2022 03:10 PM by

‎Oct 10 2020 06:18 AM - last edited on ‎Jan 14 2022 03:10 PM by

Best Practice to Administer Guest Users from another Tenant

All,

 

I have a requirement to implement B2B for few partners with are with us.

I would like to know what the best practice for doing this?

 

 

AAD is configured with AAD Connect to Windows AD.

 

Requirements:

1. Guest users shouldn't have the ability to access AAD related information even through Powershell or Graph API

2. Group Guest Users using AAD Groups and grant them access for specific application only

3. Implement Additional Security policy over Authentication like MFA and Password Complexity over their original Tenant.

 

 

 

 

 

1,103 Views
1 Like
3 Replies
Reply
3 Replies
best response confirmed by MosesLim (Copper Contributor)
Bastien Perez

‎Oct 10 2020 08:29 AM

‎Oct 10 2020 08:29 AM

Solution

Re: Best Practice to Administer Guest Users from another Tenant

Hello,

 

For 1) you can take a look at this feature (in preview)

For 3) (MFA) you can use conditional access

For password complexity I'm not sure you can do it because, to me, it doesn't make sense a tenant manage passwords for external identities.

2 Likes
Reply
MosesLim

‎Oct 12 2020 12:19 AM

‎Oct 12 2020 12:19 AM

Re: Best Practice to Administer Guest Users from another Tenant

I assumed, guest user are still treated like normal user where we can still track their activity through log analytics right?
1 Like
Reply
Thijs Lecomte

‎Oct 12 2020 08:16 AM

‎Oct 12 2020 08:16 AM

Re: Best Practice to Administer Guest Users from another Tenant

You cannot change the guest users password, but all conditional access control will apply to a user (require MFA, block etc...)
You can monitor through log analytics indeed

For number 2, I would look into access packages - https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-pac...
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by MosesLim (Copper Contributor)
Bastien Perez

‎Oct 10 2020 08:29 AM

‎Oct 10 2020 08:29 AM

Solution

Re: Best Practice to Administer Guest Users from another Tenant

Hello,

 

For 1) you can take a look at this feature (in preview)

For 3) (MFA) you can use conditional access

For password complexity I'm not sure you can do it because, to me, it doesn't make sense a tenant manage passwords for external identities.

View solution in original post

2 Likes
Reply