Hi BloodDeath,
Yes, in Azure, you can invite external users from Company 1 to Company 2’s directory, assign them roles using Azure RBAC, and manage their access. This way, you don’t need to create every user on the client account. You can also use entitlement management in Microsoft Entra ID Governance for self-service access requests (optional).
So the flow at the end is:
- Company 2 sends an invitation to the user.
- The user accepts the invitation.
- The user is added to the directory of Company 2 as an external user.
- Company 2 assigns an RBAC role to the user. (This could be at a specific subscription, management group (MG), or resource.)
- The user switches to the directory of Company 2.
- The user accesses the resources in Company 2.
There are some additional security best practices:
- Set Permission Differences: Users of a directory with member type (member users) have different permissions by default than users invited from another directory as a B2B collaboration guest (guest users).
- Use Two-Factor Authentication: Activate two-factor authentication for added security.
- Set Session Timeouts and Expiration Dates: This can help ensure that access is revoked after a certain period.
- Change Default Link Permissions to View-Only: This can prevent external users from making unwanted changes.
- Create a Dynamic Guest Group: This can help manage access for multiple external users.
References:
- https://video2.skills-academy.com/en-us/azure/role-based-access-control/role-assignments-external-users
- https://video2.skills-academy.com/en-us/entra/id-governance/entitlement-management-external-users
If the information helped address your question, please Accept the answer.
Luis
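The invite-then-assign flow described in the answer above, as an added PowerShell example that is not part of the original answer or Microsoft's documentation; it assumes the Microsoft.Graph and Az modules are installed, and the tenant, subscription, resource group and e-mail values are placeholders.

```powershell
# Added example (not from the original answer): invites one external user from
# Company 1 into Company 2's tenant, grants a least-privilege RBAC role at a
# single resource group, then verifies the assignment.
# All ids, names and the e-mail address below are placeholders / constructed.
$tenantId      = '<company2-tenant-id>'
$subscription  = '<company2-subscription-id>'
$resourceGroup = '<target-resource-group>'
$guestEmail    = 'alice@company1.example'   # constructed sample address
$roleName      = 'Reader'                   # prefer a narrow built-in role over Contributor/Owner
$scope         = "/subscriptions/$subscription/resourceGroups/$resourceGroup"

# Steps 1-3: Company 2 sends the B2B invitation. The guest object exists in the
# directory immediately (userType = Guest); the user completes redemption later.
Connect-MgGraph -TenantId $tenantId -Scopes 'User.Invite.All' -NoWelcome
$invitation = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl 'https://portal.azure.com' `
    -SendInvitationMessage
$guestObjectId = $invitation.InvitedUser.Id
Write-Host "Guest object created: $guestObjectId (status: $($invitation.Status))"

# Step 4: assign the role at the narrowest scope that covers the work. A freshly
# created guest object can take a moment to replicate to Azure RBAC, so retry on
# a principal-not-found error instead of widening the scope or the role.
Connect-AzAccount -Tenant $tenantId -Subscription $subscription | Out-Null
$assignment = $null
for ($attempt = 1; $attempt -le 6 -and -not $assignment; $attempt++) {
    try {
        $assignment = New-AzRoleAssignment -ObjectId $guestObjectId `
            -RoleDefinitionName $roleName -Scope $scope -ErrorAction Stop
    } catch {
        Write-Host "Attempt ${attempt}: $($_.Exception.Message) - retrying in 10s"
        Start-Sleep -Seconds 10
    }
}
if (-not $assignment) { throw "Role assignment failed for $guestEmail" }

# Verification: the guest should hold exactly the intended role at exactly this
# scope. Any assignment at subscription or management-group level that you did
# not intend is something to review and remove.
Get-AzRoleAssignment -ObjectId $guestObjectId |
    Select-Object RoleDefinitionName, Scope, ObjectType
```

Steps 5 and 6 (the user switching to Company 2's directory and accessing the resources) happen on the guest's side after redemption and need no script.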