Best way to give access to external group of users

BloodDeath 20 Reputation points
2024-03-14T13:33:16.8866667+00:00

Hello

What's the proper way to give access to external group of users?

Let's say there are 2 accounts: Client and Company.
Company has many employees that need access to the client account, everyone with the same privileges.

In AWS, Company has an account with IAM users. Each client account has a defined IAM role for the Company account. Each user, based on the privileges set on the Company account, can switch role and access the client account.
Maintaining users is on the Company account side, so if there is a new employee or someone leaves, Company makes a single change that works across all clients.

Is it possible to do something like this in Azure?
Is there any way to avoid creating every user on Client account?

Kind regards


Accepted answer
Luis Arias 6,796 Reputation points
2024-03-15T08:48:53.51+00:00

    Hi BloodDeath,

    Yes, in Azure, you can invite external users from Company 1 to Company 2’s directory, assign them roles using Azure RBAC, and manage their access. This way, you don’t need to create every user on the client account. You can also use entitlement management in Microsoft Entra ID Governance for self-service access requests (optional).

    So the flow at the end is:

    1. Company 2 sends an invitation to the user.
    2. The user accepts the invitation.
    3. The user is added to the directory of Company 2 as an external user.
    4. Company 2 assigns an RBAC role to the user. (This could be to specific subscription / MG or resource)
    5. The user switches to the directory of Company 2.
    6. The user accesses the resources in Company 2.

    There are some additional security best practices:

    1. Set Permission Differences: Users of a directory with member type (member users) have different permissions by default than users invited from another directory as a B2B collaboration guest (guest users).
    2. Use Two-Factor Authentication: Activate two-factor authentication for added security.
    3. Set Session Timeouts and Expiration Dates: This can help ensure that access is revoked after a certain period.
    4. Change Default Link Permissions to View-Only: This can prevent external users from making unwanted changes.
    5. Create a Dynamic Guest Group: This can help manage access for multiple external users.

    References:

    If the information helped address your question, please Accept the answer.

    Luis
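The invite, dynamic guest group and role assignment steps from the accepted answer, as an added example that is not part of the original answer. It uses the Microsoft Graph PowerShell SDK and Az PowerShell; the tenant id, subscription id, Company domain, invitee address and the `Reader` role are placeholders or constructed values, not from the page. The role is assigned once to the group rather than to each guest, so onboarding and offboarding on the Company side is reflected automatically in the client tenant:

```powershell
# Added example, not the answer author's code. Runs in the CLIENT tenant; the
# Company's employees are B2B guests here. All ids and addresses are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Users, Az.Resources

param(
    [string]   $ClientTenantId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]   $SubscriptionId = '11111111-1111-1111-1111-111111111111',  # placeholder
    [string]   $CompanyDomain  = 'company.example',                       # placeholder
    [string]   $RoleName       = 'Reader',                                # least privilege by default
    [string[]] $Invitees       = @('alice@company.example')               # constructed sample
)

# Sign in to the client tenant with only the Graph scopes this script needs.
Connect-MgGraph -TenantId $ClientTenantId -Scopes 'User.Invite.All', 'Group.ReadWrite.All' | Out-Null
Connect-AzAccount -TenantId $ClientTenantId -Subscription $SubscriptionId | Out-Null

# Steps 1-3 of the answer: send a B2B invitation; the guest object is created in
# the client directory once the user accepts.
foreach ($email in $Invitees) {
    $inv = New-MgInvitation -InvitedUserEmailAddress $email `
                            -InvitedUserType 'Guest' `
                            -InviteRedirectUrl 'https://portal.azure.com' `
                            -SendInvitationMessage
    Write-Host "Invited $email -> guest object $($inv.InvitedUser.Id)"
}

# Step 5 of the answer: a dynamic group whose membership is computed from the
# guest's mail domain, so new Company hires join and departed ones drop out
# without anyone editing the group by hand.
$rule  = '(user.userType -eq "Guest") and (user.mail -contains "@{0}")' -f $CompanyDomain
$group = New-MgGroup -DisplayName "Guests - $CompanyDomain" `
                     -MailEnabled:$false `
                     -MailNickname ("guests-" + ($CompanyDomain -replace '\.', '-')) `
                     -SecurityEnabled `
                     -GroupTypes 'DynamicMembership' `
                     -MembershipRule $rule `
                     -MembershipRuleProcessingState 'On'

# Step 4 of the answer: one RBAC assignment to the group at subscription scope.
# Narrow the scope to a resource group or resource when the client can.
$scope = "/subscriptions/$SubscriptionId"
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope

# Review: which guests exist, and which groups hold roles at this scope.
Get-MgUser -Filter "userType eq 'Guest'" -Property 'displayName', 'mail', 'createdDateTime' |
    Select-Object DisplayName, Mail, CreatedDateTime
Get-AzRoleAssignment -Scope $scope |
    Where-Object ObjectType -eq 'Group' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Two practical notes: a freshly created group can take a few minutes to replicate, so `New-AzRoleAssignment` may need a retry if it reports the principal as not found; and because the membership rule keys on the mail domain, the same domain must not be claimable by anyone outside Company, otherwise the group would grant the role to an unintended guest. Reviewing the guest list and the group-scoped assignments (the last two commands) is the check a client tenant should run periodically.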


0 additional answers
