Easily Collaborate with External Microsoft 365 Users

Remember what a nightmare it was for the Griswolds when Cousin Eddie came for a visit? Microsoft Entra ID (formerly known as Azure AD) administrators might feel the same way about the options and headaches that come with managing external identities. The Griswolds were gracious hosts; directory and data managers can also be gracious hosts by following some emerging trends for managing guest access.

Problems Hosts Can Have with Visitors

  • They may not announce themselves
  • They don’t always leave when their welcome is up
  • They may steal or damage things


In Microsoft 365, there are significant challenges when providing access to External Identities:

  • CISOs want to know who’s coming, and to strengthen the identity and access management of external entities.
  • Admins want to remove visitors once their work is done and prefer not to create accounts in their directory nor to manage “guest” lifecycles.
  • Users want easy access to external content, without switching tenants or logging in twice.

Common Needs and Current Solutions for Guests

Organizations have several reasons to provide an external person with access to their apps or data. A contractor may need a full AD account and a VPN to access on-premises or cloud services. A vendor may need access to a SharePoint site to upload data. An external project team member may want to collaborate within another organization’s Microsoft Team environment. 

A traditional solution was to create new directory credentials for external users. However, if the external person left the other company, how would the host organization know to clear the account? Active Directory Federation Services could span organizational boundaries, but is complex and coarse, with little control of access or visibility into the apps or data being accessed.

Thankfully, more flexible options are emerging, steadily trying to solve these challenges. This blog will outline some of the technical and user experience differences and provide some decision-making logic between three emerging models:

  1. Azure AD B2B Direct Connect with Teams Shared Channels
  2. B2B Collaboration with Guest Access
  3. Cross-Tenant Synchronization

Three Modern Options

1. Azure AD B2B Direct Connect with Teams Shared Channels
  • Direct Connect is a feature of External Identities that lets you set up a mutual trust relationship with another Azure AD organization for seamless collaboration.
  • IT admins from each of the tenants shown in the figure below must make some configurations to directly connect to the other tenant.
  • Then, users can communicate 1:1 or in a ‘shared channel’ without switching to your tenant. This is useful to keep communications flowing as if in the same tenant.
  • In this case, users do not need a ‘guest account’ in your tenant.
  • Such directly connected identities are notated with “External.”
  • Teams Shared Channels are the only workload using the Azure B2B Direct Connect method. Users will also have access to the files inside of that channel.
  • Access to other apps can be handled with option two below.
User Experience
  1. Shared channels will be identifiable with an icon of linked chains.
  2. With B2B Direct Connect, external entities will appear as ‘External’ in Teams shared channels. Users will no longer need to switch tenants to interact with the other organization.
High-Level Process to Set Up Direct Connect/Teams Shared Channels:
  • Talk to business partners’ IT teams to ensure they agree to setting up B2B direct connect.
  • Enable cross-tenant access settings on both sides.
  • Configure inbound trust settings, i.e. whether your Conditional Access policies will trust the multi-factor authentication (MFA), compliant device, and hybrid Azure AD joined device claims from an external organization.
  • Owner creates Team.
  • Owner creates Shared Channel within the Team.
  • Owner invites UPN of the external user to the shared channel. *For this reason, Team ownership should be granted carefully*
  • The B2B direct connect user has single sign-on access using credentials from their home tenant.
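The admin-side steps above (cross-tenant access settings and inbound trust) are an API configuration on each tenant. The script below is an added example, not code from the original post or from Microsoft, showing how to do that with the Microsoft Graph PowerShell SDK against the v1.0 `crossTenantAccessPolicy/partners` endpoint: it scopes direct connect inbound and outbound to one security group per side and to Office 365 only, accepts the partner's MFA claim but not their device claims, and then audits all partner entries for the wide-open `AllUsers`/`AllApplications` targets. The tenant ID and group IDs are placeholders you must replace; the partner tenant has to run the mirror-image configuration.

```powershell
# Added example (not from the original post): scope B2B direct connect for one partner
# tenant and audit all partners for over-broad settings. Requires the Microsoft Graph
# PowerShell SDK and the Policy.ReadWrite.CrossTenantAccess permission.

# Assumptions: placeholder IDs, replace with your own values
$PartnerTenantId   = '00000000-0000-0000-0000-000000000000'   # partner's tenant ID
$OurProjectGroupId = '11111111-1111-1111-1111-111111111111'   # group in OUR tenant allowed to join the partner's shared channels
$PartnerGroupId    = '22222222-2222-2222-2222-222222222222'   # group in the PARTNER tenant allowed into our shared channels

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'
$partnerUri = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners'

# Build an access-settings block limited to a single group and to the Office 365 application,
# instead of the AllUsers / AllApplications targets that the default settings may carry.
function New-ScopedAccessSetting {
    param([string]$GroupId)
    return @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = $GroupId; targetType = 'group' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'Office365'; targetType = 'application' })
        }
    }
}

$body = @{
    tenantId                 = $PartnerTenantId
    # Inbound: which partner users may reach our shared channels (the group lives in the partner tenant)
    b2bDirectConnectInbound  = New-ScopedAccessSetting -GroupId $PartnerGroupId
    # Outbound: which of our users may join the partner's shared channels (the group lives in our tenant)
    b2bDirectConnectOutbound = New-ScopedAccessSetting -GroupId $OurProjectGroupId
    # Inbound trust: accept the partner's MFA claim so Conditional Access does not double-prompt,
    # but do not accept device claims until their device posture has been agreed.
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# Create the partner entry (use PATCH on "$partnerUri/$PartnerTenantId" if the partner already exists)
Invoke-MgGraphRequest -Method POST -Uri $partnerUri -ContentType 'application/json' `
    -Body ($body | ConvertTo-Json -Depth 10)

# Audit: warn about any partner whose direct connect settings allow every user or every application
$partners = (Invoke-MgGraphRequest -Method GET -Uri $partnerUri).value
foreach ($p in $partners) {
    foreach ($direction in 'b2bDirectConnectInbound', 'b2bDirectConnectOutbound') {
        $s = $p.$direction
        if ($null -eq $s) { continue }   # null means the partner inherits the tenant default settings
        $allUsers = ($s.usersAndGroups.accessType -eq 'allowed') -and
                    ($s.usersAndGroups.targets | Where-Object { $_.target -eq 'AllUsers' })
        $allApps  = ($s.applications.accessType -eq 'allowed') -and
                    ($s.applications.targets | Where-Object { $_.target -eq 'AllApplications' })
        if ($allUsers -or $allApps) {
            Write-Warning ("Partner {0}: {1} allows AllUsers={2} AllApplications={3}; consider scoping to a group." -f
                $p.tenantId, $direction, [bool]$allUsers, [bool]$allApps)
        }
    }
}
```

Run the audit part on its own before changing anything; a partner entry with `AllUsers` in the outbound direction means any of your users can be pulled into that partner's shared channels, which is exactly the case the note about granting Team ownership carefully is trying to contain.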
Reporting
  • External active users (new) shows the number of active users from external organizations who perform an action in a resource, such as a shared channel in a team. External users have their own identities in different tenants and aren’t reported as a guest account. Teams user activity reports show the email addresses of the users who are “external” and the shared channels of which they are a part.
Notes/Issues
  • Existing Teams channels cannot be converted to shared channels at this time. They can only be recreated as shared channels.
  • Access reviews should be set up and Team owners occasionally asked to confirm membership.
  • Purview DLP controls can be put in place in the channels to keep external entities from downloading sensitive information.
2. B2B Collaboration with Guest Access
  • B2B collaboration is a way to invite External Identities to collaborate with your organization as “Guests.”
  • External people can be invited, then use one of several identity providers to authenticate access to your tenant (i.e. AAD acct, social identities, or One Time Passwords), shown below:
  • B2B collaboration users are represented in your directory as “Guest” users.
  • This method allows access to more apps (rather than just channels and files within Teams) but requires managing the external user in your Azure AD tenant.
  • B2B Guests can easily have access to all Microsoft Apps and, with some configuration work, be provisioned to use other SaaS or LOB applications.
  • With B2B collaboration, you can securely share your company’s applications and services with external users, while maintaining control over your own corporate data.
  • The feature is free for the first 50,000 guests.
  • This method trusts the external entities less than option 1, but does require users to switch tenants. (See the Trust row in the table at What is a multi-tenant organization in Microsoft Entra ID (formerly known as Azure AD)?) You can either trust the partner organization’s login legitimacy (see below), or force conditions on their access similar to the way you might enforce MFA for your own employees.
  • Admins have some granularity (note this screenshot was taken during Public Preview and may be changed) to keep the wild west from taking over.
  • But access reviews and governance should be used to expire dormant or irrelevant accounts.
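Since this option puts the guest object in your own directory, the lifecycle work the bullets above describe (invite, then expire dormant accounts) is yours. The script below is an added example, not code from the original post or from Microsoft, using the Microsoft Graph PowerShell SDK: it issues one B2B collaboration invitation with `New-MgInvitation`, then builds a report of guests who have not signed in for 90 days (or never accepted their invitation), which is the input a Team owner or an access review needs to confirm or remove them. The address, redirect URL and 90-day threshold are placeholders; `signInActivity` requires the AuditLog.Read.All permission and a Microsoft Entra ID P1 or P2 license.

```powershell
# Added example (not from the original post): invite one B2B collaboration guest and
# report dormant guests for review. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All', 'AuditLog.Read.All'

# 1. Invite an external user as a Guest. The guest keeps authenticating with their own
#    identity provider (or a one-time passcode); only a guest object is created here.
$inviteParams = @{
    InvitedUserEmailAddress = 'partner.user@example.com'     # placeholder address
    InvitedUserDisplayName  = 'Partner User (Guest)'        # placeholder name
    InviteRedirectUrl       = 'https://myapps.microsoft.com' # where the guest lands after redemption
    SendInvitationMessage   = $true
}
$invitation = New-MgInvitation @inviteParams
"Invited $($invitation.InvitedUserEmailAddress); status: $($invitation.Status)"

# 2. Dormant-guest report: guests with no sign-in for 90 days, or never signed in at all
$threshold = (Get-Date).AddDays(-90)   # assumption: 90 days counts as dormant
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property 'id,displayName,mail,createdDateTime,externalUserState,signInActivity'

$dormant = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    # A guest who never signed in (pending or ignored invitation) is measured from creation
    $reference = if ($last) { $last } else { $g.CreatedDateTime }
    if ($reference -lt $threshold) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            State       = $g.ExternalUserState   # PendingAcceptance or Accepted
            LastSignIn  = $last                  # empty = never signed in
            Created     = $g.CreatedDateTime
            Id          = $g.Id
        }
    }
}
$dormant | Sort-Object LastSignIn | Format-Table -AutoSize

# 3. Optional follow-up: disable rather than delete first, so a wrongly flagged guest is recoverable
# foreach ($d in $dormant) { Update-MgUser -UserId $d.Id -AccountEnabled:$false }
```

A pending invitation that is older than a few weeks is worth treating like a dormant account: the guest object already exists in your directory, and the redemption link remains usable until the object is removed.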
User Experience

If relying only on B2B collaboration (or Cross-tenant Sync), an external user appears as a ‘Guest’ in Teams.

3. Cross-Tenant Synchronization
  • For M&A and multi-tenant orgs (e.g. government agencies within a state or large municipality), cross-tenant synchronization automates creating user accounts across tenants in your organization.
  • Users across your organization can access applications regardless of the tenant where they are hosted, including Microsoft and 3rd party applications.
  • The sync process leverages Azure AD B2B functionality.
  • One major benefit is that users will be automatically updated and removed when they leave their organization.
  • Cross-tenant synchronization only recently became generally available. It is being used for basic sync operations such as creating, updating, and deleting users and keeping user data updated in the target tenants, but it doesn’t synchronize groups, devices, or contacts.
  • It doesn’t improve the current Teams or Microsoft 365 experiences like Shared Channels. Synchronized users will have the same cross-tenant Teams and Microsoft 365 experiences available to any other B2B collaboration user.

Conclusion

There’s no panacea to fully address the needs of end-users, system administrators, and CISOs when it comes to external collaboration. However, the emerging options are showing positive momentum.

Typically, decisions like this must balance the tradeoff between security and productivity. For instance, to approach the concept of zero trust, B2B Collaboration (Option 2) is the best choice. Option 1 (shared channels) is the best choice if the user experience is paramount, but only works for Teams.

You can mix and match. For instance, you might need to use B2B Collaboration if the external entity is a sole proprietor (contractor) using Gmail, or if the external org is too small to have an IT department. In the meantime, sister companies or agencies can also set up Cross-Tenant Synchronization. Expect improvements over time – one can envision each technique leveraging some capabilities of the others, since AAD is the common backplane.

CISOs and CIOs should make policy decisions that guide a system administrator’s implementation choices. External entities are another vector to take into close consideration. Decision matrices for unique organizations would be prudent.

Finally, you can view the comparison between the 3 methods, and keep an eye on this blog for announcements and updates. 

Still unsure as to what options are right for your organization? Needing help auditing and implementing some of these processes within your current environment? Complete the form below to set up some time with our team to further discuss your specific business needs. 

Chris Stegh

CTO & VP of Strategy - eGroup | Enabling Technologies

Last updated on August 6th, 2023 at 04:44 pm