Granting external users access to your resources while maintaining security can be quite the challenge. Efficiently granting access to external suppliers and collaborators is essential for organisations, as it allows them to leverage the specialised skills of their partners. However, these external users often lack the same onboarding, offboarding, and governance procedures as internal employees.
Many organisations still provide external users with access by creating a local account within their directory and giving them username and password logins. The downside of this approach is that it introduces an extra set of credentials that the security team needs to protect and manage. Additionally, this method disassociates the partner’s access from their own company. This means that if users leave their original organisation, they may still retain access to your systems, posing a significant security threat. In this blog post, we will explore what Azure B2B (now Entra B2B) is and how it can help facilitate collaboration with external partners without increasing security risks.
What is Azure Active Directory?
Azure Active Directory (Azure AD) is the core of identity management services and features in Azure. It offers traditional username and password identity management, allowing users to be created in Azure AD manually using the Azure portal or programmatically using the Azure SDK, PowerShell, and the Graph API.
Azure AD also offers roles and permission management, known as role-based access control (RBAC), to give access and permissions to various resources in Azure, such as management and resource groups, databases, applications, and more. In addition, Azure AD provides enterprise-grade solutions, such as multifactor authentication (MFA), application monitoring, solution monitoring, and alerting. Azure AD can easily be integrated with your on-premises Active Directory to create a hybrid infrastructure.
What is Azure B2B?
Azure AD B2B is a feature of Azure AD that facilitates seamless and secure collaboration with external users. By using the Azure B2B invitation manager API, you can create a shadow user object in your directory and provision access while linking this access to the partner’s company identity.
During authentication, the user will identify with their company account. You maintain full control over their access permissions and your corporate data. Azure AD B2B is suitable for partners of any size, regardless of whether they have Azure AD or an IT department.
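As an added example (not code from the original post or from Microsoft), the script below shows what the invitation step looks like when driven through the Microsoft Graph invitation API rather than the portal: it builds the request body for POST https://graph.microsoft.com/v1.0/invitations, refuses to invite anyone whose home domain is not on an approved-partner allowlist, and reads the essentials of the resulting guest (shadow) object out of the reply. The allowlist, the addresses, the placeholder object id and the sample response are all constructed for the demonstration; no network call is made.

```python
"""Build a Graph B2B invitation request and interpret its response (offline).

Added example, not from the original post or from Microsoft. The request body
follows the Graph `invitation` resource; the partner allowlist, e-mail
addresses and sample response below are constructed for the demonstration.
"""
import json
import re
from urllib.parse import urlparse

GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Constructed allowlist: only partners whose home tenant we have agreed to
# collaborate with may be invited. Rejecting here means no shadow user object
# is ever created in our directory for an unapproved domain.
ALLOWED_PARTNER_DOMAINS = {"contoso.com", "fabrikam.com"}


def is_approved_partner(email, allowed_domains=ALLOWED_PARTNER_DOMAINS):
    """True when `email` is well formed and its domain is on the allowlist."""
    match = EMAIL_RE.match(email)
    if not match:
        return False
    return match.group(1).lower() in {d.lower() for d in allowed_domains}


def build_invitation(email, redirect_url, allowed_domains=ALLOWED_PARTNER_DOMAINS,
                     message=None):
    """Return the JSON body for POST /invitations, or raise ValueError.

    Guards applied before anything reaches Graph:
      * the address must be valid and its domain an approved partner
      * the post-redemption redirect must be an absolute https URL
    """
    if not is_approved_partner(email, allowed_domains):
        raise ValueError(f"{email!r} is not from an approved partner domain")
    parsed = urlparse(redirect_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("inviteRedirectUrl must be an absolute https URL")

    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": True,   # let Azure AD e-mail the invitation
    }
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def shadow_user_from_response(response_json):
    """Pull out what we need to track the new guest object from the Graph reply."""
    return {
        "object_id": response_json["invitedUser"]["id"],
        "email": response_json["invitedUserEmailAddress"],
        "status": response_json["status"],   # "PendingAcceptance" until redeemed
    }


if __name__ == "__main__":
    body = build_invitation("alice@contoso.com", "https://myapps.microsoft.com",
                            message="Welcome to the shared project workspace")
    print("POST", GRAPH_INVITATIONS_URL)
    print(json.dumps(body, indent=2))

    # Constructed stand-in for the Graph response; the id is a placeholder.
    sample_response = {
        "invitedUserEmailAddress": "alice@contoso.com",
        "status": "PendingAcceptance",
        "inviteRedeemUrl": "https://login.microsoftonline.com/PLACEHOLDER",
        "invitedUser": {"id": "00000000-0000-0000-0000-000000000001"},
    }
    print(shadow_user_from_response(sample_response))

    try:
        build_invitation("someone@unapproved.example", "https://myapps.microsoft.com")
    except ValueError as err:
        print("rejected:", err)
```

Sending the request needs a token with the User.Invite.All permission; keeping the allowlist check in front of the call is what turns "anyone with the role can invite anyone" into a policy you can review.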
Benefits of Azure B2B
Azure B2B offers a robust and versatile solution for managing external collaboration and access. By leveraging Azure B2B, organisations can enjoy numerous benefits that enhance productivity, security, and control. Here are some of the key advantages:
1. Integration with Office 365
Azure B2B is fully integrated into Office 365 apps, making it easy to share rich experiences.
2. Compatibility with Custom Apps
It works seamlessly with custom apps and resources that use Azure AD, allowing guests to access your custom business applications and third-party applications.
3. Seamless Collaboration
Azure B2B enables smooth collaboration between your organisation’s users and trusted guests from external organisations.
4. Secure Access
External users can sign in with their own credentials and securely access shared resources and applications.
5. Full Control
You maintain complete control over what external users can access, ensuring your data remains protected.
How Does Azure B2B Authentication Work?
Azure B2B authentication works by linking external users’ access to their own organisation’s credentials. When an external user is invited to collaborate, they receive an email invitation. Upon accepting, they authenticate using their home organisation’s identity provider. Azure AD then creates a shadow account for the user in your directory, allowing you to manage their permissions and access without having to manage their credentials.
In essence, Azure AD B2B provides a robust solution for organisations looking to collaborate securely with external partners. By integrating external users through their existing credentials, Azure B2B minimises security risks and simplifies access management. This makes it an ideal choice for any organisation aiming to enhance collaboration while maintaining a strong security posture.
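The shadow accounts still live in your directory, so the offboarding gap described in the introduction does not disappear on its own: an invitation that is never redeemed, or a guest whose home tenant has since disabled them, leaves an object behind. The following is an added example (not from the original post) of a periodic guest review. It works on user records shaped like the Graph `user` resource (`userType`, `externalUserState`, `externalUserStateChangeDateTime`, `createdDateTime`, `signInActivity.lastSignInDateTime`); in production they would come from `GET /users?$filter=userType eq 'Guest'`, and reading `signInActivity` requires the AuditLog.Read.All permission. The records, the thresholds and the reference date below are constructed.

```python
"""Review B2B guest (shadow) accounts for unredeemed invitations and dormancy.

Added example, not from the original post. Records are constructed to mirror
the fields Graph returns for guest user objects; no network call is made.
"""
from datetime import datetime, timedelta, timezone

PENDING_MAX_DAYS = 30   # an invitation not redeemed within this window is stale
DORMANT_MAX_DAYS = 90   # an accepted guest with no sign-in for this long is dormant

# Constructed reference date for the review.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed records. Guest UPNs take the <mail>_<domain>#EXT#@<tenant> form
# that Azure AD assigns to invited users; the ids are placeholders.
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "externalUserStateChangeDateTime": "2024-02-01T09:00:00Z",
     "createdDateTime": "2024-01-30T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T10:00:00Z"}},
    {"id": "u2", "userPrincipalName": "bob_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-03-01T12:00:00Z"},
    {"id": "u3", "userPrincipalName": "carol_partner.example#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "externalUserStateChangeDateTime": "2023-11-01T08:00:00Z",
     "createdDateTime": "2023-10-30T08:00:00Z"},
    {"id": "u4", "userPrincipalName": "dave_partner.example#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "externalUserStateChangeDateTime": "2023-12-01T08:00:00Z",
     "createdDateTime": "2023-11-28T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-15T16:30:00Z"}},
    {"id": "u5", "userPrincipalName": "erin@fabrikam.onmicrosoft.com",
     "userType": "Member", "createdDateTime": "2020-01-01T00:00:00Z"},
    {"id": "u6", "userPrincipalName": "frank_contoso.com#EXT#@fabrikam.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-05-25T12:00:00Z"},
]


def _parse(ts):
    """Parse a Graph ISO-8601 timestamp (with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def audit_guests(users, now=NOW):
    """Return (userPrincipalName, object id, reason) for guests needing review.

    Members are skipped: they are covered by the normal joiner/leaver process,
    which is exactly what external guests lack.
    """
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        upn, oid = u["userPrincipalName"], u["id"]
        if u.get("externalUserState") == "PendingAcceptance":
            created = _parse(u.get("createdDateTime"))
            if created and now - created > timedelta(days=PENDING_MAX_DAYS):
                findings.append((upn, oid, f"invitation unredeemed for over {PENDING_MAX_DAYS} days"))
            continue
        last = _parse((u.get("signInActivity") or {}).get("lastSignInDateTime"))
        if last is None:
            accepted = _parse(u.get("externalUserStateChangeDateTime"))
            if accepted and now - accepted > timedelta(days=DORMANT_MAX_DAYS):
                findings.append((upn, oid, "accepted but never signed in"))
        elif now - last > timedelta(days=DORMANT_MAX_DAYS):
            findings.append((upn, oid, f"no sign-in for over {DORMANT_MAX_DAYS} days"))
    return findings


if __name__ == "__main__":
    for upn, oid, reason in audit_guests(SAMPLE_USERS):
        print(f"{upn}\n  id={oid}  reason: {reason}")
```

Each finding is a candidate for an access review or for deleting the guest object (DELETE /users/{id}); running this on a schedule gives external accounts the offboarding trigger that internal accounts get from HR.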
Enabling Azure AD B2B
Sign In
To begin enabling Azure AD B2B, sign in to the Azure portal using a global administrator account. Then, open the Azure Active Directory service. Select ‘External Identities’, then ‘External collaboration settings’.
Guest User Access
This is where you will select your guests’ user access level:
- Same access as members – Guests have full access to Azure AD resources.
- Default limited access – Guests have limited access to tasks and data.
- Restricted to own data – This is the most restrictive option, where guests can only access their own profiles.
Guest Invite
- Anyone can invite guests – Guests and non-admins can invite other guests.
- Members and select admins can invite – Specific members and admins with select roles can invite guests.
- Specific admins can invite – Admins with roles such as Global Administrators or Guest Inviter can invite guests.
- No one can invite – Most restrictive setting, where no one can invite guests.
External User Leave & User Flows
To allow users to sign up successfully, select ‘yes’ to enable guest self-service sign-up. The external user leave setting controls whether guests can remove themselves from your organisation; selecting ‘yes’ allows them to leave without needing an administrator’s permission.
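The guest access level and invite settings chosen above are also exposed through Microsoft Graph as the tenant’s `authorizationPolicy` (GET /policies/authorizationPolicy), where the access level is the `guestUserRoleId` GUID and the invite setting is `allowInvitesFrom`. Below is an added example (not from the original post) that maps those values back to the portal labels used above and checks a policy document against a minimum baseline. The three role GUIDs are the values I know to be documented for that resource and should be confirmed against the current Graph reference before being relied on; the policy documents in the script are constructed.

```python
"""Check external collaboration settings against a baseline (offline).

Added example, not from the original post. Reads the shape of the Graph
`authorizationPolicy` resource; the policy documents below are constructed.
The GUIDs are the documented guestUserRoleId values as I know them and should
be verified against the current Graph reference.
"""

# guestUserRoleId -> the label shown in the portal's collaboration settings.
GUEST_ROLE_LABELS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "Same access as members",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "Default limited access",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "Restricted to own data",
}
# allowInvitesFrom -> portal label.
INVITE_LABELS = {
    "everyone": "Anyone can invite guests",
    "adminsGuestInvitersAndAllMembers": "Members and select admins can invite",
    "adminsAndGuestInviters": "Specific admins can invite",
    "none": "No one can invite",
}
# Least to most restrictive, so settings can be compared against a baseline.
GUEST_ROLE_ORDER = ["Same access as members", "Default limited access",
                    "Restricted to own data"]
INVITE_ORDER = ["Anyone can invite guests", "Members and select admins can invite",
                "Specific admins can invite", "No one can invite"]


def describe_policy(policy):
    """Translate the raw policy values into the portal labels."""
    return {
        "guest_access": GUEST_ROLE_LABELS.get(policy.get("guestUserRoleId"), "unknown"),
        "invites": INVITE_LABELS.get(policy.get("allowInvitesFrom"), "unknown"),
    }


def assess_policy(policy, min_guest_access="Default limited access",
                  min_invite="Specific admins can invite"):
    """Return a list of findings where the policy is weaker than the baseline.

    The default baseline is the portal's default access level plus an invite
    setting that keeps guest creation with specific admin roles; adjust it to
    your own standard.
    """
    findings = []
    labels = describe_policy(policy)

    access = labels["guest_access"]
    if access == "unknown":
        findings.append(f"unrecognised guestUserRoleId {policy.get('guestUserRoleId')!r}; review manually")
    elif GUEST_ROLE_ORDER.index(access) < GUEST_ROLE_ORDER.index(min_guest_access):
        findings.append(f"guest access is '{access}', baseline requires at least '{min_guest_access}'")

    invites = labels["invites"]
    if invites == "unknown":
        findings.append(f"unrecognised allowInvitesFrom {policy.get('allowInvitesFrom')!r}; review manually")
    elif INVITE_ORDER.index(invites) < INVITE_ORDER.index(min_invite):
        findings.append(f"invite setting is '{invites}', baseline requires at least '{min_invite}'")
    return findings


if __name__ == "__main__":
    # Constructed policy documents: one permissive, one meeting the baseline.
    permissive = {"guestUserRoleId": "a0b1b346-4d3e-4e8b-98f8-753987be4970",
                  "allowInvitesFrom": "everyone"}
    baseline_ok = {"guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
                   "allowInvitesFrom": "adminsAndGuestInviters"}
    for name, pol in (("permissive", permissive), ("baseline_ok", baseline_ok)):
        print(name, describe_policy(pol))
        for finding in assess_policy(pol) or ["no findings"]:
            print("  -", finding)
```

Reading the policy needs the Policy.Read.All permission; the value of scripting the check is that a later change in the portal (for example, someone switching invites back to ‘Anyone can invite guests’) shows up in the next run rather than in an incident.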
Is Azure B2B Free?
Azure AD B2B pricing follows the External Identities model, based on monthly active users. It offers three tiers:
- Free Tier – 50,000 free MAU for Premium P1 and P2 features.
- Flexible Tiers – This lets you connect with customers and partners based on the usage and features you require.
- Predictable Tier – Pay only for what you use, with no extra charges.
This model is designed to provide flexible and cost-effective billing, with most customers utilising Azure AD External Identities for free.
Comparing Azure B2B to B2C
Azure AD offers two solutions: B2B and B2C. B2C, as a customer identity access management (CIAM) solution, supports millions of users, allowing sign-ins with external identities like Facebook or Gmail. It provides customisable sign-up, sign-in, and profile management options.
B2C is currently more customisable; however, B2B is rapidly gaining new features, such as API connectors and custom layouts. Microsoft may eventually merge their functionality into a single identity portal.
Contact CWSI Today
For over a decade, CWSI has played a crucial role in helping customers stay safe and secure. CWSI’s specialist expertise in the Microsoft stack has led them to become a selected member of the Microsoft Intelligent Security Association, which is an exclusive group of premier security partners. With three Microsoft Security Specialisations in Identity and Access Management, Information Protection and Governance, and Threat Protection, CWSI is your trusted Microsoft security partner. Get in touch with our security experts today to begin your Microsoft security journey.