In this post I’d like to talk about Azure Active Directory, how guest users are created and how best to manage them. Azure Active Directory is one of the components that covers your entire business included with Office365, Power BI and other Azure assets. Azure Active Directory is the identity backbone of the Microsoft cloud.
We’ve worked with many customers that need to support external users in their environment for a variety of reasons, such as Power BI Embedded, to share assets with business partners in multiple active directory domains within the environment. The B to B functionality in Azure Active Directory is the solution to these scenarios.
Here are 3 key things to know about guest users in Azure Active Directory:
1. Tools in the Microsoft cloud can create guest users without necessarily asking your permission. For example, Power BI has multiple mechanisms, including email and sharing, which are simply button clicks. They can allow users with Pro licenses to share with users outside of your organization.
This is done though an invitation to allow a guest user to be added to your Azure Active Directory. Depending on the Microsoft cloud product, you may have a variety of ways to lock this down or change it. However, you can always trump the apps by using Azure Active Directory. I recommend managing those permissions, or at least the permissions allowing who can share with guest users, which can be set in Active Directory.
2. Guest users can be added to a security user group and should be. It’s not uncommon or bad to have guest users in your environment, but you should be using Active Directory security groups to drop them into, so you can manage your permissions at a group level. I would not recommend blending groups between guest users and your normal domain users, but that’s for you to decide.
3. Guest users can come from any domain. You should know who your guests are; if you don’t recognize or know anything about their email domain, for instance, be careful. You must know and understand where those guest users come from and manage them accordingly, so they’re easy to identify in Active Directory and you know who has access to your assets.
Azure Active Directory is a powerful feature inside of Azure, but it’s important to know how to manage the B to B feature and how guest users are created. If you have any questions about this feature, Azure Active Directory in general, or anything Azure related, click the link below or contact us—we’d love to help.