As a consultant working with many different clients, I often need access to the client’s environment in order to get work done – things like deploying resources or checking existing configurations.
I see this all the time: I get full external guest access which somehow never gets revoked. Managing guests and temporary access accounts are something faced by every company, and yet we fail miserably to manage them well.
We have come a long way as an industry over the past 20 years, which have put us in the public cloud, and yet this still remains an issue. Why?
The problem is not in creating a new account and granting access. This is easy and we have been doing it for years.
It has gotten even easier with cloud access.
Need an account? Sure – no problem, do you have your Microsoft Account (or LiveID as we know it)? We will grant you access to our Azure subscription!
Not really – you get assigned as a global admin, and it is solved (based on real-life situations, you’ll be surprised to learn how many external people are granted domain admin and global admin privileges in organizations).
It is a broad subject, so let’s focus on the first task.
How to effectively manage external accounts in an organization for Azure cloud access?
The 411 on access:
Fair question! Yes, of course, you can. This is actually the first step to get your access under control.
Do not use multiple Azure AD tenants to manage your organization’s resources – unless you need to provide strict separation between services. Get them under a single Azure Active Directory. For existing Azure subscriptions you can do this by changing the default directory for the subscription.
Tip #1: Bring all your Azure subscriptions under the management of a single Azure Active Directory tenant. It will make your life much easier… Make it the second step in your operations after creating the Azure subscription.
In this video, I explain the relationship between Azure subscriptions and Azure AD tenant.
Right, that’s the first step – getting your Azure subscriptions under control.
To do this, you’ll need to provide them with an account or allow them to use their existing account to access your resources.
Which approach is better? Before we answer that, let’s start with the types of accounts available. Your choices are:
You create a dedicated account in your Azure AD tenant with a local username and password. It is similar to any other user in your tenant; you have to manage it and provide a username and password to your guest.
Your guest might already have an Azure AD account from a different organization. Or you can create one in a dedicated tenant which might be invited to join your tenant.
You can invite a user with a Microsoft Account to join your Azure AD tenant. These are consumer accounts, so use it as a last resort only.
Clearly, the best choice is always to use the option where you have the most control over accounts.
Tip #2: Always use organizational, Azure AD accounts to grant access to your Azure subscription and don’t use a consumer grade Microsoft Account. By doing it this way, you have more control over the accounts which are getting access to your Azure resources.
So, we’ve eliminated option three. You will only use organizational accounts to grant access to your Azure subscription (good decision!).
But now the question is, should you use a dedicated Azure AD tenant or invite users with their existing accounts? To answer that, I give you the following decision tree:
Simple. If the user has an existing Azure AD account, it means it’s managed by another organization. This includes password policies, access methods, lifecycle etc.
You might have noticed that I mentioned a dedicated Azure AD tenant a few times here.
If you remember the separated forests in your on-premises environment for managing accounts of external users, then this is basically the same concept.
You can establish a dedicated tenant for managing external accounts – let’s call it partners.predica.pl – through the standard tenant handling your enterprise users for a domain like predica.pl.
Separating your guest users from your production tenant gives you an additional layer of control and a security boundary. These users will not get the same access level as the standard users in your organization. You will have to invite them and assign access.
A little more admin overhead for more control. A good tradeoff, if you ask me.
At the dawn of Azure AD and while using the classic portal for managing Azure there was (and still is) an option available to invite guests in the account creation process.
Go to the classic Azure portal, Azure AD management, and start a new user creation process. The first step is to select the type of user or, better said, the source of authority. Your choices are:
Sounds simple, but the key problem here is to have admin credentials to both tenants. This is rarely the case.
It is 2017, do we need to use the CSV file? Is this the best we can do? Luckily for us – no! We can do better than this.
What is Azure AD B2B? Is it a separate type of directory? No, it is a function of Azure AD built to allow one organization to invite a user from another organization to work on the same applications and resources.
You are allowing the user access to your resources and applying your policies, while leaving the responsibility for managing the account lifecycle in its original organization.
Tip #3: Use Azure AD B2B as a way to invite users into your organization and Azure AD tenant for granting them access to your resources and applications.
In the new Azure portal, you can use Azure AD B2B directly from user management.
In this video, I will guide you through the process and explain different options and processes behind the scenes of Azure AD B2B and how you can control usage of this function in your organization.
How To Manage Users – Azure AD B2B
Getting back to this CSV file – do we have to use it? As you can see – no. CSV, however, allows us to add users in bulk.
In the final version of Azure AD B2B you can still do this, but through an invitation API rather than a CSV file. You can also integrate it into your onboarding process.
What? API? That means we need to write code! Don’t worry, for those who are not developers, use PowerShell cmdlet.
In this video, I will demonstrate how to use PowerShell to invite guest users into your organization.
PowerShell rescue – inviting guests to the cloud
Tip #4: Build your procedures around inviting guests.
Use an invitation API and PowerShell to automate this task so you don’t have to rely on the manual actions from administrators.
This scenario is not a theoretical one. It is what we use and practice on a daily basis at Predica.
Here’s the lowdown on the project we are working on for a manufacturing company:
Instead of creating a new set of accounts for them, they were invited to a target directory with Predica accounts using Azure AD B2B and were granted access to the necessary resources. Bam!
With Azure AD B2B they don’t have to maintain separate accounts, and they get the benefit of full SSO to target resources.
Stay tuned for my upcoming posts!
I covered security in GitHub last time. But some of you likely use Azure DevOps for building your products, so let’s t...
Sometimes it feels like I'm pushing too much with security and software development, but then you prove me wrong. Rec...