blog

Automate Guest Onboarding with Microsoft Entra ID Identity Governance

Written by Nick Wages | 5/21/24 1:35 PM

Welcoming guests into your organization's digital space should be as seamless as greeting them at your front door. With Microsoft Entra ID Identity Governance, you can make guest onboarding not only efficient but also secure. In this post, we'll dive into how to automate guest onboarding using access packages, self-invite links, and connected organizations, allowing guests to use their own MFA policies. This is the first in our series on entitlement management—stay tuned for more!

Understanding Microsoft Entra ID Identity Governance

Imagine a smart security system that automatically manages access for everyone in your organization. That’s what Microsoft Entra ID Identity Governance does for your digital environment. It ensures the right people have the right access to the right resources at the right time. The main features include Access Packages, Policies, and Connected Organizations, all designed to simplify identity and access management. Together, these features can onboard your guests and offboard them automatically, keeping your environment in pristine condition. 

Setting up Cross-Tenant Access Settings

Before diving into access packages, it is essential to configure Cross-Tenant settings. This is how we will enable our guest users to use their own tenants MFA policies. If the guests don't have MFA configured, then our tenant's conditional access policies will force them to setup MFA. Win Win! It is best to hold the Global Admin role for these configuration settings. If the guest tenant is not an M365 tenant, you can skip these steps.

  1. Navigate to External Identities in the Entra ID Portal.
  2. Select Cross-Tenant Access Settings and click on "Add Organization"
  3. Enter the Domain Name of the guest organization

  1. Configure Inbound Access to allow the guest organization to use their MFA.
  2. Review and Save the settings to ensure proper configuration.

Setting up Connected Organizations

We need to setup a connected org to use in our access package in the next step. This is what is going to allow us to securely bind a self-invite link to our guest's organization.

  1. Navigate to Identity Governance - Entitlement Management
  2. Select Connected Organizations from the menu, then click "Add connected organization".
  3. Enter a name for this org and a description.
  4. On the Sponsors page, you will want to designate someone in your organization that is responsible for the relationship as the "Internal Sponsor".
  5. On the Sponsors page, you will want to designate someone in the guest organization who is responsible for the relationship with your organization. This person must be an existing guest in your tenant. You can skip this step if necessary.
  6. On the last page, review and create the connected organization.

Setting up Access Packages for Guest Onboarding

Now that we have our cross-tenant settings configured, it is time to set up our access packages. These packages streamline the process of granting guest access to resources, making onboarding and offboarding effortless and more secure. This is especially useful if you are working with a team of guests in different time zones or locations. The guests can simply use a link bound to their organization to invite themselves and get the access they need! This part gets pretty technical, hang in there! TL;DR?

What are Access Packages?

Think of access packages as custom-built welcome kits for your digital guests. These kits include everything they need to get started, from applications and groups to SharePoint sites. By defining resources, policies, and request types, access packages take the hassle out of managing access manually, ensuring your guests are ready to hit the ground running.

Configure an access package
  1. Navigate to Identity Governance - Entitlement Management
  2. Select Access Packages from menu and select "New access package"
  3. Create a name and description for the access package. Your guest users will see this name and description when they request access.
  4. Define the resources
    • You will be able to select Groups and Teams, Applications, SharePoint sites, and Entra ID roles
    • Forgot something? Requirements changed? - Adding or removing resources is retroactive, and will affect all users who currently have the access package assigned!
    • It is recommended to assign guests directly to applications instead of to groups that give access to applications to speed up onboarding

  5. Configure Requests
    • Select "For users not in your directory"
    • Select "Specific connected organizations"
    • Select "Add Directories" under Select connected organizations and select the desired guest organization.
    • Choose whether to require approvals.
    • Finally enable new requests.

  1. Configure requestor information
    • Here you can configure questions or attributes you want to collect from the requester. These answers will be tied to the users request.
    • We will leave this section blank in this tutorial.
  2. Configure lifecycle
    • Configure the expiration of access for the access package
    • We can set a specific date (ex: project end date), number of days, hours, or never
    • Set assignment expiration. For long term partners, we recommend 90 days.
    • Select "Show advanced expiration settings"
    • Here we can set if users can extend access beyond our initial assignment
    • Enable access reviews
      • We recommend monthly access reviews
      • 7 day duration
      • Set the Internal Sponsor as the reviewer
      • Select "Show advanced access review settings"
      • Select "Take recommendations" - Microsoft will recommend if the guest should keep access or not based on usage of the guest account
      • Select "No" for reviewer justification - This keeps your internal sponsor from hating your guts.

  1. Configure Custom Attributes
    • We might cover this in a future blog post, but these attributes can be passed into workflows like Logic Apps to allow things like Active Directory user account creation and more!
  2. Review the access package and create it!
    • Once the access package is created a URL for the "My Access Portal" will be generated. This is the URL that you can provide to your guests for them to self invite to your organization!
    • You can return to the access package at any time to get the URL.

Using Self-Invite Links

Now that the access package is configured, you can distribute the guest invite link to the guest organization. This URL is bound specifically to a user guest's domain, and can't be used by any other organization. We can also remove the access package and its access at any time.

  • Send the link to your guest contact or "External Sponsor".
  • Guest clicks the link, and is prompted to register their account in your organization.
  • Guest uses their own MFA policies to complete the process.
  • Guests receive instant access to resources without any manual intervention!

Licensing Requirements

Understanding Microsoft licensing can feel complex, but, luckily, we can help with that!  These features require Entra ID Governance license(s). You can check out Microsoft's documentation for more details.

Best Practices for Managing Guest Access

Effectively managing guest access is crucial to maintaining security and efficiency. Regularly review and update your access packages to ensure they meet current needs. Monitor guest activity through audit logs and set alerts for critical actions. Conduct periodic access reviews to verify the necessity of continued access. Communicate clearly with guests about onboarding processes and usage policies. Enforce Multi-Factor Authentication (MFA) and use conditional access policies tailored to the sensitivity of resources. Automate offboarding to deactivate access when it's no longer needed, and regularly clean up inactive guest accounts to minimize security risks.

Conclusion

Automating guest onboarding with Microsoft Entra ID Identity Governance transforms a complex process into a streamlined, secure, and user-friendly experience. By leveraging cross-tenant access settings, connected organizations, and access packages, you can ensure that your guests are onboarded efficiently while maintaining robust security standards. Implementing best practices for managing guest access further enhances your organization’s security posture and operational efficiency.

Stay tuned for the next post in our series on entitlement management, where we'll dive deeper into other powerful features of Microsoft Entra ID Identity Governance.

If you need assistance with setting up and managing your identity governance, contact us below!

 

 
View full post