External user accounts in Azure Active Directory (AD) provide capabilities that keep your business integrated with partners, vendors, or clients in a secure and manageable way. Azure AD is Microsoft’s multi-tenant cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. This blog post will talk about how to manage these external user accounts as required by the SC-300 Microsoft Identity and Access Administrator exam.
Creating External User Accounts in Azure AD
To manage external user accounts in Azure AD, identity administrators must first understand how to create these accounts. There are three methods available to create an external user account:
- Direct addition
- Invitation
- External Identities self-service sign-up
- Direct addition: Direct adds are when administrators manually enter a user's information into Azure AD. The drawback of this method is that it does not scale, so it is best suited for small numbers of users.
- Invitation: The Azure AD B2B collaboration invitation process allows businesses to invite external users to join their directories.
- External Identities self-service sign-up: With this approach, businesses can customize sign-up user flows for external users, and users can sign themselves up for an app.
Managing External User Accounts in Azure AD
For managing external user accounts, Azure AD offers a range of options such as:
- Assigning user roles
- Assigning group membership
- Superseding invitation features
Assigning User Roles
Most of the permissions that you can assign can also be assigned to external users. However, administrators are restricted from providing some roles to external users. For example, you cannot assign the Global Administrator role to an external user.
Assigning Group Membership
Azure AD allows you to add external users to any security group or Office 365 group, making it easier to manage multiple users with the same permissions and roles.
Superseding Invitation Features
Azure AD also provides several superseding invitation features as a part of external user management. These include:
- Redemption Status: This attribute indicates whether the invited user has accepted the invitation.
- Invited User Email Address: The address the invitation is sent to; you send out an invitation by setting the "invited user email address" attribute.
- Invited User Message Info: This is a custom message that appears in an invitation.
- Invite Redirect URL: The URL to which a user is directed when they complete the invitation acceptance process.
Deleting External User Accounts
Azure AD also allows administrators to delete external user accounts. You can remove users from your Azure AD in the Azure portal by following the standard user deletion process.
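As an added example (not part of the original post), the following Microsoft Graph PowerShell script finds guest accounts whose invitation was never redeemed and is older than a threshold, so an administrator can review and remove them. It assumes the Microsoft.Graph.Users module is installed and the signed-in administrator holds the User.ReadWrite.All permission; the 30-day threshold is a constructed value.

```powershell
# Added example, not the original post's code: list stale, never-redeemed guest
# invitations and preview their deletion.
# Assumes the Microsoft.Graph.Users module and User.ReadWrite.All consent.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$staleAfterDays = 30   # constructed threshold; align with your collaboration policy
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

# externalUserState stays "PendingAcceptance" until the guest signs in for the first time,
# which is the redemption status the post describes.
$pendingGuests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property @("id", "displayName", "mail", "createdDateTime", "externalUserState") |
    Where-Object {
        $_.ExternalUserState -eq "PendingAcceptance" -and $_.CreatedDateTime -lt $cutoff
    }

# Review the candidates before anything is removed.
$pendingGuests |
    Select-Object DisplayName, Mail, CreatedDateTime, ExternalUserState |
    Format-Table -AutoSize

# -WhatIf only previews the deletions; drop it once the list has been reviewed.
foreach ($guest in $pendingGuests) {
    Remove-MgUser -UserId $guest.Id -WhatIf
}
```

A deleted user lands in the directory's deleted items and can be restored for 30 days, which gives a safety net if a still-needed guest is removed by mistake.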
Example: Adding an External User in Azure AD
To get started with managing external user accounts, the following example demonstrates how to add an external user:
```text
Azure portal > Active Directory > Users > New guest user
```
Then fill in the required fields (Name, Email address, etc.), and click “Invite.”
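The same invitation can be sent from the Microsoft Graph PowerShell SDK, which exposes the invitation attributes listed above (invited user email address, message info, redirect URL and redemption status) directly. This is an added example rather than code from the original post; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed and that User.Invite.All and User.Read.All can be consented, and the email address and message text are constructed sample values.

```powershell
# Added example, not the original post's code: invite a guest with the Graph
# PowerShell SDK and read back the redemption status.
# Assumes Microsoft.Graph.Identity.SignIns / Microsoft.Graph.Users and the scopes below.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

# Constructed sample values: replace with the partner's address and your app's URL.
$inviteeEmail = "partner.user@example.com"
$redirectUrl  = "https://myapps.microsoft.com"

$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $inviteeEmail `
    -InvitedUserDisplayName "Partner User" `
    -InviteRedirectUrl $redirectUrl `
    -InvitedUserMessageInfo @{ CustomizedMessageBody = "You have been invited to collaborate on the project portal." } `
    -SendInvitationMessage

# The returned invitation carries the redemption status ("PendingAcceptance" until the
# guest signs in) and the guest user object that was created in the directory.
"Invitation status : $($invitation.Status)"
"Guest object id   : $($invitation.InvitedUser.Id)"

# Later, check redemption status on the guest account itself.
Get-MgUser -UserId $invitation.InvitedUser.Id `
    -Property @("displayName", "userType", "externalUserState", "externalUserStateChangeDateTime") |
    Select-Object DisplayName, UserType, ExternalUserState, ExternalUserStateChangeDateTime
```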
To conclude, managing external user accounts is a key aspect of Azure AD and a critical area of focus in the SC-300 Microsoft Identity and Access Administrator exam. Understanding how to create accounts, assign roles, and manage them over their lifetime significantly improves the security and integration of your IT ecosystem.
Practice Test
True or False: Azure Active Directory B2B collaboration allows you to work with external users and organizations.
- True
- False
Answer: True
Explanation: Azure Active Directory (Azure AD) B2B collaboration is a feature that allows you to invite external users to collaborate with your organization.
Multiple Select: Which of the following operations require administrative privileges? (Choose two.)
- a) Creating an external user account
- b) Changing the password for an external user
- c) Assigning roles to an external user
- d) Modifying the profile information of an external user
Answer: a, c
Explanation: Administrative privileges are necessary to create new user accounts and assign roles. The other operations can be carried out by the users themselves.
Single Select: Which feature allows administrators to govern access of Azure resources based on the risk level of the user?
- a) Conditional Access
- b) Azure AD Connect
- c) IAM role assignment
- d) Azure AD B2C
Answer: a) Conditional Access
Explanation: Conditional Access is an Azure Active Directory capability that allows admins to implement automated access control decisions for accessing cloud apps based on conditions.
True or False: You can assign Azure AD roles to external guest users.
- True
- False
Answer: True
Explanation: Azure AD supports assigning roles to guest users just as for members. However, it’s a best practice to assign minimum necessary permissions.
Single Select: What is the default limit for B2B guest users in Azure AD?
- a) 250,000
- b) 500,000
- c) 1,000,000
- d) There is no default limit
Answer: d) There is no default limit
Explanation: As of March 2021, Microsoft removed the default limit on the number of B2B guests.
True or False: An external user can be a member of more than one directory.
- True
- False
Answer: True
Explanation: External users may be invited to multiple directories as guests and can switch their active directory from the profile menu.
Multiple Select: What are privileges of the Global administrator role? (Choose two.)
- a) Manage all aspects of Azure AD and Microsoft services
- b) Manage user accounts and profile settings
- c) Assign roles to other admins
- d) All of the above
Answer: a, c
Explanation: The Global admin role in Azure AD allows an administrator to manage all aspects of Azure AD, assign roles to other admins, and much more.
True or False: You cannot assign the built-in Azure AD roles to the service principal.
- True
- False
Answer: False
Explanation: In Azure, you can assign the built-in Azure AD roles to a service principal, which is a security identity used by applications or services.
Single Select: Who can invite guest users to an Azure AD directory?
- a) User
- b) Guest User
- c) Global admin
- d) All of the above
Answer: d) All of the above
Explanation: By default, all users, guest users, and global admins can invite guest users to the tenant’s Azure AD directory. The ability to invite guest users can be restricted by changing the settings.
True or False: You can use Azure AD Access Reviews to review the access of external users.
- True
- False
Answer: True
Explanation: Azure AD Access Reviews enable administrators to manage and control user access efficiently, which includes external guest users as well.
Interview Questions
What is Azure AD B2B collaboration?
Azure AD B2B collaboration allows an organization to share its applications and services with guest users from any other organization, while keeping control over its own corporate data.
True or False: To invite a guest user to your organization, you need an Azure AD Premium license.
False. You can invite guest users to your organization with the free edition of Azure AD.
What does the term ‘External user’ refer to in Azure AD?
‘External users’ in Azure AD are users who are not employees or onsite agents of the business. They can include partners, customers, vendors, or other external parties with which the organization has a business relationship.
Can a guest user see all the directories in the organization in Azure AD?
No, guest users only have access to the resources that the organization has shared with them. They cannot see all the directories in the organization as it could pose a security risk.
What is the purpose of the Guest Inviter role in Azure AD?
The Guest Inviter role in Azure AD is responsible for adding guests to the directory, inviting guests, and managing invitations.
How do you configure self-service sign-up for external users in Azure AD?
You can configure self-service sign-up for external users by using Azure Active Directory B2B collaboration. This allows guest users to sign up for an application themselves and then the appropriate admin approvals can be collected.
What does Azure AD Access Reviews feature do?
Azure AD’s Access Reviews feature provides an efficient way to review and monitor access rights of users. This is useful especially for managing external user access because it provides insights into who has access to what resources and if that access is still needed.
What is Azure AD B2C?
Azure AD B2C (Business to Customer) is an identity management service that enables customization and control over how customers sign up, sign in, and manage their profiles when using your applications.
How do you remove an external user’s access rights in Azure AD?
An external user’s access rights can be removed by deleting the guest account from Azure AD or by removing their memberships from any groups or apps they had access to.
How do you restrict external collaboration in Azure AD?
To restrict external collaboration in Azure AD, you can use the Azure portal and set a rule in the ‘External Collaboration settings’ in the Azure AD section. You can either block guests from specific domains or allow guests only from certain domains.
Can an external user be an owner of an Azure AD object such as an application or a group?
Yes, external users can be assigned as the owner of an Azure AD resource, such as a group, an application, or a service principal.
What entities are audited in Azure AD for external users?
Actions like invitation of a new guest user, redemption of an invitation, updates to guest user properties, etc. are audited in Azure AD for external users.
Can you convert a guest user to a member in Azure AD?
Yes, you can change a guest user’s UserType from ‘Guest’ to ‘Member’ in Azure AD. This way, they can access resources just like any other member of the Azure AD tenant.
Can external users modify their metadata in Azure AD?
No, external users cannot modify their metadata in a host tenant. Only a limited subset of the profile, such as mobile phone, other phone numbers, and thumbnail photo, can be edited by the external users themselves.
How is a Guest user redeemed in Azure AD?
A guest user is redeemed in Azure AD when they accept the invitation and sign in for the first time.