Simplifying Complexity: Guest User Management in Entra ID
Navigating the labyrinth of managing external B2B users or guest users in your Entra ID can be a daunting task. Picture this: thousands of guest users in your tenant, each requiring access to one or more of your applications. The question then arises: how do we manage these guest users effectively? How do we update their attributes such as phone numbers and contact information, or remove users who are no longer required to be part of your tenant?
With such a large number of guest users, the burden on the IAM/identity team can be overwhelming. The ideal solution would be to empower the invitee or the sponsor of the guest user to manage the respective guest users they invite. This flexibility would pave the way for more effective management.
In this edition of the newsletter, we will delve into the utilization of the Sponsor feature and Administrative Units in Entra ID to streamline this process.
Who is a Sponsor?
The Sponsor feature in Entra ID is a powerful tool designed to streamline the management of guest users in your organization.
Here’s a simple explanation: A “sponsor” is an individual or group that is responsible for a guest user. They understand why a guest account exists and can help manage the lifecycle of the user, ensuring they have access to the appropriate resources. This doesn’t grant administrative powers to the sponsor, but it can be used for approval processes in Entitlement Management. The Sponsor feature serves as a foundation for other scenarios that aim to provide a full governance lifecycle for external partners. For example, administrators can transfer sponsorship to another user or group if the guest user starts working on a different project.
For more detailed information, you can refer to the official Microsoft documentation on: Adding sponsors to a guest user in the Microsoft Entra admin center.
User Administrator privileges to Sponsors?
By default, sponsors in Entra ID do not possess administrative privileges to perform actions on user identities. The User Administrator role is necessary for making changes to Entra ID user identities, but assigning it to sponsors at the tenant level is definitely not a good idea: doing so would grant them the ability to modify attributes and manage all users in the tenant, which is not desirable.
The solution to this challenge lies in the use of Administrative Units in Entra ID. This feature allows for a more granular level of control, ensuring that sponsors can manage guest users effectively without compromising the overall security and integrity of the system.
What are Administrative Units in Entra ID?
Administrative Units in Entra ID are a powerful feature that provides a way to delegate administrative tasks within your organization. They act as containers for Entra ID resources, allowing you to group together users, groups, and other resources.
An Administrative Unit is a Microsoft Entra resource that can contain only users, groups, or devices. It serves as a container for these resources, enabling you to define any portion of your organization and restrict permissions in a role to that defined portion. This means you can delegate permissions to administrators of each unit in your organization, so they could control access, manage users, and set policies only within their respective units.
For more detailed information, you can refer to the official Microsoft documentation on: Administrative units in Microsoft Entra ID.
Administrative Units in Action:
Let’s consider a scenario where your organization collaborates with multiple external partners, each represented by a sponsor. Each sponsor invites guest users in your Entra ID tenant.
To manage this effectively, you could create separate Administrative Units for each external partner. Each Administrative Unit would contain the guest users invited by the respective sponsor. This way, each sponsor is only able to manage the guest users they have invited, without affecting other guest users in your tenant.
For example, let’s say you have two external partners: Company-1 and Company-2. The sponsors from these companies are Sponsor-A and Sponsor-B respectively.
This approach provides a clear separation of responsibilities and ensures that each sponsor can manage their guest users effectively, without interfering with each other's operations. It simplifies the management of guest users and reduces the burden on your IAM/identity team.
The Solution:
Let’s delve into the solution with a step-by-step approach -
The first step is to assign sponsors to the guest users, if not already assigned.
As you can see above for the Guest user, I have assigned my Test user as a sponsor.
The next step is to create the Administrative Unit as discussed in the earlier steps.
Here we assign the User Administrator role to my test user who is a sponsor for all guest users on-boarded from Company-1.
The next step is to create the administrative unit.
Now we would want our Administrative unit to be dynamically populated with the Guest users where the sponsor is my test user. This would ensure that all guest users for whom my test user is a sponsor are placed in the administrative unit. We can further create dynamic rules based on guest organization or other filters as desired.
But a challenge here is that Entra ID does not support the sponsor attribute being included in the dynamic query rule. More details here: Rules for dynamically populated groups membership - Microsoft Entra ID | Microsoft Learn
But we would still want the sponsor dynamic rule to be used. If you have had a chance to go through my earlier newsletter on Directory extensions (Entra ID Users & Groups : new Attributes | LinkedIn), you will recall that we can use directory extensions to create an attribute for the sponsor and then use it in our dynamic query rule.
The steps below define the Graph requests to create the extension and assign my test user as a sponsor using the same.
The next step is to include the custom extension properties in the dynamic query rule. First we need to provide the application ID of the app that was used to create the extensions.
Next, we use the extension.
Thus, the dynamic rule query would be something like the following -
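As an added example (not code from the original post), the Microsoft Graph requests behind the steps above in Python: registering the sponsor extension property, stamping it on a guest, building the dynamic rule, creating the dynamically populated unit, and the User Administrator assignment from the earlier step scoped to that unit rather than the whole tenant. The application ID, UPN and object IDs are constructed placeholders, and the functions only build the requests so they can be reviewed before being sent with any Graph client.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"
# Template id of the built-in User Administrator role (same in every tenant).
USER_ADMIN_ROLE_ID = "fe930be7-5e62-47db-91af-98c3a49a38b1"

def extension_attribute_name(app_id: str, name: str) -> str:
    """Graph names a directory extension 'extension_<appId without dashes>_<name>',
    using the application (client) id, not the app registration's object id."""
    return f"extension_{app_id.replace('-', '')}_{name}"

def create_extension_request(app_object_id: str, name: str) -> dict:
    """POST /applications/{objectId}/extensionProperties: a String extension on User."""
    return {"method": "POST",
            "url": f"{GRAPH}/applications/{app_object_id}/extensionProperties",
            "body": {"name": name, "dataType": "String", "targetObjects": ["User"]}}

def set_sponsor_request(guest_id: str, attr: str, sponsor_upn: str) -> dict:
    """PATCH /users/{id}: stamp the sponsor's UPN into the extension attribute."""
    return {"method": "PATCH", "url": f"{GRAPH}/users/{guest_id}",
            "body": {attr: sponsor_upn}}

def dynamic_rule(attr: str, sponsor_upn: str) -> str:
    """Membership rule restricted to guests, so a member account carrying the
    same attribute value can never be pulled into the unit by mistake."""
    return f'(user.userType -eq "Guest") and (user.{attr} -eq "{sponsor_upn}")'

def create_admin_unit_request(display_name: str, rule: str) -> dict:
    """POST /administrativeUnits with dynamic membership processing turned on."""
    return {"method": "POST", "url": f"{GRAPH}/administrativeUnits",
            "body": {"displayName": display_name, "membershipType": "Dynamic",
                     "membershipRule": rule, "membershipRuleProcessingState": "On"}}

def scoped_role_assignment_request(sponsor_id: str, au_id: str) -> dict:
    """POST /roleManagement/directory/roleAssignments: User Administrator for the
    sponsor, but with directoryScopeId limited to this unit instead of '/' (tenant)."""
    return {"method": "POST", "url": f"{GRAPH}/roleManagement/directory/roleAssignments",
            "body": {"principalId": sponsor_id, "roleDefinitionId": USER_ADMIN_ROLE_ID,
                     "directoryScopeId": f"/administrativeUnits/{au_id}"}}

if __name__ == "__main__":
    # Constructed placeholders, not values from the original post.
    attr = extension_attribute_name("11111111-2222-3333-4444-555555555555", "sponsorUpn")
    rule = dynamic_rule(attr, "sponsor-a@company-1.example")
    for req in (create_extension_request("<app-object-id>", "sponsorUpn"),
                set_sponsor_request("<guest-object-id>", attr, "sponsor-a@company-1.example"),
                create_admin_unit_request("AU-Company-1", rule),
                scoped_role_assignment_request("<sponsor-object-id>", "<au-object-id>")):
        print(req["method"], req["url"], json.dumps(req["body"]))
```

The role assignment is the part worth double-checking in the portal afterwards: a directoryScopeId of "/" would be the tenant-wide assignment the post warns against.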
The next step is to save the dynamic rule and let the Administrative Unit auto-populate with the guest users.
The administrative unit is now populated with the respective guest users.
Let us try now to edit the attributes for a guest user who is from Company-1.
As you can see below, I am able to modify the properties, and it does display that the guest user is part of an administrative unit.
For a guest user who is not part of the administrative unit, I am not able to modify any properties or attributes.
Final Thoughts:
In conclusion, managing a large number of guest users in your Entra ID doesn’t have to be a daunting task. By empowering the invitee or the sponsor with the ability to manage their respective guest users, we can significantly reduce the burden on the IAM/identity team. The utilization of the Sponsor feature and Administrative Units in Entra ID can be used for more effective and streamlined management.
Moreover, the user experience for sponsors can be further enhanced by building custom applications using the Power Platform or SharePoint. These applications can provide a more intuitive and user-friendly interface for sponsors, eliminating the need for them to directly use the Entra ID portal.
I hope this post has provided you with valuable insights and practical steps to improve your guest user management. Please feel free to share your thoughts, experiences, and suggestions in the comments section below.
Thank you for taking the time to read this post. I look forward to hearing from you!