Access Management Part 4: External Access

Time: 6 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
00:00
Welcome back to the MS 365 Security Administration course. I'm your instructor, Jim Daniels.
00:06
In this lesson, we're continuing Module 2, Identity and Access. We're going to wrap up Lesson 3, Access Management, with Part 4, External Access.
00:16
In this lesson, we're going to talk about Azure AD business-to-business collaboration
00:21
and management of Customer Lockbox requests.
00:25
Azure AD can provide access to documents, resources and applications for external users
00:32
while maintaining complete control over your corporate data.
00:36
Azure AD B2B and SharePoint Online are two systems Microsoft currently has in place to accomplish this.
00:43
Let's look at a comparison between Azure AD B2B and SharePoint Online external collaboration.
00:50
So for clarity's sake, SharePoint Online also includes OneDrive for Business.
00:55
SharePoint Online has a separate invitation manager. External collaboration sharing actually started with SharePoint Online, prior to Azure AD having a solution.
01:06
So during that process,
01:07
SharePoint Online got documentation, and users got some adoption going.
01:14
SharePoint Online adds users to the directory after the user has redeemed their invitation.
01:21
It's important:
01:22
you have the invitation, the user signs in, then they're added to the directory.
01:27
The redemption and user experience is different;
01:30
after the redemption, the UX is the same. Remember, the invitation manager is separate.
01:36
If you want to set Azure AD as your external sharing authority, you go to the classic SharePoint Online Admin Center.
01:42
Toggle the setting, as seen, to allow sharing only with external users that already exist in your organization's directory.
01:51
So licensing for Azure AD B2B collaboration is kind of confusing.
01:57
External users must have the appropriate license to access paid services.
02:01
This calculation, or ratio,
02:05
the guest licensing, is one to five. If you have 10 Azure AD licenses,
02:10
yeah, 50 B2B guests can collaborate.
02:14
Once you determine how many guest users need to access your paid Azure AD services,
02:19
you make sure you have enough Azure AD paid licenses to cover
02:23
the guest users.
02:24
Where this gets confusing and muddled
02:28
is you have two versions of Azure AD licensing, right? You have your
02:31
P1 and P2.
02:34
If the feature, the paid feature,
02:37
that your guest users utilize
02:39
requires a P2 license,
02:43
that's the license that goes in the 1:5 ratio.
02:46
If what they're accessing requires a P1 license,
02:49
it looks at P1
02:52
or the P2, because the P2 contains everything that the P1 does;
02:55
it looks at those at the 1:5 ratio.
02:59
So if you use identity protection features,
03:01
that's a P2 license.
03:05
If you use conditional access and MFA,
03:07
that's a P1 license,
03:09
so you have to know
03:12
what license allows what feature
03:15
if you have a mix of P1 and P2 licenses within your environment.
03:20
There are some benefits of using Azure AD B2B collaboration.
03:27
With B2B, the partner uses their own identity management solution. There's no external administrative overhead for your organization.
03:36
You don't have to utilize the same system that SharePoint Online uses, where they're actually a guest account within your tenant that you have to manage.
03:44
The partner uses their own identity and credentials. Federation is not required;
03:49
they could be federated with Gmail.
03:52
You don't need to manage external accounts.
03:54
That is by far the biggest benefit.
03:58
You don't need to sync accounts or manage account lifecycles.
04:01
You can invite guest users with a simple invitation and redemption process.
04:06
They can sign into your apps and services with their own work, school or social identities.
04:12
If they don't have an identity that works,
04:15
one is created for them when they redeem their invitation.
04:17
Invited guest users can use the identity of their choice.
04:23
You can send it directly to an app
04:25
or send an invitation to the guest user's own Access Panel.
04:30
Guest users follow a few simple redemption steps to sign in.
04:33
It's simple for the user.
04:35
You can use policies to securely share your apps and services.
04:40
You can use authorization policies to protect your content. Conditional access policies, such as MFA, can even be enforced at a tenant level and application level. So you can actually say
04:50
these external users, when they access this application, they have to have MFA as a condition for them to access it.
04:59
That is
05:00
no relation
05:01
to what the external user's tenant does or doesn't allow.
05:05
You set a standard for your content, for your tenant. If they're coming into your house,
05:12
they're going to abide by your house rules.
05:15
You can easily add guest users in the Azure AD portal. As an administrator,
05:18
you can add them, or you can offset it
05:21
to another member or another user of your organization to invite guest users.
05:27
You don't have to manage every aspect of the guest user environment.
05:30
You let the application or group owners manage their own guest users.
05:33
Cuts down on tickets,
05:35
cuts down on headaches, cuts down on management overhead and allows you to do other things besides being a very highly paid
05:45
group
05:45
list administrator.
05:47
Delegate guest user management to the app owners,
05:50
and they can share and add guests directly as they need, according
05:56
to the application.
05:58
Administrators can also set up self-service app and group management.
06:02
Here we're looking at how you can actually add a guest user.
06:06
So in Azure AD,
06:09
we go to All users and add a new user.
06:12
You have options: create a user and invite user.
06:15
Identity:
06:15
fill out the same information.
06:17
The email address is
06:19
outside of our tenant,
06:23
and then we can go through groups, roles, a lot more information, and invite.
06:28
That same email invitation
06:30
that goes to
06:31
anybody in Azure AD
06:33
goes to Mary Smith in this example.
06:36
You can even add collaboration users in bulk.
06:41
You can go into your Azure AD
06:44
admin center, All users,
06:46
Bulk invite,
06:47
upload a free-format CSV with the information,
06:51
and it will go through the process
06:55
and invite them.
06:56
PowerShell. Yes, PowerShell can also be used.
07:00
These commands do require the latest version of Azure Active Directory PowerShell for Graph.
07:08
Go through to connect to the tenant: Connect-AzureAD,
07:12
with -TenantDomain and a pretend domain name.
07:15
Add a new user: New-AzureADMSInvitation.
07:19
You go through something. This is an example we're doing:
07:23
InvitedUserDisplayName is Santa Claus,
07:26
InvitedUserEmailAddress, the big guy at something-dot-com,
07:30
InviteRedirectUrl.
07:32
This is where we want him to go once he
07:35
sees the invitation and clicks on it,
07:39
and we want the message to go out, so we're doing true.
07:42
If you do false, this person won't be emailed an invitation.
07:46
You can even go through and use PowerShell to list all of your guest users in your tenant.
07:51
If you want to remove a guest user: Remove-AzureADUser, -ObjectId, and put in the UPN of that user.
08:01
If a user didn't get their invitation, or it went to a spam or junk folder, shame on them.
08:07
However, if you pull their user profile, there is an option to resend the invitation, as you see in this screenshot.
08:13
All right, so this question is more scenario-based.
08:16
Let's say your organization has 50 Azure Active Directory
08:22
P1 licenses and 20 Azure AD P2 licenses, so 50
08:26
plus 20.
08:28
A new external collaboration project is starting next week. It's going to utilize
08:33
Azure AD B2B for guest identity.
08:37
The project workflow contains elements that require an Azure AD P2 license.
08:41
There will be 124 guest users involved in this project.
08:46
What do you need to be
08:48
in compliance
08:50
with Azure AD B2B licensing?
08:52
So look at the choices.
08:54
A: You don't need to do anything, you're already compliant.
08:56
B: Add 124
08:58
B2B Premium licenses for the 124 guest users.
09:03
C: Add 74
09:05
P1 licenses.
09:07
D: Add four P2.
09:09
E: Add five P2. Or, add 24
09:13
B2B Premium licenses.
09:16
Give you a little bit of the math.
09:18
Break out a sticky note, notepad,
09:22
calculator,
09:24
however it works.
09:28
If you don't have it yet, hit pause,
09:31
because I'm going to go to the answer.
09:33
The answer is
09:37
E, add five
09:39
Azure AD P2 licenses. Remember that 1:5 ratio:
09:43
for every one Azure AD P2 license you have, you're allowed five
09:48
B2B users.
09:50
The project requires features only in
09:54
P2, so that's what the ratio goes off of.
09:58
You need 25.
10:05
So if you have 25
10:05
Azure AD P2 licenses, multiply that by five, and that gives you up to 125 Azure AD B2B users that can take advantage of
10:16
P2 features.
10:20
Roadmap update. Again, everything changes quickly.
10:22
So depending on the time that you
10:26
sit for your exam,
10:28
this may or may not be
10:30
on there. That's why I'm going over both
10:33
explanations.
10:33
Microsoft said soon they're no longer supporting redemption of invitations
10:37
by creating unmanaged Azure AD accounts in tenants for collaboration scenarios.
10:43
A one-time passcode is going to be used for B2B guests that don't have an Azure AD,
10:50
Microsoft account or Google federation.
10:54
So what that means right now within my tenant
10:56
and OneDrive for Business, we're previewing this feature.
11:01
I can take a file in OneDrive
11:03
and share it with somebody.
11:07
That user doesn't have to have a Microsoft account. They don't have to have a Google one. They don't have to have
11:15
an
11:16
Azure AD account,
11:18
and they don't have to sign up for a guest account in my tenant.
11:20
It actually gives them a one-time, 24-hour passcode,
11:26
so they click on it,
11:28
verify,
11:30
have access to it for 24 hours. Three days later, they click on it again, it's going to ask them to re-verify, and they have access to it for another 24 hours.
11:39
That really fits all of the security models we've been learning up to this point,
11:43
where you want to give least privilege.
11:45
You don't want to give a permission and just leave it for an indefinite amount of time.
11:48
You want to give a permission and have it expire, especially if it's a guest user not in your environment. So this fits in with the whole strategy.
11:58
Let's take a look at that one-time passcode authentication.
12:01
You share an item. That user gets: hey, this person has shared something with you, click here. Click here.
12:09
It brings them up to a sign-in screen that says "Send code".
12:13
They get a code sent to their email that's valid for 30 minutes.
12:18
If they sit on it for over 30 minutes and try and put it in, it will not work.
12:24
You just request a new one.
12:26
Once they sign in, it goes to that 24 hours where it's valid, and then it resets.
12:31
So this is a really
12:33
big deal for ease of use for external collaboration within Microsoft 365;
12:39
it's major.
12:41
This allowed adoption within
12:45
our organization for external collaboration to skyrocket.
12:48
Before,
12:50
there was a 45-page PDF that we had to send out to users;
12:54
they couldn't figure it out.
12:56
It was just too long,
12:58
too cumbersome.
12:58
They saw what they had to read and went, I'm not doing this, I'm going to shadow IT and we'll do something else. I'm going to go around my backside to get to my elbow to make it work.
13:09
This allows them to actually use approved,
13:13
monitored
13:16
and assigned, licensed, supported
13:20
ways to collaborate externally,
13:22
and allows
13:22
the external user a simple and quick way to get into a file. This
13:28
has been one of the best
13:31
changes that MS 365 has had over the past few years for organizations, as it revolves around adoption and external collaboration.
13:39
Really good stuff.
13:41
Customer Lockbox.
13:43
Growing up, my parents had a lockbox, actually had a physical steel fire-safe lockbox. What was inside of it? Social Security cards, house deed, lots of
13:56
really important information, to where if the house burned, if something happened,
14:01
it would be okay.
14:03
They could go, in the event of a hurricane, grab it, and if we had to evacuate, we would take it with us.
14:09
If the house was set on fire, God forbid,
14:13
it would still be there in the lockbox.
14:15
Same concept: you put important things in it so other people can't get to them without the combination or key.
14:20
So Customer Lockbox provides an additional layer of control by offering customers the ability to give explicit access authorization for service operations,
14:31
demonstrating these procedures are in place for explicit
14:35
data access authorization.
14:37
Customer Lockbox can be used to help meet certain compliance obligations such as HIPAA and FedRAMP,
14:43
so a user must explicitly approve a Microsoft support engineer's request to access data.
14:50
To use Customer Lockbox, you'd have the Office 365 E5 suite,
14:56
the Microsoft 365 E5 suite,
14:58
or Office 365 Advanced Compliance licenses,
15:01
and this is activated in the Security and Compliance Center.
15:05
So to recap today's lesson:
15:07
Azure AD B2B allows organizations to collaborate with external guests while maintaining control over organizational data.
15:16
Customer Lockbox provides an additional layer of control by offering customers the ability to give explicit access authorization for service operations.
15:26
One-time passcode authentication is a feature that allows guests without a Microsoft or federated identity to access content without having to create an account.
15:39
Thank you for joining me. I hope to see you next time.
15:43
Thanks.