Time
6 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
7

Video Transcription

00:00
Welcome back to the M s. 3 65. All of security Administration course. I'm your instructor, Jim Daniels.
00:06
In this lesson, we're continuing model to identity and access. We're gonna wrap up less than three access management with part four external access
00:16
in this. Listen, we're gonna talk about Azure 80 business to business collaboration
00:21
and management of customer lockbox. Request
00:25
as your 80 can provide access of documents, re sources and applications to external users
00:32
while maintaining complete control over your corporate data
00:36
as Ray D. B two B and SharePoint Online or two systems myself currently has in place to accomplish this.
00:43
Let's look at a comparison between azar a d baby and share for Milan external collaboration.
00:50
So for clarity sakes, share for non also includes one draw for business.
00:55
SharePoint Juan has a separate invitation manager. External collaboration sharing actually started with sheriff. Want Walon prior to azar a. D Having a some solution.
01:06
So during that process,
01:07
sheriff one alon gotta documentation that users got some adoption going.
01:14
SharePoint Oman as users to directory after the user has redeemed their invitation,
01:21
it's important
01:22
you have the imitation user signs in. Then their attitude of the rectory.
01:27
The redemption and user experience is different
01:30
after the redemption that you X is the same. Remember, the imitation manager is separate.
01:36
If you want to set as your 80 as your external sharing authority, you go to the classic shirt for Lamont Admin Center.
01:42
Toggle settings, as seem to allow sharing only with external users, already exists in your organizations. The rectory.
01:51
So licensing for the as Brady B two B collaboration is kind of confusing.
01:57
External users must have the appropriate licence to access to paid services.
02:01
This calculation or ratio
02:05
the guest licensing is one. The five. If you have 10 as a radio licenses.
02:10
Yeah, 50 b two b guest second collaborate.
02:14
Once you determine how many guests users need to access your paid as your 80 services,
02:19
you make sure you have enough as radi pay licences to cover
02:23
the guests. Users.
02:24
Where this gets confusing and muddled
02:28
is you have two versions of Azure ADM licensing right you have your
02:31
P one and P two.
02:34
If the feature the paid feature
02:37
that your guess users utilise
02:39
require a key to license,
02:43
that's the license that goes in the 15 ratio.
02:46
If What they're accessing requires a P one lessons.
02:49
It looks at P one
02:52
or the p two. Because the P two contains everything that the P one does,
02:55
it looks a dance at the 15 ratio.
02:59
So if you use identity protection features
03:01
S A P to license.
03:05
If you use conditional access in F A
03:07
as a P one license,
03:09
so you have to know
03:12
Want license allows you want? Feature.
03:15
If you have a mix of P one and P two licenses within your environment,
03:20
there are some benefits of using the azure 80 b two b collaboration
03:27
with the B two b. The partner uses their own identity management solution. There's no external administrative overhead for your organization.
03:36
You don't to utilize the same system that shipping along uses toe where they're actually a guest account with inter attendant that you have to manage.
03:44
The partner uses their own identity and credentials. Aggerated. He's not required,
03:49
he asked. With Federated, with Gmail,
03:52
you don't need to manage external accounts.
03:54
That is by far the biggest benefit.
03:58
You don't need to sink accounts or manage. It can't last.
04:01
You can invite guests users of simple imitation and redemption process.
04:06
They can sign into your action services with our own work, school or social identities
04:12
if they don't have an identity that works
04:15
once created for them when they were deemed their invitation
04:17
invited guests users can use the identity of their shorts.
04:23
You can send it directly to an APP
04:25
or send an invitation to the guests. Users Own Access panel
04:30
Guess Users follow a few simple redemption steps to sign in.
04:33
It's simple for the user.
04:35
You can use policies to securely share your absence services.
04:40
You can use authorization policies to protect your content. Conditional access policies such as M F. They can even be enforced at a tenant level and application little. So you can actually say
04:50
these external users within the access this application thereafter have enough A as a condition for them to access it.
04:59
That is
05:00
no relation
05:01
to want the external users. Tenant doesn't doesn't doesn't allow
05:05
you set a standard for your content for your tenant. If they're coming into your house,
05:12
they're gonna get about your house rules.
05:15
You can easily and guess users in the as Radi Portal. As an administrator,
05:18
you're gonna Adam in or you can offset it
05:21
to another member or another user of your organization. To him by guest users,
05:27
you don't have to manage every aspect of the guest user environment.
05:30
You let the application of group owners man has your own guess. Users.
05:33
Castan tickets
05:35
cuts down on headaches, Coastal Management overhead and allows you to do other things. Besides being a very highly paid
05:45
group
05:45
list administrator,
05:47
delegate guest user management to the openers.
05:50
And they can share and I guess, directly as they need. According
05:56
to the application,
05:58
administrators can also set up self service, app and group management.
06:02
Here we're looking at how you can actually add a guest user.
06:06
So an as radi,
06:09
we got all users and get a new user.
06:12
You have awesome, create a user and body user
06:15
identity.
06:15
Fill out the same information
06:17
email address is
06:19
outside of our tent,
06:23
and then we can get through groups, rolls a lot more information it invite
06:28
that same email limitation
06:30
that goes to
06:31
anybody in as Brady
06:33
goes to Mary Smith in this example,
06:36
you can even add collaboration users in bulk.
06:41
You can go into your azure A D
06:44
and in center. All users
06:46
bulk. Invite
06:47
up with a free format of CSFB with information,
06:51
and it will go through the process
06:55
and invite them.
06:56
Power shell. Yes, power shell can also be used.
07:00
These commands do require the latest version of Azure and directory power show for graph
07:08
go through two Connected the tenant Connect Dash as Radi.
07:12
That's tended domain pretending domain name
07:15
at a new user. New dash Azure ADM s invitation.
07:19
You guys through something This is Apple were doing
07:23
invited user display. Name is Santa Claus
07:26
Bided user email address the big higher resulting dot com
07:30
invite redirect euro.
07:32
This is where we want him to go to once he
07:35
sees the invitation and close one,
07:39
and we want the message to go out. So we're doing true.
07:42
If you do false, this person won't be emailed a invitation
07:46
even get through and use power shell to list all of your guests Users in your tenant
07:51
If you want to remove a guest user removed Dash as Radi user, that's I'm Jake, 90 and put in the U P N of that user
08:01
after user didn't get their invitation or went to a spam jumped folder. Shame on them
08:07
However, if you pull their user profile, there is an option to recent invitation. As you see in this screenshot.
08:13
All right, so this question is more basin area.
08:16
Let's say your organization has 50 as writing directory.
08:22
He won license and 20 azar 80 p two licenses said 50
08:26
plus 20.
08:28
The new external collaboration project is starting next week. It's going to utilize
08:33
as Ray D. B two B for guests identity.
08:37
The project workflow contains elements that require in azure ADP to license.
08:41
There will be 124 guests users involved in this project.
08:46
What do you need to be
08:48
in compliance
08:50
with Brady B two b licensing?
08:52
So look out for the choices.
08:54
You know you do anything you're already compliant
08:56
need at 124
08:58
b two B premium licenses for that 124 guests. Users
09:03
is asked 74
09:05
p one licenses
09:07
at four p. Two
09:09
at 5 ft. Um, we're at 24.
09:13
Be to be Crimean licenses
09:16
give you a little bit of the math.
09:18
Break out a sticky note. No pad
09:22
calculator,
09:24
how it works
09:28
if you don't have guns for now, hit Paul's
09:31
because I'm going to go to the answer.
09:33
The answer is
09:37
E at five
09:39
as your ADP two licenses. Remember that 15 ratio
09:43
for everyone as Raid 82? A license you have. You're allowed five
09:48
Basically users
09:50
Project requires features only in
09:54
He, too, said. That's what the ratio goes off off.
09:58
You need a 25.
10:05
So if you have 25
10:05
as Ray D. P. Two licenses, most part that by five. And that gives you up to 125 as radi b two b license of the second take advantage of
10:16
P two features
10:20
roadmap update. Again, everything changes quickly.
10:22
So depending on the time that you
10:26
sit for your exam,
10:28
this may or may not be
10:30
one there. That's why I'm going over both
10:33
explanations,
10:33
Marcus solved. Soon we're no longer support redemption of imitations
10:37
by creating unmanaged as Radi accounts in tenants for collaboration scenarios.
10:43
A one time passed it off is gonna be used for B two B guess and don't have an azure 80
10:50
Microsoft account or Google Federation.
10:54
So what that means right now within my tenant
10:56
and one draw for business, we're previewing this feature
11:01
I can take a filing one draw
11:03
and share it with somebody.
11:07
That user doesn't have tohave and like herself, account. They don't a have a Google him. They don't have tohave
11:15
A
11:16
as your idea count
11:18
and they don't have to sign up for a guest account. My tenor,
11:20
it actually gives them a one time, 24 hour pass code,
11:26
so they click on it,
11:28
verify,
11:30
have access to it for 24 hours. Three days later, they click on it again. It's gonna ask him to re verify they have access to it for another 24 hours.
11:39
That really fits all of the security models we've been learning up to this point
11:43
where you want to give always privilege.
11:45
You don't want to get permission. Just leave it for an indefinite amount of time.
11:48
You want to give my permission and have it expire, especially if it's a guest user, not in your environment. So this fits in with the whole strategy.
11:58
Let's take a look at that one time password authentication.
12:01
You share an item that user gets. Hey, this person has share something with you. Click here. Click here.
12:09
It brings him up to a sign of the screen says Sin code.
12:13
They said they get a code center, their email that's viable for 30 minutes.
12:18
If they sit on for over 30 minutes and try and put it in, it will not work.
12:24
You just request a new one
12:26
once they sign in. It goes that 24 hour where it's violent and then a resets.
12:31
So this is a really
12:33
big deal for ease of use for external collaboration within in this race. 65
12:39
it's major.
12:41
This allowed adoption within
12:45
or organization for a someone collaboration to Skyrocket.
12:48
Before
12:50
there was a 45 page PdF that we had to send out to users,
12:54
they couldn't figure it out.
12:56
It was just too long,
12:58
too cumbersome.
12:58
They they saw what they read and write. I'm not doing this. I'm going to shadow I t. And we'll do something else. I'm gonna go around my backside to getting that elbow to make it work.
13:09
This allows them to actually use approved,
13:13
monitored
13:16
and assigned license supported
13:20
ways to Kleiber and externally,
13:22
and allows
13:22
ex Army user a simple and quick way to get into a file. This
13:28
has been one of the best
13:31
changes that M S 3 65 has had over the past few years for organization as it revolves around adoption and next time of collaboration.
13:39
Really good stuff.
13:41
Customer lockbox.
13:43
Growing up, my parents had a lockbox, actually had a physical still fire safe of lockbox. What was inside of it? Social Security House deed. Lots of
13:56
really important information toe where if the house burns, if something happened,
14:01
it will be okay.
14:03
They could go in the event of a hurricane. Grab it. And if we had to evacuate, we will tell you that with us.
14:09
If the house set on fire, God forbid,
14:13
it would still be there. Lockbox.
14:15
Same concept You put important things in it to other people. Can't get to without the combination or key.
14:20
It's a customer. Lockbox provides an additional layer of control but offering customers the ability to give explicit access authorization for service operations.
14:31
But demonstrating these procedures are in place for explicit
14:35
data access authorization.
14:37
Customer lockbox can be used to help meet certain compliance obligations such as hip that ramp
14:43
so a user must explicitly approve of Microsoft Support Engineers requests access data
14:50
to use customer lockbox. You'd have the 03 65. 5. Sweet
14:56
in this 3 65 5 sweet
14:58
or office 3. 65 Advanced compliance licenses,
15:01
and this is activated in the security and compliance center.
15:05
So to recap, today's lesson
15:07
as your A B two b allows organizations to collaborate with external guests while maintaining control over organizational data.
15:16
Customer lockbox provides an additional layer of control. The offering customers the ability to give explicit access authorization for service operations
15:26
one time passcodes. Authentication is a feature that I was guests without a Microsoft or Federated identity to access content without having a creation account of the room.
15:39
Thank you for joining me. I hope to see you next time.
15:43
Thanks.

Up Next

MS-500: Microsoft 365 Security Administration

The Microsoft 365 Security Administration course is designed to prepare students to take and pass the MS-500 certification exam. The course covers the four domains of the exam, providing students with the knowledge and skills they need to earn their credential.

Instructed By

Instructor Profile Image
Jim Daniels
IT Architect
Instructor