Access Management Part 4: External Access
Welcome back to the MS-365 Security Administration course. I'm your instructor, Jim Daniels.
In this lesson we're continuing Module 2, Identity and Access. We're going to wrap up Lesson 3, Access Management, with Part 4, External Access.
In this lesson we're going to talk about Azure AD business-to-business (B2B) collaboration and the management of Customer Lockbox requests.
Azure AD can provide access to documents, resources and applications for external users while maintaining complete control over your corporate data.
Azure AD B2B and SharePoint Online are the two systems Microsoft currently has in place to accomplish this.
Let's look at a comparison between Azure AD B2B and SharePoint Online external collaboration. For clarity's sake, SharePoint Online here also includes OneDrive for Business.
SharePoint Online has a separate invitation manager. External collaboration sharing actually started with SharePoint Online, prior to Azure AD having its own solution. During that process SharePoint Online got documentation and users got some adoption going.
SharePoint Online adds users to the directory after the user has redeemed their invitation: the invited user signs in, and then they're added to the directory. The redemption and user experience is different, but after redemption the user experience is the same. Remember, the invitation manager is separate.
If you want to set Azure AD as your external sharing authority, go to the classic SharePoint Online admin center and toggle the setting to allow sharing only with external users that already exist in your organization's directory.
Licensing for Azure AD B2B collaboration is kind of confusing. External users must have the appropriate license to access paid services. The calculation, or ratio, for guest licensing is 1:5. If you have 10 Azure AD licenses, 50 B2B guests can collaborate.
Once you determine how many guest users need to access your paid Azure AD services, you make sure you have enough paid Azure AD licenses to cover those guest users.
Where this gets confusing and muddled is that you have two versions of Azure AD licensing: P1 and P2. If the paid feature that your guest users utilize requires a P2 license, that's the license that goes into the 1:5 ratio. If what they're accessing requires a P1 license, it counts P1 or P2 at the 1:5 ratio, because P2 contains everything that P1 does.
So if you use Identity Protection features, that's a P2 license. If you use Conditional Access and MFA, that's a P1 license. You have to know which license allows which feature if you have a mix of P1 and P2 licenses within your environment.
There are some benefits of using Azure AD B2B collaboration.
With B2B, the partner uses their own identity management solution, so there's no external administrative overhead for your organization. You don't have to use the same model SharePoint Online uses, where there's actually a guest account in your tenant that you have to manage. The partner uses their own identity and credentials; federation is not required. If they're federated with Gmail, you don't need to manage external accounts. That is by far the biggest benefit: you don't need to sync accounts or manage account lifecycles.
You can invite guest users with a simple invitation and redemption process. They can sign in to your apps and services with their own work, school or social identities. If they don't have an identity that works, one is created for them when they redeem their invitation. Invited guest users can use the identity of their choice. You can send them directly to an app, or send an invitation to the guest user's own access panel. Guest users follow a few simple redemption steps to sign in. It's simple for the user.
You can use policies to securely share your apps and services. You can use authorization policies to protect your content. Conditional Access policies such as MFA can even be enforced at a tenant level and an application level. So you can actually say that these external users, when they access this application, have to have MFA as a condition of access, even if the external user's own tenant doesn't require it. You set a standard for your content, for your tenant: if they're coming into your house, they're going to abide by your house rules.
You can easily add guest users in the Azure AD portal. As an administrator you're going to add them, or you can offload it to another member or user of your organization to invite guest users. You don't have to manage every aspect of the guest user environment; you let the application and group owners manage their own guest users. That cuts down on headaches and overall management overhead and allows you to do other things besides being a very highly paid guest-user administrator. Delegate guest user management to the owners, and they can share and add guests directly as they need, according to the application. Administrators can also set up self-service app and group management.
Here we're looking at how you can actually add a guest user. In Azure AD, go to All users and select New user. You have the option to create a user or to invite a user. Fill out the same information; the email address is outside of our tenant. Then we can go through groups, roles and a lot more information, and invite. The same email invitation that goes to anybody invited through Azure AD goes to Mary Smith in this example.
You can even add collaboration users in bulk. Go into Azure AD, into All users, and upload a preformatted CSV with the information, and it will go through the process and invite them.
PowerShell can also be used. These commands do require the latest version of the Azure Active Directory PowerShell for Graph module.
First connect to the tenant: Connect-AzureAD -TenantDomain, followed by the tenant domain name.
Add a new user with New-AzureADMSInvitation. In this example we're setting -InvitedUserDisplayName to Santa Claus, -InvitedUserEmailAddress to the guest's email address, and -InviteRedirectUrl, which is where we want them to go once they see the invitation and click on it. We want the message to go out, so we're setting -SendInvitationMessage to true. If you set it to false, this person won't be emailed an invitation.
You can also use PowerShell to list all of the guest users in your tenant. If you want to remove a guest user, use Remove-AzureADUser -ObjectId and put in the UPN of that user.
If a user didn't get their invitation, or it went to a spam or junk folder, shame on them. However, if you pull up their user profile there is an option to resend the invitation, as you see in this screenshot.
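The following script is an added example, not code from the course or from Microsoft. It puts the cmdlets mentioned above together with the bulk-CSV idea from the portal section: it reads guest rows from a CSV, skips guests who already exist in the directory, invites the rest with New-AzureADMSInvitation, lists every guest with their redemption state, and shows the removal command. It assumes the AzureAD module is installed and that the signed-in account holds the Guest Inviter or User Administrator role; the tenant domain, CSV rows and redirect URL are constructed placeholders.

```powershell
# Added example (not from the course): bulk-invite B2B guests from CSV data with the
# AzureAD PowerShell module, then list guests and show how to remove one.
# Assumes: AzureAD module installed; caller is a Guest Inviter or User Administrator.
# The tenant domain, CSV contents and redirect URL are constructed placeholders.

Import-Module AzureAD

$tenantDomain = 'contoso.example'               # placeholder tenant domain
$redirectUrl  = 'https://myapps.microsoft.com'    # where the guest lands after redeeming

# Constructed sample input, using the same two columns the portal's bulk-invite CSV needs.
$guestCsv = @'
DisplayName,EmailAddress
Santa Claus,santa@northpole.example
Mary Smith,mary.smith@partner.example
'@

Connect-AzureAD -TenantDomain $tenantDomain | Out-Null

$guests = $guestCsv | ConvertFrom-Csv
foreach ($g in $guests) {
    # Do not invite an address that is already a guest in the directory; if that guest
    # never redeemed, the portal's "Resend invitation" option is the right fix.
    $existing = Get-AzureADUser -Filter "userType eq 'Guest' and mail eq '$($g.EmailAddress)'"
    if ($existing) {
        Write-Host "Already a guest: $($g.EmailAddress) (state: $($existing.UserState))"
        continue
    }

    $inv = New-AzureADMSInvitation `
        -InvitedUserDisplayName  $g.DisplayName `
        -InvitedUserEmailAddress $g.EmailAddress `
        -InviteRedirectUrl       $redirectUrl `
        -SendInvitationMessage   $true     # $false creates the guest object but sends no email

    Write-Host "Invited $($inv.InvitedUserEmailAddress); status: $($inv.Status)"
}

# List every guest in the tenant with whether they have redeemed their invitation yet.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object DisplayName, Mail, UserPrincipalName, UserState

# Remove a guest by UPN. Guest UPNs take the form name_domain#EXT#@tenant.onmicrosoft.com;
# the value below is a constructed placeholder, so the line is left commented out.
# Remove-AzureADUser -ObjectId 'mary.smith_partner.example#EXT#@contoso.onmicrosoft.com'
```

The existence check matters for the lifecycle point made earlier in the lesson: re-running a bulk import should not create a second invitation for a partner who is already in the directory, and the UserState column in the listing is what tells you whether an invitation is still pending and needs to be resent.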
All right, so this question is more scenario-based. Let's say your organization has 50 Azure AD P1 licenses and 20 Azure AD P2 licenses. A new external collaboration project is starting next week. It's going to utilize Azure AD B2B for guest identity. The project workflow contains elements that require an Azure AD P2 license. There will be 124 guest users involved in this project. What do you need to do about Azure AD B2B licensing?
Look at the choices: you don't need to do anything, you're already compliant; add 124 B2B premium licenses for those 124 guest users; add 74 P1 licenses; add 4 P2 licenses; add 5 P2 licenses; or add 24 B2B premium licenses.
I'll give you a little bit of the math. Break out a sticky note or a notepad and work out how it works. If you don't have it yet, hit pause now, because I'm going to go to the answer.
The answer is E: add five Azure AD P2 licenses. Remember that 1:5 ratio: for every Azure AD P2 license you have, you're allowed five guests. The project requires features only in P2, so that's what the ratio goes off of. You need 25. If you have 25 Azure AD P2 licenses, multiply that by five, and that gives you up to 125 Azure AD B2B guests who can take advantage of P2 features.
Roadmap update. Again, everything changes quickly, so depending on the time that you sit for your exam, this may or may not be on there. That's why I'm going over both.
Microsoft has said that soon it will no longer support redemption of invitations by creating unmanaged Azure AD accounts in tenants for collaboration scenarios. A one-time passcode is going to be used for B2B guests who don't have an Azure AD, Microsoft account or Google federated identity.
What that means right now within my tenant, where we're previewing this feature in OneDrive for Business: I can take a file in OneDrive and share it with somebody. That user doesn't have to have a Microsoft account, they don't have to have a Google account, they don't have to have an Azure AD account, and they don't have to sign up for a guest account in my tenant. It actually gives them a one-time, 24-hour passcode. They click on it and have access for 24 hours. Three days later they click on it again, it asks them to re-verify, and they have access for another 24 hours.
That really fits all of the security models we've been learning up to this point, where you want to give least privilege. You don't want to grant permission and just leave it for an indefinite amount of time. You want to grant permission and have it expire, especially if it's a guest user not in your environment. So this fits in with the whole strategy.
Let's take a look at that one-time passcode authentication. You share an item, and that user gets a message: this person has shared something with you, click here. It brings them to a sign-in screen that says send code. They get a code sent to their email that's valid for 30 minutes. If they sit on it for over 30 minutes and then try to put it in, it will not work; they just request a new one. Once they sign in, it goes into that 24-hour window where the sign-in is valid, and then it resets.
So this is a really big deal for ease of use for external collaboration within Microsoft 365. It allowed adoption within our organization for external collaboration to skyrocket. Before, there was a 45-page PDF that we had to send out to users, and they couldn't figure it out. It was just too long. They saw what they had to read and said: I'm not doing this, I'm going to go to shadow IT and do something else, I'll find a way around it to make it work. This allows them to actually use approved, assigned, license-supported ways to collaborate externally, and it gives the external user a simple and quick way to get into a file. This has been one of the best changes Microsoft 365 has had over the past few years for organizations, as it revolves around adoption and external collaboration. Really good stuff.
Growing up, my parents had a lockbox, actually a physical steel fire-safe lockbox. What was inside of it? Social Security cards, the house deed, lots of really important information, so that if the house burned or something happened, it would be okay. In the event of a hurricane they could go grab it, and if we had to evacuate we would take it with us. If the house caught fire, God forbid, it would still be there in the lockbox. Same concept: you put important things in it so other people can't get to them without the combination or key.
Customer Lockbox provides an additional layer of control by offering customers the ability to give explicit access authorization for service operations, and by demonstrating that these procedures are in place for explicit data access authorization. Customer Lockbox can be used to help meet certain compliance obligations such as HIPAA and FedRAMP. A user must explicitly approve a Microsoft support engineer's request to access data.
To use Customer Lockbox you need the Office 365 E5 suite, the Microsoft 365 E5 suite, or Office 365 Advanced Compliance licenses, and it is activated in the Security & Compliance Center.
So to recap today's lesson:
Azure AD B2B allows organizations to collaborate with external guests while maintaining control over organizational data.
Customer Lockbox provides an additional layer of control by offering customers the ability to give explicit access authorization for service operations.
One-time passcode authentication is a feature that allows guests without a Microsoft or federated identity to access content without having to create an account in your tenant.
Thank you for joining me. I hope to see you next time.