Applies To:

GroupID 9 and 10 – Self-Service
(For a Microsoft Azure identity store only)

Business Scenario:

Organizations are not stand-alone bodies. They must collaborate with outsiders, such as vendors, consultants and contractors, in order to get work done. These outsiders, or call them external users, may be tasked with deploying resources, checking existing system configurations, conducting financial and asset audits, and more.

And however reluctant organizations may be, they must grant access on their resources – in however limited a capacity – to outsiders.

The Problem:

Now the big question is: what are the safest ways to let these external users (or outsiders) access your organization’s resources while preventing unauthorized access and security breaches?

Solution:

GroupID offers a two-layered solution to this problem.

  • Invite an external user from another Azure AD tenant to the membership of a group in your domain.
  • Change the membership type of this guest user to ‘temporary member’.

From a security standpoint, this should work best for your organization. Rather than creating new users in your domain, invite these external users as ‘guests’ to the membership of a group in your domain. This group should carry only the access rights and privileges the task requires. Moreover, assigning temporary membership ensures that these users are removed from the group in due course, so their access to organizational resources is revoked automatically.

Step 1: Invite a Guest User

For a Microsoft Azure based identity store, the Self-Service portal enables you to invite a user from another Azure AD tenant to the membership of a group in your domain.

  1. Launch the Self-Service portal and connect it to an Azure identity store.
  2. On the left navigation bar, click Groups and then select the My Groups tab, or search for the group you want to invite a guest user to.
  3. Select the group and click Properties on the toolbar.
  4. On the Members tab in group properties, click the Invite User button.
    The Invite User dialog box is displayed.

  5. Provide the following information:

    • In the Email box, enter the email address of the user you want to invite to your domain.
    • In the Redirect URL box, provide the URL of a portal page, such as the My Profile page. On accepting the invite, the guest user will be redirected to this page.
    • Add any message for the guest user in the Personal Message box.
    • Click Invite User.
  6. The guest user is sent an email with the redirect link. On clicking this link, the guest user is successfully invited.
    The Invite User button on the Invite User dialog box changes to Add To Group.

  7. Click the Add To Group button to add the guest user as a group member.
  8. Save the information.

An object for the guest user is created in Azure AD with the user type ‘guest’. This user has the same rights and permissions as any other group member.

Step 2: Assign the ‘Temporary’ Membership Type to a Guest User

Access granted to external users on the organization’s resources must be revoked when it is no longer required, but in practice this often does not happen: the groups continue to exist, and guest users continue to receive emails and access the resources with no remaining justification. This is, of course, a security hazard.

GroupID can help prevent such a situation from happening. After adding the guest user as a group member, change its membership type to ‘Temporary Member’.

To achieve this, see Change a User’s Membership Type.
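The two layers above (invite the outsider as a guest rather than creating a local account, then time-box the membership so access lapses by itself) can be modelled outside the portal for auditing. The following is an added example and not GroupID code: the GroupID portal API and its own expiry handling are not described on this page, so the request bodies follow the public Microsoft Graph invitation and group-member endpoints, and the membership records, expiry dates and identifiers are constructed, assumed data used only to show the revocation check.

```python
"""Model of the guest-access flow: invite as guest, add to a group, then
time-box the membership and find memberships that are due for removal.
Added illustration; the membership store and all ids are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def build_invitation(email: str, redirect_url: str, message: str | None = None) -> dict:
    """Body for POST {GRAPH}/invitations (Microsoft Graph invitation API).
    The three fields mirror the Invite User dialog: Email, Redirect URL,
    Personal Message."""
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": True,
    }
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def build_add_member(guest_object_id: str) -> dict:
    """Body for POST {GRAPH}/groups/{group-id}/members/$ref, referencing the
    guest object that the invitation created."""
    return {"@odata.id": f"{GRAPH}/directoryObjects/{guest_object_id}"}


@dataclass
class Membership:
    group_id: str
    member_id: str
    user_type: str                # Azure AD userType: "Guest" or "Member"
    expires_at: datetime | None   # None means permanent membership


# Constructed sample records (assumed ids, not from any real tenant).
UTC = timezone.utc
SAMPLE_MEMBERSHIPS = [
    Membership("grp-finance-audit", "guest-0001", "Guest", datetime(2024, 3, 1, tzinfo=UTC)),
    Membership("grp-finance-audit", "guest-0002", "Guest", None),
    Membership("grp-finance-audit", "user-0100", "Member", None),
    Membership("grp-deploy", "guest-0001", "Guest", datetime(2024, 6, 1, tzinfo=UTC)),
]


def expired_memberships(memberships, now: datetime) -> list[Membership]:
    """Temporary memberships whose window has ended as of `now`."""
    return [m for m in memberships if m.expires_at is not None and m.expires_at <= now]


def guests_without_expiry(memberships) -> list[Membership]:
    """Audit check for the hazard described above: guest memberships that
    were never time-boxed and so will never be revoked automatically."""
    return [m for m in memberships if m.user_type == "Guest" and m.expires_at is None]


def revocation_plan(memberships, now: datetime) -> list[tuple[str, str, str]]:
    """(group, member, DELETE URL) for each expired membership; the URL is the
    Graph endpoint that removes a member from a group."""
    return [
        (m.group_id, m.member_id, f"{GRAPH}/groups/{m.group_id}/members/{m.member_id}/$ref")
        for m in expired_memberships(memberships, now)
    ]


if __name__ == "__main__":
    print(build_invitation("vendor@example.com", "https://portal.example/MyProfile", "Welcome"))
    now = datetime(2024, 4, 1, tzinfo=UTC)
    for group, member, url in revocation_plan(SAMPLE_MEMBERSHIPS, now):
        print(f"remove {member} from {group}: DELETE {url}")
    for m in guests_without_expiry(SAMPLE_MEMBERSHIPS):
        print(f"guest {m.member_id} in {m.group_id} has no expiry; set a temporary membership")
```

Running the audit on the constructed records with a reference date of 1 April 2024 lists one expired membership to remove and flags one guest that was added without an expiry, which is exactly the state Step 2 is meant to prevent.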

Reference:

GroupID Self-Service portal - Online Help
