The twist: we need to delegate user management to our partners/vendors. So as an example, for app3 we will have tons of partner/vendor organizations that need access. We want to give 1 person from that organization the responsibility of inviting their colleagues and removing folks when anyone leaves their organization. In many cases, they won't necessarily have the same email address domains so we can't restrict/group in that manner. In other cases, we need each national office of a global organization to have its own delegated admin to manage staff so there may be separate organizations with users that have the same email address domain.
My questions: Is Azure AD B2C the right approach for this? Can it support this kind of delegated management (something like -us/azure/active-directory/active-directory-accessmanagement-self-service-group-management)?
Use Azure AD and the B2B collaboration feature (including its ability to delegate invitations). This also opens up the self-service group management capabilities you referenced. If you don't want these users to get access to other things in your organization, you would probably want to create a separate Azure AD tenant for this and also invite people from your own Azure AD via B2B collaboration.
B2B collaboration is a feature within Microsoft Entra External ID that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with external users, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Microsoft Entra ID or an IT department.
A simple invitation and redemption process lets partners use their own credentials to access your company's resources. You can also enable self-service sign-up user flows to let external users sign up for apps or resources themselves. Once the external user has redeemed their invitation or completed sign-up, they're represented in your directory as a user object. The user type for these B2B collaboration users is typically set to "guest" and their user principal name contains the #EXT# identifier.
In Partner Center, partners have access to a reporting tool that identifies and displays all active delegated administrative privilege connections and helps organizations discover inactive DAP connections. The reporting captures how partner agents are accessing customer tenants through those privileges and enables partners to remove connections that aren't in use. To improve security, Microsoft recommends that partners remove DAP connections that are no longer in use.
To improve security, Microsoft recommends that partners remove delegated administrative privileges that are no longer in use or that have been inactive for 90 days or more. For guidance about using the DAP report and self-service removal, see Monitoring administrative relationships and self-service DAP removal.
Customers can't find the partners who are assigned a Microsoft Entra role using Microsoft Entra admin center/PowerShell/Graph. Instead, they should use the Partner relationships page in the Office 365 Admin Portal to find out whether a delegated administration privilege has been assigned to a partner.
Submitted to Microsoft tab: this is for issues to be submitted directly to Microsoft using a support plan. Competency partners can use their Signature Cloud Support incidents, and any partner can purchase Advanced Support for Partners or Premier Support for Partners (MPN on-premises product support incidents cannot be used for cloud products).
Before you can start administering a client's account, the client must authorize you as a delegated administrator. To get client approval, you first send them an offer for delegated administration, which you can include with a trial invitation or purchase offer. You can also offer delegated administration to your client at a later time.
Saviynt helps you establish governance with Azure AD CIAM by providing delegated administration within B2C tenants and allows geofencing of administrative operations. This improves compliance enforcement with the administration of B2C identities, as well as role-based access control for fine-grained entitlements to the object attribute level.
Some best practices for managing external collaboration settings in Azure AD include using role-based access control, setting up policies for external collaboration, monitoring external collaboration settings, and providing training for external users.
To begin the move to GDAP, partners should first determine how users within their organization currently access customer tenants. This can be done using the DAP monitoring report in the Microsoft Partner Center. The report can also be used to remove inactive DAP connections. To access it, navigate to Partner Center, Account settings, Security center, and then Administrative relationships.
This improves collaboration between partners and their customers and enables partners to provide better customer service by enabling their customers to manage their own resources while still being able to rely on their partner for support and guidance.
Office 365 supports the idea of delegated administration to allow Microsoft partners to receive roles to provide important services. A partner can also assign admin roles to individuals in the organization. Delegated administration requires the partner to be assigned as a delegated admin on the Office 365 account.
For example, business partner visibility into inventory management systems, CRM, marketing, O365, and even HR applications is necessary to ease the flow of the business partnerships and allow for collaboration on projects.
Then you need to request a reseller relationship with a customer and you need to include delegated administration privileges for Azure Active Directory (Azure AD) and Office 365 in the request email that you send to the customer:
Users have the option to define additional application owners to delegate access and administration to other users. Owners can generate new certificates or administrate metadata of the enterprise app.
Subscribers can assign partners to help manage their Microsoft 365 workloads, all of which have their own quirks and nuances. It is possible to delegate individual workloads to different service providers, allowing you to work with multiple experts across different parts of your tenants. The ability to assign different partners who deeply understand your environment to specific workloads reduces access roadblocks for all the partners who support your tenant.
Transitioning not only affects internal access controls but also has a significant impact on external integrations with third-party services and applications. Migrating from DAP to GDAP involves careful consideration of this impact. Organizations must assess compatibility, establish trust, address compliance considerations, update contractual agreements, and provide necessary training and support to external partners. By aligning external integrations with GDAP, organizations can ensure secure data sharing, maintain compliance, and foster effective collaboration while leveraging the enhanced access control capabilities of GDAP.
Whether you rely on a consulting company to advise you on all things Microsoft 365, or you purchase licenses through a CSP partner, there is a good chance that partner has a Delegated Admin Permission link to your tenant. Delegated Admin Permissions (DAP) are provided to partners for ease of accessibility. By using DAP, they have access to the tenants of their customers without needing a dedicated account in each tenant.
According to Microsoft documentation, partners have different partnership types to choose from when working with their customers. In this blog, we are focusing on delegated administrator partners.
In November 2021 Microsoft announced a new, more granular form of DAP called GDAP, which allows partners to have more granular and time-bound access to their customers. The Microsoft Threat Intelligence Center (MSTIC) recommends that partners move to GDAP:
Keeping with the Zero Trust principle of explicit verification and using least privileged access, GDAP provides more explicit roles and time-bound parameters for partner access to customer environments than DAP. They restrict access to customer tenants on a deeper level, thereby reducing security risk between Microsoft partners and their clients. More specifically, GDAP details access at the customer, partner tenant, partner user and workload levels for different Microsoft services.
When you first sync a device to your environment it creates a partnership between Office 365 and your device. You can see these partnerships for your entire organization by looking at the Users with Mobile Device report built into our advanced Office 365 delegated administration tool.
The mobile device market is one that is very fast-paced where people often replace their phones or tablets, often with their old models either thrown in a drawer or possibly reused by someone else. Identifying some of these old sync partnerships can be tricky, but using the Inactive Mobile Device report simplifies this problem. In the report, you can choose a particular interval to view.
With the enhanced partnership announced today, LaLiga and Microsoft will focus on co-innovation and cloud acceleration using Microsoft Azure and its AI capabilities. The collaboration will continue providing LaLiga, through LaLiga Tech assets, with new growth and business opportunities by leveraging the best innovations emerging across the sports market, entertainment companies and other commercial companies around the globe.
You can also manage machine identities for external parties who need access. To give access to machine identities, you can use IAM roles. IAM roles have specific permissions and provide a way to access AWS by relying on temporary security credentials with a role session. Additionally, you might have machines outside of AWS that need access to your AWS environments. For machines that run outside of AWS you can use AWS Identity and Access Management Roles Anywhere. For more information about roles, see IAM roles. For details about how to use roles to delegate access across AWS accounts, see IAM tutorial: Delegate access across AWS accounts using IAM roles.