07 January 2019

Build a robust partner identity lifecycle process with Access Centre B2B

  • CIAM
  • Azure AD B2B
Marcus Idle

“We have over 3,000 local Active Directory accounts for external suppliers – and we don’t know which ones are needed.”

Sound familiar? These were the words of an Enterprise Architect we met at a recent workshop, and we could tell from his tone that although he had resigned himself to the situation, he knew it was far from ideal: several thousand accounts that nobody can vouch for is an audit finding waiting to happen.


The problems of a past identity

Most organisations need help from external organisations to get things done. It could be IT contractors fulfilling a development role in a one-off project, who need access to tools like Visual Studio and Azure DevOps. It could be subsidiaries who need access to project dashboards and file sharing. Whoever it is, whether supplier, customer, or other partner, they will most likely need to log in to some organisational IT resource.

Organisations like the one we were visiting have, in the past, created an account for the new external user in the organisational Active Directory. In other words, provided them with a Windows logon.

There are two issues with this:

1. Access

The new user may have arrived to perform a very specific task, but a domain account normally carries far more than that task needs: membership of default groups, access to intranet sites, file shares and line-of-business applications that trust any authenticated domain user. This inadvertent privilege (excess access) breaks the principle of least privilege and widens the blast radius if the contractor's credentials are ever phished or reused.

2. Lifecycle

Who manages the lifecycle of these external users? Quite often there is a provisioning request and never a deprovisioning request. Active Directory is perfectly happy with that, so when the user leaves the project, or even their own organisation, they retain that access. Nobody in your organisation is told when a partner's employee leaves, so you have no trigger to disable the account, and you have no way of knowing whether they are now working for a competitor. Again, a big security risk.

The solution? A token of trust

The solution is to ask your partners to log in with their organisational credentials: the user name and password they use to log in every day within their own organisation.

This relies on federated authentication, often called 'modern authentication' or 'modern auth' for short. The underlying standards (SAML, WS-Federation and OpenID Connect) have been around for years, but the approach has gathered more momentum recently with ADFS and Microsoft B2B.

The trick is for your organisation and the partner organisation to have a trust relationship: your authentication gateway is configured to trust tokens signed by the partner's identity provider, and it validates them against the partner's published signing key. So when the external user has logged in via their own organisation's sign-in page, that page sends a signed token to your organisation, which accepts the token as proof of authentication. The user's password never leaves the partner organisation; your gateway only ever sees the token, and it should check the signature, the issuer, the intended audience and the expiry before trusting the identity inside it.

This solution means that when your partner's employee leaves their organisation and their account there is disabled, they can no longer obtain a token, and so can no longer sign in to your organisation's resources. The one caveat is that a token already issued remains valid until it expires, which is why tokens are kept short-lived.
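The exchange described above, as an added example that is not part of the original post or of any Microsoft or ThirdSpace product: a partner identity provider issues a signed token only to users still active in its own directory, and the relying party's gateway accepts a token only if the issuer is trusted, the signature verifies, the audience matches and the token has not expired. To keep it self-contained, an HMAC over a per-partner shared key stands in for the RSA signature a real SAML or OpenID Connect federation would use; the structure of the checks is the same. The issuer URLs, user names and passwords are constructed sample data.

```python
"""Toy federated sign-in: partner IdP issues a signed token, relying party
validates it. Added illustration; HS256 (HMAC) replaces the asymmetric
signature used by real federation so the example runs with the stdlib only."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class PartnerIdP:
    """The partner organisation's sign-in page. A token is only ever issued
    to an account that is still enabled in the partner's own directory."""

    def __init__(self, issuer, signing_key, directory):
        self.issuer = issuer
        self.key = signing_key
        self.directory = directory  # {upn: {"password": str, "enabled": bool}}

    def sign_in(self, upn, password, audience, ttl=300, now=None):
        acct = self.directory.get(upn)
        if acct is None or not acct["enabled"] or not hmac.compare_digest(acct["password"], password):
            return None  # leaver, disabled account or wrong password: no token
        now = int(now if now is not None else time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": upn, "aud": audience, "iat": now, "exp": now + ttl}
        signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64(sig)}"


class RelyingParty:
    """Your organisation's authentication gateway: trusts specific issuers only."""

    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        self.trusted = trusted_issuers  # {issuer: verification key}

    def accept(self, token, now=None):
        try:
            h, c, s = token.split(".")
            header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(c)), _unb64(s)
        except (ValueError, AttributeError):
            return False, "malformed token"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return False, "malformed token"
        if header.get("alg") != "HS256":
            return False, "unexpected algorithm"
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return False, "issuer not trusted"      # no trust relationship with this IdP
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"           # claims were altered after signing
        if claims.get("aud") != self.audience:
            return False, "token not for us"        # issued for a different relying party
        now = int(now if now is not None else time.time())
        if now >= claims.get("exp", 0):
            return False, "expired"
        return True, claims["sub"]


def demo(now=1_700_000_000):
    """Walk through the cases the text describes; returns a dict of outcomes."""
    partner = PartnerIdP("https://login.partner.example", b"partner-shared-key", {
        "alice@partner.example": {"password": "correct horse", "enabled": True},
        "bob@partner.example": {"password": "battery staple", "enabled": False},  # has left the partner
    })
    rogue = PartnerIdP("https://login.rogue.example", b"rogue-key",
                       {"mallory@rogue.example": {"password": "x", "enabled": True}})
    gateway = RelyingParty("https://apps.contoso.example", {partner.issuer: partner.key})
    results = {}
    token = partner.sign_in("alice@partner.example", "correct horse", gateway.audience, now=now)
    results["active_user"] = gateway.accept(token, now=now)
    results["leaver_gets_token"] = partner.sign_in("bob@partner.example", "battery staple", gateway.audience, now=now)
    results["stale_token"] = gateway.accept(token, now=now + 600)  # beyond the 300 s lifetime
    results["untrusted_issuer"] = gateway.accept(
        rogue.sign_in("mallory@rogue.example", "x", gateway.audience, now=now), now=now)
    h, c, s = token.split(".")
    forged = json.loads(_unb64(c))
    forged["sub"] = "admin@contoso.example"          # rewrite the identity, keep the old signature
    results["tampered_claims"] = gateway.accept(f"{h}.{_b64(json.dumps(forged).encode())}.{s}", now=now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note the order of checks: the issuer is looked up before the signature is verified because the issuer determines which key to verify with, and the algorithm is pinned so a token cannot talk the gateway into a weaker or absent signature scheme. The leaver case is the lifecycle point of the post: the partner's own directory is the source of truth, so disabling Bob there is enough to lock him out of your resources, with no deprovisioning request on your side.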

It also means that you are not responsible for login and password-related support enquiries.

It’s all in the implementation

Microsoft B2B, together with Access Centre B2B from ThirdSpace, provide this capability.

Used together, they allow you to:

  • Create administrative users who can invite or approve guest users (the admin users can be internal to your organisation, or guests themselves)
  • Invite and provision guest users onto web applications (via groups); all you need is their email address
  • Manage users in groupings known as ‘partners’, which allows you to create partner-specific restrictions
  • Bulk upload users
  • Provide users with a self-service mechanism for requesting access (even for unknown users); these requests are routed through an approver before any users are provisioned in Azure
  • Send automated attestation requests to guest users


An effective outcome

Access Centre works for sharing web applications that are integrated into your Azure Active Directory for authentication. It can also be wired up to serve some types of on-premises web application.

Using Access Centre has been a source of relief to customers, who no longer have to route guest access requests through a central IT function. In addition, those guest users are now provisioned more securely, with their lifecycle managed at several levels (user, inviter, and home organisation), and they no longer impose an additional sign-in support overhead.

If you think that Access Centre could benefit your business, or you’d like to find out more about how to implement a proper identity lifecycle where you work, why not get in touch and book a free half-day workshop with us?

Author: Marcus Idle, Head of CIAM and IP Development