07 January 2019

Build a robust partner identity lifecycle process with Access Centre B2B

Written by Marcus Idle

“We have over 3,000 local Active Directory accounts for external suppliers – and we don’t know which ones are needed.”

Sound familiar? These were the words of an Enterprise Architect we met at a recent workshop, and we could tell from his tone that although he had resigned himself to the situation, it was clearly less than ideal.


The problems of a past identity

Most organisations need help from external organisations to get things done. It could be IT contractors fulfilling a development role in a one-off project, who need access to tools like Visual Studio and Azure DevOps. It could be subsidiaries who need access to project dashboards and file sharing. Whoever it is, whether supplier, customer, or other partner, they will most likely need to log in to some organisational IT resource.

Organisations like the one we were visiting have, in the past, created an account for the new external user in the organisational Active Directory. In other words, provided them with a Windows logon.

There are two issues with this:

1. Access

The new user may have arrived to perform a very specific task, but providing them with an account would normally have opened up access to a number of company-wide systems that they don’t need. Giving this kind of inadvertent privilege (excess access) opens up security risks.

2. Lifecycle

Who manages the lifecycle of these external users? Quite often there can be a provisioning request and no deprovisioning request. Active Directory is perfectly happy with that and so, when the user leaves the project or even their own organisation, they retain that access. Who knows whether they are now working at a competitor? Again – a big security risk.
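The lifecycle gap described above is detectable before it becomes a breach. The following is an added example, not ThirdSpace's code, of the kind of review a practitioner can run over an export of the local AD accounts created for external suppliers. The account records, the 90-day inactivity threshold, the owner and project-end fields, and the review date (set to the date of this post) are all constructed sample values; in practice the records would come from an AD export such as Get-ADUser filtered to the OU or group that holds external accounts.

```python
"""Flag local AD accounts for external suppliers that need a lifecycle decision.

Added example; the records below are constructed sample data, not a real export.
"""
from datetime import datetime, timedelta, timezone

# Constructed review date (the date of the post) so results are reproducible.
REVIEW_DATE = datetime(2019, 1, 7, tzinfo=timezone.utc)

# Constructed sample export of external supplier accounts. "owner" is the
# internal sponsor recorded for the account; "project_end" is the agreed end
# date of the engagement. Both are hypothetical attribute names.
SAMPLE_ACCOUNTS = [
    {"sam": "ext.alice", "enabled": True, "last_logon": "2018-12-20T09:12:00Z",
     "owner": "pm.smith", "project_end": "2019-03-31"},
    {"sam": "ext.bob", "enabled": True, "last_logon": "2018-03-02T17:40:00Z",
     "owner": "pm.smith", "project_end": "2018-06-30"},
    {"sam": "ext.carol", "enabled": True, "last_logon": None,
     "owner": "", "project_end": None},
    {"sam": "ext.dave", "enabled": False, "last_logon": "2017-11-11T08:00:00Z",
     "owner": "pm.jones", "project_end": "2017-12-31"},
]


def _parse_utc(stamp, fmt):
    """Parse a timestamp string into an aware UTC datetime; None stays None."""
    if stamp is None:
        return None
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def review_external_accounts(accounts, now=REVIEW_DATE, inactive_days=90):
    """Return {account: [reasons]} for enabled external accounts that nobody has
    deprovisioned but which show signs of no longer being needed."""
    findings = {}
    cutoff = now - timedelta(days=inactive_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: the lifecycle decision was made
        reasons = []
        last = _parse_utc(acct["last_logon"], "%Y-%m-%dT%H:%M:%SZ")
        if last is None:
            reasons.append("never logged on")
        elif last < cutoff:
            reasons.append(f"no logon for {(now - last).days} days")
        if not acct["owner"]:
            reasons.append("no internal owner recorded")
        end = _parse_utc(acct["project_end"], "%Y-%m-%d")
        if end is None:
            reasons.append("no project end date")
        elif end < now:
            reasons.append(f"project ended {acct['project_end']}")
        if reasons:
            findings[acct["sam"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_external_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Every account the function reports has an enabled Windows logon and nobody who can say whether it is still needed, which is exactly the state the Enterprise Architect described. Accounts with an owner and a live project end date pass, so the output is a short list to put in front of the sponsors rather than 3,000 names.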

The solution? A token of trust

The solution is to ask your partners to log in with their organisational credentials – the user name and password they use to log in every day within their own organisation.

This bit of magic relies on something called ‘modern authentication’ or ‘modern auth’ for short, a concept that has been around for years but has gathered more momentum recently with ADFS and Microsoft B2B.

The trick is for your organisation and the partner organisation to have some sort of trust relationship – this means that your authentication gateway can trust a signed token from the partner organisation. So when the external user has logged in via their organisation’s sign-in page, that page simply sends a token to your organisation, which accepts the token as a form of authentication.

This solution means that once the external user has left their organisation, their credentials stop working there, so they can no longer sign in to your organisation’s resources either.

It also means that you are not responsible for login and password-related support enquiries.
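To make the trust relationship concrete, here is an added example, not ThirdSpace's or Microsoft's code, of both halves of the exchange described above: the partner's sign-in page minting a signed token for a user who still exists in the partner's own directory, and your gateway accepting that token only if it comes from a configured partner trust, its signature verifies with that partner's key, it names your organisation as the audience, and it has not expired. To keep the example self-contained the tokens are HMAC-signed with a per-partner key, standing in for the certificate-based signatures real federation uses; the issuer URLs, keys, directories and audience are all constructed values.

```python
"""Trusted-partner token exchange: partner signs, our gateway verifies.

Added example with constructed trust data; HMAC stands in for the
certificate-based signing real federation uses.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration for OUR gateway: partner issuer -> key used
# to verify tokens that issuer signs.
PARTNER_TRUSTS = {
    "https://sts.partner-a.example/": b"partner-a-signing-key",
    "https://sts.partner-b.example/": b"partner-b-signing-key",
}
OUR_AUDIENCE = "https://apps.ourorg.example/"

# Constructed view of each PARTNER's own directory: who can still sign in there.
PARTNER_DIRECTORIES = {
    "https://sts.partner-a.example/": {"alice@partner-a.example"},
    "https://sts.partner-b.example/": {"bob@partner-b.example"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def partner_sign_in(issuer, subject, now=None, lifetime=3600):
    """The partner's sign-in page. If the user still exists in the partner's
    directory, mint a token naming our organisation as audience and sign it.
    Returns None for a user the partner no longer recognises: that is how a
    leaver loses access to us without any action on our side."""
    if subject not in PARTNER_DIRECTORIES.get(issuer, set()):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": OUR_AUDIENCE,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    return signing_input + "." + _b64url(_sign(PARTNER_TRUSTS[issuer], signing_input))


def accept_token(token, now=None):
    """Our authentication gateway. Returns (True, subject) for a token that is
    intact, from a trusted partner, meant for us and current; otherwise
    (False, reason). The issuer claim is read before the signature check only
    to select the key; the key itself always comes from our trust table."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected signing algorithm"
    issuer = claims.get("iss")
    if issuer not in PARTNER_TRUSTS:
        return False, f"untrusted issuer {issuer!r}"
    expected = _sign(PARTNER_TRUSTS[issuer], header_b64 + "." + claims_b64)
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return False, "signature does not verify"
    if claims.get("aud") != OUR_AUDIENCE:
        return False, "token not issued for this organisation"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired"
    return True, claims.get("sub")


if __name__ == "__main__":
    issuer = "https://sts.partner-a.example/"
    token = partner_sign_in(issuer, "alice@partner-a.example")
    print(accept_token(token))
    print(partner_sign_in(issuer, "leaver@partner-a.example"))
```

Note that your gateway never sees or stores the partner user's password: the only things it holds are the partner's verification key and the audience value it expects. That is why the login and password support burden moves to the partner, and why removing the user from the partner directory is enough to end their access.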

It’s all in the implementation

Microsoft B2B, together with Access Centre B2B from ThirdSpace, can enable this ability.

Used together, they allow you to:

  • Create administrative users who can invite or approve guest users (the admin users can be internal to your organisation, or guests themselves)
  • Invite and provision guest users onto web applications (via groups); all you need is their email address
  • Manage users in groupings known as ‘partners’, which allows you to create partner-specific restrictions
  • Bulk upload users
  • Provide users with a self-service mechanism for requesting access (even for unknown users); these requests are routed through an approver before any users are provisioned in Azure
  • Send automated attestation requests to guest users


An effective outcome

Access Centre works for sharing web applications that are integrated into your Azure Active Directory for authentication. It can also be wired up to serve some types of on-premises web applications.

Using Access Centre has been a source of relief to clients, who no longer have to route guest access requests through a central IT function. In addition, those guest users are now provisioned more securely, with their lifecycle managed at several levels (user, inviter, and home organisation), and they no longer impose an additional support overhead for sign-in.

If you think that Access Centre could benefit your business, or you’d like to find out more about how to implement a proper identity lifecycle where you work, why not request a Vision Call to speak to one of our experts?
