Build a robust partner identity lifecycle process with Access Centre B2B

Sound familiar? These were the words of an Enterprise Architect we met with on a recent workshop – and we could tell from his tone that although he had resigned himself to the situation, it was clearly less than ideal.

The problems of a past identity

Most organisations need help from external organisations to get things done. It could be IT contractors fulfilling a development role in a one-off project, who need access to tools like Visual Studio and Azure DevOps. It could be subsidiaries who need access to project dashboards and file sharing. Whoever it is, whether supplier, customer, or other partner, they will most likely need to login to some organisational IT resource.

Organisations like the one we were visiting have, in the past, created an account for the new external user in the organisational Active Directory. In other words, provided them with a Windows logon.

There are two issues with this:

1. Access

The new user may have arrived to perform a very specific task, but providing them with an account would normally have opened up access to a number of company-wide systems that they don’t need. Giving this kind of inadvertent privilege (excess access) opens up security risks.

2. Lifecycle

Who manages the lifecycle of these external users? Quite often there can be a provisioning request and no deprovisioning request. Active Directory is perfectly happy with that and so, when the user leaves the project or even their own organisation, they retain that access. Who knows whether they are now working at a competitor? Again – a big security risk.

The solution? A token of trust

The solution is to ask your partners to login with their organisational credentials – the user name and password they use to login every day within their own organisation.

This bit of magic relies on something called ‘modern authentication’ or ‘modern auth’ for short, a concept that has been around for years but has gathered more momentum recently with ADFS and Microsoft B2B.

The trick is for your organisation and the partner organisation to have some sort of trust relationship – this means that your authentication gateway can trust a signed token from the partner organisation. So when the external user has logged in via their organisation’s sign in page, that page simply sends a token to your organisation, which accepts the token as a form of authentication.

This solution means that when your partner has left their organisation, as their credentials will no longer work, they can no longer sign in to your organisation’s resources.

It also means that you are not responsible for login and password-related support enquiries.

It’s all in the implementation

Microsoft B2B, together with Access Centre B2B from ThirdSpace, can enable this ability.

Used together, they allow you to:

• Create administrative users who can invite or approve guest users (the admin users can be internal to your organisation, or guests themselves)
• Invite and provision guest users onto web applications (via groups), all you need is their email address
• Manage users in groupings known as ‘partners’, which allows you to create partner-specific restrictions
• Bulk upload users
• Provide users with a self-service mechanism for requesting access (even for unknown users)
• These requests are routed through an approver before any users are provisioned in Azure
• Send automated attestation requests to guest users

An effective outcome

Access Centre works for sharing web applications that are integrated into your Azure Active Directory for authentication. It can also be wired up to service some types of on-premise web applications.

Using Access Centre has been a source of relief to clients, who no longer have to route guest access requests through a central IT function. In addition those guest users are now provisioned more securely, with their lifecycle managed at several levels (user, inviter, and home organisation), and no longer impose an additional support overhead for sign in.

If you think that Access Centre could benefit your business, or you’d like to find out more about how to implement a proper identity lifecycle where you work, why not request a Vision Call to speak to one of our experts?