“We have over 3,000 local Active Directory accounts for external suppliers – and we don’t know which ones are needed.”
Sound familiar? These were the words of an Enterprise Architect we met with on a recent workshop – and we could tell from his tone that although he had resigned himself to the situation, it was clearly less than ideal.
Most organisations need help from external organisations to get things done. It could be IT contractors fulfilling a development role in a one-off project, who need access to tools like Visual Studio and Azure DevOps. It could be subsidiaries who need access to project dashboards and file sharing. Whoever it is, whether supplier, customer, or other partner, they will most likely need to login to some organisational IT resource.
Organisations like the one we were visiting have, in the past, created an account for the new external user in the organisational Active Directory. In other words, provided them with a Windows logon.
There are two issues with this:
The new user may have arrived to perform a very specific task, but providing them with an account would normally have opened up access to a number of company-wide systems that they don’t need. Giving this kind of inadvertent privilege (excess access) opens up security risks.
Who manages the lifecycle of these external users? Quite often there can be a provisioning request and no deprovisioning request. Active Directory is perfectly happy with that and so, when the user leaves the project or even their own organisation, they retain that access. Who knows whether they are now working at a competitor? Again – a big security risk.
The solution is to ask your partners to login with their organisational credentials – the user name and password they use to login every day within their own organisation.
This bit of magic relies on something called ‘modern authentication’ or ‘modern auth’ for short, a concept that has been around for years but has gathered more momentum recently with ADFS and Microsoft B2B.
The trick is for your organisation and the partner organisation to have some sort of trust relationship – this means that your authentication gateway can trust a signed token from the partner organisation. So when the external user has logged in via their organisation’s sign in page, that page simply sends a token to your organisation, which accepts the token as a form of authentication.
This solution means that when your partner has left their organisation, as their credentials will no longer work, they can no longer sign in to your organisation’s resources.
It also means that you are not responsible for login and password-related support enquiries.
Microsoft B2B, together with Access Centre B2B from ThirdSpace, can enable this ability.
Used together, they allow you to:
Access Centre works for sharing web applications that are integrated into your Azure Active Directory for authentication. It can also be wired up to service some types of on-premise web applications.
Using Access Centre has been a source of relief to clients, who no longer have to route guest access requests through a central IT function. In addition those guest users are now provisioned more securely, with their lifecycle managed at several levels (user, inviter, and home organisation), and no longer impose an additional support overhead for sign in.
If you think that Access Centre could benefit your business, or you’d like to find out more about how to implement a proper identity lifecycle where you work, why not request a Vision Call to speak to one of our experts?
We'd love to hear from you! Our friendly team can be reached Monday through Friday, from 9am to 5pm.Contact Us
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.