
The mission is to give access to external organizations to our SQL DBs, Power BI and storage accounts (through AAD?), basically to consume our data. Here is a link to the external user access to AAD, have a look at the features available and let me know what you think would be a good approach:

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/compare-with-b2c

Xam
  • Add the users from external organizations as the guest users to your Azure AD tenant and assign them the resource reader or other role (if needed). https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal – Allen Wu Sep 15 '20 at 03:50
  • Thank you @AllenWu for your solution. Challenges here: 1. we need to delegate managing users to the guest orgs. 2. Also we don't want users from separate guest orgs to see each other through AAD. – Xam Sep 16 '20 at 08:38
  • You want the guest orgs to manage their own users and guest orgs cannot see each other? – Allen Wu Sep 16 '20 at 08:51
  • Yes, so Q1: How to delegate user-management to partners and/or non-admin / business (non-tech) users to reduce the work on host admin. (And in this case, how to ensure admins from org say xyz.com can only invite users that belong to the same domain?) Q2. B2B guest or separate-tenant option? Q3. Once users redeem invitations, we want these users to automatically be assigned to specific AAD groups and roles that fit their organization and roles. How to do so in Azure. – Xam Sep 16 '20 at 09:03
  • I'm afraid that B2B guest cannot meet your first requirement. For Q2, separate-tenant is B2C option? For Q3, it should be able to be implemented via B2B guest. – Allen Wu Sep 16 '20 at 09:40
  • Are there features in AAD that can make Q1 and/or Q3 happen? – Xam Sep 16 '20 at 13:02
  • I don't think AAD can make Q1 perfectly for you currently. – Allen Wu Sep 17 '20 at 03:01
  • We can hardly restrict guest users to see others. Now there is a preview feature saying it can stop guest access to others but it seems not to work based on my test. And if you want the guest admin to manage their own users, he will be able to see other guest orgs. – Allen Wu Sep 17 '20 at 03:17
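Added example (not from the question or the comments): the B2B guest flow Allen Wu suggests, with the automatic group placement Xam asks for in Q3, done with the AzureAD and Az PowerShell modules. xyz.com is the partner domain named in the comments; the subscription, resource group, storage account and group names are placeholders, and the rule assumes the invited address lands in the guest's `mail` attribute.

```powershell
# Requires the AzureAD and Az modules; run as a host-tenant admin.
Connect-AzureAD | Out-Null
Connect-AzAccount | Out-Null

$partnerDomain = 'xyz.com'   # partner org from the comments
# Placeholder scope: the ONE storage account the partner may read (assumed name).
$storageScope  = '/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RG>' +
                 '/providers/Microsoft.Storage/storageAccounts/<STORAGE-ACCOUNT>'

# 1. Invite a partner user as a B2B guest (sample address, constructed).
$invite = New-AzureADMSInvitation -InvitedUserEmailAddress "analyst@$partnerDomain" `
            -InviteRedirectUrl 'https://portal.azure.com' `
            -SendInvitationMessage $true

# 2. Dynamic security group keyed on userType = Guest and the partner domain.
#    Membership is evaluated by Azure AD once the invitation is redeemed, so
#    nobody has to add the user by hand (the Q3 requirement).
$rule  = '(user.userType -eq "Guest") and (user.mail -contains "@{0}")' -f $partnerDomain
$group = New-AzureADMSGroup -DisplayName "Partner-$partnerDomain-Readers" `
            -MailNickname 'partner-xyz-readers' `
            -MailEnabled $false -SecurityEnabled $true `
            -GroupTypes 'DynamicMembership' `
            -MembershipRule $rule `
            -MembershipRuleProcessingState 'On'

# 3. Least privilege: a data-plane read role on the single storage account,
#    granted to the group rather than to individual guests. Anyone who later
#    leaves the partner domain drops out of the group and loses the role.
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $storageScope | Out-Null

# 4. Verify that nothing broader than the intended scope was granted.
Get-AzRoleAssignment -Scope $storageScope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The same group object can be mapped to a Power BI workspace role or an Azure SQL contained user, so one dynamic group carries a partner's access across all three data sources.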

0 Answers