How to have more control on my users having access to client's tenant?

Najam ul Saqib 340 Reputation points
2024-10-31T05:19:33.8733333+00:00

Hi,

I am facing a scenario where an org needs to give its consultants (part-time employees) a domain email address, using which they get invited to a separate Azure tenant by the client and do their tasks there.

The thing is, in this scenario the org has no control at all over what the consultant does; the consultants are using their own machines, working remotely. If they do anything wrong in the client's tenant (they mostly work on web and logic apps) it will be a hit to the org's reputation, as they're working on the org's behalf and using its domain.

Can someone tell me what the available options are to have more control over what users do? The few options that came to my mind are:

  1. Create a VM for the consultants in the org's Azure tenant and ask them to use that for connecting to the client's environment -- I have no idea how fruitful this can be, but it can def be costly.
  2. Use external identities and connect the client's environment using a B2B connection with the org's environment -- again, very little knowledge in this area, but the research I have done so far shows that it only connects the Entra tenants and does not give access to the Azure portal resources, right?

Looking forward to a better and much more secure approach to adopt.

P.S. The org has a UEM solution (not Intune), so that can be utilized as well.


1 answer

  1. Sina Salam 12,976 Reputation points
    2024-10-31T20:39:34.0366667+00:00

    Hello Najam ul Saqib,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to know how you can have more control over your users having access to the client's tenant.

    Regarding your questions:

    How to have more control on my users having access to client's tenant?

    To have more control over your consultants’ access to the client’s tenant, you can implement the following measures:

    • Use Azure AD Conditional Access to enforce policies that require consultants to meet certain conditions before accessing resources. This can include multi-factor authentication (MFA), device compliance, and location-based restrictions.
    • Implement PIM to manage, control, and monitor access within Azure AD. This allows you to provide just-in-time privileged access to Azure resources and enforce approval workflows.

    Can someone tell me what are the available options to have more access to what users do?

    To gain more visibility into what users are doing, consider these options:

    • Set up Azure Monitor to collect and analyze logs from your consultants’ activities. This can help you detect and respond to suspicious activities.
    • Use Azure Security Center to get a unified view of security across your Azure environment. It provides advanced threat protection and security recommendations.

    Create a VM for the consultants in org's Azure tenant and ask them to use that for connecting with client's environment -- I have no idea how fruitful can this be, but this can def be costly.

    Creating VMs for consultants in your Azure tenant can provide a controlled environment for accessing the client’s resources. This approach can be effective but may incur higher costs. Benefits include:

    • You can enforce security policies and configurations on the VMs.
    • Consultants’ activities are isolated from their personal devices, reducing the risk of data leakage.

    Use external identities and connect the client's environment using B2B connection with org's environment -- again very little knowledge in this area but the research that I have done so far shows that it only connects the Entra and does not give access to the Azure portal resources, right?

    Using Azure AD B2B to connect with the client’s environment can be a secure way to manage external users. However, it’s important to understand its limitations:

    • B2B collaboration allows you to invite external users to your directory and assign them roles. While it doesn’t directly grant access to Azure resources, you can manage their permissions through Azure AD roles and resource-specific roles.
    • You can apply conditional access policies to B2B users to ensure they meet your security requirements.

    About the UEM solution (not Intune) that can be utilized as well.

    Since your organization has a Unified Endpoint Management (UEM) solution, you can leverage it to enforce security policies on consultants’ devices:

    • Make sure that consultants’ devices comply with your security policies before granting access to the client’s environment.
    • Use UEM to manage and monitor consultants’ devices, ensuring they adhere to your security standards.

    In summary, here are my recommendations:

    1. Consider combining VMs with B2B collaboration and conditional access policies to create a layered security approach.
    2. Conduct regular security audits and reviews of access logs to ensure compliance and detect any anomalies.
    3. Provide training to consultants on security best practices and the importance of adhering to your organization’s policies.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
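The answer above suggests collecting the consultants' sign-in activity and reviewing it for anomalies. As an added example that is not from the answer author or from Microsoft, here is a small review script over exported Entra ID sign-in records (field names follow the Microsoft Graph signIn resource; the tenant IDs, UPNs, domain and allowed-country list are constructed placeholders). It flags only outbound cross-tenant sign-ins by the consultant domain that come from a non-compliant device, were not covered by a successful Conditional Access evaluation, or originate outside the expected countries.

```python
"""Flag risky cross-tenant sign-ins by consultants in exported Entra ID sign-in logs."""

# Constructed placeholders (assumptions, not real tenant or user values).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"    # the org's own tenant
CLIENT_TENANT = "22222222-2222-2222-2222-222222222222"  # the client's tenant
CONSULTANT_DOMAIN = "org.example"                       # UPN suffix given to consultants
ALLOWED_COUNTRIES = {"PK", "AE"}                         # where consultants are expected to work

# Constructed sample records shaped like Microsoft Graph signIn objects.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@org.example", "resourceTenantId": CLIENT_TENANT,
     "conditionalAccessStatus": "success",
     "deviceDetail": {"isCompliant": True, "isManaged": True},
     "location": {"countryOrRegion": "PK"}},
    {"userPrincipalName": "bob@org.example", "resourceTenantId": CLIENT_TENANT,
     "conditionalAccessStatus": "notApplied",            # no policy covered this sign-in
     "deviceDetail": {"isCompliant": False, "isManaged": False},
     "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "carol@org.example", "resourceTenantId": HOME_TENANT,
     "conditionalAccessStatus": "success",                # home-tenant sign-in, out of scope
     "deviceDetail": {"isCompliant": False}, "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "dave@other.example", "resourceTenantId": CLIENT_TENANT,
     "conditionalAccessStatus": "notApplied", "deviceDetail": {}, "location": {}},
    {"userPrincipalName": "alice@org.example", "resourceTenantId": CLIENT_TENANT,
     "conditionalAccessStatus": "failure",                # policy blocked the attempt
     "deviceDetail": {"isCompliant": True, "isManaged": True},
     "location": {"countryOrRegion": "PK"}},
]


def risky_consultant_signins(records, home_tenant, consultant_domain, allowed_countries):
    """Return (upn, resource_tenant, reasons) for each cross-tenant consultant sign-in
    that fails at least one of the checks the thread discusses."""
    findings = []
    for rec in records:
        upn = rec.get("userPrincipalName", "")
        if not upn.lower().endswith("@" + consultant_domain):
            continue                                     # not one of the org's consultants
        if rec.get("resourceTenantId") == home_tenant:
            continue                                     # only outbound sign-ins matter here
        reasons = []
        if not (rec.get("deviceDetail") or {}).get("isCompliant"):
            reasons.append("device not compliant")
        ca_status = rec.get("conditionalAccessStatus")
        if ca_status != "success":
            reasons.append(f"conditional access {ca_status}")
        country = (rec.get("location") or {}).get("countryOrRegion")
        if country not in allowed_countries:
            reasons.append(f"sign-in from {country}")
        if reasons:
            findings.append((upn, rec.get("resourceTenantId"), reasons))
    return findings
```

Feed it the JSON you export from the home tenant's sign-in logs (for example via Azure Monitor or the Graph auditLogs/signIns endpoint) after loading the array into `records`.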

