Thank you for your post!
I understand that you want to grant external contractors access to your Azure tenant for a specific Resource Group, timeline (1 year), and the users need to be secured via MFA. To hopefully point you in the right direction or resolve your issue, I'll share my findings below.
Findings:
When it comes to managing these external contractors / users, the best way that I found to do this would be:
- Create Azure AD guest user accounts for the external contractors.
- Assign the guest user accounts to an Azure AD group that you create specifically for this purpose.
- Assign or create a custom Azure RBAC role that grants the necessary permissions to the resource group(s).
- Assign the RBAC role to the Azure AD group that you created.
- Configure a Conditional Access Policy for the Azure AD group to require MFA.
- Set an expiration date for the guest user accounts to limit the duration of access. For more info, please refer to the links below.
- For more info - Manage the lifecycle of external users
Additional Links:
- Manage guest access with access reviews - Periodically review and ensure that guest users have appropriate access.
- When should you use access reviews?
- Assign Azure resource roles in Privileged Identity Management - With PIM, the external contractor users must activate an eligible role assignment to get permission to perform certain actions.
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
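As an added example (not part of the answer above, and not code from Microsoft's documentation), the following PowerShell script walks the listed steps end to end with the Az and Microsoft.Graph modules: invite the guest users, put them in a dedicated group, create a resource-group-scoped custom role, make the group's assignment expire after one year through a PIM schedule request (the "Assign Azure resource roles in Privileged Identity Management" link), and create a Conditional Access policy that requires MFA for that group. The subscription id, resource group, group name, role name and contractor e-mail addresses are placeholders you must replace; the expiry is placed on the role assignment rather than on the guest accounts themselves, so removal of the accounts is still left to access reviews as the answer suggests.

```powershell
# Added example: time-bound, MFA-protected contractor access to one resource group.
# Requires the Az.Accounts, Az.Resources and Microsoft.Graph.Identity.SignIns modules.
# Every value in the "Inputs" block is a placeholder / assumption, not from the original post.

# --- Inputs (placeholders) ---
$SubscriptionId   = "00000000-0000-0000-0000-000000000000"                 # placeholder
$ResourceGroup    = "rg-contractor-project"                                # placeholder
$GroupName        = "sg-contractors-project-x"                             # placeholder
$RoleName         = "Contractor Project X Operator"                        # placeholder
$ContractorEmails = @("alice@contractor.example", "bob@contractor.example") # placeholders
$AccessDuration   = "P365D"   # ISO 8601 duration: the one-year timeline from the question

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
Connect-MgGraph -Scopes "User.Invite.All", "Policy.ReadWrite.ConditionalAccess" | Out-Null

# Everything below is scoped to this one resource group, never to the subscription.
$Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# 1. Invite the contractors as B2B guest users; each invitation returns the created guest object.
$guestIds = foreach ($email in $ContractorEmails) {
    $inv = New-MgInvitation -InvitedUserEmailAddress $email `
                            -InviteRedirectUrl "https://portal.azure.com" `
                            -SendInvitationMessage
    $inv.InvitedUser.Id
}

# 2. A group created only for these contractors: access is granted to the group, not to individuals,
#    so adding or removing a contractor later is a group-membership change only.
$group = New-AzADGroup -DisplayName $GroupName -MailNickname $GroupName `
                       -Description "External contractors, project X (placeholder description)"
foreach ($id in $guestIds) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $id
}

# 3. Custom RBAC role: start from the built-in Contributor definition and narrow it.
#    Contributor already denies role-assignment changes; here deleting the resource group
#    itself is denied too, and the role can only be assigned inside this resource group.
$role = Get-AzRoleDefinition -Name "Contributor"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $RoleName
$role.Description = "Contributor, minus resource-group deletion, assignable only at RG scope"
$role.NotActions.Add("Microsoft.Resources/subscriptions/resourceGroups/delete")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($Scope)
$customRole = New-AzRoleDefinition -Role $role

# 4. Time-bound assignment via PIM: an active (AdminAssign) assignment that expires automatically
#    after $AccessDuration, so nobody has to remember to remove it after the engagement ends.
$roleDefinitionId = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/$($customRole.Id)"
New-AzRoleAssignmentScheduleRequest -Name (New-Guid).ToString() `
    -Scope $Scope `
    -PrincipalId $group.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date) `
    -ExpirationType AfterDuration `
    -ExpirationDuration $AccessDuration `
    -Justification "Contractor access for project X, one-year engagement (placeholder)" | Out-Null

# 5. Conditional Access: require MFA for members of the contractor group on all cloud apps.
#    Set state to "enabledForReportingButNotEnforced" first if you want to pilot in report-only mode.
$caPolicy = @{
    displayName = "CA - Require MFA - $GroupName"
    state       = "enabled"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy | Out-Null

Write-Host "Guest users, group '$GroupName', role '$RoleName', one-year PIM assignment and MFA policy created for $Scope"
```

The PIM step needs the PIM for Azure resources feature available in the tenant; without it, replace step 4 with a plain `New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $Scope` and rely on the access reviews linked in the answer to remove the assignment when the engagement ends.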