Transition to governed collaboration with Azure Active Directory B2B collaboration

Understanding collaboration helps secure external access to your resources. We recommend you read the following articles first:

Use the information in this article to move external collaboration into Azure Active Directory B2B (Azure AD B2B) collaboration.

Control collaboration

You can limit the organizations your users collaborate with (inbound and outbound), and who in your organization can invite guests. Most organizations permit business units to decide on collaboration, and delegate approval and oversight. For example, organizations in government, education, and financial services often don't permit open collaboration. You can use Azure AD features to control collaboration.

You can control access to your tenant by deploying one or more of the following solutions:

  • External Collaboration Settings – Restrict the email domains that invitations go to
  • Cross Tenant Access Settings – Control application access by guests by user, group, or tenant (inbound). Control your users' access to external Azure AD tenants and applications (outbound)
  • Connected Organizations – Determine which organizations can request Access Packages in Entitlement Management

Determine collaboration partners

Document the organizations you collaborate with and, if needed, the domains their users have. Domain-based restrictions might be impractical: one collaboration partner can have multiple domains, and a partner can add domains. For example, a partner with multiple business units might have a separate domain for each, and might add more domains as it configures synchronization.

If your users use Azure AD B2B, you can discover the external Azure AD tenants they're collaborating with via the sign-in logs, PowerShell, or a workbook. Learn more:
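The following Python script is an added example, not part of the original article or a Microsoft tool. It assumes you have exported sign-in records from Microsoft Graph (auditLogs/signIns) as JSON and works only with the homeTenantId, resourceTenantId, and userPrincipalName fields of each record. The tenant IDs and user names below are constructed for the example. It lists the partner tenants seen inbound (guests signing in to your tenant) and outbound (your users signing in to other tenants), and also groups the email domains observed per inbound tenant, which shows why a single partner can appear under several domains:

```python
import json

# Constructed sample of sign-in records in the shape of Graph auditLogs/signIns
# objects, reduced to the fields this script uses. All IDs and names are made up.
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
FABRIKAM_TENANT = "22222222-2222-2222-2222-222222222222"
WOODGROVE_TENANT = "33333333-3333-3333-3333-333333333333"

SAMPLE_SIGNINS = json.dumps([
    # Inbound: guests from one partner tenant, arriving under two email domains.
    {"userPrincipalName": "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "homeTenantId": FABRIKAM_TENANT, "resourceTenantId": OUR_TENANT},
    {"userPrincipalName": "bob_fabrikam.ca#EXT#@contoso.onmicrosoft.com",
     "homeTenantId": FABRIKAM_TENANT, "resourceTenantId": OUR_TENANT},
    # Outbound: one of our users signing in to a partner tenant as a guest there.
    {"userPrincipalName": "carol@contoso.com",
     "homeTenantId": OUR_TENANT, "resourceTenantId": WOODGROVE_TENANT},
    # Ordinary same-tenant sign-in: not collaboration, ignored.
    {"userPrincipalName": "dave@contoso.com",
     "homeTenantId": OUR_TENANT, "resourceTenantId": OUR_TENANT},
])


def guest_domain(upn):
    """Recover the home email domain from a B2B guest UPN of the form
    local_domain#EXT#@tenant. Returns None for UPNs that aren't in that form."""
    if "#EXT#" not in upn:
        return None
    local = upn.split("#EXT#", 1)[0]
    if "_" not in local:
        return None
    return local.rsplit("_", 1)[-1].lower()


def external_tenants(signins_json, our_tenant):
    """Summarize cross-tenant sign-ins.

    Returns {"inbound": {tenant_id: {"signins": n, "domains": [...]}},
             "outbound": {tenant_id: n}}.
    A sign-in is inbound when the resource tenant is ours and the home tenant
    isn't; outbound when the home tenant is ours and the resource tenant isn't.
    """
    inbound, outbound = {}, {}
    for record in json.loads(signins_json):
        home = record.get("homeTenantId")
        resource = record.get("resourceTenantId")
        if not home or not resource or home == resource:
            continue  # missing data or same-tenant sign-in
        if resource == our_tenant:
            entry = inbound.setdefault(home, {"signins": 0, "domains": set()})
            entry["signins"] += 1
            domain = guest_domain(record.get("userPrincipalName", ""))
            if domain:
                entry["domains"].add(domain)
        elif home == our_tenant:
            outbound[resource] = outbound.get(resource, 0) + 1
    for entry in inbound.values():
        entry["domains"] = sorted(entry["domains"])
    return {"inbound": inbound, "outbound": outbound}


if __name__ == "__main__":
    summary = external_tenants(SAMPLE_SIGNINS, OUR_TENANT)
    for tenant, info in summary["inbound"].items():
        print(f"inbound  {tenant}: {info['signins']} sign-ins, domains {info['domains']}")
    for tenant, count in summary["outbound"].items():
        print(f"outbound {tenant}: {count} sign-ins")
```

Run it against a real export by replacing SAMPLE_SIGNINS with the exported JSON and OUR_TENANT with your tenant ID. The inbound list is the set of tenants that a Cross Tenant Access Settings allowlist needs to cover; the per-tenant domain list is the set that a domain-based External Collaboration Settings allowlist would have to enumerate.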

You can enable future collaboration with:

  • External organizations (most inclusive)
  • External organizations (but not denied organizations)
  • Specific external organizations (most restrictive)

Note

If your collaboration settings are highly restrictive, your users might go outside the collaboration framework. We recommend you enable the broadest collaboration your security requirements allow.

Limiting collaboration to one domain can prevent authorized collaboration with organizations that have other, unrelated domains. For example, the initial point of contact with Contoso might be a US-based employee whose email uses the .com domain. However, if you allow only the .com domain, you might omit Canadian employees who use the .ca domain.

You can allow specific collaboration partners for a subset of users. For example, a university restricts student accounts from accessing external tenants, but allows faculty to collaborate with external organizations.

Allowlist and blocklist with External Collaboration Settings

You can use an allowlist or a blocklist to allow or block invitations from specific organizations. You can use only an allowlist or a blocklist, not both.

  • Allowlist - Limit collaboration to a list of domains. All other domains are on the blocklist.
  • Blocklist - Allow collaboration with domains not on the blocklist

Learn more: Allow or block invitations to B2B users from specific organizations

Important

These lists don't apply to users in your directory. By default, they also don't apply to OneDrive for Business and SharePoint, which have their own allowlists and blocklists. These lists are separate, but you can enable SharePoint-OneDrive B2B integration.

Some organizations use a blocklist of bad-actor domains from a managed security provider. For example, if the organization does business with Contoso, which uses a .com domain, an unrelated organization could use the .org domain and attempt a phishing attack.

Cross Tenant Access Settings

You can control inbound and outbound access using Cross Tenant Access Settings. In addition, you can trust multi-factor authentication (MFA), a compliant device, and hybrid Azure Active Directory joined device (HAADJ) claims from external Azure AD tenants. When you configure an organizational policy, it applies to the Azure AD tenant and covers users in that tenant, regardless of domain suffix.

You can enable collaboration across Microsoft clouds such as Microsoft Azure operated by 21Vianet (Azure China) or Microsoft Azure Government. Determine if your collaboration partners reside in a different Microsoft cloud. Learn more: Configure Microsoft cloud settings for B2B collaboration (Preview).

You can allow inbound access to specific tenants (allowlist), and set the default policy to block access. You then create organizational policies that allow access by user, group, or application.

You can block access to tenants (blocklist). Set the default policy to Allow and then create organizational policies that block access to some tenants.

Note

Cross Tenant Access Settings Inbound Access doesn't prevent invitations from being sent or redeemed. However, it does control application access and whether a token is issued to the guest user. Even if the guest can redeem an invitation, the policy blocks application access.

To control your users' access to external organizations, configure outbound access policies in the same way as inbound access: with an allowlist or a blocklist. Configure default and organization-specific policies.

Learn more: Configure cross-tenant access settings for B2B collaboration
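The script below is an added example that models how the inbound side of Cross Tenant Access Settings is evaluated; it is not Microsoft's implementation or API, and the policy class is a hypothetical simplification (one "allowed applications" set per policy, with None meaning all applications). Tenant and application IDs are placeholders. It shows the two configurations described above, an allowlist (default blocks, named tenants allowed) and a blocklist (default allows, named tenants blocked), and that lookup is by the guest's home tenant ID, so a partner's users are covered by one policy whatever their email domain:

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class InboundPolicy:
    """Hypothetical simplification of one inbound B2B collaboration policy.

    allowed_apps: None = all applications allowed; a set = only those application
    IDs; an empty set = block all applications.
    """
    allowed_apps: Optional[FrozenSet[str]] = None


@dataclass
class CrossTenantAccess:
    """Default inbound policy plus organization-specific overrides keyed by tenant ID."""
    default: InboundPolicy
    organizations: Dict[str, InboundPolicy] = field(default_factory=dict)

    def issues_token(self, home_tenant_id, app_id):
        """Would a token be issued to a guest from home_tenant_id for app_id?

        An organization-specific policy replaces the default for that tenant.
        The key is the tenant ID, not an email domain, so contoso.com and
        contoso.ca users of the same partner tenant get the same answer.
        """
        policy = self.organizations.get(home_tenant_id, self.default)
        return policy.allowed_apps is None or app_id in policy.allowed_apps


def guest_outcome(settings, home_tenant_id, app_id):
    """Inbound settings don't stop an invitation being sent or redeemed; they
    decide whether a token is issued for an application. Redemption is modelled
    as always possible here so the two outcomes can be seen side by side."""
    return {
        "invitation_redeemable": True,
        "token_issued": settings.issues_token(home_tenant_id, app_id),
    }


# Placeholder identifiers (not real tenant or application IDs).
FABRIKAM_TENANT = "22222222-2222-2222-2222-222222222222"
UNKNOWN_TENANT = "99999999-9999-9999-9999-999999999999"
TEAMS_APP = "placeholder-app-id-teams"
FINANCE_APP = "placeholder-app-id-finance"

# Allowlist: the default policy blocks every application; only Fabrikam guests
# get access, and only to one application.
ALLOWLIST_SETTINGS = CrossTenantAccess(
    default=InboundPolicy(allowed_apps=frozenset()),
    organizations={FABRIKAM_TENANT: InboundPolicy(allowed_apps=frozenset({TEAMS_APP}))},
)

# Blocklist: the default policy allows every application; one tenant is blocked.
BLOCKLIST_SETTINGS = CrossTenantAccess(
    default=InboundPolicy(),
    organizations={UNKNOWN_TENANT: InboundPolicy(allowed_apps=frozenset())},
)


if __name__ == "__main__":
    for name, settings in (("allowlist", ALLOWLIST_SETTINGS), ("blocklist", BLOCKLIST_SETTINGS)):
        for tenant in (FABRIKAM_TENANT, UNKNOWN_TENANT):
            for app in (TEAMS_APP, FINANCE_APP):
                print(name, tenant[:8], app, guest_outcome(settings, tenant, app))
```

The allowlist form is the more restrictive starting point: any tenant you haven't named falls through to the blocking default, so new partners require an explicit policy. The blocklist form keeps collaboration open and needs the blocked tenants maintained as they're identified.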

Note

Cross Tenant Access Settings apply to Azure AD tenants. To control access for partners not using Azure AD, use External Collaboration Settings.

Entitlement Management and Connected Organizations

Use Entitlement Management to ensure automatic guest-lifecycle governance. Create Access Packages and publish them to external users or to Connected Organizations, which support Azure AD tenants and other domains. When you create an Access Package, you can restrict access to specific Connected Organizations.

Learn more: What is entitlement management?

Control external user access

To begin collaboration, invite or enable a partner to access resources. Users gain access by:

When you enable Azure AD B2B, you can invite guest users with links and email invitations. Self-service sign-up, and publishing Access Packages to the My Access portal, require more configuration.

Note

Self-service sign-up enforces no allowlist or blocklist from External Collaboration Settings; use Cross Tenant Access Settings instead. You can integrate allowlists and blocklists with self-service sign-up using custom API connectors. See Add an API connector to a user flow.

Guest user invitations

Determine who can invite guest users to access resources.

  • Most restrictive: Allow only administrators and users with the Guest Inviter role

  • If security requirements permit, allow all UserType of Member to invite guests

  • Determine if UserType of Guest, the default Azure AD B2B user account, can invite guests


External users information

Use Azure AD entitlement management to configure questions that external users answer. The questions appear to approvers to help them make a decision. You can configure sets of questions for each access package policy, so approvers have relevant information for access they approve. For example, ask vendors for their vendor contract number.

Learn more: Change approval and requestor information settings for an access package in entitlement management

If you use a self-service portal, use API connectors to collect user attributes during sign-up. Use the attributes to assign access. You can create custom attributes in the Azure portal and use them in your self-service sign-up user flows. Read and write these attributes by using the Microsoft Graph API.

Learn more:

Troubleshoot invitation redemption to Azure AD users

Invited guest users from a collaboration partner can have trouble redeeming an invitation, for example when:

  • User domain isn't on an allowlist
  • The partner’s home tenant restrictions prevent external collaboration
  • The user isn't in the partner's Azure AD tenant. For example, users at contoso.com are in Active Directory only.

External users access

Generally, there are resources you can share with external users, and some you can't. You can control what external users access. See Manage external access with Entitlement Management.

By default, guest users see information and attributes about tenant members and other partners, including group memberships. Consider limiting external user access to this information.


We recommend the following guest-user restrictions.

  • Limit guest access to browsing groups and other properties in the directory
    • Use the external collaboration settings to restrict guests from reading groups they aren't members of
  • Block access to employee-only apps
    • Create a Conditional Access policy to block access to Azure AD-integrated applications for non-guest users
  • Block access to the Azure portal
    • You can make needed exceptions
    • Create a Conditional Access policy that targets All guest and external users and blocks access

Learn more: Conditional Access: Cloud apps, actions, and authentication context

Remove users who don't need access

Establish a process to review and remove users who don't need access. Include external users in your tenant, both guests and users with member accounts.

Learn more: Use Azure AD Identity Governance to review and remove external users who no longer have resource access

Some organizations add external users (vendors, partners, and contractors) as members. To identify them, assign an attribute or a username prefix:

  • Vendors: v-
  • Partners: p-
  • Contractors: c-

Evaluate external users with member accounts to determine their access. You might also have guest users who weren't invited through Entitlement Management or Azure AD B2B.

To find these users:
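One way to start the review, as an added example that is not part of the original article: the script below takes a JSON export of user objects (assumed to be in the shape of Microsoft Graph /users, using only userPrincipalName, userType, and mail) and sorts them into guests, member accounts carrying the v-/p-/c- prefixes above, member accounts that still have a B2B-style local_domain#EXT#@tenant UPN (a sign that UserType was changed to Member), and member accounts whose mail attribute points at a domain you don't own. The user names and the VERIFIED_DOMAINS set are constructed; the mail-domain check is a heuristic, not a definitive test of whether an account is external:

```python
import json

# Assumed set of domains verified in the tenant; replace with your own.
VERIFIED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Username prefixes from the naming convention above.
PREFIXES = {"v-": "vendor", "p-": "partner", "c-": "contractor"}

# Constructed sample of user objects in the shape of Graph /users (reduced fields).
SAMPLE_USERS = json.dumps([
    {"userPrincipalName": "alice@contoso.com", "userType": "Member",
     "mail": "alice@contoso.com"},
    {"userPrincipalName": "v-bob@contoso.com", "userType": "Member",
     "mail": "v-bob@contoso.com"},
    {"userPrincipalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "mail": "carol@fabrikam.com"},
    {"userPrincipalName": "dave_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Member", "mail": "dave@fabrikam.com"},
    {"userPrincipalName": "erin@contoso.com", "userType": "Member",
     "mail": "erin@tailspintoys.com"},
])


def classify_users(users_json, verified_domains):
    """Group accounts that need a review decision.

    Returns a dict with four lists:
      guests                         - userType Guest
      members_with_external_prefix   - (upn, role) for v-/p-/c- member accounts
      members_with_b2b_upn           - members whose UPN still has the #EXT# form
      members_with_external_mail     - members whose mail domain isn't verified
    A member account can appear in more than one list.
    """
    groups = {
        "guests": [],
        "members_with_external_prefix": [],
        "members_with_b2b_upn": [],
        "members_with_external_mail": [],
    }
    verified = {d.lower() for d in verified_domains}
    for user in json.loads(users_json):
        upn = user.get("userPrincipalName", "")
        if user.get("userType") == "Guest":
            groups["guests"].append(upn)
            continue
        local_part = upn.split("@", 1)[0].lower()
        prefix = next((p for p in PREFIXES if local_part.startswith(p)), None)
        if prefix:
            groups["members_with_external_prefix"].append((upn, PREFIXES[prefix]))
        if "#EXT#" in upn:
            groups["members_with_b2b_upn"].append(upn)
        mail = user.get("mail") or ""
        if "@" in mail and mail.rsplit("@", 1)[-1].lower() not in verified:
            groups["members_with_external_mail"].append(upn)
    return groups


if __name__ == "__main__":
    for group, accounts in classify_users(SAMPLE_USERS, VERIFIED_DOMAINS).items():
        print(f"{group}: {accounts}")
```

Accounts in the prefix and B2B-UPN lists are the candidates for the transition described in the next section; accounts in the external-mail list need a human decision, since a verified-domain mailbox can legitimately belong to an employee.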

Transition current external users to B2B

If you don't use Azure AD B2B, you likely have non-employee users in your tenant. We recommend you transition these accounts to Azure AD B2B external user accounts and then change their UserType to Guest. Use Azure AD and Microsoft 365 to handle external users.

Include or exclude:

  • Guest users in Conditional Access policies
  • Guest users in Access Packages and Access Reviews
  • External access to Teams, SharePoint, and other resources

You can transition these internal users while maintaining current access, UPN, and group memberships. See Invite external users to B2B collaboration.

Decommission collaboration methods

To complete the transition to governed collaboration, decommission unwanted collaboration methods. Decommissioning depends on the level of control you want to exert on collaboration, and on your security posture. See Determine your security posture for external access.

Microsoft Teams invitation

By default, Teams allows external access. The organization can communicate with external domains. To restrict or allow domains for Teams, use the Teams admin center.

Sharing through SharePoint and OneDrive

Sharing through SharePoint and OneDrive adds users who aren't in the Entitlement Management process.

Documents in email

Users send documents to external users by email. You can use sensitivity labels to restrict and encrypt access to documents. See Learn about sensitivity labels.

Unsanctioned collaboration tools

Your users likely use Google Docs, Dropbox, Slack, or Zoom. You can block use of these tools from a corporate network, at the firewall level, and with mobile application management on organization-managed devices. However, this action also blocks sanctioned instances, and doesn't block access from unmanaged devices. Block the tools you don't want, and create policies against unsanctioned usage.

For more information on governing applications, see:

Next steps