Plan an Azure Active Directory B2B collaboration deployment

Secure collaboration with your external partners ensures they have correct access to internal resources, and for the expected duration. Learn about governance practices to reduce security risks, meet compliance goals, and ensure accurate access.

Governance benefits

Governed collaboration improves clarity of ownership of access, reduces exposure of sensitive resources, and enables you to attest to access policy.

  • Manage external organizations, and their users who access resources
  • Ensure access is correct, reviewed, and time bound
  • Empower business owners to manage collaboration with delegation

Collaboration methods

Traditionally, organizations use one of two methods to collaborate:

  • Create locally managed credentials for external users, or
  • Establish federations with partner identity providers (IdP)

Both methods have drawbacks. For more information, see the following table.

Area of concern: Security
  Local credentials:
    - Access continues after external user terminates
    - UserType is Member by default, which grants too much default access
    - No user-level visibility
  Federation:
    - Unknown partner security posture

Area of concern: Expense
  Local credentials:
    - Password and multi-factor authentication (MFA) management
    - Onboarding process
    - Identity cleanup
    - Overhead of running a separate directory
  Federation:
    - Small partners can't afford the infrastructure, lack expertise, and might use consumer email

Area of concern: Complexity
  Local credentials:
    - Partner users manage more credentials
  Federation:
    - Complexity grows with each new partner, and increases for partners

Azure Active Directory (Azure AD) B2B integrates with other tools in Azure AD, and Microsoft 365 services. Azure AD B2B simplifies collaboration, reduces expense, and increases security.

Azure AD B2B benefits

  • If the home identity is disabled or deleted, external users can't access resources
  • User home IdP handles authentication and credential management
  • Resource tenant controls guest-user access and authorization
  • Collaborate with users who have an email address, but no infrastructure
  • IT departments don't connect out-of-band to set up access or federation
  • Guest user access is protected by the same security processes as internal users
  • Clear end-user experience with no extra credentials required
  • Users collaborate with partners without IT department involvement
  • Guest default permissions in the Azure AD directory aren't limited or highly restricted
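The table above flags two conditions worth checking in an existing directory before planning a B2B rollout: external identities that carry UserType Member (too much default access) and stale identities that were never cleaned up. The following Microsoft Graph PowerShell script is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the User.Read.All scope. The rule it uses to recognise an external identity (CreationType of Invitation, or the #EXT# marker in the user principal name) is an assumption chosen for this illustration.

```powershell
# Added example (not part of the original article): audit external identities
# for the two governance gaps the comparison table describes.
# Assumes: Microsoft.Graph PowerShell SDK installed; User.Read.All consented.

Connect-MgGraph -Scopes "User.Read.All"

# Fetch every user with the properties needed to classify it.
$users = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,UserType,CreationType,ExternalUserState,AccountEnabled

# Assumed heuristic for "external": created by invitation, or the UPN carries
# the "#EXT#" marker that Azure AD stamps on B2B accounts.
$external = @($users | Where-Object {
    $_.CreationType -eq 'Invitation' -or $_.UserPrincipalName -like '*#EXT#*'
})

# Finding 1: external identities whose UserType is Member rather than Guest.
$memberExternals = @($external | Where-Object { $_.UserType -eq 'Member' })

# Finding 2: invitations that were never redeemed (identity cleanup candidates).
$pending = @($external | Where-Object { $_.ExternalUserState -eq 'PendingAcceptance' })

"External identities found: {0}" -f $external.Count
"  UserType = Member (review; convert to Guest where appropriate): {0}" -f $memberExternals.Count
"  Unredeemed invitations (candidates for removal): {0}" -f $pending.Count

$memberExternals |
    Select-Object DisplayName,UserPrincipalName,UserType,AccountEnabled |
    Format-Table -AutoSize

$pending |
    Select-Object DisplayName,UserPrincipalName,ExternalUserState |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it read-only first and review the two lists with the resource owners; an external Member that genuinely needs only guest-level rights can be changed with Update-MgUser -UserId <id> -UserType Guest, and unredeemed invitations older than your agreed window are the ones the "Identity cleanup" row of the table is about.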

Next steps