Create a security plan for external access to resources
Before you create an external-access security plan, review the following two articles, which add context and information for the security plan.
- Determine your security posture for external access with Microsoft Entra ID
- Discover the current state of external collaboration in your organization
Before you begin
This article is number 3 in a series of 10 articles. We recommend you review the articles in order. Go to the Next steps section to see the entire series.
Security plan documentation
For your security plan, document the following information:
- Applications and resources grouped for access
- Sign-in conditions for external users
- Device state, sign-in location, client application requirements, user risk, and so on.
- Policies to determine timing for reviews and access removal
- User populations grouped for similar experiences
To implement the security plan, you can use Microsoft identity and access management policies, or another identity provider (IdP).
Learn more: Identity and access management overview
Use groups for access
See the following links to articles about resource grouping strategies:
- Microsoft Teams groups files, conversation threads, and other resources
- Formulate an external access strategy for Teams
- See, Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business with Microsoft Entra ID
- Use entitlement management access packages to create and delegate package management of applications, groups, teams, SharePoint sites, and so on.
- Apply Conditional Access policies to up to 250 applications, with the same access requirements
- Define access for external user application groups
Document the grouped applications. Considerations include:
- Risk profile - assess the risk if a bad actor gains access to an application
- Identify application as High, Medium, or Low risk. We recommend you don't group High-risk with Low-risk.
- Document applications that can't be shared with external users
- Compliance frameworks - determine compliance frameworks for apps
- Identify access and review requirements
- Applications for roles or departments - assess applications grouped for role, or department, access
- Collaboration applications - identify collaboration applications external users can access, such as Teams or SharePoint
- For productivity applications, external users might have licenses, or you might provide access
Document the following information for application and resource group access by external users.
- Descriptive group name, for example High_Risk_External_Access_Finance
- Applications and resources in the group
- Application and resource owners and their contact information
- The IT team controls access, or control is delegated to a business owner
- Prerequisites for access: background check, training, and so on.
- Compliance requirements to access resources
- Challenges, for example multifactor authentication for some resources
- Cadence for reviews, by whom, and where results are documented
Tip
Use this type of governance plan for internal access.
Document sign-in conditions for external users
Determine the sign-in requirements for external users who request access. Base requirements on the resource risk profile, and the user's risk assessment during sign-in. Configure sign-in conditions using Conditional Access: a condition and an outcome. For example, you can require multifactor authentication.
Learn more: What is Conditional Access?
Resource risk-profile sign-in conditions
Consider the following risk-based policies to trigger multifactor authentication.
- Low - multifactor authentication for some application sets
- Medium - multifactor authentication when other risks are present
- High - external users always use multifactor authentication
Learn more:
- Tutorial: Enforce multifactor authentication for B2B guest users
- Trust multifactor authentication from external tenants
User and device sign-in conditions
Use the following table to help assess policy to address risk.
| User or sign-in risk | Proposed policy |
|---|---|
| Device | Require compliant devices |
| Mobile apps | Require approved apps |
| Network location | To access confidential projects, require sign-in from an IP address range |
To use device state as policy input, register, or join the device to your tenant. To trust the device claims from the home tenant, configure cross-tenant access settings. See, Modify inbound access settings.
For network locations, you can restrict access to IP addresses ranges that you own. Use this method if external partners access applications while at your location. See, Conditional Access: Block access by location
Document access review policies
Document policies that dictate when to review resource access, and remove account access for external users. Inputs might include:
- Compliance frameworks requirements
- Internal business policies and processes
- User behavior
Generally, organizations customize policy, however consider the following parameters:
- Entitlement management access reviews:
- Change lifecycle settings for an access package in entitlement management
- Create an access review of an access package in entitlement management
- Add a connected organization in entitlement management: Group users from a partner and schedule reviews
- Microsoft 365 groups
- Options:
- If external users don't use access packages or Microsoft 365 groups, determine when accounts become inactive or deleted
- Remove sign-in for accounts that don't sign in for 90 days
- Regularly assess access for external users
Access control methods
Some features, for example entitlement management, are available with a Microsoft Entra ID P1 or P2 license. Microsoft 365 E5 and Office 365 E5 licenses include Microsoft Entra ID P2 licenses. Learn more in the following entitlement management section.
Note
Licenses are for one user. Therefore users, administrators, and business owners can have delegated access control. This scenario can occur with Microsoft Entra ID P2 or Microsoft 365 E5, and you don't have to enable licenses for all users. The first 50,000 external users are free. If you don't enable P2 licenses for other internal users, they can't use entitlement management.
Other combinations of Microsoft 365, Office 365, and Microsoft Entra ID have functionality to manage external users. See, Microsoft 365 guidance for security and compliance.
Govern access with Microsoft Entra ID P2 and Microsoft 365 or Office 365 E5
Microsoft Entra ID P2, included in Microsoft 365 E5, has additional security and governance capabilities.
Provision, sign-in, review access, and deprovision access
Entries in bold are recommended actions.
| Feature | Provision external users | Enforce sign-in requirements | Review access | Deprovision access |
|---|---|---|---|---|
| Microsoft Entra B2B collaboration | Invite via email, one-time password (OTP), self-service | N/A | Periodic partner review | Remove account Restrict sign-in |
| Entitlement management | Add user by assignment or self-service access | N/A | Access reviews | Expiration of, or removal from, access package |
| Office 365 groups | N/A | N/A | Review group memberships | Group expiration or deletion Removal from group |
| Microsoft Entra security groups | N/A | Conditional Access policies: Add external users to security groups as needed | N/A | N/A |
Resource access
Entries in bold are recommended actions.
| Feature | App and resource access | SharePoint and OneDrive access | Teams access | Email and document security |
|---|---|---|---|---|
| Entitlement management | Add user by assignment or self-service access | Access packages | Access packages | N/A |
| Office 365 Group | N/A | Access to sites and group content | Access to teams and group content | N/A |
| Sensitivity labels | N/A | Manually and automatically classify and restrict access | Manually and automatically classify and restrict access | Manually and automatically classify and restrict access |
| Microsoft Entra security groups | Conditional Access policies for access not included in access packages | N/A | N/A | N/A |
Entitlement management
Use entitlement management to provision and deprovision access to groups and teams, applications, and SharePoint sites. Define the connected organizations granted access, self-service requests, and approval workflows. To ensure access ends correctly, define expiration policies and access reviews for packages.
Learn more: Create a new access package in entitlement management
Manage access with Microsoft Entra ID P1, Microsoft 365, Office 365 E3
Provision, sign-in, review access, and deprovision access
Items in bold are recommended actions.
| Feature | Provision external users | Enforce sign-in requirements | Review access | Deprovision access |
|---|---|---|---|---|
| Microsoft Entra B2B collaboration | Invite by email, OTP, self-service | Direct B2B federation | Periodic partner review | Remove account Restrict sign-in |
| Microsoft 365 or Office 365 groups | N/A | N/A | N/A | Group expiration or deletion Removal from group |
| Security groups | N/A | Add external users to security groups (org, team, project, and so on) | N/A | N/A |
| Conditional Access policies | N/A | Sign-in Conditional Access policies for external users | N/A | N/A |
Resource access
| Feature | App and resource access | SharePoint and OneDrive access | Teams access | Email and document security |
|---|---|---|---|---|
| Microsoft 365 or Office 365 groups | N/A | Access to group sites and associated content | Access to Microsoft 365 group teams and associated content | N/A |
| Sensitivity labels | N/A | Manually classify and restrict access | Manually classify and restrict access | Manually classify to restrict and encrypt |
| Conditional Access policies | Conditional Access policies for access control | N/A | N/A | N/A |
| Other methods | N/A | Restrict SharePoint site access with security groups Disallow direct sharing |
Restrict external invitations from a team | N/A |
Next steps
Use the following series of articles to learn about securing external access to resources. We recommend you follow the listed order.
Determine your security posture for external access with Microsoft Entra ID
Discover the current state of external collaboration in your organization
Create a security plan for external access to resources (You're here)
Secure external access with groups in Microsoft Entra ID and Microsoft 365
Transition to governed collaboration with Microsoft Entra B2B collaboration
Manage external access with Microsoft Entra entitlement management
Manage external access to resources with Conditional Access policies
Control external access to resources in Microsoft Entra ID with sensitivity labels
Convert local guest accounts to Microsoft Entra B2B guest accounts