Deployment scenarios are guidance on how to combine and test Microsoft Security products and services. You can discover how capabilities work together to improve productivity, strengthen security, and help you meet compliance and regulatory requirements.
The following products and services appear in this guide:
- Microsoft Entra ID Governance
- Microsoft Entra ID
- Microsoft Entra
- Entitlement management
- Azure Logic Apps
- Privileged Identity Management (PIM) for Groups
- Identity Governance dashboard
Use this scenario to help determine the need for Microsoft Entra ID Governance to create and grant access for your organization. Learn how to manage guest users in your environment.
Timelines
Timelines show approximate delivery stage duration and are based on scenario complexity. Times are estimations and vary depending on the environment.
- Onboarding and discovery - 2 hours
- Auto assign resources - 1 hour
- Custom workflows - 2 hours
- Convert external users - 1 hour
- Access review - 1 hour
Scenario requirements
To enable the scenario, ensure the following requirements are met:
- Microsoft Entra ID P1 or P2 license
- Microsoft Entra ID Governance SKU
- Microsoft Logic Apps and auto assignment policies
- Two tenants, target and source
- A cloud user account on the target tenant to approve and access
- A cloud user on the source tenant to request access
- An account on the target tenant with one of the following roles:
  - User Administrator
  - Identity Governance Administrator
  - Privileged Role Administrator
  - Global Administrator
B2B collaboration and guest users
To collaborate with guest users, you can let them use their preferred identity to sign in to your app or other enterprise apps: SaaS, custom-developed, and more. Typically, B2B collaboration users are in your directory as guest users.
Learn more in the overview, B2B collaboration with external guests for your workforce.
Onboarding and discovery
With the Microsoft Identity Governance dashboard, discover usage information about identity features configured in your tenant. See the current state of your environment, determine response actions, and find links to documentation.
External user insights
Over time, external user accounts are created in the Microsoft Entra tenant. When external users, or guests, stop accessing the tenant, the external user account becomes stale.
You can monitor and clean up stale guest access accounts using access reviews.
External user attribute management
Approvers allow or deny requests for access packages. To help approvers make access decisions about onboarding external users, you can include custom questions in an access request flow. The requestor's answers can be stored for use by apps or other processes.
Entitlement management
Decentralized identity solutions enable individuals to control their digital identities and manage identity data without reliance on a centralized authority or intermediary. They reduce the need for new employees or business partners to perform self-attestation, simplify approval processes, and simplify your compliance posture.
External user assignments and access packages
When external users request initial access, they're invited to your directory and assigned access. In entitlement management, use access packages to assign access to multiple resources. Access packages live in a container called a catalog, which holds the resources you can add to an access package.
- Govern access for external users in entitlement management
- Create an access package in entitlement management
- View, add, and remove assignments for an access package
Deploy external user access
- Add connected organization.
- Learn settings for external users.
- Create an access package in entitlement management.
- Change the Hidden setting.
- Assign users.
- Share a link to request an access package in entitlement management.
For more detail, see Govern access for external users in entitlement management.
Assign and remove resources
To learn how to assign access, remove it, and more guidance, go to Scenario 2: Assign employee access to resources.
Custom workflows with Azure Logic Apps
To create and run automated workflows with Azure Logic Apps, learn about custom use cases and more, or go to Scenario 2: Assign employee access to resources.
Manage the external user lifecycle
In entitlement management, external users have three states: governed, ungoverned, and blank. External users invited to your tenant are ungoverned. Ungoverned external users can lose their last access package assignment yet remain in the tenant indefinitely. To manage the lifecycle, convert ungoverned users to governed while they still have access.
Learn to govern access for external users in entitlement management.
Deploy guest user lifecycle
- Create an access package in entitlement management
- Create an automatic assignment policy
- Manage guest user lifecycle in the Microsoft Entra admin center
Access reviews
To learn to enable recurring access reviews, go to Scenario 2: Assign employee access to resources.
Multistage reviews
To learn about multistage reviews, which ease reviewer burdens, go to Scenario 2: Assign employee access to resources.
Inactive users
You can conduct inactive user reviews to discern stale accounts. To learn more, go to Scenario 2: Assign employee access to resources.
User-to-Group Affiliation
The User-to-Group Affiliation feature helps you make access decisions based on machine-learning derived recommendations. To learn more, go to Scenario 2: Assign employee access to resources.
Guest user risk in Microsoft Teams and Microsoft 365 Groups
Access reviews include new groups with guest users and groups with recently added guests. Review recommendations are based on last sign-in details. As an option, denied guests are blocked from sign-in, then the account is deleted.
Learn more:
- Guest access in Microsoft Teams
- Manage guest access in Microsoft 365 Groups
- Overview of Microsoft 365 Groups for Administrators
- Microsoft 365 guest sharing settings reference
Guest user access reviews
When conducting access reviews, you can review groups that have guest user members. Or you can review apps with assigned guest users. Guests are inactive after 30 days with no sign-in.
The New access review dialog, with the Review type tab, and guest user options highlighted.
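The lifecycle states described under "Manage the external user lifecycle" and the 30-day inactivity rule above can be combined into a simple triage of guest accounts before a review. The following is an added example, not code from this page or from Microsoft; the guest records, UPNs and the `convert`/`deny`/`approve` labels are constructed for illustration, and treating exactly 30 days as still active is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Rule stated on this page: a guest is inactive after 30 days with no sign-in.
# Whether exactly 30 days counts as inactive is not stated; assumed active here.
INACTIVITY_DAYS = 30
# Fixed "now" so the sample data below is reproducible (constructed value).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class Guest:
    upn: str
    state: str                        # "governed", "ungoverned" or "" (blank)
    assignments: int                  # active access package assignments
    last_sign_in: Optional[datetime]  # None means the guest never signed in


def recommend(guest: Guest, now: datetime) -> str:
    """Return a reviewer recommendation: 'approve', 'convert' or 'deny'."""
    inactive = (guest.last_sign_in is None
                or now - guest.last_sign_in > timedelta(days=INACTIVITY_DAYS))
    if inactive:
        # Stale guest: deny in the review; optional follow-up is block sign-in, then delete.
        return "deny"
    if guest.assignments == 0:
        # An ungoverned guest can lose the last assignment yet stay in the tenant indefinitely.
        return "deny"
    if guest.state != "governed":
        # Still has access: convert to governed now so lifecycle rules apply when access lapses.
        return "convert"
    return "approve"


def review_guests(guests: List[Guest], now: datetime) -> Dict[str, str]:
    """Map each guest UPN to its recommendation."""
    return {g.upn: recommend(g, now) for g in guests}


def sample_guests(now: datetime) -> List[Guest]:
    """Constructed sample data; the UPNs are placeholders, not real accounts."""
    return [
        Guest("alice@partner.example", "governed", 2, now - timedelta(days=3)),
        Guest("bob@partner.example", "ungoverned", 1, now - timedelta(days=10)),
        Guest("carol@partner.example", "", 0, now - timedelta(days=5)),
        Guest("dave@partner.example", "ungoverned", 1, now - timedelta(days=45)),
        Guest("erin@partner.example", "ungoverned", 1, None),
        Guest("frank@partner.example", "governed", 1, now - timedelta(days=30)),
    ]
```

Running `review_guests(sample_guests(NOW), NOW)` shows one guest to convert while access remains, and flags the stale and assignment-less guests for denial.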
Access review history report
To learn more about downloadable review-history reports, see Scenario 2: Assign employee access to resources.
Deploy access review guide
For deployment instructions, go to Scenario 2: Assign employee access to resources.