How to invite external users to your Azure subscription

2019-02-18 | Toni Pohl

Modern collaboration allows to use shared resources and to give access to external users from other organizations. See how this works for shared Microsoft Azure subscriptions here!

So, see this step-by-step process here with the following sample of an Admin giving access to an external guest and some troubleshooting tips.

Check your source AAD and subscription

Signing-in with admin@M365x321500.onmicrosoft.com to the Azure portal. Our source subscription 18e* and it's bound to AAD M365x321500.onmicrosoft.com.

image

We want to invite a guest as contributor from another AAD, that's AlexW@M365x055874.onmicrosoft.com. So, let's paste that email address and click on the found user object.

image

Now we can save that role assignment for AlexW. A quick info in the top right corner informs about the operation.

Check on the guest side

Currently, AlexW does not have access to any Azure subscription in the Azure portal.

image

When checking the emails, we should see the invitation for the AAD. Click on the "Get Started" button to follow the included hyperlink.

image

The redirection opens the consent. AlexW needs to "Accept" that app permissions. The URL looks similar as
https://invitations.microsoft.com/redeem/redeeming?tenant=<tenant-id>&user=<user-id>&ticket<some-id>&ver=2.0

image

The Azure portal opens and AlexW should now have access to the Azure subscription. Note that AlexW has now two AAD's to switch:
His own organization's AAD M365x055874.onmicrosoft.com, and the guest access to M365x321500.onmicrosoft.com.

image

So, Alex needs to switch between the AADs if he wants to access Azure subscriptions (currently there is none) in his home organization or to his guest organization.

Full access to the Azure subscription

As contributor, AlexW can fully work and manage objects in the Azure subscription. Here's an example for creating a new storageā€¦

image

Of course, the access can be permitted just to specific Resource Groups or other services if required. It's the same process for giving access to a full Azure subscription or to specific resources.

Manage external users

The source organization still has full control over such guests. Guest are of user type "Guest" as here (and can be filtered in the AAD portals as well as in Microsoft Graph API).

image

So, when deleting the user in the organization's AAD, the role assignment is deleted as well.

image

Sure, the guest user can stay and the role assignment can be changed as well, there are a bunch of options, depending on the desired access level.

Troubleshooting the invitation

What if the guest did not receive the invitation by email? So, we invited another user from a guest AAD: MeganB@M365x055874.onmicrosoft.com

Until now, she has not clicked on the invitation-link. As inviter, we can see that the user type is "Guest", and the Source shows "Invited user" which means, the user has not confirmed.

image

Can MeganB access the Azure subscription without email invitation? The answer is No:
MeganB does not have access without the consent. Her Azure portal only knows her own organization's AAD.

image

So, the invitation and accepting the consent is required for external guests.

Resend the email or use an invitation URL

Back to the Admin side: If a guest has not received an invite-email, ask the Admin to resend the invitation to the external user in his AAD as shown below.

image

Thankfully, Microsoft has improved that process and allows to "Resend" an invitation. When clicked, the page shows an invitation URL as well. That can be copied and sent to the user in another form.

Note that the "Resend" operation creates a new ticket ID in the URL. Anyway, both invitations (the original and the newly created one) work for the guest user. Just, they are not valid forever. If the invitations are expired, the Admin needs to create new invites. See more at Azure Active Directory B2B collaboration invitation redemption

Happy contributing

Tip: If possible, try to invite work accounts (Office 365 accounts), and not Microsoft accounts (MSA). When working with external Office 365 users, management, security, and governance, etc. is still in the target organization. So, e.g. if the Admins of AlexW's company M365x055874.onmicrosoft.com define conditional access and MFA, this account needs to comply with the policies to access your subscription. Also, if AlexW leaves the organization, and his account is blocked or deleted, he will no longer have access to our Azure subscription (and our AAD).

I hope this article helps to follow the steps and to clarify the process.. Happy contributing in Azure subscriptions!

Categories: Azure, Cloud, English, Microsoft, Office365, Security

Source: https://blog.atwork.at/post/2019/02/18/Invite-external-users-to-your-Azure-subscription