DiptiChhatrapati-8731 asked:
What is the difference between Identity Governance and Organizational Relationships in Azure AD?

Hello,

I am learning about partner collaboration in Azure AD, where I see that there are a couple of ways to collaborate with a partner organization, as follows:

1) Organizational relationships - Identity providers
2) Identity Governance - Connected organizations

Can you please share the key difference between the above two features in Azure AD?

Best Regards,


amanpreetsingh-msft answered:

@DiptiChhatrapati-8731

Organizational relationships - Identity providers: In a standard B2B scenario, if you invite a guest user, e.g. user@gmail.com, the invited user's identity is created as a Microsoft account in the inviting organization's directory as part of the invitation redemption process. However, if you have an organizational relationship configured with Google, the invited user's identity will not be created as a Microsoft account; the user will be redirected to Google's authentication page and authentication will be performed by Google.

Identity Governance - Connected organizations: Users from a connected organization that have a user principal name that matches the policy can request access packages. You can read more about access packages here: https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-first


Please "Accept as answer" wherever the information provided helps you to help others in the community.


Hi Amanpreet,

Thank you for providing the information; however, I am still unclear about the second part, as follows:

Identity Governance - Connected organizations: Users from connected organizations (how are organizations getting connected here? What does connected organization mean?) that have a user principal name that matches the policy (which policy?) can request access packages (access packages are a group of applications/tools that are accessible by user groups or an individual user who submits an access request for a set of applications; is that the correct understanding?).

Can you please share a simple example to explain above?

Best Regards,

amanpreetsingh-msft answered:

Hi @DiptiChhatrapati-8731, please find below the answers to your questions.

What does connected Organization mean? How organizations are getting connected here?

A connected organization is an external Azure AD directory or any public domain that you have a relationship with. To add a connected organization, navigate to Azure portal > Azure Active Directory > Identity Governance > Connected organizations > click Add connected organization.

Example: Suppose you work at Woodgrove Bank and you want to collaborate with two external organizations: Graphic Design Institute and Contoso. You've been told by your contact at Graphic Design Institute that they use Azure AD, and that Graphic Design Institute's users have a user principal name that ends with graphicdesigninstitute.com. And you've been told by your contact at Contoso that they do not yet use Azure AD, but that Contoso's users have a user principal name that ends with contoso.com. You can configure two connected organizations -- one for Graphic Design Institute with the domain graphicdesigninstitute.com, and one for Contoso with the domain contoso.com. If you then add those two connected organizations to a policy, users from each organization that have a user principal name that matches the policy can request access packages.

Which policy?

When you create a new access package by navigating to Azure portal > Azure Active Directory > Identity Governance > Access packages > New access package, on the Requests tab you create a request policy. A policy defines the rules for accessing an access package. For example, an access package can have policies for employees to request access as well as for external users (users in a connected organization) to request access.

You have a correct understanding of access packages.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


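To make the Woodgrove Bank example above concrete, here is an added model (not code from the thread, Microsoft, or the Graph API) of how the pieces gate a request: connected organizations map a partner's domain to an organization, a request policy names which connected organizations may request the package, and a requester is evaluated by the domain of their user principal name. Woodgrove Bank's own domain (woodgrovebank.com) and the policy names are assumed for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class ConnectedOrganization:
    name: str
    domains: frozenset  # identity sources: the partner's domain(s), e.g. contoso.com

@dataclass(frozen=True)
class RequestPolicy:
    name: str
    allowed_orgs: frozenset      # connected organizations permitted to request under it
    members_only: bool = False   # an "employees" policy for the home tenant's own users

def domain_of(upn: str) -> Optional[str]:
    """Lower-cased domain part of a UPN; None if the UPN is malformed."""
    if upn.count("@") != 1:
        return None
    return upn.rsplit("@", 1)[1].lower()

def org_for_domain(domain: str, orgs: Iterable[ConnectedOrganization]) -> Optional[ConnectedOrganization]:
    """Match the whole domain, never a suffix: evilcontoso.com must not pass as contoso.com."""
    return next((o for o in orgs if domain in o.domains), None)

def can_request(upn: str, policies, orgs, home_domain: str) -> Optional[str]:
    """Name of the first policy under which `upn` may request the package, else None."""
    domain = domain_of(upn)
    if domain is None:
        return None
    org = org_for_domain(domain, orgs)
    for policy in policies:
        if policy.members_only and domain == home_domain:
            return policy.name
        if org is not None and org.name in policy.allowed_orgs:
            return policy.name
    return None  # not an employee and not in a connected org named by any policy

# Constructed data following the thread's example (home domain is assumed).
ORGS = (
    ConnectedOrganization("Graphic Design Institute", frozenset({"graphicdesigninstitute.com"})),
    ConnectedOrganization("Contoso", frozenset({"contoso.com"})),
)
POLICIES = (
    RequestPolicy("Employees", frozenset(), members_only=True),
    RequestPolicy("External partners", frozenset({"Graphic Design Institute", "Contoso"})),
)
HOME = "woodgrovebank.com"

if __name__ == "__main__":
    for upn in ("alice@graphicdesigninstitute.com", "mallory@evilcontoso.com", "dave@woodgrovebank.com"):
        print(upn, "->", can_request(upn, POLICIES, ORGS, HOME))
```

A user from fabrikam.com, which is not a connected organization, gets no policy even though the "External partners" policy exists; adding the connected organization alone is not enough either, it must also be named in the policy.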

amanpreetsingh-msft commented:

@DiptiChhatrapati-8731, do you have any further questions on this thread?