What is the difference between Identity Governance and Organizational Relationships in Azure AD?

Dipti Chhatrapati 11 Reputation points
2020-01-16T13:00:25.09+00:00

Hello,

I am learning about partner collaboration in Azure AD, where I see that there are a couple of ways to collaborate with a partner organization, as follows:

1) Organizational relationships - Identity providers
2) Identity Governance - Connected organizations

Can you please share the key difference between the above two features in Azure AD?

Best Regards,


2 answers

  1. AmanpreetSingh-MSFT 56,301 Reputation points
    2020-01-21T06:33:16.503+00:00

    Hi @Dipti Chhatrapati Please find below the answers to your questions.

    What does connected organization mean? How are organizations getting connected here?

    A connected organization is an external Azure AD directory or any public domain that you have a relationship with.
    To add a connected organization, navigate to Azure portal > Azure Active Directory > Identity Governance > Connected organizations > click Add connected organization.

    Example: Suppose you work at Woodgrove Bank and you want to collaborate with two external organizations: Graphic Design Institute and Contoso. You've been told by your contact at Graphic Design Institute that they use Azure AD, and that Graphic Design Institute's users have a user principal name that ends with graphicdesigninstitute.com. And you've been told by your contact at Contoso that they do not yet use Azure AD, but that Contoso's users have a user principal name that ends with contoso.com.
    You can configure two connected organizations -- one for Graphic Design Institute with the domain graphicdesigninstitute.com, and one for Contoso with the domain contoso.com. If you then add those two connected organizations to a policy, users from each organization that have a user principal name that matches the policy can request access packages.

    Which policy?

    When you create a new Access Package by navigating to Azure portal > Azure Active Directory > Identity Governance > Access packages > New access package, on the Requests tab, you create a request policy. A policy defines the rules to access an access package. For example, an access package can have policies for employees to request access as well as for external users (users in a connected organization) to request access.

    You have a correct understanding of Access Packages.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    3 people found this answer helpful.

  2. AmanpreetSingh-MSFT 56,301 Reputation points
    2020-01-16T18:02:50.573+00:00

    @Dipti Chhatrapati

    Organizational relationships - Identity providers:
    In a standard B2B scenario, if you invite a guest user, e.g. user@Stuff.com, the invited user's identity is created as a Microsoft account in the inviting organization's directory as part of the invitation redemption process. However, if you have an Organizational relationship configured with Google, the invited user's identity will not be created as a Microsoft account; the user will be redirected to Google's authentication page and authentication will be performed by Google.

    Identity Governance - Connected organizations
    Users from a connected organization who have a user principal name that matches the policy can request access packages. You can read more about access packages here: https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-first

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.