Invite guest users and assign Azure resource roles in Privileged Identity Management
Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration capabilities in Azure AD, which let you manage external users and vendors as guests in your own directory. When you combine B2B collaboration with Azure AD Privileged Identity Management (PIM), you can extend your compliance and governance requirements to guests. For example, you can use these Privileged Identity Management features for Azure identity tasks with guests:
- Assign access to specific Azure resources
- Enable just-in-time access
- Specify assignment duration and end date
- Require multi-factor authentication on active assignment or activation
- Perform access reviews
- Utilize alerts and audit logs
This article describes how to invite a guest to your organization and manage their access to Azure resources using Privileged Identity Management.
When would you invite guests?
Here are a couple of examples of when you might invite guests to your organization:
- Allow an external self-employed vendor that only has an email account to access your Azure resources for a project.
- Allow an external partner in a large organization that uses on-premises Active Directory Federation Services to access your expense application.
- Allow support engineers not in your organization (such as Microsoft support) to temporarily access your Azure resource to troubleshoot issues.
How does collaboration using B2B guests work?
When you use B2B collaboration, you can invite an external user to your organization as a guest. The guest can be managed as a user in your organization, but a guest is authenticated by their home organization, not by your Azure AD organization. This means that if the guest loses access to their home organization, they also lose access to your organization. For example, if the guest leaves their organization, they automatically lose access to any resources you shared with them in Azure AD without you having to do anything. For more information about B2B collaboration, see What is guest user access in Azure Active Directory B2B?
Check guest collaboration settings
To make sure you can invite guests into your organization, check your guest collaboration settings.
1. Sign in to the Azure portal.
2. Select Azure Active Directory > User settings.
3. Select Manage external collaboration settings.
4. Ensure that the Admins and users in the guest inviter role can invite switch is set to Yes.
Invite a guest and assign a role
Using Privileged Identity Management, you can invite a guest and make them eligible for an Azure resource role.
1. Open Azure AD Privileged Identity Management.
2. Select Azure resources.
3. Use the Resource filter to filter the list of managed resources.
4. Select the resource you want to manage, such as a resource, resource group, subscription, or management group. Set the scope to only what the guest needs.
5. Under Manage, select Roles to see the list of roles for Azure resources.
6. Select the minimum role that the user will need.
7. On the role page, select Add member to open the New assignment pane.
8. Click Select a member or group.
9. To invite a guest, click Invite.
10. After you have selected a guest, click Invite. The guest should be added as a selected member.
11. In the Select a member or group pane, click Select.
12. In the Membership settings pane, select the assignment type and duration.
13. To complete the assignment, select Done and then Add.
The guest role assignment will appear in your role list.
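The same procedure (confirm the collaboration setting, invite the guest, create a time-bound eligible assignment at the narrowest scope) can be scripted with the Az and Microsoft Graph PowerShell modules. The following is an added example, not code from the article or from Microsoft; the subscription ID, resource group name, guest address, role, duration and ticket reference are placeholders to replace. It assumes the account running it can invite guests and manage PIM at the chosen scope.

```powershell
# Added example (not from the original article): invite a guest and make them
# eligible for a least-privilege Azure resource role in PIM.
#Requires -Modules Az.Accounts, Az.Resources, Microsoft.Graph.Identity.SignIns

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-vendor-project'                      # placeholder
$GuestEmail     = 'vendor@example.com'                     # placeholder
$RoleName       = 'Reader'   # the smallest built-in role that still covers the task
$EligibleFor    = 'P30D'     # ISO 8601 duration: eligibility expires after 30 days

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
Connect-MgGraph -Scopes 'User.Invite.All', 'Policy.Read.All' | Out-Null

# 1. The "Admins and users in the guest inviter role can invite" switch is exposed
#    as authorizationPolicy.allowInvitesFrom; 'none' means nobody can invite.
$policy = Get-MgPolicyAuthorizationPolicy
if ($policy.AllowInvitesFrom -eq 'none') {
    throw 'External collaboration settings block guest invitations (allowInvitesFrom = none).'
}

# 2. Invite the guest. The user object exists in the tenant immediately, so the
#    PIM assignment can be created before the guest redeems the e-mail.
$invite = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
    -InviteRedirectUrl 'https://portal.azure.com' `
    -SendInvitationMessage
$guestId = $invite.InvitedUser.Id

# 3. Scope the assignment to the resource group only, not the whole subscription.
$scope  = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$roleId = (Get-AzRoleDefinition -Name $RoleName).Id
$roleDefinitionId = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleId"

# 4. Create an *eligible* (not active) assignment that expires on its own.
#    The guest must still activate it, subject to the role's activation settings.
New-AzRoleEligibilityScheduleRequest `
    -Name ([guid]::NewGuid().ToString()) `
    -Scope $scope `
    -PrincipalId $guestId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration $EligibleFor `
    -Justification 'Vendor project access, ticket TICKET-PLACEHOLDER' | Out-Null

# 5. Verify exactly what was granted: role, scope and end date.
Get-AzRoleEligibilitySchedule -Scope $scope |
    Where-Object PrincipalId -eq $guestId |
    Select-Object RoleDefinitionDisplayName, Scope, StartDateTime, EndDateTime
```

Using AdminAssign with ExpirationType AfterDuration mirrors choosing an eligible assignment with an end date in the Membership settings pane; switching to an active assignment (New-AzRoleAssignmentScheduleRequest) would skip just-in-time activation and the MFA or approval checks configured on the role.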
Activate role as a guest
If you are an external user, you must accept the invite to be a guest in the Azure AD organization and possibly activate your role assignment.
1. Open the email with your invitation. The email will look similar to the following.
2. Select the Get Started link in the email.
3. After reviewing the permissions, click Accept.
4. To activate your role assignment, open the email with your activate role link. The email will look similar to the following.
5. Select Activate role to open your eligible roles in Privileged Identity Management.
6. Under Action, select the Activate link.
7. Depending on the role settings, you'll need to specify some information to activate the role.
8. Once you have specified the settings for the role, click Activate to activate the role.
Unless the administrator is required to approve your request, you should have access to the specified resources.
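The activation steps above can also be performed from PowerShell once the invitation has been redeemed. This is an added example, not code from the article or from Microsoft; the tenant ID, subscription ID, activation length and justification are placeholders, and it assumes the guest has already accepted the invitation and holds at least one eligible assignment.

```powershell
# Added example (not from the original article): a guest lists their eligible
# Azure resource roles and submits a time-bound self-activation request.
#Requires -Modules Az.Accounts, Az.Resources

$TenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder: the inviting tenant
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$Hours          = 2                                        # activate only for as long as the task needs

# Sign in to the inviting tenant; authentication still happens against the guest's home tenant.
Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null
$me = (Get-AzADUser -SignedIn).Id

# asTarget() returns only the schedules where the signed-in user is the principal.
$eligible = Get-AzRoleEligibilitySchedule -Scope "/subscriptions/$SubscriptionId" -Filter 'asTarget()'
if (-not $eligible) { throw 'No eligible role assignments found for the signed-in user.' }
$eligible | Format-Table RoleDefinitionDisplayName, Scope, EndDateTime

# Pick the eligibility to activate (here simply the first one).
$pick = @($eligible)[0]

# SelfActivate is the API equivalent of the Activate link. PIM applies the role's
# activation settings (MFA, approval, maximum duration) to this request.
$activation = New-AzRoleAssignmentScheduleRequest `
    -Name ([guid]::NewGuid().ToString()) `
    -Scope $pick.Scope `
    -PrincipalId $me `
    -RoleDefinitionId $pick.RoleDefinitionId `
    -RequestType SelfActivate `
    -LinkedRoleEligibilityScheduleId $pick.Id `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration ("PT{0}H" -f $Hours) `
    -Justification 'Troubleshooting ticket TICKET-PLACEHOLDER'

# Status is Provisioned when the role is active, PendingApproval when an approver must act first.
$activation | Select-Object Status, ScheduleInfoStartDateTime, ExpirationDuration
```

If the role requires approval, the request stays in PendingApproval and no access is granted until the approver acts, which matches the last sentence above.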
View activity for a guest
You can view audit logs to keep track of what guests are doing.
1. As an administrator, open Privileged Identity Management and select the resource that has been shared.
2. Select Resource audit to view the activity for that resource. The following shows an example of the activity for a resource group.
3. To view the activity for the guest, select Azure Active Directory > Users > guest name.
4. Select Audit logs to see the audit logs for the organization. If necessary, you can specify filters.
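For regular review rather than a one-off look in the portal, the same three views (the resource's activity, the PIM request history at that scope, and the directory audit log for the guest) can be pulled with PowerShell. This is an added example, not code from the article or from Microsoft; the subscription, resource group, guest address and look-back window are placeholders, and it assumes the activity-log Caller field carries the guest's user principal name.

```powershell
# Added example (not from the original article): collect guest activity from the
# resource activity log, PIM request history and the Azure AD audit log.
#Requires -Modules Az.Accounts, Az.Resources, Az.Monitor, Microsoft.Graph.Users, Microsoft.Graph.Reports

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-vendor-project'                      # placeholder
$GuestEmail     = 'vendor@example.com'                     # placeholder
$Since          = (Get-Date).AddDays(-7)                   # look-back window

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.Read.All' | Out-Null

# Guest UPNs take the form alias_domain#EXT#@tenant, so resolve the object by mail instead.
$guest = Get-MgUser -Filter "mail eq '$GuestEmail' and userType eq 'Guest'" -Property Id, UserPrincipalName
if (-not $guest) { throw "No guest user with mail address $GuestEmail" }

# 1. Resource audit: control-plane operations in the resource group attributed to the guest.
Get-AzActivityLog -ResourceGroupName $ResourceGroup -StartTime $Since -Caller $guest.UserPrincipalName |
    Sort-Object EventTimestamp |
    Select-Object EventTimestamp, OperationName, Status, ResourceId

# 2. PIM request history at that scope: when the guest activated, and whether it was approved.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
Get-AzRoleAssignmentScheduleRequest -Scope $scope |
    Where-Object PrincipalId -eq $guest.Id |
    Select-Object RequestType, Status, CreatedOn, ExpirationDuration, Justification

# 3. Directory audit log entries initiated by the guest within the window.
$sinceUtc = $Since.ToUniversalTime().ToString('o')
$filter   = "activityDateTime ge $sinceUtc and initiatedBy/user/id eq '$($guest.Id)'"
Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Select-Object ActivityDateTime, ActivityDisplayName, Category, Result
```

Looking at the three sources together is what makes the picture complete: the PIM request shows that access was obtained and for how long, the activity log shows what was done with it, and the directory audit log covers invitation redemption and other identity-side events.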