Skip to content

AzureTracks

Real world business tracks leading towards Azure Services

  • Home
  • About Me
  • Privacy Policy
  • SoundCloud
  • AzureTracks Videos

Azure Active Directory Guest Users Configuration

  • Home
  • 2020
  • May
Andrew Posted on May 4, 2020 9:28 am 0 Comments

Azure Active Directory Guest Users Configuration

Today we’ll take a look at Azure Active Directory and Guest Users. I wanted to take a few minutes to talk about the common questions that a lot of companies have. With the forced remote working situation world-wide right now, a lot of companies have either jumped into remote user management, or expanded it rapidly. We will look at configuring your Azure tenant Guest accounts to use some improved security that will help protect your organization.

We’ll cover some of the basics without going too deeply into secondary configurations and details. This is intended to get you started, and help improve your configuration if you are just launching your Azure AD services, have jumped in head first, or just want to look at what the deal is.

First, log into your Test tenant. This is really important as we are going to be looking at user authentication changes. Use your Azure Test tenant credentials and log into the Azure portal.

Now browse to Azure Active Directory.

Then click on User Settings.

Now on the blade User Settings, scroll down to External Collaboration Settings.

There are a few things to talk about here in External Collaboration Settings:

I want to jump right to the awesome preview feature for ‘Enable One-Time Passcode for Guests (Preview)‘. If you’re anything like me, I saw this and thought it was a perfect addition for Guest account security. We now get the option to force a second factor (2FA) one-time passcode to have a guest account authenticate. Here are the notes:

Note that this will only impact new invited guests.

Now, let’s take a look at Collaboration Restrictions at the bottom of this blade. Typically, most companies know their partners and can have IT Security manage approved domains. This is one section where in most cases, we can select Allow Invitations only to the Specified Domains and white-list our allowed collaborators. If it is at all possible, I do recommend that this be set as ‘Allow specified‘ for the best security; but I do also acknowledge that it will need to be managed so please ensure this finds its way into your procedural documentation if you do enable it.

For the remainder of the settings, I typically suggest using some discussion with IT Management and Senior staffers to determine what is right for your own organization; but the typical settings are as follows:

Guest Users Permissions Limited = Yes > This limits the guests ability to get into trouble. Guests are not able to read directories of users, groups, and resources.

Admins and Users in the Guest Inviter Role Can Invite = Yes > This will allow your admins and users that belong to this role to invite others.

Members can Invite = Yes > This one is important. This is the setting that allows your users to invite others to resources such as SharePoint Online sites in Office 365 for collaboration.

Guest can Invite = No> This one is important as well. This is the setting that can allow a Guest account to invite other Guests. We almost always want to have this set to No. This can help prevent data exfiltrations by restricting account invites right out of the gate. Easy win to set this to No.

We have already covered the other settings, so go ahead and Save. Now, using a Private Session in Edge Chromium or your other favourite browser, go create a guest user and test out your settings!

Note: I’ve noticed in these extremely busy times with Azure resources, that it can take a full 1hour + to propagate settings depending on what you change and what region your tenant is in; so please enjoy a lovely cup of coffee or tea or review some other settings while waiting!

Post navigation

Virtual Machine Scale Sets – What are they for anyways?
Can you Enable SMBv1 on Azure VMs?

Social Media

RSS YouTube Channel

  • @AzureTracks Live!
  • Microsoft Ignite 2022 - Day 1 Azure Infrastructure
  • Basic Authentication Deprecates

Recent Posts

  • Deploying Microsoft Sentinel with PowerShell – Part 2
  • Azure Updates – Number 59 – March 11, 2023
  • Deploying Microsoft Sentinel with PowerShell
  • Azure Updates – Number 58 – February 28, 2023
  • Azure Updates – Number 57 – February 11, 2023
Tweets by azuretracks

Categories

  • Application Gateway (5)
  • Arc (1)
  • Automation (10)
  • Azure (164)
  • Azure Active Directory (19)
  • Certification (2)
  • CLI (16)
  • Compute (59)
  • Cost Optimization (9)
  • Data Replication (5)
  • Firewall (3)
  • Governance (12)
  • IaaS (7)
  • Load Balancer (5)
  • Migration (14)
  • Monitoring (11)
  • Optimization (11)
  • Paas (3)
  • PowerShell (20)
  • Pre-Migration (14)
  • SaaS (1)
  • Scale Sets (1)
  • Security (21)
  • Sentinel (73)
  • Storage (18)
  • Uncategorized (1)
  • Virtual Machines (9)
  • Virtualization (28)
  • Windows Server (12)

Recent Tags

#azureactivedirectory #storage aad aadconnect active directory aks ARM automation azure azuread azureapi azurecloud azureinfra azurenews backup CLI cloud costalert cost analysis cost management costmanagment cost reduction defender demo deployment file shares getting started howto kql mfa microsoft microsoftazure mscqf netapp news PowerShell resource groups security sentinel sql tags virtual machine vm vnet windows server active directory

2023 AzureTracks

Theme Yala Mag by YalaThemes