This post is part of the Secure External Sharing Series.

Now that external sharing is enabled in Office 365 and SharePoint Online, it’s time to secure your organisation’s Azure Portal so that users, and external users in particular, cannot look up information in the Azure Portal that they should not be seeing!

Quick recap of the terminology: an External User in Office 365 services such as SharePoint Online is equivalent to a Guest User in the Azure Portal.

Pre-requisites:

Summary of steps:

  • Update All Users Group Membership *
  • Create a Dynamic Group for Guest Users
  • Configure Conditional Access Policy

*Note: Ensure that administrators and members are not locked out

Detailed steps – Update All Users Group Membership

  1. Enable All Users Group from the Users and groups > Group Settings (Link)
  2. Save and navigate back to Users and groups > All groups (Link)
  3. Select All Users and navigate to Dynamic membership rules
  4. Configure the Dynamic membership rules for the All Users group so that it contains all users that are not guest users, per screenshot below
  5. Advanced rule query can be used – (user.userType -ne "Guest")
  6. Save and refresh to now see that in All Users group, Guest users (if you had any before) will not be members of the All Users group

Detailed steps – Create a Dynamic Group for Guest Users

  1. Navigate to Users and groups > All groups (Link)
  2. Create New Group External Users
  3. Configure the Dynamic membership rules for the External Users group so that it contains Guest user types only, per screenshot below
  4. Advanced rule query can be used – (user.userType -eq "Guest")
  5. Save and refresh to now see that in External Users group, only Guest users (if you had any before) will be members of the External Users group


Detailed steps – Configure Conditional Access Policy

  1. Navigate to Conditional access – Policies page (Link)
  2. Create a New Policy – Block – External Users – Portal
  3. Under Users and groups, select External Users group
  4. Under Cloud apps, Include > Select apps > Microsoft Azure Management
  5. Under Access controls > Block Access
  6. Enable Policy set to On
  7. Create
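The same configuration can be scripted. The block below is an added example, not part of the original post: it creates the dynamic External Users group and the blocking Conditional Access policy with the Microsoft Graph PowerShell SDK, then checks the group's membership before the policy is enabled. It assumes the Microsoft.Graph module is installed and the signed-in admin has the Group.ReadWrite.All and Policy.ReadWrite.ConditionalAccess scopes; the group and policy names are the ones used in the steps above.

```powershell
# Added example (not the original post's code). Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

# Step "Create a Dynamic Group for Guest Users": same rule as the post, only Guest userType.
$guestGroup = New-MgGroup -BodyParameter @{
    displayName                   = 'External Users'
    mailEnabled                   = $false
    mailNickname                  = 'externalusers'
    securityEnabled               = $true
    groupTypes                    = @('DynamicMembership')
    membershipRule                = '(user.userType -eq "Guest")'
    membershipRuleProcessingState = 'On'
}

# Sanity check before blocking anything: the group must contain Guest accounts only.
# Dynamic membership is evaluated asynchronously, so re-run this until it settles.
$members = Get-MgGroupMember -GroupId $guestGroup.Id -All
$nonGuests = @($members | ForEach-Object { Get-MgUser -UserId $_.Id -Property userType } |
    Where-Object { $_.UserType -ne 'Guest' })
if ($nonGuests.Count -gt 0) {
    throw "External Users group contains $($nonGuests.Count) non-guest account(s); fix the rule first."
}

# Well-known application ID for "Microsoft Azure Management" (the Cloud app selected in the post).
$azureManagementAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

# Step "Configure Conditional Access Policy": block the guest group for that app.
# Use state 'enabledForReportingButNotEnforced' first to see who would be blocked,
# then switch to 'enabled' (the post's "Enable Policy set to On").
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block - External Users - Portal'
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeGroups = @($guestGroup.Id) }
        applications = @{ includeApplications = @($azureManagementAppId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

Write-Output "Created policy '$($policy.DisplayName)' ($($policy.Id)) in state '$($policy.State)'"
```

Because the policy targets only the guest group, members and administrators (who never match the Guest rule) are not affected, which is the lock-out check the note above asks for.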

This completely blocks any guest user in your Azure Active Directory from accessing the Azure Portal. A guest user (aka external user) who tries to browse to the Azure Portal is presented with a block screen instead of the portal.

In the following blog posts, I will cover more on securing the Azure Portal for external and internal users, in addition to configuring settings that securely enable external sharing in your Azure AD and Office 365 tenancy.

Stay tuned: subscribe to the RSS feed or the email newsletter (regular updates and zero spam) to be notified as I publish new posts.