The case
Two companies (for example, a parent and an affiliate) have their own Microsoft tenants. Both companies are big, let's say more than 10000 users each. Every day the companies hire and fire employees.
The first company (parent) has an internal website on SharePoint Online. Employees of the second company (child) have to get access to this website. No one else should have access.
The standard Azure B2B approach, "invite each user", is not a suitable option. You (or someone else) can't manually send an individual invitation to each new user of the child company (it's possible, but I assume you do not want this).
Is there another way? Yes, but it's not perfect.
The solution
The Microsoft clouds (Office 365 and Azure) are constantly updated. The information in this post is current as of 25.07.2021.
In our case, the most convenient option is Entitlement Management in Identity Governance. Pay attention: entitlement management requires an Azure AD Premium P2 license (included in the Microsoft 365 E5 pack).
Step 1 - Configure SharePoint website
This step is performed in the SharePoint Online Admin Center (https://<tenantname>-admin.sharepoint.com) of the parent company.
Limit external sharing to the domain of the child company.
Microsoft article - https://docs.microsoft.com/en-us/sharepoint/restricted-domains-sharing
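The same restriction can be applied and checked from the SharePoint Online Management Shell. This is an added example, not part of the original post; the admin URL, site URL and child domain are placeholder assumptions, and the site-level setting cannot be more permissive than the tenant-level one.

```powershell
# Placeholder values (assumptions, not taken from the post).
$AdminUrl    = 'https://parenttenant-admin.sharepoint.com'
$SiteUrl     = 'https://parenttenant.sharepoint.com/sites/intranet'
$ChildDomain = 'child.example'

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# Allow authenticated guests only (no anonymous links) and only
# from the child company's domain.
Set-SPOSite -Identity $SiteUrl `
    -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList $ChildDomain

# Read the settings back and stop if they are not what was requested.
$site    = Get-SPOSite -Identity $SiteUrl
$allowed = @($site.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })

if ($site.SharingDomainRestrictionMode -ne 'AllowList') {
    throw "Domain restriction mode is '$($site.SharingDomainRestrictionMode)', expected AllowList."
}
if ($allowed.Count -ne 1 -or $allowed[0] -ne $ChildDomain) {
    throw "Allowed domain list is '$($allowed -join ' ')', expected only '$ChildDomain'."
}

# Audit: list external users already on the site whose e-mail domain
# is not the child domain. Get-SPOExternalUser returns at most 50 per call.
$pos = 0
$unexpected = @()
do {
    $page = @(Get-SPOExternalUser -SiteUrl $SiteUrl -Position $pos -PageSize 50)
    $unexpected += $page | Where-Object { ($_.Email -split '@')[-1] -ne $ChildDomain }
    $pos += $page.Count
} while ($page.Count -eq 50)

if ($unexpected.Count -gt 0) {
    Write-Warning "External users outside ${ChildDomain}:"
    $unexpected | Select-Object DisplayName, Email, AcceptedAs | Format-Table
} else {
    Write-Output "Sharing on $SiteUrl is limited to $ChildDomain; no other external users found."
}
```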
Step 2 - Connect the partner organization
This step is performed in Azure Active Directory of the parent company.
This is the main part of the story. You just need to follow the instructions from Microsoft article https://docs.microsoft.com/en-us/microsoft-365/solutions/b2b-extranet?view=o365-worldwide.
Step 3 - Get access
This step is performed by users of the child company.
If the access package (in the parent company) is not hidden, each user of the child company should see a request on the My Access portal (it takes some time) that they should accept.
Or you can use the "My Access portal link". Just send it to all users who need access to the SharePoint site of the parent company.
In a few minutes (it takes some time) users can try to access the website. Then they accept the request and that's it.
Conclusion
From my point of view, sharing resources between related organizations should be simple and silent, without any additional actions from users. But at the moment I haven't found other ways.
I have prepared a scheme of my test environment for clarity.
Hope it helps someone.