Identity Governance – Self Service Access Package for External Users
In this post I am going to show you how to create an access package (containing a SaaS app) that users external to your organization can request through self-service, even if they have not already been invited as guests.
Creating an Access Package
- Navigate to Portal.azure.com
- Go to Azure Active Directory
- Click on Identity Governance
- Select Create an Access Package
- Enter a Name
- Enter a Description
- Choose a Catalog (I am sticking with the default, which is General)
- Click Next
The Resource roles section is where you add resources to the access package. I am going to keep this post simple and just choose the Salesforce application.
- Add the required resources you wish the guest to have access to and click next
- Next you have the option to create a policy now or later. We are going to create the Policy Now.
- Select “For Users not in your Directory”, as we want this to be available to external users who are not already guests.
- You can select specific directories/domains which users can request access from or leave it open to any
- I have chosen require approval since I have left the directory settings at Any.
- Choose your specific approvers
- Modify any other settings you wish, e.g. justification or expiration dates.
- Enable the Policy.
- Click Review + Create
- Review your settings and click create
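The post pairs the open "Any" directory setting with required approval. As an added example (not from the original post), this Python check flags policies where that pairing is missing. It assumes the policies were exported as JSON from the Microsoft Graph v1.0 `assignmentPolicies` endpoint; the helper names and sample policies are constructed for illustration.

```python
# Added example: flag external-user assignment policies that lack approval or expiry.
# Field names: Microsoft Graph v1.0 accessPackageAssignmentPolicy (assumed export format).

EXTERNAL_SCOPES = {
    "allExternalUsers",  # any external directory, connected organization or not
    "allConfiguredConnectedOrganizationUsers",
    "specificConnectedOrganizationUsers",
}

def audit_policy(policy):
    """Return a list of findings for one assignment policy dict."""
    scope = policy.get("allowedTargetScope", "notSpecified")
    if scope not in EXTERNAL_SCOPES:
        return []  # internal-only policy, outside this check
    findings = []
    approval = policy.get("requestApprovalSettings") or {}
    if not approval.get("isApprovalRequiredForAdd", False):
        who = "any external user" if scope == "allExternalUsers" else "connected-organization users"
        findings.append(f"{who} can get access without approval")
    elif not any(s.get("primaryApprovers") for s in approval.get("stages") or []):
        findings.append("approval is required but no approver is configured")
    expiration = policy.get("expiration") or {}
    if expiration.get("type", "notSpecified") in ("notSpecified", "noExpiration"):
        findings.append("assignments never expire")
    return findings

# Constructed sample policies (not real tenant data).
APPROVER = {"@odata.type": "#microsoft.graph.singleUser",
            "userId": "00000000-0000-0000-0000-000000000001"}
SAMPLE_POLICIES = [
    {"displayName": "Salesforce external, approved",
     "allowedTargetScope": "allExternalUsers",
     "expiration": {"type": "afterDuration", "duration": "P90D"},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": True,
                                 "stages": [{"primaryApprovers": [APPROVER]}]}},
    {"displayName": "Salesforce external, open",
     "allowedTargetScope": "allExternalUsers",
     "expiration": {"type": "noExpiration"},
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []}},
    {"displayName": "Staff only",
     "allowedTargetScope": "allMemberUsers",
     "requestApprovalSettings": {"isApprovalRequiredForAdd": False}},
]

def audit_all(policies):
    """Map policy name -> findings, keeping only policies with findings."""
    results = {p["displayName"]: audit_policy(p) for p in policies}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_POLICIES).items():
        print(name, "->", "; ".join(found))
```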
Requesting Access as an external user
- Navigate to http://myaccess.microsoft.com/@t67services.co.uk (changing the @t67services.co.uk to match the tenant you're requesting access to)
- Sign in with your external account (this would typically be your Azure AD account from another organization).
- After signing in, select the access package we just created and choose Request access
- Enter the justification
- Accept the terms
- Click Submit
- Now, with the account that you selected as the approver, sign in to https://myaccess.microsoft.com
- Choose Approvals
- Select the approval and click Approve
Accessing the Apps
- With my external account I can now go to https://myapps.microsoft.com/t67services.co.uk
- Salesforce is now available for me to use
As you can see, that was a very quick introduction to the power of identity governance and how I was able to request access to the Salesforce app as an external user. More to come.