Access O365 On Demand, Part 1
Recently one of my customers posed the following problem.
They have O365 SharePoint Online and they need to provide access to this site to many of their external customers.
They want a high level of assurance for those users, which requires some type of multi-factor authentication. At the same time, external users should be able to access the O365 SharePoint site on demand, without a long verification process for account creation.
The customers would come from a known set of e-mail domains or from a set of the trusted Identity Providers.
O365 has no built-in process to automate any of this, so right now they create an O365 account for each new user by hand and then provide full account management for those users, including password management.
They are not happy about all of this overhead for multiple reasons:
- Account creation for external users takes too long. They have to verify the identity of each user via some type of out-of-band process.
- They don't want to get into the business of managing passwords and other account management issues.
- They would have to pay a premium for multi-factor authentication in O365 for all those external users.
So they posed a question: is there any solution that would allow automated account creation in O365 for external users, as long as those users come from a trusted, known Identity Provider or belong to an organization with a trusted, known e-mail domain?
While the requirements might not sound very complicated, in reality this is a fairly hard problem to solve. I started thinking about possible solutions, trying to figure out whether any of the other integration solutions I know of would let us address it for this customer.
To satisfy the first requirement we would need a self-registration solution. This has actually been done before: accounts can be created for external users based on their e-mail domain (after they prove control of the mailbox), or users can be registered when they arrive from a trusted Identity Provider.
The second problem can be addressed by pairing the account creation system with an SSPR (self-service password reset) solution, or it can be fully outsourced to the trusted Identity Provider that already manages accounts for those users.
The third problem can be addressed if the trusted Identity Provider can assert, as part of the sign-in, that it performed some type of multi-factor authentication; the relying side then has to check that assertion rather than assume it.
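To make the three points above concrete, here is a small policy check written for this post as an added example; it is not code from the original post or from any product. It takes the claims of the token the user signed in with and decides between three outcomes: federate the user (trusted Identity Provider that asserts MFA), provision a local account (trusted e-mail domain, but only after mailbox ownership has been verified out of band), or reject. The trusted issuers, trusted domains and e-mail addresses are constructed values; the claim names (`iss`, `email`, `amr`) follow common OpenID Connect conventions, with the `amr` values taken from RFC 8176.

```python
"""Hypothetical self-registration policy for external O365 users.

Added example, not the original post's code. Trust tables and sample
claims are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed trust configuration (hypothetical issuers and domains).
TRUSTED_ISSUERS = {
    "https://idp.partner-a.example": {"requires_mfa": True},
    "https://idp.partner-b.example": {"requires_mfa": True},
}
TRUSTED_EMAIL_DOMAINS = {"partner-c.example", "partner-d.example"}

# Authentication Method Reference values (RFC 8176). "mfa" is the explicit
# multi-factor marker; otherwise require a password plus a second factor,
# so that "sms" or "otp" alone is not mistaken for multi-factor.
SECOND_FACTORS = {"otp", "hwk", "sms", "fido", "swk", "sc"}


@dataclass
class Decision:
    outcome: str  # "federated", "provision" or "reject"
    reason: str


def asserts_mfa(amr):
    """True if the amr claim shows multi-factor authentication took place."""
    methods = set(amr or [])
    return "mfa" in methods or ("pwd" in methods and bool(methods & SECOND_FACTORS))


def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = (email or "").rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def evaluate_registration(claims, email_verified=False):
    """Decide how an external user's first access should be handled.

    claims:         token claims from the IdP the user signed in with.
    email_verified: True only after the user proved control of the mailbox
                    (e.g. clicked a link mailed to it). An e-mail claim from
                    an untrusted IdP is never trusted on its own.
    """
    issuer = claims.get("iss")
    domain = email_domain(claims.get("email"))

    # Path 1: trusted Identity Provider, which also owns password management.
    if issuer in TRUSTED_ISSUERS:
        if TRUSTED_ISSUERS[issuer]["requires_mfa"] and not asserts_mfa(claims.get("amr")):
            return Decision("reject", "trusted IdP did not assert MFA")
        return Decision("federated", f"federated sign-in from {issuer}")

    # Path 2: trusted e-mail domain, local account after mailbox proof.
    if domain in TRUSTED_EMAIL_DOMAINS:
        if not email_verified:
            return Decision("reject", "mailbox ownership not yet verified")
        return Decision("provision", f"self-registration for domain {domain}")

    return Decision("reject", "no trusted issuer or e-mail domain")


if __name__ == "__main__":
    # Constructed sample sign-ins.
    samples = [
        ({"iss": "https://idp.partner-a.example", "email": "ann@partner-a.example",
          "amr": ["pwd", "otp"]}, False),
        ({"iss": "https://idp.partner-a.example", "email": "ann@partner-a.example",
          "amr": ["pwd"]}, False),
        ({"iss": "https://accounts.unknown.example", "email": "bob@partner-c.example",
          "amr": ["mfa"]}, True),
        ({"iss": "https://accounts.unknown.example", "email": "bob@partner-c.example",
          "amr": ["mfa"]}, False),
        ({"iss": "https://accounts.unknown.example", "email": "eve@attacker.example",
          "amr": ["mfa"]}, True),
    ]
    for claims, verified in samples:
        d = evaluate_registration(claims, verified)
        print(f"{claims['email']:28} {d.outcome:10} {d.reason}")
```

The point the fourth sample makes is the one that bites in practice: an `amr` of `mfa` from an issuer you do not trust is worth nothing, so the e-mail-domain path must rest on mailbox verification rather than on any claim in that token.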
And of course on top of all of this we have to figure out all the technical details and see if any of the possible solutions will actually work with O365.
Stay tuned for the next installment. I’ll share some details on how it can be done and some limitations.