HOWTO: Provide access to Employees Only in Azure AD

Azure Active Directory is extremely versatile and offers many ways to share applications, data and functionality with people outside your organization. Sometimes, however, you don't want to share things with people outside your organization at all. Here's how to limit access to employees only.

The problem with All Users

One of the first things you need to realize about user management in Azure AD is that the All users scope really does include all users: it includes guest accounts, too.

Guest accounts are user objects created from an invitation that a user in your organization sent to a person your organization wants to collaborate with. The default external collaboration settings in Azure AD allow any user in the tenant to invite others, and allow invited guests to invite further people in turn. It's a gift that keeps on giving…

In Conditional Access, an 'All guests' option is available, but there is no 'Employees only' option. To compound the challenge, certain Conditional Access mechanisms only work as intended when you apply the policy to the All users scope. For instance, a policy targeting the Office 365 app may behave unexpectedly when it is not applied to the All users scope.

Differentiating between Employees and Guests

Guest accounts have two distinct attributes that set them apart from member (employee) accounts:

  • Their userPrincipalName attribute contains the string '#EXT#@', for example jane_fabrikam.com#EXT#@contoso.onmicrosoft.com.
  • Their userType attribute is typically 'Guest', not 'Member'.

Note:
Azure AD admins can change the userType of a guest to 'Member'. The account's userPrincipalName keeps the '#EXT#@' marker, so a rule that checks both attributes still treats such an account as a guest; a rule that checks userType alone would count it as an employee. This is why the rule below combines both conditions.

HOWTO: Create an Azure AD group with employees only

To create an Azure AD group with employees only, perform these steps. Dynamic groups require an Azure AD Premium P1 license in the tenant:

  • Sign in to the Azure portal using an account that has the Global administrator or Groups administrator role assigned.
  • In the left navigation pane, click on (the icon of) Azure Active Directory.
  • In Azure AD’s navigation menu, click on Groups.
  • Click + New group.
  • In the New Group pane, specify the following information:
    • For Group Type select Security from the drop-down list
    • As the Group name specify a group name that fits the organization’s naming convention.
    • Use the Group description to denote that this group contains employees only.
    • As the Membership type select Dynamic User.
  • Click the Add dynamic query link.
  • Click + Add expression.
  • For the first expression, select userType as the property, Equals as the operator and Member as the value.
  • Click + Add expression again.
  • For the second expression, select userPrincipalName as the property, Not Contains as the operator and #EXT#@ as the value.
  • The Rule syntax field now displays:

(user.userType -eq "Member") and (user.userPrincipalName -notContains "#EXT#@")

  • Click the Save button at the top of the Dynamic membership rules pane.
  • Click the Create button at the bottom of the New Group pane.
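The same group can be created and, more importantly, verified from the command line. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Groups administrator role, the tenant has an Azure AD Premium P1 license, and the group name SG-EmployeesOnly is a placeholder for your own naming convention. Beyond creating the group, it checks that no guest ended up in it and lists former guests whose userType was changed to Member, which the UPN clause keeps out of the group.

```powershell
# Added example (not from the original post): create the employees-only dynamic
# group with Microsoft Graph PowerShell and verify the result.
# Assumptions: Microsoft.Graph module installed, Groups administrator role,
# Azure AD Premium P1 in the tenant, placeholder group name "SG-EmployeesOnly".
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$groupName = "SG-EmployeesOnly"
$rule = '(user.userType -eq "Member") and (user.userPrincipalName -notContains "#EXT#@")'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description "Employees only: Member accounts without the #EXT#@ guest marker" `
        -MailEnabled:$false -MailNickname $groupName -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rule -MembershipRuleProcessingState "On"
    Write-Host "Created $($group.DisplayName) ($($group.Id)); membership is populated asynchronously."
}

# Check 1: nobody in the group is a guest by either signal.
# Returns the offending users; an empty result is the expected outcome.
function Test-EmployeesOnlyGroup {
    param([string]$GroupId)
    Get-MgGroupMember -GroupId $GroupId -All -Property "id,userPrincipalName,userType" |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object {
            $upn  = $_.AdditionalProperties['userPrincipalName']
            $type = $_.AdditionalProperties['userType']
            if ($type -eq 'Guest' -or $upn -like '*#EXT#@*') {
                [pscustomobject]@{ Id = $_.Id; UserPrincipalName = $upn; UserType = $type }
            }
        }
}

# Check 2: accounts the rule excludes on one signal only. A guest whose userType
# was changed to Member keeps the #EXT#@ marker in its UPN and therefore stays
# out of the group; review these before assuming they are employees.
function Get-ConvertedGuests {
    Get-MgUser -All -Property "id,userPrincipalName,userType" -Filter "userType eq 'Member'" |
        Where-Object { $_.UserPrincipalName -like '*#EXT#@*' } |
        Select-Object Id, UserPrincipalName, UserType
}

$leaks = @(Test-EmployeesOnlyGroup -GroupId $group.Id)
if ($leaks.Count -gt 0) {
    Write-Warning "Guest-like accounts found in ${groupName}:"
    $leaks | Format-Table -AutoSize
} else {
    Write-Host "No guest accounts in ${groupName}."
}

Write-Host "Former guests now typed as Member (excluded by the UPN clause):"
Get-ConvertedGuests | Format-Table -AutoSize
```

Run Test-EmployeesOnlyGroup again after the group has finished populating; an empty result is what you want before you attach the group to anything.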

Use this group with Conditional Access

As this is a security group, you can use the group in your Conditional Access policies to differentiate between guest users and employees, as soon as the group is populated.

Note:
Dynamic group membership is populated asynchronously. It usually takes minutes, but can take considerably longer in large tenants; check the group's member list before relying on it in a policy.

Perform these steps:

  • Sign in to the Azure portal using an account that has the Global administrator or Conditional Access administrator role assigned.
  • In the left navigation pane, click on (the icon of) Azure Active Directory.
  • In Azure AD’s navigation menu, click on Security.
  • In the Security navigation menu, click Conditional Access.
  • Click the + New policy link at the top of the Policies pane.
  • In the New pane, for the Name field, provide a name for the Conditional Access policy that fits the organization’s naming convention.
  • Click the 0 users and groups selected link beneath Users and groups in the Assignments area.
  • Click Select users and groups and then Users and groups.
    The Select blade appears.
  • Type the name of the previously created group in the search box. Select its search result.
  • Click the Select button at the bottom of the Select blade to select the group and close the blade.
  • Specify the rest of the Conditional Access policy's Assignments and Access controls.
  • Set the Enable policy switch to On at the bottom of the New pane.
  • Click the Create button.

Once the group is populated, the Conditional Access policy applies its access controls to employees only.
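The policy can also be created through Microsoft Graph, which makes it easy to start in report-only mode and confirm the scope before enforcing anything. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original post. It assumes the employees-only group SG-EmployeesOnly already exists, the signed-in account holds the Conditional Access administrator role, and the tenant has Azure AD Premium P1; the policy name, the "require MFA for all cloud apps" control and the empty emergency-access exclusion list are placeholders for your own assignments and access controls.

```powershell
# Added example (not from the original post): create a Conditional Access policy
# scoped to the employees-only group with Microsoft Graph PowerShell.
# Assumptions: group "SG-EmployeesOnly" exists, Conditional Access administrator
# role, Azure AD Premium P1. Policy name and controls are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "Group.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'SG-EmployeesOnly'"
if (-not $group) { throw "Employees-only group not found; create it before scoping policies to it." }

# Start in report-only mode: the policy is evaluated and written to the sign-in
# logs but not enforced, so you can confirm it hits employees and never guests
# before switching it on.
$policy = @{
    DisplayName = "CA-Employees-RequireMFA"                 # placeholder name
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users = @{
            IncludeGroups = @($group.Id)
            ExcludeUsers  = @()    # placeholder: put your emergency-access account IDs here
        }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.DisplayName) ($($created.Id)) in report-only mode."

# Sanity check on what was stored: the policy must be scoped to the group and
# must not have silently become an All-users policy.
$stored = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($stored.Conditions.Users.IncludeUsers -contains "All") {
    Write-Warning "Policy includes All users; guests are in scope."
} elseif ($stored.Conditions.Users.IncludeGroups -contains $group.Id) {
    Write-Host "Policy is scoped to $($group.DisplayName) only."
}

# After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Keep the policy in report-only mode until the group has finished populating and the sign-in logs show the expected employees (and no guests) being evaluated against it.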

Use this group to provide access to applications

When you want to use this group to assign applications, and effectively lock out guest users, perform these steps:

  • Sign in to the Azure portal using an account that has the Global administrator or Application administrator role assigned.
  • In the left navigation pane, click on (the icon of) Azure Active Directory.
  • In Azure AD’s navigation menu, click on Enterprise applications.
  • From the list of available cloud apps, select the app for which you want to provide access to employees only.
  • In the app's navigation menu, click Properties.
  • On the Properties pane for the app, set the option for User assignment required? to Yes.
    Without this setting, any user in the tenant, guests included, can sign in to the app through its direct URL; assignments then only control whether the app appears in the user's My Apps portal.
  • In the app's navigation menu, click Users and groups.
  • Click the + Add user/group link at the top of the Users and groups pane.
  • Click the None Selected link underneath Users and groups.
    The Users and groups blade appears.
  • Type the name of the previously created group in the search box. Select its search result.
  • Click the Select button at the bottom of the Users and groups blade to select the group and close the blade.
  • Click the Assign button at the bottom of the Add Assignment pane.

Once the group is populated, the app is accessible to employees only, plus any users or groups that were assigned to the app directly. Review the app's existing assignments for guest accounts.

Note:
Dynamic group population is not immediate. Wait for the group to populate before setting User assignment required to Yes, or employees will be locked out along with the guests until the group fills…
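The same app lock-down, done through Microsoft Graph so that it can be scripted across many apps and audited afterwards. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post. It assumes the group SG-EmployeesOnly exists and is populated, the signed-in account holds the Application administrator role, and "Contoso Expenses" is a placeholder display name for the enterprise application. After requiring assignment and assigning the group, it lists every principal still assigned to the app and flags any guest user that was assigned directly.

```powershell
# Added example (not from the original post): require assignment on an
# enterprise app, assign the employees-only group, and audit the assignments.
# Assumptions: group "SG-EmployeesOnly" exists and is populated, Application
# administrator role, placeholder app display name "Contoso Expenses".
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Group.Read.All", "User.Read.All"

$appName = "Contoso Expenses"   # placeholder
$sp    = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$group = Get-MgGroup -Filter "displayName eq 'SG-EmployeesOnly'"
if (-not $sp)    { throw "Enterprise application '$appName' not found." }
if (-not $group) { throw "Employees-only group not found; create and populate it first." }

# 1. Require assignment. Without this, any user in the tenant (guests included)
#    can sign in to the app with its direct URL.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 2. Assign the group. Apps that define no app roles accept the all-zero
#    default role id; otherwise pick the first enabled role (adjust as needed).
$roleId = if ($sp.AppRoles.Count -gt 0) {
    ($sp.AppRoles | Where-Object IsEnabled | Select-Object -First 1).Id
} else {
    "00000000-0000-0000-0000-000000000000"
}
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalId -eq $group.Id }
if (-not $existing) {
    New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
        -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
    Write-Host "Assigned $($group.DisplayName) to $appName."
}

# 3. Audit: direct user assignments survive the group assignment. Return any
#    guest user that is assigned to the app individually.
function Get-GuestAppAssignments {
    param([string]$ServicePrincipalId)
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ServicePrincipalId -All |
        Where-Object { $_.PrincipalType -eq "User" } |
        ForEach-Object {
            $u = Get-MgUser -UserId $_.PrincipalId -Property "id,userPrincipalName,userType"
            if ($u.UserType -eq "Guest" -or $u.UserPrincipalName -like "*#EXT#@*") {
                [pscustomobject]@{ AssignmentId = $_.Id; UserPrincipalName = $u.UserPrincipalName; UserType = $u.UserType }
            }
        }
}

$guests = @(Get-GuestAppAssignments -ServicePrincipalId $sp.Id)
if ($guests.Count -gt 0) {
    Write-Warning "Guest accounts are still assigned directly to ${appName}:"
    $guests | Format-Table -AutoSize
    # Remove one with:
    # Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId <AssignmentId>
} else {
    Write-Host "No guest accounts assigned directly to $appName."
}
```

Run step 3 on its own against apps that already had User assignment required set: the group assignment adds employees, but it never removes guests who were assigned to the app individually in the past.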

Concluding

An 'Employees only' group is a good idea for any Azure AD tenant: it gives Conditional Access and application assignment the employees-only scope that the portal does not offer on its own.
