Using Entitlement Management to Provide External Access to SharePoint Online
Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.
Entitlement management allows your organization to manage access to groups, applications and SharePoint Online sites for internal users and users outside the organization with controls like self-service request, approval workflows and expiration policies. Entitle management does this by creating and managing access packages which are a collection of resources grouped together to be requested in a single go.
Example of a Real-World Scenario
You are required to grant a partner company access to your SharePoint online intranet. Specifically, this partner company requires 20 users access to a Project Management subsite in your SPO intranet for the next 3 months. At a high level an access package would be created to grant access for the 20 users to your SPO engineering subsite. The access package could be scoped to the partner company’s external domain to protect the access package from unauthorized use. You can then add time restrictions on the access so the partner company can only access the subsite for the next 3 months.
At a high level the following requirements would have to be defined for an access package:
– What are you granting access to? For example, SPO site, library and etc.
– Who or what domains require this access?
– How long do they need this access for?
After these requirements above have been identified for an access package. A url would be generated at the creation of the access package and that URL would be used to invite external users and grant access to a SharePoint online site based on the resources specified in the access package.
Entitlement Management Requirements
Entitlement management requires an Azure AD Premium 2 license.
License Limitations
Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have:
- Member users who can request an access package.
- Member users who request an access package.
- Member users who approve requests for an access package.
- Member users who review assignments for an access package.
- Member users who have a direct assignment to an access package.
For guest users, licensing needs will depend on the licensing model you’re using. However, the below guest users’ activities are considered Azure AD Premium P2 usage:
- Guest users who request an access package.
- Guest users who approve requests for an access package.
- Guest users who review assignments for an access package.
- Guest users who have a direct assignment to an access package.
Azure AD Premium P2 licenses are not required for the following tasks:
- No licenses are required for users with the Global Administrator role who set up the initial catalogs, access packages, and policies, and delegate administrative tasks to other users.
- No licenses are required for users who have been delegated administrative tasks, such as catalog creator, catalog owner, and access package manager.
- No licenses are required for guests who have the privilege to request access packages but they do not choose to request them.
“Thank you for reading this post! If you enjoyed it, I encourage you to check out some of our other content on this blog. We have a range of articles on various topics that I think you’ll find interesting. Don’t forget to subscribe to our newsletter to stay up to date with all of our latest content.”