AZ-104 Microsoft Azure Administrator Exam
You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!
Practice Test

Manage external users
Configure and Manage Guest Access
Guest Access in Azure allows external users to collaborate securely with your organization. This involves configuring who can invite guests, managing their permissions, and ensuring compliance with security policies.
Guest User Invitations
Inviting guest users requires careful control over who can send invites. You can:
- Restrict invitations to administrators and users with the Guest Inviter role.
- Allow all users with the Member UserType to invite guests if security requirements permit.
- Decide whether users with the Guest UserType can invite other guests. Guest is the default UserType for a Microsoft Entra B2B user account.
Managing invitations effectively ensures that only authorized personnel can extend invitations, which helps prevent unauthorized access to organizational resources.
External User Information
To make informed access decisions, it's critical to collect relevant information from external users. Use Microsoft Entra entitlement management to configure questions for external users during access requests. For self-service portals, API connectors can gather user attributes required for assigning access. These steps ensure that approvers have all necessary details when granting user permissions.
Troubleshoot Invitation Redemption
Invitation redemption issues can arise due to various reasons:
- The user domain not being on an allowlist.
- Partner's home tenant restrictions preventing collaboration.
- The user not being present in the partner Microsoft Entra tenant.
These problems can sometimes be resolved by implementing email one-time passwords (OTP), facilitating smoother user access and integration.
External User Access
Controlling what external users can access is crucial for maintaining security:
- Limiting guest access restricts browsing groups and other properties in the directory.
- Blocking access to employee-only apps using Conditional Access policies enhances security.
- Blocking access to the Azure portal unless exceptions are made ensures only necessary access is granted.
These measures help protect organizational data from unauthorized exploration by guest users.
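The invitation settings under Guest User Invitations and the guest access restriction above are both stored in the tenant's Microsoft Graph authorizationPolicy resource (allowInvitesFrom and guestUserRoleId). The following check is an added example, not part of the original study guide: it audits an exported policy against a baseline. The function names, the default baseline and the sample policy are assumptions constructed for illustration.

```python
import json

# Values of the Microsoft Graph authorizationPolicy resource, ordered from
# most to least restrictive.
INVITE_LEVELS = {
    "none": "nobody can invite guests",
    "adminsAndGuestInviters": "only admins and Guest Inviter role holders can invite",
    "adminsGuestInvitersAndAllMembers": "all Member users can invite",
    "everyone": "all users, including guests, can invite",
}
GUEST_ROLES = {
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted guest access",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "limited guest access (default)",
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "same access as member users",
}

def _check(name, value, scale, ceiling):
    """Return a finding string if value is unknown or looser than ceiling."""
    order = list(scale)
    if value not in scale:
        return f"{name}: unknown or missing value {value!r}"
    if order.index(value) > order.index(ceiling):
        return f"{name}: {scale[value]} (baseline: {scale[ceiling]})"
    return None

def audit_guest_policy(policy,
                       max_invites="adminsAndGuestInviters",
                       max_guest_role="10dae51f-b6af-4016-8d66-8c2a99b929b3"):
    """Audit an authorizationPolicy dict; the default baseline is an assumption."""
    results = [
        _check("allowInvitesFrom", policy.get("allowInvitesFrom"),
               INVITE_LEVELS, max_invites),
        _check("guestUserRoleId", policy.get("guestUserRoleId"),
               GUEST_ROLES, max_guest_role),
    ]
    return [r for r in results if r]

# Constructed sample shaped like GET /policies/authorizationPolicy output.
SAMPLE = json.loads("""{
  "id": "authorizationPolicy",
  "allowInvitesFrom": "everyone",
  "guestUserRoleId": "a0b1b346-4d3e-4e8b-98f8-753987be4970"
}""")

if __name__ == "__main__":
    for finding in audit_guest_policy(SAMPLE):
        print("FINDING:", finding)
```

Pass a stricter or looser value for max_invites or max_guest_role to match your own organization's baseline.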
Remove Users Who Don’t Need Access
Regularly reviewing and removing users who no longer need access helps maintain security. Utilize Microsoft Entra ID Governance for efficient management of this process, ensuring that external users and those with member accounts are promptly removed when their services are no longer required.
Assign Azure Roles to External Users
Azure role-based access control (Azure RBAC) lets you manage permissions for external users effectively. Granting only the access necessary for a task keeps the rest of the infrastructure protected. This approach is particularly useful when collaborating with vendors, freelancers, or support engineers.
By following these guidelines, you can ensure secure and efficient collaboration with external users in Azure, maintaining control over access and compliance with security policies.