Cross-tenant Collaboration with Connected Organizations and Azure AD Entitlements – Hands On!

Cross-tenant Collaboration with Connected Organizations and Azure AD Entitlements – Hands On!

  •  
  •  
  • 1
  •  
  •  
  •  
    1
    Share
This entry is part 2 of 2 in the series Connected Organizations

Now that we’ve configured the nuts and bolts of a connected organization, catalog, and access package, let’s take a look at the user experience!

If you missed out on that excitement, go back to that post ūüôā

In this thrilling installment, we’re going to take the My Access portal link that was the result of the last post and distribute that to users in remote tenant.¬† We’re going to customize the app launcher in the remote tenant to display the shared My Access Portal page, and then walk through the requesting and access of an entitlement.

Publishing a Custom Tile

Giving folks an easy way to access the resources in shared or collaborative environments is usually half the battle of driving down service calls.  For Microsoft 365 users, the easiest way to do it is to publish a tile on the App Launcher.  You can tab over to https://docs.microsoft.com/en-us/microsoft-365/admin/manage/customize-the-app-launcher?view=o365-worldwide to see a general process, or you can just stick around here to see how I do it.

You don’t have to do this step.¬† You can simply distribute the link to people.¬† But, you can also resign yourself to answering countless emails like “Where did you put it?” and “Can you send it to me again?”¬† Honestly.¬† No one needs that.

In this set of steps, the resource is located in the o365ninja.onmicrosoft.com tenant and the guests are coming from the undocumentedfeatures.onmicrosoft.com tenant.

The My Access Portal Link we created in the last post is located here:

It’s a combination of the My Access URL, a tenant hint, and the package ID:¬† https://myaccess.microsoft.com/@o365ninja.com#/access-packages/a485e025-640f-4de4-a7a9-f91057ddb79a

For creating a tile, you may want to drop the individual access package link ID, as it will mean you try to gain access to the package every time you follow the link.

  1. Log into the Microsoft 365 admin center as an admin for the guest tenant (where we want to publish the tile).
  2. Expand Settings and then select Org settings.
  3. Select the Organization profile tab, and then select Custom app launcher tiles.
  4. Click the + Add a custom tile link.
  5. Populate the fields.  For the URL, use the My Access Portal access link from the access package overview page.  Enter a publicly accessible URL for the image tile.  Add a description.  Click Save when finished.
  6. After a few minutes, verify that the tile has been published on the app launcher.

With this new-found power, you can now walk through …

Requesting Access

Once you’ve got a link to an access package, you can use it to … you know.

  1. If you followed the steps above to create the tile to the access package, go ahead and click it.¬† You know you want to.¬† Otherwise, just paste the link into a browser session when you’re logged in as user of the¬†guest tenant.
  2. Read the dialog box describing the permissions requested.  Click Accept to proceed.
  3. Read the flyout panel.¬† If you’ll recall, we configured some¬†questions for people to answer as they request access to a package. Answer as appropriate.¬† If you didn’t configure any questions, just provide the business justification and click Submit.
  4. If you have enabled automatic approval, just wait to be granted access.¬† You’ll see a progress bar at the top of the window. If manual approval has been configured, you’ll see a notification that your request has been sent.¬† Either way, you’ll land on the¬†Request history page.
  5. You can click on View to see the details of your request.
  6. Click Access packages in the navigation bar.
  7. You’ll be presented with a list of access packages which you are eligible to request.¬† You can click the¬†V at the end of the entry to show the details, and the¬†+¬†icon to request access to the package.
  8. In this case, I already have access since I followed a link specifically for this access package.  However, if there were other access packages configured that I was eligible to request, then they would be displayed here.

I feel like I just rolled a +7 configuration and successfully cast a gain resources spell.

Accessing the Resources

You can now Browse to the access packages and try opening resources.

  1. On the My Access Portal in the host environment, select Access Packages and then click the Active tab.
  2. Click the V on an access package entry, and then select a resource you wish to use.
  3. Select Open.
  4. You’ll be redirected to the resource.

That’s it!¬† Users can continue to access their access packages or the portal.

If you were granted access to a Microsoft Team, you should see a UI indicator in the Teams interface in your primary tenant (near your account) that shows you now have access to new resources.

As an end user, you can now use the icon to switch back and forth between your “home” or primary tenant and the “guest” resource tenant!

Reviewing the Admin Settings

So, now you’ve seen it from the user side.¬† We’re going to circle back around to the Azure AD side and see what the configuration looks like.

There are a handful of things we can go take a look at.

Access Package Data

By selecting the the Access Package itself, you can see the assignments.  To get to it, inside the Azure AD Portal, navigate to Identity Governance | Access Packages | <Access Package Name>.  The overview tab will show how many users the package has been assigned to:

You can further drill down into the individual assignment detail, requests, and access reviews for the packages.

Groups

You can also look under Azure AD | Groups and search for the groups that you’ve included as part of your access package.

You can further expand the group, select¬†Members and see the object that’s been added:

That about wraps it up for using entitlements to grant access to resources for connected organizations!

 

Series Navigation<< Cross-tenant Collaboration with Connected Organizations and Azure AD Entitlements!

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.