Central management of guest accounts in hybrid environments – AD and Entra ID
Managing access control and permissions for guest accounts or external accounts in hybrid environments is complex. This article highlights the challenges and possible solutions, particularly in the context of using AD groups to control access for guest accounts. In these cases, the accounts are partially managed from within AD.
Parallel to this, it is of course also possible to create guest accounts only in Entra ID. In this case, however, the accounts are managed separately from the management of the other accounts, which are synchronized to Entra ID via Active Directory, for example. In the following, we show different options and their advantages.
What are guest accounts and what are their benefits?
Guest accounts in Entra ID and M365 offer a flexible way of integrating external users into company networks, especially in hybrid environments with local Active Directory (AD). These guest accounts make it possible to securely and efficiently integrate partners, suppliers or customers into your own resources without granting them full access to the internal network.
In a hybrid configuration, Entra ID Connect synchronizes the user accounts between the local AD and Entra ID, ensuring seamless integration. This also plays an important role, for example, in cloud services in M365, such as Microsoft Teams or SharePoint.
Guest users receive access rights according to the assigned roles and groups, which is controlled in detail by the policies in Entra ID and M365. This structure ensures that security requirements and compliance specifications are implemented efficiently. At the same time, collaboration with external partners is optimized.
Challenges and risks of guest accounts
The use of guest accounts in Entra ID and Microsoft 365 poses several security risks and challenges. A key risk is the potential expansion of the attack surface, as external users may be subject to less stringent security policies than internal users. This can lead to unwanted access to sensitive data, especially if guest accounts are not properly monitored and managed.
Another problem is managing the identities and access rights of guest users, as these are often dynamic and the required access rights can change frequently. There is a risk that access rights will not be adjusted or withdrawn in time, which can lead to increased security incidents. Adherence to compliance guidelines also poses a challenge, as external users may be subject to different data protection regulations.
The integration and synchronization of guest accounts in hybrid environments can also be complex and error-prone. This makes administration considerably more difficult and potentially creates security vulnerabilities. To minimize these risks, careful planning, regular monitoring and the implementation of strict security policies are essential.
Manage guest accounts in AD and Entra ID
In general, there are various options for using guest accounts in hybrid environments and connecting them to Entra ID.
- Admins can create the accounts in AD and synchronize them with Entra ID using Entra ID Connect. The accounts are primarily managed in the local Active Directory.
- Alternatively, admins can create the guest accounts in Entra ID and synchronize them to AD. In that case, administration takes place primarily in Entra ID.
Depending on the scenario, this quickly leads to error-prone and complicated workflows, especially in mixed operation where both approaches are used side by side.
If guest accounts are required, it is usually better to manage them centrally for security reasons. This ensures that the guest accounts are available exactly where they are needed and that the central administration provides an overview of rights and areas of application.
Centralized administration also offers further advantages. Guest accounts that admins create in Entra ID are neither visible nor usable in AD. If an external user also needs access there, additional accounts are sometimes required. This increases the attack surface, as there are more accounts in the company than necessary.
In addition, there is inconsistent administration in multiple systems. Incorrectly set authorizations pose a further security risk in such a scenario. Security gaps quickly arise here, which can lead to considerable problems in the hybrid network. Even with correctly set authorizations, complex structures are created that are difficult to keep under control.
Keep guest accounts centrally under control in hybrid environments
If guest accounts are available in Active Directory, there are various scenarios for dealing with them:
- If the guest accounts are primarily required in Active Directory, they can also be managed centrally here. If required, they can be synchronized to Entra ID in the cloud. This makes them available in Entra and M365, for example for guest access to MS Teams or SharePoint.
- It is also possible to create guest accounts as conventional user accounts and mark them using attributes. Unused attributes or the “msDS-User-Account-Control-Computed” attribute are possible candidates.
The attribute “msDS-User-Account-Control-Computed” in Active Directory enables the identification and handling of external and guest accounts. This attribute is a bitmask whose individual bits reflect various account settings that the system calculates dynamically. To distinguish and manage external user accounts and guest accounts, specific flags in the attribute are used to mark these accounts as such.
For example, the flag for a guest account is set to restrict access to sensitive resources and to apply specific policies that are suitable for temporary or restricted users. External user accounts are likewise marked by corresponding bits in this attribute. This automatically adjusts the administrative measures, such as
- Password requirements,
- registration rights and
- access rights.
This enables precise, automated management of these special user groups, tailored to the company’s specific security and access requirements.
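msDS-User-Account-Control-Computed is a constructed attribute that the domain controller calculates on read (lockout and password-expiry state, among others), so a script can decode it but not write it; the flags an administrator sets live in userAccountControl. The PowerShell below is an added example, not code from the article or the IDM-Portal, that reads both attributes for every account in a guest OU and decodes the bits so a reviewer can see the set flags next to the computed ones. It assumes the ActiveDirectory RSAT module and a placeholder OU path that must be adjusted to the real domain.

```powershell
# Added example (not from the original article or the IDM-Portal).
# Assumes the ActiveDirectory RSAT module and a guest OU at the placeholder DN below.
Import-Module ActiveDirectory

# Bit values from the userAccountControl flag definitions (ADS_USER_FLAG_ENUM).
$uacFlags = [ordered]@{
    ACCOUNTDISABLE     = 0x0002
    LOCKOUT            = 0x0010    # reported only in the computed attribute
    PASSWD_NOTREQD     = 0x0020
    NORMAL_ACCOUNT     = 0x0200
    DONT_EXPIRE_PASSWD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
    NOT_DELEGATED      = 0x100000
    PASSWORD_EXPIRED   = 0x800000  # reported only in the computed attribute
}

# Turn a bitmask into the list of flag names whose bit is set.
function ConvertTo-UacFlagNames {
    param([int]$Value)
    $uacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

$guestOu = 'OU=Guests,DC=example,DC=com'   # placeholder, adjust to your domain

# Read the writable flags (userAccountControl) and the DC-computed flags side by side,
# together with the expiry date that temporary guest accounts should carry.
Get-ADUser -SearchBase $guestOu -Filter * `
    -Properties userAccountControl, 'msDS-User-Account-Control-Computed', AccountExpirationDate |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            SetFlags       = (ConvertTo-UacFlagNames $_.userAccountControl) -join ','
            ComputedFlags  = (ConvertTo-UacFlagNames $_.'msDS-User-Account-Control-Computed') -join ','
            Expires        = $_.AccountExpirationDate
        }
    } | Format-Table -AutoSize
```

Accounts that show LOCKOUT or PASSWORD_EXPIRED in ComputedFlags, or that have no Expires value although they are meant to be temporary, are the ones worth a second look during a guest review.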
This approach is used when guest users need to access not only resources in the cloud but also local workloads or data in the on-premises data center. The reverse is also conceivable. Central administration in an IAM system, such as the FirstWare IDM-Portal, makes managing guest accounts much easier. It avoids security gaps caused by incorrect settings or an unnecessarily high number of accounts in Entra ID or the local Active Directory.
IDM portal helps with the central management of guest accounts
For centralized management of guest accounts, companies can use the FirstWare IDM-Portal to manage guest accounts in Active Directory and Entra ID in parallel.
As the IDM-Portal writes directly to the AD, it can also create, read and edit guest accounts in AD in addition to the conventional user accounts.
This is done via a user-friendly interface that displays all relevant attributes. As the IDM-Portal works without its own database, creating and maintaining guest accounts is extremely quick. Access permissions are automatically tailored to roles and attributes so that guest users are only allowed to do what is necessary.
You can also edit the guest accounts in Entra ID in the IDM-Portal, both from a user and a group perspective. For example, guests can be easily added to Entra groups using a drag & drop function.
The IDM-Portal uses the my-IAM RealIdentity and my-IAM RealGroup business services to access Entra identity data. These services retrieve the identity data from Entra ID and make it available for further processing in the IDM-Portal. All changes are immediately transferred to Entra ID.
my-IAM RealIdentity and my-IAM RealGroup are cloud services of the my-IAM platform. They ensure the provision and management of identities and groups from various sources, such as Entra ID, but also other external systems. RealGroup enables centralized management and assignment of group permissions, especially for guest accounts, which keeps access to company resources secure and controlled.
The main advantages of using the IDM-Portal:
- This provides administrators with an interface for managing both directories.
- It makes administration much easier, as control over the guest accounts is centralized.
- The creation and maintenance of guest accounts is extremely fast.
- It reduces inconsistencies and security risks through automated processes.
- Administration can also be delegated to specialists.
Summary
Guest accounts are becoming increasingly relevant for many companies, as the number of different systems and external identities keeps growing. How best to manage these external users is an important topic, especially because significant security aspects are involved.
Seamless integration of the cloud and Active Directory into the IDM-Portal allows administrators to manage guest accounts in one central location. It increases security and improves administrative efficiency.
More about FirstWare IDM-Portal
FirstWare IDM-Portal from FirstAttribute is an integrated Identity and Access Management (IAM) solution that enables the automated management of users and their authorizations, whether on-premises or in the cloud.
This portal integrates all facets of identity and access management and enables centralized access to identity and directory services.