ASD's Blueprint for Secure Cloud

External Identities

This section describes the design decisions associated with external identities (e.g. B2B Collaboration, B2B Direct Connect and Entra ID B2C from other tenants) for system(s) built using ASD's Blueprint for Secure Cloud.


Microsoft Entra External ID provides the ability within Entra ID and Microsoft 365 to collaborate with other tenants through use of B2B (Business-to-Business) collaboration, B2B direct connect, and Entra ID B2C (Business-to-Customer).

Organisations can configure collaboration with other organisations where:

  • A business requirement exists
  • Both organisations choose to collaborate
  • The organisations trust each other
  • Organisations' staff possess the appropriate clearance levels
  • Risk assessments have been completed
  • Collaboration is based on the lowest classification level of any involved organisation or organisations

Collaboration between organisations assessed and operating at the same security level is relatively straightforward, while collaboration between organisations operating on networks that have been assessed at different security levels presents additional considerations and risk. The additional risks and considerations are similar to those that already exist for organisations, with activities such as personnel clearances, physical security requirements, and the secure creation, storage and destruction of physical artefacts. These considerations will need to be assessed on a case-by-case basis and risks accepted.

ASD’s Fundamentals of Cross Domain Solutions provides guidance on connecting networks with differing security classifications. At the time of writing, there are no automated options for external collaboration from a PROTECTED environment and user validation for external collaboration remains a manual process. This is particularly the case should organisations adopting this service seek to collaborate from a PROTECTED environment to an environment that is operating at a lower classification. ASD’s ISM stipulates that all users of a PROTECTED environment must have a valid security clearance. It is recommended that users of the higher classification organisation collaborate into the lower classification organisation, and that unified labelling be configured as per the Blueprint with PROTECTED content restricted to external sharing.

For organisations operating at a PROTECTED level seeking to collaborate, B2C collaboration is not suitable as it enables authentication through publicly accessible domains such as Google and Facebook. Entra B2B enables authentication between Microsoft 365 tenants to provide a higher level of assurance.

B2B enables the most secure sharing of an organisation’s applications, services, and data with external guest users from other organisations while maintaining maximum control over corporate data. The collaboration options between two or more organisations can use the following platforms:

  • Teams
  • Planner
  • SharePoint Online
  • OneDrive for Business

Entra supports several B2B access scenarios to enable users within external organisations to collaborate with a host organisation. Users will be authenticated using an external identity source (e.g., Entra ID tenant credentials) which then generates a linked guest account within the host Entra ID tenant.

When an external user is invited to collaborate, the following items are checked:

  • Is collaboration with the external domain allowed by B2B at the Entra ID level?
  • Is guest access allowed by the application?
  • Is external access with the external domain allowed by the application?

When the above are all true, the external user can be invited, which generates an invitation email. The user must accept the invitation by clicking on the link contained within the email, which causes a linked guest account to be created in the hosting Entra ID tenant. Once the guest account has been created, it is available for use by any of the applications that are configured to allow guest access.

B2B only requires a small amount of user information (name and email). However, it is recommended that organisations create a process outside of technology to ensure organisational identity requirements are met. The identity requirements should include the properties listed in the table below and the external user’s nationality and clearances held.

The following table describes the identity properties that should be a minimum requirement before collaboration is enabled for all organisations and implementation types.

| Property | Example | Purpose |
| --- | --- | --- |
| FirstName | John | Search and identify the user. |
| LastName | Smith | Search and identify the user. |
| UserName (UPN) | | User’s organisation and contract address. |
| UserName | john.smith | Identity in Microsoft. |
| | | User’s email contact. |
| OfficePhone | 612xx xxxxxx | User’s phone contact. |
| MobilePhone | 04xx xxx xxx | User’s phone contact. |
| JobProfile | Finance | User’s job description in identifying appropriate contact. |
| Organisation | Australian Signals Directorate | User’s organisation. |
| Manager | Julie Citizen | User’s manager for further consultation. |
| Photo | ID.JPEG | Viewing and identifying the user. |

In addition to the above, Conditional Access policies should be enforced that require external individuals to use multi-factor authentication, block legacy authentication, and block access from disallowed locations.
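One way to verify that the three Conditional Access controls above actually apply to guests is to audit the tenant's exported policies. The following is an added example, not part of the Blueprint: it assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape, and the function names and sample policies are constructed for illustration.

```python
# Added example: audit exported Conditional Access policies (Microsoft Graph
# conditionalAccessPolicy JSON shape assumed; application scoping not evaluated).
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

def targets_guests(policy):
    users = policy.get("conditions", {}).get("users") or {}
    # An "All users" policy that excludes guests leaves them uncovered.
    if ("GuestsOrExternalUsers" in (users.get("excludeUsers") or [])
            or users.get("excludeGuestsOrExternalUsers")):
        return False
    include = set(users.get("includeUsers") or [])
    return bool(include & {"All", "GuestsOrExternalUsers"}
                or users.get("includeGuestsOrExternalUsers"))

def guest_coverage(policies):
    """Report which of the three recommended controls are enforced for guests."""
    found = {"mfa": False, "legacy_auth_blocked": False, "location_blocked": False}
    for p in policies:
        # Report-only and disabled policies enforce nothing.
        if p.get("state") != "enabled" or not targets_guests(p):
            continue
        cond = p.get("conditions", {})
        clients = set(cond.get("clientAppTypes") or [])
        locations = (cond.get("locations") or {}).get("includeLocations") or []
        grant = p.get("grantControls") or {}
        built_in = set(grant.get("builtInControls") or [])
        all_clients = not clients or "all" in clients
        if "block" in built_in:
            if (all_clients or LEGACY_CLIENTS <= clients) and not locations:
                found["legacy_auth_blocked"] = True
            if all_clients and locations:
                found["location_blocked"] = True
        elif "mfa" in built_in and all_clients and not locations:
            # Under operator OR, another control could satisfy the grant instead.
            if built_in == {"mfa"} or grant.get("operator") == "AND":
                found["mfa"] = True
    return found

def _p(state, users, clients, controls, locations=None):  # sample builder
    cond = {"users": users, "clientAppTypes": clients, "locations": locations}
    return {"state": state, "conditions": cond,
            "grantControls": {"operator": "OR", "builtInControls": controls}}

SAMPLE = [  # constructed: guest MFA; report-only legacy block; block excluding guests
    _p("enabled", {"includeUsers": ["GuestsOrExternalUsers"]}, ["all"], ["mfa"]),
    _p("enabledForReportingButNotEnforced", {"includeUsers": ["All"]},
       ["exchangeActiveSync", "other"], ["block"]),
    _p("enabled", {"includeUsers": ["All"], "excludeUsers": ["GuestsOrExternalUsers"]},
       ["all"], ["block"], {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
]
```

Running guest_coverage(SAMPLE) reports only MFA as enforced for guests: the legacy authentication block is in report-only mode, and the location block excludes guest users.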

Security & Governance

  • None identified





Authorised by the Australian Government, Canberra