
Status

 Pending Stakeholder Review

Owner

Gautier Todoschini

Stakeholders

James Kyndt, John Donovan, Frank Bolata, Boris Foiselle

Issue

Today, external users are provided with a Syensqo account and a subsequent Google Workspace license. Microsoft's "External ID" capabilities would avoid consuming a license for externals using M365, but they require operating-model changes on which there is currently no consensus.

Recommendation

Background & Context

Microsoft Entra (formerly Azure Active Directory) offers robust Business-to-Business (B2B) collaboration features, enabling organizations to securely work with external partners, suppliers, vendors, and customers. Here’s what it provides:

1. Secure External Collaboration

  • Invite External Users: Organizations can invite users from any domain (e.g., partners, suppliers) to access specific resources, apps, or services.
  • Flexible Identity Options: External users can sign in with their own credentials (Microsoft, Google, or other email accounts), reducing friction and improving user experience.

2. Granular Access Management

  • Conditional Access Policies: Apply security policies (like MFA, location-based access, or device compliance) to external users, just as you would for internal users.
  • Role-Based Access Control (RBAC): Assign precise permissions to external users, ensuring they only access what’s necessary.

3. Seamless Integration

  • Single Sign-On (SSO): External users can access shared apps and resources without needing to remember new passwords.
  • Collaboration Across Tenants: Enables cross-organization collaboration in Microsoft Teams, SharePoint, and other Microsoft 365 services.

4. Lifecycle Management

  • Automated User Provisioning/Deprovisioning: Easily add or remove external users as business relationships change.
  • Self-Service Capabilities: External users can manage their own profiles and reset passwords if needed.

5. Compliance and Security

  • Audit Logs and Monitoring: Track external user activities for compliance and security purposes.
  • Privacy Controls: Organizations retain control over their data and can enforce privacy requirements.

6. Feature Pricing

Feature | Pricing
MAUs below 50,000 | Free, with core identity and access management features
MAUs beyond 50,000 | Pay-as-you-go pricing (e.g., ~$0.00325 per MAU depending on features used)
SMS Phone Authentication | Billed per transaction (varies by country)
Microsoft Entra ID Governance Add-on | Available only for business guest scenarios; pricing varies

Assumptions

Constraints

Impacts

Options considered

Option 1: B2B + DLP Integration via LEAP Project

Approach:

Deploy Microsoft Entra B2B with Data Loss Prevention (DLP) as a dedicated stream.

Governance:

Close collaboration with SYWAY program for streamlined onboarding/offboarding.

Benefits:

  • Suppliers use their own identities and licenses.
  • Reduces internal M365 license consumption.
  • Minimizes process overhead.
  • Aligns with conservative security and compliance posture.

Considerations:

  • Requires redesign of complex processes and use cases.
  • May involve a few additional licenses (e.g., for DLP or admin roles).
  • Using Microsoft Entra B2B for identity federation.
  • Applying DLP policies to protect sensitive data.
  • MFA and Conditional Access for securing guest access.
  • Enabling auditing and monitoring for external access.
  • External collaboration settings to manage who can invite guests and which domains are allowed.
  • Cross-tenant access settings to control access at the user, group, or app level.
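As an added illustration of the "MFA and Conditional Access for securing guest access" item (example code, not part of this page or of Syensqo's configuration), the following uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy that targets every guest and external user type and requires MFA, deliberately in report-only state so its impact can be reviewed in the sign-in logs before enforcement. The policy name and the break-glass group id are placeholders.

```powershell
# Added example: report-only Conditional Access policy requiring MFA for all
# guest / external user types. Assumes the Microsoft.Graph PowerShell SDK is
# installed and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "CA-Guests-Require-MFA (report-only)"    # constructed name
    state       = "enabledForReportingButNotEnforced"      # switch to "enabled" after review
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users = @{
            includeGuestsOrExternalUsers = @{
                # Every external category Entra distinguishes, from any home tenant
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,serviceProvider,otherExternalUser"
                externalTenants          = @{ membershipKind = "all" }
            }
            # Placeholder: object id of the emergency-access (break-glass) group
            excludeGroups = @("<BREAK-GLASS-GROUP-OBJECT-ID>")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```

Once the report-only results show no unexpected blocks of legitimate partner access, change the state to "enabled" with Update-MgIdentityConditionalAccessPolicy.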

Option 2: Status Quo - Internal Identity Creation

Approach:

Continue creating internal identities (SuccessFactors accounts in Entra / AD) for all external users.

Governance:

Close collaboration with SYWAY program for streamlined onboarding/offboarding.

Implications:

  • M365 license required per user (P2, F3, E3, E5) with long-term commitment (5 years).
  • Higher operational overhead.
  • Future B2B adoption would require a separate transformation project.

Evaluation

Criterion | Option 1: B2B + DLP Integration via LEAP Project | Option 2: Status Quo - Internal Identity Creation
Technical Feasibility | (minus) | (plus)
User Impact | (plus) | (plus)
Support Impact | (minus) | (plus)

Operational Complexity: (minus)

Cost: (plus)

See also

LM01-KDD001 - Migration Strategy
