Why B2B Guest Collaboration is the Path Forward

The Challenge: Outdated and Unsecure Collaboration

Historically, our approach to external collaboration relied on simple domain whitelisting. While this allowed some level of interaction with partners, it came with significant limitations and risks:

• Lack of Control: No granular management of who could access what information.
• Security Risks: Unrestricted sharing increased the risk of data leaks and unauthorized access.
• Inefficient Collaboration: Partners and external stakeholders faced barriers, slowing down projects and innovation.

The Opportunity: Embracing B2B Guest Collaboration

As we migrate from Google Workspace to Microsoft 365, we have a unique opportunity to modernize how we collaborate externally. B2B Guest Collaboration offers a structured, secure, and flexible way to work with partners, suppliers, and customers:

• Granular Access Control: Assign specific permissions to each guest, ensuring the right people have access to the right resources—no more, no less.
• Enhanced Security: Monitor and manage external access, reducing the risk of data breaches and ensuring compliance with internal and external regulations.
• Seamless Collaboration: External partners can securely access shared documents, participate in Teams meetings, and contribute to projects as if they were part of our organization—without compromising our data.
• Scalability: Easily onboard and offboard guests as projects evolve, maintaining agility without sacrificing control.

The Vision: Towards Entitlement Management

Our long-term goal is to implement Entitlement Management—a system that automates and governs access rights for both internal and external users. This will allow us to:

• Automate Access Lifecycles: Grant, review, and revoke access based on business needs and project timelines.
• Ensure Compliance: Maintain a clear audit trail and demonstrate compliance with industry standards.
• Empower Business Owners: Enable project leaders to manage access without IT bottlenecks, accelerating innovation.

Conclusion

By moving away from unsecure, manual processes and embracing B2B Guest Collaboration, Syensqo positions itself as a modern, agile, and secure organization—ready to drive scientific breakthroughs through seamless and trusted partnerships.

Personas

Guests Are external users outside of Syensqo who only require access to content shared in M365 (e.g. Sharepoint), and to collaborate with Syensqo users on this content. Their work is generally not carried out using Syensqo IT systems, and their work is generally not directed by Syensqo employees or governed by Syensqo policies and procedures. 

Examples of External Users could be:

• an external auditor
• an employee of a customer of Syensqo collaborating on product specifications
• an Account Executive of an IT outsourcing provider collaborating with Procurement on an IT Services contract
• external legal counsel

Contingent workers are non-employee workers who are represented in the SuccessFactors org structure and may fulfil a number of different roles at Syensqo. They do require access to IT systems beyond M365 in order to perform their work, and their work is generally directed by Syensqo personnel and carried out in accordance with Syensqo policies and procedures. 

Examples of External Users could be:

• contractors who are back-filling a permanent employee on long-term leave
• Employees of an IT outsourcing provider performing work in Syensqo IT systems, such as consultants working on projects such as SyWay or LEAP
• Employees of a 3PL provider working in the warehouse owned by the 3PL, but processing logistics transactions using Syensqo systems.
• User who need to access a syensqo asset such as server or workstation.
• User who need to get elevated privileges.

By definition, Guest users and Contingent workers are non-overlapping sets. All, or the vast majority of, the ~3,966 people in SuccessFactors flagged as 'External' are by definition not External users as per above. 

Because they perform work in Syensqo systems other than M365, and are subject to Syensqo policies (thus requiring access to learning systems, The Hub intranet, etc.), they will require a proper Syensqo EntraID account and some kind of M365 license. 

The exact type of license can be determined based on need, and we should not assume that an E5 license is needed by default. Lower-cost licenses such as F3 may suffice for their work.

Recommendation

Scenario 5: B2B + Entitlement Management

Background & Context

No information on Google personal MyDrive document sharing with externals.

154 domains whitelisted between AODocs and Shared Drive.
That represent External sharing with 1572 users, not covered by contingent worker identity (Guests)

.
In addition 2368 contingent worker users covered by a microsoft license.

• 2368 Contingent users =  $2,64M$/4y → potential optimisation on some F3 moving to Guest and few E5
• 1572 Guest Users → eligible to B2B collaboration

Identities

*some contingent worker might be eligible to Guest, while only using GWS / M365 platform.
No need to provide a workstation.
No need to access other Syensqo applications.

Collaborate with 3rd parties using M365?

Options considered

Option 1: no external sharing → Solution by default without consensus

1. 1. Major Business impact

Option 2: TODAY in GWS (uncontrolled sharing and  domain whitelisting*)

1. 1. Major Security risk (domain whitelisting only)
   2. Teams chat need an account to collaborate
   3. Sharepoint will rely on anonymous or link-based sharing with very limited control (no Conditional Access, no MFA, no lifecycle management).

Option 3: External using contingent worker identity only

1. 1. Expensive

Option 4: B2B + DLP Integration

1. 1. Not improving the security risk of external sharing and guest management
   2. Reduce the cost while not obliged to provide license to all externals

Option 5: B2B + Entitlement Management

1. 1. Requires new processes and governance to manage the guest collaboration
   2. Improve licenses : 1600 external guest users and an additional 1600 contingent workers who might not need Syensqo accounts.

Why: Scenario 5: B2B + Entitlement Management

The decision was made to select Option 5, as it ensures the same level of security and collaboration. Additionally, during the transition from GWS to M365, we will be able to achieve stronger security through measures such as disabling anonymous sharing, blocking external sharing, and enforcing sharing link expiration.

This is only the beginning of the external collaboration journey, referred as Phase 1: Foundation & Risk Mitigation, and it serves as a directional guide for the future.

The subsequent phases — Phase 2: Controlled B2B Pilot, Phase 3: Operationalization & Governance, and Phase 4: Expansion & Application Access — represents the path toward the target operating model and require deeper and broader analysis, which is  outside the scope of the M365 Migration project.

Phase 2: Controlled B2B Pilot

Objective: Enable secure collaboration for Guest

Actions:

• Enable Microsoft Entra B2B to accept guests
• Restrict access to M365 suite only (Teams, SharePoint, OneDrive)
• Apply DLP policies to shared content
• Collaborate with SYWAY to identify any impact on OnOffboarding

Phase 3: Operationalization & Governance

Objective: Institutionalize B2B collaboration
Extend to (RFP/project-based)

Actions:

• Define the governance model for entitlement management and access package. Time-Bound Access Packages
• Integrate with SYWAY for full lifecycle management
• Establish reporting & compliance dashboards
• Enforce Supplier control to optimise M365 licenses.
• Communicate new process

Phase 4: Expansion & Application Access

Objective: Broaden guest access to additional apps

Actions:

• Define application access tiers for guests
• Extend Conditional Access and DLP to other applications.
• Monitor usage and refine policies
• Evaluate license impact and optimize

Reference Material from Avanade:

See also

The following section describes relevant documentation:

LM01_KDD001 - Migration Strategy