Entra ID External User invitations enabled

August 18, 2015

The UW Windows Infrastructure has enabled External User invitations in our enterprise Entra ID.

What and When:

Entra ID External User invitations can now be initiated by any user in our enterprise Entra ID, i.e. anyone with a UW NetID. This makes collaborative sharing with non-UW identities possible for applications that rely on Entra ID for identity.

What You Need to Do:

No action is required, but if you run an application that relies on Entra ID, you can now evaluate whether you want to enable External User sharing in your application. If you do enable External User sharing in your application, we advise the following:

  1. Regularly review access to your application and, where it is no longer necessary, remove External User access. We suggest you do this at least once a year.
  2. If there is a setting to distinguish between UW users and External Users, we suggest you enable that setting to help avoid granting access to mistaken identities.

More Info:

The External User capability allows a user account in another Entra ID tenant or a Microsoft account to be represented as a guest in our Entra ID tenant. As a guest, they can be granted access to applications and data, but they do not have the same default level of permissions as a UW user. At this time, guests cannot invite other External Users. External Users authenticate to their Entra ID tenant or the Microsoft Account identity provider.

If you’d like to read more about the Entra ID External User capability, we recommend the following:

- See https://msdn.microsoft.com/en-us/library/azure/hh967632.aspx and review the section entitled “Create and use external users”.

- See https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85 for the Office 365 application settings related to External Users.

NOTE: Just as other applications may need to take action to take advantage of this change, the change itself does not enable External User capability for any Office 365 application. The MSCA service will need to separately enable that capability for each Office 365 application, as it deems appropriate.

Our enterprise Entra ID is uwnetid.onmicrosoft.com, but it has domains such as uw.edu, u.washington.edu, and washington.edu associated with it.

The UWWI service is following the guidance of the Entra ID governance team, put into place by the UW Enterprise Architecture program. Many thanks to that team for their sage advice.

Brian Arkills

UW Windows Infrastructure Service Manager