20150818: Azure AD External User invitations enabled
The UW Windows Infrastructure has enabled External User invitations in our enterprise Azure AD.
What and When:
Azure AD External User invitations can now be initiated by any user in our enterprise Azure AD, i.e. anyone with a UW NetID. This enables the possibility of collaborative sharing with non-UW identities for those applications which rely on Azure AD for identity.
What You Need to Do:
No action is required, but if you run an application that relies on Azure AD you can now evaluate whether you want to enable External User sharing in your application. If you do enable External User sharing in your application, we advise the following:
- Regularly review access to your application and remove External Users' access where it is no longer necessary. We suggest you do this at least once a year.
- If there is a setting to distinguish between UW users and External Users, we suggest you enable that setting to help avoid granting access to mistaken identities.
The External User capability allows a user account in another Azure AD tenant, or a Microsoft account, to be represented as a guest in our Azure AD tenant. As a guest, they can be granted access to applications and data, but they do not have the same default level of permissions as a UW user. At this time, guests cannot invite other External Users. External Users authenticate to their home Azure AD tenant or to the Microsoft account identity provider, not to ours.
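The annual access review suggested above is easiest when it can be generated rather than done by hand. The following script is an added example, not part of this announcement or the UWWI service's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed, that the reader has Directory.Read.All, and that the application's service principal display name is passed as `$AppDisplayName`. It lists every guest (External User) holding an app role assignment on that application and flags assignments older than the review window or whose invitation was never redeemed.

```powershell
# Added example: enumerate External Users (guests) assigned to one application
# and flag the ones an annual review should look at. Assumes the Microsoft
# Graph PowerShell SDK (Microsoft.Graph.Users, Microsoft.Graph.Applications).
param(
    [Parameter(Mandatory)][string]$AppDisplayName,   # display name of your app's service principal
    [int]$ReviewAgeDays = 365                        # the page suggests reviewing at least once a year
)

Connect-MgGraph -Scopes "Directory.Read.All" | Out-Null

$cutoff = (Get-Date).AddDays(-$ReviewAgeDays)

# External Users are represented in the tenant directory with userType = Guest.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,DisplayName,UserPrincipalName,CreatedDateTime,ExternalUserState

$findings = foreach ($g in $guests) {
    # Keep only assignments on the application under review.
    $assignments = Get-MgUserAppRoleAssignment -UserId $g.Id -All |
        Where-Object { $_.ResourceDisplayName -eq $AppDisplayName }
    foreach ($a in $assignments) {
        [pscustomobject]@{
            Guest        = $g.UserPrincipalName        # '#EXT#' UPNs are guests from another tenant or an MSA
            InviteState  = $g.ExternalUserState        # PendingAcceptance = invitation never redeemed
            GrantedOn    = $a.CreatedDateTime
            # Flag stale grants and unredeemed invitations (a likely mistaken identity).
            # ExternalUserState can be null for guests created before the property existed;
            # those are flagged too, which errs on the side of review.
            NeedsReview  = ($a.CreatedDateTime -lt $cutoff) -or ($g.ExternalUserState -ne 'Accepted')
            AssignmentId = $a.Id                       # input to Remove-MgUserAppRoleAssignment after review
        }
    }
}

$findings | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Rows with NeedsReview set to True are the ones to confirm with the application owner before removing the assignment with Remove-MgUserAppRoleAssignment.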
If you’d like to read more about the Azure AD External User capability, we recommend the following:
- See https://msdn.microsoft.com/en-us/library/azure/hh967632.aspx and review the section entitled “Create and use external users”.
- See https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85 for the Office 365 application settings related to External Users.
NOTE: Just as other applications must take their own steps to take advantage of this change, this change does not by itself enable the External User capability for any Office 365 application. The MSCA service will need to separately enable that capability for each Office 365 application, as it deems appropriate.
Our enterprise Azure AD is uwnetid.onmicrosoft.com, but has domains such as uw.edu, u.washington.edu, and washington.edu associated with it.
The UWWI service is following the guidance of the Azure AD governance team, put into place by the UW Enterprise Architecture program. Many thanks to the sage advice of that team.
UW Windows Infrastructure Service Manager