I'm trying to figure out how to securely give an external vendor access to configure Azure resources. They have remote workers who need to access these resources using a guest account from a different tenant, but here's the catch: they can't use multi-factor authentication (MFA) because the account needs to be open for any team member to access, and their support staff is spread out across various locations. What's the best way to set this up while ensuring security?
4 Answers
It's actually risky to allow a shared account without MFA. I recommend pushing for MFA and suggesting they use modern password managers that support it for their team members. If they struggle with this setup, it raises serious questions about how they handle other sensitive accesses. In our setup, we only allow named contacts and require that guests be added to the tenant for access.
Before proceeding, consider discussing with the vendor the importance of a secure setup. Relying on shared credentials is a huge risk, especially for support roles that need access. Shared accounts really limit your audit trails, and I suggest ensuring that they know about proper setups for guest accounts. If they don’t know how to manage MFA, you may want to think twice about continuing that partnership.
I think giving each remote worker their own guest account is a much better approach! This way, you ensure non-repudiation and proper tracking. You can configure conditional access to require MFA and use Privileged Identity Management (PIM) to enforce activation and time limits on their access to roles. This setup offers much more security and control.
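The per-user guest plus Conditional Access setup from the answer above, as an added example that is not part of the original thread: a Microsoft Graph PowerShell call that creates a Conditional Access policy requiring MFA for every guest and external user when they reach the Azure management plane. It assumes the Microsoft.Graph SDK is installed and the signed-in admin has the Policy.ReadWrite.ConditionalAccess scope; the policy name is a placeholder, and the policy is created in report-only mode so sign-in logs can be checked before it is enforced.

```powershell
# Added example, not code from the thread. Requires the Microsoft.Graph SDK
# (Install-Module Microsoft.Graph) and an admin with the scope below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "CA-Guests-RequireMFA-AzureManagement"   # placeholder name
    # Report-only first; change to "enabled" once sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Scope to B2B guests/members from any external tenant, so the
            # vendor's named guest accounts are covered without listing them.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember"
                externalTenants = @{
                    "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        applications = @{
            # Well-known application ID of the Azure Service Management API
            # (Azure Resource Manager); verify it in your tenant's app list.
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # MFA is mandatory, no alternative control
    }
}

# Create the policy and echo its ID for later PIM/access-package wiring.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created.Id
```

Exclude at least one emergency-access account from the policy before switching it to enabled, and pair it with PIM so the guests' Azure roles are eligible rather than permanently active.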
The ideal way to do this is by inviting them as external users instead of giving shared access. If they are unfamiliar with how to implement MFA or share TOTP codes, it might be time to rethink your relationship. Plus, using tools like Entra Identity Governance can help manage onboarding through access packages, making it a smoother and more secure process.