Our department needs to manage accounts for volunteers, contractors, and interns, while clearly indicating that they are not employees. I'm considering two options: creating a new domain (like %company%external.com) or setting up a subdomain (like external.%company%.com). These users will go through a formal HR process and sign an acceptable use policy. We plan to restrict their M365 functions and won't allow external emailing or collaboration for now, although that may change in the future. Has anyone tackled a similar situation? What important pros and cons should I be aware of?
1 Answer
Treat them like employees in terms of access. If you don't trust them as much as your full-time staff, then they probably shouldn't be using your systems at all. I recommend using the same domain but creating separate Organizational Units (OUs) and managing access with role-based groups. Just label their display names with a distinction, like *Jane Doe (Intern)*. This way, you maintain clarity without complicating your domain structure.
That makes sense. Using role-based access control (RBAC) sounds like a solid plan. The pressure to distinguish these users in their email addresses is understandable, though.
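
The same-domain layout the answer recommends (a separate OU, role-based groups, a labelled display name), written out as an added PowerShell example that is not from the thread. It assumes on-premises Active Directory with the ActiveDirectory module; `example.com`, the `External` OU, the `Role-*` group names and both function names are placeholders.

```powershell
# Added example. Every name here (example.com, OU=External, Role-* groups,
# the function names) is a placeholder, not something taken from the thread.
Import-Module ActiveDirectory

$DomainDn = 'DC=example,DC=com'      # assumption: placeholder domain
$UpnSuffix = 'example.com'           # same domain as employees, per the answer
$OuName   = 'External'
$OuDn     = "OU=$OuName,$DomainDn"

function New-NonEmployeeAccount {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][ValidateSet('Intern','Contractor','Volunteer')][string]$Kind,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    $sam   = "$GivenName.$Surname".ToLower()
    $group = "Role-$Kind"

    # Create the OU and the role group once; later runs reuse them.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $OuDn
    }

    # The display name carries the label; the UPN stays on the normal domain.
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -DisplayName "$GivenName $Surname ($Kind)" `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
        -Path $OuDn -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true -Enabled $true

    # Access is granted to the role group, never to the individual account.
    Add-ADGroupMember -Identity $group -Members $sam
}

# Audit: accounts in the External OU whose display name has lost its label.
function Get-UnlabelledExternalAccount {
    Get-ADUser -SearchBase $OuDn -Filter * -Properties DisplayName |
        Where-Object { $_.DisplayName -notmatch '\((Intern|Contractor|Volunteer)\)$' } |
        Select-Object SamAccountName, DisplayName
}
```

Running `Get-UnlabelledExternalAccount` on a schedule catches accounts that were renamed or moved into the OU by hand without the label.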