Tags: azure, azure-active-directory, rbac, b2b, azure-security

How to use RBAC in Azure for user in another tenant


I have some Azure Resources I would like to control access to via RBAC. This works fine for users in the same tenant, but I would also like to grant users in another tenant read access to some of my resources via RBAC.

What is the best way to do this? Do I need to first invite the guest user via B2B, and then add RBAC to the guest user?

Is there a way to do this for an Azure Group in the guest tenant -- (i.e. invite the Azure Group via B2B and then assign RBAC to the entire group)?


Solution

  • What is the best way to do this? Do I need to first invite the guest user via B2B, and then add RBAC to the guest user?

    Yes, your thought is right. You need to invite guest users via Azure AD B2B first. Then, you can assign a role to the guest user in Azure AD which you invited.

    Example : Assign a role from a resource group to a guest user

    Go to Azure portal > select the resource group > IAM > Add > select a role and select the user in Azure AD > Save

    [screenshot]

  • Is there a way to do this for an Azure Group in the guest tenant -- (i.e. invite the Azure Group via B2B and then assign RBAC to the entire group)?

    Of course you can do it. From the above screenshot, we can see that you can select "Assign access to Azure AD users, group, or application". Before doing this, you should already have added the guest users to a group in Azure AD.

    [screenshot]

    Please let me know if it helps.
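The same three steps the answer walks through in the portal (invite the guest via B2B, put the guest in a group, assign a role to the group at resource-group scope), scripted with the Az and Microsoft.Graph PowerShell modules. This is an added example, not code from the original question or answer; the e-mail address, group name, resource group name and role are placeholders. One point worth making explicit: the group has to be created in the tenant that owns the subscription (the one where the guest object lands), because Azure RBAC only resolves principals from that tenant; a group that lives in the partner's own tenant cannot be used as the assignee.

```powershell
# Added example (not from the original answer): invite a B2B guest, add the
# guest to a group in the resource tenant, and grant that group Reader on one
# resource group. Requires the Az and Microsoft.Graph modules and an account
# that may invite guests and create role assignments in this tenant.

# --- assumptions / placeholders ---
$GuestEmail        = "reader@partner.example.com"   # user from the other tenant
$GroupName         = "rg-contoso-readers"            # group created in *this* tenant
$ResourceGroupName = "rg-contoso-prod"
$RoleName          = "Reader"                        # least privilege for read-only access

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes "User.Invite.All" | Out-Null

# 1. Invite the external user via Azure AD B2B. The guest object is created in
#    this tenant immediately, so RBAC can be assigned to it right away; the
#    person still has to redeem the invitation before they can sign in.
$invite = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
    -InviteRedirectUrl "https://portal.azure.com" `
    -SendInvitationMessage
$guestId = $invite.InvitedUser.Id

# 2. Create (or reuse) a security group in the tenant that owns the subscription
#    and add the guest to it. Grant access to the group, not to individual users,
#    so offboarding a partner user is a group-membership change only.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $GroupName -MailNickname $GroupName
}
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $guestId

# 3. Assign the role at resource-group scope rather than at the subscription,
#    so the partner can only read the resources you intend to share.
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName $RoleName `
    -ResourceGroupName $ResourceGroupName | Out-Null

# 4. Verify: the group should appear as the principal, with the scope limited
#    to the resource group.
Get-AzRoleAssignment -ObjectId $group.Id -ResourceGroupName $ResourceGroupName |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

If step 3 fails with a "PrincipalNotFound" style error right after the group was created, the new object has not finished replicating yet; wait a short while and rerun the `New-AzRoleAssignment` line. To revoke the partner's access later, either remove the user from the group or delete the role assignment with `Remove-AzRoleAssignment` using the same `-ObjectId`, `-RoleDefinitionName` and `-ResourceGroupName` values.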