Delegating external parties access to Azure

May 14, 2021 

In Microsoft Azure you can grant an external user ("contractor") guest access to your Azure subscription. The approach is quite different from what AWS uses (see Delegating external parties access to AWS).

Here we grant access to [email protected] using the Azure Portal. Preferably [email protected] would already exist as a Microsoft account.

  1. Login to your Azure Portal
  2. Type "Users" in the search box
  3. Click on the "Users" service
  4. Click on "New guest user"
  5. Select "Invite User"
  6. Fill in the fields. The email address should be the one given by the external user.
  7. Click on "Invite" at the bottom
  8. The external user will receive an invite to your Azure in the email address you defined above.

Now the user has been created. However, it is lacking permissions to do anything useful. We will fix that in the next steps by assigning it a role:

  1. Type "Subscriptions" to the search box
  2. Click on the "Subscriptions" service
  3. Click on the subscription you want to grant access to
  4. Select "Access control (IAM)" from the left-hand side pane
  5. Click on "+ Add" button to open an action menu
  6. Click on "Add role assignment"
  7. For full read access select "Reader" role. For read-write access use "Contributor" role (excludes user, group and access control management).
  8. Ensure that "Assign access to" is set to "User, group or service principal"
  9. Select the guest user you created in the previous step
  10. Click on "Save"

Once our imaginary John has accepted your invitation all he needs to do is to switch to different Azure Active Directory to get to work. This can be done in the Azure Portal as well as with Azure CLI and Azure Powershell. For more details see the official documentation.

It should be added that there are other ways to grant access to external users. For example, you can create a Service Principal that authenticates using a client secret or a client certificate. Service principals are, however, usually used to grant applications, not people, access to Azure resources. They also require passing sensitive data back and forth, which always risky unless you know what you're doing (e.g. use GPG-encrypted email).

If you want to limit the scope of access you have two options:

  • Apply the role at a resource group level rather than at the subscription level. This was the external party on has access to resources within that resource group.
  • Select role or roles that only grant permissions to certain Azure services.
Samuli Seppänen
Samuli Seppänen
Author archive