Managing access to other organisations
With Microsoft 365 many of us are collaborating via guest access to many tenants owned by clients, partners, communities or even family. Some of these will be following best practice and implementing additional security controls such as MFA. So what happens when you get a new phone or new authentication app and need to change all of those tenants to look at a new authenticator app?
You may also have been granted access to apps and groups, or be eligible to request access packages as part of Azure Active Directory Entitlement, or be an approver as part of Access Reviews.
All of these can be difficult to find unless you know where to go in the interface, especially when you need to change the context of the tenant you are connected to.
Before continuing, let me apologise. There will be no images from the Microsoft Authenticator app as all of the information is sensitive, and if you try to take a screen grab, it is blocked.
A word of warning: all of those tenants are going to carry on using the app on the old phone, so even if you have removed the SIM, you might want to keep the phone going for a little while, especially if any of them are only using the app.
A quick word on terminology
While the word tenant is commonly used in a technical context to describe where our accounts and services are hosted, from an interface perspective, the word organisation is used instead. From here on, I will use “organisation” to stay in line with the interfaces that I am describing.
Log in to your home tenant
The first step towards managing the access to all of the organisations is to log in to your home organisation in a browser. Once you are authenticated, select “View Account” by clicking on your profile in the top right of the browser:
This takes you to the page to manage all aspects of your account. From here there are some very useful options on the menu on the left:
The option we are interested in is “Organisations”. Clicking this option takes us to a view of all of the organisations that we have access to:
Your home organisation is shown at the top and then every other organisation is shown below.
Leave an organisation
For each other organisation you are a member of, you can use the “Leave organisation” button if you want to remove yourself from it. This will work if your authentication works. However, if your account is disabled in either your home tenant or the external tenant, this will fail.
When you click on the “Leave organisation” button, you are authenticated into that organisation, and prompted to confirm that you want to leave it:
Clicking “Leave” will remove your access from the tenant, and your account is soft deleted, and hard deleted after 30 days.
Read more at Leave an organization as a guest user - Azure Active Directory | Microsoft Docs
Manage your authentication to external tenants
You can change the context of the tenant you are accessing using the organisations icon in the top left corner of the screen:
Selecting one of the organisations shown will authenticate you into that organisation. The branding in the top left corner will change and the organisation that you are authenticated with will show as “Signed in”:
In addition, the navigation will also change, giving you access to organisation specific options.
Warning: This is where the interface gets confusing!
If you want to change the authentication method, then you select the “Security info” option. In an ideal world, this would take you to a page where the information presented is related to the organisation you are signed in to and the branding would remain related to that organisation. In reality, the branding reverts to your home organisation, even though the information presented relates to the organisation you are signed in to.
This screen will allow you to remove the authentication app and re-add it so you can scan the QR code.
Other useful tools
Being able to easily switch organisations has other benefits that it is good to be aware of.
Starting from the My Account page, there are options to navigate to see a list of the apps and groups that you have been given access to:
This can be a really useful way to get to information you have permissions to access, but which is sometimes difficult to find:
- My Apps (microsoft.com) - See all the apps that you have been granted permission to access.
- Access Panel Groups (windowsazure.com) - See all of the groups that you have been granted permission to access.
- My Access (microsoft.com) - See all of the entitlements that you have been given permission to request, and if you are part of the approval process for access reviews or entitlements you can see that as well.
Summary
It is now quite easy to change the authentication methods for organisations that you have access to, but it is, at times, confusing due to the inconsistency of the interface and the branding. It is also easy to change the context of the organisation you are working within, but only when you know where to go to change organisation.