Managing access to other organisations
With Microsoft 365 many of us are collaborating via guest access to many tenants owned by clients, partners, communities or even family. Some of these will be following best practice and implementing additional security controls such as MFA. So what happens when you get a new phone or new authentication app and need to change all of those tenants to look at a new authenticator app?
You may also have been granted access to apps and groups, or be eligible to request access packages as part of Azure Active Directory Entitlement, or be an approver as part of Access Reviews.
All of these can be difficult to find unless you know where to go in the interface, especially when you need to change the context of the tenant you are connected to.
Before continuing, let me apologise. There will no images from the Microsoft Authenticator app as all of the information is sensitive, and if you try to take a screen grab, it is blocked.
A word of warning: all of those tenants are going to carry on using the app on the old phone, so even if you have removed the sim, you might want to keep the phone going for a little while, especially if any of them are only using the app.
A quick word on terminology
While the word tenant is commonly used in a technical context to describe where our accounts and services are hosted, form an interface perspective, the word organisation is used instead. From here on, I will use “organisation” to stay in line with the interfaces that I am describing.
Log in to your home tenant
The first step towards managing the access to all of the organisations is to log in to your home organisation in a browser. Once you are authenticated, select “View Account” by clicking on your profile in the top right of the browser:
This takes you to the page to manage all aspects of your account. From here there are some very useful options on the menu on the left:
The option we are interested in is “Organisations”. Clicking this option takes us to a view of all of the organisations that we have access to:
Your home organisation is shown at the top and then every other organisation is shown below.
Leave an organisation
For each other organisation your are a member of, you can use the “Leave organisation” button if you want to remove yourself from it. This will work if your authentication works, however, if your account is disabled in either your home tenant or the external tenant, this will fail.
When you click on the “Leave organisation” button, you are authenticated into that organisation, and prompted to confirm that you want to leave it:
Clicking “Leave” will remove your access from the tenant and your account soft deleted and hard deleted after 30 days.
Manage your authentication to external tenants
You can change the context of tenant you are accessing using the organisations icon in the top left corner of the screen:
Selecting one of the organisations shown will authenticate you into that organisation. The branding in the top left corner will change and the the organisation that you are authenticated with will show as “Signed in”:
In addition, the navigation will also change, giving you access to organisation specific options.
Warning: This is where the interface gets confusing!
If you want to change the authentication method, then you select the “Security info” option. In an ideal world, this would take you to a page where the information presented is related to the organisation you are signed in to and the branding would remain related to that organisation. In reality, the branding reverts to your home organisation, even though the information presented relates to the organisation you are signed in to.
This screen will allow you to remove the authentication app and re-add it so you can scan the QR code.
Other useful tools
Being able to easily switch organisations has other benefits that it is good to be aware of.
Starting from the My Account page, there are options to navigate to see a list of the apps and groups that you have been given access to:
This can be a really useful way to get to information you have permissions to access, but which are sometimes difficult to find. And
- My Apps (microsoft.com) - See all the apps that you have been granted permission to access.
- Access Panel Groups (windowsazure.com) - See all of the groups that you have been granted permission to access.
- My Access (microsoft.com) - See all of the entitlements that you have been given permission to request, and it you are part of the approval process for access reviews or entitlements you can see that as well.
It is now quite easy to change the authentication methods for organisations that you have access to, but it is, at times, confusing due to the inconsistency of the interface and the branding. It is also easy to change the context of the organisation you are working within, but only when you know where to go to change organisation.