Organizations often need to provide third-party suppliers, contractors, consultants, and support providers with access to critical systems while maintaining strong security controls and compliance requirements. Traditionally, this has required creating and managing local accounts for external users, resulting in additional administrative overhead and increased complexity around onboarding and offboarding processes.
By leveraging Microsoft Entra B2B (Business-to-Business) collaboration together with Heimdal Privileged Access and Session Management (PASM), organizations can securely manage external users using identities that remain under the control of the supplier organization while benefiting from PASM's privileged access controls and auditing capabilities.
Note: The exact authentication and authorization flow depends on the customer's PASM deployment, Microsoft Entra configuration, identity provider integrations, and access governance policies. This article describes a recommended architecture and integration approach.
1. Benefits
2. How the Integration Works
3. Identity Lifecycle Management
4. Offboarding and Access Revocation
5. Recommended Architecture
Benefits
Using Microsoft Entra B2B together with Heimdal PASM provides several advantages:
- Centralized identity management
- Reduced administrative overhead
- Simplified onboarding and offboarding processes
- Strong Multi-Factor Authentication (MFA) enforcement
- Conditional Access policy enforcement
- Reduced risk of orphaned privileged accounts
- Improved auditability and compliance
- Enhanced visibility into third-party access
- Scalable management of external suppliers and contractors
How the Integration Works
Traditional Approach
In a traditional environment:
- The customer creates local accounts for supplier technicians.
- Permissions are assigned manually.
- The customer relies on the supplier to notify them when an employee leaves.
- Access must be reviewed and revoked manually.
While functional, this model can become difficult to manage at scale and may increase the risk of outdated or unnecessary privileged accounts remaining active.
Microsoft Entra B2B and PASM Approach
Using Microsoft Entra B2B, external users are managed as guest identities within the customer's Microsoft Entra tenant. The high-level process is:
- The supplier technician is invited to the customer's Microsoft Entra tenant.
- The technician authenticates using their existing corporate identity.
- Microsoft Entra enforces MFA and Conditional Access requirements.
- The customer approves and assigns access through groups, roles, or governance workflows.
- The user accesses systems through Heimdal PASM.
- PASM provides privileged access control, session monitoring, auditing, and session recording capabilities.
This approach eliminates the need for separate local accounts while maintaining security and accountability.
Example Workflow
Step 1 – Invite the Supplier User
A customer administrator invites a supplier technician as a guest user through Microsoft Entra B2B.
Example: supplier.engineer@vendor.com
The invited user receives an invitation and authenticates using credentials managed by their own organization.
Step 2 – Enforce Security Controls
Microsoft Entra can enforce organizational security requirements, including:
- Multi-Factor Authentication (MFA)
- Conditional Access Policies
- Device Compliance Requirements
- Geographic Access Restrictions
- Risk-Based Authentication Policies
- Sign-In Risk Evaluations
This ensures external users meet the same security standards as internal users.
Step 3 – Assign Access
Once approved, supplier users can be assigned access through:
- Microsoft Entra Security Groups
- Role-Based Access Control (RBAC)
- Access Packages
- Entitlement Management
- Approval Workflows
This allows organizations to maintain full control over which systems external users can access.
Step 4 – Access Systems Through Heimdal PASM
After authentication and authorization are completed, users access systems through Heimdal PASM. PASM provides:
- Privileged Access Management
- Session Management
- Session Recording
- Access Auditing
- Session Monitoring
- Centralized Access Control
This allows organizations to maintain visibility and control over privileged activities performed by third-party users.
Identity Lifecycle Management
One of the key advantages of combining Microsoft Entra B2B with Heimdal PASM is centralized lifecycle management for external users. Organizations can manage supplier access using their existing governance processes, including:
- User onboarding
- Access approval workflows
- Periodic access reviews
- Role changes
- Offboarding procedures
When a supplier technician no longer requires access, permissions can be removed through standard identity governance processes.
Offboarding and Access Revocation
Proper offboarding is essential when working with third-party suppliers. Access can be revoked by:
- Removing the guest user from Microsoft Entra
- Removing the user from assigned groups
- Revoking assigned access packages
- Disabling the associated identity
- Removing PASM permissions where applicable
This helps ensure that access remains aligned with business requirements and reduces the risk of unauthorized access.
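As an added example (not code from Heimdal or Microsoft), Steps 1 and 3 of the workflow above and the revocation list in this section expressed as Microsoft Graph PowerShell SDK calls. The group name, the redirect URL and the scope list are assumptions; the mapping of that group to server entitlements is configured on the PASM side and is not shown here.

```powershell
# Added example: guest lifecycle for a supplier engineer via the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes "User.Invite.All","User.ReadWrite.All","GroupMember.ReadWrite.All"

# Placeholder: the Entra security group that the PASM deployment maps to supplier server access.
$PasmGroupName = "PASM-Supplier-Engineers"

function Invoke-SupplierOnboarding {
    param([Parameter(Mandatory)][string]$Email,
          [Parameter(Mandatory)][string]$DisplayName)

    # Step 1: B2B invitation. Only a guest object is created in the customer tenant;
    # the engineer keeps authenticating against the vendor's own identity provider.
    $invite = New-MgInvitation -InvitedUserEmailAddress $Email `
        -InvitedUserDisplayName $DisplayName `
        -InviteRedirectUrl "https://myapps.microsoft.com" `
        -SendInvitationMessage

    # Step 3: grant access through group membership, not per-user assignment,
    # so later removal is a single, auditable change.
    $group = Get-MgGroup -Filter "displayName eq '$PasmGroupName'"
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $invite.InvitedUser.Id
    return $invite.InvitedUser.Id
}

function Invoke-SupplierOffboarding {
    param([Parameter(Mandatory)][string]$Email)

    # Locate the guest by the invited address; the userType clause excludes members.
    $user = Get-MgUser -Filter "mail eq '$Email' and userType eq 'Guest'"
    if (-not $user) { Write-Warning "No guest user found for $Email"; return }

    # Remove the membership that carries the PASM entitlement.
    $group = Get-MgGroup -Filter "displayName eq '$PasmGroupName'"
    Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id

    # Disable the identity and invalidate refresh tokens, so a session that is
    # already open cannot outlive the offboarding decision.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # Delete the guest object (soft delete; restorable for 30 days).
    Remove-MgUser -UserId $user.Id
}

# Usage with the article's example address:
# Invoke-SupplierOnboarding -Email "supplier.engineer@vendor.com" -DisplayName "Supplier Engineer"
# Invoke-SupplierOffboarding -Email "supplier.engineer@vendor.com"
```

Permissions still held directly inside PASM are not touched by these calls and must be removed there, as the last item of the list above notes.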
Recommended Architecture
Supplier Identity -> Microsoft Entra B2B -> MFA & Conditional Access -> Guest User Approval -> Heimdal PASM -> Protected Servers and Systems
Best Practices
To maximize security and operational efficiency, Heimdal recommends the following:
- Use Microsoft Entra B2B for all third-party users.
- Enforce Multi-Factor Authentication.
- Apply Conditional Access policies.
- Assign permissions through groups rather than individual users.
- Use Entitlement Management for onboarding workflows.
- Schedule regular Access Reviews for guest accounts.
- Follow the principle of least privilege.
- Enable session recording where appropriate.
- Review supplier access periodically.
- Remove unused or inactive guest accounts promptly.
Common Use Cases
Managed Service Providers (MSPs)
Allow MSP engineers to securely access customer environments while maintaining full auditing and visibility.
Software Vendors
Grant temporary access to application vendors for maintenance, troubleshooting, or upgrades.
External Consultants
Provide controlled access for project-based consultants without creating permanent local accounts.
Healthcare Organizations
Allow approved external specialists and support providers to access systems while maintaining compliance and audit requirements.
Public Sector and Critical Infrastructure
Support secure third-party access while enforcing strict governance and accountability controls.
Additional Resources
Microsoft Entra B2B Collaboration
https://learn.microsoft.com/en-us/entra/external-id/what-is-b2b
Microsoft Entra Entitlement Management
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview
Microsoft Entra Access Reviews
https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview