The Consultant's Dilemma: Architecting Trust When Your License is in Another Castle

Level: Senior. Asked at: Microsoft, Consulting Firms, Large Enterprises, MSPs

Q: "You're a consultant working on a project in your own development tenant. You need Entra ID P2 features for a proof-of-concept, but you can't activate a trial. Your client has a P2 license in their separate production tenant. You need Global Admin rights to configure the POC. How do you securely and pragmatically solve this without buying a new license or compromising their production environment?"

Why this matters: This is not a textbook problem. It is a messy, real-world scenario that tests your understanding of cloud identity beyond a single, clean environment. Your answer reveals whether you can architect solutions across complex organizational and trust boundaries, the hallmark of a senior cloud professional.

Interview frequency: Very high for senior, principal, and architect roles, especially in consulting or enterprise environments.

❌ The Death Trap

The candidate proposes an insecure or naive solution that ignores the trust boundary, such as creating a new native account or asking for credentials.

"Most people say: 'I'd ask the client to create a new user for me in their tenant with Global Admin rights.' or 'They could just add my user as a Global Admin.' These answers are tactically simple but strategically disastrous. They fragment identity, ignore the principle of least privilege, and create massive security holes."

🔄 The Reframe

What they're really asking: "Can you articulate a formal model for cross-organizational trust and temporary privilege elevation? Show me that you understand identity is portable, but resources are sovereign, and you can architect a secure bridge between the two."

This reveals: Your mastery of identity federation, guest access models (B2B), and governance patterns for privileged access. It shows you think in terms of auditable, time-bound relationships, not just static permissions.

🧠 The Mental Model

Use the "Visiting Specialist Surgeon" analogy. It clarifies the relationships between identity, organization, and resources.

1. Your User Account is the Surgeon. This is your single, persistent professional identity. A surgeon doesn't get a new medical license for every hospital they visit.
2. The Client's Tenant is the Major Hospital. It's a sovereign organization with its own rules, staff, and expensive, specialized equipment (the P2 license).
3. The Solution is Issuing Visiting Privileges. The hospital doesn't hire the surgeon as a full-time employee. Instead, it vets their credentials and issues a temporary 'Visiting Physician' badge. This is Azure's B2B guest user model.
4. Global Admin is the Key to the Operating Room. After being granted visiting privileges, the hospital administration (an existing GA) explicitly grants the surgeon access to the specific, high-security area they need to work in for a defined period.

📖 The War Story

Situation: "I was leading a security hardening project for a financial services client. We needed to implement Privileged Identity Management (PIM), a P2 feature, to secure their admin accounts. My team operated from our own company tenant, but the work, and the license, was in theirs."

Challenge: "The client's security policy rightly forbade the creation of new 'cloud-native' admin accounts in their tenant. They needed a way to grant my identity—`benito@myconsulting.com`—the necessary rights in their `client.com` tenant, while maintaining a clear audit trail that I was an external party."

Stakes: "Without a secure and auditable way to do this, the project would stall. A misstep could grant a permanent, untracked admin account to an external party, a finding that would fail any future compliance audit and could cost the client millions in fines."

✅ The Answer

My Thinking Process:

"The core principle here is to never fragment identity. My professional identity is a constant. The solution isn't to create a new me, but to create a new relationship. I need to bring my identity to their resources, not the other way around. The formal mechanism for this is Azure B2B collaboration."

The Architectural Solution:

"My proposed solution was a two-step process based on the 'Visiting Surgeon' model:

Step 1: Establish Formal Visiting Privileges. I instructed the client's Global Admin to invite my user, `benito@myconsulting.com`, into their tenant as a Guest. This created a guest user object in their Entra ID, with a user principal name along the lines of `benito_myconsulting.com#EXT#@client.com`. This is the 'Visiting Physician' badge. It formally recognizes my external identity within their directory, making all my future actions auditable as an external consultant.

Step 2: Grant Temporary, Just-in-Time Access to the 'Operating Room'. Once my guest account was established, I instructed them to assign the Global Administrator role *to that guest object*. Critically, the assignment was made eligible rather than active by wrapping it in PIM, so my Global Admin rights were never standing: each use had to be activated for a justified, time-bound session (e.g., 4 hours). This gave me the keys, but only when I needed them, and with a full audit log."

The Outcome:

"I could seamlessly switch directories in the Azure portal to the client's tenant, using my own credentials. I had the necessary P2-backed GA rights to configure PIM for their internal teams, but my identity was always clearly marked as external. When the project concluded, they simply removed my guest account, cleanly severing all access without leaving behind any orphaned credentials. The solution was secure, auditable, and professionally sound."
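The two steps above, together with the offboarding described in the outcome, as an added example in Microsoft Graph PowerShell. This is illustrative code written for this page, not the author's own script and not a Microsoft reference sample. It assumes the Microsoft.Graph PowerShell SDK; the client tenant ID and the ticket reference are placeholders, and the consultant UPN is the one from the story. The invite, eligibility and offboarding sections run in a session held by the client's existing Global Admin; the activation section runs in a session held by the guest.

```powershell
# Added example for this page (not the author's script). Assumes the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph). <client-tenant-id> and the ticket
# reference are placeholders; benito@myconsulting.com is the UPN from the story.

# ----- Step 1 (client's existing Global Admin): issue the 'visiting badge' -----
Connect-MgGraph -TenantId "<client-tenant-id>" -Scopes "User.Invite.All","RoleManagement.ReadWrite.Directory"

$invitation = New-MgInvitation `
    -InvitedUserEmailAddress "benito@myconsulting.com" `
    -InviteRedirectUrl "https://portal.azure.com" `
    -SendInvitationMessage:$true

# The guest object now present in the client directory. Its UPN takes the
# benito_myconsulting.com#EXT#@client.com form, so later actions are visibly external.
$guestId = $invitation.InvitedUser.Id
Get-MgUser -UserId $guestId -Property userPrincipalName,userType |
    Select-Object UserPrincipalName, UserType

# ----- Step 2 (same admin): make the guest ELIGIBLE for Global Administrator via PIM -----
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator role template ID

$eligibility = @{
    Action           = "adminAssign"
    Justification    = "Consultant eligibility for PIM proof-of-concept, ticket <placeholder>"
    RoleDefinitionId = $globalAdminRoleId
    DirectoryScopeId = "/"                      # tenant-wide scope
    PrincipalId      = $guestId
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type        = "afterDateTime"       # the eligibility itself ends with the engagement
            EndDateTime = (Get-Date).AddDays(30).ToUniversalTime()
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Check: the guest should show up as eligible, with no active (standing) assignment
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '$guestId'"
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$guestId'"

# ----- Activation (the guest, signed in to the client tenant): open the 'operating room' for 4 hours -----
Connect-MgGraph -TenantId "<client-tenant-id>" -Scopes "RoleManagement.ReadWrite.Directory"
$me = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"

$activation = @{
    Action           = "selfActivate"
    Justification    = "Configure PIM for client admin roles, ticket <placeholder>"
    RoleDefinitionId = $globalAdminRoleId
    DirectoryScopeId = "/"
    PrincipalId      = $me.id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT4H" }   # time-bound session
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# ----- Offboarding (client admin, at project end): remove the guest object -----
# Deleting the guest ends its eligible assignments and leaves no orphaned credential behind.
Remove-MgUser -UserId $guestId
```

Two things the block does not do are worth stating. First, what makes the activation step enforceable is the PIM role settings the client configures for Global Administrator (MFA at activation, optional approval, maximum activation duration); the script only requests activation within whatever those settings allow. Second, the two verification calls after the eligibility request are the check a reviewer would want: an eligibility instance should exist and the assignment-instance query should return nothing, proving the guest holds no standing Global Admin rights.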

What I Learned:

"The messy reality of enterprise IT is that licenses, resources, and people rarely live in the same clean box. A senior architect's value is in knowing the patterns to securely bridge these boundaries. The solution is rarely to create new things; it's to create new, well-defined relationships between existing things."

🎯 The Memorable Hook

This analogy makes the complex pattern of B2B collaboration and privilege elevation instantly intuitive and demonstrates a deep, first-principles understanding.

💭 Inevitable Follow-ups

Q: "What if the client is resistant to granting a guest account Global Admin rights, even with PIM?"

Be ready: "That's a valid concern. We'd then pivot to a paired-working model. I would architect the changes and document the exact steps, then get on a screen-share with their internal admin who would execute the commands. It's slower, but it respects their risk posture. My role then shifts from operator to trusted advisor."

Q: "How does this scale? What if you're managing 20 clients this way?"

Be ready: "This manual B2B guest model is for ad-hoc, single-client engagements. For managing multiple clients at scale, the strategic solution is **Azure Lighthouse**. It's the formalized, multi-tenant version of this pattern, allowing a managing organization to project roles into customer tenants without needing guest accounts for every engineer. It's the difference between being a visiting surgeon and running a hospital management company."

🔄 Adapt This Framework

If you're mid-level: Focus on mastering the B2B guest user concept. Being able to clearly explain why inviting an external user is more secure than creating a new native one is a significant step up in architectural thinking.

If you're an Architect: The conversation should immediately go to Azure Lighthouse. Frame the B2B approach as a tactical solution and Lighthouse as the strategic platform for any organization that needs to manage customer environments at scale, discussing its benefits for security, auditing, and operational efficiency.

Written by Benito J D