Managing vendor DevOps access to environments

How is vendor DevOps access managed in your environment?

Here vendors are onboarded like contractors. They get accounts on our network, access to virtual desktops, etc… Our AzDO instances are not accessible from outside the corporate network.

All vendors/consultants have to have an AAD account created, which also has MFA enabled on it. They get onboarded to their specific project and work like our own employees. We don't use any Azure DevOps Server instances.
For pipelines hosted on our internal Jenkins server and Bitbucket, we have two options: one is a Citrix option and one is our VPN software installed on their machines, again logging in with an AD account with MFA.

I work with 2 kinds of clients:

  1. They invite my existing AAD user as a guest into their subscription, layer extra security on that if needed and add me into Azure DevOps. I love that, as it carries my subscriptions into their environment as well and won't give me an email address in their org. Some set up a forwarding mailbox. I like that even better. One mailbox, one calendar, one Edge profile and everything just works.
  2. They create a new AAD user in their subscription and onboard me as a contractor. I HATE THAT.