Methods of secure resource authorization for external identities using remote principal objects are performed by systems and devices. An external entity creates a user group and defines entitlements to an owning entity's secure resource as a set of permissions for the group. An immutable access template with the permissions and an access policy for the secure resource are provided to the owning entity for approval. On approval, a remote principal object is created in the owner directory according to the permissions and access policy. A remote principal that is a group member requests access via an interface to the owner domain using external domain credentials. The identity of the remote principal is verified against the remote principal object by a token service. Verification causes generation and issuance of a token, with the enumerated entitlements, to the remote principal interface affecting a redirect for access to the secure resource.