Why do you need Azure AD B2B Collaboration?


Microsoft Azure AD B2B collaboration (now part of what Microsoft calls ‘External Identities’) provides secure, managed collaboration for your organisation’s external relationships.

What this means is that when you work with organisations and users outside your own to get things done, you don’t need to create new users and passwords in your directory and then closely manage their access and lifecycle yourself.  Instead you use the built-in federation capabilities of Azure Active Directory to add a guest user whose credentials live elsewhere, and choose from a number of options for inviting or approving the user and managing their ongoing access.

Why collaborate?
From sharing a SharePoint or Teams site with a supplier or customer, to giving access to a project management or HR application to contractors or joint venture partners – most organisations need to collaborate with external parties for one reason or another.  
But at the same time, external users often don’t have the same onboarding and offboarding mechanisms as regular staff, so keeping your environment secure is harder: the weaker joiner/leaver controls around external accounts are exactly what an attacker looks to exploit.
For example, if you create a username and password for an external user and they later leave their own organisation, the reason for them to work with you disappears, but the credentials you created may still sign them in to your tenant until someone remembers to remove them.

Federation without the complexity
One way of mitigating the kind of threat mentioned above is to have your external users sign in with their own organisational credentials, so that when their home organisation disables them, their access to you ends too.
Previously, organisations relied on on-premises federation infrastructure (typically ADFS) to collaborate with externals in this manner.
With Azure Active Directory this complexity is removed: you can federate with any other Azure Active Directory tenant simply by sending a guest user invitation, and you can federate with other organisations whose identity provider supports SAML or WS-Fed by entering their federation metadata (or issuer URI, passive sign-in endpoint and signing certificate) into a form in the External Identities blade, with no ADFS infrastructure in sight.
For partners of all shapes and sizes.
Many organisations work with external businesses of all shapes and sizes.  Some of these externals will rely on Azure Active Directory, while others may use competing identity systems such as Google Workspace, and still others may not have an industry standard system for managing identity.  B2B guest collaboration caters for all of these cases.
Established identity providers outside of AAD (e.g. Google Workspace) can be ‘federated’ (in other words linked to your AAD tenant for the purpose of collaboration) via the External Identities blade in the Azure portal.
When you invite a single user via the Azure portal or the Microsoft Graph API, you can send the invitation to any email address and Azure takes care of the onboarding mechanism: on redemption the guest is sent to their home Azure AD tenant, to a federated identity provider, or to email one-time-passcode sign-in, as appropriate.
Users without an AAD or federated identity are challenged with an email-based one-time passcode (OTP) as a means of sign-in, provided email OTP is enabled in your tenant.
Access packages (Azure AD entitlement management) work in the same way, except that the end user requests the package through the My Access portal and goes through an approval process before finally receiving access to the applications and resources they applied for.
External Identities self-service sign-up user flows give you the ability to onboard users automatically, with no manual approval, by checking their details against an API you create (an ‘API connector’); for example you can check a supplier code against the user’s email domain or address before allowing access.
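The Graph invitation mentioned above, as an added example that is not code from the original post. It assumes you already hold an access token with the User.Invite.All permission (the hypothetical `access_token` argument), that the redirect URL is an HTTPS page in your own application, and it uses a constructed Graph response so it runs offline; the URL, email address and object id in the demonstration are all made up.

```python
import json
import urllib.request

# Microsoft Graph endpoint for B2B invitations. The caller needs the
# User.Invite.All permission (or an equivalent directory role for delegated calls).
GRAPH_INVITATIONS = "https://graph.microsoft.com/v1.0/invitations"


def build_invitation(email, redirect_url, display_name=None,
                     send_email=True, custom_message=None):
    """Build the JSON body for POST /invitations, refusing obviously bad input
    before anything is sent to Graph."""
    local, sep, domain = email.partition("@")
    if not (local and sep and domain) or "@" in domain:
        raise ValueError("invitedUserEmailAddress must be a single email address")
    # Redemption lands the guest on this URL: keep it on HTTPS and under your
    # control, otherwise the invitation email becomes a ready-made phishing lure.
    if not redirect_url.startswith("https://"):
        raise ValueError("inviteRedirectUrl must be an HTTPS URL of your own application")
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_email,   # False: you deliver inviteRedeemUrl yourself
        "invitedUserType": "Guest",            # never "Member" for an external party
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    if custom_message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": custom_message}
    return body


def _post_json(url, headers, body):
    """Default transport: a real HTTPS call through urllib."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def send_invitation(access_token, body, post=_post_json):
    """POST the invitation and return the fields worth recording: the new guest's
    object id, its redemption status and the redeem URL."""
    headers = {"Authorization": "Bearer " + access_token,
               "Content-Type": "application/json"}
    data = post(GRAPH_INVITATIONS, headers, body)
    return {
        "guest_object_id": data["invitedUser"]["id"],   # the guest object now in your tenant
        "status": data["status"],                       # "PendingAcceptance" until redeemed
        "redeem_url": data["inviteRedeemUrl"],
    }


if __name__ == "__main__":
    # Offline demonstration with a constructed Graph response (no token, no network).
    fake_response = {"status": "PendingAcceptance",
                     "inviteRedeemUrl": "https://login.microsoftonline.com/redeem?ctx=constructed",
                     "invitedUser": {"id": "00000000-0000-0000-0000-000000000000"}}
    body = build_invitation("supplier@contoso-partner.example",
                            "https://myapps.contoso.example/welcome",
                            display_name="Supplier Contact")
    print(send_invitation("<token>", body, post=lambda url, hdrs, b: fake_response))
```

The guest object is created immediately with `status` of `PendingAcceptance`; record the returned object id so your back office can later remove the guest when the engagement ends, and if you set `sendInvitationMessage` to false you must get `inviteRedeemUrl` to the user yourself.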

Secure
With Azure AD you can rely on defence in depth.
At sign-in, Azure AD evaluates the risk posed by the user and the session, and Conditional Access policies can act on that risk by requiring MFA or blocking the sign-in.
During sign-in, Azure AD uses standard, well-studied authentication protocols (OpenID Connect, OAuth 2.0 and SAML) to communicate with your front-end applications.
In the directory, password secrets are stored hashed rather than in clear.  External users’ credentials live in their home tenant or identity provider and are never copied to the tenant hosting the resources; the guest object in your tenant carries no password of its own.


Connected
Azure Active Directory connects with all of your front-end applications, web and native.
For off-the-shelf applications, many thousands of commercial applications already support SAML or OAuth/OpenID Connect and can be connected to AAD through configuration alone.
For developers, there is a great deal of help available for migrating applications to AAD, including samples and libraries from Microsoft’s website and GitHub accounts.
Applications that fall through the gaps (for example on-premises applications that only understand Windows integrated or header-based authentication) can still be given AAD single sign-on via mechanisms such as Azure AD Application Proxy.

Azure Active Directory’s External Identities feature connects with your back office too:
During the self-service sign-up user flow, API connectors make HTTP calls to your web APIs, either to validate the information collected (and block or continue the sign-up) or to write information to your data store.
Outside of user flows, you can read and manage guest users via Microsoft’s Graph API.  This access can be triggered by a scheduled task or a specific event on your back-office system, for example removing guests whose engagement has ended.
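The API connector described above (and the supplier-code check mentioned earlier under user flows), as an added example that is not code from the original post. It implements the documented connector contract: Azure AD POSTs the collected attributes as JSON with HTTP basic authentication, and the API answers `Continue`, `ShowBlockPage` or `ValidationError`. The supplier table, the `extension_…_SupplierCode` and `extension_…_SupplierSite` attribute names (real ones carry your tenant’s extensions app id) and the basic-auth credentials are all constructed for the example.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: supplier codes and the email domains allowed to use them.
SUPPLIERS = {
    "SUP-1042": {"domains": {"acme.example"}, "site": "Leeds"},
    "SUP-2077": {"domains": {"globex.example", "globex-eu.example"}, "site": "Berlin"},
}

# Custom attribute names as they arrive in the connector request (assumed values;
# real ones take the form extension_<appId>_<Name> for your tenant's extensions app).
SUPPLIER_CODE_ATTR = "extension_00000000000000000000000000000000_SupplierCode"
SITE_ATTR = "extension_00000000000000000000000000000000_SupplierSite"

# Basic-auth credentials configured on the API connector in the portal (assumed).
API_USER = "aad-connector"
API_PASSWORD = "replace-with-a-long-random-secret"


def basic_auth_header(user, password):
    """The Authorization header value Azure AD sends for the configured credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_auth(authorization):
    """API connectors authenticate with HTTP basic auth (or a client certificate).
    Anyone who can reach this endpoint unauthenticated could approve themselves."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(password, API_PASSWORD)


def handle_connector_request(headers, body):
    """Return (http_status, response_json) in the API connector response contract."""
    if not check_auth(headers.get("Authorization")):
        return 401, {"error": "unauthorized"}
    email = (body.get("email") or "").lower()
    code = (body.get(SUPPLIER_CODE_ATTR) or "").strip().upper()
    supplier = SUPPLIERS.get(code)
    if supplier is None:
        # ValidationError (HTTP 400) keeps the user on the attribute page and shows the message.
        return 400, {"version": "1.0.0", "status": 400, "action": "ValidationError",
                     "userMessage": "Unknown supplier code."}
    if email.rpartition("@")[2] not in supplier["domains"]:
        # ShowBlockPage (HTTP 200) stops the sign-up and shows the message.
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "This supplier code cannot be used with your email domain."}
    # Continue (HTTP 200); extra keys overwrite attributes on the guest object being created.
    return 200, {"version": "1.0.0", "action": "Continue", SITE_ATTR: supplier["site"]}


class ConnectorHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for handle_connector_request (terminate TLS in front of it)."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            body = {}
        status, payload = handle_connector_request(self.headers, body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ConnectorHandler).serve_forever()
```

The same connector can be attached at either of the two points the user flow offers (after federating with the identity provider, or just before the user is created); `ValidationError` is only meaningful at the attribute collection step, and the credential check matters because an unauthenticated connector lets anyone who finds the endpoint answer `Continue` for themselves.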

