Azure Active Directory External Identities Commercially Released

Microsoft this week announced the "general availability" (GA) commercial release of its External Identities capability in the Azure Active Directory service.

In addition, some enhancements to the Azure AD B2C (Business to Consumer) service were described.

Plus, there was a ton of Azure AD news from last week's Ignite conference.

External Identities GA
External Identities, sold as part of Azure AD Premium P1 or P2 plans, lets organizations build branded forms for users to input their credentials, with the aim of granting network access to external users, such as an organization's partners or customers. The credentials used in these forms can be from a Microsoft account or from social media identity providers, such as Facebook or Google.

Microsoft had previewed External Identities back in May 2020 during its Build developer event. It was also one of the Azure AD features highlighted at this month's Ignite event as having reached GA status.

Some notable External Identities features include:

  • Facebook and Google ID support
  • One-time passcode support via e-mail
  • Microsoft accounts support
  • Ability to define what user attributes to collect on forms
  • API connector support for validating a user's identity or form input, or sending information to another workflow
  • Microsoft Graph API support

Back in May, Microsoft had said that External Identities would work with the Azure AD B2B (Business-to-Business) and B2C services when used to invite guest users. This week's announcement described some External Identities capabilities for Azure AD B2C that would be reaching GA status "in the next few weeks."

These upcoming External Identities capabilities for Azure AD B2C are:

  • Simplified B2C user flows
  • Phone sign-ups during one-time password processes
  • API connectors for extending B2C signups
  • Apple ID support for B2C signups

In addition, External Identities support for "Identity Protection and Conditional Access policies for Azure AD B2C" is expected to reach GA status sometime "later this spring" for Premium P2 plan subscribers.

The Azure AD B2C service additionally will be getting its service-level agreement uptime bumped up to "four nines" (99.99 percent), starting on May 25, as previously announced.

Azure B2B Perks
The announcement also described two new Azure AD B2B capabilities that aren't exactly associated with the External Identities capability. They are mostly IT pro perks.

A new ability to send invitations to guest users whose accounts were created before the rollout of the Azure B2B service is now at the GA release stage. This feature is called "Invite internal users to B2B collaboration." It simplifies matters for IT pros overseeing Azure B2B tenancies, as they don't have to "manually delete and re-invite the user or reassign resources."

Another new Azure B2B capability, currently at the preview stage, is "Reset redemption status for a guest user." It helps organizations deal with changes made by end users, such as wanting to use a different e-mail address or identity provider for their credentials. The reset redemption capability lets IT pros use "PowerShell or the Microsoft Graph invitation API to reset the user's redemption status and reinvite the user while retaining the user's object ID, group memberships, and app assignments," Microsoft explained.
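The following is an added example, not code from the article or from Microsoft, showing how an administrator could perform the reset described above with the Microsoft Graph PowerShell SDK and then confirm that the guest's object ID and group memberships were retained. It assumes an existing session from Connect-MgGraph with User.ReadWrite.All and User.Invite.All consented, and it assumes the New-MgInvitation cmdlet accepts the InvitedUser, ResetRedemption and SendInvitationMessage parameters as in the SDK's invitation resource; the guest address and redirect URL are placeholders.

```powershell
# Added example (not from the article): reset a guest user's B2B redemption
# status with the Microsoft Graph PowerShell SDK and verify the directory object
# survived the reinvite. Requires a prior Connect-MgGraph with User.ReadWrite.All
# and User.Invite.All. All values below are placeholders.

$guestMail   = 'guest.user@partner.example'    # placeholder address
$redirectUrl = 'https://myapps.microsoft.com'  # placeholder landing page

# Capture the guest's identity and memberships before the reset so the
# "retains object ID, group memberships" claim can be checked afterwards.
$before = Get-MgUser -Filter "mail eq '$guestMail'" `
    -Property Id,Mail,UserPrincipalName,ExternalUserState
if (-not $before) { throw "No guest user found for $guestMail" }
$groupsBefore = @((Get-MgUserMemberOf -UserId $before.Id).Id) | Sort-Object

# ResetRedemption reissues the invitation against the existing user object
# (passed via InvitedUser) rather than creating a new guest, so the object ID
# and everything assigned to it stay in place (assumed SDK parameter set).
$invite = New-MgInvitation `
    -InvitedUserEmailAddress $guestMail `
    -InviteRedirectUrl       $redirectUrl `
    -InvitedUser             $before `
    -ResetRedemption `
    -SendInvitationMessage

# Re-read the same object ID; a new object here would mean the reset failed
# and a duplicate guest was created instead.
$after       = Get-MgUser -UserId $before.Id -Property Id,ExternalUserState
$groupsAfter = @((Get-MgUserMemberOf -UserId $before.Id).Id) | Sort-Object

[pscustomobject]@{
    ObjectId        = $before.Id
    SameObjectId    = ($after.Id -eq $before.Id)
    GroupsRetained  = (($groupsBefore -join ',') -eq ($groupsAfter -join ','))
    StateBefore     = $before.ExternalUserState
    StateAfter      = $after.ExternalUserState   # expected to return to PendingAcceptance
    InviteRedeemUrl = $invite.InviteRedeemUrl    # send out of band if mail is not used
}
```

The before/after comparison is the part worth keeping in a runbook: a reset that silently produced a second guest object would leave the old one, with its group memberships and app assignments, orphaned but still active, which is exactly the kind of stale access an access review later has to catch.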

Ignite Announcements
Microsoft made a bunch of Azure AD announcements during last week's Ignite event.

ADFS Report: One of the more timely items, given the recent "Solorigate" advanced persistent threat group activity (the group is now called "Nobelium"), is the GA of an "Active Directory Federation Services (AD FS) activity and insights report." It's designed to assess "all AD FS applications for compatibility with Azure AD." It also provides guidance on how to migrate applications to use the Azure AD service. The report may be useful since the Solorigate attackers reportedly leveraged old, over-privileged applications and AD FS to gain access to Microsoft 365 Exchange Online e-mails.

Passwordless GA: The "passwordless authentication" FIDO2 capability for use in "hybrid" environments (cloud services plus on-premises solutions) was described as having reached GA status after being in preview for more than two years. The GA release brings Azure Portal integrations, improved reporting capabilities, easier Microsoft Authenticator setups and Windows Hello support on Windows 10 machines for face-scan user authentications, among other enhancements.

Temporary Access Pass Preview: Microsoft announced a preview of Temporary Access Pass, which is "a time-limited passcode that allows users to register passwordless authentication methods and recover access to their account without a password."

Authentication Context Preview: Microsoft indicated that a preview of a feature called "Azure AD Conditional Access authentication context" would be coming soon. It's designed to enable the setting of "more granular policies" based on what an end user is trying to do.

AWS Single Sign-On App: Microsoft announced the availability of the AWS Single Sign-On app in the Azure App Gallery, which connects the Azure AD service with Amazon Web Services' single sign-on service. It facilitates centralized management of employee access to AWS services.

Header-Based Authentication GA: The Azure AD App Proxy service now has "native support for header-based authentication." Microsoft also previewed the Azure AD App Proxy "traffic optimization by region" feature, which lets organizations indicate which Azure service region to use to "reduce latency and improve performance" when users access apps.

Access Reviews GA: IT pros can create access reviews for guests, which might get sent to guests or to decision makers in an organization to check if group or team membership should still be allowed. The access reviews capability is now at the GA stage for Microsoft Teams and Microsoft 365 Groups.

Verifiable Credentials Preview: Microsoft's Azure AD verifiable credentials approach is near the preview stage, with a sign-up page available. It's apparently based on the decentralized identity approach described by Microsoft last year. At that time, Microsoft described its participation in an open source Identity Overlay Network blockchain ledger project, which is designed to ensure that only users have control over their identity information.

New Cert: Lastly, there's a new Microsoft Identity and Access Administrator Certification. IT pros have to search for it at the Microsoft Security Resources portal.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
