Microsoft Adding Azure Active Directory External Identities Perks
Microsoft this week announced some External Identities enhancements for Azure Active Directory users.
External Identities, commercially released last year, provides identity support that lets organizations access each other's networks with governance capabilities. It works with the Azure AD B2B (Business-to-Business) and B2C (Business-to-Consumer) service offerings and requires a subscription to an Azure AD Premium P1 or P2 plan.
New SAML or WS-Fed Options for Azure AD B2B
Newly announced is the "general availability" (commercial release) of Azure AD B2B federation using Security Assertion Markup Language (SAML) or Web Services Federation (WS-Fed) protocol-based identity providers.
Microsoft used to refer to this SAML or WS-Fed option as "direct federation in Azure Active Directory," according to this Microsoft document. Organizations may want to go this route so that guest users are able to use their own identity-provider organizational accounts for collaborations. It avoids having to set up separate Azure AD accounts for them, according to the document.
"We have now added the capability for your partners to approve federations for their domains to prevent them from being phished and for them to specify the SAML endpoint they want to accept requests from," Microsoft's announcement explained.
Cross-Cloud Azure AD B2B Preview
Microsoft's public cloud services typically rely on shared datacenter resources, but Microsoft also offers dedicated-infrastructure cloud services to government entities. A new "Microsoft cloud settings for B2B collaboration" capability, announced at the preview stage, provides a way for so-called "cross-cloud" collaborations across tenants in different Microsoft clouds to work.
The cloud settings for B2B collaboration preview was built on top of Microsoft's Azure AD External Identities "cross-tenant access settings," which was also described as being at the preview stage.
The cloud settings for B2B collaboration preview was built to address customer requests that a collaboration depend explicitly on the decisions of the customers involved. For it to work, "each partner mutually agrees to configure B2B collaboration with each other," this Microsoft document explained.
The preview enables Azure AD B2B collaborations across Microsoft's government clouds, including Microsoft Azure Government and Microsoft Azure China 21Vianet. Prior to the preview, there was "no easy way to collaborate with those users," the announcement indicated.
"With the public preview of Microsoft cloud settings for B2B collaboration, developers can build applications for their organization and leverage B2B collaboration to invite users from another instance of a Microsoft cloud, including US Government and China clouds, to access that application using their main organizational identity," the announcement explained.
Custom Extensions Enhancement Preview
Microsoft is planning to release a public preview this summer of an easier way to enrich Azure AD application tokens with information from external sources.
The preview is an enhancement of Microsoft's "custom extensions" capability, where tools such as Azure Functions, Logic Apps or various API development platforms are used to specify actions during an authentication process. With custom extensions, organizations can use those tools instead of manually configuring the processes, Microsoft had explained back in February:
Being able to use specific events in entitlement management -- such as when an access package request is approved or when user access expires -- to trigger custom workflows can extend entitlement management with a bevy of native Microsoft cloud applications as well as external applications like Salesforce and ServiceNow to allow automation of formerly manual processes.
The coming summer preview will "enrich your Azure Active Directory application's tokens with information from external sources using custom extensions," the announcement promised.
The announcement offered some scenarios where this enhancement to the custom extensions capability may be useful:
You may have legacy identity systems or user stores, like LDAP stores, that hold information about your employees or collaborators. In cases where you can't immediately migrate or synchronize that information into Azure Active Directory, you can use custom extensions to fetch it on every sign-in. Or, you can use custom extensions to get information from other cloud-based systems like those used for human resources or authorization management.
Microsoft's announcement also described an improved cross-cloud governance capability with Azure AD B2B entitlement management. This improvement extends "the ability to create Connected Orgs and Access Packages targeted at organizations from a different Microsoft cloud."
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.