Azure Active Directory B2B Collaborations Now Work Across Microsoft Clouds
Microsoft announced on Thursday that organizations hosted in different Microsoft clouds can now collaborate with each other, provided both sides agree to it and complete some setup steps.
This new Azure Active Directory B2B (Business to Business) cross-cloud collaboration capability, announced as generally available (the commercial-release stage), applies to the following pairs of hosting options:
- Azure Commercial and Azure Government clouds
- Azure Commercial and Azure China clouds (operated by 21Vianet)
The announcement explained that prior to this cross-cloud collaboration capability being available, organizations using different Microsoft hosting services often had to set up duplicate accounts to collaborate.
We heard you also need to share and collaborate with organizations hosted by Microsoft clouds that are different from the cloud hosting your organization. Until now, to do this, you’ve had to go through the complex process of setting up tenants in multiple clouds and issuing different accounts to the same user. But now, your users can collaborate seamlessly across Microsoft clouds using their primary identities, whether your organizations are in the Azure Commercial, Government, or China clouds.
Microsoft's example is an organization using its government cloud service that needs to collaborate with a partner using Microsoft's commercial cloud service. The two organizations can now collaborate if both sides make certain settings changes under "External Identities" in the Azure Portal. IT pros need the Global Administrator or Security Administrator role to enable these settings, which are described in this Microsoft document on Azure AD B2B collaboration.
When enabled, the cross-cloud collaboration lets organizations access files and collaborate using various apps. If an external organization is added as a trusted domain in the Azure Portal, then those external users can "self-service onboard and be governed" by the host organization's access policies, including Azure AD Conditional Access policies such as requiring multifactor authentication or compliant devices.
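As an added illustration (not code from the article or from Microsoft), the following PowerShell script shows what the "External Identities" changes described above look like when driven through the Microsoft Graph cross-tenant access policy API instead of the portal: opting in to the partner's cloud, registering the partner tenant with an explicit inbound configuration, and reading the result back. It assumes the Microsoft.Graph PowerShell module is installed, the signed-in account holds one of the two roles named above, and the partner tenant ID was obtained from the partner; the tenant ID, Graph host and cloud endpoint are parameters you supply, and the defaults shown are placeholders.

```powershell
# Added example, not part of the article or Microsoft's own tooling.
# Enables cross-cloud Azure AD B2B collaboration with one partner tenant
# via the Microsoft Graph cross-tenant access policy. The partner must run
# the mirror image of this in their own tenant, since both sides must opt in.
param(
    # Placeholder: replace with the partner organization's tenant ID.
    [string]$PartnerTenantId = "00000000-0000-0000-0000-000000000000",
    # Cloud the partner tenant lives in: "microsoftonline.us" (Azure Government)
    # or "partner.microsoftonline.cn" (Azure China, operated by 21Vianet).
    [string]$PartnerCloudEndpoint = "microsoftonline.us",
    # Graph host for OUR cloud. Commercial: graph.microsoft.com;
    # Government: graph.microsoft.us; China: microsoftgraph.chinacloudapi.cn.
    [string]$GraphHost = "https://graph.microsoft.com",
    # Connect-MgGraph environment for OUR cloud: Global, USGov or China.
    [string]$Environment = "Global"
)

Import-Module Microsoft.Graph.Authentication

# Policy.ReadWrite.CrossTenantAccess is the least-privilege Graph scope for
# editing cross-tenant access settings; the account itself still needs the
# Global Administrator or Security Administrator role to consent to it.
Connect-MgGraph -Environment $Environment -Scopes "Policy.ReadWrite.CrossTenantAccess"

$policyUri = "$GraphHost/v1.0/policies/crossTenantAccessPolicy"

# Step 1: opt in to the partner's Microsoft cloud ("Microsoft cloud settings").
# Partner-specific settings for a tenant in another cloud have no effect until
# that cloud's endpoint is listed here.
$policy    = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$endpoints = @($policy.allowedCloudEndpoints)
if ($endpoints -notcontains $PartnerCloudEndpoint) {
    $endpoints += $PartnerCloudEndpoint
    Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body @{
        allowedCloudEndpoints = $endpoints
    } | Out-Null
}

# Step 2: partner-specific inbound settings. Trusting the partner's MFA and
# compliant-device claims is what lets the host's Conditional Access policies
# be satisfied by the user's primary (home-tenant) identity instead of a
# duplicate local account. The user/application targets below admit every
# partner user to every app; narrow them to specific groups and apps in
# production.
$inbound = @{
    inboundTrust = @{
        isMfaAccepted                      = $true
        isCompliantDeviceAccepted          = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
}

# Create the partner entry if it is new, otherwise update the existing one
# (POST on an existing partner is rejected, so check first).
$partners = Invoke-MgGraphRequest -Method GET -Uri "$policyUri/partners"
$known    = @($partners.value | ForEach-Object { $_.tenantId })
if ($known -contains $PartnerTenantId) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$policyUri/partners/$PartnerTenantId" -Body $inbound | Out-Null
} else {
    $create = $inbound.Clone()
    $create.tenantId = $PartnerTenantId
    Invoke-MgGraphRequest -Method POST -Uri "$policyUri/partners" -Body $create | Out-Null
}

# Step 3: read back what the service will actually enforce, rather than
# trusting that the writes took effect.
$partner = Invoke-MgGraphRequest -Method GET -Uri "$policyUri/partners/$PartnerTenantId"
$policy  = Invoke-MgGraphRequest -Method GET -Uri $policyUri
[pscustomobject]@{
    PartnerTenant          = $partner.tenantId
    PartnerCloudEnabled    = (@($policy.allowedCloudEndpoints) -contains $PartnerCloudEndpoint)
    MfaClaimTrusted        = $partner.inboundTrust.isMfaAccepted
    CompliantDeviceTrusted = $partner.inboundTrust.isCompliantDeviceAccepted
}
```

The final object is the check a reviewer wants before declaring the collaboration live: the partner's cloud endpoint must be enabled and the trust flags must match what the Conditional Access policies in this tenant expect. Until the partner applies the corresponding outbound and inbound settings in their own tenant, invitations will still fail, which is the "mutually agreed" part of the announcement in practice.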
The new cross-cloud collaboration capability apparently is helping some organizations move away from using Active Directory Federation Services (ADFS), according to an anonymous testimonial statement that was included in Microsoft's announcement. The anonymous organization indicated that it had been using ADFS because it needed to collaborate with workers in China.
ADFS, a Windows Server role for on-premises authentication, has apparently been difficult to secure, and was used by the Nobelium nation-state attackers to skim off Exchange Online e-mails. Such ADFS shortcomings were characterized last year when Microsoft described so-called "MagicWeb" attacks. Microsoft's new free alternative to ADFS is Azure Active Directory certificate-based authentication, which doesn't require maintaining complex deployments on premises and allows direct authentication to Azure AD.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.