Tutorial / Cram Notes
Azure AD External Identities is a set of capabilities that enable organizations to secure and manage customer, partner, and vendor access to their corporate apps and services. It allows users without an Azure AD account to sign in using their own credentials or social identities such as Facebook, Google, or Microsoft.
Azure AD B2B (Business to Business)
Azure AD B2B collaboration lets you share your company's resources securely with external partners. These users can be given access in several ways, such as a direct invitation or self-service sign-up.
Inviting External Users:
Admins can invite external users to their organization using the Azure portal, PowerShell, or APIs. Invited users receive an email with a redemption link to access shared resources.
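The PowerShell route mentioned above, as an added example (not code from the original notes), using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in admin holds the User.Invite.All and GroupMember.ReadWrite.All permissions; the partner address, redirect URL and project group id are constructed placeholders.

```powershell
# Added example: invite one external user and scope them to a project group.
# Assumes Microsoft.Graph is installed; the e-mail, URL and group id below are placeholders.

Connect-MgGraph -Scopes "User.Invite.All", "GroupMember.ReadWrite.All"

$partnerEmail = "jane.doe@partner.example"       # constructed placeholder
$landingUrl   = "https://myapps.microsoft.com"   # where the guest lands after redemption

# New-MgInvitation creates the guest object in the directory and (optionally)
# sends the invitation e-mail containing the redemption link.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $partnerEmail `
    -InvitedUserDisplayName  "Jane Doe (Partner)" `
    -InviteRedirectUrl       $landingUrl `
    -SendInvitationMessage:$true `
    -InvitedUserMessageInfo  @{ CustomizedMessageBody = "Please accept this invitation to join the project workspace." }

# Until the link is redeemed the guest's externalUserState stays PendingAcceptance.
$guest = $invitation.InvitedUser
Write-Output "Guest object id : $($guest.Id)"
Write-Output "Invitation state: $($invitation.Status)"

# Grant access through a project group rather than tenant-wide permissions,
# so that the guest's reach is limited to what the group is assigned to.
$projectGroupId = "<project-group-object-id>"     # placeholder
New-MgGroupMember -GroupId $projectGroupId -DirectoryObjectId $guest.Id
```

The same invitation can be issued through the Graph REST endpoint `POST /invitations`; the cmdlet is a thin wrapper over it, so the property names match the API.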
Self-Service Sign-Up:
Azure AD allows external partners to sign up via user flows that admins can customize depending on the application’s requirements. With this capability, you can manage who can access what, enforce multi-factor authentication (MFA), and automate user provisioning.
Azure AD B2C (Business to Customer)
Azure AD B2C is a customer identity access management solution that enables you to customize and control how customers sign up, sign in, and manage their profiles when using your applications. It differs from B2B collaboration as it focuses on app-specific user bases, typically end customers.
Policy and User-Flow Configurations:
Identity experiences are configured through user flows or custom policies, which give full control over branding, languages, and the user experience.
Conditional Access Policies
With external identities, enforcing Conditional Access policies is crucial for maintaining security. These policies let organizations define the conditions under which users are granted access, based on signals such as user and sign-in risk, device compliance, and network location (IP ranges or countries).
For example, you might enforce a policy that requires all external partners to perform MFA when accessing certain resources or block access from specific countries.
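The MFA-for-external-partners policy just described, as an added example (not from the original notes), created with the Microsoft Graph PowerShell SDK. It assumes Microsoft.Graph.Identity.SignIns is installed and the admin holds Policy.ReadWrite.ConditionalAccess and Policy.Read.All; the emergency-access account id is a placeholder. The policy is created in report-only mode first, so its effect can be read from the sign-in logs before it is enforced.

```powershell
# Added example: require MFA for all guest/external users except from trusted
# named locations. Assumes Microsoft.Graph.Identity.SignIns; the excluded
# account id is a placeholder for your emergency-access (break-glass) account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require MFA for external users outside trusted locations"
    # Report-only: the policy is evaluated and logged but not enforced.
    # Switch to "enabled" once the sign-in log shows the expected impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Built-in value that targets B2B guests and other external users
            includeUsers = @("GuestsOrExternalUsers")
            # Never let a policy lock out the emergency-access account
            excludeUsers = @("<emergency-access-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations = @{
            includeLocations = @("All")
            # "AllTrusted" = every named location marked as trusted
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

To block rather than challenge (for example, for specific countries), replace `builtInControls = @("mfa")` with `@("block")` and point `includeLocations` at a named location containing those countries; keep the emergency-access exclusion in place in every policy.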
Governance and Lifecycle Management
Azure AD provides tools for governing external user access. Access Reviews let you assess whether users still require access to your resources; you can automate the response or involve resource owners in the decision.
Entitlement Management is another tool that automates access package assignments (which consist of resources, applications, and SharePoint sites) for external users. This tool streamlines the process of managing user lifecycles and access.
Monitoring and Reporting
Monitoring external user activity is essential. Azure AD's auditing and reporting features give insight into sign-ins, configuration changes, and security incidents, among other events.
Azure AD reporting tools can generate reports such as:
- Sign-in logs: Shows sign-in activity of your external users.
- Audit logs: Details configuration changes and other significant events.
- Risky sign-ins: Highlights sign-in attempts that could indicate a security risk.
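A guest-hygiene report, added here as an example (not from the original notes), that ties the Governance and Monitoring sections together: it lists guests whose invitation was never redeemed or who have not signed in for a long time (candidates for an Access Review or removal), and then pulls the last seven days of sign-in logs to surface guest sign-ins that failed, were risky, or were blocked by Conditional Access. It assumes the Microsoft.Graph module is installed and the caller holds User.Read.All, AuditLog.Read.All and Directory.Read.All; the 30-day and 90-day thresholds are illustrative choices.

```powershell
# Added example: stale-guest and suspicious-guest-sign-in report.
# Assumes Microsoft.Graph; thresholds below are illustrative, not from the notes.

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$pendingDays = 30   # unredeemed invitation older than this is stale
$dormantDays = 90   # no sign-in for this long is dormant
$now         = (Get-Date).ToUniversalTime()

# --- 1. Stale guests (governance / lifecycle) ------------------------------
# signInActivity cannot be combined with a $filter on other properties, so the
# userType filter is applied client-side after the query.
$guests = Get-MgUser -All -Property "id,displayName,mail,userType,createdDateTime,externalUserState,signInActivity" |
    Where-Object { $_.UserType -eq 'Guest' }

$staleGuests = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $dormantBefore = $now.AddDays(-$dormantDays)
    $reason = $null
    if ($g.ExternalUserState -eq 'PendingAcceptance') {
        if ($g.CreatedDateTime -lt $now.AddDays(-$pendingDays)) { $reason = "invitation unredeemed for > $pendingDays days" }
    } elseif ((-not $lastSignIn -and $g.CreatedDateTime -lt $dormantBefore) -or ($lastSignIn -and $lastSignIn -lt $dormantBefore)) {
        $reason = "no sign-in in the last $dormantDays days"
    }
    if ($reason) {
        [pscustomobject]@{ Guest = $g.Mail; Id = $g.Id; State = $g.ExternalUserState; LastSignIn = $lastSignIn; Reason = $reason }
    }
}

# --- 2. Suspicious guest sign-ins (monitoring) ------------------------------
$since   = $now.AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.UserType -eq 'guest' }

$findings = foreach ($s in $signIns) {
    $reasons = @()
    if ($s.Status.ErrorCode -ne 0)                          { $reasons += "failed($($s.Status.ErrorCode))" }
    if ($s.RiskLevelDuringSignIn -notin @('none','hidden')) { $reasons += "risk=$($s.RiskLevelDuringSignIn)" }
    if ($s.ConditionalAccessStatus -eq 'failure')           { $reasons += "blockedByCA" }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            When = $s.CreatedDateTime; User = $s.UserPrincipalName; App = $s.AppDisplayName
            IP   = $s.IPAddress;       Country = $s.Location.CountryOrRegion; Reasons = ($reasons -join ', ')
        }
    }
}

"== Stale guests ($($staleGuests.Count)) =="
$staleGuests | Format-Table -AutoSize
"== Suspicious guest sign-ins, last 7 days ($($findings.Count)) =="
$findings | Sort-Object When -Descending | Format-Table -AutoSize
```

The report only reads; removal is left to a reviewed step (an Access Review decision or an explicit `Remove-MgUser`), since a deleted guest can still be restored from the soft-deleted state for a limited period, but a guest who is removed without warning loses access to shared content immediately.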
Example Implementation
Consider a scenario wherein Company A collaborates with Partner Company B. Company A can invite specific individuals from Company B to collaborate on a project by using Azure AD B2B. An invite is sent, and upon redemption, Company B’s users can securely access resources shared by Company A, such as documents on SharePoint.
To ensure security, Company A sets Conditional Access policies that require MFA from external users accessing the project resources from outside Company A’s network. If any user’s risk profile suggests suspicious activity, access can be blocked, or they can be required to reauthenticate.
Moreover, with Access Reviews set up, Company A periodically reviews the access of Company B’s users to evaluate whether they still need access or if their permissions should be modified or revoked.
In conclusion, Azure AD offers a comprehensive set of tools to manage external identities securely and efficiently. By leveraging capabilities such as Azure AD B2B, B2C, Conditional Access, Governance, and Monitoring, organizations can extend their networks, collaborate seamlessly with external users, and maintain a strong security stance. Following these best practices can help candidates understand the key concepts of managing external identities in preparation for the AZ-500 exam.
Practice Test with Explanation
True/False: External identities in Azure AD cannot be managed without enabling Azure AD B2B.
- Answer: False
External identities can be managed using Azure AD B2B (Business to Business), allowing organizations to provide access to external users.
True/False: Guest users invited to Azure AD have the same access levels as regular users by default.
- Answer: False
Guest users have limited permissions by default, but these can be adjusted by an administrator depending on the desired level of access.
Which of the following is a feature of Azure AD B2C (Business to Consumer)?
- A) Work account collaboration
- B) Social identity provider integration
- C) On-premises directory synchronization
- D) Organizational chart creation
- Answer: B) Social identity provider integration
Azure AD B2C is a customer identity management service that supports integration with social identity providers like Facebook, Google, and others.
In which scenario is an Azure AD Conditional Access policy NOT used?
- A) Enforcing multi-factor authentication for certain users
- B) Restricting access to specific applications based on user attributes
- C) Automatically creating user accounts from external identity providers
- D) Blocking access from specific locations or IP addresses
- Answer: C) Automatically creating user accounts from external identity providers
Conditional Access policies are used to secure resources, not for the automated creation of user accounts.
Which type of external identity requires an Azure subscription to authenticate into Azure AD?
- A) Microsoft accounts
- B) B2C users
- C) B2B guest users
- D) None of the above
- Answer: D) None of the above
External identities do not require their own Azure subscription to authenticate into Azure AD; they use their own credentials or external identity providers.
True/False: Azure AD supports the provisioning of users from non-Azure AD directories, such as Google’s G Suite.
- Answer: True
Azure AD supports user provisioning from various external directories, including Google’s G Suite, through identity federation or synchronization.
Single select: Which feature allows the recovery of deleted Azure AD B2B guest users?
- A) Azure AD Privileged Identity Management
- B) Azure AD Access Reviews
- C) Azure AD Identity Protection
- D) Azure AD Soft delete
- Answer: D) Azure AD Soft delete
Azure AD Soft delete allows the recovery of deleted guest users within a certain period after deletion.
Multiple select: Which of the following can be used to enforce multi-factor authentication for external users?
- A) Azure AD Conditional Access
- B) Azure AD Identity Protection
- C) Azure AD Password Protection
- D) Azure AD B2C
- Answer: A) Azure AD Conditional Access, B) Azure AD Identity Protection
Both Azure AD Conditional Access policies and Azure AD Identity Protection can be configured to enforce multi-factor authentication for external users.
True/False: A user can be part of only one Azure AD tenant at a time.
- Answer: False
A user can be part of multiple Azure AD tenants as a guest, with different roles and permissions in each tenant.
Which Azure service would you use to provide single sign-on for external partners and suppliers?
- A) Azure AD App Proxy
- B) Azure AD B2B
- C) Azure AD Domain Services
- D) Azure AD B2C
- Answer: B) Azure AD B2B
Azure AD B2B is designed to manage external identities, providing secure access for partners and suppliers, including single sign-on capabilities.
True/False: It’s mandatory to create an Azure AD tenant to use Azure AD B2C.
- Answer: True
Azure AD B2C requires an Azure AD tenant, as it’s a feature of Azure Active Directory used for managing customer identities.
Interview Questions
What are external identities in Azure AD?
External identities in Azure AD are identities that represent users who are not members of the organization’s directory, such as customers, partners, or vendors.
What are some of the user properties that can be managed for external identities in Azure AD?
Some of the user properties that can be managed for external identities in Azure AD include display name, user name, email address, password, country/region, job title, and department.
How do you invite an external user to an Azure AD tenant?
To invite an external user to an Azure AD tenant, you can create a guest user account and send an invitation email that includes a redemption link.
What is the redemption experience for external identities in Azure AD?
The redemption experience for external identities in Azure AD is the process by which an external user redeems their invitation and sets up their account in the Azure AD tenant.
What is the first step in the redemption experience for external identities in Azure AD?
The first step in the redemption experience for external identities in Azure AD is the invitation email, which includes a redemption link.
What information does the external user need to provide during the redemption experience for external identities in Azure AD?
During the redemption experience for external identities in Azure AD, the external user needs to provide their first and last name, choose a user name, verify their identity by providing their email address and phone number, and set up their credentials by choosing a password or using multi-factor authentication.
How do you manage external user properties in Azure AD?
You can manage external user properties in Azure AD by going to the user’s settings and updating their display name, user name, email address, and other attributes.
How do you configure external user access in Azure AD?
You can configure external user access in Azure AD by assigning roles and permissions, and configuring policies such as multi-factor authentication.
How do you manage external user groups in Azure AD?
You can manage external user groups in Azure AD by adding or removing external users from groups by going to the group’s settings in the Azure portal.
What are some common use cases for managing external identities in Azure AD?
Common use cases for managing external identities in Azure AD include providing access to resources and applications for customers, partners, and vendors, simplifying access management, and ensuring compliance with security and privacy regulations.
Great post! I found the section on managing guest users particularly useful.
Can anyone explain how conditional access policies work with external identities?
How do B2B and B2C differentiate in managing external identities?
Is there any specific role needed to manage external identities in Azure AD?
Does anyone know if there’s a way to automate the invitation of guest users?
Thanks for the insights! This really helped me understand external identities better.
Can we restrict guest users to specific applications?
Is MFA mandatory for external identities?