Tutorial / Cram Notes
Understanding different external identity types is crucial for managing access to corporate resources securely. External identities refer to users who are outside the organization’s directory – essentially anyone who is not an employee, such as partners, vendors, or customers. These identities can be managed through services like Azure Active Directory (Azure AD). Here we will describe several key external identity types and their characteristics.
1. Managed Identities:
A managed identity is one created and managed in an external organization’s directory service, such as another Azure AD tenant. When collaborating with another company, the users from that company would use their own credentials to access your resources. Azure AD B2B (Business to Business) is an example that facilitates this type of identity.
Example: A user from a partner company who accesses your Azure resources for project collaboration using their own company’s credentials.
2. Guest Users:
Guest users are similar to managed identities but are explicitly invited to access your resources through Azure AD B2B. These users are given access permissions directly in your tenant, and you can impose governance over what they can access. Guest users can sign in with their own credentials from another Azure AD organization, a Microsoft account, or even a Google ID.
Example: A consultant from a partner firm is invited to access your team’s SharePoint site and logs in using their own organization’s Azure AD credentials.
3. Social Identities:
Social identities are those that users create with social identity providers such as Facebook, Google, or LinkedIn. Azure AD B2C (Business to Consumer) enables the integration of these identity providers so that organizations can facilitate customer access to applications and services using familiar, pre-existing social accounts.
Example: A user signs up for a retailer’s application using their Facebook account, providing a seamless experience without the need to remember new login credentials.
4. User-Owned Identities:
These identities are ones users create and control themselves. This can include Microsoft Accounts (MSA) created for personal use. Azure AD B2C allows organizations to interface with these identity types, offering consumers the ability to access services with their own chosen credentials.
Example: An individual uses their personal Microsoft account to log into a gaming platform that uses Azure AD B2C for authentication.
Comparison Table:
| Identity Type | Managed by | Used by | Use Case |
|---|---|---|---|
| Managed Identities | External Org’s AD | Partner company employees | Secure collaboration between businesses with their respective AD tenants |
| Guest Users | Your Org’s AD | Partners, vendors, external advisors | Inviting external users to access specific resources within your corporate boundary |
| Social Identities | Social ID Provider | General public | Accessing consumer-facing applications with pre-existing social media accounts |
| User-Owned Identities | Individual Users | Consumers | Accessing services with individual-owned Microsoft Accounts or other personal IDs |
Managing these external identity types effectively is important for maintaining security and governance in an organization. Depending on the specific type, administrators can employ different settings and policies to control resource access, enforce multi-factor authentication (MFA), and audit user activity for compliance.
Azure AD’s B2B and B2C are pivotal components that support these external identity types, providing a customizable cloud identity platform to facilitate secure access control for every user regardless of where they come from or what identity they bring. The SC-900 exam covers these scenarios, showcasing the importance of understanding identity and access management (IAM) in a diverse and interconnected business environment.
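As an added example (not part of the original notes), the Python below maps directory user records to the identity types described above and applies two governance checks mentioned in the text: a guest-domain allow list, as set in external collaboration settings, and stale pending invitations. It assumes the records are shaped like Microsoft Graph user objects (userType, externalUserState, identities[].issuer) and uses constructed sample data only.

```python
from datetime import datetime, timedelta, timezone

# CONSTRUCTED sample records shaped like Microsoft Graph `user` objects (an
# assumption about the export format); not data from the original notes.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "userType": "Member", "identities": []},
    {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "Guest",
     "mail": "bob@fabrikam.example", "externalUserState": "Accepted", "externalUserStateChangeDateTime": "2024-01-10T09:00:00Z",
     "identities": [{"signInType": "federated", "issuer": "ExternalAzureAD"}]},
    {"userPrincipalName": "carol_outlook.example#EXT#@contoso.example", "userType": "Guest",
     "mail": "carol@outlook.example", "externalUserState": "PendingAcceptance", "externalUserStateChangeDateTime": "2023-11-01T09:00:00Z",
     "identities": [{"signInType": "federated", "issuer": "MicrosoftAccount"}]},
    {"userPrincipalName": "dave_gmail.example#EXT#@contoso.example", "userType": "Guest",
     "mail": "dave@gmail.example", "externalUserState": "Accepted", "externalUserStateChangeDateTime": "2024-02-01T09:00:00Z",
     "identities": [{"signInType": "federated", "issuer": "google.com"}]},
]
# Mirrors an allow-list from the tenant's external collaboration settings (constructed).
ALLOWED_GUEST_DOMAINS = {"fabrikam.example"}

def classify(user):
    """Map a user record to one of the identity types from the notes."""
    if user.get("userType") != "Guest":
        return "member"                      # native user of this tenant
    issuers = {i.get("issuer") for i in user.get("identities", [])}
    if "ExternalAzureAD" in issuers:
        return "guest:external-azure-ad"     # B2B guest from another Azure AD tenant
    if "MicrosoftAccount" in issuers:
        return "guest:microsoft-account"     # user-owned personal Microsoft account
    if issuers & {"google.com", "facebook.com"}:
        return "guest:social"                # social identity provider
    return "guest:other"                     # e.g. an email one-time passcode guest

def audit(users, now, allowed_domains, max_pending_days=30):
    """Governance findings: guests outside the allow-list and stale invitations."""
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        domain = u.get("mail", "").rsplit("@", 1)[-1].lower()
        if domain not in allowed_domains:
            findings.append((u["userPrincipalName"], "domain-not-allowed"))
        if u.get("externalUserState") == "PendingAcceptance":
            changed = datetime.fromisoformat(u["externalUserStateChangeDateTime"].replace("Z", "+00:00"))
            if now - changed > timedelta(days=max_pending_days):
                findings.append((u["userPrincipalName"], "stale-pending-invite"))
    return findings

def audit_sample():  # fixed reference time so the result is reproducible
    return audit(SAMPLE_USERS, datetime(2024, 3, 1, tzinfo=timezone.utc), ALLOWED_GUEST_DOMAINS)
```

In a real tenant the same checks would run over a Graph export of users; the findings are what an administrator would review before tightening collaboration settings or revoking stale invites.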
Practice Test with Explanation
True or False: External identities in Azure Active Directory are limited to users from other Azure AD tenants.
- True
- False
Answer: False
External identities in Azure Active Directory are not limited to users from other Azure AD tenants; they can include any users outside of an organization, including those with Microsoft Accounts, users from other identity providers, and even guests with no specific provider.
Which of the following can be considered an external identity in Microsoft’s security framework?
- Users from other Azure AD tenants.
- Users with a Microsoft Account.
- Users from federated organizations.
- Internal users within the same Azure AD tenant.
Answer: Users from other Azure AD tenants, Users with a Microsoft Account, Users from federated organizations.
External identities refer to users that are external to the organization’s directory, which includes users from other Azure AD tenants, users with a Microsoft Account, and users from federated organizations. Internal users within the same Azure AD tenant are not considered external identities.
True or False: Guest users invited to an Azure AD tenant have the same access levels as native users by default.
- True
- False
Answer: False
Guest users invited to an Azure AD tenant do not have the same access levels as native users by default. Access for guest users is typically limited and governed by organizational policies and can be adjusted as needed.
Which of the following statements about B2B (Business-to-Business) external identities is correct?
- B2B users cannot access resources in the host Azure AD tenant.
- B2B collaboration requires external users to create a new Azure AD account.
- B2B allows external users to bring their own identities to collaborate with a host organization.
- B2B is intended exclusively for use with Microsoft partners.
Answer: B2B allows external users to bring their own identities to collaborate with a host organization.
B2B (Business-to-Business) collaboration in Azure AD allows external users to bring their own identities, whether from another Azure AD tenant, a Microsoft Account, or another identity provider, to collaborate with the host organization.
True or False: Only paid Azure AD licenses can invite external users through B2B collaboration.
- True
- False
Answer: False
Azure AD allows for B2B collaboration and the invitation of external users regardless of whether the licenses are paid or free. Paid licenses may offer additional features or capabilities.
In the context of Microsoft Identity Platform, what does B2C stand for?
- Business-to-Commercial
- Business-to-Cloud
- Business-to-Customer
- Business-to-Company
Answer: Business-to-Customer
B2C stands for Business-to-Customer in the Microsoft Identity Platform, and it refers to services that enable businesses to provide identity and access management solutions for their customers.
Which Azure AD feature enables users to sign in with social media accounts?
- Azure AD B2E
- Azure AD B2B
- Azure AD B2C
- Azure Multifactor Authentication
Answer: Azure AD B2C
Azure AD B2C (Business-to-Customer) is the feature within the Microsoft Identity Platform that enables integration with social media accounts, allowing users to sign in using their existing social identities.
True or False: External identities must always be manually provisioned within Azure AD.
- True
- False
Answer: False
External identities can be provisioned in various ways, including self-service sign-up, invitation by organization members, or through automated provisioning processes. They do not always have to be manually provisioned.
Which of the following support self-service sign-up for external identities?
- Azure AD B2B
- Azure AD B2E
- Azure AD B2C
- Azure AD Domain Services
Answer: Azure AD B2B, Azure AD B2C
Both Azure AD B2B and Azure AD B2C support self-service sign-up features, enabling external users to create their own accounts and obtain access without an administrator provisioning them. Azure AD B2E focuses on internal employees, and Azure AD Domain Services is more about domain-related features.
True or False: External identities are only for non-Microsoft services and cannot use Microsoft account credentials.
- True
- False
Answer: False
External identities can include Microsoft account credentials, allowing users to sign in with their personal Microsoft accounts (such as those used for services like Xbox, Outlook.com, or OneDrive) for access to organization resources.
In Azure AD B2B collaboration, which feature ensures that external users comply with the security standards of the host organization?
- Conditional Access policies
- Custom branding
- Self-service password reset
- External collaboration settings
Answer: Conditional Access policies
Conditional Access policies in Azure AD B2B collaboration allow the host organization to enforce its security standards on external users by requiring certain conditions to be met before access is granted.
True or False: B2C tenants are completely isolated from B2B and cannot share resources between them.
- True
- False
Answer: False
While B2C and B2B serve different purposes and have separate configurations, resources can be shared between them under certain circumstances and with proper configurations. B2C focuses on customer-facing applications while B2B focuses on collaboration with external business partners, but interoperability can be achieved if needed.
Interview Questions
What is Azure AD External Identities?
Azure AD External Identities is a set of capabilities that enable organizations to secure and manage identities of customers, partners, and suppliers outside their organization.
What is B2B collaboration in Azure AD?
Business-to-business (B2B) collaboration is a feature in Azure AD that enables organizations to collaborate with external users outside their organization.
What is the difference between B2B and B2C in Azure AD?
B2B collaboration allows collaboration with external users in partner organizations, while B2C allows authentication for end users or customers from social media or local accounts.
What is Azure AD External Identities User Flow?
Azure AD External Identities User Flow is a feature that allows organizations to customize user experiences for sign-up, sign-in, and password reset scenarios.
What is an external identity?
An external identity is a user or contact that belongs to a different organization or domain.
What is an Azure AD B2B collaboration invitation?
An Azure AD B2B collaboration invitation is a feature that allows organizations to invite external users to collaborate with them.
What is an Azure AD B2B collaboration guest user?
An Azure AD B2B collaboration guest user is an external user invited by an organization to collaborate with them.
What are Azure AD B2B collaboration settings?
Azure AD B2B collaboration settings are configurations that enable or disable features for external users.
What is a B2B tenant in Azure AD?
A B2B tenant is an organization that collaborates with other organizations using Azure AD External Identities.
What is a B2C tenant in Azure AD?
A B2C tenant is a dedicated Azure AD tenant that provides identity management for external-facing applications, typically for customer or citizen-facing scenarios.
What is a guest user in Azure AD?
A guest user in Azure AD is a user who is invited to collaborate on resources or applications within an organization but is not a member of that organization.
What is the difference between a guest user and a member user in Azure AD?
A member user in Azure AD belongs to the same organization, while a guest user is an external user who is invited to collaborate on resources or applications.
What is an Azure AD External Identities custom domain?
An Azure AD External Identities custom domain is a domain that an organization can add to their Azure AD tenant to use in external identity scenarios.
What is a federation partner in Azure AD?
A federation partner in Azure AD is an organization that has established a federation trust with another organization.
What is a multi-tenant application in Azure AD?
A multi-tenant application in Azure AD is an application that can be used by users from multiple organizations.
Can someone explain the different types of external identities used in SC-900?
What specifically differentiates a guest user from an external partner?
I appreciate the detailed breakdown of external identities!
How does B2C differ from B2B external identities in Microsoft Azure?
Thanks for the useful information.
Can external identities be integrated with other security measures in SC-900?
Nice to see the community sharing knowledge like this. Keep it up!
I think more details could be provided on the security implications of external identities.