AZ-900 Microsoft Azure Fundamentals Exam
Start here! Get your feet wet with the Microsoft cloud and begin your journey to earning your Microsoft Certified: Azure Fundamentals certification!
Describe external identities in Azure, including business-to-business (B2B) and business-to-customer (B2C)
Integrate External Identities with Applications
Integrating external identities with applications in Azure is crucial for enabling collaboration and access for users outside of your organization. This involves using services like Azure Active Directory (Azure AD) to manage identities for both business-to-business (B2B) and business-to-customer (B2C) scenarios. B2B allows you to invite guest users from other organizations to access your resources, while B2C enables you to manage identities for your application's customers.
Business-to-Business (B2B)
Azure AD B2B collaboration lets you securely share your applications and resources with external partners. This is done by inviting guest users to your Azure AD tenant. These guest users can then access your resources using their existing work or school accounts, or even social media accounts. This simplifies collaboration and eliminates the need to create and manage separate accounts for external users.
Business-to-Customer (B2C)
Azure AD B2C is designed for managing customer identities in your applications. It allows your customers to sign up and log in using their preferred social media accounts, email addresses, or usernames and passwords. This provides a flexible and customizable authentication experience for your customers. B2C also offers features like multi-factor authentication and password reset, enhancing the security of your applications.
Service Connector
The Service Connector is a tool that simplifies the process of connecting Azure services to each other. When integrating external identities, it helps configure the necessary settings for authentication and authorization. This includes setting up app settings, configuring network access, enabling system identity, and assigning the required roles. Using Service Connector reduces the complexity of integrating external identities with your applications.
Authentication Methods
When integrating external identities, you can use different authentication methods. These include using connection strings or identity-based authentication. Identity-based authentication is more secure and uses system-assigned or user-assigned managed identities. This method eliminates the need to store sensitive credentials in your application's configuration.
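As an added illustration of the two authentication methods (this is example code, not from the page or from Microsoft's Service Connector): a small Python audit that flags app settings carrying a connection-string secret and recognises identity-based settings that only name a resource endpoint and a managed-identity client id. The setting names, the sample values and the heuristic that identity settings end in RESOURCEENDPOINT or CLIENTID are assumptions made for this example.

```python
# Added example (not from the page or from Microsoft): audit app settings and
# separate secret-bearing connection strings from identity-based settings.
# Setting names, sample values and the naming heuristic are constructed assumptions.
import re

# Connection-string keys that embed a long-lived secret (constructed list, not exhaustive).
SECRET_KEYS = {"accountkey", "sharedaccesskey", "sharedaccesssignature", "password", "pwd"}


def parse_connection_string(value):
    """Split 'Key=Value;Key2=Value2' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_app_settings(settings):
    """Return {setting_name: 'secret' | 'identity' | 'other'}.

    'secret'   : the value is a connection string embedding a secret-bearing key
    'identity' : the setting only names a resource endpoint or a managed-identity
                 client id, the pattern identity-based authentication uses (assumed naming)
    'other'    : anything else
    """
    report = {}
    for name, value in settings.items():
        parts = parse_connection_string(value)
        if SECRET_KEYS.intersection(parts):
            report[name] = "secret"
        elif name.upper().endswith(("RESOURCEENDPOINT", "CLIENTID")):
            report[name] = "identity"
        else:
            report[name] = "other"
    return report


def redact(value):
    """Mask secret values so the audit result can be logged safely."""
    return re.sub(r"(?i)(AccountKey|SharedAccessKey|SharedAccessSignature|Password|Pwd)=[^;]+",
                  r"\1=***", value)


# Constructed sample: the weak 'before' (secret in config) beside the identity-based 'after'.
BEFORE = {"AZURE_STORAGEBLOB_CONNECTIONSTRING":
          "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=ZmFrZWtleQ==;EndpointSuffix=core.windows.net"}
AFTER = {"AZURE_STORAGEBLOB_RESOURCEENDPOINT": "https://demo.blob.core.windows.net/",
         "AZURE_STORAGEBLOB_CLIENTID": "00000000-0000-0000-0000-000000000000"}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for name, value in cfg.items():
            print(label, name, audit_app_settings(cfg)[name], redact(value))
```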
Understand Azure AD B2B Collaboration
Azure AD B2B collaboration allows your organization to securely share applications and services with external partners, or guest users, while maintaining control over your data. This feature enables collaboration with individuals outside your organization, regardless of whether they have their own Azure AD accounts. Guest users can sign in using their existing work, school, or social identities, eliminating the need for you to manage external accounts or passwords.
Managing B2B Collaboration
B2B collaboration is enabled by default, but you have comprehensive admin settings to control both inbound and outbound collaboration. Cross-tenant access settings determine if users can authenticate with external Microsoft Entra tenants, applying to both incoming and outgoing collaborations. External collaboration settings control which users in your organization can send invitations to external guests. These settings work together, with the most restrictive setting taking precedence. For example, if you block a domain in external settings but allow it in cross-tenant settings, users cannot send invitations to that domain.
Inviting Guest Users
Administrators can easily invite guest users through the Azure portal. This process involves creating a new guest user, assigning them to apps or groups, and sending an invitation email with a redemption link. Alternatively, you can send a direct link to a specific application. Guest users follow a simple process to sign in, and once they redeem their invitation, they are represented in your directory as a user object, typically with a "guest" user type and a #EXT# identifier in their user principal name.
Self-Service Sign-Up and Customization
Azure AD B2B also supports self-service sign-up, allowing guests to sign up for access to your apps. This feature can be customized with different identity providers and can collect user information. You can also use API connectors to integrate with external systems for custom approval workflows and identity verification. Furthermore, you can customize the onboarding experience for B2B guest users using Microsoft Entra entitlement management and B2B collaboration invitation APIs.
Security and Control
To ensure secure collaboration, you can use authentication and authorization policies, such as Conditional Access policies and multifactor authentication, at the tenant or application level. You can also delegate guest user management to application owners, allowing them to add guest users directly to the applications they manage. This provides a balance between control and flexibility.
Integration and Identity Providers
Azure AD B2B integrates with various identity providers, including social accounts like Facebook, Microsoft accounts, and Google, as well as enterprise identity providers. This allows guests to sign in with their existing accounts, simplifying the process. Additionally, B2B collaboration works across different Microsoft Azure clouds, enabling collaboration between global and national cloud instances.
Evaluate Security Implications
Microsoft Entra B2B collaboration allows organizations to invite external users as guests to access their resources, enhancing collaboration but also introducing security considerations. Cross-tenant access settings and external collaboration settings are crucial for managing this. Cross-tenant settings control authentication with external Microsoft Entra tenants, while external collaboration settings dictate who can send invitations to external users. It's important to note that the most restrictive setting applies when these settings conflict.
When setting up B2B collaboration, organizations must consider how these settings interact. For example, if a domain is blocked in external collaboration settings but allowed in cross-tenant settings, users cannot send invitations to that domain. However, existing guests from that domain may still have access. This highlights the need for careful configuration to prevent unintended access. Additionally, for users performing cross-tenant sign-ins, their home tenant branding is displayed, which can help users identify the context of their access.
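The interaction described above, and the guest user object naming mentioned earlier (the #EXT# identifier in the user principal name), as an added Python model that is not code from the page or from Microsoft: external collaboration settings and cross-tenant access settings are combined so that the most restrictive one wins, while a domain added to the deny list later does not by itself remove guests who already redeemed an invitation. The settings shape, role names, the assumption that only cross-tenant inbound settings govern existing guests, and all sample data are constructed for this example.

```python
# Added example (not from the page or from Microsoft): simplified model of how external
# collaboration settings and cross-tenant access settings combine for B2B invitations.
# Settings shape, role names and sample data are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class ExternalCollab:
    """External collaboration settings: who may invite, plus a domain allow- or deny-list."""
    inviters: str = "members"          # "admins", "members" or "everyone" (constructed names)
    list_mode: str = "deny"            # "allow" or "deny"
    domains: set = field(default_factory=set)


@dataclass
class CrossTenant:
    """Cross-tenant access settings: per-domain inbound B2B collaboration overrides a default."""
    inbound_default: bool = True
    inbound_by_domain: dict = field(default_factory=dict)

    def inbound_allowed(self, domain):
        return self.inbound_by_domain.get(domain, self.inbound_default)


INVITER_RANK = {"admin": 0, "member": 1, "guest": 2}       # who is sending the invitation
SETTING_RANK = {"admins": 0, "members": 1, "everyone": 2}  # highest rank the setting permits


def domain_listed_ok(collab, domain):
    """Allow-list: domain must be listed; deny-list: domain must not be listed."""
    listed = domain in collab.domains
    return listed if collab.list_mode == "allow" else not listed


def can_invite(inviter_role, guest_email, collab, xt):
    """Both setting groups must permit the invitation: the most restrictive one wins."""
    domain = guest_email.rsplit("@", 1)[1].lower()
    role_ok = INVITER_RANK[inviter_role] <= SETTING_RANK[collab.inviters]
    return role_ok and domain_listed_ok(collab, domain) and xt.inbound_allowed(domain)


def guest_home_domain(upn):
    """Recover the home domain from a guest UPN like alice_contoso.com#EXT#@t.onmicrosoft.com."""
    local = upn.split("#EXT#", 1)[0]
    return local.rsplit("_", 1)[1].lower()


def existing_guests_still_allowed(guest_upns, collab, xt):
    """Existing guests keep access unless cross-tenant inbound settings block their home
    domain; the collaboration deny list only governs new invitations (model assumption)."""
    return [u for u in guest_upns if xt.inbound_allowed(guest_home_domain(u))]
```

Run it with a deny list containing a domain that cross-tenant settings still allow: new invitations to that domain are refused, but guests from it that already exist in the directory remain listed as allowed.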
To enhance security, organizations can use policies such as Conditional Access and Multi-Factor Authentication (MFA). These policies can be enforced at the tenant level, application level, or for specific guest users, ensuring that corporate data is protected. Furthermore, application and group owners can be delegated to manage their own guest users, streamlining the process while maintaining control. This allows for a more flexible and secure approach to managing external access.
Microsoft Entra External ID also supports integration with various identity providers, such as Facebook, Google, and other enterprise providers. This allows guests to sign in with their existing accounts, reducing the need to create new ones. This integration simplifies the user experience while maintaining security. Additionally, organizations can customize the onboarding experience for B2B guest users using Microsoft Entra entitlement management and B2B collaboration invitation APIs.
In summary, while B2B collaboration offers significant benefits, it's essential to carefully manage security implications. By using cross-tenant and external collaboration settings, implementing Conditional Access policies, and integrating with various identity providers, organizations can securely collaborate with external partners. Proper configuration and management are key to ensuring that external access is both efficient and secure.
Configure and Manage External Identities
External identities in Azure allow users outside your organization to access your resources. This is primarily achieved through Business-to-Business (B2B) and Business-to-Customer (B2C) collaborations. B2B collaboration focuses on enabling partners and guests to access your company's applications and services, while B2C is geared towards providing access to consumers or business customers.
B2B Collaboration
B2B collaboration allows you to invite external users to your organization as guests. These users can access your resources using their existing work, school, or social identities. This eliminates the need for you to manage external accounts or passwords. You can control B2B collaboration through cross-tenant access settings and external collaboration settings. Cross-tenant settings manage authentication with external Microsoft Entra tenants, while external collaboration settings control who can send invitations to external users. The most restrictive setting applies when both are configured.
Managing B2B Guest Users
Administrators can easily add guest users through the Microsoft Entra admin center. This involves creating a new guest user, assigning them to apps or groups, and sending an invitation email with a redemption link. Guest users can also sign up for apps through self-service sign-up flows, which can be customized with different identity providers and data collection options. You can also use API connectors to integrate these flows with external systems.
Security and Policies
To ensure secure access, you can use authentication and authorization policies, such as Conditional Access policies and multifactor authentication (MFA). These policies can be enforced at the tenant or application level, or for specific guest users. You can also delegate guest user management to application owners, allowing them to add guest users directly to their applications.
B2C Collaboration
B2C collaboration is used when you want to provide access to your applications for consumers or business customers. This involves creating a separate tenant with an external configuration. In this tenant, you register your apps, create sign-up and sign-in user flows, and manage the users of your apps. These users are added to the tenant directory with limited default permissions.
Types of User Accounts
In Azure AD, there are different types of user accounts: work accounts, guest accounts, and consumer accounts. Work accounts are for employees, guest accounts are for external users invited to collaborate, and consumer accounts are for users of your B2C applications. Each type has different permissions and access levels.
Examine Azure AD B2C Capabilities
Azure Active Directory B2C (Azure AD B2C) is a customer identity and access management (CIAM) service that allows businesses to provide identity solutions for their customer-facing applications. It enables customers to use their preferred social, enterprise, or local accounts to access applications and APIs with single sign-on (SSO). Azure AD B2C is designed to handle millions of users and billions of authentications daily, ensuring scalability and security by monitoring and mitigating threats like denial-of-service and brute force attacks.
Azure AD B2C is built on the same technology as Microsoft Entra ID but serves a different purpose. It is a separate service that allows businesses to create customer-facing applications where anyone can sign up and sign in without user account restrictions. This service is used by IT administrators and developers who need a white-label authentication solution for their web or mobile applications. In addition to authentication, Azure AD B2C also handles authorization, such as controlling access to API resources for authenticated users.
One of the key features of Azure AD B2C is its custom-branded identity solution. This allows businesses to customize the entire user experience to match their brand, ensuring a seamless integration with their web and mobile applications. Businesses can customize every page displayed by Azure AD B2C during sign-up, sign-in, and profile modification, using HTML, CSS, and JavaScript to create a native-like experience. This level of customization helps maintain brand consistency and enhances user engagement.
Azure AD B2C supports standard authentication protocols like OpenID Connect, OAuth 2.0, and SAML, making it compatible with most modern applications and commercial software. It acts as a central authentication authority, enabling businesses to build SSO solutions across their web applications, mobile apps, and APIs. This centralization allows for the collection of user profile and preference information, as well as detailed analytics on sign-in behavior and sign-up conversion rates.
Furthermore, Azure AD B2C can integrate with external user stores. While it provides a directory that can hold 100 custom attributes per user, it can also connect to external systems like CRM or customer loyalty databases. This allows businesses to use Azure AD B2C for authentication while relying on external systems for customer data. This integration is also useful for meeting data residency requirements, where user data needs to be stored in specific regions or on-premises, even though the Azure AD B2C service itself is globally available.
Finally, Azure AD B2C offers features like progressive profiling, which allows businesses to collect minimal user information initially and gradually gather more data on subsequent sign-ins. It also supports third-party identity verification and proofing, where user data is passed to external systems for validation and trust scoring before account creation. These features enhance the user experience and security by allowing for flexible data collection and robust identity verification processes.
Conclusion
This section covered how Azure handles external identities, focusing on B2B and B2C scenarios. We explored how to integrate external identities with applications using Azure AD, the Service Connector, and different authentication methods. We also examined Azure AD B2B collaboration, including managing guest users, self-service sign-up, and security considerations. Additionally, we evaluated the security implications of using B2B and B2C, emphasizing the importance of Conditional Access and MFA. Finally, we discussed how to configure and manage external identities, and the capabilities of Azure AD B2C for customer-facing applications. Understanding these concepts is crucial for managing external access to your Azure resources securely and efficiently.