Kind of a small step in the right direction, but I would love it if the identity team could add even more of the external identities, the part we have been using in Azure B2C, our identity playground. I love the possibilities where the tenant and the identity owner could have even more control. In B2C you can easily require, through different Conditional Access principles, different elevation through different MFA factors; even yet another ID(entity)P(rovider) as yet another MFA factor, or even control the MFA handling OnPrem or in a different cloud. You can in B2C inspect and see, for the external IDP or in the case above (multitenant tenant authentication), if the user has gone through the required way to identify the user (through different MFA factors) in a different tenant; if not, require a specific or some other MFA factor in the B2C tenant. In B2C we can also consider different groups or roles to pass through or transform into different authorization concepts, also a different rule set for different Azure tenants, and of course the ability to restrict different tenants. A very nice feature in B2C is also the possibility to have one Cloud identity for multiple identities belonging to different IDPs. This makes it easy to migrate to another and different IDP and also makes it possible to use a federated IDP as yet another MFA factor.
To my friends in the identity team I have described a concept of an A(zure)(External)I(dentity)G(ateway) where we not only use the CAE concepts, but more wisely also use the whole benefit of Azure Sentinel to be a more active part, adding possibilities through AI and more dynamically protecting customers' tenants, systems and solutions in a far more secure and active way: that's the future of Z(ero)T(rust)A(rchitecture) and why we control (C)IAM concepts from the Azure Cloud.
Regarding the post below, I did also ask another friend of mine, Vittorio, when he was in the MS identity team, about the possibility of getting some more info about the different tenants, sort of a lookup or the ability to do a callback, where the other tenant owner could accept or not to expose some human-readable information on the tenant (e.g. the tenant name) to the caller, also dependent on the caller's tenant id.
It should be possible to use a lot more of the benefits we are using in B2C with Custom Policies also in the main tenant, not everywhere but at least in the different E(nterprise)App(lication)s. Some years ago a friend of mine said this is something the office team will not allow, and my reply was just wait and see; the office team will love it when they know the benefits of those concepts and will take it even further. My dream is still One True Strong Identity in the clouds, and if anyone is concerned with the ability to apply different licenses or other ways to control different features, they will have a lot more options. Customers are tenants in the clouds and would be even more satisfied customers if they can use more beneficial features. Just yet another reason why the customer will not be considering a different Cloud provider in the future, or why new customers will choose the Azure Cloud or make it part of their multi-Cloud strategy.
BTW:
As we have shown, Azure External Identities can be used in Azure, different clouds and/or OnPrem, where the tenant owner no longer has to steer on beliefs, assumptions, feelings and their past, but on actual events and observations, also giving the customers better insights into their future directions, development and investments. When the customers are in the clouds there are a lot more and far better options to build secure and reliable systems. Another dream would be that Sentinel was just part of the Azure platform, just as Azure AD is, making it far easier for customers to stay secure in the clouds.
Best regards
MrSmith