Collaborate more securely with new cross-tenant access settings

Are there any negatives for using this over Azure Lighthouse if all you need from Lighthouse is identity management and not other resource management?

Do we have an estimation date for this feature to be ready for production? I think is super interesting 😍

Hey, Robin Goldstein - this could be a little misleading.  Cross cloud typically means a user in a commercial tenant accessing a resource in a sovereign cloud (21v or GCC High), and vice versa.  This article makes no reference to sovereign tenants so im assuming the scenarios outlined here are really directed at users in a commercial tenant accessing resources in a separate commercial tenant?

Can you clarify please?

Thanks.

Kind of small step in the right direction, but I would love if the identity team could even add more of the external identities, the part we have been using in Azure B2C our identity playground. I love the possibilities where tenant and the identity owner could have even more control. In B2C you can easy require through different Conditinal Access principles such as different elevation through different MFA factors; even yet another ID(entity)P(rovider) as a yet another MFA factor or even control the MFA handling OnPrem or in a different cloud. You can in B2C inspect and see if the external IDP or in the case above (multitenant tenant authentication) if the user has gone through the required way to identify the user (through different MFA factors) in a different tenant, if not do require a specific or some other MFA factor in the B2C tenant. In B2C we can also consider different groups or roles to pass through or transform to different authorization concepts, also different rule set to different Azure tenants and of course the ability to restrict different tenants. A very nice feature in B2C is also the possibility to have One Cloud identity to multiple identities belonging to different IDP’s. This makes it easy to migrate to a another and different IDP and make it also possible to use a federated IDP as yet another MFA factor. 

To my friends in the identity team I have described a concept of A(zure)(External)I(dentity)G(ateway) where we not only are using the CAE concepts, but more wisely also use the whole benefit of Azure Sentinel to be a more active part adding possibilities through AI and more dynamic protect customers tenants, systems and solutions in a far more secure and active way: that’s the future of Z(ero)T(rust)A(rchitecture) and why we control (C)IAM concepts from the Azure Cloud.

Regarding the post bellow, I did also ask another friend of mine Vittorio when he was in the MS identity team the possibility to get some more info about the different tenants, sort of a lookup or the ability to do a callback; where the other tenant owner could accept or not to expose some human readable information on the tenant e.g. the tenant name; to the caller also dependent on callers tenant id. 

It should be possible to use a lot more of the benefits we are using in B2C with Custom Policies also in the main tenant, not everywhere but at least in the different E(neterprice)App(lication)s. Some years ago, a friend of mine said this is something the office team will not allow and my replay just wait and see; the office team will love it when they know the benefits with those concepts and will take it even further. My dream is still One True Strong Identity in the clouds and if anyone is concerned with the ability to apply different licenses or other ways to control different features; they will have a lot more options. Customers are tenants in the clouds and would be even more satisfied customers if they can use more beneficial features. Just yet another reason why the customer will not be considering a different Cloud provider in the future or why new customers will choose the Azure Cloud or be part of their multi-Cloud strategy.

BTW:

As we have shown Azure External Identities can be used in Azure, different clouds and/or OnPrem where the tenant owner no longer have to steer on belfies, assumptions, feelings and their past, but on actual events and observations giving also the customers better insights on their future directions, development and investments. When the customers are in the clouds there’s a lot more and far better options to build secure and reliable systems. Another dream would be that Sentinel was just part of the Azure platform; just as Azure AD, making if far easier for customers to stay secure in the clouds.

Best regards

MrSmith

Robin Goldstein 

Nice post and upcoming features. 🙂

One point that is always complicated is that a tenant is always displayed with an ID and nobody nether know what is what...

If a user access an external tenant, we will see an ID in logs and the user will see a name for the tenant in his client applications. By this way, we have no chance to make corresponding things and perform a consistent analysis. How can I say to my user: "Hey you access Xyz.com company with Teams and we will change that behavior soon!"?

In the other hand, when an external tenant access my tenant I also see an ID and the only way to find who could be owner of the tenant is to deal with email addresses that could give me an information.

I think that the information of the admin contact and organization name of tenants need to be displayed, linked to the tenant ID, in logs.

Do you think that there is a way to achieve that?

Robin Goldstein  that makes sense 🙂

joeyvldn Great question!  One of the most frequent pieces of feedback we got from existing customers who enable B2B collaboration is that they wanted to minimize friction while still enabling secure collaboration. So if an organization I trust, say my main customer or supplier, has MFA policies for users who authenticate in their tenant, then I'm OK not asking that user to register for MFA in my tenant. It's a better user experience and less error prone.  However, not all customers will have that level of trust with other organizations and tenants, that's why the policy is configurable.

Resource tenants within the same organization its useful, cuts down on the overhead of subscribing another MFA.

I don’t get it. Why would u enable this

“Trust security claims from external Azure AD organizations for MFA” ?

sounds like the complete opposite of Zero Trust. And we never know how the trusted AAD organization verified their identity.