
Howdy folks,

 

We’ve been making it easier to work with your partners by enabling you to collaborate with them using their existing identities, regardless of whether they use Azure AD or not. We already support Google social IDs as well as any email account. As a next major step in this direction, I’m excited to announce that we have a new capability—direct federation—now in public preview!

 

Direct federation makes it easier for you to work with partners whose IT-managed identity solution is not Azure AD. It works with identity systems that support the SAML or WS-Fed standards. When you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account. This makes the user experience for your guests more seamless.

 

With direct federation, your guest users sign in with their organizational account, satisfying any security requirements that your partner organization has already implemented. Any additional security controls you implement for guest users, such as stronger proof of ownership for Multi-Factor Authentication (MFA), also apply to these users. When your guest leaves their organization, they no longer have access to resources.

Figure 1. User authentication journey using direct federation.

 

Let’s walk through what happens when a user signs in with direct federation:

  1. The direct federation user clicks a link to an application or resource you have shared with them.
  2. Azure AD checks to see if the user has been invited.
  3. The user is redirected to their identity provider for sign-in.
  4. After successful sign-in, the user is returned to Azure AD.
  5. Azure AD validates the token, then sends the user to the app for access (Figure 1).
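Step 5 ("Azure AD validates the token") is where most of the security of this flow lives, so it is worth spelling out what that validation has to cover. The following is an added example, not code from Microsoft or from this post: a Python sketch of the assertion-level checks a relying party applies to a SAML Response before trusting the identity it carries. It assumes the XML-DSig signature on the response has already been verified against the partner's metadata certificate by an XML signature library (that step is deliberately out of scope here), and the domain names, entityIDs and the sample response are constructed placeholders.

```python
# Added example (not Microsoft's code): the assertion-level checks a relying
# party such as Azure AD must apply after the IdP returns the user (step 5).
# Assumes the XML-DSig signature on the Response/Assertion has ALREADY been
# verified against the partner's metadata certificate by an XML signature
# library; signature verification itself is out of scope here.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=5)  # tolerance for clock drift between IdP and RP


@dataclass(frozen=True)
class FederationConfig:
    federated_domain: str   # domain the direct federation relationship was set up for
    expected_issuer: str    # IdP entityID taken from the uploaded metadata
    expected_audience: str  # our own entityID, which the IdP must name as Audience


def _iso(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_saml_response(xml_text: str, cfg: FederationConfig, now: datetime):
    """Return (True, name_id) when every check passes, else (False, reason)."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success"

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    a = assertions[0]

    # The Issuer must be the entityID we trust for this domain, not just any valid IdP.
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != cfg.expected_issuer:
        return False, "unexpected Issuer"

    # Validity window: reject assertions that are not yet valid or already expired.
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity window"
    if now < _iso(cond.get("NotBefore")) - CLOCK_SKEW or now >= _iso(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "assertion outside its validity window"

    # Audience restriction stops an assertion minted for another service being replayed here.
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if cfg.expected_audience not in audiences:
        return False, "Audience does not name us"

    # The asserted identity must belong to the federated domain; this IdP is not
    # trusted to vouch for users of any other domain.
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    _, at, domain = name_id.rpartition("@")
    if not at or domain.lower() != cfg.federated_domain.lower():
        return False, "NameID domain does not match the federated domain"
    return True, name_id


# Constructed sample response (unsigned, illustration only; all names are placeholders).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2019-08-01T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-08-01T12:00:00Z">
    <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@partner.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-08-01T11:59:00Z" NotOnOrAfter="2019-08-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://rp.example/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

CFG = FederationConfig("partner.example", "https://idp.partner.example/saml", "https://rp.example/saml")
FIXED_NOW = datetime(2019, 8, 1, 12, 0, tzinfo=timezone.utc)   # inside the sample window
EXPIRED_NOW = FIXED_NOW + timedelta(hours=1)                    # well past NotOnOrAfter

if __name__ == "__main__":
    print(validate_saml_response(SAMPLE_RESPONSE, CFG, FIXED_NOW))
    print(validate_saml_response(SAMPLE_RESPONSE, CFG, EXPIRED_NOW))
```

The domain check at the end is the one specific to B2B direct federation: a partner IdP is trusted only for the domain the relationship was configured for, so an assertion naming a user outside that domain must be refused even when issuer, audience and timestamps are all correct.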

Watch this video to learn more about how direct federation works and other identities we support.

 

Figure 2. Setting up direct federation in Azure AD—Organizational relationships.

To try direct federation in the Azure portal, go to Azure Active Directory > Organizational relationships - Identity providers, where you can populate your partner’s identity provider metadata details by uploading a file or entering the details manually (Figures 2 and 3). During public preview, we only support direct federation with an identity provider whose authentication URL matches the target domain for direct federation or belongs to a standard identity provider.
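The metadata you upload here is what the relationship is built on, and the preview rule about the authentication URL is easy to check mechanically before uploading. The following is an added example, not Microsoft's code and not how the portal implements the rule: a Python script that parses a SAML IdP metadata file, pulls out the entityID, the SingleSignOnService endpoints and the signing certificate, and applies the domain-matching rule quoted above. "Standard identity provider" is modelled as an allow-list of hosts you maintain yourself (an assumption, not Microsoft's list), and the sample metadata and all host names are constructed placeholders.

```python
# Added example (not Microsoft's code): parse a partner's SAML IdP metadata
# file and apply the preview rule that the IdP's authentication URL must match
# the target domain. "Standard identity provider" is modelled as an allow-list
# of hosts you maintain (an assumption, not Microsoft's actual list).
from dataclasses import dataclass, field
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass
class IdpMetadata:
    entity_id: str
    sso_urls: dict = field(default_factory=dict)       # binding URI -> Location
    signing_certs: list = field(default_factory=list)  # base64 DER from KeyDescriptor


def parse_idp_metadata(xml_text: str) -> IdpMetadata:
    """Extract the fields a relying party needs from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD["md"]:
        raise ValueError("not an EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    meta = IdpMetadata(entity_id=root.get("entityID", ""))
    for svc in idp.findall("md:SingleSignOnService", MD):
        meta.sso_urls[svc.get("Binding", "")] = svc.get("Location", "")
    for kd in idp.findall("md:KeyDescriptor", MD):
        if kd.get("use") in (None, "signing"):  # no "use" attribute means signing AND encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD):
                if cert.text:
                    meta.signing_certs.append("".join(cert.text.split()))
    return meta


def host_in_domain(url: str, domain: str) -> bool:
    """True when the URL's host is the domain itself or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def check_direct_federation(meta: IdpMetadata, target_domain: str, standard_idp_hosts=frozenset()):
    """Return (True, 'ok') when the metadata is acceptable for target_domain, else (False, reason)."""
    if not meta.entity_id:
        return False, "metadata lacks entityID"
    if not meta.sso_urls:
        return False, "no SingleSignOnService endpoint"
    if not meta.signing_certs:
        return False, "no signing certificate; responses could not be verified"
    for binding, url in meta.sso_urls.items():
        parts = urlparse(url)
        if parts.scheme != "https":
            return False, "%s endpoint is not HTTPS" % binding
        host = (parts.hostname or "").lower()
        if not (host_in_domain(url, target_domain) or host in standard_idp_hosts):
            return False, "authentication URL host %s does not match %s" % (host, target_domain)
    return True, "ok"


# Constructed sample metadata; the certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.partner.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER_BASE64_CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.partner.example/saml2/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.partner.example/saml2/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta.entity_id, sorted(meta.sso_urls.values()))
    print(check_direct_federation(meta, "partner.example"))
    print(check_direct_federation(meta, "other.example"))
```

The HTTPS and signing-certificate checks are not part of the preview rule the post states; they are there because a federation relationship whose endpoint is unencrypted, or whose metadata carries no key to verify responses with, should be rejected before it reaches the portal at all.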

 

Figure 3. Populating direct federation metadata in Azure AD.

Go ahead and dive into the documentation to try out direct federation and learn more! Let us know what you think by taking our brief survey.

 

And as always, connect with us for any discussion or send us your feedback and suggestions. You know we’re listening! 

 

Best regards,

 

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

7 Comments

Hi Alex, great article and nice to have these capabilities at AAD level. However, how will the deletion of those Guest accounts that can no longer authenticate by their identity provider be handled? Is there any mechanism that will keep the AAD clean and tidy for guest accounts?

Hi Gamaliel -

 

Great question. Azure AD Access Reviews and Entitlement Lifecycle Management are both great options for automating the review and/or removal of guest accounts from your tenant. I would recommend getting started by reading this blog post from a few months back: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Announcing-a-new-Azure-AD-ide...

 

Best Regards,

Alex


Great stuff, keep it coming! Been waiting for this feature. Will surely be a choice for many of our customers!


Great improvement. Is there any way to merge the existing guest accounts (Microsoft accounts) into the direct federation account? E.g. unnie@abc.com (MS account) has access to a shared app within contoso. Now that contoso has direct federation with abc.com AD, how will the existing unnie@abc.com behave?

 

Thanks 


Does this resolve the previous issues with Gmail authentication integration where users visiting non-tenant specific login pages (e.g. Teams.microsoft.com) could not log in?


Hi Alex, nice work!  Couple of questions...

 

1. How does role and attribute mapping work in this model? I assume the 3rd party IDP is just for identity, and the Azure Enterprise App is still used for the authorisation and SAML token attribute mapping?

 

2. Do you need the 3rd party's IDP metadata? Is it a formal SAML (metadata exchanged) relationship?

 

Thanks

John


This is a really exciting feature!

 

Can we use this to federate with another Azure AD tenant? We work very closely with them and need to give their users access to some of our apps. The guest accounts work for now, but there is a scale issue.

 

Thanks!