Attestation/account verification for Viral/Just in time users


For viral/JIT client users, we need to have validation set at regular intervals to ensure the user is still a part of their organisation.  Currently, there is no validation in place for these JIT users.  Are there any plans to address this and timings?

6 Replies

Hi Bally, we have heard this ask from several customers and it is definitely on our roadmap.  For background, we have access reviews today in Azure AD as part of Azure AD PIM for a different scenario - attestation of users who have privileged roles assigned to them.  Currently we plan to leverage this access reviews approach to enable organizations to ensure their invited guest users confirm they have a continued need for access.  This is particularly important for organizations engaging with guests which come from an un-managed tenant which has no user lifecycle process in place. No dates yet but when we have more updates in this area we'll post to the Enterprise Mobility blog: https://blogs.technet.microsoft.com/enterprisemobility/  Thanks, Mark

Thanks Mark.  We've tested the access review and this does not meet our needs around attestation.  Our ideal scenario would be to have periodic (i.e. MFA only required every 60/90 days) where the MFA was tied to email address.  Does that make sense?  

Yes it does, periodic reviews to confirm the user is still receiving emails at their home organization email address (e.g., @live.com or @contoso.com) are not yet in preview. Thanks!

Mark, do we have an update on the periodic account verification for viral/JIT users? I have checked but couldn't find any news about that in the Enterprise Mobility blog.

Was there any more info provided on this possible capability to verify periodically?

This will be handled by NOPA (passwordless account) whereby a validation code will be sent to the corporate email address when the user requires access. Interested to hear others' views on this...