We’ve been making it easier to work with your partners by enabling you to collaborate with them using their existing identities, regardless of whether they use Azure AD or not. We already support Google social IDs as well as any email account. As a next major step in this direction, I’m excited to announce that we have a new capability—direct federation—now in public preview!
Direct federation makes it easier for you to work with partners whose IT managed identity solution is not Azure AD. It works with identity systems that support the SAML or WS-Fed standards. When you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account. This makes the user experience for your guests more seamless.
With direct federation, your guest users sign in with their organizational account, satisfying any security requirements that your partner organization has already implemented. Any additional security controls you implement for guest users, such as stronger proof of ownership for Multi-Factor Authentication (MFA), also applies to these users. When your guest leaves their organization, they no longer have access to resources.
Figure 1. User authentication journey using direct federation.
Let’s walk through what happens when a user signs in with direct federation:
The direct federation user clicks a link to an application or resource you have shared with them.
Azure AD checks to see if the user has been invited.
The user is re-directed to their identity provider for sign-in.
After successful sign-in, the user is returned to Azure AD.
Azure AD validates the token then sends the user to app for access. (Figure 1)
Watch this video to learn more about how direct federation works and other identities we support.
Figure 2. Setting up direct federation in Azure AD—Organizational relationships.
To try direct federation in the Azure portal, go to Azure Active Directory > Organizational relationships - Identity providers, where you can populate your partner’s identity provider metadata details by uploading a file or entering the details manually. (Figures 2 and 3) During public preview, we only support direct federation with an identity provider whose authentication URL matches the target domain for direct federation or belongs to a standard identity provider.
Figure 3. Populating direct federation metadata in Azure AD.