Today I am announcing the end of unmanaged (“viral”) accounts for B2B collaboration in Azure Active Directory (Azure AD), part of Microsoft Entra. The presence of unmanaged accounts has been a major pain point for many customers, contributing to increased support costs, and making it harder to manage access and user lifecycle. Thanks to the team for delivering the Azure AD B2B bring your own identity capabilities that make this possible and make collaboration even more secure.
At the inception of Azure AD B2B collaboration, we introduced the concept of self-service sign up for email-verified users (also known as unmanaged accounts) to enable collaboration for users without an Azure AD based identity. This allows invited guest users to create Azure AD accounts by validating ownership of their work email address when their domain is not verified in Azure AD. However, this sometimes means that users create accounts in a tenant not managed by the IT department of their organization. This has several unintended consequences, such as challenges with user lifecycle management, support costs due to password reset issues, and information disclosure between users in the Azure Portal.
The Solution: No new unmanaged accounts will be created with Azure AD B2B collaboration
Some owners of these unmanaged tenants have resolved the issue by taking over the tenant and making it a managed tenant. For the cases where this is not appropriate, we now provide additional ways to authenticate users without the need to create unmanaged Azure AD accounts. This includes the ability to federate with SAML and WS-Fed identity providers, federate with Gmail accounts, and support for collaboration using an email One-Time Passcode (OTP).
New invitation redemption flow for B2B Collaboration
We have modified the logic of the redemption flow as follows:
- At step #1, existing unmanaged Azure AD accounts will not be considered for redemption. Users will only be able to redeem with managed Azure AD accounts.
- Unless you have explicitly opted out, email OTP is now enabled by default across all Azure AD tenants as of July 2022.
- If you have disabled email OTP, and we are unable to find an identity provider for an invited user (steps 1-4), the user will be prompted to create a consumer Microsoft Account with the invited email (step 7). We will support creating a Microsoft account with work emails with domains that are not verified in Azure AD.
Click here to learn more about changes to the invitation redemption flow.
Accounts that have previously been invited and redeemed with unmanaged Azure AD accounts will continue to work.
Clean up existing unmanaged accounts from your tenant today!
You can now use this sample application or the MSIdentity Tools PowerShell Module to identify the unmanaged Azure AD accounts that exist in your tenant and optionally reset their redemption status. By resetting their redemption status, these guest accounts will maintain all existing access and permissions but will be forced to use a different redemption method. Learn more about cleaning up unmanaged Azure AD accounts.
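The inventory-then-reset procedure above, as an added example rather than code from the announcement or the MSIdentityTools project: it assumes the MSIdentityTools and Microsoft.Graph modules are installed, that `Get-MsIdUnmanagedExternalUser` returns Graph user objects with the usual `Id`, `UserPrincipalName`, `Mail`, `ExternalUserState` and `CreatedDateTime` properties, and that `Reset-MsIdExternalUser` accepts those objects from the pipeline; the CSV path and the approved-domain list are constructed placeholders.

```powershell
# Added example (not from the original post). Inventory unmanaged ("viral") guests,
# keep an audit record, then reset redemption only for a reviewed subset.
# Assumes: Install-Module MSIdentityTools; Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. Inventory: guests that currently redeem with an unmanaged Azure AD account.
$unmanaged = @(Get-MsIdUnmanagedExternalUser)
Write-Host "Found $($unmanaged.Count) unmanaged guest account(s)"

# 2. Audit record before any change (constructed path; adjust for your tenant).
$report = ".\unmanaged-guests-$(Get-Date -Format yyyyMMdd).csv"
$unmanaged |
    Select-Object Id, UserPrincipalName, Mail, ExternalUserState, CreatedDateTime |
    Export-Csv -Path $report -NoTypeInformation
Write-Host "Inventory written to $report for review"

# 3. Scope: act only on partner domains that have been reviewed and approved.
#    Constructed list; replace with the domains your collaboration owners signed off on.
$approvedDomains = @('partner.example', 'supplier.example')
$toReset = $unmanaged | Where-Object {
    $_.Mail -and (($_.Mail -split '@')[-1].ToLowerInvariant() -in $approvedDomains)
}
Write-Host "$($toReset.Count) account(s) in approved domains will be reset"

# 4. Remediate: reset redemption status. Group memberships, app roles and sharing
#    links stay intact; on next sign-in the guest goes through the new redemption
#    flow (managed Azure AD account, federated IdP, or email OTP) instead of the
#    unmanaged account. Accounts outside the approved list are left untouched.
$toReset | Reset-MsIdExternalUser
```

Run the script once with step 4 commented out, review the CSV with the collaboration owners, and only then let the reset run; users who have never been reinvited will see the new redemption prompt the next time they access a shared resource.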
Lots of customers have already started using this new solution and the feedback has been super-positive, like this example from a large financial services firm:
“We had thousands of unmanaged accounts in our tenant causing support, lifecycle management and security concerns. Through the PowerShell cmdlets we successfully identified unmanaged accounts and converted them into managed accounts via redemption status reset.”
We love hearing from you, so please share your feedback on these updates through the Azure forum or by tagging @AzureAD on Twitter.
Director of Product Management, Microsoft identity