Hello friends,
Today I am announcing the end of unmanaged (“viral”) accounts for B2B collaboration in Azure Active Directory (Azure AD), part of Microsoft Entra. The presence of unmanaged accounts has been a major pain point for many customers, contributing to increased support costs, and making it harder to manage access and user lifecycle. Thanks to the team for delivering the Azure AD B2B bring your own identity capabilities that make this possible and make collaboration even more secure.
At the inception of Azure AD B2B collaboration, we introduced the concept of self-service sign up for email-verified users (also known as unmanaged accounts) to enable collaboration for users without an Azure AD based identity. This allows invited guest users to create Azure AD accounts by validating ownership of their work email address when their domain is not verified in Azure AD. However, this sometimes means that users would create accounts in a tenant not managed by the IT department of their organization. This has several unintended consequences, such as challenges with user lifecycle management, support costs due to password reset issues, and information disclosure between users in the Azure Portal.
Some owners of these unmanaged tenants have resolved the issue by taking over the tenant and making it a managed tenant. For the cases where this is not appropriate, we now provide additional ways to authenticate users without the need to create unmanaged Azure AD accounts. This includes the ability to federate with SAML and WS-Fed identity providers, federate with Gmail accounts, and support for collaboration using an email One-Time Passcode (OTP).
We have modified the logic of the redemption flow as follows:
Click here to learn more about changes to the invitation redemption flow.
Accounts that have previously been invited and redeemed with unmanaged Azure AD accounts will continue to work.
You can now use this sample application or the MSIdentity Tools PowerShell Module to identify the unmanaged Azure AD accounts that exist in your tenant and optionally reset their redemption status. By resetting their redemption status, these guest accounts will maintain all existing access and permissions but will be forced to use a different redemption method. Learn more about cleaning up unmanaged Azure AD accounts.
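As an added example (not code from this post or from the MSIdentityTools project), the clean-up described above as a report-first PowerShell script: it inventories the unmanaged guest accounts, writes them to a CSV for audit, and only resets redemption status when run with an explicit switch. It assumes the Microsoft.Graph and MSIdentityTools modules are installed, that the signed-in account can consent to the User.ReadWrite.All scope, that Reset-MsIdExternalUser accepts the users on the pipeline and honours -WhatIf, and that the report path is a placeholder.

```powershell
# Added example: inventory unmanaged ("viral") guest accounts, then reset their
# redemption status so they must redeem again with a supported method.
# Assumes the Microsoft.Graph and MSIdentityTools modules are installed.
param(
    [string] $ReportPath = ".\unmanaged-guests.csv",   # placeholder output path
    [switch] $Reset                                     # default is report-only
)

Import-Module Microsoft.Graph.Authentication
Import-Module MSIdentityTools

# Resetting redemption re-issues the invitation, so write access to users is needed.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Step 1: find guests whose home identity lives in an unmanaged tenant.
$unmanaged = @(Get-MsIdUnmanagedExternalUser)
Write-Host ("Found {0} unmanaged guest account(s)." -f $unmanaged.Count)

# Keep an audit record before changing anything.
$unmanaged |
    Select-Object Id, DisplayName, Mail, UserPrincipalName |
    Export-Csv -Path $ReportPath -NoTypeInformation

if (-not $Reset) {
    Write-Host "Report-only run; re-run with -Reset to change redemption status."
    return
}

# Step 2: reset redemption. Existing access and group membership are kept; the
# user is only forced to redeem again (email OTP, Google, or SAML/WS-Fed federation).
# Dry run first so the affected set is visible in the transcript (assumes -WhatIf support).
$unmanaged | Reset-MsIdExternalUser -WhatIf
$unmanaged | Reset-MsIdExternalUser
```

Review the CSV and the -WhatIf output before the second run; the reset is the only step that changes tenant state.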
Lots of customers have already started using this new solution and the feedback has been super-positive, like this example from a large financial services firm:
“We had thousands of unmanaged accounts in our tenant causing support, lifecycle management and security concerns. Through the PowerShell cmdlets we successfully identified unmanaged accounts and converted them into managed accounts via redemption status reset.”
We love hearing from you, so please share your feedback on these updates through the Azure forum or by tagging @AzureAD on Twitter.
Robin Goldstein
Director of Product Management, Microsoft identity
Twitter: @RobinGo_MS
Learn more about Microsoft identity: