Jul 06 2017 09:12 AM - last edited on Jan 14 2022 04:48 PM by TechCommunityAP
For viral/JIT client users, we need to have validation set at regular intervals to ensure the user is still a part of their organisation. Currently, there is no validation in place for these JIT users. Are there any plans to address this and timings?
Jul 06 2017 09:18 AM
Hi Bally, we have heard this ask from several customers and it is definitely on our roadmap. For background, we have access reviews today in Azure AD as part of Azure AD PIM for a different scenario - attestation of users who have privileged roles assigned to them. Currently we plan to leverage this access reviews approach to enable organizations to ensure their invited guest users confirm they have a continued need for access. This is particularly important for organizations engaging with guests which come from an unmanaged tenant which has no user lifecycle process in place. No dates yet but when we have more updates in this area we'll post to the Enterprise Mobility blog: https://blogs.technet.microsoft.com/enterprisemobility/ Thanks, Mark
Jul 06 2017 09:24 AM
Thanks Mark. We've tested the access review and this does not meet our needs around attestation. Our ideal scenario would be to have periodic (i.e. MFA only required every 60/90 days) where the MFA was tied to email address. Does that make sense?
Jul 06 2017 09:36 AM
Yes it does; periodic reviews to confirm the user is still receiving emails at their home organization email address (e.g., @live.com or @contoso.com) are not yet in preview. Thanks!
Apr 09 2018 06:21 AM
Mark, do we have an update on the periodic account verification for viral/JIT users? I have checked but couldn't find any news about that in the Enterprise mobility blog.
Jul 18 2018 11:16 AM
Was there any more info provided on this possible capability to verify periodically?
Nov 15 2018 07:37 AM
This will be handled by NOPA (passwordless account) whereby a validation code will be sent to the corporate email address when the user requires access. Interested to hear others' views on this...
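The mechanism the thread circles around, periodically re-verifying a guest by mailing a one-time code to their corporate address, sketched as an added example that is not Microsoft's implementation and not code from any post above; the 90-day window, 15-minute code lifetime, five-guess budget and the guest@contoso.com record are assumptions chosen for illustration:

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REATTEST_EVERY = timedelta(days=90)   # hypothetical policy, not Microsoft's: re-verify every 90 days
CODE_TTL = timedelta(minutes=15)      # an emailed code is valid for 15 minutes ...
MAX_ATTEMPTS = 5                      # ... and for 5 guesses, then a new one must be requested

@dataclass
class GuestRecord:
    email: str                               # corporate address the code is mailed to
    last_verified: datetime
    code_hash: Optional[bytes] = None        # only a hash of the outstanding code is stored
    code_expires: Optional[datetime] = None
    attempts_left: int = 0

def needs_reattestation(guest, now):
    return now - guest.last_verified >= REATTEST_EVERY

def issue_code(guest, now):
    code = f"{secrets.randbelow(10**8):08d}"  # plaintext goes only to the mailer, never to storage
    guest.code_hash = hashlib.sha256(code.encode()).digest()
    guest.code_expires = now + CODE_TTL
    guest.attempts_left = MAX_ATTEMPTS
    return code

def verify_code(guest, submitted, now):
    """Accept the code once, inside its TTL and attempt budget; refresh last_verified on success."""
    if guest.code_hash is None or now >= guest.code_expires or guest.attempts_left <= 0:
        return False
    guest.attempts_left -= 1
    ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), guest.code_hash)
    if ok:
        guest.last_verified = now
    if ok or guest.attempts_left == 0:
        guest.code_hash = None               # consumed, or locked out until a new code is issued
    return ok

def walkthrough():  # constructed scenario: guest verified on day 0 is challenged again on day 91
    guest = GuestRecord(email="guest@contoso.com", last_verified=datetime(2022, 1, 1, tzinfo=timezone.utc))
    day91 = guest.last_verified + timedelta(days=91)
    due = needs_reattestation(guest, day91)
    code = issue_code(guest, day91)
    wrong = verify_code(guest, "99999999" if code != "99999999" else "00000000", day91)
    right = verify_code(guest, code, day91 + timedelta(minutes=1))
    replay = verify_code(guest, code, day91 + timedelta(minutes=2))
    expired = verify_code(guest, issue_code(guest, day91), day91 + CODE_TTL)
    return due, wrong, right, replay, expired, needs_reattestation(guest, day91 + timedelta(days=1))
```

A real deployment would key the record by the guest's object id, deliver the code through the mail provider, and log every failed or expired attempt for the tenant's SIEM.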