It’s a new year and a fresh start for Build 2022 at Microsoft. After a couple of years of feeling disconnected from each other, it is so great to be collaborating in a hybrid environment. With this new frontier of collaboration, the team is more committed than ever to bringing features that allow everyone to more easily onboard and manage External Identities, with a Zero Trust strategy as the foundation. Today we are announcing three advances we've made to help break down barriers and enable more flexibility for organizations and developers:
Public Preview of Microsoft cloud settings for B2B Collaboration
General Availability of SAML and WS-Fed federation for External Identities
Custom extensions for token enrichment coming in Summer 2022
Please welcome Senior Product Manager, Josh Douglas, to the blog to talk more about this new frontier of collaboration.
Thanks, Robin! Our Build 2022 announcements are all about improving collaboration and expanding on the flexibility of our External Identities capabilities. Specifically:
Collaboration across Microsoft clouds with External Identities and Identity Governance
Enabling users from partner organizations that are not in Azure AD to sign in with whatever identity they already have.
Introducing new ways to extend identity processes on Azure Active Directory by integrating with external systems to enrich the information your applications receive in tokens.
Collaborate across Microsoft clouds
We’ve heard many times that being able to support identities across the different Microsoft clouds is a critical scenario for businesses that are multi-national or handle government contracts. In these scenarios, identities could be split across the different Microsoft clouds and, until now, there was no easy way to collaborate with those users. With the public preview of Microsoft cloud settings for B2B collaboration, developers can build applications for their organization and leverage B2B collaboration to invite users from another instance of a Microsoft cloud, including US Government and China clouds, to access that application using their main organizational identity. Below is an example of the flow for how this can work:
Example of cloud-to-cloud collaboration between commercial and government clouds
When it comes to collaborating with organizations in a different Microsoft cloud, we’ve heard two major pieces of feedback:
Organizations use a specific Microsoft cloud for a reason and opening collaboration across Microsoft clouds should be a customer decision.
Organizations want to have granular controls to choose who they collaborate with and whether those organizations should be able to come inbound or let users go outbound.
Based on this feedback, we built cloud-to-cloud access on top of cross-tenant access settings to provide full control over who you collaborate with outside of your home cloud.
You can choose which Microsoft clouds to collaborate with
Once you enable the Microsoft cloud(s) you’d like to collaborate with, you can use cross-tenant access settings to add the organization from that cloud. At that point, you can control the inbound and outbound settings just like you would for any other organization.
Once both organizations take action to enable collaboration across Microsoft clouds, you can take advantage of Azure AD B2B collaboration to start inviting users. These guest users can access your resources (such as LOB/SaaS apps), SharePoint sites, and OneDrive files.
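The gates described above (both tenants enabling each other's cloud, then per-organization inbound and outbound settings) as a small policy model. This is an added illustration, not Microsoft's code; the tenant data model and the tenant names are constructed for the example, and the real settings live in the Azure AD Microsoft cloud settings and cross-tenant access settings.

```python
# Added illustration, not Microsoft's code: a model of the gates the post
# describes for cross-cloud B2B collaboration. The data model is constructed;
# real settings live in Azure AD "Microsoft cloud settings" and
# "cross-tenant access settings".
from dataclasses import dataclass, field


@dataclass
class Tenant:
    tenant_id: str
    cloud: str                                         # "commercial", "usgov", "china"
    enabled_clouds: set = field(default_factory=set)   # Microsoft cloud settings
    inbound: dict = field(default_factory=dict)        # partner id -> B2B allowed in
    outbound: dict = field(default_factory=dict)       # partner id -> users allowed out
    default_inbound: bool = True                       # applies to unlisted same-cloud orgs
    default_outbound: bool = True


def can_invite(resource: Tenant, home: Tenant) -> tuple:
    """Can `resource` invite a guest whose identity lives in `home`?

    Returns (allowed, reason). A cross-cloud partner must be listed explicitly
    after both tenants have enabled each other's cloud; a same-cloud partner
    falls back to the default inbound/outbound settings.
    """
    if resource.cloud != home.cloud:
        if home.cloud not in resource.enabled_clouds:
            return False, f"{resource.tenant_id} has not enabled the {home.cloud} cloud"
        if resource.cloud not in home.enabled_clouds:
            return False, f"{home.tenant_id} has not enabled the {resource.cloud} cloud"
        if home.tenant_id not in resource.inbound:
            return False, f"{resource.tenant_id} has not added {home.tenant_id} as an organization"
        if resource.tenant_id not in home.outbound:
            return False, f"{home.tenant_id} has not added {resource.tenant_id} as an organization"
    if not resource.inbound.get(home.tenant_id, resource.default_inbound):
        return False, f"{resource.tenant_id} inbound settings block {home.tenant_id}"
    if not home.outbound.get(resource.tenant_id, home.default_outbound):
        return False, f"{home.tenant_id} outbound settings block {resource.tenant_id}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed tenants: a commercial tenant inviting from a US Government tenant.
    contoso = Tenant("contoso", "commercial", {"usgov"}, inbound={"fabrikam": True})
    fabrikam = Tenant("fabrikam", "usgov")
    print(can_invite(contoso, fabrikam))   # blocked: fabrikam has not enabled commercial
    fabrikam.enabled_clouds.add("commercial")
    fabrikam.outbound["contoso"] = True
    print(can_invite(contoso, fabrikam))   # (True, 'allowed')
```

Note that every check is default-deny for a cross-cloud partner: one side enabling the cloud, or only one side adding the other organization, is not enough.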
Streamlined onboarding of users from another Microsoft cloud with Entitlement Management
We know that you want to include governance from the start when collaborating with external users. To help bake governance into collaborating across Microsoft clouds, we’ve extended the ability to create Connected Orgs and Access Packages targeted at organizations from a different Microsoft cloud. This allows you to easily provision users in the directory, give them access to what matters, and govern the user’s lifecycle.
We’re announcing GA of federation with SAML and WS-Fed identity providers for B2B collaboration. We know security and trust are always top of mind as you federate with the identity providers of your partners to enable guest users to sign in with their own credentials. We have now added the ability for your partners to approve federations for their domains, which helps protect their users from phishing, and to specify the SAML endpoint from which they will accept requests.
You can federate with any SAML or WS-Fed identity provider
Extend your authentication experiences using custom extensions
In February, we shared how you can use custom extensions to extend processes for managing onboarding and off-boarding users to access packages by triggering your own external business logic. We’re continuing to expand the ways in which you can integrate your identity processes and workflows with external systems. In Summer 2022, we’re releasing into public preview the ability to enrich your Azure Active Directory application’s tokens with information from external sources using custom extensions.
Diagram of flow for enriching tokens with information from external sources
You may have legacy identity systems or user stores, like LDAP stores, that hold information about your employees or collaborators. In cases where you can’t immediately migrate or synchronize that information into Azure Active Directory, you can use custom extensions to fetch it on every sign-in. Or, you can use custom extensions to get information from other cloud-based systems like those used for human resources or authorization management. You can create your custom extension using Azure Functions, Logic Apps, or the API development platform of your choice.
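A minimal claims-provider handler of the kind such an extension could host (for instance in an Azure Function), added here as an example and not Microsoft's code. The request and response shapes, the audience and issuer values, and the legacy store are constructed for illustration; the real payload format is defined by Azure AD, not by this sketch.

```python
# Added example, not Microsoft's code: a minimal claims-provider handler of the
# kind a custom extension could host (for instance in an Azure Function). The
# request/response shapes and the store are constructed for illustration;
# the real payload format is defined by Azure AD, not by this sketch.
from typing import Callable, Dict

# Assumed identifiers of this extension's own app registration and of the
# Azure AD tenant allowed to call it (placeholders, not real values).
EXPECTED_AUDIENCE = "api://claims-extension.example"
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"

# Constructed stand-in for a legacy LDAP/HR store that is not yet synced.
LEGACY_STORE = {
    "alice@contoso.example": {"costCenter": "CC-1042", "badgeId": "B-77",
                              "nationalId": "do-not-release"},
}

# Only attributes on this allowlist are ever copied into a token, under a
# claim name we control; everything else in the record stays behind.
CLAIM_ALLOWLIST = {"costCenter": "cost_center", "badgeId": "badge_id"}


def lookup_legacy(upn: str) -> Dict[str, str]:
    """Store lookup; in production this is an LDAP/HR query with a timeout."""
    return LEGACY_STORE.get(upn.lower(), {})


def handle_token_issuance(caller_claims: dict, event: dict,
                          lookup: Callable[[str], Dict[str, str]] = lookup_legacy) -> dict:
    """Return the claims to add for the signing-in user, or refuse the request.

    `caller_claims` are the already signature-verified claims of the bearer token
    Azure AD presented to the extension (signature checking is assumed to happen
    at the host); the handler still confirms the token was meant for this
    extension before doing any lookup.
    """
    if (caller_claims.get("aud") != EXPECTED_AUDIENCE
            or caller_claims.get("iss") != EXPECTED_ISSUER):
        raise PermissionError("token not issued for this extension")
    upn = event["user"]["userPrincipalName"]
    try:
        record = lookup(upn)
    except Exception:       # store down or slow: add nothing rather than guess
        return {"claims": {}, "degraded": True}
    claims = {name: record[attr] for attr, name in CLAIM_ALLOWLIST.items()
              if attr in record}
    return {"claims": claims, "degraded": False}
```

Because the extension adds nothing when the store is unavailable, applications that rely on an enriched claim must treat its absence as a deny, not as a default.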
We love hearing from you, so share your feedback on these new features through the Azure forum or by tagging @AzureAD on Twitter.
More to learn at Build 2022
No matter where you are in the world, you can join us at Build 2022 live or on demand. There are plenty of live and pre-recorded sessions. To register, use the Session Scheduler, then attend and interact with us live at Build:
Identity team Breakout sessions
ODBRK05 - “Creating secure identities for apps using the Microsoft identity platform”
Meet subject matter experts (SMEs) on the following topics between May 24th 11am PDT and May 26th 5am PDT:
Creating a Secure Multi-Tenant Application on Identity Platform
Microsoft Defender for Cloud
Product roundtables: Participate in 60-minute Teams meetings in a focus-group style session to share thoughts and feedback on the latest security innovations. Registered attendees can apply to participate in these sessions:
Building and driving adoption for applications in the Enterprise
How can you secure your apps & scale speedily from test to production while maintaining a high security bar?
Let's make secrets invisible for Developers.
What would you like to know about how your apps registered in Azure AD are doing?
Would you like to lower the adoption friction of your trustworthy apps?
What if we made application registration easier in the Azure portal?
Improvements to the Azure Active Directory application model and API