Azure AD B2B
51 Topics

Reset guest redemption status not possible after creating Multitenant Organization (MTO)
Hi all, we're on the path to creating a Multitenant Organization (MTO) for our global organization. We already have a relationship with one partner tenant which has B2B Collaboration and B2B Direct Connect set up and is working well. We took the step of creating a Multitenant Organization in our 365 admin center and started testing with a sandbox tenant, which has since been removed. The issue we are having now is that guest users which are not part of B2B Collaboration or an MTO cannot have their redemption status reset. I first found this wasn't possible from the error in a Power Automate workflow using Microsoft Graph, then confirmed I got the same error in Entra ID. The documentation for MTO was updated a few days ago and includes this, saying that as part of a multitenant organization, reset redemption for an already redeemed B2B user is currently disabled. But should this be the case for guest users not part of B2B Collaboration or Multitenant? Is this an error or expected behaviour, I wonder? Thanks!
2K views, 2 likes, 4 comments

Azure AD B2B Direct Connect - giving access to Enterprise Apps / App Registrations
Greetings, my company is looking to manage identity access for our webapp through Azure AD B2B. Currently we are doing B2B collaboration (inviting guest users), but now we are looking into using B2B Direct Connect by setting up cross-tenant communication with our client/partner. My question: is it possible to give access to the webapp's Enterprise App in our directory to the client's accounts in their directory through B2B Direct Connect? Specifically, without inviting their users into our directory as guests, but using the cross-tenant communication of B2B Direct Connect. Thanks in advance!
1.6K views, 2 likes, 2 comments

Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters, to what the foundations are to get started, and finally to how to configure it in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
34 views, 1 like, 0 comments

How to map a user custom security attribute to OIDC id and access token?
We are integrating Keycloak with Azure Entra via OIDC. We have created custom security attributes to map some extension fields for the user. We tried to map these as tokens, but the custom security attributes don't show up in the dropdown under Token > Add optional claims. We then tried to define them under Enterprise App > Single Sign-On > Attributes & Claims, but we are unable to find these custom security attributes in the dropdown there either! Any help with this problem is deeply appreciated. Thanks, Raghav
213 views, 1 like, 3 comments

Any good book for practical recipes for Azure Entra ID
I tried two books on Azure Active Directory and Microsoft Identity platform to try to build applications. But I will be honest, the books are very dry when explaining the concepts (Application Object, Service Principal, Registered App, Enterprise App...), and I try to understand them but find it difficult. Are there books that are practical in their approach, taking a hands-on approach and then, while building hands-on, explaining the concepts? Like the recipe books in IT. Are there books like that for
Solved, 4.2K views, 1 like, 1 comment

Cross tenant SQL Server Authentication using B2B Collaboration
Introduction

The purpose of this article is to detail the proof of concept developed to showcase that existing SQL resources hosted in various Azure service models and leveraging Azure AD authentication methods (users, service principals, certificates, etc.) at Company A can have authentication succeed if such authentication methods are initiated by identities (users) in the new Company B tenant.

Architecture Overview

- Company B has Azure SQL instances and SQL Server VMs hosted on tenant A.
- Company B needs to carve out, for business reasons, and move into their own Azure tenant.
- Company B cannot move those servers immediately because of on-premises dependencies that will cause unacceptable downtime during a move.
- Company B needs to validate that if they migrate their users to their own Azure tenant and, as such, identities reside in the new Tenant B Azure tenant, those users will be able to authenticate to the Azure SQL instances and Azure SQL servers located in Tenant A.

B2B Collaboration

Configuring cross-tenant access settings for B2B collaboration will allow the Company B identities to be invited as guest users to the Company A tenant. The external identities cross-tenant access settings are used to manage the collaboration between the two tenants. These settings determine both the level of inbound access and the level of outbound access for invited users.

Default Settings

Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings.

[Figure: Default settings for Company A]
[Figure: Default settings for Company B]

Organization Settings

Adding the organization will configure a specific Azure AD organization. Any Azure AD organizations not listed here will use the default settings. Adding Company B as an organization to Company A will override the default settings, and the defined inbound and outbound settings will take precedence. Adding Company A as an organization to Company B will override the default settings, and the defined inbound and outbound settings will take precedence.

[Figure: Organization settings for Company A]
[Figure: Organization settings for Company B]

Inbound Access Settings

With inbound access settings, you select which external users and groups will be able to access the internal applications you choose. Specify the users that will be allowed to be invited from the Company B tenant to be added as guests in the Company A tenant. Define the users by adding the Object ID of each user. Define a group by adding the Object ID of the group. Any user not added in the inbound access settings cannot accept the invitation and will be blocked.

[Figure: B2B Collaboration inbound settings for the Company B organization on the Company A tenant]

As it’s a one-way trust from Company B to Company A, we will be blocking any inbound access coming from the Company A users. Users from Company A cannot be invited and added as guests in the Company B tenant.

[Figure: B2B Collaboration inbound settings for the Company A organization on the Company B tenant]

Outbound Access Settings

With outbound settings, select which of your users and groups will be able to access the external applications you choose. As it’s a one-way trust from Company B to Company A, outbound access will be blocked coming from the Company A users.

[Figure: B2B Collaboration outbound settings for the Company B organization on the Company A tenant]

Specify the users that will be allowed to be invited from the Company B tenant to be added as guests in the Company A tenant. Any user not added in the inbound access settings cannot accept the invitation and will be blocked.

[Figure: B2B Collaboration outbound settings for the Company A organization on the Company B tenant]

Guest Users

You can invite guest users (Company B users) to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD) with a user type of Guest. The guest user must then redeem their invitation to access resources, using the invitation email they received. The guest user will appear in Azure AD with a UPN and an identity of external Azure AD user.

SQL Cross-Tenant Permissions

To grant your invited users permissions to access SQL databases, you can add them to a security group with access to the database(s). Granting an individual invited user access to SQL databases can be done by connecting to the SQL database instance using SQL admin rights, selecting the database, and running the following query:

*Make sure to use the UPN of the invited user as it appears in the Company A tenant. The user is added to the Company A directory with a user principal name (UPN) in the format emailaddress#EXT#@domain, for example, user_CompanyB.onmicrosoft.com#EXT#@companyA.onmicrosoft.com, where:

- user_CompanyB.onmicrosoft.com is the email address invited from the user_CompanyB directory
- #EXT# is the external identifier
- companyA.onmicrosoft.com is the organization from which you sent the invitations.

CREATE USER [user_CompanyB.onmicrosoft.com#EXT#@companyA.onmicrosoft.com] FROM EXTERNAL PROVIDER

And your user will appear in the Users security section of the database.

Try to access the database using the invited user’s credentials, to verify a successful sign-in.

Summary

In summary, B2B collaboration access settings secured a trust relationship between the two tenants for successful cross-tenant SQL authentication.
3.3K views, 1 like, 0 comments

Allowing an external org to access my application (registered in azure ad) with their credentials?
Hi all, I have created a single-tenant application that works well for my organisation; however, I need to add another organisation (external) to be able to use my application. The organisation that I want to add has an Azure AD. Hence my goal is to enable people from the 2nd organisation to be able to sign into my app without needing to register. How am I supposed to go about this? I've looked into the "app registrations" page but have not seen such an ability, and I've looked online to find a solution to this problem to no avail. I'm aware I will need to change the application to "multi-tenant" and also change the URLs from tenant-specific to /common. However, I have no idea how to go about enabling a specific organisation to be able to access my application (while not allowing other orgs) and use my app after signing on using their Microsoft org credentials without registration. I'm looking for suggestions on how I should go about this, or a resource I can use to do this, as I'm a bit lost on how to do this - still a bit of a noobie with Azure AD. Appreciate any help! Thanks,
9K views, 1 like, 2 comments

Guest MFA - require register phone as well as authenticator app
Hi all

So I am aware of cross-tenant MFA settings and we are testing this feature, but it does not help in all scenarios, e.g. the guest has AAD but doesn't have MFA enforced in their home tenant. So guests are forced to register for MFA in our tenant using a conditional access policy. This uses the authenticator app by default, unless they click the text 'I want to set up a different method' at the bottom (which no one notices). Now using the app for guests is problematic. Frequently they change phones and forget to move their authenticator app over, resulting in loss of access. When that happens, they have no way of getting back in since the app is their only authentication method. They don't have the number of our helpdesk since they are external, so don't know how to call support and get their authentication methods reset. So they basically get locked out forever and just give up trying to access content shared with them.

So I would like to do one of the following:
- Force them to add a phone number upon first registration
- Change phone number to default, before app registration
- Or better still - use email as a fallback, since we already have their external email address; they could just be sent a one-time code.

I think the last option is the best, since SMS is not exactly secure. There is an option 'email one-time passcode for guests', however this only applies to guests who don't have an AAD or MS account. It would be great if this option also applied to AAD guests who lost their app. Does anyone know a way around this situation? We can't ask guests to go in via myapps, switch tenants, and add a method, that's just not going to happen.

Thanks
Hal
5.6K views, 1 like, 3 comments

Access Panel allows for potential enumeration attack.
Use Case:

We allow particular guest users (having the Guest Inviter role) to invite other B2B guest users using the groups Access Panel. However, we would like to limit what they can see as much as possible as we deal with multiple B2B tenants. For instance, currently the tenant guest setting is set to "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)". However, with this setting these guest users cannot add new guests to the groups they own on the Access Panel. As soon as they do, it breaks and throws an error. To work around this, these users were also given the "Directory Readers" role. However, now they can enumerate ALL users in AAD using the Join Group function. This is too permissive as it allows these users to enumerate all users in the tenant, including the other B2B guest users which they should not be able to see.

Problem:

The group Access Panel, which can be found here: https://account.activedirectory.windowsazure.com/r#/groups, can potentially be exploited to perform an enumeration attack. By design this allows you to enumerate all groups and their members and email addresses in Azure AD, by using the "+Join Group" feature or by adding a new member to a group you own and typing an initial letter, which shows an autocomplete menu with all members having that letter.

Solution:

- Add a setting under the Azure AD Groups settings to disable the "Join Group" functionality on the Access Panel.
- Do not throw an error if the Guest Inviter does not have the Directory Readers role when inviting new users. The behavior should rather be:
  - When the inviter adds an existing user to another group they own, only enumerate the users that are members of groups the guest inviter is owner of for the autocomplete menu.
  - When adding a new guest user, show the guest invitation menu (as is currently the case).
- If complete enumeration is required then the Directory Readers role can be assigned (like we currently did for the workaround).

I hope these changes can be considered as they have been highlighted a few times already by security experts, see:
- https://clement.notin.org/blog/2021/03/01/risks-of-microsoft-teams-and-microsoft-365-groups/
- https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/
- https://blog.fraktal.fi/azure-ad-data-exposure-to-guests-a98d4338113f
- https://helloitsliam.com/2021/11/18/azure-active-directory-account-enumeration/
2K views, 1 like, 1 comment

Azure AD B2B SPO and OD integration + Whitelisting in AAD
Hi! I got some scenarios I'd love your input on:

Configuration 1:
- Whitelisting/allow list used in Azure AD
- SPO and OD Azure AD B2B integration activated (and OTP)
- SharePoint/OneDrive external sharing settings set to New and Existing guests

Question:
- This setup will block sharing from SPO and OD with any external not included in the whitelist, as the integration will try to add the recipient to AAD as a guest?

Configuration 2:
- Whitelisting/allow list used in Azure AD
- SPO and OD Azure AD B2B integration and OTP disabled
- SharePoint/OneDrive external sharing settings set to New and Existing guests

Questions:
- The whitelist will not prevent sharing with any externals, as SPO and OD will still be using the old ad-hoc external sharing solution?
- Is this the only possible setup if you want whitelisting on guest access but don't want to limit external sharing from OD and SPO using the "Specific people" option?
3.4K views, 1 like, 7 comments