azure ad b2b
221 TopicsJoin Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub77Views1like0CommentsHow to map a user custom security attribute to OIDC id and access token ?
We are integrating keycloak with azure entra via OIDC. We have created custom security attribute to map some extension fields for the user. We tried to map these as tokens, but the custom security attributes doesn't show up in the dropdown under the token > add optional claims We then tried to define them under the Enterprise App > Single SignOn > Attributes & Claims; but unable to find these custom security attributes in the drop down there either ! Any help for this problem is deeply appreciated. Thanks, Raghav394Views1like3CommentsEnable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.250Views0likes1CommentGuest accounts and MFA via Conditional Access in MS Entra
Hi experts, trying to get some help on my scenario and issue that external users started to experience since I've enabled MFA for external identities & guest users via Conditional Access. We have lots of external partners that we share some documentation with from our SharePoint. Some time ago, I have enabled "MS Entra B2B Integration for SharePoint and OneDrive" so that any external user that access shared files/folders in our SharePoint gets a GUEST account created in our tenant. This was also preparation for enabling MFA for External users via Conditional Access. I believe these are called "B2B Collaboration guests" Now, few days ago, I have enabled MFA via Conditional Access for all external users and guests, enabled for all cloud apps and require MFA to grant access. Until now, I got feedback from two external partners that their existing access doesnt work anymore - and they need to go through MFA (which is expected). The problem is that when they go through MFA set up, it ends up in a "loop" - meaning, they go through all steps but when completing the last step they are returned back to the very 1st step again. So they: scan QR code successfully authenticate get the page that it was successful get back to the 1st step asking to install or use MS Auth app The user tried different browsers also with Incognito tabs... When I am checking sing-in logs: guest account is created fine the status is: "Interrupted" additional details: The user was presented options to provide contact options so that they can do MFA. conditional access forcing MFA is marked as FAILED as MFA was not completed Both external partners that reported this are using MS Entra and I see their IDENTITY as ExternalAzureAD. Have not heard back from anyone else using other than ExternalAzureAD so not sure if there is something extra that needs to be configured. Anyone experienced this issue? Any idea what can be wrong? I do not have any cross-tenant collaboration etc configured...1.9KViews0likes4CommentsB2B Direct Connect + cross tenant access enables switch tenants functionality?
We have set up a b2b direct connect connection with another company. We have enabled the cross-tent sync settings. We want to use Shared channels in Teams. This works fine. It is now possible for the other company to switch tenants in Teams and log into our tenant and then they see the entire team and not just the shared channel. The can also access SharePoint sites. Is this works as designed because I can't find this functionality in the Microsoft documentation.Solved647Views0likes2CommentsIs it possible to disallow proxyAddress as Sign-In Identifier?
As part of a revised naming scheme for user accounts we're planning to roll out, I'd like to disallow Exchange Online email addresses and proxyAddresses from being used instead of the User Principal Name as an alternative identifier when users sign in to their accounts. This is supposed to strengthen security as users don't share one of the authentication factors with every email they send and the user names can't be easily guessed because they don't use the actual first or last name of the user behind them. This is the only Microsoft Learn article I found that was describing something similar: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-use-email-signin Basically I want to do the opposite of what the article is describing and I'm not synching my users using Microsoft Entra Connect. I disabled the "Email as alternate login ID" option described in the article anyways but unsurprisingly, that didn't have the desired effect. Does anyone know if this is even possible and if so, how to do it? Thanks in advance! This is my first post in this community. If I did something wrong (like choosing the wrong label) please be kind, tell me, and I'm going to adapt my post.Solved852Views0likes2CommentsPhishing resistant MFA options for Entra ID Guest users
What are the phishing resistant MFA options for Entra ID B2B guest users who authenticate from an IDP that is not configured for inbound cross tenant trust? From our testing, there does not appear to be any way to use fido2/passwordless/certificate-based authentication with the guest account on the resource tenant. The following links appear to indicate that this is not supported. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strength-advanced-options#certificate-based-authentication-advanced-options-1 https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#supported-scenarios-1 When we enable MFA requirements in conditional access policy for Guest users, the only option that seems to work is MS Authenticator which the user can enroll for on our tenant. Would switching the account from a B2B guest to an internal Guest allow something like CBA to function or is the only real option to enable cross tenant trust and force the user to enable MFA on the account in their home IDP?565Views0likes0CommentsAzure B2B, B2C or Entra External ID for OneDrive/SharePoint external collaboration
Dear Community, We have a business requirement that internal staff needs to collaborate files with external customers. Staff share individual files from OneDrive for Business or SharePoint Online library. External customers will be required to register as guests. External customers will be required to use MFA for authentication. I am able to get it somewhat working by enabling https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration. The benefit is that external customers will be added as guests even when you share single files, which is not possible by default. Then the default guest CAP will require guests to have MFA turned on during first registration. The reason I said somewhat working is that the user experience is not that great. For example, the page for guest registration cannot be customised so the process seems clunky and confusing for non-technical user, so as the guest registration email. The SharePoint file sharing email that customers receive are also not customisable. It looks like a spam. It seems like without using Azure B2C or now the next generation of External ID, I cannot use separate company branding just for my guests. When comparing different features, it also comes to my understanding that even with an external tenant, the customised signup/signin user flow needs to associated with an enterprise app. And this document specifically called out OneDrive/SharePoint cannot be used to trigger the signup/signin user flow. https://learn.microsoft.com/en-us/entra/external-id/self-service-sign-up-user-flow The above link is for B2B but I think for B2C, it is the same deal, even though it didn't say explicitly. https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers Any advice is welcome. Thank you so much! nhtkid768Views0likes0Comments