microsoft entra
MTO/Cross Tenant Sync Identity Considerations
In the current Azure environment, a user from another tenant can be represented by several identity objects. Most users have a cloud guest account, while a subset also have mail contacts alongside their guest user status. Additionally, some users have licensed accounts. In this blog post, we explore each of these representations and the process of merging/rationalizing them to ensure a single representation of the user in the resource tenant. This unified representation will be enabled for B2B collaboration with the user's home identity and mail-enabled for integration within Exchange.

Existing B2B Users

A user can have the following representations:

Guest account with the Invitation State as Pending Acceptance. This is usually the case when the user was invited as a guest but never accepted the invitation. Cross-tenant sync will fail for such accounts. Cross-tenant synchronization uses an internal attribute called alternativeSecurityIdentifier to uniquely match an internal user in the source tenant with an external / B2B user in the target tenant. Because the invitation was never redeemed, the alternativeSecurityIdentifier property is not populated for the user. Assuming that automatic redemption is enabled for both tenants, you can reset the redemption status / resend the invite to populate the alternativeSecurityIdentifier.

Reference article: Reset guest redemption status - Microsoft Entra External ID | Microsoft Learn https://learn.microsoft.com/en-us/entra/external-id/b2b-quickstart-invite-powershell#send-an-invitation

Note: You may want to suppress the invitation message to avoid end-user notifications.

Multiple guest accounts with the Invitation State as Pending Acceptance. This typically occurs when multiple accounts were created for a user in the home tenant. Both accounts may have been invited; subsequently, one account is deleted and its email address is transferred to the remaining account.
Here is an example:

The user had the following account in the home tenant:
- Display Name: Lidia Holloway
- Email: Lidia.Holloway@contoso.com

The user was provided with another account for administration in the home tenant:
- Display Name: Lidia Holloway (GA)
- Email: Lidia.Holloway@fabrikam.com

The user was invited as a guest in the resource tenant with the email address Lidia.Holloway@contoso.com. The user never accepted the invitation.

The user was invited as a guest in the resource tenant with the email address Lidia.Holloway@fabrikam.com. The user never accepted this invitation either.

The Lidia Holloway (GA) account was removed from the home tenant and the email address Lidia.Holloway@fabrikam.com was added as an alias to the Lidia Holloway account.

End state

Home tenant:
- Display Name: Lidia Holloway
- Email Addresses: SMTP:Lidia.Holloway@contoso.com; smtp:Lidia.Holloway@fabrikam.com

Resource tenant, Account 1:
- Display Name: Lidia Holloway
- Email Addresses: SMTP:Lidia.Holloway@contoso.com
- Invitation State: Pending Acceptance

Resource tenant, Account 2:
- Display Name: Lidia Holloway
- Email Addresses: SMTP:Lidia.Holloway@fabrikam.com
- Invitation State: Pending Acceptance

The recommendation here is to retain the account whose address matches the primary SMTP (PSMTP) address of the home account and delete the other one.

Note: The account scheduled for deletion may have group memberships and email threads with other users. It is advisable to transition the Legacy Exchange Distinguished Name (DN) and group memberships to the account being retained. To achieve this, capture the Legacy Exchange DN and group memberships, delete the unnecessary account, and then transfer these attributes to the retained account.

Multiple guest accounts with the Invitation State as Accepted and Pending Acceptance. This is similar to the previous case, except that one of the invitations was accepted. It is advisable to retain the account in the accepted state, as it may have permissions across various M365 workloads.
There may also be situations where the PSMTP address of the home account was changed; in such cases, CTS should update the mail attribute according to the CTS configuration. If it does not update automatically despite the configuration, on-demand provisioning can be used to force the update.

Note: As in the previous scenario, it is advisable to transition the Legacy Exchange Distinguished Name (DN) and group memberships to the account being retained.

Existing Contact Object

Contact Object

A user may be added as a contact in the resource tenant, often when a GAL sync solution is configured between organizations. There can be both synced and cloud-only contacts. These contacts might hold memberships in various synced and non-synced groups. To achieve a single representation, it is recommended to capture the Legacy Exchange Distinguished Name (DN) and group memberships from the contact object and delete it. After this, perform the scoping and let CTS create the B2B object. Finally, transition the Legacy Exchange Distinguished Name (DN) and group memberships to the B2B account.

Contact & a B2B Object

A user can exist as both a contact object and a B2B object in the resource tenant; this often occurs when a user is invited as a guest while a contact object already exists. Provisioning in EXO depends on the email address and creation order of these objects. The B2B object's Invitation State can be either Pending Acceptance or Accepted. If the B2B object's Invitation State is Pending Acceptance, it is advisable to remediate that first. To achieve a single representation, the recommendation again is to delete the contact object and transition the Legacy Exchange Distinguished Name (DN) and group memberships to the B2B account.

Contact + Multiple B2B Objects

A user can have a contact along with multiple B2B objects. In such scenarios, it is recommended to first rationalize the B2B objects and then proceed with the contact rationalization.
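The capture / delete / transfer sequence described above for the duplicate-guest and contact cases, as an added PowerShell example that is not code from the original post. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules; the function names, object IDs and snapshot file path are hypothetical, and the Graph contact cmdlet parameter name is an assumption.

```powershell
<#
  Added example, not code from the original post. Rationalization helper for the
  resource tenant: snapshot the Legacy Exchange DN, X500 addresses and direct group
  memberships of a duplicate object (a pending guest or a cloud-only mail contact),
  delete it, and later transfer those attributes to the retained B2B account.
  Assumes ExchangeOnlineManagement and Microsoft.Graph; IDs and paths are hypothetical.
#>
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Directory.Read.All','GroupMember.ReadWrite.All','User.ReadWrite.All' -NoWelcome

function Export-DuplicateSnapshot {
    # Step 1: capture everything that is lost when the duplicate is deleted.
    param([string]$DuplicateId, [switch]$IsContact, [string]$Path)
    $dup = if ($IsContact) { Get-MailContact -Identity $DuplicateId } else { Get-MailUser -Identity $DuplicateId }
    # Synced contacts must be removed at the sync source, not in the cloud.
    if ($IsContact -and $dup.IsDirSynced) { throw "$DuplicateId is a synced contact; remove it at the source." }
    # Direct memberships only: nested groups are inherited once the parent is re-added.
    # (-OrgContactId is assumed to be the parameter name of Get-MgContactMemberOf.)
    $memberOf = if ($IsContact) { Get-MgContactMemberOf -OrgContactId $DuplicateId -All }
                else            { Get-MgUserMemberOf -UserId $DuplicateId -All }
    $snapshot = [pscustomobject]@{
        DuplicateId      = $DuplicateId
        LegacyExchangeDN = $dup.LegacyExchangeDN
        X500Addresses    = @($dup.EmailAddresses | Where-Object { $_ -like 'X500:*' })
        GroupIds         = @($memberOf |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
            ForEach-Object Id)
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path   # rollback record
    return $snapshot
}

function Remove-Duplicate {
    # Step 2: delete the duplicate (guests are soft-deleted; contacts are removed in EXO).
    param([string]$DuplicateId, [switch]$IsContact)
    if ($IsContact) { Remove-MailContact -Identity $DuplicateId -Confirm:$false }
    else            { Remove-MgUser -UserId $DuplicateId }
}

function Restore-ToRetained {
    # Step 3: run once the retained B2B object exists (for contacts: after CTS has created it).
    param([string]$SnapshotPath, [string]$RetainedId)
    $s = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    # The old Legacy DN becomes an X500 proxy so replies to old mail threads still resolve.
    $proxies = @("X500:$($s.LegacyExchangeDN)") + @($s.X500Addresses)
    Set-MailUser -Identity $RetainedId -EmailAddresses @{Add = $proxies}
    foreach ($gid in @($s.GroupIds)) {
        $g = Get-MgGroup -GroupId $gid -Property Id,DisplayName,MailEnabled,SecurityEnabled,GroupTypes
        # Graph can write Microsoft 365 groups and pure security groups; distribution lists and
        # mail-enabled security groups are only writable through Exchange Online.
        $graphWritable = ($g.GroupTypes -contains 'Unified') -or ($g.SecurityEnabled -and -not $g.MailEnabled)
        try {
            if ($graphWritable) { New-MgGroupMember -GroupId $gid -DirectoryObjectId $RetainedId }
            else { Add-DistributionGroupMember -Identity $gid -Member $RetainedId -BypassSecurityGroupManagerCheck }
        } catch { Write-Warning "Could not add $RetainedId to '$($g.DisplayName)': $_" }
    }
}

# Usage for the two-pending-guests case (hypothetical IDs), run in one sitting:
# $snap = Export-DuplicateSnapshot -DuplicateId '<pending-guest-object-id>' -Path '.\dup.json'
# Remove-Duplicate -DuplicateId $snap.DuplicateId
# Restore-ToRetained -SnapshotPath '.\dup.json' -RetainedId '<retained-guest-object-id>'
```

For the contact case, run the first two functions with -IsContact, scope the user into CTS, and call Restore-ToRetained only after the B2B object has been provisioned.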
Internal/Dual Mailbox Users

Finally, there may be instances where users are classified as internal users in both tenants. Dual mailbox users cannot be enabled for B2B collaboration because the assigned email addresses would conflict with those of their home accounts. These dual mailbox users should be excluded from identity rationalization and should coexist with the corresponding cloud external member objects created via cross-tenant synchronization. This setup can result in the user appearing twice in people search across Microsoft 365 applications unless one of the entries is hidden; however, hiding one entry could lead to additional complications.

A final note: perform the rationalization during off-business hours, preferably on weekends, to allow for rollback if needed. Also, consider nested groups when transitioning group membership.

NIST CSF 2.0 - Protect (PR) - Applications for Microsoft 365 (Part 1)
This blog and series will look to apply the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, and specifically the Protect (PR) Function, to Microsoft 365. Though the discussion will endeavor to focus primarily on Microsoft 365, topics may venture into Microsoft Azure periodically by the nature of each solution. Part 1, like any subsequent blogs in the series, will not be an exhaustive review of all possible applications of NIST CSF 2.0, nor of the technologies mentioned and their abilities to manage cybersecurity risks. Other applicable Functions or Categories found in NIST CSF 2.0 will be invoked throughout in the true spirit of the framework. PR as a Function is intended to cover "safeguards to manage the organization's cybersecurity risks" and contains five Categories. The prior CSF publication included six Categories, but two were significantly edited and renamed. Let's first dive into Identity Management, Authentication, and Access Control (PR.AA).

Power Up Your ASP.NET Application with External ID Integration in Visual Studio
Microsoft Entra External ID is a comprehensive identity management solution tailored to streamline a vital component of application development: authentication. By integrating External ID, developers can leverage advanced, built-in security features that reduce the risk of vulnerabilities and ensure compliance with industry standards. This approach not only expedites the development process but also supports scalability and enhances the user experience by providing seamless and secure access. Ultimately, it empowers developers to deliver high-quality, secure applications with greater efficiency.

In this blog, we walk you through the process of creating an ASP.NET application with External ID using Visual Studio. Currently the template in Visual Studio supports ASP.NET only. If you'd like to explore External ID with other samples (JavaScript, React, Angular, Node.js (Express), ASP.NET Core, Python Django, Python Flask, Java Servlet, etc.), please check out the Microsoft Entra External ID extension for Visual Studio Code or the Microsoft Entra admin center wizard guide.

Setting up and running your application

Prerequisites
- Install the recommended Visual Studio version (17.11.3), along with the ASP.NET and web development workload.
- An external tenant on Microsoft Entra Admin Center. If you don't have one, you can create one using our 30-day free trial or create an external tenant with an Azure subscription. If you have one, continue reading.
- Ensure you have the Application Administrator role on Microsoft Entra.

After meeting the above prerequisites, you can dive into the video where we show you how to integrate Microsoft Entra External ID in your app on Visual Studio, or jump straight into the guide.

Create your project

Open Visual Studio and create a new project.
- From the templates, select 'ASP.NET Core Web App (Razor Pages)' and click Next.
- Provide a Project Name, e.g. 'ASP-Application', and a Location (where you want to create the project), and click Next.
- In the Framework selection, use '.NET 8.0 (Long Term Support)' and under Authentication Type, select 'Microsoft identity platform'. Then click Create.

The following diagram shows the Microsoft identity platform at a high level, including the application registration experience, SDKs, endpoints, and supported identities or account types.

Install components

Install the required component, the dotnet msidentity tool, and click Next.

Configure External ID
- Sign in to External ID with a user that has permission to create an application registration.
- Select your trial or external tenant from the Tenants drop-down.
- Click Create new and give your application a name, like 'visual-studio-asp-app'. This will create an application in Microsoft Entra External ID including a linked user flow, fully defining the sign-in and sign-up experience for your users. Then click Register.

5: 'Create new' in Microsoft Entra External ID

The app registration process collects and assigns these values for your app:
- An Application (client) ID that uniquely identifies your app.
- A Redirect URI that you can use to direct responses back to your app.
- A few other scenario-specific values such as supported account types.

Next, select the application you've just registered, then click Next. Skip the 'Additional settings' step shown below, as it does not work with an external tenant. Review the Summary of changes and click Finish. The dependency configuration process starts as shown below. Once done, click Close.

Run and test the application

To run your application, navigate to Debug > Start Without Debugging. Once your build is complete, a new browser window will open at https://localhost:7124. Complete the sign-up and sign-in process on the screen shown below. On successful sign-in, you will see the demo page, as shown below. You've successfully configured Microsoft Entra External ID on an ASP.NET Core Web App and signed in your first user.
Next steps

Continue exploring Microsoft Entra External ID samples by checking out the Microsoft Entra External ID extension for Visual Studio Code or the Microsoft Entra admin center wizard guide. Share your feedback and tell us what you think, or suggest new features. Also, please join our research panel to receive occasional invites to participate in customer research. You can also explore other features in the Microsoft Entra portfolio by visiting our Developer center, Identity blog, and YouTube channel for tutorials, deep dives, and the latest news.

Implement authentication on mobile apps with Native Authentication for Microsoft Entra External ID
Native authentication empowers you to take complete control over the design of the sign-in experience of your mobile applications. It allows you to craft stunning, pixel-perfect, brand-aligned authentication user flows (including design elements, logo placement, and layout) that are seamlessly integrated into your mobile apps, rather than relying on browser-based solutions, while at the same time ensuring that sign-in and sign-up processes remain secure and frictionless. This balance of customization and security drives better onboarding, retention, and, ultimately, user trust.

Authentication on Mobile: Native authentication vs Browser-delegated

When it comes to implementing authentication for mobile apps on External ID, you have two options:
- Fully custom, SDK-based native authentication.
- Microsoft-hosted browser-delegated authentication.

In the browser-delegated mobile app sign-in process, users often experience a disruptive jump during authentication. They're taken to a browser for authentication and then redirected back to the app when the sign-in is complete. This leads to a diluted experience, and branding can be compromised. While browser-delegated methods can reduce attack vectors and support single sign-on (SSO), they suffer from limited UI customization and poor user experience. Microsoft Entra External ID supports both native authentication and browser-delegated authentication. Refer to this documentation to understand when to use native authentication and when to use browser-delegated authentication. Native authentication gives you full control over the user interface and experience.

Available authentication methods

Native authentication currently supports the local identity provider for two sign-in methods:
- Email with one-time passcode (OTP) sign-in.
- Email and password sign-in, with support for self-service password reset (SSPR).

How to enable native authentication

1. Register application in the external tenant

To enable your application to sign in users with Microsoft Entra, Microsoft Entra External ID must be made aware of the application you create. The app registration establishes a trust relationship between the app and Microsoft Entra. When you register an application, External ID generates a unique identifier known as an Application (client) ID, a value used to identify your app when creating authentication requests. For native authentication, we use an external tenant, not a workforce tenant. You need to have an external tenant; if you don't already have one, sign up for a free trial. The following steps show you how to register your app in the Microsoft Entra admin center:
- Sign in to the Microsoft Entra admin center as at least an Application Developer.
- If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
- Browse to Identity > Applications > App registrations.
- Select + New registration.
- In the Register an application page that appears:
  - Enter a meaningful application Name that is displayed to users of the app, for example ciam-client-app.
  - Under Supported account types, select Accounts in this organizational directory only.
  - Select Register.
- The application's Overview pane displays upon successful registration. Record the Application (client) ID to be used in your application source code.

2. Enable public client and native authentication flows

Enable native authentication in the Microsoft Entra admin center:
- In the Microsoft Entra admin center, browse to Applications > App registrations and select your app.
- Navigate to Authentication and select the Settings tab.
- Select the Allow native authentication and the Allow public client flow fields.

3. Grant admin consent

Once you register your application, it gets assigned the User.Read permission. However, since the tenant is an external tenant, the customer users themselves can't consent to this permission.
You as the admin must consent to this permission on behalf of all the users in the tenant:
- From the App registrations page, select the application that you created (such as ciam-client-app) to open its Overview page.
- Under Manage, select API permissions.
  a) Select Grant admin consent for <your tenant name>, then select Yes.
  b) Select Refresh, then verify that Granted for <your tenant name> appears under Status for the permission.

4. Create user flow in the external tenant

Follow these steps to create a user flow:
  1. Sign in to the Microsoft Entra admin center as at least an Application Developer.
  2. If you have access to multiple tenants, make sure you use the directory that contains your external tenant:
     a) Select the Directories + subscriptions icon in the toolbar.
     b) On the Portal settings | Directories + subscriptions page, find your external tenant directory in the Directory name list, and then select Switch.
  3. On the sidebar menu, select Identity.
  4. Select External Identities > User flows.
  5. Select + New user flow.
  6. On the Create page:
     a) Enter a Name for the user flow, such as SignInSignUpSample.
     b) In the Identity providers list, select Email Accounts. This identity provider allows users to sign in or sign up using their email address.
     c) Under Email accounts, you can select one of two options. For this tutorial, select Email one-time passcode.
        - Email with password: allows new users to sign up and sign in using an email address as the sign-in name and a password as their first-factor credential.
        - Email one-time passcode: allows new users to sign up and sign in using an email address as the sign-in name and an email one-time passcode as their first-factor credential. For this option to be available at the user flow level, make sure you enable email one-time passcode (OTP) at the tenant level (select All Identity Providers, then for Email One-time passcode select Configured, select the Yes option, and then select Save).
     d) Under User attributes, you can choose the attributes you want to collect from the user upon sign-up. For this guide, select Country/Region and City.
  7. Select Create. The new user flow appears in the User flows list.

5. Associate the application with the user flow

For the customer users to see the sign-up or sign-in experience when they use your app, you need to associate your app with a user flow. Although many applications can be associated with your user flow, a single application can only be associated with one user flow.
- On the sidebar menu, select Identity.
- Select External Identities, then User flows.
- In the User flows page, select the User flow name you created earlier, for example, SignInSignUpSample.
- Under Use, select Applications.
- Select Add application.
- Select the application from the list, such as ciam-client-app, or use the search box to find the application, and then select it.
- Choose Select.

6. Update your configuration code

You can build apps that use native authentication by using our native authentication APIs or the Microsoft Authentication Library (MSAL) SDK for Android and iOS/macOS. Below are the supported languages and frameworks:
- Android (Kotlin, Java)
- iOS/macOS (Swift, Objective-C)

For other languages and platforms, you can use our native authentication API. Whenever possible, we recommend using MSAL to add native authentication to your apps. The next step is to update your application's configuration code to support native authentication flows for Android or iOS/macOS. To do so, you need to add the challenge type field to your configuration. Challenge types are a list of values that the app uses to notify Microsoft Entra about the authentication methods it supports. We have the code samples below for Android and iOS/macOS. Clone the code sample for the language or platform of your choice.
Find the placeholders Enter_the_Application_Id_Here and Enter_the_Tenant_Subdomain in the configuration file listed in the table below and replace them with the Application (client) ID and Directory (tenant) subdomain. These details can be found in the Microsoft Entra admin center under Applications > App registrations; then select your app.

Language/Platform | Clone code sample | Code sample configuration file to be edited
Android (Kotlin) | https://github.com/Azure-Samples/ms-identity-ciam-native-auth-android-sample | app/src/main/res/raw/native_auth_sample_app_config.json (open in Android Studio)
iOS (Swift) | https://github.com/Azure-Samples/ms-identity-ciam-native-auth-ios-sample.git | NativeAuthSampleApp/Configuration.swift (open in Xcode)
macOS (Swift) | https://github.com/Azure-Samples/ms-identity-ciam-native-auth-macos-sample.git | NativeAuthSampleAppMacOS/Configuration.swift (open in Xcode)

7. Run and test the sample

Android mobile application - To build and run your app, follow these steps:
  1. In the Android Studio toolbar, select your app from the run configurations menu.
  2. In the target device menu, select the device that you want to run your app on. If you don't have any devices configured, you need to either create an Android Virtual Device to use the Android Emulator or connect a physical Android device.
  3. Select the Run button. The app opens the Email & OTP screen.

iOS/macOS application - To build and run your code, select Run from the Product menu in Xcode. After a successful build, Xcode will launch the sample app in the Simulator.

Kudos, you've successfully configured Microsoft Entra External ID native authentication on an Android or iOS/macOS app.

Next steps

Continue exploring Microsoft Entra External ID Native Authentication by checking out the documentation.
You can also explore other features in the Microsoft Entra portfolio by visiting our Developer center, Identity blog, and YouTube channel for tutorials, deep dives, and the latest news.

Start learning how Copilot can help you by watching Microsoft Copilot for Security Flight School
Where traditional approaches to enterprise security can isolate security professionals from each other and from business functions across highly fragmented environments, Microsoft Copilot for Security helps by redefining what security is and how security gets done. That's why we're thrilled to introduce Microsoft Copilot for Security Flight School! Building on the foundational learning in Learn Live: Get started with Microsoft Copilot for Security, host Ryan Munsch, Principal Tech Specialist at Microsoft, explores several intermediate technical topics (L200+) in our flight school videos—ranging from what Microsoft Copilot for Security is (and what it isn't) to key capabilities, experiences, and how to extend Copilot to your ecosystem. Each topical video is 10 minutes or less, aligning to relevant learning modules on Microsoft Learn. This can prove valuable for IT pros looking to enhance their ability to process security signals and protect at the speed and scale of AI.

Training topics include:
- What is Microsoft Copilot for Security?
- AI orchestration
- Standalone and embedded experiences
- Copilot in Entra, Intune, and Purview
- Manage your plugins
- Prompting Copilot
- Prompt engineering
- Using promptbooks
- Logic apps
- Extending Copilot to your ecosystem

Check out Microsoft Copilot for Security Flight School today.

Seamless authentication on Power Pages with Microsoft Entra External ID (Public Preview)
Developing a website can be time-consuming, particularly when it comes to figuring out how to authenticate users. Power Pages streamlines this process, allowing you to launch a website in just minutes. With External ID, you gain access to a comprehensive suite of resources for securing external identities, complete with extensive customization options. Integrating External ID on Power Pages simplifies authentication for your website so that you can focus on the rest of the application.

Advantages of using External ID include:
- Enhanced security: Businesses can ensure secure access for their users, protecting sensitive information and reducing the risk of unauthorized access.
- Improved user experience: A streamlined authentication process reduces complexity for users, providing a smoother and more intuitive experience.
- Scalability: The ability to handle large numbers of users and various identity providers makes this integration ideal for businesses of all sizes.

In this blog post, I will guide you through the setup of External ID on a Power Pages demo website.

Prerequisites
- An external tenant on Microsoft Entra Admin Center. If you don't have one, you can create one using our 30-day free trial or create an external tenant with an Azure subscription.
- Ensure you have the Application Administrator role and the External ID User Flow Administrator role on Microsoft Entra.
- A Power Pages environment or sign up for a . You'll need either a system administrator or a read-write user account.
- A demo site with a sign-up process (you can use the Starter layout 1, 2 or 3 templates from the list of Power Pages templates. These templates have login functionality. In this demo, we use Starter layout 1).

Set up External ID on your website

1. Log in to Power Pages and click Edit on the site where you want to configure an External ID provider. Click on Security, then click on Identity providers under Manage, then Configure beside Microsoft Entra External ID.
A guided wizard will pop up prompting you to enter configuration details.

2. Select your provider. Select Microsoft Entra External ID as your log-in provider. The provider's name is the label that will appear on the sign-in button. It can be something simple like 'Microsoft Entra External ID' or 'Log in with External ID'. Click Next.

3. Register your application in the Microsoft Entra admin center. Go to the Microsoft Entra admin center. Under Applications on the left, click on App registrations, then New registration. Enter a name for your app, for example 'power-pages-app'. Under Redirect URI, select Web as your platform, copy the Reply URL from Power Pages and paste it into the redirect URI field in the Microsoft Entra admin center. Click Register. On the power-pages-app Authentication tab, under the Implicit grant and hybrid flows section, select Access tokens and ID tokens and click Save. On the API permissions tab, grant admin consent.

4. Create a user flow. The user flow is the login experience. Navigate to External Identities > User flows. Click New user flow. Give the user flow a name, e.g. 'Power-pages-user-flow', and under Identity providers, select Email with password. Click Create.

5. Link the application to the user flow. On the user flow you just created (power-pages-user-flow), click Applications > Add application. Select your application, in this case 'power-pages-app', and click Select.

6. Go back to Power Pages and click the Next button to configure site settings. We need to provide the client ID and authority URL; these are available in the Microsoft Entra admin center. In the Microsoft Entra admin center, go to Applications > App registrations > All applications and select 'power-pages-app'. Copy and paste the Application (client) ID into the Power Pages fields. Click on Endpoints, copy the authority URL and the OpenID Connect metadata document, paste them into your site settings, and click Next.

7. Optional settings and review.
You can leave the optional settings and review as they are, click Confirm, then Close.

8. Make changes visible to your site. Go to the Power Platform admin center by navigating to the site and clicking the dots next to Preview, then select Admin center. Under Site Actions, click on Restart site. A confirmation dialog box will appear; click Restart. It will take a few minutes to complete and for the changes to be reflected on your site. Open your site URL and head over to the sign-in page. The button you configured in step 2, 'Microsoft Entra External ID', will now be visible. Click on it.

9. Sign up a new user with the sign-up flow. At the end of the user flow, you will be directed to complete the registration on the website. Enter the same email address and click Register. Finally, if you have a profile page, you can enter relevant user details, such as first and last name, and click Update.

Congratulations! You have now signed up your first user with External ID on Power Pages.

Let's recap

In this blog post, you have learned how to:
- Create an application and a user flow.
- Link the application to your user flow.
- Configure the Client ID, authority URL, and metadata address on Power Pages.
- Sign up and sign in an External ID user with email and password on your website.

Next steps

To learn more or test out features in the Microsoft Entra portfolio, visit our developer center. Make sure you subscribe to the Identity blog for more insights and to keep up with the latest on all things Identity. And follow us on YouTube for video overviews, tutorials, and deep dives.

Streamlining AI Compliance: Introducing the Premium Template for Indonesia's PDP Law in Purview
In today’s evolving regulatory environment, businesses must navigate complex data privacy laws while fostering customer trust, especially as AI transforms industries. To support organizations in meeting compliance requirements, we’re introducing the Premium Assessment Template for Indonesia's Personal Data Protection (PDP) Law within Microsoft Purview Compliance Manager. This powerful tool automates critical compliance tasks, simplifies assessments, and integrates seamlessly with Microsoft’s E5 security and Purview solutions, helping businesses reduce manual effort and ensure compliance more efficiently. Discover how this template can streamline your compliance efforts and build trust in an AI-driven world.