Azure AD allows seamless collaboration for any user with any account (towards the dream)

In a world where collaboration rocks, we always question where the security boundary lies. By now I hope we all agree that the answer relies on identity. Application access and controls should follow identity, so that people get the flexibility to work from anywhere while the required security is maintained.

Microsoft Azure Active Directory is now moving towards that dream. Today the public preview goes live for sharing resources (applications and data) with people from any organization, whether or not they have Azure AD or an IT department. Earlier, Microsoft worked closely with Google on social IDs for this task.

In this preview, an end user can use any type of e-mail ID to access resources in another organization, for true B2B collaboration. This works via email one-time passcodes (OTP). With this new capability you allow guest users to authenticate with their work email account, while making sure your corporate resources are protected by the same security standards that your partner organization mandates. Once the end user receives the code and it is verified, the session is valid for 24 hours. OTP codes themselves are valid for 30 minutes. These settings have been chosen carefully with security in mind.

In addition, we can apply extra security through Conditional Access and Multi-Factor Authentication (MFA), which are available with Azure Active Directory Premium.

A guest user will get a one-time passcode if all of the following are true:

  • They do not have an Azure AD account
  • They do not have a Microsoft account
  • The inviting tenant did not set up Google federation for @gmail.com and @googlemail.com users

OTP 1
(Picture credits goes to Microsoft Techcommunity)

OK, let's get into action and enable this feature now.

Log into the Azure portal and go to Azure Active Directory –> Organizational relationships –> Users from other organizations –> Settings.

Select "Enable Email One-Time Passcode for Guests (Preview)" and then save the changes.

image

Well, that's all you have to do. Head back to "Users from other organizations" and add the users. Once the above task is completed, it might take a little time to apply.

After that you can share resources with the outside party.

image

The first time the user gets the email, he/she has to go through the redemption procedure and accept the company policies. Once that is completed, when they try to access company resources they will be taken to a sign-in prompt and asked to request a code. Below is an example of such a situation:

OTP 2 / OTP 3
(Picture credits goes to Microsoft Techcommunity)

What is exciting is the new doors this opens for companies: they can give external parties secure access to their resources, knowing the control they have.

Extending on-premises Active Directory to Azure

Microsoft Azure is one of the biggest buzzwords in the technical world (at least in my world). Whenever I have a conversation about this with my customers, some of the questions and concerns they have are as follows:

1. Why should I care about another directory service when I already have Active Directory to manage my users and computers?

2. How can I extend my Active Directory?

3. Can I dump my on-prem Active Directory and use 100% Azure Active Directory?

Most of the time I end up explaining Azure Active Directory using a couple of pictures:

image

The above picture gives an idea of the similarity between Azure AD and on-prem AD. It is an easy way to give someone (I'm talking about business owners) an idea of what AD normally does.

The next picture is about how Azure AD can be used in a hybrid setup and open up a whole new world of cloud-based apps to an organization.

image

Now that is all the nice icing layer before we start the work.

My first attempt is to guide you through how to set up Azure AD and then integrate it with your local Active Directory.

First you need to have an Azure subscription. If you already have one, log in to the main portal:

image

On the right-hand side, scroll down until you find the section called "Active Directory":

image

You can see a couple of Active Directories created by me on the right-hand side. Please note that the Default directory is pre-created by Microsoft Azure. You can start using that or create your own Azure directory. To create your own AAD (Azure Active Directory), click New:

image

Select Directory and click "Custom":

image

Put in your own values here (note: make sure the domain name you provide is a unique one):

image

Once you complete the wizard, you have finished creating your AAD.

image

In the above picture you'll spend time creating users and groups for the new AD. For more information about this area, please visit here. In the next article we'll talk about how to integrate Azure AD with on-prem AD.