What's New in Entra ID for May 2024


Microsoft Entra ID

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its release notes for Entra ID, through the Microsoft 365 Message Center, the What's New hub in the Entra portal and Build's Book of News, Microsoft communicated the following planned, new and changed functionality for Entra ID for May 2024:

 

What's Planned

Changing default accepted token version for new applications Generally Available

Service category: Other
Product capability: Developer Experience

Starting August 2024, new Microsoft Entra applications created using any interface (including the Microsoft Entra admin center, Azure portal, PowerShell/CLI, and the Microsoft Graph application API) will have the default value of the requestedAccessTokenVersion property in the app registration set to 2. This is a change from the previous default of null (meaning 1). This means that new resource applications receive v2 access tokens instead of v1 access tokens by default. This improves the security of apps.
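A resource app that is registered for one token version should refuse tokens of the other version rather than silently accept both. The Python below is an added example, not code from the original post or from Microsoft: it decodes the payload of an access token, reads the ver claim that Entra ID stamps into every token ("1.0" or "2.0"), checks that the issuer has the form that belongs to that version, and compares the audience. The tenant ID, client ID, App ID URI and the three sample tokens are constructed placeholders, and the sample tokens are unsigned; a real API validates the signature against the tenant's published signing keys before trusting any claim.

```python
import base64
import json

# Issuer formats Entra ID uses for the two access token versions:
#   v1.0 tokens: https://sts.windows.net/{tenant-id}/
#   v2.0 tokens: https://login.microsoftonline.com/{tenant-id}/v2.0
ISSUER_BY_VERSION = {
    "1.0": "https://sts.windows.net/{tid}/",
    "2.0": "https://login.microsoftonline.com/{tid}/v2.0",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).decode().rstrip("=")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT checking the signature.
    Fine for inspection; an API must validate the signature against the tenant's
    signing keys before trusting any of these values."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_version(claims: dict) -> str:
    """Entra ID records the token format in the 'ver' claim ('1.0' or '2.0')."""
    ver = claims.get("ver")
    if ver not in ISSUER_BY_VERSION:
        raise ValueError(f"unexpected or missing 'ver' claim: {ver!r}")
    return ver


def issuer_matches_version(claims: dict) -> bool:
    """A v2 token must carry the v2 issuer form and vice versa; a mismatch is a
    reason to reject the token, not to guess which format it really is."""
    tid = claims.get("tid")
    if not tid:
        return False
    expected = ISSUER_BY_VERSION[token_version(claims)].format(tid=tid)
    return claims.get("iss") == expected


def accept_token(token: str, expected_version: str, expected_audience: str):
    """Checks a resource app applies after signature validation: the token must be
    the version matching its requestedAccessTokenVersion and be addressed to it."""
    claims = decode_claims(token)
    ver = token_version(claims)
    if ver != expected_version:
        return False, f"token is v{ver}, app expects v{expected_version}"
    if not issuer_matches_version(claims):
        return False, "issuer does not match token version"
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    return True, "ok"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for offline demonstration only."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed placeholders (not real tenant or app identifiers).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "66666666-7777-8888-9999-000000000000"
APP_ID_URI = "api://example-resource"  # v1 tokens carry the App ID URI as 'aud'

SAMPLE_V1 = make_unsigned_token({
    "ver": "1.0", "tid": TENANT_ID, "aud": APP_ID_URI,
    "iss": f"https://sts.windows.net/{TENANT_ID}/"})
SAMPLE_V2 = make_unsigned_token({
    "ver": "2.0", "tid": TENANT_ID, "aud": CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"})
# Claims that contradict each other: a v2 'ver' with a v1-shaped issuer.
SAMPLE_INCONSISTENT = make_unsigned_token({
    "ver": "2.0", "tid": TENANT_ID, "aud": CLIENT_ID,
    "iss": f"https://sts.windows.net/{TENANT_ID}/"})

if __name__ == "__main__":
    for name, tok in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("bad", SAMPLE_INCONSISTENT)]:
        print(name, accept_token(tok, "2.0", CLIENT_ID))
```

Note that the audience differs between the two formats: v1 tokens carry the App ID URI, v2 tokens carry the client ID, so an app that moves to requestedAccessTokenVersion 2 has to update its audience check as well.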

 

What's New

$select in signIn API Generally Available

Service category: Microsoft Graph
Product capability: Monitoring & Reporting

The long-awaited $select has been implemented into the signIn API. Utilize the $select to reduce the number of attributes that are returned for each log. This should greatly help organizations who deal with throttling issues, and allow every organization to run faster, more efficient queries.
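To show what $select buys in practice, here is an added example in Python (not code from the original post or from Microsoft) that composes a signIns query with $select, $filter and $top, walks every page through @odata.nextLink, and, when Graph answers HTTP 429, waits for the Retry-After seconds before retrying the same URL. The transport is injected so the block runs offline against a constructed FakeGraph that throttles once and then serves two constructed pages; the sign-in records, the error code and the skiptoken are all made up for the example.

```python
import time
from collections import Counter
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def build_signins_url(select, filter_expr=None, top=1000):
    """Compose the signIns query. $select keeps only the attributes named,
    which shrinks every page and reduces the chance of being throttled."""
    params = {"$select": ",".join(select), "$top": str(top)}
    if filter_expr:
        params["$filter"] = filter_expr
    return f"{GRAPH}/auditLogs/signIns?{urlencode(params, safe='$,:', quote_via=quote)}"


def fetch_all(url, get, sleep=time.sleep, max_retries=5):
    """Walk every page via @odata.nextLink. get(url) -> (status, headers, json).
    On HTTP 429, wait for the Retry-After seconds Graph asks for and retry the
    same URL instead of hammering the endpoint."""
    rows, retries = [], 0
    while url:
        status, headers, body = get(url)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("still throttled after retries")
            sleep(int(headers.get("Retry-After", "1")))
            continue
        if status != 200:
            raise RuntimeError(f"Graph returned HTTP {status}: {body}")
        retries = 0
        rows.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return rows


def failed_signins_by_error(rows):
    """Count failed sign-ins by status.errorCode (0 means success)."""
    return dict(Counter(r["status"]["errorCode"] for r in rows
                        if r.get("status", {}).get("errorCode", 0) != 0))


class FakeGraph:
    """Constructed offline stand-in: throttles the first call, then serves two pages."""
    PAGE1 = {
        "value": [
            {"id": "c1", "createdDateTime": "2024-05-20T08:00:00Z",
             "userPrincipalName": "jane@example.test", "status": {"errorCode": 0}},
            {"id": "c2", "createdDateTime": "2024-05-20T08:01:00Z",
             "userPrincipalName": "john@example.test",
             "status": {"errorCode": 50126}},  # invalid username or password
        ],
        "@odata.nextLink": GRAPH + "/auditLogs/signIns?$skiptoken=constructed",
    }
    PAGE2 = {"value": [
        {"id": "c3", "createdDateTime": "2024-05-20T08:02:00Z",
         "userPrincipalName": "jane@example.test", "status": {"errorCode": 0}}]}

    def __init__(self):
        self.calls = 0

    def get(self, url):
        self.calls += 1
        if self.calls == 1:
            return 429, {"Retry-After": "2"}, {"error": {"code": "TooManyRequests"}}
        return 200, {}, self.PAGE2 if "$skiptoken" in url else self.PAGE1


def demo():
    """Run the pager against the fake; returns (rows, seconds slept, calls made)."""
    fake, slept = FakeGraph(), []
    url = build_signins_url(["id", "createdDateTime", "userPrincipalName", "status"],
                            filter_expr="createdDateTime ge 2024-05-20T00:00:00Z")
    rows = fetch_all(url, fake.get, sleep=slept.append)
    return rows, slept, fake.calls


if __name__ == "__main__":
    rows, slept, calls = demo()
    print(len(rows), "sign-ins,", calls, "requests, slept", slept, failed_signins_by_error(rows))
```

For a real run, pass a get() that sends the URL with an Authorization: Bearer header and returns the status, headers and parsed JSON; everything else, including the throttling handling, stays the same.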

 

Multiple Passwordless Phone Sign-in for Android Devices Generally Available

Service category: Authentications (Logins)
Product capability: User Authentication

People can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported Android device. Consultants, students, and others with multiple accounts in Microsoft Entra can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same Android device. The Microsoft Entra accounts can be in the same tenant or in different tenants. Guest accounts aren't supported for multiple account sign-ins from one device.

 

Platform Single Sign-on for macOS with Microsoft Entra ID Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Platform Single Sign-on (Platform SSO) is an enhancement to the Microsoft Enterprise SSO plug-in for Apple devices that makes usage and management of Mac devices more seamless and secure than ever. At the start of public preview, Platform SSO works with Microsoft Intune. Other Mobile Device Management (MDM) providers are coming soon.

 

External authentication methods for multifactor authentication Public Preview

Service category: Multi-factor authentication (MFA)
Product capability: User Authentication

External authentication methods enable organizations to use their preferred multi-factor authentication (MFA) solution with Microsoft Entra ID.

 

Bicep templates support for Microsoft Graph Public Preview

Service category: Microsoft Graph
Product capability: Developer Experience

The Microsoft Graph Bicep extension brings declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. It allows developers and IT professionals to author, deploy, and manage core Microsoft Entra ID resources using Bicep template files, alongside Azure resources. Organizations can now use familiar tools, IaC and DevOps practices to deploy Azure resources together with the Microsoft Entra resources they depend on, such as applications and service principals. It also opens the door for organizations to use Bicep templates and IaC practices to deploy and manage their tenant's Entra resources.

 

Workflow History Insights in Lifecycle Workflows Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Lifecycle Management

Organizations can now monitor workflow health, and get insights throughout all their workflows in Lifecycle Workflows including viewing workflow processing data across workflows, tasks, and workflow categories.

 

Configure Lifecycle Workflow Scope Using Custom Security Attributes Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Lifecycle Management

Organizations can now leverage their confidential HR data stored in custom security attributes in addition to other attributes to define the scope of their workflows in Lifecycle Workflows for automating joiner, mover, and leaver (JML) scenarios.

 

Enable, Disable and Delete synchronized users accounts with Lifecycle Workflows Public Preview

Service category: Lifecycle Workflows
Product capability: Identity Lifecycle Management

Lifecycle Workflows can now enable, disable, and delete user accounts that are synchronized from Active Directory Domain Services (AD DS) to Microsoft Entra. This allows organizations to ensure that the offboarding processes of employees are completed by deleting the user account after a retention period.

 

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added ClearView Trade to the Entra Application Gallery with provisioning support. Organizations can now automate the creation, update and deletion of user accounts for this newly integrated app.

 

What's Changed

LastSuccessfulSignIn Generally Available

Service category: Microsoft Graph
Product capability: Monitoring & Reporting

Due to popular demand and increased confidence in the stability of the properties, Microsoft has now brought the LastSuccessfulSignIn and LastSuccessfulSigninDateTime properties into Microsoft Graph v1.0.

 

Windows Account extension renamed to Microsoft Single Sign On Generally Available

Service category: Authentications
Product capability: Single Sign-on (SSO)

The Windows Account extension is now the Microsoft Single Sign On extension in docs and Chrome store. The Windows Account extension has been updated to represent the new macOS compatibility. It's now known as the Microsoft Single Sign On extension for Chrome, offering single sign-on and device identity features with the Enterprise SSO plug-in for Apple devices. This is just a name change for the extension, there are no software changes to the extension itself.


On-premises Identity-related updates and fixes for May 2024


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for May 2024:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5037763 May 14, 2024

The May 14, 2024, update for Windows Server 2016 (KB5037763), updating the OS build number to 14393.6981, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses a known issue that might affect domain controllers (DC). NTLM authentication traffic might increase.
  • This update affects next secure record 3 (NSEC3) validation in a recursive resolver. Its limit is now 1,000 computations. One computation is equal to the validation of one label with one iteration. DNS Server Administrators can change the default number of computations.

 

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5036896 May 14, 2024

The May 14, 2024, update for Windows Server 2019 (KB5037765), updating the OS build number to 17763.5820, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update affects next secure record 3 (NSEC3) validation in a recursive resolver. Its limit is now 1,000 computations. One computation is equal to the validation of one label with one iteration. DNS Server Administrators can change the default number of computations.
  • This update addresses an issue that affects Active Directory. Bind requests to IPv6 addresses fail. This occurs when the requestor is not joined to a domain.
  • This update addresses a known issue that might affect domain controllers (DC). NTLM authentication traffic might increase.

KB5039705 May 23, 2024

The May 23, 2024, update for Windows Server 2019 (KB5039705), updating the OS build number to 17763.5830, is an out-of-band update to address a known issue when installing the KB5036896 May 14, 2024 update for Windows Server 2019. You may experience:

  • error code 0x800f0982 when installing the update on a Windows Server 2019-based Domain Controller with the English (United States) language pack.
  • error code 0x80004005 when installing on a Windows Server 2019-based Domain Controller without this language pack installed.

 

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5037782 May 24, 2024

The May 24, 2024, update for Windows Server 2022 (KB5037782), updating the OS build number to 20348.2461, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses a known issue that might affect domain controllers (DC). NTLM authentication traffic might increase.
  • This update addresses an issue that affects Wi-Fi Protected Access 3 (WPA3) in the Group Policy editor. HTML preview rendering fails.
  • This update addresses an issue that affects a server after you remove it from a domain. The Get-LocalGroupMember cmdlet returns an exception. This occurs if local groups contain domain members.
  • This update affects next secure record 3 (NSEC3) validation in a recursive resolver. Its limit is now 1,000 computations. One computation is equal to the validation of one label with one iteration. DNS Server Administrators can change the default number of computations.
  • This update addresses an issue that affects a workstation that is not in a domain. When you connect from it to a share and use an IPv6 address, you get the error ERROR_BAD_NET_NAME.

  • This update addresses an issue that affects Group Policy Folder Redirection in a multi-forest deployment. The issue stops admins from choosing a group account from the target domain. Because of this, they cannot apply advanced folder redirection settings to that domain. This issue occurs when the target domain has a one-way trust with the domain of the admin. This issue affects all Enhanced Security Admin Environment (ESAE), Hardened Forests (HF) and Privileged Access Management (PAM) deployments.

Four vulnerabilities in Veeam Backup Enterprise Manager were addressed in v12.1.2.172


Last week, Veeam addressed several vulnerabilities in components of its Backup Enterprise Manager that allow attackers to bypass authentication mechanisms and execute arbitrary code.

 

About Veeam Backup Enterprise Manager

Veeam Backup Enterprise Manager is a supplementary management and reporting application that allows admins to manage multiple Veeam Backup & Replication (VBR) installations from a single web console. With a number of Veeam Backup & Replication instances installed on different servers, Veeam Backup Enterprise Manager acts as a single management point. It allows admins to:

  • control license distribution,
  • manage backup jobs across the backup infrastructure,
  • analyze operation statistics of Veeam backup servers,
  • perform restore operations.

 

About the vulnerabilities

Veeam Backup Enterprise Manager v12.1.2.172, released on May 21st, 2024, addresses four vulnerabilities:

 

CVE-2024-29849

Severity: Critical
CVSS v3.1 Score: 

This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.

 

CVE-2024-29850

Severity: High
CVSS v3.1 Score: 

This vulnerability in Veeam Backup Enterprise Manager allows account takeover via NTLM relay.

 

CVE-2024-29851

Severity: High
CVSS v3.1 Score: 

This vulnerability in Veeam Backup Enterprise Manager allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.

 

CVE-2024-29852

Severity: Low
CVSS v3.1 Score: 

This vulnerability in Veeam Backup Enterprise Manager allows high-privileged users to read backup session logs.

 

Call to Action

The above vulnerabilities were addressed in Veeam Backup Enterprise Manager v12.1.2.172. For installations running v12.1.0.2132, an Updater is available. Older installations of Veeam Backup Enterprise Manager (starting with version 10.0.1.4854) can be upgraded using the ISO and the Upgrade Checklist.

Veeam Backup Enterprise Manager is a supplementary application. If it is not deployed in your environment, that environment would not be impacted by the above vulnerabilities.

Further reading

KB4510: Release Information for Veeam Backup & Replication 12.1 and Updates
KB4581: Veeam Backup Enterprise Manager Vulnerabilities

Related blogposts

A Critical Remote Code Execution vulnerability in Veeam Backup for Azure was automatically addressed
A Critical Vulnerability in Veeam Backup for Google Cloud was automatically addressed (CVE-2022-43549)


A Denial of Service vulnerability threatens the availability of virtual Domain Controllers on VMware ESXi (VMSA-2024-0011, Important, CVE-2024-22273)


Virtualization

This week, Broadcom VMware released an update that addresses a vulnerability in ESXi. This vulnerability could be abused to negatively impact the availability of virtual Domain Controllers running on ESXi hosts.

Note: 
The vulnerability exists in VMware Cloud Foundation, too.

The vulnerability was responsibly disclosed to Broadcom VMware.

 

About the DoS vulnerability

The vulnerability that an adversary can abuse to negatively impact the availability of virtual Domain Controllers running on ESXi hosts is a Denial of Service (DoS) vulnerability in the storage controllers on VMware ESXi, Workstation, and Fusion. These controllers have an out-of-bounds read/write vulnerability.

VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1 on VMware Workstation and VMware Fusion, and a CVSSv3 base score of 7.4 on VMware ESXi and VMware Cloud Foundation.

The vulnerability is tracked as CVE-2024-22273.

How an adversary could abuse the vulnerability

An adversary with access to a virtual machine with storage controllers enabled may exploit this issue to create a denial of service condition. In conjunction with other issues, an adversary could even execute code on the hypervisor from a virtual machine.

Workarounds

There are no workarounds available.

Responsibly disclosed

Hao Zheng (@zhz) and Jiaqing Huang (@s0duku) from TianGong Team of Legendsec at Qi'anxin Group have responsibly disclosed the vulnerability to Broadcom VMware.

 

The link to virtual Domain Controllers

Many Active Directory Domain Controllers run as virtual machines on top of VMware ESXi.

Abusing the vulnerability, an adversary can make the ESXi host unavailable from within a virtual machine running on that ESXi host. As virtual Domain Controllers typically run on ESXi hosts that also host other virtual machines, abusing the vulnerability may negatively affect the Active Directory database and Group Policy settings, including replicating these changes as authorized changes to all other Domain Controllers, including physical ones.

When Active Directory’s integrity is gone, it’s Game Over for 9/10 organizations.

 

Addressing the vulnerability

VMware addressed the vulnerability in the following versions:

  • For ESXi 8.0, versions ESXi80U2sb-23305545 and up are no longer vulnerable.
  • For ESXi 7.0, versions ESXi70U3sq-23794019 and up are no longer vulnerable.
  • ESXi 6.5 and ESXi 6.7 do not receive updates to address the vulnerability.

 

Concluding

Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2024-0011.

Further reading

Support Content Notification VMSA-2024-0011 – Support Portal
VMware finally addresses privilege escalation vulnerability in vCenter Server
VMSA-2022-0030 updates for VMware ESXi and vCenter Server
VMware ESXi 7.0 Update 3c’s cURL version is vulnerable
VMSA-2021-0014 updates for VMware ESXi and vCenter


I’m co-presenting a session at Experts Live Netherlands 2024


NBC Nieuwegein

Advertised as the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands will take place Tuesday June 4th, 2024 at Conference Center NBC in Nieuwegein. It’s a privilege to share the stage again with my buddy Raymond.

 

About Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. In its 15th year in existence, Experts Live organizes its Dutch knowledge event. Started as an idea from a small group of Dutch Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, aiming at 1750 visitors this year.

Both national and international speakers update the visitors in one day on the latest Microsoft technologies. Subsequently, through the years, many famous and notorious speakers delivered sessions on the Experts Live events.

 

About our session

Raymond and I are scheduled to deliver a 50-minute session in the Security track:

ALI BABA AND THE ENTRA ID TOKENS: SCRIPT AUTHENTICATION WITH THE MICROSOFT GRAPH

Event Hall II, 10:10 AM – 11:00 AM

As the AzureAD and MSOnline PowerShell modules get deprecated, we're adapting to accessing Entra ID using the Microsoft Graph. This session clarifies how to authenticate in new ways, focusing on App Registrations, Mg*-modules, tokens, and App Permissions. We'll debate the need for App Registrations, the advantages and drawbacks of secrets versus certificates or federated authentication, and the practicalities of these methods. Attendees learn about federated authentication's applicability, Mg*-modules' authentication compatibility, and the functionalities of access tokens.

We share our first-hand experiences in developing scripts for this new authentication framework. Join us to gain insights and practical skills for a smooth transition to scripting with the Microsoft Graph for Entra ID.

 

Join us!

Experts Live Netherlands hasn’t sold out yet, but there are only a handful of tickets left. Snag yours before it’s too late (ticket page in Dutch) and join us!

Further reading

I’m co-presenting a session at Experts Live Netherlands 2022
I’m speaking at Experts Live Netherlands 2019
I’m speaking at Experts Live Netherlands 2018
I’ll be co-presenting two sessions at Experts Live 2016
I’ll be co-presenting two sessions at Experts Live 2015
I'll be presenting at Experts Live 2014
I’ll be speaking at Experts Live 2013


Entra's Cross-tenant Access Settings, Part 3: How to optimize end-user experiences and privacy


Microsoft Entra ID

Entra External ID, Microsoft's Business to Business (B2B) collaboration feature, has recently gained significant functionality to customize the end-user experience when people in the organization collaborate in Entra-integrated functionality, when this functionality is integrated in the Entra tenant of another organization.

In this series of blogposts, I share how Entra's Cross-tenant Access Settings can be used to optimize the end-user experience. This information is useful both for Entra administrators who have people collaborating in another tenant and for Entra admins who have guest accounts in their tenant to facilitate access to their functionality.

Note:
In this series, I merely talk about the Entra External ID functionality that is based on Entra to Entra collaboration.

The first post in this series defined the settings. In the second blogpost I explained how to manage common B2B collaboration scenarios. Today, it's time to optimize the experience and privacy exposure of end-users in your organization.

 

The default redemption process

By default, when a person in your organization is invited to collaborate by a person in another organization using Entra, the process looks like this:

Figure: Entra External ID default flow

 

The flow is triggered by a person or admin in the third-party organization when he, she or they invite a person from your organization. Entra ID automatically creates a guest account if the DNS domain name of your organization is one that invitations may be sent to. Then, an invitation is sent. The person in your organization receives the invitation and clicks the link to get access to the shared functionality. This triggers an update to the guest account, as the invitation has been redeemed. In the Entra tenant of the third-party organization, the person then needs to give consent for the use of his, her or their data. Then, multi-factor authentication (MFA) registration is required in the third-party Entra tenant. The MFA registration is subsequently stored in the guest account. Then, the person can access the shared functionality.

 

How Cross-tenant access settings can be used to optimize the end-user experience

Cross-tenant access settings can modify the way end-users in your organization collaborate.

The External collaboration settings pane in Entra, and the Sharing Policies in SharePoint Online both offer options to limit the organizations where people in your organization can send invitations to. Cross-tenant access settings is the only pane where admins (of other Entra tenants) can configure the way people in your organization can redeem invitations and how they sign in to collaborate.

Making your MFA methods work in partner organizations

With default settings, when people in your organization are invited by partner organizations, they need to register a multi-factor authentication (MFA) method in the partner organization's Entra tenant at first sign-in. This change has been in effect since last year and may already have prompted a change in your organization's guest access processes in the context of Entra External ID.

In this case, the flow is changed to the following flow:

Figure: Entra External ID flow without registering multi-factor authentication

From a privacy and security point of view, you might want a partner organization to trust the multi-factor authentication (MFA) methods that people in your organization have registered when they access resources in the partner organization. This prevents people in your organization from providing personally identifiable information (PII), like their phone number, to another organization, outside of the control of your organization. In the processing agreement, terms and conditions, terms of use and/or security agreement and/or security addendum with the partner organization:

  • Agree upon multi-factor authentication (MFA) methods that are allowed for both organizations.

Tip!
Agree upon allowing and/or requiring phishing-resistant MFA methods and blocking phone- and/or text message-based methods, wherever possible.

  • Request an admin to perform the following steps:
    • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
    • In the left navigation pane, expand the External Identities  menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
    • Click the Organizational settings tab.
    • Under Organizational settings, follow the + Add organization link to onboard your organizations by specifying your organization's DNS domain names or tenant IDs.
    • After onboarding, for your organization in the list of organizations, under Inbound access, click the Inherited from default link. This takes you to the Inbound access settings pane for your organization.
    • Click the Trust settings tab.
    • Select the Customize settings option to deviate from the Default settings.
    • Select the Trust multifactor authentication from Microsoft Entra tenants option.
    • Click Save at the bottom.
  • Optionally, request an admin to perform the following steps:
    • Configure a dynamic group that includes all guest users from your organization and configure this group as the scope for a Conditional Access policy to require phishing-resistant multi-factor authentication using the Require authentication strength option as the Grant option.

Making your device compliance work in partner organizations

With default settings, when people in your organization are invited by partner organizations and sign in, their device compliance is not used for authorization decisions in Conditional Access in the partner organization's Entra tenant. From a security point of view, you might want a partner organization to require device compliance before allowing access for people in your organization. Device compliance is a strong security requirement that allows for a more holistic access approach beyond merely requiring multi-factor authentication 'at the gate'.

This does not change the flow from the point of view of a person in your organization.

Note:
Each partner organization that you work with on device compliance as a security measure needs Entra Premium licenses to use Dynamic Groups and Conditional Access.

In the processing agreement, terms and conditions, terms of use and/or security agreement and/or security addendum with the partner organization:

  • Agree upon device compliance as a security measure between your organizations.
  • Request an admin to perform the following steps:
    • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
    • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
      • Click the Organizational settings tab.
      • Under Organizational settings, follow the + Add organization link to onboard your organizations by specifying your organization's DNS domain names or tenant IDs.
      • After onboarding, for your organization in the list of organizations, under Inbound access, click the Inherited from default link. This takes you to the Inbound access settings pane for your organization.
      • Click the Trust settings tab.
      • Select the Customize settings option to deviate from the Default settings.
      • Select the Trust compliant devices option.
      • Click Save at the bottom.
    • In the left navigation menu, expand the Groups menu node and click the All groups menu item. This takes you to the Groups | all groups pane.
      • Follow the + New group link. This takes you to the New Group pane.
      • Enter a Group Name.
      • Change the Membership type from Assigned to Dynamic User.
      • Follow the Add dynamic query link. This takes you to the Dynamic membership rules pane.
      • In the table of rules, in the Property column, select the userPrincipalName attribute. In the Operator column, select the Match operator. In the Value column, customize domaintld in the following string for your organization to match your domain.tld DNS domain name (without dots):

_domaintld#EXT#@

      • Click outside of the Value field and then click Save at the top of the Dynamic membership rules pane. This takes you back to the New Group pane.
      • Click Create at the bottom of the New Group pane.
    • In the left navigation menu, expand the Protection menu node and click Conditional Access. This takes you to the Conditional Access | Overview pane.

Tip!
The steps below create a new Conditional Access policy. When a policy has already been created for other partner organizations, edit that policy to include the additional dynamic group in its scope instead of creating a new policy. This avoids reaching the current limit of 195 Conditional Access policies per Entra tenant.

      • Click + Create new policy. This takes you to the New pane.
      • Enter a Name for the Conditional Access policy.
      • Under Assignments and then Users, follow the 0 users and groups selected link. Under Include, select Select users and groups and then Users and groups. The Select users and groups blade appears.
      • Select the group created earlier for the partner organization and click Select at the bottom of the blade.
      • Under Assignments and then Target resources, follow the No target resources selected link. Under Include, select All cloud apps.
      • Under Access controls and then Grant, follow the 0 controls selected link. The Grant blade appears. Select the Require device to be marked as compliant option and click Select at the bottom of the blade.
      • At the bottom of the pane, under Enable policy, select On. Then, click Create.

 

Concluding

If security and privacy concerns govern the way your organization does B2B collaboration, Entra's cross-tenant access settings allow for optimizing it throughout the supply chain.

Take advantage, today!


Multi-Factor Authentication Server versions 8.1.15.1 and 8.1.16.1 address an AD FS Adapter installation issue


Microsoft Azure Multi-Factor Authentication

On May 13th, 2024, Microsoft released versions 8.1.15.1 and 8.1.16.1 of its MFA Server product, which allows organizations to add multi-factor authentication to RADIUS-, AD FS-, IIS-based and other on-premises authentication scenarios.

 

Versions 8.1.15.1 and 8.1.16.1

MFA Server v8.1.15.1 is intended for use on:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

MFA Server v8.1.16.1 is intended for use on:

  • Windows Server 2019
  • Windows Server 2022

 

What’s New

The release notes mention one change. These versions address an issue with the Multi-Factor Authentication Active Directory Federation Services (AD FS) adapter installer. This issue prevented successful installations.

 

Known Issues

Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2, and up.

 

Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal and/or AD FS adapter. Read the guidance in the How to Upgrade section in this blogpost for more information.

 

Download

You can download Azure Multi-Factor Authentication Server 8.1.15.1 and 8.1.16.1 here.
The downloads weigh 145.8 MB and 149 MB, respectively.

 

Version information

These are versions 8.1.15.1 and 8.1.16.1 of Multi-Factor Authentication Server.
It was signed off on May 13th, 2024.

Further reading

Existing Azure MFA Server deployments stop working starting September 30, 2024
TODO: Migrate from Azure MFA Server to Azure multi-factor authentication
Multi-Factor Authentication Server version 8.1.10.1 addresses service crashes during activation
Multi-Factor Authentication Server version 8.1.9.1 offers improved migration abilities


Entra's Cross-tenant Access Settings, Part 2: How to manage common B2B collaboration scenarios


Microsoft Entra ID

Entra External ID, Microsoft's Business to Business (B2B) collaboration feature, has recently gained significant functionality to customize the end-user experience when people in the organization collaborate in Entra-integrated functionality, when this functionality is integrated in the Entra tenant of another organization.

In this series of blogposts, I share how Entra's Cross-tenant Access Settings can be used to optimize the end-user experience. This information is useful both for Entra administrators who have people collaborating in another tenant and for Entra admins who have guest accounts in their tenant to facilitate access to their functionality.

Note:
In this series, I merely talk about the Entra External ID functionality that is based on Entra to Entra collaboration.

In the first blogpost, I discussed the settings. Now, let's look at managing common B2B collaboration scenarios.


Cross-tenant access settings can modify the way end-users in your organization collaborate.

The External collaboration settings pane in Entra, and the Sharing Policies in SharePoint Online both offer options to limit the organizations where people in your organization can send invitations to. Cross-tenant access settings is the only pane where admins can configure the organizations from which invitations can be redeemed and accessed.


Block a specific organization in Entra External ID


Blocking a specific organization

To block a specific organization for collaboration, for instance because it is a competitor, perform these steps while using the default settings for cross-tenant access:

  • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
  • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
  • Click on the Organization settings tab.
  • Under Organizational settings, follow the + Add organization link to onboard the organizations with which you want to block your people from collaborating, by specifying their DNS domain names or tenant IDs.
  • After onboarding, under Outbound access, per organization, click the Inherited from default link. This takes you to the Outbound access settings pane for the organization.
  • Change the radio option from Default settings to Customize settings.
  • Under Users and groups, change the Access status setting to Block access.
  • Click Save at the bottom of the Outbound access settings pane for the organization.


Block a specific organization for a specific group

Blocking a specific organization for specific people in your organization

To block a specific organization for collaboration for specific users, based on group membership, perform these steps while using the default settings for cross-tenant access:

  • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
  • Create a group in Entra, or synchronize a group from Active Directory with a name that indicates the usage of the group, adhering to your organization's naming standard.
  • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
  • Click on the Organization settings tab.
  • Under Organizational settings, follow the + Add organization link to onboard the organizations with which you want to block these people from collaborating, by specifying their DNS domain names or tenant IDs.
  • After onboarding, under Outbound access, per organization, click the Inherited from default link. This takes you to the Outbound access settings pane for the organization.
  • Change the radio option from Default settings to Customize settings.
  • Under Users and groups, change the Access status setting to Block access.
  • Under Users and groups, change the Applies to setting to Select users and groups.
  • Follow the Add users and groups link. The Select Item blade appears.
  • Select the group you created or synchronized earlier. Click the Select button at the bottom of the blade to save the selection and close the blade.
  • The selected group is added to the list on the Outbound access settings pane for the organization.
  • Click Save at the bottom of the Outbound access settings pane for the organization.


Block external access to a specific app

Blocking a specific application for external users

To block a specific application for external users, perform these steps:

  • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
  • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
  • Click on the Default settings tab.
  • Under Inbound access settings, click the Edit inbound defaults link. This takes you to the Inbound access settings – Default settings pane.
  • Click the B2B collaboration tab, then click the Applications tab.
  • Change the Access status setting from Allow access to Block access.
  • Under Applies to, select Select applications.
  • Follow the Add Microsoft applications and/or Add other applications links.
  • Select the application(s) for which you want to block access for external users. Then, click the Select button at the bottom of the blade.
  • Click Save at the bottom of the Inbound access settings – Default settings pane.


Only allow specific partners to collaborate with

Limiting the partner organizations to collaborate with externally

To limit the partner organizations to collaborate with externally, perform these steps:

  • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
  • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
  • Click on the Default settings tab. This takes you to the Default settings pane.
  • Scroll down to Outbound access settings and click on the Edit outbound defaults link. This takes you to the Outbound access settings – Default settings pane.
  • Under Users and groups, change the Access status setting from Allow access to Block access.
  • Click Save at the bottom of the Outbound access settings – Default settings pane.
  • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal again or click on Cross-tenant access settings in the breadcrumbs. This takes you back to the External Identities | Cross-tenant access settings pane.
  • Click on the Organization settings tab.
  • Under Organizational settings, follow the + Add organization link to onboard the organizations with which you want to allow your people to collaborate, by specifying their DNS domain names or tenant IDs.
  • After onboarding, under Outbound access, per organization, click the Inherited from default link. This takes you to the Outbound access settings pane for the organization.
  • Change the radio option from Default settings to Customize settings.
  • Under Users and groups, change the Access status setting to Allow access.
  • Click Save at the bottom of the Outbound access settings pane for the organization.

Tip!
Microsoft Defender for Cloud Apps can be used to create an inventory of partner organizations people in your organizations collaborate with, based on sign-ins. This information can be used to define existing partner organizations.


Only allow a specific partner organization for a specific group

Limiting working with a specific partner organization based on group membership

Assuming you have already limited the partner organizations to collaborate with externally (previous action), to limit working with a specific partner organization based on group membership, perform these steps:

  • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
  • Create a group in Entra, or synchronize a group from Active Directory with a name that indicates the usage of the group, adhering to your organization's naming standard.
  • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
  • Click on the Organization settings tab.
  • Under Organizational settings, follow the + Add organization link to onboard the partner organization with which you want to allow these people to collaborate, by specifying its DNS domain names or tenant ID.
  • After onboarding, under Outbound access, per organization, click the Inherited from default link. This takes you to the Outbound access settings pane for the organization.
  • Change the radio option from Default settings to Customize settings.
  • Under Users and groups, change the Access status setting to Allow access.
  • Under Users and groups, change the Applies to setting to Select users and groups.
  • Follow the Add users and groups link. The Select Item blade appears.
  • Select the group you created or synchronized earlier. Click the Select button at the bottom of the blade to save the selection and close the blade.
  • The selected group is added to the list on the Outbound access settings pane for the organization.
  • Click Save at the bottom of the Outbound access settings pane for the organization.
  • Under Organizational settings, onboard the DNS domain names or tenant IDs of the organization in which you want to allow specific people to collaborate, or navigate to the partner organization in the list of organizations to change its settings.
  • Per organization, change the Organizational settings to only allow the group to collaborate with that organization.


Concluding

Entra's cross-tenant access settings allow for managing common B2B collaboration scenarios that were previously unmanageable on a per-organization basis through Entra's external collaboration settings, Entra's Identity Providers, SharePoint's sharing policies and even through Conditional Access.

In the next blogpost in this series, let's look at optimizing the end-user experience and privacy settings through the same cross-tenant access settings.


Identity-related sessions at Microsoft Build 2024

Reading Time: 4 minutes

Microsoft Build 2024

Microsoft organizes Microsoft Build 2024 as a free digital event between Tuesday May 21st 6 PM CEST and Friday May 24th 11 AM CEST.

Microsoft Build is Microsoft’s annual conference event, aimed at software engineers and web developers using Windows, Microsoft Azure and other Microsoft technologies. First held in 2011, it serves as a successor for Microsoft's previous developer events, the Professional Developers Conference (PDC) and MIX.

During Build 2024, you can enjoy the following Identity-related sessions:


Break-out sessions

Break-out sessions are 45-minute sessions that can be enjoyed both online and in person in Seattle. These sessions will be recorded.

BRK221 Secure your Intelligent Applications with Microsoft Entra

Speakers: Pamela Fox, Matt Gotteiner
Date: Wednesday May 22nd, 8:45 PM – 9:30 PM CEST

Join this session to learn how to automatically set up authentication for your intelligent apps, and how to add access control to your app and data. See how to register your AI apps via Microsoft Graph API or Bicep and discover best practices for token validation and refresh with MSAL libraries. We'll walk through how to choose the right OAuth flows for server-side or Single-page applications, use App Service's built-in authentication and filter output based on the authenticated user.

On-demand sessions

On-demand sessions are available during Build for online viewing by both attendees online and in person in Seattle. These sessions have previously been recorded.

OD503 The Latest in Windows Security for Developers

Speaker: Katherine Holdsworth

Let's explore the cutting-edge features that secure Windows. We will discuss the newest silicon assisted security, key protection, Win32 app isolation, privilege protection for admin users, passkeys, Personal Data Encryption, attestation, and more. Discover how you can build more secure applications and protect your data and identities. Don't miss out on learning about the future of Windows Security and how you can benefit as a developer.


Demo sessions

Demo sessions are available for people attending Microsoft Build in person in Seattle. These sessions are not recorded.

DEM710 GenAI Gateway Capabilities in Azure API Management

Speakers: Nima Kamoosi, Bruce Moe
Date: Tuesday May 21st, 11:30 AM – 12:30 PM PST

We will demonstrate how API Management can be configured for authentication and authorization for OpenAI endpoint, enforcing rate limits based on OpenAI tokens used, load balancing across multiple OpenAI endpoints and more.


DEM760 Create secure applications in minutes with VS Code and External ID

Speaker: Katherine Legg
Date: Tuesday May 21st, 11:30 AM – 12:30 PM PST

Learn how to use the Microsoft Entra External ID extension for Visual Studio Code to create your first External ID application completely within your IDE. Bootstrap your development with pre-configured sample applications to quickly get you started.


DEM766 Simple and secure app authentication with authentication brokers

Speakers: Medhir Bhargava, Den Delimarsky
Date: Wednesday May 22nd, 2:45 PM – 3 PM PST

We delve into the integration of Web Account Manager (WAM) on Windows through various MSAL libraries such as MSAL.NET, MSAL Python, and MSAL Java. The session will highlight the seamless authentication experiences enabled by WAM, which simplifies account management on Windows devices. We'll explore how MSAL libraries facilitate public client authentication flows with Microsoft Entra ID, enhancing web, mobile, and desktop applications.

DEM768 Create pixel perfect authentication experiences for native mobile apps

Speaker: James Casey
Date: Thursday May 23rd, 12:45 PM – 1 PM PST

The Authentication API and SDK in External ID allow developers to create pixel perfect UX for sign in and sign up experiences in their mobile applications. Join our product experts to explore the APIs and SDKs for Microsoft Entra External ID that give you the control and flexibility to create fully custom and secure login experiences on mobile devices.


Lab sessions

Lab sessions are available for people attending Microsoft Build in person in Seattle. These sessions are not recorded.

LAB360 Implement security through a pipeline using Azure DevOps

Speakers: Charles Pluta, Anthony Shaw
Date: Tuesday May 21st, 4:45 PM – 5:45 PM PST
Thursday May 23rd, 8:30 AM – 9:30 AM PST

Managed identities offer a secure method for controlling access to Azure resources. Azure handles these identities automatically, allowing you to verify access to services compatible with Microsoft Entra authentication. This means you don't need to embed credentials into your code, enhancing security. In Azure DevOps, managed identities can authenticate Azure resources within your self-hosted agents, simplifying access control without compromising security.


LAB361 Securing Applications with Microsoft Entra ID

Speaker: Robert Stewart
Date: Tuesday May 21st, 11:30 AM – 12:30 PM PST
Wednesday May 22nd, 11:45 AM – 12:45 PM PST
Thursday May 23rd, 8:30 PM – 9:30 PM PST

Applications are the backbone of your organization and often have access to information and systems of critical importance. Learn how you can use identities, authentication, authorization, Conditional Access and other tools to ensure that an application runs securely. Explore how to add it to Microsoft Entra ID, grant access to only the resources it should connect to, control which users can work with it and how to ensure it has secure secrets to use to connect with resources using Azure Key Vault.

On-demand lab sessions

On-demand lab sessions are available on demand in room 320 at the Seattle Convention Center.

ODLAB390 Boost your app security with real time biometric authentication

Integrate simple-to-use APIs to upgrade your mobile, web or desktop apps with high-assurance identity verification to reduce friction and risk from account takeover and impersonation.


Entra's Cross-tenant Access Settings, Part 1: Introduction

Reading Time: 9 minutes

Microsoft Entra ID

Entra External ID, Microsoft's Business to Business (B2B) collaboration feature, has recently gained significant functionality to customize the end-user experience when people in the organization collaborate in Entra-integrated functionality, when this functionality is integrated in the Entra tenant of another organization.

In this series of blogposts, I share how Entra's Cross-tenant Access Settings can be used to optimize the end-user experience. This information is useful both for Entra administrators who have people collaborating in another tenant and for Entra admins who have guest accounts in their tenant to facilitate access to their functionality.

Note:
In this series, I merely talk about the Entra External ID functionality that is based on Entra to Entra collaboration.

In this first blogpost of this series, I'll explain how Entra's cross-tenant access settings differ from other settings and what they bring to the table.


Cross-tenant access settings vs. other settings

First, I need to make clear that the Cross-tenant access settings are different from the settings on the External collaboration settings pane in Entra, the All Identity Providers pane in Entra and within the Sharing Policies in SharePoint Online.

External collaboration settings (Entra)

The External collaboration settings pane in Entra offers to configure:

  • Guest user access restrictions
    This setting determines whether guests have full access to enumerate all users and group memberships (most inclusive), limited access to other users and memberships, or no access to other users and group memberships including groups they are a member of (most restrictive).
  • Guest invite restrictions
    This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources. This setting can be configured as:

    • Anyone in the organization can invite guest users including guests and non-admins (most inclusive)
    • Member users and users assigned to specific admin roles can invite guest users including guests with member permissions
    • Only users assigned to specific admin roles can invite guest users
    • No one in the organization can invite guest users including admins (most restrictive)
  • Guest self-service sign up via user flows
    This setting can be configured as Yes or No.

    • Yes means that you can enable self-service sign up for guests via user flows associated with applications in your directory.
    • No means that applications cannot be enabled for self-service sign-up by guests and require them to be invited to your directory.
  • External user leave settings
    With this setting you can allow external users to remove themselves from your organization (recommended). This setting can be configured as Yes or No.

    • Yes means that the end user can leave the organization without approval from the admin.
    • No means that the end user will be guided to review the privacy statement and/or contact the privacy contact for approval to leave.
  • Collaboration restrictions
    Cross-tenant access settings are also evaluated when sending an invitation, to determine whether the invite should be allowed or blocked for DNS domain names. The collaboration restrictions can be configured as:

    • Allow invitations to be sent to any domain (most inclusive)
    • Deny invitations to the specified domains
    • Allow invitations only to the specified domains (most restrictive)


All Identity providers (Entra)

Recently, Microsoft has moved the Email one-time passcode settings to the All identity providers pane, where admins can configure the default identity providers (Entra ID, Microsoft Account and Email one-time passcode) and add SAML/WS-Fed-based identity providers, Google and Facebook as additional identity providers.

On the All identity providers pane, Email one-time passcode as identity provider can be enabled or disabled for guests. By default Email one-time passcode is enabled as identity provider for guests.


Sharing Policies (SharePoint Online)

The Policies for Sharing in the SharePoint admin center control sharing at the organization level in SharePoint and OneDrive. Here, admins can configure:

  • External sharing
    This setting configures the scope in which content can be shared, individually for SharePoint and OneDrive:
    (Sharing for each individual site and OneDrive can be further restricted beyond these settings)

    • Anyone
      User can share files and folders using links that don't require sign-in. (most permissive)
    • New and existing guests
      Guests must sign in or provide a verification code.
    • Existing guests
      Only guests already in your organization's directory.
    • Only people in your organization
      No external sharing allowed. (least permissive)
  • More external sharing settings
    These settings allow admins to enable or disable the following sharing functionality:

    • Limit external sharing by domain (followed by adding DNS domain names to allow)
    • Allow only users in specific security groups to share externally (followed by managing security groups to allow)
    • Guests must sign up using the same account to which sharing invitations are sent
    • Allow guests to share items they don't own
    • Guest access to a site or OneDrive will expire automatically (followed by specifying a number of days as the expiration period)
    • People who use a verification code must reauthenticate after this many days (followed by specifying a number of days after which guests using Email one-time passcodes need to reauthenticate)
  • File and folder sharing settings
    • File and folder links scope
      This setting specifies the type of link that's selected by default when users share files and folders in SharePoint and Onedrive:

      • Specific people (only the people the user specifies)
      • Only people in your organization
      • Anyone with the link
    • Default file and folder links permission
      This setting specifies the permission that's selected by default for sharing links:

      • View
      • Edit
    • File and folder links to anyone with the link expiration
      Specifically, for file and folder links to anyone with the link (when specified as the file and folder scope), expiration can be specified as the number of days as the expiration period.
    • File and folder links to anyone with the link granular permissions
      Specifically, for file and folder links to anyone with the link (when specified as the file and folder scope), permissions can be specified more restrictively, for files and folders separately.
  • Other settings
    Under Other settings, admins can configure these settings:

    • Show owners the names of people who viewed their files in OneDrive
    • Let site owners choose to display the names of people who viewed files or pages in SharePoint
    • Use short links for sharing files and folders


As you can see, some settings overlap with the cross-tenant access settings. Specifically, the domain restrictions in the context of the collaboration restrictions setting on the External collaboration settings pane in Entra, the Limit external sharing by domain setting in the SharePoint admin center (for SharePoint specifically) and the cross-tenant access settings may interact, leading to longer troubleshooting, potentially across multiple teams managing different aspects of the Microsoft Cloud, especially when troubleshooting access to SharePoint Online and OneDrive.

Cross-tenant access settings

As you might imagine, I think the settings on the External collaboration settings pane in Entra, the All Identity Providers pane in Entra and within the Sharing Policies in SharePoint Online are lacking. Cross-tenant access settings offer vast opportunities to manage B2B collaboration and optimize the end-user experience.

Cross-tenant access settings offer Organizational settings, Default settings and Microsoft cloud settings:

Default settings

The default settings on the Cross-tenant access settings pane underneath External Identities in the Entra portal allow admins to configure default Inbound access settings, Outbound access settings and Tenant restrictions.

For Inbound access settings, the types of settings for which an admin can configure default settings include:

  • B2B collaboration
    B2B collaboration inbound access settings let you collaborate with people outside of your organization by allowing them to sign in using their own identities. These users become guests in your Microsoft Entra tenant. You can invite external users directly or you can set up self-service sign-up so they can request access to your resources. By default, B2B Collaboration is enabled for external users and groups for all applications. For B2B collaboration, admins can:

    • Allow or block inbound access to external users and groups
    • Allow or block all applications or merely specific applications (where a block in the previous setting also blocks all external applications)
    • Configure the redemption order for identity providers. Admins can enable and specify the order of identity providers that your guest users can sign in with when they redeem their invitation. Additionally, identity providers and fallback identity providers (currently Microsoft Account and Email one-time passcode) can be disabled granularly.
  • B2B direct connect
    B2B direct connect inbound access settings determine whether users from external Microsoft Entra tenants can access your resources without being added to your tenant as guests. By selecting "Allow access" below, you're permitting users and groups from other organizations to connect with you. To establish a connection, an admin from the other organization must also enable B2B direct connect. By default, B2B direct connect is disabled. For B2B direct connect, admins can:

    • Allow or block access to external users and groups
    • Allow or block all applications or merely specific applications (where, again, block all users also blocks all external applications)
  • Trust settings
    In the Trust settings, Admins can configure whether their Conditional Access policies accept claims from other Microsoft Entra tenants when external users access their resources. The default settings apply to all external Microsoft Entra tenants except those with organization-specific settings. This is where admins can start tailoring the end-user experience for end-users beyond simply blocking. By default, all the options under Trust Settings are disabled. Admins can choose to:

    • Trust multifactor authentication from Microsoft Entra tenants
    • Trust compliant devices
    • Trust Microsoft Entra hybrid joined devices

For Outbound access settings, the types of settings for which an admin can configure default settings include:

  • B2B collaboration
    Outbound access settings determine how your users and groups can interact with apps and resources in external organizations. The default settings apply to all your cross-tenant scenarios unless you configure organizational settings to override them for a specific organization. Default settings can be modified but not deleted. By default, B2B Collaboration is enabled for users and groups in your tenant for all applications. For B2B collaboration, admins can:

    • Allow or block outbound access to specific users and groups in the tenant
    • Allow or block all external applications or merely specific applications (where a block in the previous setting also blocks all external applications)
  • B2B direct connect
    B2B direct connect lets your users and groups access apps and resources that are hosted by an external organization. To establish a connection, an admin from the external organization must also enable B2B direct connect. When you enable outbound access to an external organization, limited data about your users is shared with the external organization, so that they can perform actions such as searching for your users. More data about your users may be shared with an organization if they consent to that organization's privacy policies. By default, B2B direct connect is disabled. For B2B direct connect, admins can:

    • Allow or block access to all users and groups in the tenant or specific users and groups in the tenant.
    • Allow or block all external applications or merely specific applications (where, again, block all users also blocks all external applications)
  • Trust settings
    The Trust settings is where admins can start tailoring the end-user experience for end-users beyond simply blocking. By default, all the options under Trust Settings are disabled. Admins can:

    • Trust multifactor authentication from Microsoft Entra tenants
    • Trust compliant devices
    • Trust Microsoft Entra hybrid joined devices

Tenant restrictions lets admins control whether their users can access external applications from their network or devices using external accounts, including accounts issued to them by external organizations and accounts they've created in unknown tenants. Within Tenant restrictions, admins can select which external applications to allow or block. These default settings apply to all external Microsoft Entra tenants except those with organization-specific settings.


Organizational settings

The organizational settings on the Cross-tenant access settings pane underneath External Identities in the Entra portal allow admins to add an organization by tenant ID or DNS domain name. That way, for that Entra tenant, admins can specify Inbound access, Outbound access and Tenant restrictions for that organization only. Any Microsoft Entra tenant not in the list of organizations for Organizational settings uses the default settings.

Admins can use cross-tenant access settings to manage collaboration with external Microsoft Entra tenants.

Note:
For non-Microsoft Entra tenants, the External collaboration settings in the Entra portal apply.

Admins can use Organizational settings in two fundamental ways:

  1. Block inbound and/or outbound access in the Default settings and then allow inbound and/or outbound access through Organizational settings for specifically trusted organizations (most restrictive)
  2. Allow inbound and/or outbound access in the Default settings and then block inbound and/or outbound access through Organizational settings for specifically untrusted organizations (most inclusive)

By default, after adding an organization, the Inbound access, Outbound access and Tenant restrictions for that organization are configured as Inherited from default. This allows admins to specifically block or allow access for either inbound access or outbound access, if they choose to do so.

The method of allow-by-default-block-when-untrusted might feel like the path of least resistance, but in the long run this method might raise privacy concerns for lingering guest users in remote Entra tenants with possible private data stored in attributes that contain multi-factor authentication information (personal phone numbers). Additionally, the inability to report on standing outbound access rights for your users in remote Entra tenants might become cumbersome in the long run. The method of block-by-default-allow-when-trusted is the method to get and remain in control in the long run.
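The two ways of using Organizational settings described above, and the five scenarios walked through in Part 2 of this series (higher on this page), all follow one resolution rule: a partner's customized setting wins, otherwise the default applies, and within a setting the Applies to selection either allows only the selected targets or blocks only them. The Python below is an added example, not code from Microsoft or from this blog. It models that rule over policy dictionaries shaped like the Microsoft Graph crossTenantAccessPolicy default and partner resources (b2bCollaborationInbound and b2bCollaborationOutbound, each with usersAndGroups and applications blocks carrying an accessType and targets). Every tenant, group and application ID in it is a constructed placeholder, and the evaluation is a simplification that leaves out trust settings, B2B direct connect and tenant restrictions.

```python
"""Model of how Entra cross-tenant access settings resolve (added example).

Policy dicts mirror the shape of the Microsoft Graph crossTenantAccessPolicy
resources: one default configuration plus partner configurations whose
b2bCollaborationInbound/Outbound settings are either customized or absent
(shown as "Inherited from default" in the portal). All IDs are placeholders.
"""

ALL_USERS = "AllUsers"
ALL_APPS = "AllApplications"

# Constructed placeholder IDs, not real tenants, groups or applications.
COMPETITOR_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
OTHER_TENANT = "33333333-3333-3333-3333-333333333333"
PROJECT_GROUP = "aaaaaaaa-0000-0000-0000-000000000001"
HR_APP = "bbbbbbbb-0000-0000-0000-000000000002"


def targets(*items, kind):
    """Graph-style targets list, e.g. targets(ALL_USERS, kind="user")."""
    return [{"target": item, "targetType": kind} for item in items]


def b2b_setting(users_access="allowed", user_targets=None,
                apps_access="allowed", app_targets=None):
    """One B2B collaboration setting; the defaults match the portal defaults
    (all users and groups allowed for all applications)."""
    return {
        "usersAndGroups": {"accessType": users_access,
                           "targets": user_targets or targets(ALL_USERS, kind="user")},
        "applications": {"accessType": apps_access,
                         "targets": app_targets or targets(ALL_APPS, kind="application")},
    }


def _decide(cfg, subject_ids, all_marker):
    """'Applies to' semantics: with accessType 'allowed' only the selected
    targets pass; with 'blocked' only the selected targets are refused."""
    selected = {t["target"] for t in cfg["targets"]}
    matched = all_marker in selected or bool(selected & set(subject_ids))
    return (cfg["accessType"] == "allowed") == matched


def effective_setting(policy, tenant_id, direction):
    """The partner's own setting if customized, else the default
    ("Inherited from default"). direction is "Inbound" or "Outbound"."""
    key = f"b2bCollaboration{direction}"
    partner = next((p for p in policy["partners"] if p["tenantId"] == tenant_id), None)
    if partner is not None and partner.get(key) is not None:
        return partner[key]
    return policy["default"][key]


def is_allowed(policy, tenant_id, direction, user_id, groups=(), app_id=None):
    """Outbound: may user_id (member of groups) collaborate in tenant_id?
    Inbound: may a guest from tenant_id reach app_id? Blocking all users
    also blocks all applications, as the portal states."""
    setting = effective_setting(policy, tenant_id, direction)
    users_ok = _decide(setting["usersAndGroups"], [user_id, *groups], ALL_USERS)
    apps_ok = _decide(setting["applications"], [app_id] if app_id else [], ALL_APPS)
    return users_ok and apps_ok


def allow_by_default_policy():
    """Inclusive defaults plus targeted blocks: a competitor blocked outright,
    another tenant blocked for a project group, an HR app hidden from all guests."""
    return {
        "default": {
            "b2bCollaborationInbound": b2b_setting(
                apps_access="blocked", app_targets=targets(HR_APP, kind="application")),
            "b2bCollaborationOutbound": b2b_setting(),
        },
        "partners": [
            {"tenantId": COMPETITOR_TENANT,
             "b2bCollaborationOutbound": b2b_setting(users_access="blocked")},
            {"tenantId": OTHER_TENANT,
             "b2bCollaborationOutbound": b2b_setting(
                 users_access="blocked", user_targets=targets(PROJECT_GROUP, kind="group"))},
        ],
    }


def block_by_default_policy():
    """Restrictive default: outbound blocked for everyone, re-allowed per partner,
    and for one partner only for members of the project group."""
    return {
        "default": {
            "b2bCollaborationInbound": b2b_setting(),
            "b2bCollaborationOutbound": b2b_setting(users_access="blocked"),
        },
        "partners": [
            {"tenantId": PARTNER_TENANT, "b2bCollaborationOutbound": b2b_setting()},
            {"tenantId": OTHER_TENANT,
             "b2bCollaborationOutbound": b2b_setting(
                 user_targets=targets(PROJECT_GROUP, kind="group"))},
        ],
    }


if __name__ == "__main__":
    p, q = allow_by_default_policy(), block_by_default_policy()
    print("competitor, allow-by-default:", is_allowed(p, COMPETITOR_TENANT, "Outbound", "alice"))
    print("unlisted tenant, block-by-default:", is_allowed(q, COMPETITOR_TENANT, "Outbound", "alice"))
```

Because the dictionaries follow the shape that Microsoft Graph returns from /policies/crossTenantAccessPolicy/default and /policies/crossTenantAccessPolicy/partners, the same resolver can be pointed at an export of a tenant's real policy to answer "which of our users can still reach tenant X" questions, which is the reporting gap the paragraph above describes for the allow-by-default approach.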

Microsoft cloud settings

By default, organizations using Entra with commercial Azure subscriptions are unable to collaborate with organizations with Entra with Government subscriptions or Azure China subscriptions. Microsoft cloud settings allow admins to collaborate with organizations from these different Microsoft clouds.

The Microsoft cloud settings pane offers two collaboration options:

  • Microsoft Azure Government
    This option allows collaboration with organizations using Azure Government (US Gov Arizona, US Gov Texas, US Gov Virginia), Office GCC-High and DoD subscriptions.
  • Microsoft Azure China (operated by 21Vianet)
    This option allows collaboration with organizations using Azure China subscriptions (operated by 21Vianet).

To set up B2B collaboration, admins from both organizations need to configure their Microsoft cloud settings to enable the partner's cloud. Then admins at each organization use the partner's tenant ID to find and add the partner to their organizational settings. From there, admins at each organization can let their default cross-tenant access settings apply to the partner, or they can configure partner-specific inbound and outbound settings.

Concluding

Entra's Cross-tenant Access Settings are generally available (GA). In the next blogposts in this series, we'll use them to limit B2B collaboration and optimize the end-user experience. This offers opportunities to extend your security measures across your supply chain and limit the privacy impact of collaborating.
