The proliferation of multiple Azure and Office 365 tenants and data sovereignty issues are creating some interesting problems with user access and collaboration. If you are in the process of moving to the Microsoft cloud now or will be in the future, you will most likely want to implement Azure Active Directory B2B and/or B2C accounts to support your external customers and\or partners.
What are Azure AD B2B and B2C accounts?
According to the recent Microsoft documentation, Azure AD B2B Accounts are intended for organizations that need to authenticate users from a partner organization, regardless of identity provider. B2B identities could include employees with work or school accounts, partners with work or school accounts, or any email address.
Take for example a multi-national organization where there is a US entity that has moved to Azure AD while also syncing on-premises AD accounts. However, its Canadian counterpart and partner organization has not adopted Azure AD. This creates challenges for both IT and user collaboration.
Let’s say I’m collaborating with someone from Canada and they are allowed access to our US-based and Azure-hosted applications and documents that enable our entire business. They are not part of the Azure AD tenant or synchronized, but still need access to our systems. In order to grant this access, these users are allowed in via an Azure B2B account that the US organization would create. That account becomes a cloud-only object that otherwise does not have access.
Azure AD B2C accounts are a bit different, and are intended for inviting customers of your mobile and web apps — whether these customers be individuals, institutional or organizational customers — into your Azure AD. For example, B2C accounts could include consumer users with local application accounts (any email address or user name) or any supported social identity with direct federation.
Why should you care about this?
Most companies today are in a hybrid deployment of Azure Active Directory and Office 365, so this means the Active Directory Connector (ADC) is used to synchronize on-prem AD accounts to Azure AD. This is very helpful with populating your Azure AD tenant as well as protecting Active Directory in the event that any inadvertent changes happen because you can back it up and restore on-prem.
The problem we need to be aware of is when you introduce the Microsoft cloud, you now introduce cloud-only objects such as attributes, groups and accounts like these B2B and B2C accounts. What happens when an inadvertent change happens to your cloud-only objects such as B2B and B2C accounts, which are not synchronized on-prem via the ADC? Especially a mass change caused by an errant script, malicious or careless users or even a third-party application connector?
In the example above, if something happens to that Azure B2B user object or a group membership for that group via an entitlement, then that user no longer has access to the resources that were shared either directly to the account or the group memberships that may have also granted access. The US-based organization now needs to recreate the entire Azure AD B2B user and their full permissions sets causing unwanted downtime and lost productivity.
Here’s where Quest comes in: We are here to support our customers whether they remain on-prem, move into a hybrid deployment or into a straight cloud deployment.
Quest provides superior recovery functionality for all your recovery needs including your Azure AD environment. On Demand Recovery for Azure Active Directory is our SaaS solution that includes the following key features:
Hybrid AD and Azure AD recovery dashboard
With Quest On Demand Recovery for Azure AD, you get a single recovery dashboard to differentiate hybrid and cloud-only objects, run difference reports between production and real-time backups, and restore all changes, whether on premises or in Azure AD.
Secure Azure AD and Office 365 backups
You can back up Azure AD and Office 365 users, attributes, groups and group membership, easily and securely. Including cloud only objects such as B2B and B2C accounts. Plus, you can choose the backup retention period that best meets your company’s compliance needs, so you never have to worry about not getting back what you need.
Azure AD and Office 365 mass restores
On Demand Recovery for Azure Active Directory enables you to restore multiple users, groups (including nested groups) and group membership at the same time — with no PowerShell scripting needed. You’ll be able to recover objects faster than before (in minutes rather than hours) without having to access multiple admin interfaces in Office 365 or Azure AD.
Difference reporting
You can search or compare specific attributes from multiple sources that were modified and roll back only those changes rather than restore the entire object. You can also report on all changes made across Azure AD and highlight differences between backups and the live environment, and perform restores directly from the reporting interface.
Online granular restore
Restore users, groups and group membership as well as individual attributes (such as account settings) and binary attributes, even when the object itself has not been deleted. This enables you to restore only the required attributes without restarting domain controllers.
Recovery of hard-deleted objects
On Demand Recovery for Azure Active Directory can recreate hard-deleted objects that have bypassed the Recycle Bin, so you can easily get back anything that has been deleted, either accidentally or maliciously.
Want to learn more?
Join Microsoft MVP Tim Warner and Ian Lindsay of Quest to learn how to protect your AD users, groups, and attributes from accidental or malicious deletion.