Hi. My name is Jim DeSantis. I am a principal identity cloud solution architect at Microsoft. And today, we're going to be talking about external identities with guest identities, business to business, and business to consumer. You can follow me on LinkedIn. My last part is jimdes, very easy to find. And I will post and follow a lot of the Identity and what's going on in that space.
So Identity is the new control plane. It's the one piece that's the hardest to control. A mobile device is easy to manage. We push policies down. We can wipe them. But with an Identity, I can take my Microsoft Identity, log in to Twitter or any other application, and use my Microsoft password. And it makes it extremely difficult for any company to control that.
So what we have to do as IT professionals is implement security policies like multifactor authentication, conditional access, other ways to protect that Identity, because we have the least amount of control over it as we look at the rest of our infrastructure. Security has to be baked in in every application that we do. It used to be five years ago, security was brought in before we go to production. Now security has to be in those discussions when we're building applications, when we're looking at SaaS applications. Security needs to be involved in the beginning and not the end.
If you're not familiar with Zero Trust, I would highly recommend that you understand the zero trust philosophies and the framework. Surprisingly, as much as we've talked about multifactor authentication over the years, and especially through COVID, multifactor authentication doesn't solve world hunger. It doesn't solve global warming. But it is a necessary part to securing the Identity. It's a matter of raising that bar to make the hackers less effective.
And right now in Azure AD, only about 25% of the Identities are protected with MFA, which is honestly astounding. We need to move away from, it's inconvenient to the end user, to protecting our environment so we're not reading about your business in social media after you got hacked. Using conditional access policies in identity protection is very important. As we protect Identities, it's a layered approach. It's not, I use x, or I use y. It's a matter of pulling them all together with Identity protection, conditional access, device endpoint protection, and with multifactor authentication.
So a Guest account is generated from Teams, OneDrive, or SharePoint where you allow your users to then invite somebody from Gmail or somebody from contoso.com. When you include them in a team, they get an invitation, they accept the invitation, and that provisions an external Identity. And that external Identity will look like joebob_domain.com#ext#, and then your Microsoft tenant name. It's a pretty ugly Identity, but it's easy to query in your Azure Active Directory to find your external Identities.
Most customers don't realize how many they have, how long they've been there, or what access there is. The other thing they don't realize is when I share a team to another company, that user Identity is deleted. It doesn't remove your Guest Identity. That becomes orphaned, which you need to clean up. I've included links all through my presentation. Highly recommend going to these two links. Both of them will help you identify your Guest accounts, put some policies around them, and start cleaning them up.
In the Azure portal, there's a number of different places that you can assign Guest access, both in Teams, OneDrive, SharePoint. So this slide goes over some of the well-known ones under User Settings, External Users. And then I highly recommend-- it's a very detailed article from Microsoft-- to go over your Guest sharing settings. It'll walk you through all the places in the tenant that you need to look at and make sure that your Guest access lines up with your security policies.
You can also use Access Reviews, which does require an Azure P2, but it only requires an Azure P2 for the people doing that review. So you only need a few Azure P2 licenses. You don't have to license it by the tenant. And this article will walk you through setting them up. What's been recently added is the ability to do Access Reviews on inactive Guest users, which I highly recommend you look at.
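The #ext# naming above and the clean-up of orphaned, never-accepted and inactive Guests can be scripted against an export of your guest users. The following is an added example, not code from the talk or from Microsoft: it assumes a constructed sample shaped like the fields a Microsoft Graph users query returns (userPrincipalName, externalUserState, createdDateTime, signInActivity.lastSignInDateTime) and a hypothetical tenant contoso.onmicrosoft.com.

```python
"""Triage Azure AD guest (B2B) accounts from an exported user list.

Added example; the records below are a constructed sample, not real tenant data.
"""
from datetime import datetime, timedelta, timezone

# Constructed export for a hypothetical tenant (contoso.onmicrosoft.com).
SAMPLE_GUESTS = [
    {"userPrincipalName": "joebob_domain.com#EXT#@contoso.onmicrosoft.com",
     "externalUserState": "Accepted", "createdDateTime": "2021-03-01T10:00:00Z",
     "lastSignInDateTime": "2023-04-10T08:12:00Z"},
    {"userPrincipalName": "jane.doe_gmail.com#EXT#@contoso.onmicrosoft.com",
     "externalUserState": "Accepted", "createdDateTime": "2020-01-15T09:00:00Z",
     "lastSignInDateTime": "2020-02-01T12:00:00Z"},
    {"userPrincipalName": "first_last_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2022-06-01T09:00:00Z",
     "lastSignInDateTime": None},
]
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

def parse_guest_upn(upn):
    """Recover (original email, home domain) from a '<local>_<domain>#EXT#@tenant' UPN.
    A DNS domain cannot contain '_', so the last underscore before #EXT# is the
    split point even when the original local part has underscores. Members
    (no #EXT# marker) return None."""
    head, sep, _tenant = upn.partition("#EXT#")
    if not sep:  # tolerate the lowercase spelling used in the talk
        head, sep, _tenant = upn.partition("#ext#")
    if not sep or "_" not in head:
        return None
    local, domain = head.rsplit("_", 1)
    return f"{local}@{domain}", domain.lower()

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage_guests(guests, now, inactive_days=90, pending_days=30):
    """Return {original_email: [findings]} for guests that merit an access review."""
    report = {}
    for g in guests:
        parsed = parse_guest_upn(g["userPrincipalName"])
        if parsed is None:
            continue  # not a B2B guest
        email, domain = parsed
        state, last, findings = g.get("externalUserState"), g.get("lastSignInDateTime"), []
        if state == "PendingAcceptance" and now - _ts(g["createdDateTime"]) > timedelta(days=pending_days):
            findings.append("invitation never accepted")   # likely orphaned invite
        if state == "Accepted" and (last is None or now - _ts(last) > timedelta(days=inactive_days)):
            findings.append("inactive")                    # candidate for removal
        if domain in CONSUMER_DOMAINS:
            findings.append("consumer identity")           # enforce MFA / policy check
        if findings:
            report[email] = findings
    return report
```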
Creating a Guest sharing environment starts with having a security policy that defines what the Guest access should be. You have to have a policy to know what you can implement. So I always recommend and encourage our customers to get security to get legal, define a policy as to what is acceptable with your company, then go and implement it. And here's another great link that walks you through implementing that.
And I can't stress enough to use multifactor authentication on your Guest accounts. It may seem like it's a little inconvenient. But you're protecting your environment. In the security posture that we've seen the last two and a half to three years, we can never have too much security.
Azure B2B-- it is Azure Business to Business. And B2B is for two different Microsoft Azure tenants. Typically it's partners, vendors, subdivisions, mergers and acquisitions. It's not supported to another B2B outside of an Azure tenant. What's recently been added is China and US government tenants, which includes DoD and GCC High. That's been a feature that's been asked for by a lot of customers.
So in B2B, we're going to talk about how it's more granular than it was before. You have allow and block access on each one of these settings. B2B collaboration is like I just described with a Guest account. I invite a Guest, an external Identity is created, and then I can specify which other Azure tenants are allowed or blocked from my tenant.
What's new within the last few months is B2B direct connect. The beautiful thing about