[MUSIC PLAYING] Hi. My name is Jim DeSantis. I am a principal identity cloud solution architect at Microsoft. And today, we're going to be talking about external identities with guest identities, business to business, and business to consumer. You can follow me on LinkedIn. My last part is jimdes, very easy to find. And I will post and follow a lot of the Identity and what's going on in that space.
So Identity is the new control plane. It's the one piece that's the hardest to control. A mobile device is easy to manage. We push policies down. We can wipe them. But with an Identity, I can take my Microsoft Identity, log in to Twitter or any other application, and use my Microsoft password. And it makes it extremely difficult for any company to control that.
So what we have to do as IT professionals is implement security policies like multifactor authentication, conditional access, other ways to protect that Identity, because we have the least amount of control over it as we look at the rest of our infrastructure. Security has to be baked in in every application that we do. It used to be five years ago, security was brought in before we go to production. Now security has to be in those discussions when we're building applications, when we're looking at SaaS applications. Security needs to be involved in the beginning and not the end.
If you're not familiar with Zero Trust, I would highly recommend that you understand the zero trust philosophies and the framework. Surprisingly, as much as we've talked about multifactor authentication over the years, and especially through COVID, multifactor authentication doesn't solve world hunger. It doesn't solve global warming. But it is a necessary part to securing the Identity. It's a matter of raising that bar to make the hackers less effective.
And right now in Azure AD, only about 25% of the Identities are protected with MFA, which is honestly astounding. We need to move away from, it's inconvenient to the end user, to protecting our environment so we're not reading about your business in social media after you got hacked. Using conditional access policies in identity protection is very important. As we protect Identities, it's a layered approach. It's not, I use x, or I use y. It's a matter of pulling them all together with Identity protection, conditional access, device endpoint protection, and with multifactor authentication.
So a Guest account is generated from Teams, OneDrive, or SharePoint where you allow your users to then invite somebody from Gmail or somebody from contoso.com. When you include them in a team, they get an invitation, they accept the invitation, and that provisions an external Identity. And that external Identity will look like joebob_domain.com#ext#, and then your Microsoft tenant name. It's a pretty ugly Identity, but it's easy to query in your Azure Active Directory to find your external Identities.
Most customers don't realize how many they have, how long they've been there, or what access there is. The other thing they don't realize is when I share a team to another company, that user Identity is deleted. It doesn't remove your Guest Identity. That becomes orphaned, which you need to clean up. I've included links all through my chat or all through my presentation. Highly recommend going to these two links. Both of them will help you identify your Guest accounts, put some policies around them, and start cleaning them up.
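Added example, not part of the talk: a Microsoft Graph PowerShell script that inventories the guest identities just described, recovers the invited address from the #EXT# user principal name, and flags the orphaned and stale guests the speaker says most tenants never clean up. It only reports; removal stays with your review process. Assumed: the Microsoft.Graph modules are installed, the signed-in account holds User.Read.All and AuditLog.Read.All, sign-in activity data needs Azure AD P1 or P2, and the 90-day threshold is a placeholder to match to your own guest policy.

```powershell
# Added example (not from the talk): inventory guest identities with the
# Microsoft Graph PowerShell SDK, recover the invited address from the #EXT#
# user principal name, and flag guests that look orphaned or stale.
# Assumptions: Microsoft.Graph modules installed; the account has
# User.Read.All and AuditLog.Read.All; signInActivity needs Azure AD P1/P2;
# the 90-day threshold is a placeholder to adjust to your guest policy.

Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'

$staleAfterDays = 90
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,UserPrincipalName,Mail,CreatedDateTime,ExternalUserState,SignInActivity

$report = foreach ($g in $guests) {
    # Guest UPN shape: <local>_<home-domain>#EXT#@<your-tenant>.onmicrosoft.com
    # A DNS domain holds no underscore, so the last '_' before #EXT# splits it.
    $invitedAddress = $null
    $homeDomain     = $null
    if ($g.UserPrincipalName -match '^(?<local>.+)_(?<domain>[^_#]+)#EXT#@') {
        $invitedAddress = "$($Matches.local)@$($Matches.domain)"
        $homeDomain     = $Matches.domain
    }

    # Null when the guest has never signed in (or the tenant lacks P1/P2).
    $lastSignIn = $g.SignInActivity.LastSignInDateTime

    $finding = switch ($true) {
        { $g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff } { 'invitation never accepted'; break }
        { -not $lastSignIn -and $g.CreatedDateTime -lt $cutoff }                            { 'never signed in'; break }
        { $lastSignIn -and $lastSignIn -lt $cutoff }                                       { "no sign-in for $staleAfterDays days"; break }
        default                                                                           { 'active' }
    }

    [pscustomobject]@{
        DisplayName    = $g.DisplayName
        InvitedAddress = $invitedAddress
        HomeDomain     = $homeDomain
        Created        = $g.CreatedDateTime
        LastSignIn     = $lastSignIn
        Finding        = $finding
    }
}

# Guests per home domain shows which partner and consumer domains hold access today.
$report | Group-Object HomeDomain | Sort-Object Count -Descending | Select-Object Name, Count

# Everything not active goes to a CSV for the access-review or cleanup pass.
$report | Where-Object Finding -ne 'active' | Export-Csv -Path .\stale-guests.csv -NoTypeInformation
```

The "never signed in" and "invitation never accepted" rows are the orphans the speaker mentions: the inviting team may be long gone, but the external identity in your directory is not. Feed that CSV into an access review rather than deleting from the script, so the business owner confirms each removal.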
In the Azure portal, there's a number of different places that you can assign Guest access, both in Teams, OneDrive, SharePoint. So this slide goes over some of the well-known ones under User Settings, External Users. And then I highly recommend-- it's a very detailed article from Microsoft-- to go over your Guest sharing settings. It'll walk you through all the places in the tenant that you need to look at and make sure that your Guest access lines up with your security policies.
You can also use Access Reviews, which does require an Azure P2, but it only requires an Azure P2 for the people doing that review. So you only need a few Azure P2 licenses. You don't have to license it by the tenant. And this article will walk you through setting them up. What's been recently added is the ability to do Access Reviews on inactive Guest users, which I highly recommend you look at.
Creating a Guest sharing environment starts with having a security policy that defines what the Guest access should be. You have to have a policy to know what you can implement. So I always recommend and encourage our customers to get security to get legal, define a policy as to what is acceptable with your company, then go and implement it. And here's another great link that walks you through implementing that.
And I can't stress enough: use multifactor authentication on your Guest accounts. It may seem like it's a little inconvenient. But you're protecting your environment. In the security posture that we've seen the last two and a half to three years, we can never have too much security.
Azure B2B-- it is Azure Business to Business. And B2B is for two different Microsoft Azure tenants. Typically it's partners, vendors, subdivisions, mergers and acquisitions. It's not supported to another B2B outside of an Azure tenant. What's recently been added is China and US government tenants, which includes DoD and GCC High. That's been a feature that's been asked for by a lot of customers.
So in B2B, what we're going to talk about is more granular than it was before. You have allow and block access on each one of these settings. B2B collaboration is like I just described with a Guest account. I invite a Guest, an external Identity is created, and then I can specify which other Azure tenants are allowed or blocked from my tenant.
What's new within the last few months is B2B direct connect. The beautiful thing about direct connect is it doesn't create an external Identity in my tenant. The downside is only Teams channels are supported today. It was the first one out because it was the most requested by customers.
The other part of it is tenant restrictions. Now through the portal, you can add what tenants your users can get to, by either allowed or blocked, which before, we had to go to our proxy and block the tenant IDs and everything else. Microsoft has now made it easier for customers to implement that either you're blocking certain tenants or you're blocking all tenants, and you're only allowing a couple of them.
The default settings inside B2B is every tenant that is not specifically added. And I will talk about that in a minute. We have both inbound and outbound access, very similar, but you can decide either inbound or outbound. And it's inbound and outbound for collaboration and direct connect. So this is the outbound access, which you can see is, by default, blocked until you go in and go ahead and create a policy for it.
What you can also do now is that you can do it by groups. So I can do inbound access by groups and let the other tenant add people to a group and scale it down to just the group. And I can scale it down to specific applications inside of my tenant. And this is the tenant restrictions. And there's a really good link that walks you through how to set that up and how it works.
Organizational settings-- I can add a different domain name like contoso.com and give that domain-- either allow or block access to groups and users. So now my default settings might be turned off. But I can add other Azure tenants that might be a partner, that might be a vendor or a trusted business partner. And again, with the collaboration, that is the old external Guest account, #ext#.
And then direct connect is what we would talk about as a federated Identity. And there is no Guest account created. And I repeat that because there's a big difference between the two. Again, only the Teams shared channel is supported today. And I would expect in the future that it will grow.
The added feature with B2B when I specify a domain name is that now, I can trust the other tenants' multifactor authentication. So it's both a technical trust and a business trust. So before, if somebody was a Guest and they MFAed in their tenant, contoso.com, they were connecting to my tenant, fabrikam.com, that user would get two MFA prompts. Now I can say I trust contoso.com. So now once they've done the MFA, I trust them. They don't get two.
You also can trust if they have compliant devices, meaning through their MDM solution, or if they have a hybrid Azure AD joined device. So there is that business trust between those two companies. So there's a higher level of security involved before you go implement those.
This is where the organizational settings are. It's under Azure AD, External Tenant Access Settings, Organizational Settings. And then you'll see Add Organization. This is where I specify a specific domain name, namespace, or tenant ID. And then I can either block or allow, or I can allow inbound and block access, block outbound on that. But this is where you would add those other partners. And if there's nothing here, then the default settings take precedence over all of them.
And we can see that you can do it by a group. When you do it by a group, you're using the group object ID in the other tenant, because obviously, one Azure tenant doesn't understand a text name. So you're using your object ID. That's part of that trust factor to set up a group.
With applications, I can specify they can get to specific inbound applications. It could be Office 365. It could be Teams. But you're deciding what those users can get to by group, by everybody, or specific applications. So it needs to be planned out, thought out.
And then for direct connect, you do the same with groups. But the only difference is when you go to Applications, the only application you can assign is Teams because the only one that's supported is your Team shared channel today. So it looks like you could go and click Application and pick something else, but that's the only one that will show up today. But that would allow the other tenant to have the Identities that can access your team. And you don't have to do the lifecycle management, which I think is a really good thing.
Trust settings-- you can take the default, which goes to the default settings higher up. Or this is where you can go in and say, we'll trust your multifactor authentication, or I trust if they're an Azure AD joined device. This gets back to the business trust that that partner or vendor, you know, has security protocols that will align with your business.
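Added example, not part of the talk: the organizational settings, group and application scoping, direct connect, and trust settings covered above, expressed as one partner entry in cross-tenant access settings through the Microsoft Graph PowerShell SDK. Every GUID is a placeholder: the partner's tenant ID, the object ID of the group in the partner tenant (as the speaker notes, groups are referenced by object ID, not name), and your own application ID. Assumed permission is Policy.ReadWrite.CrossTenantAccess; the cmdlet and property names are those of the Graph cross-tenant access policy API.

```powershell
# Added example (not from the talk): configure cross-tenant access settings for
# one partner tenant. All GUIDs are placeholders to replace.
# Assumption: the account holds Policy.ReadWrite.CrossTenantAccess.

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$partnerTenantId = '00000000-0000-0000-0000-000000000001'   # placeholder: partner's tenant ID
$partnerGroupId  = '00000000-0000-0000-0000-000000000002'   # placeholder: group object ID in the PARTNER tenant
$yourAppId       = '00000000-0000-0000-0000-000000000003'   # placeholder: app ID in YOUR tenant the partner may reach

$partner = @{
    tenantId = $partnerTenantId

    # Trust settings: accept the partner's MFA and compliant-device claims so their
    # users are not prompted twice. Only set these after the business trust exists.
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }

    # B2B collaboration (creates #EXT# guests): only one partner-managed group,
    # and only one of your applications.
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = $partnerGroupId; targetType = 'group' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = $yourAppId; targetType = 'application' })
        }
    }

    # B2B direct connect (no guest object): same group, Teams shared channels only.
    b2bDirectConnectInbound = @{
        usersAndGroups = @{
            accessType = 'allowed'
            targets    = @(@{ target = $partnerGroupId; targetType = 'group' })
        }
        applications = @{
            accessType = 'allowed'
            targets    = @(@{ target = 'Office365'; targetType = 'application' })
        }
    }
}

New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $partner

# Read back what was stored for this partner, and the defaults that govern
# every tenant without a partner entry.
Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId |
    Select-Object TenantId, InboundTrust, B2BCollaborationInbound, B2BDirectConnectInbound
Get-MgPolicyCrossTenantAccessPolicyDefault
```

Outbound settings (b2bCollaborationOutbound, b2bDirectConnectOutbound) follow the same shape and are what you use as the tenant restrictions the speaker describes. Keep the default entry restrictive and add partners explicitly: anything you leave unset on a partner entry falls back to the defaults, which is the precedence rule the speaker points out.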
Microsoft Cloud-- it's essentially you can enable either government cloud or China cloud. It's only supported for the collaboration. The direct connect isn't supported yet. I would think hopefully in the future, it will be.
Azure business to consumer. So Azure B2C is a consumer Identity access management. And we needed another acronym in the business, so they created one. This is typically in retail. We see a lot of it-- your Starbucks, your Subways, your local grocer-- because they don't want to pay for an Azure AD Identity. And it's a very inexpensive Identity for that consumer to use with limited or scaled down functionality.
Licensing on a B2C tenant is done at the tenant level. So you either do Azure P1 or Azure P2. It's done across the whole tenant. It's not done across individual users. You can create custom branding. You can create custom domains. And in this slide, I have pointed to our own GitHub community, our own sample code, and the B2C documentation. So you can get more familiar with Azure B2C.
When setting up Azure B2C, this is my lab. I have three Azure B2C tenants. I like to refer to them as directories because Azure B2C sits inside of my Azure AD tenant. And if you go to the B2C tenants blade in Azure, you will see your B2C tenants.
Normally, what you will do is you will have a subscription because you have to build against it. You will create a resource group-- or I would create a resource group-- for that B2C. And then you would go to the green plus where it says, Create a Resource. Then you'd create a B2C tenant, and you will add that to your resource group. And then anything else, if you have an external IP, that will all go inside of that resource group, which then you can do RBAC and PIM against that resource group or B2C tenant.
I highly recommend development, staging, and production. And as I get into licensing, you don't have to worry about paying anything for development and staging because you're never going to exceed the monthly active users. And B2C licensing, where you find it, because it's a little obscure, is when you go to B2C Tenants, you click on your B2C Directory. And under Overview, you go on the right side where the red box is. And when you click on Pricing Tier, it comes up. And it will show you you're in Azure P1 or you're in Azure P2. You can switch between the two, and then over that month it will change.
One of the big things between a P1 and a P2 is as we get into the log analytics workspace in Sentinel and SIEM, you get more telemetry data with an Azure P2 because you're implementing Identity protection. So more of the attributes that are saved-- and then the telemetry is fed up to your SIEM. So then you get that extra telemetry, which will require an Azure P2 license.
B2C applications-- all your standards, your .NET, PHP, Java, single-page applications, web APIs, and mobile and native applications. For the authentication protocols, we support the industry standards, your OAuth 2.0, OpenID Connect, implicit grant flow, which we don't recommend-- it's not as secure-- SAML. And if you're porting an application to Azure B2C, we support the common protocols.
If you're developing a new application, we highly recommend using the Microsoft authentication library, MSAL, because we handle the tokens. We handle that all for you so it requires a lot less code on your part. And then we return the ticket to you. So we're trying to make it easier. And it's also more secure because Microsoft is handling that part through the APIs instead of you handling it through some of the more industry standards.
So as we talk about B2C, what you're purchasing from Microsoft is a directory. And the best practices are you want to put a web application firewall. It could be Azure Front Door, it could be Akamai, it could be Cloudflare. But you want to put something in front of your B2C directory to protect against bots, brute force attacks, all the stuff that the nasty bad actors are doing. You need to still protect that directory.
B2C is just a directory. But the beauty when we apply Identity protection is that the telemetry we're using for the Identity protection is across the whole Microsoft ecosystem. So it's the telemetry from Azure AD and from Azure B2C. So we're seeing the IP addresses the bad actors come from. We're seeing the bot attacks and the brute force attacks. And we're able to monitor that across the whole Microsoft ecosystem. So when you enable Identity protection, it's not against your tenant that we're collecting the telemetry, it's against the Microsoft ecosystem.
Very powerful, very useful-- it is a little bit more money. But you can do a conditional access policy to say on a medium risk, I want to force that user to reset their password. Or if you're using multifactor authentication, you can force that user to do MFA. And that's protecting your consumer Identities.
Today, I probably have 30 or 35 different Identities in my authenticator app. Most people today are very familiar with MFA and using authenticator or some other authenticator. So I don't think the argument of, it's inconvenient, today holds as much weight as it did years ago. And it's a very poor reason not to implement it.
Or the other thing that I've explained to our customers is at least offer it, because almost all of the customers, the vendors that I sign up to, the first thing I look for is multifactor or second factor or OTP so I can protect my own Identity. I'm in security. I may be different than others. But I think today the majority of people will do that.
And I've talked to retail customers that have got feedback that they didn't offer MFA and customers were starting to delete their accounts because they weren't confident that they weren't going to be protected. So that's the other side of the story I think, now, we need to be looking at is offering that to them, and maybe not enforcing it, but encouraging it.
Azure AD B2C conditional access-- you can still block countries. If you're a local provider of groceries and you know your customers are never going to log in from Russia or Iraq or Sweden or any country, you can go in and block those countries by default, which is highly encouraged. And the same conditional access policies that we use for Azure AD is the same technology we use for B2C.
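Added example, not part of the talk: the risk-based policy from the Identity Protection section above and the country block from this one, created in a B2C tenant through the Microsoft Graph PowerShell SDK. Both policies start in report-only mode so you can read the sign-in logs before enforcing them. Assumed: the B2C tenant ID is a placeholder, the country list repeats the three countries the speaker used as his example and must be replaced with your own, and the risk condition needs the P2 tier that includes Identity Protection.

```powershell
# Added example (not from the talk): two Conditional Access policies for an
# Azure AD B2C tenant, created in report-only mode first.
# Assumptions: tenant ID and country list are placeholders; the account holds
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All; risk conditions need P2.

Connect-MgGraph -TenantId '00000000-0000-0000-0000-0000000000b2' `
    -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

# 1. A named location listing countries no customer is expected to sign in from.
$blockedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked countries'
    countriesAndRegions               = @('RU','IQ','SE')   # placeholder: the talk's example list, replace it
    includeUnknownCountriesAndRegions = $false               # $true also blocks sign-ins whose country cannot be resolved
}

# 2. Block every sign-in that originates from that location.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'B2C - block sign-ins from listed countries'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @($blockedCountries.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Require MFA when Identity Protection rates the sign-in medium or high risk.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'B2C - MFA on medium or high sign-in risk'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users            = @{ includeUsers = @('All') }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium','high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Confirm both are present; switch state to 'enabled' once report-only results look right.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Report-only mode writes a "would have blocked" or "would have required MFA" result into the B2C sign-in logs, which is what you ship to Log Analytics and Sentinel as described later in the talk; a week of that data tells you whether the country list or risk threshold would lock out legitimate customers before it is enforced.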
Dynamics 365 Fraud Protection-- another level that we can implement for our customers. We still offer the Smart Lockout for failed logins. So if I typically log in from Cleveland on an iOS device, that device history is saved. But if I'm logged in and then somebody logs in from Russia or any other country on a different type of device, then that device will be locked out after they put so many bad passwords. That's our Smart Lockout technology. It's included in both Azure P1 and Azure P2.
Azure Front Door and Azure Dynamics 365 Fraud Protection-- Fraud Protection is another layer that helps our customers, as it does device fingerprinting. So it will remember the type of device, the firmware or the operating system that's on it. So as that user uses that device over and over again and somebody logs in from another one, all of that telemetry data goes up into the machine learning and the artificial intelligence. So now we're better able to see where that user had a risk or if it's a valid risk.
And it's a competitive product to a lot of our customers. But what we're finding and I work with, my retail customers, is I see them implement multiple different vendors. And what happens is you're going from cloud to cloud. So there's more latency. There's more code that's developed to make all of those work when you talk about risk scores and other things. And I watch them struggle. And if you choose the other products, it's supported. But I would encourage you that if you're starting with B2C and you don't have one of the other competitors, to strongly look at Azure Front Door.
B2C also works with APIM. And you can build your own APIs, API management. So all of that stays inside of the Microsoft ecosystem. You don't have to worry about traversing clouds and the latency that goes along with competitive products.
Azure B2C, you can set up your log files, you sign-in logs, your audit logs, to go up to Log Analytics Workspace. And then from Log Analytics Workspace, you can take that and move it into Sentinel if you're a Microsoft customer, or you can ship it off to one of the other SIEMs so that you have all of that telemetry data from your consumers.
And for pricing, the way B2C works is the first 50,000 monthly active users are free. So when I was talking about development and staging, you can run that all day because you're not going to have 50,000 people. After that, in Azure P1 is roughly $3.25 per 1,000, and the Azure P2-- which includes the advanced multifactor authentication and your Identity protection-- is a little bit more. These are list prices. So you would talk to Microsoft based on your account.
A Monthly Active User, MAU, is if one person logs in 30 times, that's one MAU. If one person logs in one time, that's one MAU. So you're only charged for the Identity that logs in that month. You can have 10 million Identities. If 20,000 people log in, you are under that 50,000.
You can also do SMS texting, which is not encouraged because it's a security risk. And through our custom code, you can point to a different provider to avoid the $0.03. But I would highly encourage using some other technology, like biometrics. We see more customers using biometrics. And that's a development process where you're using the device, either Face ID or the fingerprint.
What I've done is through the whole talk, all of the links that I have referenced, I've put in different resources to make it easy for you to go through a specific slide or a specific topic, to go and find a quick resource to learn more about it. Because this was a 30-minute talk, I obviously couldn't cover everything. So I have included a very elaborate resource section that I would encourage you to go ahead and look at. Thank you for your time.