Microsoft is ending unmanaged accounts for business-to-business collaboration in Azure Active Directory, resolving a major pain point for customers that had led to increased support costs and made access management difficult.
According to the Redmond, Wash. IT giant, this makes external collaboration in Azure AD more secure. Azure AD is now part of Microsoft Entra, the company’s rebranded suite of identity solutions.
The company says it first introduced self-service sign-up for email-verified users in Azure AD B2B collaboration so that people without an Azure AD identity could still be invited. An invited guest whose email domain was not verified in Azure AD could create an Azure AD account simply by proving ownership of their work email address.
“However, this sometimes means that users would create accounts in a tenant not managed by the IT department of their organization,” says Robin Goldstein, director of product management for the company’s identity solutions, in a Tech Community blog. “This has several unintended consequences such as challenges with user lifecycle management, support costs due to password reset issues and information disclosure between users in the Azure Portal.”
The company will now provide additional ways to authenticate guests without creating unmanaged Azure AD accounts: federation with SAML- and WS-Fed-based identity providers, federation with Gmail accounts, and collaboration using an email-based one-time passcode.
Owners of unmanaged tenants can still choose to resolve the issue by taking over the tenant and making it a managed tenant.
Microsoft is also changing the invitation redemption workflow. From the blog:
We have modified the logic of the redemption flow as follows:
- At step #1, existing unmanaged Azure AD accounts will not be considered for redemption. Users will only be able to redeem with managed Azure AD accounts.
- Unless you have explicitly opted out, Email One-Time Passcode (OTP) is now enabled by default across all Azure AD tenants as of July 2022.
- If you have disabled Email One-Time Passcode (OTP), and we are unable to find an identity provider for an invited user (steps 1-4), the user will be prompted to create a consumer Microsoft Account with the invited email (step 7). We’ll support creating a Microsoft account with work emails with domains that are not verified in Azure AD.
Accounts that have previously been invited and redeemed with unmanaged Azure AD accounts will continue to work, the company says.
In addition, organizations can identify and clean up existing unmanaged accounts in their tenant using a sample application or the MSIdentity Tools PowerShell Module. Admins can optionally reset the redemption status of those guest accounts: the accounts keep all existing access and permissions, but the guest must redeem the invitation again using a different method, such as Email One-Time Passcode.
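An added example of the cleanup the article describes (not code from the article or from Microsoft): report guests that redeemed with an unmanaged Azure AD account, then reset their redemption status so they must re-redeem with Email OTP or a managed identity. It assumes the MSIdentityTools cmdlet `Get-MsIdUnmanagedExternalUser` and the Microsoft Graph SDK cmdlet `New-MgInvitation` with its `-ResetRedemption` switch, and assumes the returned objects expose `Id` and `Mail` like a Graph user; the redirect URL and output file name are placeholders.

```powershell
# Added example, not from the article. Assumes MSIdentityTools and Microsoft.Graph
# are installed, and that the cmdlets below exist with the parameters shown.
Import-Module MSIdentityTools, Microsoft.Graph.Identity.SignIns

# User.ReadWrite.All is what the reset (a write to an existing user) needs;
# User.Invite.All covers the invitation call itself.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.Invite.All'

function Get-UnmanagedGuestReport {
    # Read-only step: list external users whose home tenant is unmanaged ("viral").
    # Review this output before changing anything.
    Get-MsIdUnmanagedExternalUser |
        Select-Object Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime
}

function Reset-GuestRedemption {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Guest,
        [string] $RedirectUrl = 'https://myapps.microsoft.com'   # placeholder
    )
    process {
        if (-not $Guest.Mail) {
            Write-Warning "Skipping $($Guest.Id): no mail attribute to re-invite"
            return
        }
        if ($PSCmdlet.ShouldProcess($Guest.Mail, 'Reset B2B redemption status')) {
            # ResetRedemption keeps the existing guest object (group memberships,
            # app assignments) but forces a fresh redemption at next sign-in.
            New-MgInvitation -InvitedUserEmailAddress $Guest.Mail `
                             -InviteRedirectUrl $RedirectUrl `
                             -InvitedUser @{ Id = $Guest.Id } `
                             -ResetRedemption `
                             -SendInvitationMessage
        }
    }
}

# 1) Report first and keep it as the change record.
$report = Get-UnmanagedGuestReport
$report | Export-Csv -NoTypeInformation -Path '.\unmanaged-guests.csv'

# 2) Dry run; drop -WhatIf once the report has been reviewed.
$report | Reset-GuestRedemption -WhatIf
```

Because the guest objects are retained, conditional access and audit-log entries for these users stay intact; the only visible change is that their next sign-in goes through a new redemption.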