Here we go again. Study guides, oh those study guides, don’t you just love them. Microsoft is making their own, excellent guides but my idea is to make them little bit better.
So sit back and enjoy!
Table of Contents
Secure Microsoft Entra users
Understanding Required Roles
The necessary level of administrative privilege for creating users and assigning roles varies based on the user type and whether role assignments are required simultaneously. While the Global Administrator role possesses the highest permissions, it’s recommended to employ the least privileged role possible for security reasons.
| Task | Required Role |
|---|---|
| Create a new user | User Administrator |
| Invite an external guest | Guest Inviter |
| Assign Microsoft Entra roles | Privileged Role Administrator |
User Types and Authentication
Before creating or inviting a new user, carefully consider the user’s role, authentication method, and access level within your Microsoft Entra tenant.
- Internal Member: A full-time employee within your organization.
- Internal Guest: An existing user within your tenant with guest-level privileges.
- External Member: A user from a different organization with member-level access to your tenant.
- External Guest: A true guest user with guest-level privileges who authenticates externally.
Authentication Methods:
- Internal members and guests: Use credentials managed within your Microsoft Entra tenant and can reset their own passwords.
- External members: Authenticate through their home Microsoft Entra tenant via federated sign-in. Password resets are managed by their home tenant’s administrator.
- External guests: Set their own password using a link provided in the invitation email.
Internal user
You can create Internal or External user.
And you can add the user the default domain or any of the verified domains.
And choose the user type from Member or Guest
And add the user directly to AU, groups and roles.
And hit create
And we have the new user with a silly display name!
Secure Microsoft Entra groups
Microsoft Entra ID simplifies access management by allowing you to assign permissions to groups of users rather than individuals. This approach aligns with the Zero Trust security principle of granting the least necessary access.
Understanding Groups and Resources
- Groups can be used to manage access to various resources, including:
- Microsoft Entra organization resources (e.g., roles)
- External applications (e.g., SaaS apps)
- Azure services
- SharePoint sites
- On-premises resources
- Group Types:
- Security groups: Control access to shared resources based on membership.
- Microsoft 365 groups: Facilitate collaboration with shared mailboxes, calendars, files, etc.
- Membership Types:
- Assigned: Manually add members.
- Dynamic user: Automatically add/remove members based on user attributes.
- Dynamic device: Automatically add/remove devices based on device attributes.
Assigning Access Rights
- Direct assignment: Assign access to individual users.
- Group assignment: Assign access to a group, granting access to all members.
- Rule-based assignment: Define membership rules for automatic access.
- External authority assignment: Manage group membership externally (e.g., on-premises directory).
Best Practices
- Least privilege: Grant only necessary permissions to groups.
- Group management: Carefully manage group membership and ownership.
- Dynamic groups: Leverage dynamic groups for efficient management.
- Review and audit: Regularly review group memberships and access rights.
Creating groups
From the Group overview page you can see the total amount of different group types with one glance.
And you can create a new group and even add Entra roles if needed.
Recommend when to use external identities
First I want to clarify Workforce and External (Customer) tenants.
- A workforce tenant is designed for internal operations, managing employees, applications, and organizational resources. While it can accommodate external collaborators like business partners and guests, its primary focus is on internal stakeholders.
- An external tenant is specifically built for customer-facing scenarios. It’s used to publish applications and services to external consumers or business customers, operating independently from the organization’s internal operations.
Microsoft chose to name it as External tenant. It makes sense and was a good move in my opinion.
See here for the comparison table from Learn.
Workforce tenant is your default tenant when you provision M365 or Azure tenant for the first time. External tenant is provisioned and connected to this primary tenant.
Below you can see the External Identities inside Workforce tenant.
Business to Business (B2B)
simplifies collaboration with external partners by allowing them to use their existing identities. This eliminates the need for your organization to manage external user accounts, passwords, or lifecycles.
Key Benefits
- Partner autonomy: Partners maintain control over their own identity management.
- Simplified administration: Reduced administrative overhead for your organization.
- Flexible collaboration: Collaborate with partners regardless of their identity provider.
Managing B2B Collaboration
- Cross-tenant access settings: Control authentication and access between your organization and other Microsoft Entra organizations.
- External collaboration settings: Manage who can invite external users into your organization and set restrictions on guest access.
By effectively managing these settings, you can securely and efficiently collaborate with external partners while maintaining control over your organization’s resources.
In my opinion there are many different approaches that could lead you to choose External Identities. Using Guest in your tenant or trusting users from different tenants and using cross-tenant features.
Read from my previous blogs how to Create and SAML IdP with ADFS and Invite user through it as Externals.
Business to Consumer (B2C)
For any consumer accounts there is Entra External ID
Creating an External ID Tenant
- Setting Up Your External Identity Environment
- Establishing a New Tenant for Consumer and Business Customers
Key Components of an External ID Tenant
- Customer Directory: Storing customer credentials and profile data.
- Application Registrations: Establishing trust between your app and Microsoft Entra ID.
- User Flows: Configuring sign-up, sign-in, and password reset experiences.
- Custom Extensions: Adding user attributes and data from external systems.
- Sign-in Methods: Enabling various authentication options.
- Encryption Keys: Managing encryption for tokens, secrets, and passwords.
User Accounts in an External ID Tenant
- Customer Accounts: Representing your app’s end-users.
- Admin Accounts: Managing tenant resources and user accounts.
Try this excellent Woodgrove demo by Microsoft. It will show you almost all the aspects of External ID.
Choosing Between Azure AD B2C and Microsoft Entra External ID
If you need a ready-to-use solution for immediate deployment, Azure AD B2C is a great option.
However, if you’re starting from scratch or in the early stages of product development, consider Microsoft Entra External ID. This newer platform offers:
- Rapid innovation: Access to the latest features and capabilities.
- Enhanced flexibility: More customization options for building identities into your applications.
Ultimately, the best choice depends on your specific requirements and timeline.
Secure external identities
Conditional Access for External Users
Organizations can apply Conditional Access policies to external users (B2B collaborators and Direct Connect users) just as they do for internal employees.
For cross-tenant scenarios:
- Trust external MFA and device compliance: If your Conditional Access policies require these, you can now trust claims from external users’ home organizations.
- Seamless sign-on: External users who meet your Conditional Access requirements can sign in without additional challenges.
Multitenant Organizations
- Multiple Microsoft Entra ID instances: Multitenant organizations often have more than one instance due to factors like cloud diversity or geographical spread.
- Cross-tenant synchronization: This service enables seamless collaboration across multiple instances, improving user experience and reducing administrative overhead.
Configuration:
- Cross-tenant synchronization settings: Configure these under Organization-specific access settings.
Conditional Access for External Users
| User Type | Description |
|---|---|
| B2B Collaboration Guest | External user with guest-level permissions, typically invited or self-signed up. |
| B2B Collaboration Member | External user with member-level access, common in multitenant organizations. |
| B2B Direct Connect | External user accessing resources via B2B direct connect. |
| Local Guest | Internal user designated as a guest for collaboration purposes. |
| Service Provider | External organization providing cloud services to your organization. |
| Other External Users | Users not categorized as internal members or any of the above types. |
See here for breakdown of the Conditional Access policy structure.
Implement Microsoft Entra ID Protection
Overview and Functionality
What it Does:
- Detects, investigates, and remediates identity-based risks.
- Feeds risk data to Conditional Access for access control decisions and SIEM tools for further analysis.
Key Features:
| Feature | Description |
|---|---|
| Risk Detection | Continuously updated to identify suspicious activities like anonymous IP usage and leaked credentials. |
| Sign-in Risk Levels | Generated during each sign-in to assess potential compromise. |
| Investigation Reports | Provide details on detected risks and risky users. |
| Automatic Remediation | Enforces access controls like MFA based on risk level (Conditional Access policies required). |
| Manual Remediation | Allows administrators to review and take action on risks. |
| Data Export | Enables sending identity data to SIEM tools for further investigation. |
Required Roles and Permissions:
| Role | Access Level | Actions | Limitations |
|---|---|---|---|
| Security Administrator | Full Access | All actions, including password reset for users. | None |
| Security Operator | View Only | View reports and overview. | Cannot dismiss risks, confirm safety/compromise, or configure policies. |
| Security Reader | View Only | View reports and overview. | Cannot configure policies, reset passwords, or set alerts. |
| Global Reader | Read-Only | View reports and overview only. | No actions possible. |
| User Administrator | Limited | Reset user passwords only. | Cannot access other features. |
Note: Currently, Security Operators cannot access the Risky Sign-ins report.
Licensing:
Requires Microsoft Entra ID P2 licenses. See the comparison table below for details.
| Feature | Microsoft Entra ID Free/M365 Apps | P1 | P2 |
|---|---|---|---|
| Risk Policies | No | No | Yes |
| Security Reports (Overview) | No | No | Yes |
| Security Reports (Risky Users) | Limited (high/medium risk only) | Limited (high/medium risk only) | Full Access |
| Security Reports (Risky Sign-ins) | Limited (no risk details) | Limited (no risk details) | Full Access |
| Security Reports (Risk Detections) | No | Limited (no details) | Full Access |
| Notifications (Risk Detection) | No | No | Yes |
| Notifications (Weekly Digest) | No | No | Yes |
| MFA Registration Policy | No | No | Yes |
Closure
So go through what we learned.
User Types and Authentication:
- Understand user types (internal/external, member/guest) and their authentication methods.
- Internal users manage passwords themselves, while external users rely on their home tenant.
Creating Users:
- Use the least privileged role for user creation and role assignment (e.g., User Administrator).
- Consider user type, authentication, and access level when creating users.
Secure Microsoft Entra Groups:
- Manage access through groups for Zero Trust security (grant least necessary access).
- Different group types exist for various resources (security, collaboration, etc.).
- Membership can be assigned, dynamic (based on attributes), or external.
- Best practices include least privilege, careful management, and regular review.
External Identities:
- Workforce tenant: Internal operations, employees, apps, and resources.
- External tenant: Customer-facing scenarios, apps, and services.
Microsoft Entra External ID:
- Collaborate/publish apps to external users.
- Options include B2B collaboration and B2C (consumer accounts).
Choosing Between B2C and External ID:
- B2C: Ready-to-use solution for immediate deployment.
- External ID: Newer platform with rapid innovation and more customization.
Securing External Identities:
- Conditional Access: Apply policies to external users for access control.
- Trust external MFA/compliance from their home tenant.
- Seamless sign-on for compliant users.
- Multitenant Organizations:
- Use cross-tenant synchronization for collaboration across instances.
- User Types for Conditional Access:
- B2B Collaboration Guest/Member
- B2B Direct Connect
- Local Guest
- Service Provider
- Other External Users
Microsoft Entra ID Protection:
- Detects, investigates, and remediates identity-based risks.
- Feeds data to Conditional Access and SIEM tools.
- Requires Microsoft Entra ID P2 licenses.
RSS - Posts