Say goodbye to unmanaged Azure AD accounts for B2B collaboration

September 2, 2022 | AzureAD

Hello friends, 

 

Today I’m announcing the end of unmanaged (“viral”) accounts for B2B collaboration in Azure Active Directory (Azure AD), part of Microsoft Entra. This has been a major pain point for many customers, contributing to increased support costs, and making it harder to manage access and user lifecycle. Thanks to the team for being customer-focused and making collaboration even more secure. 

 

The Problem 

At the inception of Azure AD B2B collaboration, we introduced the concept of self-service sign-up for email-verified users (also known as unmanaged accounts) to enable collaboration for users without an Azure AD-based identity. This allows invited guest users to create Azure AD accounts by validating ownership of their work email address when their domain is not verified in Azure AD. However, this sometimes means that users create accounts in a tenant not managed by the IT department of their organization. This has several unintended consequences, such as challenges with user lifecycle management, support costs due to password reset issues, and information disclosure between users in the Azure Portal.

 

The Solution: No new unmanaged accounts will be created with Azure AD B2B collaboration

Some owners of these unmanaged tenants have resolved the issue by taking over the tenant and making it a managed tenant. For the cases where this is not appropriate, we now provide additional ways to authenticate users without the need to create unmanaged Azure AD accounts. This includes the ability to federate with SAML and WS-Fed based identity providers, federate with Gmail accounts, and support for collaboration using an email-based one-time passcode. 

[Figure: New invitation redemption flow for B2B Collaboration]

 

We have modified the logic of the redemption flow as follows: 

  • At step #1, existing unmanaged Azure AD accounts will not be considered for redemption. Users will only be able to redeem with managed Azure AD accounts. 
  • Unless you have explicitly opted out, Email One-Time Passcode (OTP) is now enabled by default across all Azure AD tenants as of July 2022. 
  • If you have disabled Email One-Time Passcode (OTP), and we are unable to find an identity provider for an invited user (steps 1-4), the user will be prompted to create a consumer Microsoft Account with the invited email (step 7). We’ll support creating a Microsoft account with work emails with domains that are not verified in Azure AD.   

Click here to learn more about changes to the invitation redemption flow. 

 

Accounts that have previously been invited and redeemed with unmanaged Azure AD accounts will continue to work.  

 

Clean up existing unmanaged accounts from your tenant today! 

You can now use this sample application or the MSIdentity Tools PowerShell Module to identify the unmanaged Azure AD accounts that exist in your tenant and optionally reset their redemption status. By resetting their redemption status, these guest accounts will maintain all existing access and permissions but will be forced to use a different redemption method, such as Email One-Time Passcode (OTP) as described in the redemption flow earlier. Learn more about cleaning up unmanaged Azure AD accounts. 
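The identify-then-reset procedure described above, as an added example that is not part of the original post or Microsoft's own script. It assumes the MSIdentityTools cmdlets `Get-MsIdUnmanagedExternalUser` and `Reset-MsIdExternalUser`, the Microsoft Graph scopes shown, and that the returned user objects expose an `Id` property; the CSV file name is hypothetical.

```powershell
# Added example: inventory unmanaged ("viral") guest accounts, review them,
# then reset redemption status only for the accounts that passed review.
# Assumptions: MSIdentityTools provides Get-MsIdUnmanagedExternalUser and
# Reset-MsIdExternalUser, and the returned objects carry an Id property.

Install-Module Microsoft.Graph -Scope CurrentUser
Install-Module MSIdentityTools -Scope CurrentUser
Import-Module MSIdentityTools

$reviewFile = '.\unmanaged-guests-review.csv'   # hypothetical path

# Pass 1 (read-only scope): find guests that redeemed with an unmanaged account.
Connect-MgGraph -Scopes 'User.Read.All'
$unmanaged = @(Get-MsIdUnmanagedExternalUser)
Write-Host ("Unmanaged guest accounts found: {0}" -f $unmanaged.Count)
if ($unmanaged.Count -eq 0) { return }

# Write the inventory out so account owners or the help desk can review it
# before anything in the tenant is changed.
$unmanaged | Export-Csv -Path $reviewFile -NoTypeInformation
Write-Host "Review $reviewFile and delete the rows that must not be reset."
Read-Host 'Press Enter when the review is complete' | Out-Null

# Pass 2 (write scope): reset only the accounts still listed in the reviewed file.
$approvedIds = @(Import-Csv -Path $reviewFile | ForEach-Object { $_.Id })
Connect-MgGraph -Scopes 'User.ReadWrite.All'
$unmanaged |
    Where-Object { $approvedIds -contains $_.Id } |
    Reset-MsIdExternalUser
```

Running the read-only pass on its own gives an inventory without changing any account, which is useful for sizing the cleanup before the reset step is scheduled.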

 

What customers are saying  

Lots of customers have already started using this new solution and the feedback has been super positive, like this one from one of our customers in the banking industry: 

 

“We had thousands of unmanaged accounts in our tenant causing support, lifecycle management and security concerns. Through the PowerShell cmdlets we successfully identified unmanaged accounts and converted them into managed accounts via redemption status reset.” 

 

We love hearing from you, so please share your feedback on these updates through the Azure forum or by tagging @AzureAD on Twitter. 

 
Robin Goldstein  

Director of Product Management, Microsoft identity 

Twitter: @RobinGo_MS 

 
