This week marks a couple of special milestones for me: the 25th anniversary of my first day as a Microsoft employee, and the culmination of some great work the team is doing to empower Microsoft’s customers to do more and create great experiences with our identity services.
Last spring, I shared our vision for Azure Active Directory External Identities and encouraged customers to preview self-service sign-up, our first step toward unifying Microsoft’s identity offerings for employee, partner, and customer identity. During the past year, we’ve made significant improvements to Azure AD External Identities with the help of our preview customers, who view this work as critical to making their workflows more flexible, secure, and scalable.
Today, we are taking additional steps on this journey with the general availability (GA) of several External Identities features and a few new previews for B2B and B2C scenarios.
Flexible user experience
Delivering customized, intuitive experiences for customers and partners is a top priority for many organizations. Our customers tell us they want digital experiences that reflect their brand and reduce friction for their users.
Configure the user experience for sign-up with custom user attributes, API Connectors, and Social IDs.
Now generally available, self-service sign-up user flows for Azure AD make it easy to create, manage, and customize onboarding experiences for external users with little to no application code. You can now:
- Integrate with more external identity providers, including Google and Facebook IDs (generally available), and email-based one-time passcodes or Microsoft accounts (in preview) so that customers and partners can seamlessly bring their own identities. We’ve also improved the experience for users who sign up with a social ID, allowing them to sign in with their email address. Learn more about how to enable self-service sign-up with social IDs.
- Define localizable custom user attributes, such as Supplier ID or Account Number, to collect on the forms that external users complete during self-service sign-up when accessing apps and services in your organization. Learn more about customizing attributes for your apps.
- Extend your flows with API connectors to validate user input, route information to an external workflow, or perform identity verification. Client certificate authentication of the API calls is now available in preview. Learn how to use API connectors.
- Configure all of the above through the Microsoft Graph APIs.
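As an added example (not code from the post or from Microsoft), here is a minimal API connector handler for the Supplier ID attribute described above. It returns the Continue, ValidationError and ShowBlockPage responses of the API connector contract; the supplier registry, the attribute name and the sample request are constructed for the example.

```python
import re
from typing import Any, Dict, Optional

# Constructed stand-ins for the supplier master data the endpoint would consult
# and for the attribute name; both are assumptions of this example.
KNOWN_SUPPLIER_IDS = {"SUP-000123", "SUP-004711"}
SUPPLIER_ID_PATTERN = re.compile(r"^SUP-\d{6}$")
SUPPLIER_ATTRIBUTE_SUFFIX = "_SupplierID"  # custom attributes arrive as extension_<appId>_<Name>

def get_custom_attribute(payload: Dict[str, Any], suffix: str) -> Optional[str]:
    """Return the custom attribute whose key is extension_<appId><suffix>, if present."""
    for key, value in payload.items():
        if key.startswith("extension_") and key.endswith(suffix):
            return str(value).strip()
    return None

def handle_sign_up_request(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Build the API connector response (Continue / ValidationError / ShowBlockPage)."""
    supplier_id = get_custom_attribute(payload, SUPPLIER_ATTRIBUTE_SUFFIX)
    # Input validation: a missing or malformed value is returned to the form
    # as a field error so the user can correct it (HTTP 400 per the contract).
    if supplier_id is None or not SUPPLIER_ID_PATTERN.match(supplier_id):
        return {
            "version": "1.0.0",
            "status": 400,
            "action": "ValidationError",
            "userMessage": "Enter your Supplier ID in the form SUP-123456.",
        }
    # Authorization check: a well-formed but unknown ID blocks sign-up with a
    # generic message, so the response does not reveal which IDs exist.
    if supplier_id not in KNOWN_SUPPLIER_IDS:
        return {
            "version": "1.0.0",
            "action": "ShowBlockPage",
            "userMessage": "We could not verify your supplier relationship.",
        }
    return {"version": "1.0.0", "action": "Continue"}

# Constructed sample request, shaped like the JSON Azure AD posts to a connector.
SAMPLE_REQUEST = {
    "email": "maria@supplier.example",
    "identities": [{"signInType": "federated", "issuer": "google.com", "issuerAssignedId": "1122"}],
    "displayName": "Maria Example",
    "extension_00000000000000000000000000000000_SupplierID": "SUP-004711",
    "ui_locales": "en-US",
}

if __name__ == "__main__":
    print(handle_sign_up_request(SAMPLE_REQUEST))
```

The connector endpoint itself must still authenticate the caller (basic authentication or, in preview, client certificates) before trusting the payload.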
Configure next-generation user flows with Azure AD B2C.
Next, customers building consumer-facing apps can expect general availability of our improved next-generation user flows for Azure AD B2C in the next few weeks. You’ll be able to:
- Select and create B2C user flows with a new, simplified experience in the portal, and configure all features within the same user flow without the need for versioning in the future.
- Enable phone sign-up and sign-in for users so they can sign up and sign in with a phone number using a one-time password (OTP) sent to their phone via SMS.
- Use API connectors, in preview, to extend and secure Azure AD B2C sign-up user flows.
- Enable users to access Azure AD B2C applications using sign-up and sign-in with Apple ID, currently in preview.
Identity Protection with risk-based Conditional Access is one of the most widely adopted security features for protecting Azure AD employee accounts. It’s now in preview for next-generation user flows and is expected to become generally available later this spring (details below).
Securing data and protecting against unauthorized access is another high priority for our customers with external users and consumer-facing apps.
Set up risk-based Conditional Access policies for your B2C apps.
In a previous post, I shared that we are expanding the power of Azure AD Identity Protection with risk-based Conditional Access to Azure AD B2C. Since then, we’ve been working closely with customers to improve this experience. That means ensuring that the common patterns for user logins can be secured and protected against suspicious or irregular access.
Risky users blades in Azure AD B2C portal.
Identity Protection and Conditional Access policies for Azure AD B2C are enabled for customers with Azure AD External Identities Premium P2, and we’re looking forward to making it generally available later this spring.
Scalable lifecycle and user management
As the number of external users in an organization grows, controlling who has access to which resources and for how long can be cumbersome. Many of you have shared that guest access reviews for Microsoft Teams and Microsoft 365 groups are helping to automate that process.
We’ve added new capabilities to help organizations manage external users in the cloud, while simplifying the admin experience for all users:
- Move guests to the cloud: guests who are represented as internal users in the directory can connect and collaborate using External Identities, keeping their object ID, user principal name, group memberships, and app assignments intact. Inviting these members to B2B collaboration, now generally available, gives guests a better user experience and improves the overall security of the directory.
- Reset the redemption status for a guest user: sends guests a new invitation to redeem their account for collaboration without having to redo existing access and memberships. Resetting redemption status, in preview, provides continuity for external users when their home tenant account is deleted or when new identity provider options become available.
Updating our External Identities SLA
Finally, we announced an update to our service level agreement (SLA) for Azure AD B2C tenants. Starting on May 25, 2021, our SLA for Azure AD B2C will promise a 99.99% uptime for Azure AD B2C user authentication, an improvement from our previous 99.9% SLA.
Thanks to all the incredible feedback this year, we’ve got many more great features on the roadmap to improve the experience, security, and manageability of all Azure AD External Identities scenarios. We love hearing from you, so keep trying our new features and sharing feedback through the Azure forum or by following @AzureAD on Twitter.