Azure Active Directory Tutorial | How to set up MFA for guest users

Reddit Comments

The following documentation will also help give you a walkthrough on how to do this: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-tutorial-require-mfa

u/hazzalow, 1 point, Oct 06 2020

What licensing is required for the guest in order to grant them MFA?

If the guest has problems with their MFA (like many users do), who is empowered to reset the guest's MFA to allow them to set it back up via https://aka.ms/MFAsetup? Is that Auth/Global Admins in the Contoso tenant or somebody else? (I'm thinking about this, because we're already handling MFA resets for users that change/lose phones, and if we implement Guest MFA, then we'll be responsible for resetting Guest MFA, too, but without any Active Directory information to validate their identity.)

EDIT: Ignore the 1st question. I found the answer: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/licensing-guidance says that Microsoft calculates a 5:1 ratio for guests to licensed users. So if I have 100 P1 licenses in my tenant, then I can require 500 guests to use MFA.

u/Weyoun2, 1 point, Oct 07 2020
Captions
So the way we work has changed a lot recently. You and I, we're probably working remotely if you're watching this in 2020, and I don't know, maybe forevermore; you may not go back to an office. But the way we work now, we're not getting the face time we did before, and that's with your colleagues, but it's probably the same with your customers as well. In this video I want to talk about identities. It's awesome that we're bringing these customers into platforms like Microsoft Teams to be able to chat and collaborate on files, but internally it's been a standard for a while now that we need to enable multi-factor authentication to secure people logging in, so that no rogue actors are trying to log in on your users' behalf. What I still see is that a lot of organizations haven't secured their external and guest users in Azure Active Directory, for things like Microsoft Teams and so on, with that same lens: they're not using multi-factor authentication. So in this video I want to show you how simple it is to set that up, and we'll have a look at the user experience as well.

All right, so let's just spend a minute setting the scene for what we're going to achieve here to show multi-factor authentication for guests. I'm here inside Microsoft Teams and we've got a team for top secret projects, super top secret squirrel stuff; nobody can see this unless they've been invited to this team. Not only is this going to be for internal users, but we also want to add in guest users as well. Our guest users today just aren't that secure, and this is a top secret project, isn't it? So we want to make sure that we've added multi-factor authentication for these users. Today they'll just log in with the credentials we invite them with; in this case we're going to use a Gmail user as an example.

The next thing I want to show you is inside Azure Active Directory, and the reason I'm going to show you this is because it's important to know the different user types. You can see everyone here is a member; these are all people inside my tenant, inside my organization. What's going to be really interesting for this demonstration is when we go to user type and then go to guest. Right now this is going to have nobody there, because we haven't invited anyone into our tenant, into our Azure Active Directory, for example by adding them as a guest in Teams. But this section is going to be really important, because when we start adding this conditional access policy for requiring multi-factor authentication, we're going to be saying that it's for these guest users. Inside Teams, what happens when we add a guest into a team is that it goes and creates an account here for us, an Azure Active Directory B2B (business-to-business) account, and that's what we can then set the multi-factor authentication policy against.

So what I'm going to do quickly is actually go and add this user now in Teams. In Teams, from our top secret project, we're going to go ahead, hit the more options button and add a member, and here's where we can start adding that guest. In this case I'm going to choose just a fake Gmail account for it, and you can see what it's already doing: it knows, hang on a minute, you're not part of our organization, so we're going to have to add you as a guest. This is the part we just mentioned: once I hit add here, that's going to add this user into Azure Active Directory for us. I can, if I want to, change some of the information right now, such as the user's name, but for this demo we'll just leave it as it is and hit add. As you would imagine, like any team that you're creating, you can go ahead and just hit close. Because they're a guest, though, what you can't do is make them an owner or a member; there's no way of doing that, they're just a guest account, so just bear that in mind.

All right, so back in Azure AD let's go ahead and refresh, and look at that: we now have a guest user that's been created inside our Azure Active Directory, and this guest user is what we're going to create this multi-factor authentication for. We can see here the user type is guest and an invitation has been sent to them; they've not accepted it yet. You can go ahead and edit these things, like giving the user a proper first name and last name and all that kind of jazz, as well.

But let's go have a look at it from the end user perspective and go from there. Once you've added the guest into your team, the workflow is really quite simple: they get an email, as you can see here, which says hey, you've been added into Contoso, into this team, which in this case is our top secret project. What happens then really depends on your identity, whether you're already in Azure Active Directory or whatnot. In this case we're in Gmail and it's a completely new Gmail account, so it's never had a Microsoft account attached to it or anything like that. So it's actually going to go ahead and help me attach my Gmail to a Microsoft account, to allow for this simple authentication into the Contoso environment. Once that's all happened, let's look at opening up Microsoft Teams, as if we're just logging in for the first time inside Teams, and see what happens to our user identity. So right now let's just get this user account signed in. We can see here it's just prompting me for the password, but so far we've not been challenged with anything; we're just signing in very simply, there's no multi-factor authentication or anything like that. So if anyone had this person's Gmail credentials, well, they're now in here; they're in the top secret project, they can see all the files, which as we know are super confidential. That's not really the experience we want for all of our guest users. As we say, that was pretty simple to log in.

So now let's go ahead and actually create this multi-factor authentication conditional access policy. We're now back in Azure Active Directory; we've seen a user logging in without multi-factor authentication, now let's get a little bit more security on the board and set up MFA. This is going to be pretty simple. All we need to do is go down to Security and then Conditional Access, and we have policies, so we're going to create a new one. You can see there are some preview ones here; the Active Directory team are doing a fantastic job of adding things in that you would expect, like blocking legacy auth and requiring MFA for admins, all good stuff, but we're not going to talk about that today. We're going to go ahead and do New policy. Let's give this thing a name that makes sense, like Teams MFA for guests and external users. We then want to go and set the assignment, and this has come on a long way: in the past we used to create Azure Active Directory dynamic groups for external guests and so on and so forth; now we can just go ahead and hit All guests and external users. As we saw, when we invited that user into Teams, that guest then created that Azure Active Directory B2B account, which means it's now going to be seen as a guest user and we can attach these conditional access policies. So now we've got All guests and external users set, let's go ahead and choose an application. Of course you can change this to whatever you want to control; in my case I'm just going to do Select apps and then choose Teams. With Teams selected, we're now just going to choose Grant. Of course there are many more things you can do in here, but for this we're going to keep it really nice and simple: if you're a guest user and you're trying to log in, we're only going to grant you access if you've used multi-factor authentication, so that is a requirement to log in to our environment.

Now with that selected, you can either use Report-only, which, if you're building this in production, let's just be real here: don't go ahead and just select On for a bunch of users and then create and enable it, because you may find that what you set up doesn't work exactly how you expect it to in production. So put it in report-only and see what's happening, because you might see some oddities where people are getting MFA prompts when you didn't expect it to happen. I'm actually just going to leave this as report-only for a second and show you another quick tool before we actually enable it. So we've now got this created, and what you can do to try this out is use the What If tool. This allows us to say, what if my guest account, or this guest account here, is logging in and they're trying to get to Microsoft Teams; then let's see what policies actually apply to this user. So we can go ahead and just do What If, and I can see that the policies that would apply if it was enabled would be this MFA guest and external user policy. In reality it's going to say, look, you're going to require multi-factor authentication, but it's currently in the report-only state. So you can do that: you can do the report-only, you can use this What If tool. Please have a look at these before you go into production.

So we're going to come out of What If, go back to the Teams MFA for guests and external users policy, and turn this on. Now we're going to flip over to the guest user and see what happens when we log in with this MFA policy enabled. So now let's test out the user experience with the conditional access policy forcing these guest users to use multi-factor authentication to get access. From the original email we're just going to go ahead and open Microsoft Teams. What it's then going to do is ask us to authenticate, so signing in to this Contoso tenant, we can then go ahead and put the password in, but what it's going to do this time round is say more information is required, and this is because we now need to set up multi-factor authentication to be able to log in. Then, from the additional security verification page, we've got a couple of options for how we want to be contacted to set this up: do we want to use, for example, the authentication phone, or do we want to use the mobile app? In my case I'm just going to go ahead and use my phone number and then ask for it to verify that by text message. After completing all the wizard steps by adding the verification code, what's now going to happen is this guest user will authenticate into Microsoft Teams.

You've now seen the steps that a guest user will have to go through to set up multi-factor authentication for the first time, but really this just took us straight back into Teams. So we're going to log back out again and then run through logging in again, to emulate this guest user logging back into Microsoft Teams, maybe for the first time that day, where they need to come in and collaborate with your organization. This time it's interesting: now when we go ahead and try to log in, what we see is that after putting the password in we get a challenge from the multi-factor authentication service, asking us to put in a code that is then sent to this guest's mobile device that we set up earlier on. Once we go ahead and verify that the code is correct, it's going to just log us in. And there we go, that is how you set up multi-factor authentication for your guest and external users coming into your organization's environment. You want to make sure you are protecting your sensitive data, and identity is just part of that story. So I hope this has been helpful; I'm hoping the demos really give you a good idea of what that experience will look like. Make sure you like and subscribe, and we'll be back next week for another helpful tip and video around Microsoft 365.
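The policy built in the portal above, expressed as the Microsoft Graph conditionalAccessPolicy request body (report-only first, then enabled), together with a small emulation of the What If check. This is an added example, not code from the video or from Microsoft: the Teams application id is a placeholder to replace with the id shown under Enterprise applications in your tenant, and the What If emulation is an assumption that covers only the user-type, application and MFA conditions this policy uses.

```python
import json

# Placeholder (assumption): replace with the Microsoft Teams application id
# shown under Enterprise applications in your tenant.
TEAMS_APP_ID = "<teams-application-id>"


def build_guest_mfa_policy(report_only: bool = True) -> dict:
    """Graph conditionalAccessPolicy body matching the portal steps:
    all guests and external users, Teams only, grant access only with MFA."""
    return {
        "displayName": "Teams MFA for guests and external users",
        # Report-only first; flip to "enabled" after checking the sign-in logs.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"]},
            "applications": {"includeApplications": [TEAMS_APP_ID]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def what_if(policy: dict, sign_in: dict) -> dict:
    """Simplified emulation (assumption) of the portal's What If tool for one
    sign-in: sign_in has user_type ("member"/"guest"), app_id, mfa_satisfied."""
    users = policy["conditions"]["users"]["includeUsers"]
    apps = policy["conditions"]["applications"]["includeApplications"]
    user_in_scope = "All" in users or (
        "GuestsOrExternalUsers" in users and sign_in["user_type"] == "guest")
    applies = policy["state"] != "disabled" and user_in_scope and sign_in["app_id"] in apps
    needs_mfa = applies and "mfa" in policy["grantControls"]["builtInControls"]
    if not applies:
        result = "not applicable"
    elif policy["state"] == "enabledForReportingButNotEnforced":
        result = "report-only: would require MFA"  # logged, never enforced
    elif needs_mfa and not sign_in["mfa_satisfied"]:
        result = "challenge: MFA required"
    else:
        result = "granted"
    return {"applies": applies, "result": result}


if __name__ == "__main__":
    # Constructed sign-ins: a member and a guest, both opening Teams without MFA.
    guest = {"user_type": "guest", "app_id": TEAMS_APP_ID, "mfa_satisfied": False}
    member = {"user_type": "member", "app_id": TEAMS_APP_ID, "mfa_satisfied": False}
    for policy in (build_guest_mfa_policy(True), build_guest_mfa_policy(False)):
        print(policy["state"], what_if(policy, guest), what_if(policy, member))
    print(json.dumps(build_guest_mfa_policy(False), indent=2))
```

The enabled body is what you would POST to /identity/conditionalAccess/policies; keep the report-only version in place until the sign-in logs show only the guest prompts you expect.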
Info
Channel: Harry Lowton
Views: 1,694
Keywords: azure active directory, conditional access, conditional access app control, microsoft azure tutorial for beginners, azure ad, multi-factor authentication, microsoft azure, azure active directory domain services, azure ad b2b, azure mfa, azure ad sso, azure conditional access policy, azure conditional access best practices, azure active directory tutorial, azure active directory authentication, Azure active directory tutorial for beginners
Id: n8O9jxuF4Jw
Length: 13min 20sec (800 seconds)
Published: Tue Oct 06 2020