Azure AD Cross-Tenant Access Settings Deep Dive

Captions
Hey everyone, in this video I want to talk about the new cross-tenant access settings we have available in Azure AD. This is all about those guest users, or B2B: these could be identities from my Azure AD tenant being given access to resources that trust another Azure AD tenant, or identities from another Azure AD tenant that I want to make guests in my tenant to give access to resources that trust my tenant. So I'm going to dive into all of this today. As always, if this is useful please go ahead and like and subscribe, and you can hit that bell icon to get notified of new videos.

So my focus here is thinking about multiple Azure AD tenants. We're used to the idea that I have my home Azure AD tenant; that's an instance of Azure AD. So I'm thinking about, well, every organization that's using Azure or Office or really anything else: we have my tenant, so that's a particular instance of Azure AD, and in there I have my users, my groups, my service principals. Now they might be cloud identities created directly in Azure AD, they might be synchronized from an on-premises Active Directory, but they're still identities; I am the account tenant. And then I can think, well, there's other tenants, so there's some other tenant out there; for example, I'll just call it tenant one, that's something else. Then there might be resources; this could be applications, it could be an Azure resource, it's something else. And what I'm thinking about here is, well, accounts from my tenant get added as guests in this other tenant, and then with that, resources that trust that tenant, well, that resource could be given permissions, things like role-based access control. Now obviously this can work the other way: I might, in my tenant, think about, hey, well, there's users in this tenant that maybe I add as guests in my tenant, and they could be given access to resources. So it's in a particular direction, but I'm thinking about this B2B, external identities, i.e. guests. So this is what we're focused on, and really I'm focused on the control aspect of that, and also something kind of cool when I think about this direction, guests, people from other tenants, and think about strong authentication, maybe other factors I want to use: MFA, hybrid Azure AD joined, compliant devices. We're going to talk about that at the end.

Now, today, there were certain things I can do around external identities. If we jump over to the portal for a second, what we had right now is: if I go to my Azure Active Directory, what I could do is, under Users and User settings, we have this option over here around Manage external collaboration settings. And if I go into that, well, I can firstly define things like, well, what access do guest users have in terms of looking at other objects in my Azure Active Directory. I could set controls about, well, who can invite people to be guests in my tenant, and I can even then control, well, do I want to restrict which DNS, which fully qualified domain names, of other tenants I'm going to allow invites to be sent to. So I could deny invitations to specific tenants; I can put the names in here. I could also say allow only to specific ones, being more restrictive. So those are what I kind of had today, before this new set of functionality, and you'll notice a key tenet around all of these configurations: it's about who can I invite into my tenant. There's nothing flowing the other way. I have no ability to control, well, my users, what can they be invited to and be guests in other tenants. There was no way of doing that; I had to do fairly complicated networking things to try and restrict that type of access. And those settings still exist, so about controlling sending those invites so people can be guests into mine, I can still use those settings. Realize those settings are all about the invite, and it's all about the DNS name that I'm sending it to and who can send the invite, so it's all about adding guests into mine. But what we're going to look at now, these new cross-tenant access settings, gives us a lot of other capabilities. It enables me, yes, I can still have control about tenants that I can add as guests in my tenant, but it gives me more granularity. I can also now control the outbound: who from my tenant could be added as guests in other tenants, and also controls about trusting some claims that might be made for those guests. We may have heard of double MFA and the pain point of a guest having to MFA in their tenant and mine; well, we can actually solve that now.

So let's look at these new settings, and what we'll see straight away is we have a lot more granularity. So I'm going to go back to my Azure AD, I'm going to go and look at External Identities, and we have this new Cross-tenant access settings available to us. Now it is in preview right now, so the exact portal may change eventually, but for right now this is what we're looking at. And we can see straight away we have organizational settings, so I can actually go and add specific configurations for different Azure AD tenants. Now a key thing I want to point out here straight away is we see kind of a name for these tenants, but we're actually adding the tenant object, and why that's important is, hey, tenant one, that might have multiple DNS names associated with it; I can have multiple custom DNS names. Now those old settings, those collaboration settings, focused on the DNS name. These new settings, yes, I may set a DNS name to add a new tenant, but it's then adding the ID of the tenant, the object ID, so it's for all of the domain names that may be associated with the tenant. I'm not focusing on a particular name; if this tenant has five different custom DNS domain names associated, it's applying to all of them. So I'm adding settings for the tenant object, all of the different names that it may have within there. OK, so if we jump back over again, so I can see, well, I can add different sets of settings, both inbound and outbound, for specific instances of tenants, and I'm going to come back to that. We also have default settings.

So these default settings are about the collaboration with everyone who we don't have a particular organizational set of configurations for. So these default settings will apply to any tenant without a specific organizational setting, and by default this is going to be the behavior we have today. So by default we can see we'll allow inbound. Now remember, what is inbound? The inbound settings, if we looked at this picture, inbound settings are identities, users from other tenants, being added as guests to ours. So when I think about what we're doing, inbound is this way: hey, I want to be inviting users from other Azure AD tenants to make them guests in my tenant. Outbound settings, as you've probably guessed, is the other way: the ability for people in my tenant to be added as guests in other tenants. So where the account lives, well, that's the account tenant; where it's been added as a guest and there's some resource that trusts it, well, that's the resource tenant. So this is what we're focused on: we have inbound settings and we have outbound settings. Outbound settings is, hey, people from my tenant being able to be added as guests in others; inbound, people from other tenants being added as guests to mine. So we can see we have those default configurations, which by default mimic just what is the default without this capability at all. So we can see for B2B collaboration we're allowing all users or groups, and it's for all applications, but notice we have now this granularity: I could, if I wanted, start to limit to particular applications I want to allow. Ignore the trust settings for now; we're going to come back to that. And also we have outbound: hey, any user or group is allowed outbound to be added as a guest for any external application, but we could change that. And you realize the power that this now is going to start to enable me to do: I could now actually restrict. We start to think about a Coke and Pepsi. Well, what I could actually now start to have is the idea that, hey, well, by default I allow all of this; I could go and add particular organizations and restrict it so I don't allow that type of collaboration.

Now, I can edit these settings, so I could change the defaults. I might, for example, make the defaults now for inbound, hey, I'm going to block: I can't add guests from anyone. So then what I would have to do is now go and add organizational settings for specific organizations that I will allow, so I'm kind of doing an exception-based allow. Now, if you block all users, then I need to go and block all applications as well, but I could also restrict that down. Now one thing I will kind of point out here that I actually don't think makes a lot of sense, you know, is I can apply to specific external users and groups, and when I do this what I'll do is add the object ID of the user or group. This is the default policy; this probably doesn't make a lot of sense to ever set this, for default, to particular users and groups. They're going to be from particular tenants, so I'm probably never really going to use that on this one. But I could also, if I wanted, restrict it to particular applications, and I could go and add in the particular apps that I want to allow for this, and again ignore the trust settings for right now. And then likewise for outbound, I could allow access by default or block, and I could actually make only certain users and groups allowed outbound to be added as guests in someone else's, and once again control which external applications they could actually do this for. So I have that ability to change those default settings. So what we're talking about right now with those default settings is, hey, there's my tenant, and I can think about, well, there's a whole bunch of other Azure AD tenants out there, every other tenant in the world. So all of those default settings apply to everyone, and again we have the idea that we have inbound, people that can be added as guests in my tenant, and we have the idea of outbound, people from my tenant that could be added as guests to others, and then which particular applications in both of those different directions. So that's for kind of all Azure AD tenants that exist.

And then, well, we can add particular organizations. So in this case, for example, that's a particular organization: I can have a particular set of inbound and outbound settings for tenant one. I might also have, hey, tenant two, so I have some other tenant, and what I can have is I can inherit the defaults for one or both directions and then override it. So maybe for tenant two what I'm going to say is I'm going to add specific inbound settings that don't inherit the default, and maybe my setting here is not allowed: I don't want guests from this tenant to be added into my tenant, so I don't want users from this tenant to be added. But maybe I'm OK leaving the outbound as the default: people from my organization can be added as guests in this one. But I have all of that flexibility; I have complete control. So if we go and look, so back over, I've lost my page, back over to my cross-tenant settings. So I have the default settings; I've left mine as the default, so all allowed. And then I can go to organizational settings, so here notice I can add an organization. We can type in the tenant ID or a name; when I put in a name it will go and find the tenant ID. Now I've already added this one, so I'm not going to add it again, but it tells me the name of that particular tenant. So I've got onboardtoazure.cloud, is this one; I've got onboardtoazure.com, is this one; and then ntfaq.com. So I have three specific organizations added in my tenant, and I have some different options configured for them. And this is what I want to focus on first; I want to focus on this idea that, OK, I want to maybe allow or block in a particular direction. So what I've configured firstly is, for this onboardtoazure.cloud, what I've configured here for my inbound access is blocking: I do not want people from onboardtoazure.cloud to be able to essentially be guests, to be able to authenticate into my tenant, and then it's blocking all applications as well. If I look at the outbound, I'm also blocking outbound, so there's basically no collaboration of any kind with onboardtoazure.cloud.

Now this is at authentication time. This is a big difference: these settings do not apply to the invite experience. So even if I've blocked outbound access I could still send an invite, but they won't be able to authenticate. So that's the behavior today; it may change in the future. This is all about the authentication, the authorization, when I try to do something. So I've completely blocked onboardtoazure.cloud, but I could still send an invite to them, because again, today they don't interact with each other. So if I look at my users, you can see I have added john at onboardtoazure.cloud as a guest. Now let's see what happens when I try and use that account. So here, this is john at onboardtoazure sitedesk.com; that's not the one I want, I want to use the .cloud. So what we'll actually do, a bit of fun, let's just browse as guest quickly. So we'll go to portal.azure.com for savilltech.net, and I'm going to sign in as john at onboardtoazure.cloud, so I'm going to use this particular account to actually go and test this. So now I have to authenticate. OK, and it's blocked. So it's not letting me; it's happening at that kind of authorization. So it's restricted which organizations can access their tenant, and if I look at the error message down here: this resource tenant's cross-tenant access policy does not allow this user to access this tenant. So it's completely being blocked as part of the policy, so that shows it working in that direction. OK, so let's close that. Now let's see in the other direction. So what I also have configured, if we look at External Identities, if we look at ntfaq.com, I'm inheriting the default inbound, but outbound I've configured and I'm blocking. So I cannot be added, well, I cannot authenticate as a user from my tenant, savilltech.net, to ntfaq.com.

Now if I go to ntfaq.com and look at my Azure AD, we'll see, well, john at savilltech.net is added, so I should be able to authenticate, but remember my cross-tenant settings are saying no. So now if I try, this is john at savilltech.net, if I try and access ntfaq.com, and I want to stick to it, it's blocked. So once again it's failing: tenant administrator has restricted, at ntfaq.onmicrosoft.com, and once again now it's telling me, well, where is this actually being blocked. So I can see the user administrator has set outbound access policy, so my tenant has gone and restricted that. So that's both those directions we can actually see; we're seeing those exact things in action. I'm seeing, hey, I can block outbound, and again that could have been for particular users and groups if I wanted to, it could have been for particular applications. So I can now stop users from my tenant being added as guests to others. Again, it still lets them be added as guests, but I can't use it, I can't authenticate; it's going to block me when I'm trying to get those tokens. I can also block inbound; again, when it tries to get a token it's going to fail, those cross-tenant access settings are going to kick in and not let me do that. So this is huge. And again, today, before this, I could kind of do some things about sending invites this direction based around the domain name, but it was all about the invite experience; it wouldn't apply if I had existing ones. These new settings will apply for both inbound and outbound, and it doesn't matter if they're new or existing; it's happening when it's actually trying to get that authentication happening.

So let's talk about the other settings I said I'm not going to talk about right now. So if we go back to the portal, let's go and look again, let's close that, and remember we had these default settings and we had this trust setting that I said let's not worry about that right now. If we edit, I can now, by default, trust MFA claims in the token I get from the account tenant where the user lives, trust compliant devices, I think like Intune or some third-party MDM solution, I could trust its hybrid Azure AD join status, i.e. it's joined to AD and then it's registered in Azure AD. So we have that option now; I could actually start to trust those things, and where obviously I would trust those things would be in conditional access, and I'll show you that in a second. Now I may just want to change it for everyone; more commonly you might leave that, I don't want to just trust everyone from every tenant in the world. There might be particular companies I work with that I do want to trust. So if I look at my onboardtoazure, my inbound and outbound is just inherited from the default, so why do I have a setting? Well, actually, yes, the collaboration is the default, but the trust settings I've overridden. So for my trust settings I am going to trust MFA, I am going to trust compliant devices, I am going to trust hybrid Azure AD join, and you might have whichever combination of these you actually wanted. So what I'm going to do to demonstrate this is I'm going to use two accounts. I'm going to use that john at ntfaq.com I showed you earlier, and I'm going to use john at onboardtoazure.com, so .com, not the .cloud that we blocked; this is .com. And what I created super quickly: I created a group, and that group just has those two users in it. So I've got my members; it's just john at ntfaq.com and john at onboardtoazure.com, both guests. Now I want to stress one thing straight away: neither of these users is configured for MFA in this organization. If I was to go and look at my Usage and insights under Monitoring, and then look at Authentication methods activity, then look at users that are capable of multi-factor authentication, nowhere in this list do you see john at ntfaq.com or john at onboardtoazure.com. The only external user I have is a Microsoft identity; that's it. So neither of the two accounts I'm going to use are configured for MFA in my organization, but what they're going to try and access, if we go to Conditional Access, they're going to try and access Twitter.

And what I've configured is this MFA guest test policy that's applying only to that group that those two users are in, that's applying only to the Twitter application, and my requirement is I require MFA. So that's one of those three things, and here's the other two that I can now choose to trust from other organizations as part of those inbound settings. So I require MFA; neither one of those users is registered for MFA in my organization. Remember, in the past they would have had to have done that. So let's try this then. So let's go and look: so this is my john at onboardtoazure.com. So now if I try and open up myapps.microsoft.com for savilltech.net, there we go, so I'm going to pick my john at onboardtoazure.com, enter my password, now I'll see the apps, and I see Twitter. Remember, Twitter requires conditional access. If I select it, it's thinking, but it's going to require that MFA, and it's then approved the request. But this is requiring the request against my onboardtoazure; it's doing my home one. We can see from the approval it's onboardtoazure, because remember this user is not configured for MFA at savilltech.net. So I've accepted that, and I'm now looking at the app in that tenant. I didn't have to go and register for MFA in savilltech.net; remember, I am not configured for MFA at all in savilltech.net. And actually, something kind of fun while we're in here: so what I'm actually going to do is I'm going to open the developer tools quickly, and if I just now, just to show you something, if I go to portal.azure.com at savilltech.net, remember I've done a strong authentication, if I go and scroll up I can see the payload, I can see my ARM authorization header over here, and there's my bearer token. So I'm just going to copy the value of this, and if we go and look at our token, so this lets me actually have a look at the token, we see some cool stuff. So firstly we see the STS that actually generated the token.

So the STS that generated the token, well, this is the AAD, so ba211445; that's me, that's savilltech.net. So this user from another tenant, this token is being given from savilltech.net, and that's really the important thing here. And if we keep looking at the token, this is the cool part: it has MFA. So the token given to it from savilltech.net has MFA, even though this user isn't registered for MFA, because it's trusting the MFA from the token it got from onboardtoazure.com. And we can confirm that status if we look at the IdP: we'll notice the IdP is this c3319, etc. etc., or c33193; that is the identity of its home Azure AD. So that's why we see that. So that's kind of showing the proof that, hey, it's actually using that; it's using the MFA from my home tenant. Because again, when I go and look at my Usage and insights now, even after I've authenticated, just to prove I didn't do some magic behind the scenes, john at onboardtoazure.com is not listed, but very clearly in my tenant john at onboardtoazure.com has MFA given to it from my tenant. So that's proving that point that we have trusted that configuration, and we've trusted it because in my tenant I have that special configuration that's saying, hey, I want to now trust, for onboardtoazure.com, MFA. That's what's making this happen. And now just to kind of complete the proof, if I now go back to my john at ntfaq.com, remember this wasn't configured, if I go to myapps.microsoft.com for savilltech.net and I want to sign in as john at ntfaq.com, please, so it's going to show me the apps and I'll see Twitter, there we go. When I select it, it's going to be very different; it's going to say we have to MFA, I don't trust MFA from your home organization, so it's going to make me go through MFA registration, because it's not trusting that configuration I have on my home tenant. It's going to, for savilltech.net, you see the logo on the top, it's driving me now through the complete onboarding of MFA. So that's kind of proving the difference between those various things.

And this is really huge. I mean, this is a game changer: this idea now that, hey, great, I can control both directions of collaboration, but the fact that I can now trust, as part of these inbound settings, I can now, if I want, add trust, and I have control of what I want to trust: I can do MFA, I can do compliant device, I can do hybrid Azure AD join. And now when I have conditional access on my tenant, rather than making them double MFA and double register for MFA, it doesn't; I'm just trusting that MFA that's coming from them, and you saw exactly that happening for that onboardtoazure.com user. You saw that they only registered for MFA in their org, but they passed the policy and the token showed MFA that was issued by my tenant. So we saw exactly this in action. So this is huge: hey, I can now control who my users can be added as guests to, and for particular apps, and I can do the inbound better than I could in the past, more granularity, but I can now do that trust. Now if you're wondering where do I start on this, so there's actually a nice workbook. So if I go back over to here for a second, and I just go to my regular Azure AD and look at Workbooks, there's a Cross-tenant access activity workbook, and if I select this it will show me what are the tenants I'm really collaborating with the most. I can see the sign-in activity, I can see the various applications I might be using, I can see number of users, I can see the applications, and I could drill down into these. If I select one I can then go and see the various activities, the data that's happening. So these could be places, hey, I'll go and start with these tenants. So this is a really nice thing to use to actually work out, hey, OK, which tenants do I want to go and give some special attention to.

So that was it. I hope this was useful. I think this is super, super powerful. Again, by default it's going to behave as it is right now, and you may decide to leave those default settings alone, and then for particular organizations, so particular tenants, I could maybe not allow access at all, maybe not allow it in one direction but allow it in the other, and now if they are someone I trust, I collaborate with, I can opt to trust claims they make about their MFA, about their compliance, about that hybrid Azure AD joined, that I configure in my conditional access policies. So that was it. As always, a lot of work goes into these, so a subscribe and like really is appreciated, but until the next video, take care.
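As an added example (not code from the video, from John Savill, or from Microsoft), the following offline Python model captures the decisions the video demonstrates: default settings versus per-organization overrides that inherit when left null, inbound and outbound B2B collaboration checks evaluated at token time, and the inbound trust setting that lets a home tenant's MFA claim satisfy a "require MFA" Conditional Access policy. The dictionaries follow the JSON shape of the Microsoft Graph `crossTenantAccessPolicy` default and partner objects (`/policies/crossTenantAccessPolicy/default` and `/partners`); the evaluation logic is this example's own reading of the behavior described above, and every tenant ID, object ID, application ID and token claim is constructed.

```python
"""Offline model of Azure AD cross-tenant access settings (added example).

Not code from the video or from Microsoft. Dictionaries follow the JSON shape
of the Microsoft Graph crossTenantAccessPolicy default/partner objects; the
evaluation logic is this example's own. All IDs and claims are constructed.
"""
import re

# Constructed tenant IDs: my resource tenant and two partner tenants
MY_TENANT = "aaaaaaaa-0000-4000-8000-000000000001"
PARTNER_BLOCKED = "bbbbbbbb-0000-4000-8000-000000000002"  # like the ".cloud" tenant
PARTNER_LIMITED = "cccccccc-0000-4000-8000-000000000003"  # like the ".com" tenant
COLLAB_GROUP = "group-oid-collab"                          # constructed group object ID


def _rule(access_type, target_type, *targets):
    """crossTenantAccessPolicyTargetConfiguration: accessType plus its targets."""
    return {"accessType": access_type,
            "targets": [{"target": t, "targetType": target_type} for t in targets]}


ALLOW_ALL = {"usersAndGroups": _rule("allowed", "user", "AllUsers"),
             "applications": _rule("allowed", "application", "AllApplications")}
BLOCK_ALL = {"usersAndGroups": _rule("blocked", "user", "AllUsers"),
             "applications": _rule("blocked", "application", "AllApplications")}

# Default settings: out-of-the-box behaviour, everything allowed and nothing trusted
DEFAULT_POLICY = {
    "b2bCollaborationInbound": ALLOW_ALL,
    "b2bCollaborationOutbound": ALLOW_ALL,
    "inboundTrust": {"isMfaAccepted": False, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
}

# Organizational settings; a null (None) property inherits the default
PARTNERS = {
    PARTNER_BLOCKED: {  # no collaboration in either direction
        "tenantId": PARTNER_BLOCKED,
        "b2bCollaborationInbound": BLOCK_ALL,
        "b2bCollaborationOutbound": BLOCK_ALL,
        "inboundTrust": None,
    },
    PARTNER_LIMITED: {  # inbound inherited, outbound only for one group, MFA trusted
        "tenantId": PARTNER_LIMITED,
        "b2bCollaborationInbound": None,
        "b2bCollaborationOutbound": {
            "usersAndGroups": _rule("allowed", "group", COLLAB_GROUP),
            "applications": _rule("allowed", "application", "AllApplications")},
        "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": True,
                         "isHybridAzureADJoinedDeviceAccepted": False},
    },
}


def effective(partner_tenant, key):
    """Partner value when set, otherwise the default (the portal's 'inherit')."""
    value = PARTNERS.get(partner_tenant, {}).get(key)
    return DEFAULT_POLICY[key] if value is None else value


def _permits(cfg, ids, wildcard):
    """'allowed' rules permit only listed targets; 'blocked' rules permit all others."""
    listed = any(t["target"] == wildcard or t["target"] in ids for t in cfg["targets"])
    return listed if cfg["accessType"] == "allowed" else not listed


def inbound_allowed(home_tenant, principal_ids, app_id):
    """Resource-tenant check at token time: may a guest from home_tenant reach app_id?
    principal_ids holds the guest's object ID plus the IDs of its groups."""
    s = effective(home_tenant, "b2bCollaborationInbound")
    return (_permits(s["usersAndGroups"], principal_ids, "AllUsers")
            and _permits(s["applications"], {app_id}, "AllApplications"))


def outbound_allowed(resource_tenant, principal_ids, app_id):
    """Home-tenant check: may my user be used as a guest in resource_tenant for app_id?"""
    s = effective(resource_tenant, "b2bCollaborationOutbound")
    return (_permits(s["usersAndGroups"], principal_ids, "AllUsers")
            and _permits(s["applications"], {app_id}, "AllApplications"))


def mfa_requirement_met(home_tenant, home_token_claims, registered_for_mfa_here):
    """Conditional Access 'require MFA' for a guest: local MFA always counts; the home
    tenant's 'mfa' amr claim counts only when inboundTrust.isMfaAccepted is on for it."""
    trust = effective(home_tenant, "inboundTrust")
    home_mfa = "mfa" in home_token_claims.get("amr", [])
    return registered_for_mfa_here or (trust["isMfaAccepted"] and home_mfa)


_STS = re.compile(r"https://sts\.windows\.net/([0-9a-f-]{36})/")


def explain_guest_token(claims):
    """Read a decoded v1 access token the way the video does in a token viewer:
    which STS issued it, where the identity lives (idp), and whether amr has mfa."""
    issuer = _STS.fullmatch(claims["iss"]).group(1)
    home = _STS.fullmatch(claims.get("idp", claims["iss"])).group(1)
    return {"issued_by": issuer, "home_tenant": home,
            "is_guest": issuer != home, "mfa": "mfa" in claims.get("amr", [])}


# Constructed claims resembling the ARM bearer token inspected in the video
SAMPLE_TOKEN = {"iss": f"https://sts.windows.net/{MY_TENANT}/", "tid": MY_TENANT,
                "idp": f"https://sts.windows.net/{PARTNER_LIMITED}/", "amr": ["pwd", "mfa"]}

if __name__ == "__main__":
    john = {"user-oid-john", COLLAB_GROUP}
    print(inbound_allowed(PARTNER_BLOCKED, john, "app-twitter"))             # False
    print(outbound_allowed(PARTNER_LIMITED, {"user-oid-other"}, "app-x"))   # False
    print(mfa_requirement_met(PARTNER_LIMITED, {"amr": ["pwd", "mfa"]}, False))  # True
    print(explain_guest_token(SAMPLE_TOKEN))
```

The two things worth taking from the model are that a partner entry only overrides the properties it sets (a null inbound or outbound block still falls through to the default, exactly as the portal's "inherit" does), and that the trust decision is keyed on the guest's home tenant, not on the guest: the same `amr` claim from an untrusted partner leaves the user facing MFA registration in the resource tenant.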
Info
Channel: John Savill's Technical Training
Views: 36,727
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, mfaq
Id: Ku64fo7iZ4Y
Length: 33min 14sec (1994 seconds)
Published: Tue Feb 22 2022