What are Azure AD External Identities?

Captions
Hey everyone, in this video I want to talk about a feature that recently GA'd, and that is Azure AD External Identities. At first I was a little bit confused about what this was, because we already have external identities: we have B2B and we have B2C. So what exactly is this new External Identities feature that has GA'd? In this video I'm going to dive into that. First, as always, if it is useful, a like, subscribe, comment and share would be appreciated.

So let's really quickly review what we have today. Today, we have an Azure AD tenant. I have my regular Azure AD tenant that has various accounts. Now remember, those accounts might be synchronized from my AD using things like Azure AD Connect or Azure AD cloud sync, so they would be kind of replicated from the AD. They could be cloud accounts that I create, but this is just a regular Azure AD tenant. Now additionally there are people I collaborate with, partners. These people might have, well, they have their own, maybe Azure AD accounts. It could be a Microsoft account, it could be a Gmail, i.e. Google, it could be a direct federation, it could be maybe a SAML or a WS-Fed, and if it's none of those things I can use a one-time passcode: every time they authenticate, a passcode is emailed to them at that mailbox. And so for all of these things I can add those in, so they get kind of an object in my Azure AD as an external identity, and this is B2B, but these are in my regular Azure AD tenant. Now ordinarily I'm going to send an invite to these people to their email address. All of these things essentially relate to an email address, and then they redeem it. They may have to do some kind of consent. At that point they are just objects in here; I can license them.

Now if I think about Azure AD, there are things like Premium P1, Premium P2 that add things like Conditional Access or MFA or Privileged Identity Management, Identity Protection, a whole slew of capabilities. And the way this works historically is, for every one user I have licensed for a certain SKU in my Azure AD, like P1 or P2, well, five guest users have the right to use that. So if I have 10 people licensed for P1, then I could have 50 people that are guests using those same capabilities. But it's all about that idea that, hey, I invite them and they redeem that.

Now there is something called entitlement management. With entitlement management, what I can essentially do is create these access packages. Now an access package, I can think about, could be: hey, you have access to these groups, you have access to this SharePoint Online, you have access to these applications. And then that has a particular URL, I can have an authorization flow, I can have certain domains automatically whitelisted and they will get approved, and then external people can go to that URL and flow through that to be added as guests and get whatever is associated with that package. So it's kind of an element of self sign-up that I can do with this. So that's what I really think about as the B2B: they're people I'm collaborating with, and again, that entitlement management does enable certain aspects of self sign-up through a certain flow that I can configure.

Then, very separate from that, I might have customers. I'm going to write an app. And again, I should point out, once these are here, all of the same licenses: I can add them to groups, I can give them access to applications and RBAC, all of that applies, they're in my tenant. And very separately from this, I might have customers, and I might think about, well, okay, I want to write a custom app but I don't want the customers in my Azure AD. So we have a completely separate thing, and this is Azure AD B2C. This is a separate object, and then what my customers can do, well, my customers can have a whole set of different social identities, huge numbers of these, or, if they don't want to use a social identity, they can create local accounts in that Azure AD B2C.

Now if we quickly look at this, if I jump over, one of the things we'll actually do, so what I'm going to do here is firstly I'll have to change my tenant to my B2C. And then when I change to my B2C I can see my B2C instance, and then I can see, look at all the different identity providers that are supported through B2C. So if I think about B2B, it gave me things like, okay, yeah, Gmail i.e. Google, a Microsoft account, Azure AD, and that was really it. I have this mass number that I can actually do with B2C. Another huge element of B2C is it kind of talks about this customization from a user experience perspective. There's this idea of kind of customize every pixel: I can completely customize what that onboarding experience looks like, what the CSS style sheets look like, everything, customize everything. I can customize kind of the onboarding flow completely as well, and what the experience, what information we gather, so this huge amount of control about exactly what we do there.

Now one of the things that's interesting about this, for B2C, the way I license this, it's all, like saying, called monthly active users. I don't pay any more for B2C for the number of people in the directory; I just pay for, did they do an authentication that month, and also I pay additional for MFA. And so if we actually go and look at the pricing for this, so we'll jump over here, now actually notice that the wording is interesting: it doesn't say B2C anymore, which is kind of a hint of what's coming, it just says External Identities. But then we see it's all about, hey, these monthly active users, and we get our first 50,000 free. So here I can see, hey, the first 50,000 I pay nothing for, and then I pay for more than 50,000, and then very separately I pay for each time there is an MFA attempt. And remember for B2C I'm using kind of SMS phone-based multi-factor authentication. So it's built based on just those monthly active users, and then if there's MFA. So that's really that key point around the B2C: like this great customization, this massive number of social identities that I can support through there.

So okay, so what's External Identities, what's this newer thing that's GA'd? So if you think about today there's kind of Azure AD B2B and Azure AD B2C. If I think about External Identities, well, it's really an umbrella. I can't draw an umbrella, that looks like a bat or something, but it's encompassing both of those features now. So these kind of roll up now under External Identities. So it's a new family, in a way, that's going to encompass the functionality of Azure AD B2B and B2C. So that's what it is. However, with the introduction of External Identities we're getting some very new, nice things on this side of the house, on the B2B, and that's what I'm going to kind of walk through.

Now the first thing we have to do to really start seeing these nice things is we have to enable this new self user sign-up capability in my Azure AD tenant. So what we're going to do is, I'm going to jump over and quickly close this down, I'm going to go back over to my Azure AD, and so we have to kind of turn this on first. So I go to my External Identities area. So if I jump back for a second, that was too quick, so I'm over here looking at External Identities in that Manage menu, and then under my External collaboration settings we have this "Enable guest self sign up via user flow", so I've set that to on. Now as soon as I do that, it opens up a bunch of new functionality, but also it's going to go ahead and add its own app registration. So if I go and look at all my app registrations, it adds one called aad extensions app, and notice it's saying do not modify; this is kind of used by Azure AD. So what we're going to have the ability to do is kind of add these custom attributes to, now when I have these guests onboard, it has to store those somewhere. So when I enable those sign-in user flows it creates that app, because that app is going to be used to support these new custom attributes.

But before I get to that, today we have these as these kind of guest accounts, these IdP providers. So what External Identities is adding is Facebook. Now that's today; I think what we're going to see over time is, right now there's this whole number of B2C social identities supported, but only in B2C. Over time I'd expect more and more of those to start showing up in just regular Azure AD B2B, but the first one is Facebook. Now I can't just add that just like I would a normal guest, I can't just invite it, because remember all of these have an email address. Well, a Facebook as such doesn't have an email address; I can't just email a Facebook account. It might be associated, and so the sign-up process here is, I have a custom application. So I've created my app and I've kind of registered it to my Azure AD, and what I'm now going to do is essentially enable that user self sign-up via my app. So this Facebook B2B is not just a general B2B type; I need to enable it via an app user self sign-up.

So if I can actually go and look at my Azure AD tenant again, so we saw that app registration. If I go back to my External Identities and now look at All identity providers, you'll see you have this option to add Facebook. Now I've done it already, which is why you can see Facebook now as one of my identity providers, and all you have to do is really, like when you added Google, I'm going to go to Facebook as a developer, I create a new application, it's going to give me an app ID and a secret, and what I'm going to do is add that to my Azure AD, and that's really it. So now Facebook is available to me as an identity provider. Now once the user goes through that self sign-up they're now just a regular guest in my Azure AD. I have one of these, so I actually created a special Facebook user, and if I look at my users now we can actually see I've created someone called Clark Wayne. So I've got Clark Wayne, and you'll notice the identity issuer is Facebook, and you'll also notice the creation type is self-service sign-up. It wasn't an invitation; it went through a self-service sign-up. So I now actually have a guest that's using Facebook as that identity provider. So that is an option for me now; I have that capability. Okay, great.

Another thing that I get added now with these External Identities is the ability for these attributes to actually have custom kind of attributes, so go ahead and add things I care about for my application. Maybe I'm, now remember these are still people I'm collaborating with, partners. I still don't want to put, probably, regular customers in my Azure AD, but you might start to think, over time, as I get more and more features, rather than having to create a B2C I could just create a separate Azure AD instance. I think there's kind of a move towards that kind of model. So now if I go and look at my Azure AD and now go to my External Identities, we have these Custom user attributes as an option. Now as soon as I turned on that self sign-up, which you have to do first to be able to add Facebook as well, it adds a whole bunch of them, but I added shirt size. So I added this custom user attribute and it's just a string, but it's now available to me, and what will happen is when a user actually signs up, that's now an extension attribute that they can populate.

Now the way it's stored, and that's why we had that special app: it gets stored as an extension attribute in that application that it added for me. So remember those app registrations, remember that aad, notice that application client ID. So what actually happens is the value for my custom attributes gets stored under this app ID, and the way it's actually going to work is it's going to get stored as a value called extension, underscore, the application client ID minus the little dashes, underscore, the name of the custom attribute, i.e. shirt size. And I can show you that if I go over to Graph Explorer. I've populated a query, so I'm looking for user type is guest, I'm filtering where the mail is clark facebookoutlook.com, and then what I'm selecting from here is just the user principal name, then the mail, and then notice I'm getting the extension underscore the app ID underscore shirt size. If I run that, there at the bottom we can see, hey, when I registered I said my shirt size was XL. So those custom attributes I add, I can now get from my application using the regular, just Graph API. I don't have to do anything else. It's not just available, I can write those, I can read them, they're available to me. So now I have these custom attributes. Fantastic.

Well, how do I get those in when a user onboards? So then the next part of this is this part here: External Identities adds this customized user flow. So a user flow lets me say, well, what information do I want and which social identities do I want to allow as part of this user flow? So if we jump back over again, and this time I'll go to, once again, my External Identities, now I can look at User flows. Now I could just create a new one quickly, and notice all it's going to ask me is which identity providers do you want to support: Google, Facebook, Microsoft account. And then which attributes do you want? It's showing me some built-in ones, but then I can add additional ones, for example shirt size, which is kind of that one that I custom added. So I'm saying, when someone onboards through that self sign-up, what do I want them to fill in, and then I would just hit Create. Now I've done that already, and once you hit Create I can go back and look at it again. So I've created one already, and then I can actually customize it. For example, I could customize the page layout. So by default the order of these values might not make sense, so I might move, well, I want given name and surname first, then city, then shirt size last. Like, I can move these up, I can move them down. Also I can change the type. So shirt size originally was just a text box, but I changed it to a type of radio single select, and then I just entered in values I want them to be presented with when they go through the sign-up. So I've got small, medium, large, extra large, and what we store in that custom attribute is S, M, L or XL, and that's it.

So now I have a user flow, and that really brings it all together, because that user flow obviously is using, well, it's using the identity provider I added, i.e. Facebook, it's using those custom user attributes, i.e. shirt size, and the last thing I do is I just link it to an application. So I went ahead and actually created a SavillTech External ID sample app. So I just click Add app and then select the application I want to tie to this user flow. Now for that sample application, all I did was I went and did a new registration, I gave it a name, I selected, hey, I just want accounts in this organization, and then I just did localhost:3000, I'm going to use a Node.js file, that's it. But I don't have to enter anything yet, I can just hit Register. Once you hit Register you can actually go in and say, hey, help me out, so I can do Quick start and it will help me build an application. So what I did was a single page application, I did a JavaScript implicit flow, and it will actually set it up for you. So notice it says, hey, look, your application is already configured with the required attributes. That's because I've done this on this app already, but if not there'd be a button I could click that would go ahead and make the changes: it would set the redirect to the correct value and it would enable the implicit grant. If I actually go back to the overview you can see, hey, look, I have a redirect URI up here and it populated localhost for me, and it set up the implicit grant flow value. So it did everything for me, and then that quick start just has a file you download. So after it's made those changes you download the sample code and you can just run the thing, and then obviously I've got an app ID; that's what I go ahead and link to the user flow.

So let's actually take a look and see this kind of all the way through. Now what I'm going to do first is, if we actually go back to my Azure AD, I've already added that Facebook user, but to demo the process I'm going to delete it, so it now becomes an unknown user again when I try and use it. So that's gone. So now if we jump over, this is that little sample app I created. You can see it's kind of running using Node.js. So I'm going to say, hey, I want to sign in. So it's going to say, what account do you want to sign in with? So I'm going to say use another account. Now notice at this point, because of the app, it's hooking into that Graph and that user flow, and it's showing me the identity providers I selected in that user flow. So I've selected one of these could be Facebook. At this point it's saying, okay, well, what Facebook, and because I'm already signed in as that Clark Facebook account it's saying, well, it's not previously used, you want to sign up for an external account now in this Azure AD tenant? Well, yes please, I do. So now it wants to just quickly verify my email address, so I'm just gonna put in an email address that I'm associating with this. It's just gonna send a verification code to that mailbox. So if I go over here, what I should hopefully see, here we go, is tiny, tiny text that I can't read because I'm too old, but it put in a code, and I will put in, there we go, put in the code, verify. And at this point it's going through, remember that user flow, I had fields and I put them in an order. So because I put them in a nice order: which name first, okay, then city, well, I did Metropolis, what is your shirt size, and to prove it's kind of using the values I'll do large instead of extra large. Clark has been working out. Continue, and that's now going to go ahead. I don't need that for now, and I mean I could kind of see my profile, and there's kind of that very basic information. If I jump back over now and refresh again, well, there's Clark Wayne, back again, and you can see once again it's kind of that Facebook and the self-service sign-up. Now remember I did change the shirt size to large, so this custom attribute, if I run it again, because it's the same Facebook account so nothing's changed about the email, well, now it says large. And I could just as easily do kind of a port, I could change that size.

So hopefully that demonstrates kind of that whole flow. So I have these user flows that I can associate those kind of custom attributes with, I associate the user flow with an application, and also the identity providers I add to that user flow. So now as a partner, someone I'm collaborating with, I've written this application, I want my partners to be able to actually go in and kind of do that self sign-up process. Well, now they can. Now I could then maybe send, like, dynamic groups to automatically add these people to certain groups, to provision them with certain things, but there's no flow to do that out of the box today; I would have to kind of go and add that. So that's kind of the major thing when I think about what External Identities is doing for B2B today: it's adding Facebook as a social identity I can now have for B2B, it's adding these custom attributes, and it's adding these customized user flows that bring those things together, that I associate with an app, to now make it easier for people to onboard and actually hook into my Azure AD. Remember, Azure AD, I could already customize kind of the branding and the text, and you kind of saw that, the SavillTech and the various things.

There is one other thing that I can today optionally do. Remember this one-to-five licensing: I might want more guests than that, and so that's kind of prohibitive for me. So one of the things I can also do now with these External Identities is I can move to that same monthly active users and MFA, and the way I do that is I essentially associate my Azure AD tenant with a certain Azure subscription for the kind of billing purposes of that, and that's super easy to do. So I would just go over to my tenant, and then if I go back to my External Identities, I have Linked subscriptions over here, and I've done it already. It keeps undoing, I don't know what I'm doing wrong, so it says not linked. So I would select it, I would say link subscription, I can pick a certain resource group, so for example this one, I'm changing it to monthly active users and hit Apply, and now it's linked. So now I'm moving, instead of doing that kind of one-to-five licensing, it's now going to use those monthly active users, and from a billing perspective, well, it's the same as what we saw for B2C now. And there's no more concept really of the one-to-five: I could only have one P2 license, where now I could have 50,000 guest users using P2 capabilities, Conditional Access, PIM, Identity Protection. Bear in mind the MFA is billed separately, so I'm still going to get that charge on top of the free for 50,000, each time there is an MFA performed. And basically for most customers that 50,000 free is going to be way more than they currently have the rights to. Now whether you're P1 or P2 is going to depend on your Azure AD tenant: whatever the highest license you have in your tenant, that's what they'll be. So you can see my Azure AD tenant in my overview is licensed for P2, because I have P2 licenses in my tenant, so that is what all those guests will essentially have. Right, so I don't have to give them a license, there's no concept of that, I now just leverage that automatically.

And so that today is really what External Identities is all about. It's the umbrella for Azure AD B2B and B2C, because they're both types of external identities. It's adding new features today to B2B, with the new Facebook as kind of one of those things I can B2B with, the new custom attributes, the user flows that bring those together for my apps. Again, Facebook, I can only do that sign-up via a particular app user sign-up; I can't just invite a Facebook user. I can also change to the monthly active user licensing. B2C is not going anywhere, that's still there. Again, if it's for my customers, I don't want them in my Azure AD, I want to support far more different types of social, those local accounts, fantastic, carry on using B2C, that's what it's there for. But that is what External Identities is: it's that umbrella for them, and that's about it. I hope that was useful, and until next time, take care.
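The extension-attribute naming and the Graph Explorer query described in the video, as an added Python example that is not the video's own code: it derives the property name from the extensions app's client ID, builds the guest query, and lists self-service sign-up guests with their identity issuer and custom attribute from a constructed sample response (the placeholder client ID, the attribute name shirtSize and the sample response are assumptions).

```python
"""Added example (not code from the video): derive the Microsoft Graph
extension-property name that External Identities uses for a custom user
attribute, build the guest query the video runs in Graph Explorer, and
summarise which guests arrived through self-service sign-up.

Assumptions, not on the page: the placeholder client ID, the attribute name
'shirtSize', and SAMPLE_RESPONSE, which is constructed so this runs offline."""
import re
from typing import Dict, List, Optional
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Placeholder for the client ID of the extensions app registration the
# portal created when self sign-up was enabled (use your tenant's real value).
EXTENSIONS_APP_ID = "00000000-0000-0000-0000-000000000000"


def extension_property_name(app_client_id: str, attribute: str) -> str:
    """extension_<client ID without dashes>_<attribute>, as the video describes."""
    if not GUID_RE.match(app_client_id):
        raise ValueError("app client ID must be a GUID")
    return f"extension_{app_client_id.replace('-', '')}_{attribute}"


def build_guest_query(app_client_id: str, attribute: str,
                      mail: Optional[str] = None) -> str:
    """Graph /users URL: guests only, optionally one mailbox, selecting the
    fields needed to review a sign-up plus the custom attribute."""
    prop = extension_property_name(app_client_id, attribute)
    odata_filter = "userType eq 'Guest'"
    if mail:
        safe_mail = mail.replace("'", "''")  # OData escapes a quote by doubling it
        odata_filter += f" and mail eq '{safe_mail}'"
    select = ",".join(["userPrincipalName", "mail", "creationType",
                       "identities", prop])
    return f"{GRAPH}/users?$filter={quote(odata_filter)}&$select={quote(select)}"


def self_service_guests(response: Dict, app_client_id: str,
                        attribute: str) -> List[Dict]:
    """Rows for guests whose creationType is SelfServiceSignUp (the user-flow
    path rather than an invitation), with the federated issuer that vouched
    for them and the value they supplied for the custom attribute."""
    prop = extension_property_name(app_client_id, attribute)
    rows = []
    for user in response.get("value", []):
        if user.get("creationType") != "SelfServiceSignUp":
            continue
        issuers = sorted({i["issuer"] for i in user.get("identities", [])
                          if i.get("signInType") == "federated" and "issuer" in i})
        rows.append({"upn": user["userPrincipalName"], "mail": user.get("mail"),
                     "issuers": issuers, attribute: user.get(prop)})
    return rows


SHIRT_PROP = extension_property_name(EXTENSIONS_APP_ID, "shirtSize")
SAMPLE_RESPONSE = {  # constructed; mimics the shape of one Graph /users page
    "value": [
        {"userPrincipalName": "clark_example.com#EXT#@contoso.onmicrosoft.com",
         "mail": "clark@example.com", "creationType": "SelfServiceSignUp",
         "identities": [{"signInType": "federated", "issuer": "facebook.com"}],
         SHIRT_PROP: "L"},
        {"userPrincipalName": "ann_fabrikam.com#EXT#@contoso.onmicrosoft.com",
         "mail": "ann@fabrikam.com", "creationType": "Invitation",
         "identities": [{"signInType": "federated", "issuer": "mail"}]},
    ]
}

if __name__ == "__main__":
    print(build_guest_query(EXTENSIONS_APP_ID, "shirtSize", "clark@example.com"))
    for row in self_service_guests(SAMPLE_RESPONSE, EXTENSIONS_APP_ID, "shirtSize"):
        print(row)
```

Against a live tenant the same URL is sent with a bearer token that has User.Read.All, and paging (`@odata.nextLink`) is followed before summarising.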
Info
Channel: John Savill's Technical Training
Views: 11,568
Keywords: azure, azure cloud, azure ad, b2b, azure ad b2b, azure ad b2c, guest accounts, external identities, facebook, user flows, self-service
Id: 9P10hgPDRZg
Length: 28min 43sec (1723 seconds)
Published: Tue Mar 23 2021