Azure AD B2B direct federation, one-time passcodes and more coming soon.

There was a great session on Ignite showing what is coming next on Azure AD B2B. Here are the facts that, I assume, you can’t await to have it in your tenant.

This are the 5 new features I will talk about:

  1. Azure B2B Direct Federation
  2. One-time Passcodes
  3. Guest Access Reviews (new enhancements)
  4. Entitlements and Access Requests
  5. Admin consent for guests

1.Azure B2B Direct Federation

It’s just some weeks ago that the Google federation was announced, but shortly (speaker says some month) you will have Direct Federation with any SAML or WS-Fed identity provider (like ADFS or similar)

This feature is currently in Private Preview so it maybe will be public shortly


2.One-Time Passcode access

There might be some partners or individuals you may collaborate with that don’t have an IT department (small organizations or self-employed people), or even are not able to federate in any case with you.

Currently for those if they don’t have an Azure AD tenant (or Google account) they will be forced to create an MSA (Microsoft Account).

Bad thing on that is, when they leave their company and don’t have access any more, those users can still access your resources because of that additionally created MSA (Seperate account with seperate password).

You may have heard about a “Code round-tripping” so I assume that new One-Time Passcode authentication is the implementation of that.

Every time such a B2B guest will access your resources, an OTP (One-time password/code) is send to their email address to authenticate. As soon as the users looses access to their company mail account no further access is possible any more.

Much better than an MSA in my opinion.

This feature is currently in Private Preview so it maybe will be public shortly



3.Guest Access Reviews (enhancements)

This feature is currently already GA (requires of course a AAD P2 license, but only for the users that do the review, not all reviewed users)
See: Azure AD Access Review Requirements

But there will be some enhancements in the near future. You will be able to not only remove users from groups or revoke application access, in addition you will be able to disable or even remove B2B guest accounts.



4.Entitlement Management and Access Requests

I already blogged about this here, but here are the key-points again:

  • Self-service and business driven sign-up of guests.
  • Guests can request access and gets auto-invited if needed.
  • Auto-approval for defined domain/tenants
  • Approvals, Guest lifetime and life-cycle, and more

This feature is currently in Private Preview so it maybe will be public shortly



5.Admin consent for guests

This is one of the most requested features and you may heard of that already as “tenant friending” or also “tenant trusts“.

Admins of the source tenant can consent on behalf of all their users for a specific destination tenant (where the users should get access to resources) and the admins of the destination tenant can skip the consent page for users from a specific tenant.

So, this is like the good old 2-way trusts of the on-Premises AD, right ?

With that users will get an seamless login to both tenants. A very useful feature in the following to scenarios:

  • Organizations that work closely with partners and already have other forms of consent or contracts in place and not every user should consent on his own.
  • Organizations that may have multiple companies with multiple tenants (as a destination or migration scenario) where users don’t need to consent on the terms of their own company.

This feature is currently in Private Preview so it maybe will be public shortly


So, there a lot coming the next few month, so have a look on the announcements.

If you want to see some demos of the upcoming new features take a look at this Ignite session:

Author: Peter Stapf

Senior Consultant Identity and Access

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.