Access Management 2

Natasha Ong
4 min read

In a nutshell:

Microsoft Entra External ID allows you to manage identities for users outside your organisation, such as customers or partners.
Conditional Access in Microsoft Entra ID allows you to set policies that determine under what conditions users are granted access to specific resources. These policies can be based on various factors, including user identity, device health, location, and more.

Microsoft Entra External ID

Imagine you're making an account for something online, and it turns out you don't have to enter an email and make a new password - you can just sign up with your Google or Facebook profile.

Does this sound familiar? If you've seen this before, that's External Identities at work!

An external identity is any person, device, service, or other entity that exists outside your organisation.

Microsoft Entra External ID is all about securely interacting with users outside your organisation's boundaries.

Whether you're looking to collaborate with partners, suppliers, distributors, vendors, or you're a developer making consumer-facing apps, this is where you manage it all.

Hmmm, but what about single sign-on (SSO)?

External ID opens the doors for external users. In comparison, SSO is a great tool for internal users to access multiple apps in your organisation with one username and password.

What are the specific features?

  • External identity providers: External ID opens the doors for external users to "bring their own identities." Users can log in with their existing credentials from other identity providers (e.g. social identity providers like Google and Facebook, or enterprise identity providers similar to Entra ID).
  • Access control and security: You can manage access to your apps and services by setting policies and security measures. This will make sure external users' access is secure and compliant with your organisation's requirements.
  • Multi-factor authentication
  • Customisation and branding: You can customise the user interface and branding of the login and registration experiences to align with your brand's look and feel.
  • User self-service: External users can reset their passwords, recover their accounts, and handle other account management tasks on their own (without needing to call your IT team).
  • Reports and analytics: You have access to reports and analytics to monitor usage, sign-in activities, and other metrics related to external identities.

How can I use Microsoft Entra External ID?

  • Business to business (B2B) collaboration: Collaborate with external users, letting them use their preferred identities to sign in. These external users are often shown as guest users in your directory.
  • B2B direct connect: Establish a two-way trust with another Entra ID organisation for seamless collaboration. Have you ever used Microsoft Teams? B2B direct connect has a feature called Teams shared channels, which lets you connect and collaborate directly on files with other companies.
  • Entra ID business to customer (B2C): Entra ID B2C is specifically designed for consumer-facing apps and services, such as e-commerce websites or mobile apps. Azure AD B2C's features include managing user registration, login and profile customisation, and it provides a strong base for security and user privacy.

Conditional Access

Conditional Access helps companies figure out whether a user trying to sign in is someone they can trust.

When a user tries to sign in, Conditional Access collects real-time identity signals from the user. These identity signals can include who the user is, the app they're trying to access, their location, and the device they're using. It then makes decisions (called enforcements) based on these signals: allow access, deny access, or ask the user for multifactor authentication.

How can I use Conditional Access?

Conditional Access is a handy tool when you need to:

  • Require multifactor authentication (MFA): You can make MFA a must for some users, depending on their role, location, or network. For example, administrators might need to pass MFA, but regular users might not. It could also be required for users connecting from outside your corporate network.
  • Control approved applications: You can limit which applications are allowed to access your services. For example, you could specify which email clients (e.g. Apple Mail, Outlook) can be used to log into an employee's company email.
  • Control managed devices: You can set rules that say users can access certain applications only if they're using approved devices that meet your security and compliance standards.
  • Block access from untrusted sources: Conditional Access can automatically block access from unknown or unexpected locations.
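To make the signals-to-enforcement idea concrete, here is an added example (not code from the original post or from Microsoft) that evaluates sign-in signals against a small set of policies written in the shape the Microsoft Graph conditionalAccessPolicy resource uses. Readable names stand in for the GUIDs the real API expects for users, roles and apps, and the signal fields (user, roles, app, location, trusted_location, mfa_done, device_compliant) are an assumed simplification of what Entra ID actually collects.

```python
# Added example, not from the original post: a simplified evaluator for Conditional
# Access policies in the shape Microsoft Graph uses (conditions -> grantControls).
SATISFIED = {"mfa": "mfa_done", "compliantDevice": "device_compliant"}
POLICIES = [  # constructed sample policies; names replace the GUIDs the real API expects
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["Global Administrator"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block untrusted locations", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Compliant device for mail", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Exchange Online"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]

def policy_applies(policy, s):
    # Does the sign-in signal s (user, roles, app, location) fall inside the conditions?
    c = policy["conditions"]
    users, apps, locs = c["users"], c["applications"], c.get("locations", {})
    inc_users = users.get("includeUsers", [])
    user_hit = ("All" in inc_users or s["user"] in inc_users
                or any(r in users.get("includeRoles", []) for r in s["roles"]))
    if not user_hit or s["user"] in users.get("excludeUsers", []):
        return False
    if not ("All" in apps["includeApplications"] or s["app"] in apps["includeApplications"]):
        return False
    inc, exc = locs.get("includeLocations", ["All"]), locs.get("excludeLocations", [])
    if not ("All" in inc or s["location"] in inc):
        return False
    # "AllTrusted" in the exclusion list carves out the tenant's trusted named locations
    return not (s["location"] in exc or ("AllTrusted" in exc and s["trusted_location"]))

def evaluate(s, policies=POLICIES):
    # Policies combine: any applicable block wins, otherwise every grant control must be met.
    applied, missing = [], set()
    for p in policies:
        if p["state"] != "enabled" or not policy_applies(p, s):
            continue  # disabled and report-only policies are never enforced
        applied.append(p["displayName"])
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls:
            return {"decision": "block", "applied": applied, "missing": []}
        missing.update(ctl for ctl in controls if not s.get(SATISFIED[ctl], False))
    return {"decision": "require" if missing else "allow",
            "applied": applied, "missing": sorted(missing)}
```

The report-only policy shows up in nothing but a real tenant's sign-in logs; switching its state to "enabled" is what turns it into an enforcement.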