Azure Identity And Access Management Part 17 – Azure Active Directory – Business-to-Business (B2B) And Guest User 5 – Configure Conditional Access Policy And Multi-Factor Authentication (MFA) For Guest User
Hope you are all safe and doing well!
In our last post, we discussed how to configure Google federation for B2B users in detail, with an example. In this article, we continue the Azure AD Business-to-Business (B2B) and Guest User series and discuss how to configure a Conditional Access policy that requires Multi-Factor Authentication (MFA) for guest users.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Multi-Factor Authentication (MFA) For Guest User :
Multi-factor authentication (MFA) is an Azure AD feature that prompts the user for an additional form of identification during sign-in. Because the additional factor is something the user has or is, rather than something they know, a stolen or guessed password alone is no longer enough to get in.
When we share information with B2B guest users, it is a good idea to protect our apps with multi-factor authentication (MFA) policies. External users will then need more than just a user name and password to access our resources. In Azure AD, we achieve this with a Conditional Access policy that requires MFA for access. Note that even if the guest's home tenant already enforces MFA, our tenant does not trust that claim by default, so the guest is asked to register and complete MFA in our tenant as well.
Exercise Lab :
As this article is about guest users, we need a valid guest user email account and access to an Azure AD Premium edition (Conditional Access requires an Azure AD Premium P1 or P2 license). In our previous articles we covered many guest user topics, such as how to add a guest and how to configure the different features that support B2B guest users. MFA is another service that supports B2B collaboration. Without further delay, let's go through the following steps to complete our exercise.
Step 1 – The first step of this exercise is to invite a guest user and ask the guest to check their access after redeeming the invitation. Log in to the Azure portal and go to Azure Active Directory > Users > +New guest user, as we did in previous articles and as shown in the following figure.
Step 2 – As shown in the following figure, provide the details of the B2B guest user and click Invite.
Step 3 – After the invitation is sent, the guest user receives an invitation mail and needs to redeem it by clicking the Accept Invitation link, as shown in the following figure.
Step 4 – After redemption, for testing purposes, we sign in to the portal as the guest user. We see that the guest user can access the portal without going through any MFA process. This is the baseline we want to change.
Step 5 – Now let's configure MFA for B2B guest users so that the guest has to pass MFA before successfully signing in to the Azure portal. Sign in to the Azure portal as a Global Administrator (or Conditional Access Administrator), because we need to create a Conditional Access policy in Azure AD to achieve this. Go to Azure Active Directory > Security > Conditional Access, as shown in the following figure.
Step 6 – As shown in the following figure, click +New policy on the Conditional Access policies page.
Step 7 – Now we can configure a new Conditional Access policy. Conditional Access policies can be granular and specific, with the goal of letting users be productive wherever and whenever while still protecting the organization's resources.
In this example we will walk through all the available options but configure only a basic policy that requires MFA. First, give the policy a meaningful name.
Next select the Assignments section. As we can see in the following figure, there are two options, Include and Exclude; we are using Include here. There are several ways to scope the assignment. For our requirement we select All guest and external users, so that every guest and external user has to go through MFA. Along with external users, we can also include specific users, as shown in the following figure. It is good practice to use Exclude for at least one emergency-access (break-glass) account, so that a misconfigured policy cannot lock every administrator out.
Step 8 – Next select the Cloud apps or actions section of the policy. Here we configure which cloud apps or user actions the policy applies to, as shown in the following figure. For the test at the end of this article to prompt for MFA on the Azure portal, the selection must cover the portal, either All cloud apps or the Microsoft Azure Management app.
Step 9 – Once the Cloud apps or actions section is done, the next one is Conditions. Here we can restrict when the policy applies, for example by sign-in risk, device platform, location or client app. As this article is about MFA, I am not going into the details of this section, but the following figure shows all the available conditions.
Step 10 – The next part is Access controls. There are two options under it, Grant and Session, and we must configure at least one of them before the policy can be created. Let's take the Grant section first.
As shown in the following figure, this section offers many options to either Block access or Grant access with requirements. For our requirement we only need to select Require multi-factor authentication. Have a look at the other options if you want to know more about this section.
The second section of Access controls is Session. In this exercise we do not have to configure this section, but to understand it, let's look at its four options:
- Use app enforced restrictions
- Use Conditional Access App Control
- Sign-in frequency
- Persistent browser session
The first option is Use app enforced restrictions. This option is disabled for me, because currently it works with Exchange Online and SharePoint Online only. It passes device information to the application so that the app itself can grant full or limited access accordingly.
The second option is Use Conditional Access App Control. When we choose this option, the policy uses signals from Microsoft Cloud App Security to take the following actions:
- Block download, cut, copy, and print of sensitive documents.
- Monitor risky session behavior.
- Require labeling of sensitive files.
The third option is Sign-in frequency. It lets us change the default sign-in frequency for modern authentication, that is, how often the user is asked to authenticate again.
The fourth option is Persistent browser session. It controls whether users remain signed in after closing and reopening their browser window.
Step 11 – Please be careful before you follow this step and make sure you are not denying access to any important account. I made this mistake once, so be careful. A safer approach is to set Enable policy to Report-only first, review the sign-in logs to see which sign-ins the policy would have affected, and only then switch it to On. For this exercise, set Enable policy to On and click Create, as shown in the above figure. We can then check whether the new policy was created successfully, as shown in the following figure.
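The same policy that Steps 5 to 11 build in the portal can be expressed as a Microsoft Graph `conditionalAccessPolicy` body and created with one POST, which is how you would keep it in source control and review it before it is enforced. The following Python is an added example for this article, not code from the original post: the policy name is illustrative, the default state is Report-only rather than the On setting used in Step 11, the cloud-app scope defaults to All cloud apps, and `create_policy` assumes a bearer token that carries the `Policy.ReadWrite.ConditionalAccess` scope (see the Graph reference for the full permission set). `lint_policy` encodes the warning from Step 11: it flags policies that block or target all users without any excluded break-glass account, or that go straight to enforced.

```python
"""Build, sanity-check and (optionally) create the guest-MFA Conditional Access
policy through Microsoft Graph.

Added example for this article, not code from the original post. Assumptions
are marked in comments: the display name is illustrative and the token passed to
create_policy is assumed to carry Policy.ReadWrite.ConditionalAccess.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Well-known literals accepted by the Graph policy schema.
ALL_USERS = "All"
GUESTS_OR_EXTERNAL_USERS = "GuestsOrExternalUsers"  # the "All guest and external users" option
ALL_CLOUD_APPS = "All"                                 # the "All cloud apps" option
REPORT_ONLY = "enabledForReportingButNotEnforced"      # the "Report-only" toggle


def build_guest_mfa_policy(display_name, exclude_user_ids=(), state=REPORT_ONLY,
                           include_apps=(ALL_CLOUD_APPS,)):
    """Return the Graph JSON body mirroring the portal steps:
    Assignments -> Include 'All guest and external users' (plus optional exclusions),
    Cloud apps  -> All cloud apps unless told otherwise,
    Grant       -> Require multi-factor authentication.
    State defaults to Report-only so the policy can be observed before enforcing it."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": [GUESTS_OR_EXTERNAL_USERS],
                "excludeUsers": list(exclude_user_ids),   # break-glass account object IDs go here
            },
            "applications": {"includeApplications": list(include_apps)},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy):
    """Return warnings for the lock-out mistakes Step 11 cautions about."""
    warnings = []
    users = policy.get("conditions", {}).get("users", {})
    include = users.get("includeUsers", [])
    exclude = users.get("excludeUsers", [])
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if "block" in controls and not exclude:
        warnings.append("Blocks access with no excluded account: add a break-glass account to excludeUsers.")
    if ALL_USERS in include and not exclude:
        warnings.append("Targets All users with no exclusions: every administrator, including you, is in scope.")
    if "mfa" not in controls and "block" not in controls:
        warnings.append("Neither mfa nor block is required: the policy grants access without an extra factor.")
    if policy.get("state") == "enabled" and ALL_USERS in include:
        warnings.append("Enforced against All users: run it as enabledForReportingButNotEnforced first.")
    return warnings


def create_policy(access_token, policy):
    """POST the body to Graph and return the created policy (it includes the new id)."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_guest_mfa_policy("Require MFA for guest users")  # illustrative name
    print(json.dumps(body, indent=2))
    for warning in lint_policy(body):
        print("WARNING:", warning)
    # created = create_policy("<access token>", body)  # run only with a real token
```

Passing `state="enabled"` reproduces the On setting from Step 11 once the Report-only sign-in data looks right; passing the object IDs of one or two emergency-access accounts in `exclude_user_ids` is what keeps the lint clean when a policy is later broadened from guests to all users.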
Testing MFA configuration :
Step 12 – So far so good! Now it is time to test our configuration. In an incognito window I sign in to the Azure portal with my B2B guest user and, as shown in the following figure, the message More information required appears. Click Next to proceed.
Step 13 – As shown in the following figure, the portal asks the guest to complete the Multi-Factor Authentication (MFA) process before the sign-in can proceed.
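One interactive sign-in proves the policy works for one guest; the Azure AD sign-in logs show whether it works for all of them. Each entry in `GET /v1.0/auditLogs/signIns` records the user type, the highest `authenticationRequirement` reached and, per Conditional Access policy, whether it applied, was enforced or ran in Report-only. The following Python is an added example for this article, not code from the original post: the sample records are constructed to match the Graph `signIn` shape and are not real tenant data, the policy name is the illustrative one used above, and the query helper filters only on properties the sign-ins endpoint is documented to support.

```python
"""Classify Azure AD sign-in log entries to verify the guest MFA policy.

Added example for this article, not code from the original post. The records
below are constructed in the shape of Microsoft Graph `signIn` objects; the
field names are Graph's, the values are made up.
"""
from urllib.parse import quote, urlencode

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
POLICY_NAME = "Require MFA for guest users"  # illustrative name from the earlier steps

# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = [
    {   # guest, MFA enforced by our policy: what Step 13 shows
        "userPrincipalName": "guest1_gmail.com#EXT#@contoso.onmicrosoft.com",
        "userType": "guest", "appDisplayName": "Azure Portal",
        "conditionalAccessStatus": "success",
        "authenticationRequirement": "multiFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success", "enforcedGrantControls": ["Mfa"]}],
    },
    {   # guest, policy still in Report-only: would have required MFA but did not
        "userPrincipalName": "guest2_outlook.com#EXT#@contoso.onmicrosoft.com",
        "userType": "guest", "appDisplayName": "Azure Portal",
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "reportOnlySuccess", "enforcedGrantControls": ["Mfa"]}],
    },
    {   # guest, app outside the policy's cloud-app scope: the Step 4 baseline
        "userPrincipalName": "guest3_gmail.com#EXT#@contoso.onmicrosoft.com",
        "userType": "guest", "appDisplayName": "Some SaaS App",
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "notApplied", "enforcedGrantControls": []}],
    },
    {   # member, out of scope of a guests-only policy
        "userPrincipalName": "admin@contoso.onmicrosoft.com",
        "userType": "member", "appDisplayName": "Azure Portal",
        "conditionalAccessStatus": "notApplied",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [],
    },
]


def classify_guest_signin(record, policy_name=POLICY_NAME):
    """Return 'member', 'mfa', 'report_only' or 'single_factor' for one sign-in entry."""
    if record.get("userType") != "guest":
        return "member"
    if record.get("authenticationRequirement") == "multiFactorAuthentication":
        return "mfa"                      # MFA was required, by our policy or another one
    for applied in record.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name and applied.get("result", "").startswith("reportOnly"):
            return "report_only"          # policy matched but is not enforced yet
    return "single_factor"                # guest got in on a password alone: investigate scope


def guest_signins_without_mfa(records, policy_name=POLICY_NAME):
    """UPNs of guest sign-ins that completed without MFA, i.e. gaps in the policy."""
    return [r["userPrincipalName"] for r in records
            if classify_guest_signin(r, policy_name) in ("report_only", "single_factor")]


def summarize(records, policy_name=POLICY_NAME):
    """Count sign-ins per classification."""
    counts = {}
    for r in records:
        kind = classify_guest_signin(r, policy_name)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_signins_query(since_iso, app_display_name="Azure Portal", top=50):
    """Graph URL for sign-ins to one app since a timestamp; spaces are %-encoded, not '+'."""
    odata_filter = f"createdDateTime ge {since_iso} and appDisplayName eq '{app_display_name}'"
    return GRAPH_SIGNINS + "?" + urlencode({"$filter": odata_filter, "$top": top}, quote_via=quote)


if __name__ == "__main__":
    print(summarize(SAMPLE_SIGNINS))
    print("guests without MFA:", guest_signins_without_mfa(SAMPLE_SIGNINS))
    print(build_signins_query("2021-01-01T00:00:00Z"))
```

Feed the `value` array returned by the Graph query into `guest_signins_without_mfa`: an empty list after the policy is set to On means every guest sign-in to the chosen app went through MFA, while any `single_factor` hits point at an app left out of the Cloud apps selection in Step 8 or at a guest matched by an Exclude entry.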
I hope this article helps you to configure a Conditional Access policy and Multi-Factor Authentication (MFA) for B2B guest users.
To learn more about MFA in Azure, please see our following articles.
As I am exploring Azure Identity and Access Management (IAM) in depth, please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂