The Azure Active Directory Business to Business (B2B) service now supports the use of Google as an identity provider for connecting partners, Microsoft announced on Tuesday.
The ability to provide access to organizational resources to users with Google IDs is at the “public preview” stage right now for organizations using the Azure AD B2B service. However, the preview represents the first time in which Microsoft has permitted users with non-Microsoft IDs to use this service. Previously, Microsoft had required that end users have a Microsoft account or an Azure AD account.
When set up, the federated service provides a single sign-on experience for Google ID holders. The organization can enforce multifactor authentication (MFA) security challenges, as well, if they have the licensing, according to a Microsoft spokesperson:
Azure AD Conditional Access policies apply to these users, so if the inviting companies’ policies require an MFA, the invited user will need to complete one using Azure MFA.
An MFA challenge is a secondary means of proving a user’s identity. It’s typically done via a text message response or by a response to an automated cell phone call.
The preview using Google as an identity provider works with end users that have Google Gmail accounts established. There’s some back-end work to get it going. IT pros have to set it up in two phases to enable the federation. They first create a Google developer project to enable an OAuth client ID API. Next, they use the client secret generated from that Google developer project to set up Google federation with Azure AD using either the Azure AD Portal graphical user interface or PowerShell scripts, according to Microsoft’s documentation.
The Azure AD B2B service was commercially launched worldwide last year, but up to this point it was limited to users with Microsoft accounts. The addition of Google as an identity provider is part of Microsoft’s efforts to make collaboration easier, according to the announcement by Alex Simons, vice president of program management at the Microsoft Identity Division:
Our vision is to enable you to collaborate with people from any organization in the world, whether or not they have Azure AD or even an IT department. We’re reducing friction during invitation redemption and eliminating the proliferation of credentials by enabling your partners to bring their own existing identities to collaborate with you!
According to the Azure AD B2B service scheme, external end users or guests get sent an invitation via e-mail to gain network access to an organization’s shared resources, such as OneDrive storage for file access or SharePoint Online sites for collaboration. A verified end user next gets sent a PIN via e-mail that grants access to shared resources. Guests aren’t required to be using the Azure AD service in their organizations to federate with the Azure AD B2B service.
There are limits on the resources that guests can use, though, according to the spokesperson:
Note that guest users don’t get the same things that employees get. For instance, they don’t get their own Exchange mailbox or a OneDrive; their devices can’t be MDM managed by the inviting company; their PCs can’t be Azure AD joined to the inviting companies’ tenant. They also don’t get licenses to the paid versions of the Office client apps.
The Azure AD B2B use rights appear to grant access to Azure AD free capabilities to guests. However, for “paid Azure AD features,” such as MFA and conditional access, an organization needs to ensure that it has enough Azure AD licenses to support the guest users, according to Microsoft’s licensing guidance document. The licensing ratio is five guests to one tenant, so in order to support 50 guest users, 10 licenses might be needed, depending on the paid Azure AD features being used and licensed.
Microsoft isn’t limiting the Google federation capability to specific Azure AD B2B licensing. It’ll be in all Azure AD product SKUs, the spokesperson indicated.
Microsoft possibly could be working with other non-Microsoft identity providers to enable federation with the Azure Active Directory B2B service. The effort apparently depends on working out the kinks in standards.
“We are working to add support for other standards-based identity services, but we have no additional partnership to announce at this point,” the Microsoft spokesperson explained.