Azure AD B2B and B2C Part 1


Time: 14 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 15
Video Transcription
00:00
>> Hello, Cybrarians. Welcome to Lesson 1.10 of this course, titled AZ-301: Microsoft Azure Architect Design. Here are the objectives that we'll cover in this series of lessons. In Part 1, we'll start by covering an overview of Azure AD B2B and Azure AD B2C. Then we'll go into more detail on Azure AD B2B. In Part 2, we'll cover Azure AD B2C in more detail. Let's get into this.
One of the first things that I want you to understand about Azure AD B2B and Azure AD B2C is that, to a certain extent, they serve a similar purpose. Both Azure AD B2B and Azure AD B2C allow us to give external users access to resources and services that trust our Azure AD. What that means is, in my organization, with my Azure AD tenant, I have certain services, applications and resources that I need to give external users access to. Rather than creating accounts for them individually or separately managed in my organization's Azure AD tenant, I can invite them, with their credentials in another Azure AD tenant or even in other identity providers, to access my resources. That's the overarching purpose of these two services or these two solutions.

Now, that's about where the similarities end. When it comes to Azure AD B2B, it's mainly for partner collaboration. That's talking about an organization collaborating with the partners that they're working or doing business together with. Whereas Azure AD B2C, as the name implies, business to consumer, is for external customer access to applications. For example, I have an e-commerce website where I'm going to be selling certain services or certain products to external customers. They're not partners that I collaborate with, and they need to be able to authenticate to my e-commerce site to be able to purchase my products and services. I can use Azure AD B2C as the identity provider for that external-facing application.
Let's talk a bit more about Azure AD B2B. One of the things is, it is a functionality of Azure AD. It's not a different service. This can get a bit confusing, because if you go to the Microsoft Azure Portal and you type in Azure AD B2C, you're going to see a different service. There's a different service where Azure AD B2C is different from Azure AD itself. When we talk about Azure AD B2B, it's not as if it's this other service that you can go to implement. It's just an additional functionality that we get with Azure AD, where we can collaborate between organizations, Azure AD tenants. That's essentially what Azure AD B2B is.

It helps us to avoid federation and extra servers. In the past, if we wanted to do that, we would have to deploy a federation server and then configure federation across two organizations. Azure AD B2B, that functionality of Azure AD, just makes it as easy as: I invite users from another Azure AD tenant into my organization, and all the federation processes and all of that extra stuff is handled almost transparently to the administrator.

As I mentioned earlier, it's about inviting users from another Azure AD tenant into your own organization's tenant. One of the main things to remember is that you, as an organization, are in control of the invitation to the other side. You're in control as to how relaxed you want that to be and who can invite users from another Azure AD tenant into your organization. You can control that.
Let's see a visual representation of that. There are two organizations. There's Contoso, and there's Fabrikam on the right-hand side. Contoso, as an organization, has their Azure AD tenant, and Fabrikam has their Azure AD tenant, with the identities in each organization's Azure AD tenant. Now, Contoso has an application or content that they want users in Fabrikam to be able to access, because they're collaborating and working together. Now, one way to solve that would be to create a different identity for Fabrikam users in Contoso. But that won't be an effective way to do that, because you have no idea of the life cycle of that user: if they've changed department in Fabrikam, you're not aware of all those processes. Ideally, you want the users to still be managed by Fabrikam while still being able to give them access to resources or applications in your own organization. What you do is you invite the user from Fabrikam into your organization, and then you give them access to the content and the application that you want them to be able to access. What that means is, whenever they want to access it, they do authentication against Fabrikam's Azure AD tenant, but then they're able to use that claim or that token to access content or applications within your own organization. At the end of the day, it's about decoupling authorization from authentication. What that means is authentication happens in the organization where the identity that needs access comes from, but authorization as to access happens in your own Azure AD tenant, where the application and the content actually is.

Here's a quick breakdown of the steps of that. We have Contoso sign-in. In the middle, we have the Fabrikam user trying to access content or an application that belongs to Contoso. The user tries to access the content, and then they're going to be redirected to Contoso's Azure AD, which is going to have a look at that authentication request. Contoso recognizes that this is a guest user from another Azure AD tenant, so it redirects to Fabrikam for authentication. Fabrikam authenticates the user and then sends the Contoso organization a token to say this user has been validated, and then Contoso validates the token and then sends a new token to the content for authorization. You can see where the decoupling happens between authentication and authorization.
When it comes to what sort of identities are supported, it's not just about other Azure AD tenants, even though that's a big part of it. Other Azure AD tenants, that's a big part of it. But there's also support for Google federation. What that means is, if an organization is using G Suite, you can go ahead and invite such users to be able to access content within your organization. Google federation is supported. But if you're dealing with a small business where they don't have an Azure AD tenant and they don't use the G Suite application set, if they have an outlook.com account, you can actually go ahead and invite them with an outlook.com account into your organization to be able to access content within your organization. Authentication will happen against outlook.com. Authorization happens in your Azure AD tenant. Then the other one that I put down there, that's currently in preview, is direct federation, where you can essentially see any organization that supports the right authentication protocols. You can just do a direct federation with that organization to give access to content or applications.
Some quick architectural considerations for Azure AD B2B. The first one is: guest user MFA enforced in the source organization requires a license, 1:5. What do I mean by this? What we mean by this is, when you invite a user from another organization into your Azure AD tenant and then you configure policies against your applications to enforce that MFA is required, because MFA is a licensed feature of Azure AD. What that means is, if you have an Azure AD Premium P1 license that allows you MFA, one license will allow you to be able to do MFA for five guest users. It's like 1:5. It's not going to be 1:1, because it's not fair, because they're not going to be using the full functionality, but the licensing is around 1:5.

Azure AD B2B is subject to Azure AD service limits. Remember that Azure AD B2B is a functionality of Azure AD. It's not a separate service by itself, the same way that Azure AD B2C is.

Azure AD B2B collaboration is not supported across national Cloud boundaries. With Azure, we have different Clouds. We have Azure Government, we have Azure China, which is geofenced, and Azure Germany, which is also geofenced. For example, you can't invite users from Azure Government to access resources in Azure Public, or vice versa. It's not supported across national Cloud boundaries, or what we call geofenced regions.
That's where I'll stop in this part of the video. In the next part of the video, I'll pick up from here, and I'll talk about Azure AD B2C.