Utilizing Zero Trust architecture principles for External Identities

Posted by

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

As hybrid work environments become normal and we continue to collaborate, the importance of adopting zero-trust architecture principles is more vital than ever. Zero trust architecture puts emphasis on three key principles: 


  • Verify explicitly: Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies. 
  • Use least privileged access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity. 
  • Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. 


Collaboration across organizations is a necessity for the successful operation of any business. Therefore, zero trust architecture effort will not be complete without encompassing external users. Azure AD External Identities already has many features that support zero trust principles to collaborate externally in a secure, flexible, and scalable manner. Below, let’s explore how these different capabilities help to implement each of the above-discussed zero trust principles. 


To help make things more relatable, let’s take a typical scenario for collaboration:  


John is the administrator for Contoso. Contoso has signed up Star Marketing for help on an internal project and John needs to enable Contoso employees on the project to collaborate with employees of Star Marketing. 


Prepare for collaboration 

Contoso used to provide local accounts to guest users and give them a username and password in the local tenant itself with a special username prefix to indicate a guest account. Thankfully, with Azure AD External Identities, that is no longer required. John can use external identities to set up a collaboration with Star Marketing and provide a better user experience to their partners in Star Marketing and in the process save money for Contoso which would have otherwise gone towards supporting account-related support tickets for Star Marketing users if they used local accounts. 


1. Verify explicitly  

Contoso uses a default block all incoming collaboration setting in Cross-tenant access settings. This ensures that collaboration is occurring only between fully vetted out partners as required by the company regulations. John then adds starmarketing.onmicrosoft.com as an organization in the cross tenant access settings. John also restricts the invitation capability to two Contoso employees who are spearheading the collaboration with Star Marketing. For general guest access to Star Marketing employees, John creates an approval process for onboarding 


Contoso also has strict security requirements for allowing access only from compliant devices and using multi-factor authentication (MFA). Additionally, John double checks that proper authentication strength requirements for external identities (such as using phishing resistant authentication methods) are configured for accessing the sensitive applications. 
You can configure cross-tenant access settings to trust MFA claims from external organizations. During authentication, Azure AD will check Star Marketing employee’s credentials for a claim to identify whether that user has completed MFA. If not, an MFA challenge will be initiated in the user's home tenant. Learn more at cross-tenant access settings. 


At the last moment, John was told that everyone who is accessing the MaxFin application should use phishing resistant authentication. John creates a dynamic group that will have all the members from Contoso and Star Marketing who will be accessing the MaxFin app. Additionally John created an Authentication strength to specify the phishing resistant methods the users will have to use to access MaxFin app. To satisfy the access requirements, John sets up a conditional access policy that utilizes the new auth strength created for MaxFin access and targets the users in the dynamic group he generated. 


2. Use least privileged access 

John wants to make sure users from Star Marketing only have access to the apps for the project and only for the project duration (i.e., 3 months). John’s onboarding process for Star Marketing employees using entitlement management has provided Contoso with the capability to easily meet the security guidelines set for the collaboration. Star Marketing employees can onboard by requesting the Access Package that contains all the access needed for the project and have lifecycle management applied.  


There are multiple benefits of using access packages, but some key reasons John chooses to use access packages over individual invitations are: 


  • Controlled accountability: An assigned approver needs to approve the request for any new request for an external user.  
  • Controlled access to only relevant resources: Using the access packages, John is now sure what are the resources to which the access is provided to the users from Star Marketing. There is no chance of variance and changes would be handled by the appropriate workflow John created. 
  • Limited access duration: John specified an expiration date for the access package and any access is not going to be more than 3 months the expected duration of the project. 
  • Automatic cleanup: If the user who was invited through entitlement management has no other access package assignments, then, when they lose their last assignment, their guest account will be blocked from signing in for a month and subsequently removed. 


3. Assume breach

John needs to keep track of how access is being used by employees from Star Marketing. He uses the cross-tenant access activity workbook to get a holistic picture of the current external users' activity in the Contoso tenant. Using these workbooks as a starting point, John can now customize them and make new workbooks specific to the business requirements. 




To ensure Star Marketing users do not accidentally or intentionally download sensitive data, John can deploy Microsoft Defender for Cloud Apps. John can then block unauthorized downloads and monitor the sessions. John can also leverage the power of AI-generated insights with Azure Sentinel. Alerts can be triggered and action automated if any risky behavior is detected by an external user from Star Marketing. 
Armed with this information, it’s easier than ever for John to create the right Access Reviews. One key concern is clearing up unused guest user accounts and John uses the instructions in Clean up stale guest accounts using access reviews  to easily create regular access reviews for Star Marketing users who have not used their access in the last 3 months. 


Future improvements 

Our current features already provide a great baseline to get your organization set up for achieving zero trust architecture around external identities. In addition to the current feature set, there are many future investments the external identities team is making to strengthen the zero trust principles. Some of the next investments are: 


  • Constant monitoring with data insights – Today, you can already leverage different logs, workbooks etc. to constantly monitor the external users' activities and react to any breach swiftly. Going forward, we will make it even easier for our customers to do such an analysis by providing data insights within the product with easy to follow up suggested actions. 
  • Higher granularity controls for redemption experience: You may need different partners to preferably use different types of authentications based on their collaboration requirement and other factors. You will see improvements that will allow you to better control which type of authentication such as Azure AD, MSA (Microsoft account), Email OTP (one-time passcode) etc. is used by a partner collaborating with your tenant. This will help you have more confidence in verifying that guests are who they claim they are. 
  • Consistent experience for managing collaboration settings for Azure AD and non-Azure AD partners: With cross-tenant access policy, you already have highly granular settings for your Azure AD partners. Soon, you will be able to manage current collaboration settings and new improved ones at one place for both your Azure AD and non-Azure AD partners. 



Collaboration with external users is an integral part of any organization’s day-to-day work. With the current features of Azure AD External Identities, you can ensure that you have the most secure collaboration amongst internal and external users based on zero-trust architecture principles.  


Features such as Cross Tenant Access Policy, Authentication Strengths, Allow-deny list etc. give you the ability to ensure your employees are collaborating with the right organizations following the most secure rules as needed by your organization. Entitlement management access packages for external users further make it easier for you to ensure the external users have the minimum required permissions for the right amount of time to be their most productive self with compliance to your organization's security principles. Detailed logs and workbooks, Microsoft Defender for Cloud Apps, and AI-driven insights with Azure Sentinel help you to identify any risks quickly and take swift action. 


Collaboration should focus on interactions, not constant concerns about security. We’ve made it easy to focus on what matters.  


Learn more about Microsoft identity: 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.