B2B Connect and Conditional Access–first tests

It used to be easy: there were tenant users and guests and I could set very well in conditional access how access to my data is controlled.

With Azure B2B Connect, there is now a further level. And with that, a few questions on my side:

  • How does a user from company A who accesses B2BConnect for the first time appear in AzureAD in company B?
  • How does this user’s SignInLog look like in the “guest tenant”
  • How can I control and secure the access of B2BConnect users in conditional access?

Test scenario:

  • Tenant A: DECKER
    In this tenant is the team with the channel that is shared with Tenant B
  • Tenant B: Contoso
    Here is the user the channel is shared with.

Test1:

Creating a channel in a team in Tenant DECKER

Sharing the channel with christian.decker@M365x54341088.onmicrosoft.com

This address is NOT a guest account in Tenant DECKER

No active CondAccess policies

As expected, upon first access, the permissions DECKER is granted must be confirmed.

The user does not appear as a guest user in DECKER’s AAD.

This is what the access looks like in the log:

image

UserType. Unknown – interesting….

Test2:

This time Melanie Decker from Contoso

However, Melanie is a guest user in the tenant

Access is possible without further requests

Test3:

Enabling a conditional access policy for guests that requires MFA.

Enabling another conditional access policy that requires MFA from all users.

Trust settings when connecting to Contoso are disabled – ie we do not trust Contoso’s MFA.

Expectation when accessing christian.decker@M365x54341088.onmicrosoft.com: Request to register MFA.

What actually happens?

image

With a little thought, it is actually logical:

The DECKER tenant does not have a user object in which it could store the MFA information – therefore the user cannot register for MFA.

Which conditional access rule applies?

As expected, the guest rule:

image

Does Melanie’s access to the shared channel work ?

This access works because Melanie has a valid MFA token from DECKER through the access of the guest user

image

Test4

We trust Contoso’s MFA

Christian accesses again – this time he gets the request to register for MFA – but correctly from the home tenant Contoso

And access works – MFA information is stored in his User Objects in his Home-Tenant.

Test5:

Now we require also “Terms of Use” from guests in the DECKER Tenant

with the next access to the teams channel the users have to accept the terms of use.

Lessons learned for conditional access:

  • B2BConnect users do not appear in the guest tenant’s AAD
  • Access from B2B Connect is secured via “All guest and external users”
  • If MFA is required and a user in the target tenant does not have a (guest) user object, the MFA of the guest tenant must be trusted

short note: All of my blog posts regarding ConditionalAccess will be in english – sorry for my bad english 😉

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht.