You. Hello and welcome to the let's Talk. Azure Podcast with your hosts, Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft three six five focused It security professionals.
It's episode 18 of season four. Sam and I had a recent discussion around external identities and how Microsoft entra can assist. Microsoft entra external C brings the B two B and B to C capability under one umbrella. Here are a few things we covered. What are B to B and B to C? Identities. How are these identities used? What is Microsoft entra multitent organization and how are these identities licensed?
We have noticed a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode. So let's dive in. Hey Alan, how are you doing this week? Hey Sam, not doing too bad. It's been a busy week as always. Yeah, exactly. And lots of security copilot news starting to drop now. It feels like in the build up to ignite we're seeing more and more sort of being drip fed to us.
Yeah. This week we had some of the official sort of documentation on Microsoft Learn. Now it's not Microsoft docs because that changed quite some time ago, but yeah, we're starting to see some of the documentation now coming out to sort of explain what it is and some of the scenarios. So yeah, starting to be more visible.
Yeah, no it's really good to start to see more information about it. It's interesting Microsoft's LLM AI being layered over the top of security operations. So yeah, it's really interesting to see that technology and I sort of can't wait to get my hands on it and have a play around with it. It's going to be interesting to see how effective it is and what benefits and ROI you really get out of it.
Yeah. And we're now starting to understand exactly what products it will start to sort of sit on top of like microsoft Intune Sentinel and Defender for Endpoint. So as sort of the initial start to it all. So yeah, definitely we can start seeing where we need to focus on making sure we got that data for it to consume and help SEC Ops where it yeah, yeah, exactly. So this week Alan, external identities.
Yeah, this was a request that one of our listeners sort of brought in so I thought we'd cover it because it's something that we haven't done yet as yeah. Okay, cool. Well let's get started. So Alan, can you give us a sort of a bird's eye view, high level overview of what Microsoft Entra External ID is?
Yeah. So Microsoft Entra External IDs is really the sort of umbrella name for a couple of sort of technologies that have been in play in the sort of Azure ad or microsoft Entra or Microsoft Entra space for some time now. But yeah, so it's kind of as it kind of sounds it's your external identities that you can use either within your Microsoft three six five tenant or your Microsoft Enter ID tenant. Or it could be in effect your consumer identities for your application. So when I say sort of B to B, I'm talking to business to business. So tenant to tenant and then you got B to C, which is business to customer, business to consumer around it. So that's the kind of high level sort of areas. But there's also this new area that's in preview around Microsoft Venture multitenant organizations and we'll talk about that sort of later. There are a couple of things around B to B. Like I said, it's been there for some time. But yeah, we can dive into that in a bit.
So really it's a sort of set of technologies and controls for how you as an organization would interact with other external well, literally external identities. Right. Be that B to B, B to C, it's really that collaborative technology that it's not just Enter ID being your internal identities, but it's also bringing in other externals into sort of your environment.
Yeah, be able to collaborate with other organizations or they might be sister companies and be part of your global organization, or might just be partners or just maybe customers that are still organizations. And then you've got consumers as they're bringing consumers into your not to say into your environment directly, but maybe into your applications that you're hosting and things like that. External entities, external parties, being able to authenticate against your identity and you provide the access kind of thing.
And I suppose a question that I've got is that is this all new technologies and new concepts or was there ways to previously have this type of collaboration? Pre enter ID Azure Ad, how would you have done it? Traditionally.
B to B, B to C has been around for some time now with the branding of Azure ad. So that's been around for some time. There is some advances in those technologies since and we'll go through those sort of later. But before you had I guess before you had Office 365 and if we're going that far back now, being able to collaborate with external party, you'd have to allow them access to a web service or something on premise or in Azure. But you have to directly connect to the IAS or PaaS service and either that would be local identities to that application or it would be authentication against your active directory. So on premise sort of authentication. So it probably was quite difficult to difficult and complex to try to set that up without it and also being secure because in effect you'll get your opening a portal up for potentially in the past brute force attacks against your application, against your identities.
And would, you know, sort of traditional it. Would that type of collaboration just not know, have things like teams and OneDrive, et cetera, driven the need for this type of collaboration? Is it just new technology that's driven it? Or would you have done that previously, or would you have shared data in a different way?
I think you have shared data in a different way because there's always been a need to collaborate with information. You send an email with all of your attachments, your Word documents. Now in today's world you would share that, potentially share that via SharePoint or OneDrive, so you don't have to share a copy of it. So it's not like two or three copies of the same data kind of thing. And once it's sent in an email, then without using other technology like Purview information protection, you can't control who has access to that data once it leaves in that email. So leaving it on your data at rest, on your tenant and other users consuming it is potentially more secure or at least there's more controls at least about what they can do with it.
Okay, so yeah, let's go through some of the use cases then. So in what scenarios is B to B used?
Yes, we kind of talked about this a little bit. So there's two types now for B two B collaboration, one of them being B two B collaboration, but one of them being the new one being B two B Direct Connect and B two B collaboration is where we invite a user into your Microsoft Enter ID tenant as a guest. So they have a placeholder a guest account in your tenant which is tied to their identity on their home tenant, which then you can then give access to applications, resources, SharePoint sites, teams and things like that. And a lot of people have used this potentially. So if you wanted to talk to somebody, if you were a guest user, and you're using Microsoft Teams, you have to in effect do a switch tenant. So you switch over to the external tenant as the user that has been invited. And then you can then see what the Microsoft teams in that remote tenant and then collaborate within the teams you're allowed access to. It might be that you've been B two B'd into access an application they have that they single sign on into. It might be access to their AWS environment or their Azure environment. Maybe you're an MSP looking after a customer's Azure and infrastructure. So that's one of the scenarios. The B two B Direct is new and this is in effect creating a trust between the two tenants. So this is saying what a user is allowed to do between those tenants and that could then bring into the new. It's not necessarily new now, but it is still thinks the last six months, twelve months that it's been out. But the Microsoft Teams shared channels where a hosting tenant creates a shared channel and then they share it with the external tenant. And in effect within Microsoft teams, that user can either add it to another team, their side, and in effect it mirrors that channel into their tenant. So they don't have to do that switch tenant, which is very powerful really, because it fills from the user perspective very seamless with that, even though the data is stored on the host in tenant there. So that's kind of the two ways of using that. Like I said, it's mainly around tenant to tenant interactions and accessing SAS applications that are in one of the tenants and things like that.
Nice. That's great. I'm guessing that just really does enable effective and secure collaboration between organizations. Right, it's that fine grained relationships that can be defined and I suppose monitored.
Yeah. And in effect those users coming in, you can then using conditional access control, what they do to have access. So it could be they have to do multi factor authentication, they have to come from a certain IP address, that kind of thing. So you can then lock down that access to your SharePoint OneDrive environments or those other SaaS applications that you're allowing them into. Nice. So on the B to C side, can you give us some scenarios where that's used?
Yes. So just for clarity, I've not really used this in anger, I've more been in the B to B space, so don't shoot me if I get anything wrong. Yes, b to C is more around providing identities for your applicational website for your consumers or your customers to use. So this is an external identity provider that you can use then to with any application you create, or any website you create to provide an identity, so you can give permissions to certain areas. So this could be your shopping website, this could be your data repository and you need to provide access to it. And really that's the main goal with it. But also there's custom development apps. If you've got single sign into other SaaS application that are out there, you can use it for that. One of the main things is that the users can bring their own identities. So this could be a local identity that is in the B to C tenant. So when you do this, when you set up microventra B to C, in effect you spin up a new Azure ad. I'm getting them all mixed up now because it's still in my mind about Azure ad, but Microsoft Ventra ID sort of tenant and then the users go in there. But then you can use external identities like Facebook, Gmail and some other ones out there, as well as potentially government IDs to do that sign in for you. So you have other identity providers that a user can use, because a lot of consumers will have a Gmail, a Facebook Instagram, an Apple ID kind of thing, and they can just reuse that to, in effect, have an identity within your application and B to C, in effect, collect some Identifiers for your app, for your identity in those external ones, so it can cross reference you. But in effect that then allows those users to have access to your application or to your SaaS applications that are sat in the background. And in effect this is sort of classed as a customer Identity Access management system, a Siam, CIAM and like I said, it can use SSO, Sam'l, OpenID, Connect, OAuth. It can also be B to B users. So you can use an Azure ad or a Microsoft Venture ID Identity to also go into that B to C environment. And sort of some of the great things around this is that previously not that it was just that, but it was just that sort of data store. But in the last year, 18 months, Microsoft allowed you to use change the sort of pricing sort of around it and in effect allowed you to have conditional access and any P one P two capability within that tenant. So now they've added that enhanced security to it, which is great. So you can do MFA potentially some access reviews and some risky user kind of kind of things. One great thing as well is that the sign in interface you can in effect pretty much customize to what you need to meet your apps or your app or website sort of themes and your I can't think of the word of it now, but in Fetch you have like full control of the HTML and the CSS for it.
Yeah, I've used B to C previously to instead of roll our own identity service effectively, you utilize it because a lot of development teams, I'll say back in the day, back in my day, used to roll their own identity providers. And there are frameworks out there that you can effectively roll local identity providers, but those identities are so risky, especially in breach scenarios around password reuse and the security of those credentials. Right. And any private PII information, et cetera. Right. So there has been a general trend in sort of outsourcing and offloading that identity provider to a third party. Now there's lots of various different systems that you can and even actual companies that do it. But I think what's great about B to C is that you're effectively reusing and I don't know how it works under the hood, obviously, but you'reusing a lot of that technology that's there on the Enter ID, I'll call it like normal mode, if that makes sense. Right. And to also be able to do things like MFA and conditional access with it as well, you're starting to add a layer of protection that is from my experience, not there when devising your own solution. Right. So the fact that you can get full control of that, you can integrate with other identity providers as well. So people can reuse their identities as well is a big bonus there.
Yeah. And you're right. In effect, if you built your own one you've got to manage it. One you've got to update it to keep it secure. If you want MFA, then yes, you've got to build that capability in or jump out to a third party solution to bring that MFA in. Yeah. You've then got to build potentially got to build your interfaces to manage those identities from an application management perspective, not necessarily from a user side. User might want to update all of their information. So you got to provide that sort of view of it plus all your sign up pages, things like that. And building all those security controls that conditional access can do, checking what IP they're coming from, any risky sign ins, things like that without not saying anyone couldn't build it. But you're adding a lot of time into your build and this is almost I need this, I'm going to spin up a tenant, I put my requirements into what identities are allowed to sign in, things like that, all my conditional access and now I should hook up my application. I've never done this so I don't know if it is that simple. But in effect you've got your Identity Store there ready to be integrated within your application and Microsoft do provide you with sample codes for your Nets and things like that to be able to integrate with sort of does feel like it's there on a plate to basically just consume and let Microsoft do all the hard work for you.
Yeah. You've obviously got to have a level of development knowledge, right, to be able to integrate it. But I think if you take the simplicity of it versus rolling your own and what these developers are having to do before this right, this is like you say click, click, done, SDK, integrate, go. Right. I can imagine that some people may be cautious of outsourcing something quite so vital. It's quite natural for us because we're in sort of Microsoft's ecosystem a lot. Right. So it's kind of a no brainer really. But I can imagine some people that want to be able to not be vendor locked and things like that, there could be concerns around that. And if you don't trust cloud providers with your identities, there could be that but then you wouldn't really be looking at a hosted and managed solution anyway. But I think if you are an organization that is currently using Entraid, adopting Entraid B to C is like a logical next step, right. It's aligned into the ecosystem. It's also using from a SEC ops perspective, it's utilizing a lot of the same tooling and the same terminology and understanding. So it feels quite natural to start using that type of system.
Yeah, probably a lot of organizations or users are probably potentially where they work now as well. They're probably used to sort of the microsoft Venture ID authentication window and things like that. Whilst you can customize it, they are very used to it. And I've seen one of the water providers in the UK utilities using B to C. I've just seen it because of the URL it goes to I've been like oh there's B to C here, but didn't notice it from the start kind of thing. So it is kind of hidden that it is that technology. But again, from a security perspective you can see that the Microsoft Enter environment is so large now with multiple organizations just using it for their internal identities now. Such a big ecosystem there that Microsoft are looking after, there's so many protections there and you're just sort of just jumping on that for your consumers.
Yeah, definitely. So can we talk about sort of licensing and costs? Is it enterprise ready but also enterprise cost?
Probably talk about back in the day, back in the past we've used that twice now that in effect for B to B. So B to B and B to C kind of used to be sort of separate tooling and then it sort of came into sort of one sort of scenario kind of thing and then put under the external ID sort of umbrella. But originally B to B used to be that guests could be invited. And if you wanted to use any security products, in effect for every one license you had for your internal users, you could use five for guest users. So if you had 100, it means you'd have 500 for guests in effect. You never seen those licenses. It was more of a that's kind of like what you get with it. That was great because some organizations have little guests because most of them are internal, but it meant that you could apply MFA, use conditional access on them. And if you were P two as well, it means you could use identity protection as well. Just check, make sure they were not risky when they're coming in. And then quite some time ago, maybe 18 months, two years ago I think it was, they then brought in this new sort of model. In effect you change over to it if you already had a tenant and basically you sign up as your subscription to your Microsoft Enter ID tenant and then it's based on monthly active usage. So it's like a consumption at that point. Now it seemed when we initially heard about that being sort of quite bad because at the moment in effect you got them free. But when you dive into it, the first 50,000 external identities. So B to B users or your B to C users are free. So from an organization using B to B with their external parties, quite a lot of organizations probably are not going to hit that 50,000 mau. There will be organizations that will, don't get me wrong, but generally I don't think many will hit that monthly active usage for their internal users. So I think that's great. And even for your B to C, if you've got 50,000 consumers talking to your application, which is probably likely, if you've got an application that is heavily used, then your first 50,000 are free and that includes your P one and your P two as far as I'm aware, capability from an entry ID perspective. So that gives you conditional access, multifactor and your identity protection, your risky users. So I think that's pretty crazy. I think that's pretty good.
Yeah. Because I wonder if you blocked if you plotted all of the web applications in the world and did a histogram of how many monthly active users they had, I bet the vast majority would be under that 50,000 of all the web apps that are out there. Like if you had a B to B SaaS business, you could have a very sizable business with 50,000 and it's monthly active users as well. So.
It'S also who logs in if you've got sort of stale accounts, people not logging in, they're not counted every month unless they actually log in. Right. I assume it's consumption build at that point, right. At the end of every month. Yeah. Really good. Yeah. So now the price for over 50,000 and so there's two prices. There's one for P one capability and one for P Two capability. So in dollars per user, per monthly active user, this is probably 00:30 license.
Yeah. I worked out to $3.25 per thousand users per month. Okay. Yeah. So do you have to take at least a P one? Yeah, that's the minimum one. So you by default get conditional access and MFA and password reset, things like that. Right. Okay. So you get your first 50,000 free and then if you want everybody else have everybody on P one, you'll then pay $3.25 per thousand monthly active users per month after that. Yeah. And then the P Two price is $1.0.65, which I guess is $16.25.
Yeah, $16.25 per thousand. And what do you get for P Two? For your ex that will then include the identity protection side of things. So risky users, where they're coming from, that sort of stuff to see if they've been compromised, that kind of thing. So if they're coming from a known bad IP address or Tor browser, et cetera, they can be classed as risky and not come in. Or maybe you enhance the MFA kind of thing.
Okay. So P one, you sort of get your static rules, if that makes sense, your conditional access, your MFA and that settings. And then P two is really starting to get adaptive access at that point, right. And actually feeding in other intelligence signals into those logins.
Yeah. And so that's kind of it around the licensing cost. So there's no really barrier to entry to start because if you're developing, you're going to use your test accounts, aren't you, at that point? And you're going to have like five or ten, and they're going to be in the free tip. So you can have it all there. You can start building all of your conditional access, testing it all, and your app integrations, and then when you're ready to launch it's there and I guess that's another great thing about it is you don't have to scale it. No, it's just there it can consume what you need.
Exactly. Yeah.
And I think that for me, the front door element of it is really powerful. If you're the size of organization that's got 50,000 monthly active users, there is a potential there for you to be, well, anybody, but to be more vulnerable to like a denial of service attack, et cetera. Right. And every endpoint, every process that you have to cover with that is extra cost. Right. And Microsoft are effectively saying, hey, use our hosted service, we'll give you the first 50,000 monthly active users for free. I suppose it could really add up then. I suppose P two could add up. Right. Because if you're 100,000 monthly active users let me just do that in those numbers, that's $1,600 a month for another, for another hundred, and you'd have 150,000 monthly active users for one $600 a month. I suppose in my mind I've got to think about for one $600 a month, could I pay somebody to maintain it? The answer is probably no and host the thing. There's many different things to think about there. Plus multifactor authentication, right. Because if I'm rolling my own, I have to get feature parity. I have to also support all of these different things like conditional access, identity protection, et cetera. Right, yeah.
That or you've got to go out to a third party that can provide that for you and pay per user for that to be able to do send out a text message or have a one time password, et cetera. Yeah, definitely. Okay. Yeah.
Sounds really I obviously don't know how that scales, right. Because I've never used that at that level. Right. So it would be interesting to hear from somebody that has B to C at over 50,000 monthly active users right. To see if it's actually economically viable at that scale. But to me, I feel like you would have a very big business if you had 50,000 monthly active users, right. And you could probably support because it might be that you've got a true B to C. Maybe you're running like a social network as an example, right. You might not need p. Two. You might not go to that level because what's the risk there? You might have sort of pseudo public information people's, pictures of their dinners at restaurants and whatnot on Instagram. The content that you're protecting there might not actually be that as valuable. Right. Because there's different sort of classification levels there. So it might be that P One, for certain amount of your users is absolutely fine, or maybe even all of them. And at that point, it's kind of a no brainer, isn't it?
Yeah, definitely. Even just having the P One is so powerful. It's the same thing with Muscle venture ID. Having that P One is essential, really, or the equivalent of depending on how you get that capability, whether it's business premium, things like that. Yeah. And it would just be the sensitivity of that data and a balance of risk right. Versus ROI. But I suppose as well, and correct me if I'm wrong with identity protection, that's just like a turn on sort of deal, isn't it?
Yeah, pretty much setting up some conditional access for it, just so you're using those signals to do something, be adaptive with your access.
But identity protection gives you those signals with very minimal configuration, doesn't it? It's like black box. Right. So what you can do is you can consume that P Two license with very little SME knowledge, right. Because yeah, you've got to modify your conditional access policies that you created in your P One. Right. But layering on P Two, to me, just seems like it's a commercial and a risk decision more than it is anything else. Right. So that is also quite powerful that you can just set and forget. Right. The biggest decision is who's going to pay for it, and that's the CFO's problem. Right. So that seems pretty powerful to me, that that user experience of moving between those levels or developer experience of moving between those levels is almost frictionless. Except for commercials.
Yeah, definitely. And you can as well, not necessarily around the pricing side of things. You can also do some verification of someone's identity as well. In effect, the workflow of someone signing up could go to a third party proofing capability, maybe they've put some details about where they live, things like that, and then you need to validate it to prove their identity, kind of thing. So I think you can hook it up to some things like that as well, so you can have the extra checks when the people sign up.
Okay, yeah, that sounds great. A sort of scenario that I've sort of been thinking about, as you've been talking is mergers and acquisitions, larger multinational organizations. So some organizations I work with have multiple tenants. And how does this sort of fit that? Because organizations that have multiple tenants are kind of like B to B tenants, really, and they can actually be isolated from a corporate structure perspective. So does any of this technology help there?
Yeah, so you're right. In effect, they are B to B sort of scenarios. Not the B to C side of things, but with the new sort of B to B direct and things like that, that helps with the because really, they can collaborate, but it's not maybe the greatest experience because they have to switch tenants to find out who they are when. They're sending an email, they don't necessarily see everyone from the other organizations without someone creating contacts and trying to keep that up to date, et cetera. There's a couple of things. So Microsoft brought in this cross tent synchronization and in effect you can synchronize users between in effect automatically B to B collaborate, invite them into the other tenant and then when they leave, they then get removed. Like you said, if you've got a merger acquisition, you can almost set up automatic beta being into that tenant, that remote tenant and vice versa can be two way sync. So that then allows that automatic, as I keep saying, inviting of that user to that tenant and offboarding as well based on the source tenant managing that. So that's really good, that stops having to request to be invited and that kind of thing. But there is something in preview at the moment called multitenant organizations organization. And in effect, from my understanding of it, in effect, you create this sort of umbrella or this entity that says we're a multitenant organization. And then you in effect attach the tenants to that multitenant organization. And then you can do things like the synchronization with the other tenants as well. Sort of semiautomatically in effect. But the users from what I understand are sort of classified as external members rather than guest members. So they kind of are identified as like an internal user, but their identity is external kind of thing and you can still have your standard B to B guests non out of that multitent organization sort of coming in as well. But the kind of benefit to this is it's using the collaboration, the B, two B collaboration, but also the B to B direct sort of scenario. And what it allows, again, from my understanding, because I've never used it yet, is that you can now also directly collaborate in teams around those tents because you'll be using, in effect, share channels. And I think there might be some other functionality, but also when you're doing emails, things like that, I think you can search for users and you can collaborate a lot easier. And that's kind of what I'm seeing from the documentation. And that that it's just a better experience for users when they're in that scenario, because it's the worst thing of you've done an acquisition or a merger, et cetera. Or like you said Sam, you've got an organization, multinational organization that have got tenants in their regions due to sovereignty of data and things like that and you need to be able to collaborate easily. That is one of the trickiest parts. There are solutions out there to sort of try and help with that. But Microsoft now bringing that into this ecosystem now. So it definitely feels like it's the next stage of that merging of multitenants there.
It's such a common scenario as well, right? We see it with larger organizations. I'm going to say more often than not really, to be totally honest with you. Right. So it's great that that is a thing. I think that's going to really help and simplify things and I think generally that's going to help with that just shifting more and more into the cloud right. And letting having that more joined up ecosystem.
Yeah, definitely. And to be fair, I don't think thinking about know, we talk about Microsoft Enter ID quite a lot, but I don't think we've actually done an episode on the concept of having a cloud identity and synchronization with Active Directory and everything. It's like something we've completely missed out of everything.
It's like almost know the foundation, the building blocks. Right. So are you signing yourself up for a Enter ID? It's the right time to do an episode on it, Alan, because they have changed the you know, I'm going to call it that. We were just waiting for the rebrand. Right. And that's why. Yeah, maybe I'll do that in a couple of weeks time. Okay, cool. Anything else that you want to cover, Alan? I think you've given us a good overview there.
No, I think I've done fairly good with it. Sorry if I've butchered B to C, I hope I haven't. But yeah, the only other things is some of our previous episodes. And again we've talked about all some of the capability in Microsoft Enter ID, but never talked about Enter ID directly. So we got some things like Identity Governance, which is quite an old episode actually now, which is season two, episode ten, so we probably need to revisit that. Season Three episode one azure MFA and season three, episode four, we did Privilege, identity Management. Again, one of the other capability, if you want to continue sort of the journey of learning about Microsoft Venture ID, check those ones out and we'll continue to sort of add some other ones in as we've forgotten the foundational side of things. Sam, what's next week's episode?
I'm going to cover Azure. DDoS protection. DDoS stands for Distributed Denial of Service. It's essentially a sort of attack mechanism where adversaries will attempt to overwhelm a system with a flood of data effectively to a target system. What can happen is it can choke up sort of multiple layers of your network stack to interface into your application. And with a lot of managed and hosted products, distributed Denial of Service protection is built in so it's something that you don't need to worry about. But if you do have a need for interfacing, let's say your web servers out to the Internet, you can layer on DDoS protection on top to give you that protection. So I'm going to do an episode on covering that and what the benefits are and how it works.
Okay, great. Yeah, it'd be worth getting some of those we can find some of those stats where Microsoft have stopped a huge DDoS attack against them. Some crazy numbers there. If I remember. So, yeah, that'd be good. I think that'd be a good episode. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple or Spotify. This really helps reach out to more people like you. If you have any specific feedback or suggestions, we have a link in our show notes to get in contact with us.
And if you've made it this far, thanks very much for listening and we'll catch you on the next one. Yep. Thanks all.