Sunday, September 29, 2019

Be aware: join as MS Teams Live Events guest requires that one is pre-authenticated against the inviting tenant

With MS Teams Live Events produced via Teams (aka QuickStart) it is already supported to invite externals (MS Teams produced via External App will support it once the underlying Microsoft Stream Live Events capability supports guest access). Guest access in MS Teams Live Events by Teams is realized by utilizing the Azure AD B2B capability, similar as is done in the external sharing of a MS Teams instance itself with external guests, and also in external sharing SharePoint Online sites. Interesting is that the external does not need to be invited to any MS Teams instance of the inviting company. This makes sense, as a MS Teams Live Events instance itself is not tied to a particular MS Teams instance; it is scheduled from the MS Teams Calendar.
Guests can join the Live Event via the browser or via the MS Teams App. In case of the latter: In your joiner instruction to invited guests, please make sure to inform them that they first must authenticate themselves against your (the inviting) tenant, before trying to join the MS Teams Live Event via the distributed 'attendee link'.
No permission to join as guest in case not authenticated before
Authenticate as Azure AD guest to the MS Teams of the inviting tenant; first authentication is 'federated' against the invited guest identity administration, and next most likely second / multi-factor authentication against the inviting tenant
Once authenticated as AAD guest to the inviting MS Teams tenant, allowed to join the invited Live Events direct via the 'attendee link'

Saturday, September 21, 2019

In the dungeons of Azure AD B2B: properties of external Azure AD account might block creation of guest account

Collaboration between organizations in an ecosystem has become more and more essential to the value organizations create. But also in these Business-2-Business (B2B) collaboration scenarios, the authorization principle of 'need-to-known' must be adhered: employees from the partner organizations should only be granted access to the information on which they actually collaborate with the inviting organization. To be able to grant selective authorizations to the externals, requires that each of them must be known with identifying identities in the information system(s) of the inviting company.
In the Azure AD B2B model, Microsoft introduced the notion of 'guest accounts' for this, based on the concept of "bring-your-own-identity". An Azure AD B2B guest account is a lightweight account, that in fact acts as placeholder in the Azure AD context of the inviting organization to external identity managed outside the responsibility of the inviting organization. As such, Azure AD B2B collaboration supports cross-company relationships by enabling partners to selectively access your corporate applications and data using their self-managed identities
Azure AD B2B supports 2 modes to invite external guests via their corporate email addresses: a federation model from the Azure AD of the inviting organization to the external Azure AD of invited partner organization. And in the case that the invited company is itself not (yet) an user of Azure AD for their identity management, via just-in-time created accounts which are then administrated in a so-called 'viral' tenancy (see: Understand the B2B user).
Guest accounts are created in the inviting Azure AD with their own (external company) email address applied as their guest account / identity name. Azure AD requirement here is that the guest identity name is not yet in-usage as proxy-address within another account in the Azure AD tenant. The typical situation in which this could occur is when an external employee already has also a Member account in the Azure AD of the inviting organization, and has the own corporate email assigned to that Member account. When next you try to create a guest account for that external email, Azure AD refuses with error message: "The user you're inviting already exists in the directory. They can simply sign in into shared apps and resources."
The most pragmatic approach to fix this guest account provision error, is to 'free' the external corporate email address of the 'to-be AAD guest': disconnect it from assignment in the Member account in the Azure AD of inviting organization.
Another apparent feasible approach is to simple select another external corporate email as guest account name: e.g. instead of '<External>.<User>@>ExternalOrg<.com', provision a guest account via '<External>.<User>1@>ExternalOrg<.com'. This is certainly a creative alternative. But you need to be aware of some pitfalls with it. 1) Redemption in Azure AD B2B is an email-verified process. Meaning that the alternative corporate email address must actually exist and resolve to an email inbox in the domain of the invited organization. 2) In case of federated Azure AD tenants, the requirement that the proxyAddresses must be unique, is verified in the combination of the Azure AD tenants of both the inviting as the invited organizations. Resulting that in case to the alternative account in the Azure AD of the invited organization, the original corporate email of person is administrated in the proxyAddresses, then the provisioning of guest account in Azure AD of the inviting organization still blocks. See How can we improve Azure Active Directory? - Show the B2B-blocking proxy address in my tenant's logs where this is shortly described.
Code snippet to have run in the Azure AD tenant of the invited organization, to identify whether and which proxyAddress value is the cause of the blocking:
Connect-AzureAD

Get-AzureADUser -Filter "mail eq '<firstName>.<lastName>1@externalcompany.com'"
   -all $true |
Select-Object displayName, @{L = "ProxyAddresses"; E = { $_.ProxyAddresses -join ";"}} |
Export-Csv -Path C:\temp\ReportOutOnAADAccount.csv -NoTypeInformation

Sunday, September 15, 2019

Caveat with MS Teams Live Events: once started, your audience is fixed

Do you recognize this? You started "the party", and while in full flux you're friendly reminded that you forgot to invite your best friend... This metaphore also holds for webcasts with selected audience: as people move accross diverse departments in an organization, it is an easy miss to not authorize/invite someone new joined. And dependent on the content and information sensitivity of the information shared, even more important can be to retract the authorization of someone that moved to another department. With Stream Live Events, the owner aka organizer of the Live Events is enabled to on-the-fly make modifications to the authorized / invited audience of the event, also when the event is already live. With Teams Live Events this is not possible: once the planned event is started, the audience is locked: you can neither add new attendees (nor presenters), or remove persons that should not be allowed. It is even not possible to modify in MS Teams the audience after the event is ended.
As the positioning of MS Teams Live Events compared with MS Stream Live Events is that the first is aimed for webcast distribution with a typical known team (of people), the lack of dynamic authorization may in reality not be a concrete issue. But good to be aware of, also to make a judged selection between webcast via MS Teams Live Events or via MS Stream Live Events.

Friday, September 13, 2019

Just be aware: recorded data of MS Team Live Events "QuickStart" is stored outside own tenant

Microsoft Teams Live Events supports 2 flavours: Teams (formerly code-named "QuickStart"), and External App using Microsoft Stream. The charm of the Teams option is illustrated by its code-naming: it's very easy to start up and use. In the most basic and raw form, the only thing needed is a laptop with onboard camera, and Microsoft Teams desktop application installed. And then anyone granted the Teams Live Events scheduling authorisation (TeamsMeetingBroadcastPolicy -AllowBroadcastScheduling parameter = True; Who can create and schedule live events?), can self-schedule and self-produce a Live Event. However, a caveat to at least be aware of is on the location where collected data is stored: the video recording, and the data of the Moderated Q&A. When using Microsoft Stream for event webcasting, the recording is stored in your own tenant and under your direct control. The MS Teams situation is to date different:
  1. The video recordings are stored as Azure Blob in the Microsoft system instance of Azure Media Service, a generic tenant shared accross multiple customers. The AMS instance is within the same data center as your tenant (not much information on this shared, but see: Manage a live event recording and reports in Teams: "Recordings from live events produced in Teams are currently not saved in Microsoft Stream", and Teams Live Events storage location);
  2. Captured Questions & Answers are stored in a combination of Azure Tables and CosmosDb, also in a generic tenant. The QnA data is automatic deleted 180 days after end of the Live Event, unless earlier explicit deleted by yourself.
It can very well be that this outside-tenant administration of your's company data is totally irrelevant for your organization. If so, you don't need to concern yourself nor your information security. However, in case you are in a business for which legal compliance and/or data privacy holds, I do advise that you consult your information security and compliance office on whether the outside-tenant administration does not impose a continuity risk. Better be safe than afterwards sorry...