In the new B2B direct federation feature for authentication supported for authenticating a guest user as part of evaluating a user's rights to consume content protected by a sensitivity label (Azure Information Protection)

Paul Docherty 6 Reputation points
2020-09-06T02:10:45.517+00:00

Microsoft has recently released into public preview a new way to authenticate B2B users that are invited to become guest users in an Azure AD tenant, called direct federation with a SAML 2/WS-Fed compliant Identity Provider (IdP). The Microsoft documentation clearly indicates that Azure AD now delegates the authentication to a 3rd party IdP when that IdP is correctly set up via direct federation. It also confirms that direct federation takes priority over One Time Passcode (OTP), which would be the default mechanism (if enabled) to authenticate a user who was not in another Azure AD or a supported social provider, e.g. Google.

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation
https://www.microsoft.com/en-us/videoplayer/embed/RE2PBup

The following Azure Rights Management Service Documentation:

https://learn.microsoft.com/en-us/azure/information-protection/prepare

specifically says that external (guest) users can only open protected content if they can be authorised by a personal Microsoft account or (if the message is sent by Office 365 Message Encryption with new capabilities) to a user by federation with a social provider or using an OTP.

I am hoping this inconsistency is a function of the documentation not having been updated to ensure that the Azure Information Protection/RMS "preparing users and groups" documentation is aligned with the Azure AD B2B authentication documentation.

My understanding is that access to consume protected documents is governed by the user's identity certificates e.g. the Security Processor Certificate (relating to the device) and the Rights Account Certificate. My understanding is that this identity is used in conjunction with their user/group rights in relation to the label that has been applied to the document to determine the rights that they are granted (defined in a Use License returned from Azure RMS) to access the protected content.

My understanding is that part of this RMS authorisation flow is an authentication with Azure AD to determine the identity of the user making the request. My question is: will this authentication and the subsequent authorisation work correctly with direct federation, i.e. will Azure AD (unless the user can be authenticated from their SSO) redirect to the 3rd party IdP to enable the user to provide their credentials and for the authentication to be validated by Azure AD? All the documentation I can find refers only to federation with other Azure ADs and use of Microsoft accounts if the user is a guest. Surely the advances in how Azure AD can authenticate the identity of a user will apply to RMS authorisation?

Perhaps the Microsoft program managers for the new B2B direct federation feature have an insight on this: Maria Lai? @Alex Simons (AZURE)?

Thanks for any light anybody can shed on this as it is a critical component of the solution we are trying to implement.
