Microsoft Entra ID External OpenID Partner is a feature within Microsoft Entra ID (formerly known as Azure Active Directory) that allows organizations to securely integrate with external partner organizations using the OpenID Connect (OIDC) protocol. OpenID Connect is an identity layer built on top of OAuth 2.0, a widely used authorization framework. This setup enables Business-to-Business (B2B) scenarios where partners can use their existing credentials from their own organization’s identity provider (IdP) to access resources in your organization.
This feature is especially useful in scenarios where organizations want to grant access to external users without creating new accounts in their directory. Instead, users authenticate through their own trusted identity provider, and Microsoft Entra ID accepts the authentication assertion, granting access based on established permissions and policies.
In this guide, we’ll go through key concepts, configurations, features, and practical examples to help beginners understand Microsoft Entra ID External OpenID Partner integration.
Overview of External OpenID Partner in Microsoft Entra ID
What is an OpenID Partner in Entra ID?
An OpenID Partner in Microsoft Entra ID allows you to establish a trust relationship with an external organization that has its own identity provider (IdP) using the OpenID Connect protocol. In this relationship:
- The external organization authenticates its users and provides an identity token to Entra ID.
- Microsoft Entra ID accepts the token and uses the information contained in it to grant access to specific resources.
- Single Sign-On (SSO) is established, allowing users to log in once with their own credentials and access the necessary resources in your organization.
Key Concepts
- Identity Provider (IdP): The partner organization’s IdP authenticates the user and issues an identity token.
- Relying Party (RP): Your organization is the relying party, trusting the identity information provided by the partner’s IdP.
- OpenID Connect (OIDC): A protocol that extends OAuth 2.0 with authentication capabilities, enabling identity information to be securely transmitted between the IdP and RP.
Key Features of Microsoft Entra ID External OpenID Partner
- Seamless Single Sign-On (SSO): External users can access your organization’s resources with their existing credentials, avoiding the need for additional accounts.
- Federated Authentication: External partners authenticate through their own IdP, and Entra ID trusts the authentication result, granting access to resources based on permissions.
- Conditional Access: Organizations can apply Conditional Access policies, such as requiring Multi-Factor Authentication (MFA), to partner users based on factors like sign-in risk level and location.
- User Attribute and Claims Mapping: Allows you to map user attributes sent by the partner’s IdP to your own directory’s required attributes, ensuring accurate identification and authorization.
- Centralized Management and Monitoring: Entra ID provides centralized management for all external access, including detailed monitoring and reporting of partner access.
Step-by-Step Configuration of an External OpenID Partner in Microsoft Entra ID
Prerequisites
- Microsoft Entra ID Premium License: Some features, like Conditional Access, require a Premium P1 or P2 license.
- Partner Organization with OpenID Connect Compliant IdP: The external partner organization should have an identity provider that supports OpenID Connect (OIDC), such as Okta, Google, or other OIDC-compliant solutions.
- Admin Access to Microsoft Entra ID: You need administrator permissions to configure external identity settings in Microsoft Entra ID.
Step 1: Registering an Application in Microsoft Entra ID for OpenID Connect
- Sign in to the Azure Portal: Go to https://portal.azure.com and log in with your administrator account.
- Navigate to Microsoft Entra ID: In the left-hand menu, select Microsoft Entra ID > App registrations.
- Create a New Application:
  - Click + New registration.
  - Enter a name for the application (e.g., “OpenID Partner Access”).
  - Choose the Supported account types as Accounts in any organizational directory (Any Azure AD directory – Multitenant).
  - Set the Redirect URI (optional for now; this will be configured later based on your partner’s OpenID Connect setup).
  - Click Register to create the application.
- Configure API Permissions:
  - In the newly created application, go to API permissions.
  - Click + Add a permission, then select Microsoft Graph > Delegated permissions.
  - Add permissions based on what the application needs (e.g., User.Read to allow users to read their profile).
- Expose an API:
  - In the application settings, go to Expose an API and set up any required scopes (optional).
Example: Suppose you are creating an app to allow employees of a partner company to access a project management tool. You set up permissions for User.Read so the app can read the basic profile information of authenticated users.
Step 2: Configure Single Sign-On with OpenID Connect
- Go to Authentication Settings:
  - In the registered app, go to Authentication in the left-hand menu.
  - Under Platform configurations, select Add a platform and choose Web.
  - Set the Redirect URI to match the callback URL where you want the token to be sent after the partner’s IdP authenticates the user. The format usually looks like https://yourapp.com/auth/callback.
- Set ID Tokens:
  - Make sure the checkbox for ID tokens (used for implicit and hybrid flows) is selected. This enables the app to receive ID tokens.
- Save the Configuration: Click Save to apply the changes.
Step 3: Set Up Federation with the Partner’s OpenID Connect IdP
- Exchange OpenID Connect Metadata:
  - Obtain the Issuer URL (or OpenID Connect metadata URL) from your partner organization’s IdP. This is usually in a format like https://partner-idp.com/.well-known/openid-configuration.
  - Share your Client ID (from the app registration) and Redirect URI with the partner organization so they can configure their side.
- Partner Configures Their IdP:
  - The partner organization configures their IdP to accept your Client ID and Redirect URI, allowing their users to authenticate and redirect back to your application.
- Test the Federation:
  - Test the login flow by having a user from the partner organization log into your application. They should be redirected to their own IdP, authenticated, and then redirected back to your app with an identity token.
Step 4: Configure User Claims Mapping in Microsoft Entra ID
- Go to Single Sign-On Settings:
  - In the application settings, select Single sign-on > User Attributes & Claims.
- Edit and Map Claims:
  - Review the claims being sent by the partner IdP (such as email, given_name, and family_name).
  - Map these claims to attributes in Entra ID to ensure that users are correctly identified.
- Add Additional Claims if Necessary:
  - If your application requires specific claims (e.g., department, role), coordinate with the partner organization to ensure these attributes are sent in the ID token.
Example: The partner organization’s IdP sends email and name as claims. You map email to UserPrincipalName in Entra ID to uniquely identify each user.
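The identity token your app receives at the end of Step 3 must be validated before its claims are mapped as in Step 4. The following Python is an added example, not Microsoft's code or part of the original guide: it performs the relying-party checks (signature, issuer taken from the partner's discovery document, audience equal to your client ID, lifetime, nonce) and then maps email, given_name and family_name to directory attributes. It assumes a hypothetical issuer https://partner-idp.com and a placeholder client ID, and signs the sample token with an HS256 demo key so it runs offline; a real partner IdP signs with RS256 and you verify against the keys at its jwks_uri, with the claim checks unchanged.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for the partner's discovery document and your client ID (placeholders).
PARTNER_METADATA = {"issuer": "https://partner-idp.com"}
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
# HS256 demo key so this runs offline; a real IdP signs with RS256 and you verify against jwks_uri.
SAMPLE_KEY = b"constructed-demo-key"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_sample_id_token(claims, alg="HS256"):
    """Build a signed JWT from constructed claims (test helper standing in for the IdP)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SAMPLE_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_id_token(token, expected_nonce, now=None, skew=60):
    """Check signature, issuer, audience, lifetime and nonce; return the claims or raise."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")             # rejects 'none' and alg confusion
    expected = hmac.new(SAMPLE_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    c = json.loads(_b64url_decode(payload_b64))
    if c.get("iss") != PARTNER_METADATA["issuer"]:      # exact match against the metadata issuer
        raise ValueError("wrong issuer")
    aud = c.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")           # token was minted for another client
    if c.get("exp", 0) + skew < now or c.get("iat", now) - skew > now:
        raise ValueError("token expired or not yet valid")
    if c.get("nonce") != expected_nonce:                # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return c

def map_claims(claims):
    """Step 4 mapping: email -> userPrincipalName, name claims -> givenName/surname."""
    missing = [k for k in ("email", "given_name", "family_name") if not claims.get(k)]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    return {"userPrincipalName": claims["email"].lower(), "givenName": claims["given_name"],
            "surname": claims["family_name"], "department": claims.get("department")}
```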
Step 5: Set Up Conditional Access for External OpenID Connect Partners
- Navigate to Conditional Access:
  - In Microsoft Entra ID, go to Security > Conditional Access.
- Create a New Policy:
  - Click + New policy and name the policy, like “External OpenID Connect Partner MFA.”
- Assign the Policy:
  - Under Users or workload identities, select the external users you want this policy to apply to (you can choose all users or specific groups).
  - Specify the Cloud apps to apply this policy to, such as the application registered in Step 1.
- Set Conditions:
  - Add conditions based on risk levels, device state, or location.
- Apply Access Controls:
  - Choose Grant and select Require Multi-Factor Authentication to enforce MFA.
- Enable the Policy: Turn on the policy and save it.
Example: A manufacturing company allows external partners to access a collaboration portal but enforces MFA for all external users logging in from untrusted locations, adding an extra layer of security.
Step 6: Monitoring and Managing Access for OpenID Connect Partners
- Go to Entra ID Activity Reports:
  - In Microsoft Entra ID, go to Usage & Insights > Sign-ins.
- Filter for External Users:
  - Use filters to view sign-in attempts from external users authenticated through OpenID Connect.
- Review Access Patterns:
  - Monitor for any unusual login activity, such as logins from unexpected locations or devices.
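As an added example (not Microsoft's code and not part of the original guide), the following Python performs the Step 6 review over constructed sign-in records shaped like Microsoft Graph signIn entries: it selects external users, builds a baseline of countries each has signed in from, and flags sign-ins from new locations, Conditional Access blocks and repeated failures. The field names and error codes are assumed from the Graph sign-in schema; the records themselves are invented.

```python
from collections import defaultdict

def ev(upn, user_type, ip, country, error_code=0, ca_status="success"):
    """One constructed sign-in record; field names follow the Graph signIn resource (assumed)."""
    return {"userPrincipalName": upn, "userType": user_type, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error_code},
            "conditionalAccessStatus": ca_status}

# Invented telemetry: an external (federated) user from the partner tenant and one internal member.
ANA = "ana_partner.com#EXT#@contoso.onmicrosoft.com"
HISTORY = [ev(ANA, "Guest", "203.0.113.10", "ES"), ev("bob@contoso.com", "Member", "198.51.100.5", "US")]
NEW_EVENTS = [
    ev(ANA, "Guest", "192.0.2.77", "BR"),                        # success from a country not seen before
    ev(ANA, "Guest", "203.0.113.10", "ES", 50126, "notApplied"),  # 50126: bad credentials, repeated
    ev(ANA, "Guest", "203.0.113.10", "ES", 50126, "notApplied"),
    ev(ANA, "Guest", "203.0.113.10", "ES", 50126, "notApplied"),
    ev(ANA, "Guest", "192.0.2.77", "BR", 53003, "failure"),      # 53003: blocked by Conditional Access
    ev("bob@contoso.com", "Member", "198.51.100.5", "US"),       # internal user, out of scope here
]

def is_external(event):
    """Federated/guest users show userType 'Guest' and the #EXT# marker in their UPN."""
    return event.get("userType") == "Guest" or "#EXT#" in event.get("userPrincipalName", "")

def baseline_locations(history):
    """Countries each external user has previously signed in from successfully."""
    seen = defaultdict(set)
    for e in history:
        if is_external(e) and e["status"]["errorCode"] == 0:
            seen[e["userPrincipalName"]].add(e["location"]["countryOrRegion"])
    return seen

def review_external_sign_ins(events, baseline, failure_threshold=3):
    """Return (user, finding, detail) triples for the Step 6 review of external sign-ins."""
    findings, failures = [], defaultdict(int)
    for e in events:
        if not is_external(e):
            continue
        user, country = e["userPrincipalName"], e["location"]["countryOrRegion"]
        if e["status"]["errorCode"] != 0:
            failures[user] += 1
        elif country not in baseline.get(user, set()):
            findings.append((user, "new-location", f"{country} via {e['ipAddress']}"))
        if e.get("conditionalAccessStatus") == "failure":
            findings.append((user, "ca-blocked", e["ipAddress"]))
    for user, n in failures.items():
        if n >= failure_threshold:
            findings.append((user, "repeated-failures", str(n)))
    return findings
```

Feeding the function the JSON returned by the Graph sign-in log query (or an export of the Sign-ins blade) in place of the constructed records gives the same review at scale.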
Practical Usage Examples of External OpenID Connect Partner Integration
Example 1: Secure Access for External Consultants to Project Management Tool
Scenario: A consulting firm partners with an external marketing agency and needs to give the agency’s employees access to a project management application.
- Setup: The consulting firm configures an OpenID Connect application in Entra ID and establishes a trust relationship with the agency’s IdP.
- Claims Mapping: The IdP sends claims such as email and department. Entra ID maps these claims to internal attributes for access control.
- Conditional Access: MFA is required for all external users from the agency to ensure security.
- Outcome: The agency’s employees access the project management tool using their existing credentials, ensuring seamless access with additional security.
Example 2: Access Control for Partner Universities Collaborating on Research
Scenario: A research organization collaborates with multiple universities on scientific projects, sharing sensitive data through a secure portal.
- Federated Access with OIDC: The research organization configures OpenID Connect SSO with each university’s IdP.
- Role-Based Access Control: Access is granted based on claims (e.g., department, role) sent by each university.
- Access Review: Quarterly reviews ensure only active university members retain access.
- Outcome: Researchers can log in with their university accounts, maintaining security and access control without duplicating accounts.
Benefits of Using Microsoft Entra ID External OpenID Partner
- Improved User Experience: External users can access resources with their existing credentials, reducing the need for additional accounts.
- Enhanced Security with Conditional Access: Organizations can apply security policies specifically for external partners, including MFA and location-based access restrictions.
- Centralized Management: All external identities and access policies are managed from a single platform.
- Simplified User Lifecycle Management: External users automatically lose access if they leave their home organization, reducing administrative overhead.
Microsoft Entra ID External OpenID Partner provides a secure, streamlined way to allow trusted external users to access internal resources. By leveraging OpenID Connect, organizations can enable federated authentication, apply security policies, and ensure centralized control over external access.
