Microsoft Security, Compliance, and Identity Fundamentals (SC-900) is an exam that covers key concepts of security, compliance, and identity across Microsoft cloud services. One pivotal concept is the set of external identity types. These are identities that do not belong to your organization: they come from outside it (a partner's directory, a consumer identity provider, or an emailed one-time passcode) and are granted access to your resources while their credentials stay managed outside your Azure Active Directory (Azure AD, since renamed Microsoft Entra ID) tenant. How such identities are admitted, scoped and removed plays a critical role in the security and compliance of your organization. This page groups them into three main types: Guest, B2B Collaborator, and B2C Consumer.


1. Guest

A guest identity is the identity of a user who is not part of your organization but needs access to your resources, typically a vendor, contractor or partner employee who needs limited, time-bound access to your systems. The guest is represented in your Azure Active Directory (Azure AD) tenant by a user object with userType Guest, but the user's credentials and home identity remain outside your tenant; the guest has no direct membership in the hosting directory.

In terms of rights and permissions, a guest identity inherits nothing simply by being invited: the user object is created with restricted default guest permissions, and access to any site, application or group has to be granted explicitly by the IT staff or resource owner managing the system. That explicit grant is also what must be reviewed and removed later, so time-bound group membership or access reviews are preferable to ad-hoc sharing.

For instance, consider a digital marketing firm that partners with a freelance graphic designer. The firm can give the designer "guest" access for the duration of the project. The freelancer can then view and edit the necessary documents, and the firm can revoke that access as soon as the project is finished, ideally by removing the guest user rather than leaving a dormant account behind.
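The invite-then-revoke lifecycle described above, as an added example that is not part of the SC-900 page: the Microsoft Graph request body that invites a guest, and a stale-guest sweep over Graph user objects so access that is no longer needed gets removed. It assumes the Microsoft Graph v1.0 property names (invitedUserEmailAddress, inviteRedirectUrl, userType, externalUserState, createdDateTime, signInActivity); the user list in the block is constructed to look like a GET /users response and is not real directory data.

```python
# Added example (not part of the SC-900 page): Graph B2B invitation body plus a
# stale-guest sweep. Assumptions: Microsoft Graph v1.0 property names; SAMPLE_USERS
# is constructed, not real directory data.
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def invitation_body(email, redirect_url, display_name="", send_message=False):
    """Body for POST {GRAPH}/invitations (B2B invitation; needs User.Invite.All).

    Inviting creates a user object with userType 'Guest' and grants nothing else:
    access to a site, app or group must be added explicitly afterwards.
    """
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_message,
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    return body


def _ts(value):
    # Graph timestamps are ISO 8601 in UTC with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def stale_guests(users, now, pending_days=14, inactive_days=90):
    """Return [(id, reason)] for guests to review or remove.

    - invitation still 'PendingAcceptance' after pending_days, or
    - no sign-in for inactive_days (a guest who never signed in is measured from
      createdDateTime). signInActivity requires an Azure AD Premium P1/P2 licence,
      so a tenant without it should treat a missing value as 'unknown', not 'idle'.
    Members are skipped: this sweep is for external identities only.
    """
    flagged = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        created = _ts(u.get("createdDateTime"))
        if u.get("externalUserState") == "PendingAcceptance":
            if created and now - created > timedelta(days=pending_days):
                flagged.append((u["id"], "invitation not accepted"))
            continue
        last = _ts((u.get("signInActivity") or {}).get("lastSignInDateTime"))
        reference = last or created
        if reference and now - reference > timedelta(days=inactive_days):
            flagged.append((u["id"], "inactive"))
    return flagged


# Constructed sample: what GET /users?$select=id,userType,externalUserState,
# createdDateTime,signInActivity might return. Not real data.
SAMPLE_USERS = [
    {"id": "m-alice", "userType": "Member", "createdDateTime": "2023-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}},
    {"id": "g-active", "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2024-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T09:00:00Z"}},
    {"id": "g-pending", "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-04-01T00:00:00Z", "signInActivity": None},
    {"id": "g-idle", "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2023-06-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-15T12:00:00Z"}},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(invitation_body("designer@freelance.example", "https://myapps.microsoft.com"))
    for user_id, reason in stale_guests(SAMPLE_USERS, NOW):
        # Revocation is DELETE {GRAPH}/users/{user_id}; a softer first step is
        # PATCH {GRAPH}/users/{user_id} with {"accountEnabled": false}.
        print(f"{user_id}: {reason} -> DELETE {GRAPH}/users/{user_id}")
```

The sweep deliberately treats a never-accepted invitation differently from an idle guest: the first is an account that was never used and can be deleted outright, the second may still be needed and is better disabled first and deleted after the owner confirms.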

2. B2B (Business-to-Business) Collaborator

B2B collaboration identities are used for users from another organization that you work with directly on an ongoing basis. The users authenticate with their own identity provider, usually their own Azure AD tenant, and your tenant trusts that authentication. The B2B scenario applies when organizations work together, sharing resources and applications secured by Azure AD. The partner organization is not required to have Azure AD: B2B collaboration also accepts Microsoft accounts, Google and Facebook accounts, SAML/WS-Fed identity providers, and an email one-time passcode as a fallback. In Azure AD terms a B2B collaboration user is provisioned in your tenant as a guest user, so the guest type above is how B2B collaboration shows up in your directory.

Take two companies in a joint venture that requires sharing certain software tools and resources. They can use B2B collaboration to share the necessary resources securely without creating new credentials for each other's staff or weakening their in-house security policies; each company keeps control of its own users' credentials and account lifecycle.

3. B2C (Business-to-Consumer) Consumer

B2C identities belong to the users of your public-facing applications and platforms: customers or anyone else who interacts with your company in a non-employee capacity. With Azure AD B2C, they sign in with their own personal identities, such as a social account (Google, Facebook, a personal Microsoft account) or a local account (email and password stored in the separate B2C tenant), and never receive an employee-style account in your corporate directory.

For example, an e-commerce store using Azure AD B2C lets customers sign in and complete transactions with their Facebook, Google, or Microsoft accounts. The customer is using a B2C identity to log in to the store and purchase goods, and the store's employee directory is untouched.
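What the store's web application actually sends to start that consumer sign-in, as an added example that is not part of the SC-900 page: the authorization request to an Azure AD B2C sign-up/sign-in user flow (where the Google, Facebook or Microsoft buttons configured on the flow are offered), with PKCE, state and nonce, plus the state check on the return leg. It assumes the b2clogin.com endpoint layout https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}/oauth2/v2.0/authorize; the tenant name, user flow name, client id and redirect URI are constructed.

```python
# Added example (not part of the SC-900 page): B2C authorization request with
# PKCE/state/nonce and the callback state check. Assumptions: b2clogin.com endpoint
# layout; tenant 'contososhop', flow 'B2C_1_signupsignin', client id and redirect
# URI are constructed.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_pair(verifier=None):
    """RFC 7636 code_verifier and S256 code_challenge (base64url, no padding)."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).decode().rstrip("=")


def authorize_url(tenant, user_flow, client_id, redirect_uri, scopes, state, nonce, code_challenge):
    """Authorization-code request against a B2C user flow.

    state binds the callback to this browser session (CSRF), nonce is echoed in the
    ID token (replay), and the S256 challenge makes a stolen code useless without
    the verifier. response_type=code: no implicit flow, so no token in the URL.
    """
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}/oauth2/v2.0/authorize"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return base + "?" + urlencode(params)


def authorization_code(callback_url, expected_state):
    """Extract the code from the redirect back to us, refusing a bad or missing state."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(q.get("error_description", q["error"])[0])
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    return q["code"][0]


def start_login(tenant="contososhop", user_flow="B2C_1_signupsignin",
                client_id="00000000-0000-0000-0000-000000000000",
                redirect_uri="https://shop.contoso.example/auth/callback"):
    """Return what the server must keep per session (state, nonce, verifier) and the URL."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    url = authorize_url(tenant, user_flow, client_id, redirect_uri,
                        ["openid", "offline_access"], state, nonce, challenge)
    return {"state": state, "nonce": nonce, "code_verifier": verifier}, url


if __name__ == "__main__":
    session, url = start_login()
    print(url)
    # Simulated return leg (constructed): B2C redirects with ?code=...&state=...
    cb = f"https://shop.contoso.example/auth/callback?code=abc123&state={session['state']}"
    print("code:", authorization_code(cb, session["state"]))
```

The callback handler then exchanges the code at the user flow's token endpoint together with the stored code_verifier, and must check that the ID token's nonce equals the stored nonce before creating the customer's session; that token exchange is not shown here.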

Identity Type      Description                                                      Example
-----------------  ---------------------------------------------------------------  -----------------------------------------------------------------
Guest              Identities outside the organization with temporary access to     Freelancer getting access to a company's project documents.
                   resources.
B2B Collaborators  Identities from partnering organizations with consistent access. Tech companies sharing software tools and resources.
B2C Consumers      Public identities with access to the company's public-facing     Customers logging into an e-commerce platform via their social
                   resources.                                                       media accounts.

Understanding these external identity types can not only help in passing the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam, but it is also crucial in planning and implementing robust security policies in an organization. By efficiently managing the external identities, organizations can ensure secure and seamless collaboration with external parties, thereby improving productivity without compromising the security of the systems.

Practice Test

True or False: An external identity is an identity endorsed by the individual to whom the identity refers.

  • Answer: False

Explanation: An external identity is one whose credentials are issued and managed outside your tenant: by another Azure AD tenant, a social identity provider such as Google or Facebook, a SAML/WS-Fed identity provider, or via an emailed one-time passcode. Who vouches for it is the external provider your tenant has chosen to trust, not the individual the identity refers to.

True or False: Partner-managed identity is one of the types of external identities.

  • Answer: True

Explanation: Partner-managed identity is indeed one of the types of external identities. The partner organization issues and manages the credentials (in its own Azure AD tenant or behind its own SAML/WS-Fed identity provider); your tenant trusts the partner's sign-in rather than storing a password for the user.

In ____ identity type, the organization allows external users to bring their existing identities.

  • a) federated Identity
  • b) social identity
  • c) guest identity
  • d) partner-managed identity.
  • Answer: a) federated Identity

Explanation: Federated identity means your tenant trusts another identity provider to authenticate the user, so external users bring their existing identities (a partner's Azure AD or SAML/WS-Fed provider, or a consumer provider such as Google or Facebook) rather than receiving new credentials from you. Social identity is the special case of federation with a consumer identity provider.

True or False: Social identity does not support self-service sign up.

  • Answer: False

Explanation: Social identity generally supports self-service sign-up: a user flow lets users register themselves by bringing a consumer identity such as Google or Facebook, instead of waiting for an administrator to invite them.

In Microsoft’s Azure, which framework is used for managing external identities?

  • a) Azure Identity and Access Management
  • b) Azure Active Directory
  • c) Azure Data Lake
  • d) Azure Kubernetes Service
  • Answer: b) Azure Active Directory

Explanation: Azure Active Directory (Azure AD) provides the identity framework that manages external identities; the feature set is called Azure AD External Identities (now Microsoft Entra External ID).

True or False: Guest Identity is a type of external identity.

  • Answer: True

Explanation: Yes, Guest Identity is also a type of External Identity and is widely used when sharing resources with collaborators outside of your organization.

Multiple Choice: Which of the following are types of external identities in terms of Microsoft Security and Identity Fundamentals?

  • a) Federated Identity
  • b) Guest Identity
  • c) Partner-Managed Identity
  • d) Social Identity
  • Answer: a, b, c, d

Explanation: All are recognized types of external identities that an organization may encounter when interacting with external users or partners.

True or False: External Identity refers only to identities shared amongst organizations.

  • Answer: False

Explanation: External Identity isn’t only about shared identities amongst organizations, but it also covers identities coming from social platforms or the identity managed by a partner organization.

True or False: Self-Service Signup Users is an example of Social Identity.

  • Answer: True

Explanation: Self-service sign-up is an external-identity feature in which users register themselves into an application through a user flow. The identity they bring is usually a social identity such as Google or Facebook, which is why the statement is treated as true here; the same flow can also accept Azure AD accounts or an email one-time passcode.

True or False: Federated Identity type does not involve cloud-based identity providers.

  • Answer: False

Explanation: Federated identity often involves cloud-based identity providers such as Azure Active Directory or Google; it can equally federate with an on-premises provider such as AD FS over SAML 2.0 or WS-Fed. Either way it lets users bring their existing identities.

True or False: In Partner-managed identity, the identity is managed by the company’s partner and not the individual company.

  • Answer: True

Explanation: The Partner-managed identity type refers to the situation in which the identification and authentication mechanisms are managed by one of the company’s partners.

True or False: External User identity is always provided by the organization.

  • Answer: False

Explanation: External User identity is not always provided by the organization. It can also be managed or provided by an external entity such as a partner organization or a social identity provider.

True or False: All External Identities are managed by the organization itself.

  • Answer: False

Explanation: External Identities can be from a partner organization, a social identity provider like Google or Facebook, or even from an individual user. They are not always managed by the organization itself.

Which type of external identity is managed by the user’s home organization?

  • a) Federated Identity
  • b) Social Identity
  • c) Guest Identity
  • d) Partner-Managed Identity
  • Answer: c) Guest Identity

Explanation: A guest identity is an external user who is invited to your tenant using their Azure AD or Microsoft account identity. Your tenant holds only a guest user object; the credentials, password policy and account lifecycle stay with the user's home organization, which is why disabling the account at home also stops new sign-ins to your tenant.

True or False: Azure AD only supports federation with identity providers that support the SAML 2.0 protocol.

  • Answer: False

Explanation: Besides SAML 2.0, Azure AD B2B federates with WS-Fed identity providers and with Google and Facebook, and accepts Microsoft accounts and email one-time passcodes; Azure AD B2C additionally supports OpenID Connect providers.

Interview Questions

What is an external identity in Microsoft Azure?

An external identity in Microsoft Azure refers to any user who is not a member of an organization's Azure Active Directory tenant. They could be users from other Azure AD tenants, users with Microsoft or social accounts, users behind a partner's SAML/WS-Fed identity provider, or users who have nothing but an email address.

Can you explain what a Guest User Identity type is?

A Guest User identity in Azure AD is an external user identity. It is typically used for collaboration, where a user outside your organization needs access to your Azure resources or Microsoft 365 content; the user object is created in your tenant with userType Guest and restricted default permissions.

What is the use of Social Identity in Microsoft Azure?

Social Identity in Microsoft Azure allows users to sign in to your applications with consumer accounts they already own instead of credentials you issue. Examples include Facebook, Google, or a personal Microsoft account.

How does Microsoft support users with no Azure AD account?

Microsoft supports users with no Azure AD account by the use of Email One-Time Passcode Identity. The user receives an email with a passcode which is then used for authentication.

Can you explain the role of a One-Time Passcode Identity?

A One-Time Passcode identity is used to authenticate external users who cannot sign in through Azure AD, a Microsoft account, or a federated or social identity provider. The user receives a one-time passcode by email at the invited address and enters it to prove control of that mailbox. It is a fallback, so treat it as weaker assurance than a managed directory identity.

What is Direct Federation in the context of external identities in Azure?

Direct Federation (now called SAML/WS-Fed identity provider federation) lets users from partner organizations that do not have Azure AD sign in with their own identity provider, such as an on-premises AD FS, to access your applications and resources. A guest user object is still created in your Azure AD, but the partner's identity provider handles the credentials, so no password for the user is stored in your tenant.

Can you list down the types of external identities available on Microsoft Azure?

Yes, the types of external identities available on Microsoft Azure are: Guest User, Social Identity, Direct Federation (SAML/WS-Fed identity provider federation), and One-Time Passcode Identity.
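How each of those types looks once the user has signed in, as an added example that is not part of the page: decoding the claims of a Microsoft identity platform token and labelling which external identity type authenticated, for logging and detection. It is not a token validator; signature, iss, aud and exp must be verified against the tenant's signing keys before any claim is trusted. The claim semantics are assumed from the identity platform claims reference (tid is the issuing tenant, idp the provider that authenticated the user and absent when that is the issuing tenant, acct an optional claim with 0 for member and 1 for guest); the specific idp string values are assumptions to confirm against your own sign-in logs, and the sample tokens are constructed and unsigned.

```python
# Added example (not from the page): classify a Microsoft identity platform token by
# its claims. NOT validation: verify signature/iss/aud/exp first. Claim semantics and
# idp string values are assumptions; sample tokens are constructed, alg=none.
import base64
import json

STS_PREFIX = "https://sts.windows.net/"


def decode_claims(jwt):
    """Return the payload of a compact JWT as a dict, without verifying it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_identity(claims):
    """Map claims to (kind, source).

    kind: member | b2b-guest | msa-guest | social-guest | otp-guest |
          federated-guest | review
    source: the home tenant id or the identity provider string.
    """
    tid = claims.get("tid", "")
    idp = claims.get("idp")
    is_guest = claims.get("acct") == 1
    if idp is None or idp == f"{STS_PREFIX}{tid}/":
        # Authenticated by the issuing tenant itself. acct=1 here means a guest
        # holding credentials in the resource tenant, or a claim mismatch: review it.
        return ("review", tid) if is_guest else ("member", tid)
    if idp.startswith(STS_PREFIX):
        # Azure AD B2B collaboration: the user's home tenant performed the sign-in
        return ("b2b-guest", idp[len(STS_PREFIX):].strip("/"))
    if idp == "live.com":
        return ("msa-guest", idp)           # personal Microsoft account
    if idp in ("google.com", "facebook.com"):
        return ("social-guest", idp)        # Google / Facebook federation
    if idp == "mail":
        return ("otp-guest", idp)           # email one-time passcode
    return ("federated-guest", idp)         # SAML/WS-Fed direct federation


def make_unsigned_token(claims):
    """Build an alg=none token for the constructed samples. Never accept such a
    token in production; it exists only so the decoder has something to parse."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed tenant ids and claim sets, one per identity type listed above.
RESOURCE_TID = "11111111-1111-1111-1111-111111111111"
PARTNER_TID = "22222222-2222-2222-2222-222222222222"
SAMPLES = {
    "member": {"tid": RESOURCE_TID, "acct": 0, "upn": "alice@contoso.example"},
    "b2b": {"tid": RESOURCE_TID, "acct": 1, "idp": f"{STS_PREFIX}{PARTNER_TID}/"},
    "msa": {"tid": RESOURCE_TID, "acct": 1, "idp": "live.com"},
    "google": {"tid": RESOURCE_TID, "acct": 1, "idp": "google.com"},
    "otp": {"tid": RESOURCE_TID, "acct": 1, "idp": "mail"},
    "direct": {"tid": RESOURCE_TID, "acct": 1,
               "idp": "https://adfs.fabrikam.example/adfs/services/trust"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, classify_identity(decode_claims(make_unsigned_token(claims))))
```

The acct claim is optional and only present when the application registration requests it, so the classifier relies on idp first and uses acct only to catch the case where a token says "guest" but no external provider authenticated the user; that combination is worth an alert rather than a silent label.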

How is a user’s identity validated before providing access to resources?

The identity validation is done via the authentication process. Depending on the type of external identity, the user might enter a password, use biometrics, enter a code sent to their email/phone, or use a security key.

What benefits does Azure AD B2B collaboration provide?

Azure AD B2B collaboration enables organizations to share applications and services with guest users from any other organization while maintaining control over corporate data.

What is the benefit of using the Direct Federation external identity type in Azure AD?

The benefit of the Direct Federation external identity type in Azure AD is that users from partner organizations use their existing work identities to authenticate and access your resources: there is no second password to manage, and offboarding at the partner ends the user's ability to sign in to your tenant.

What does B2B in Azure AD B2B signify?

B2B in Azure AD B2B stands for Business to Business. It simplifies the collaboration between companies or businesses allowing secure access to documents, resources, and applications while maintaining control over your own corporate data.

In what format does an external identity receive the One-Time Passcode?

The external identity receives the One-Time Passcode via email, at the address that was invited. Anyone who can read that mailbox can complete the sign-in, so the assurance level is that of the recipient's mail account.

Are social identity providers supported for all types of azure resources?

No. Social identity providers govern sign-in to applications, not access to particular Azure resource types. They are mainly designed for Azure AD B2C; in B2B collaboration only Google and Facebook can be configured as identity providers for guests, with a Microsoft account or email one-time passcode as the alternatives.

Can external identities use Multi-Factor Authentication?

Yes, external identities can be required to use Multi-Factor Authentication (MFA) through Conditional Access in your tenant. By default a guest registers MFA methods in your (resource) tenant even if they already use MFA at home; with cross-tenant access settings you can instead trust the MFA claim from the partner's tenant.

Is there a charge for adding external identities in Azure AD?

External Identities is billed on monthly active users (MAU) rather than per account: the first 50,000 MAU per month are free, with a per-user charge above that, subject to the organization's licensing agreement.
