News

PingFederate Preview, Other Improvements Coming to Azure AD

• By Kurt Mackie
• 05/17/2018

A number of improvements are coming to Microsoft Azure Active Directory this month, including one related to Microsoft's partnership with Ping Identity.

It's now possible to test Azure AD Connect with a new option to add Ping Identity's PingFederate as a federation provider, Microsoft announced this week. The preview is available inside the Azure AD Connect portal, where it shows up as a new user sign-in option that IT pros can select. Organizations typically use Azure AD Connect to configure connections to Microsoft's Azure AD identity and access management service.

PingFederate is an enterprise-grade solution that supports "SSO [single sign-on] and identity federation by integrating silos of identities and applications inside the enterprise and across partner organizations," explained Alex Simons, director of program management at the Microsoft Identity Division, in Microsoft's announcement.

To use PingFederate with Azure AD Connect, organizations need to have PingFederate version 8.4 or higher installed, according to Ping Identity's documentation. Microsoft described the configuration process in this document.

Microsoft and Ping Identity had earlier partnered on integrating Ping Identity's PingAccess solution with Azure AD. When integrated, PingAccess works with the Azure AD Proxy service to enable SSO access to Web applications that require using HTTP header-based authentications, which is an older authentication method. Back then, in 2016, the two companies had stated that they were also planning an integration of PingFederate into Azure AD Connect, which has now occurred.

Azure AD B2B Additions
The Azure AD Business-to-Business (B2B) solution, which facilitates partner communications, got some improvements added this month.

For instance, Microsoft improved the end user experience so that guests can now just access an application directly from a link in an e-mail, instead of having to click on a link in an e-mail to get authentication first. Apparently, that's possible because Microsoft added a new "modernized consent experience" that kicks off when a guest tries to access an organization's resources. Guests will get a link to the organization's privacy policy with this new consent experience. Lastly, Azure AD B2B guests are now getting an option to leave an organization they were invited to join.

Azure AD B2C Improvements
In other Azure AD news this month, Microsoft announced new features for its Azure AD Business-to-Consumer (B2C) solution, which lets organizations collaborate with consumers. Most of the features were at the preview stage.

One new preview is the ability to customize OpenID Connect identity providers using Azure AD B2C's settings. OpenID Connect is an OAuth 2.0 authentication protocol. This feature is conceived for scenarios "in which you're talking to multiple Azure AD tenants," the announcement explained. With it, end users can get directed to "the right directory for authentication" based on something like "their e-mail domain," Microsoft explained.

Another preview is the ability to create a policy using the Resource Owner Password Credentials (ROPC) flow, an OAuth standard. "With this feature, your application will be able to gather user credentials in the context of a native mobile app without needing the user to interact with a web browser," Microsoft explained.

Microsoft also is previewing B2Clogin.com, which lets organizations use their tenant name as part of URLs, instead of "microsoftonline.com."

Lastly, a Language Customization feature is now generally available, supporting 36 languages for Azure AD B2C end users.

Risky IP Reports for ADFS Users
Microsoft also announced a preview earlier this month of a new reporting capability to aid in warding off attacks for organizations that use Active Directory Federation Services (ADFS), a Windows Server role.

The new "Risky IP Reports" preview shows up in Microsoft's Azure AD Connect Health service. The reporting tracks when there are a large number of failed login attempts. IT pros can get notifications about them via e-mail, and they can customize the thresholds for when Azure AD Connect Health determines that the login attempts should be deemed risky.

"The risky IP report helps you detect password spray or password brute force attacks quickly and without the effort involved in correlating logs across multiple ADFS servers," Microsoft explained in its announcement.