MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

MyAccess Portal for Social Accounts #65835

Closed SB-o-matic closed 3 years ago

SB-o-matic commented 3 years ago

I submitted these questions before but it was closed before I got a response.

We used to be able to have social accounts request access packages by signing in at myaccess.microsoft.com. Now, we get an error that says you cannot sign in with a personal account. Why is this the case, since it remains possible to create a domain like gmail.com or outlook.com as a connected organization in Entitlement Management? Also, after landing on the MyAccess portal and expanding an access package that a user has been approved for to view its resources, it used to be possible, for example, to open a SharePoint site or an application directly from this view by simply clicking on the resource or clicking Open. Now that ability has been removed, leaving us to have to send links to the resource to users. This degrades the experience substantially. Can we have this ability returned?



MarileeTurscak-MSFT commented 3 years ago

@SB-o-matic Thanks for your feedback! We will investigate and update as appropriate.

SB-o-matic commented 3 years ago

Any feedback?

MarileeTurscak-MSFT commented 3 years ago

"Now, we get an error that says you can not sign in with a personal account."

Is this the only error message you're getting? Can you provide the exact error message or screenshot that the user is seeing?

"Now that ability has been removed, leaving us to have to send links to the resource to users."

This feature is still present and it hasn't been removed, though if a resource doesn't have a URL then the user won't be able to click on it to go to that individual resource. If we can get some details about the access package or the resource that users are facing a problem with, it will help us investigate this issue further.

SB-o-matic commented 3 years ago

"Is this the only error message you're getting? Can you provide the exact error message or screenshot that the user is seeing?" Yes, it is.

"This feature is still present and it hasn't been removed." Yes, it has.

This screenshot shows the error I get when I try to log in at myaccess.microsoft.com with my outlook.com account. Now I am limited to copying the link of the access package and sending it to the user directly. One used to be able to just log in to myaccess.microsoft.com with a guest account.

[screenshot: error1]

These next 2 screenshots show that on expanding resources in an access package, there is no longer a link that takes you straight to the resource. The first is for a SharePoint site. The second is for an Azure AD enterprise application. There used to be a link like "Open" under the resource. It is no longer there.

[screenshot: error3]

[screenshot: error2]

SB-o-matic commented 3 years ago

Any feedback?

SB-o-matic commented 3 years ago

Please assist with this issue. It is not intuitive the way it works at the moment.

MarileeTurscak-MSFT commented 3 years ago

(social accounts) We don't support social accounts right now.

"One used to be able to just log in to myaccess.microsoft.com with a guest account." - a guest account is different from a social account; not all guest accounts are from social networks.

From the limited information, it's hard to tell what you were doing before when it worked; you could have used a different kind of guest account or a different URL (with a tenant hint in the URL, possibly even auto-populated (guessed by us)).

(resource links) That feature wasn't removed; the Open links only show up from the Active tab so you might be looking in the All tab.

SB-o-matic commented 3 years ago

Thank you for your response. I will note, however, that I understand that not all guest accounts are from social networks. I maintain what I stated earlier: that I used to be able to sign in to the MyAccess portal with a guest account created with a social identity. As it relates to a tenant hint, if that were the case, it still boils down to signing into the MyAccess portal with a guest account using a social identity.

Moving on. If you say you don't support social identity guest accounts accessing the MyAccess Portal, why do you support adding social domains as a Connected Organization in Identity Governance Entitlement Management? Or why do you allow Access Packages to be assignable to "All Guest Users" or groups that contain guest accounts? How is that supposed to work normally?

Thank you for answering the question around the "Open" links. Never noticed it was only on the Active tab.

SB-o-matic commented 3 years ago

Any help around this? We are working towards moving to prod and this is a major blocker.

MarileeTurscak-MSFT commented 3 years ago

PG response: We don't support social account sign-in in My Access today, but it is something that we are actively thinking about from the product side. I have a couple of follow-ups: 1/ Which social domains do you expect to sign in to My Access in your organization? 2/ Would you expect someone who signs in using a Gmail account, for example, to be part of a connected org 'Gmail'? For instance, if you allow an access package to be requested by a connected org 'Gmail', then all users with Gmail accounts will be able to request that package. It would be great to know your scenario for using social accounts in My Access. Thank you!

elisolMS commented 3 years ago

Hi @SB-o-matic, I'm a Program Manager on the Entitlement Management team and would like to clarify what's going on here a bit more. The MyAccess portal does support users with social email addresses (like outlook.com or live.com) but only on a tenanted URL (ex: https://myaccess.microsoft.com/@{YourTenantDomain}#/access-packages). If a social user tries to go to the root URL (https://myaccess.microsoft.com) they'll get the error message you shared because we don't know what tenant they're trying to request access to and they don't have a "home" tenant they belong to.

This is good feedback for us that this isn't necessarily an intuitive solution for customers and something we can work to improve in the future.
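The tenanted-URL rule above, as an added example (not code from the thread or from Microsoft): one helper builds the tenant-scoped My Access link an admin would hand to external users, the other inspects a URL a user reports and tells you whether it carries the `@{TenantDomain}` hint at all, which is the difference between the root URL (the personal-account error) and the working form. The domain check is a simple DNS-name pattern and is an assumption, not a Microsoft rule.

```python
"""Build and inspect tenanted My Access URLs (example code, not Microsoft's)."""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

MYACCESS_HOST = "myaccess.microsoft.com"
# Assumed: a plain DNS-name check for the tenant domain placed after "@" in the path.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def tenanted_myaccess_url(tenant_domain: str) -> str:
    """Return the tenant-scoped My Access URL in the form the thread describes."""
    domain = tenant_domain.strip().lower()
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a valid tenant domain: {tenant_domain!r}")
    return f"https://{MYACCESS_HOST}/@{domain}#/access-packages"


def tenant_hint(url: str) -> Optional[str]:
    """Extract the tenant domain from a My Access URL, or None if it has none.

    None is returned for the root URL (the case that yields the personal-account
    error for social guests), for non-https schemes and for other hosts.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.netloc.lower() != MYACCESS_HOST:
        return None
    # The tenant hint is the first path segment and must start with "@".
    first = unquote(parts.path).strip("/").split("/", 1)[0]
    if not first.startswith("@"):
        return None
    domain = first[1:].lower()
    return domain if _DOMAIN_RE.match(domain) else None


if __name__ == "__main__":
    link = tenanted_myaccess_url("contoso.onmicrosoft.com")  # constructed sample tenant
    print(link, "->", tenant_hint(link))
    print("https://myaccess.microsoft.com", "->", tenant_hint("https://myaccess.microsoft.com"))
```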

SB-o-matic commented 3 years ago

First of all, I appreciate you all taking the time to respond. The responses are very helpful.

  1. @MarileeTurscak-MSFT To answer the question about which Social Domains we are expecting to be allowed here, well I'd say, all. In our scenario we have allowed guest accounts created using social identities in our Azure AD tenant. I am working on moving us away from this however, but that is where we are today.
  2. @MarileeTurscak-MSFT Per Connected Organizations, yes, this is how we went about handling it (creating a gmail.com connected organization) but put a 2-step approval flow in place, as we felt this can also mean anyone with a Gmail account could request the access package.
  3. @elisolMS Thank you for confirming the tenanted URL; that is what I figured eventually. But it does not seem to work consistently. I just tried it now as well and it still complained about my personal account (Gmail). I have had mixed results when I log in to live.com in the same browser with my Gmail account first and then go to the tenanted URL.

My Questions

  1. What is the correct/working way to go about accessing the My Access Portal with a social account, as I am 100% sure it has worked in the past? I am not sure how long you keep your logs, but I am ready to spend the time working with your resource to take a look at the history on my personal accounts if that helps.
  2. What is the rationale behind allowing one to add a "gmail.com" in connected organization? Personally, I like the idea because of the flexibility with social identities but is there any other reason?
  3. If we keep the possibility to add social identity domains in Connected Organizations, is there protection in place as it relates to possibly getting bombarded globally by identities from these domains?
  4. I love what you are doing with External Identities in Azure AD where some of that B2C functionality (user flows, IdPs, API connectors, etc.) are being introduced. Is there anything to be aware of when (guest) identities from organizations with which Direct Federation have been configured are accessing Access Packages?

Some Suggestions for EM in General

  1. There are a lot of Hybrid environments out there as it relates to Identities. For EM (Entitlement Management) to be a complete solution, it has to manage on-premises-based resources as well. Allowing security group membership write-back from AAD to WAAD with AADConnect will be immense! In a WAAD domain, using security groups is still the most common way of granting access across all resource types. If this is being considered in the slightest, we will be more than happy as an organization to test this out. If we can have EM update on-premises security groups, that will be a major boost.
  2. Allow user's manager as a reviewer the same way a user's manager can be an approver for an access package request.
  3. Add integration with common ITSM ticketing systems, e.g. ServiceNow, Salesforce/Remedyforce, etc., to be able to add ticket information in access package requests. I see there is now an additional "Requestor Information" blade when creating an Access Request and that can be leveraged for this in a way, but there is no validation.

elisolMS commented 3 years ago

@SB-o-matic, thank you for the additional information and feedback! Can you give us more details on the steps you're taking when you see errors using Gmail accounts on a tenanted URL? There are some factors that can change the behavior for Gmail accounts, such as whether Google federation or email one-time passcodes are enabled for the tenant you're trying to access.

SB-o-matic commented 3 years ago

Thank you for your response and apologies for the delay. We don't have Google federation enabled. We do, however, have OTP turned on. No special steps are taken. I construct the tenanted URL as above, enter it into a browser and hit ENTER. I get redirected to login.microsoftonline.com/xxxxxxxxxx, which doesn't take a social account.

elisolMS commented 3 years ago

I think at this point it would be best to jump on a call and watch you go through the flow, because the steps you're describing should work. If you're interested in doing so, could you please email me at elisol@microsoft.com with some times that would work for you so we can set something up?

SB-o-matic commented 3 years ago

That works brilliantly, thank you.