Multi-role accounts
Typically, a user in Microsoft Entra ID would require multiple accounts to fulfill multiple roles, and each account would use a different email address, authentication method, and token.
However, with multi-role accounts you can associate a user's multiple accounts with their primary account in Microsoft Entra ID. Primary and secondary user accounts remain visible to Microsoft Entra ID as distinct accounts. Multiple roles are implemented by setting two extension properties on each user account that is designated as a secondary role: one marks the account as secondary and the other points to the user's primary account.
This enables a user with multiple roles to access their role-specific resources from their primary account. In effect, the user is sharing the one token from their primary account with all of their alternate roles, which simplifies management of their tokens and credentials. Their primary account and multiple roles correspond to a single STA user.
Implementation
To link multiple accounts to a user's primary account:
1. Go to Thales Group/sta-azure-directory-sync/Resources/MultipleIdentitiesScript and download the following two files:
   - InitializeMultipleIdentityExtensionProperties.ps1
   - settings.json
2. Replace the value of appRegistrationObjectId in settings.json with the object ID of the App Registration found in Microsoft Entra ID.
3. The next steps in this procedure require the Az PowerShell module. Ensure that the module is installed, as follows:
   a. Run the Get-InstalledModule PowerShell cmdlet.
   b. Review the list of installed modules.
   c. If Az-related modules are not listed, install the module with the following command:
      - Install-Module -Name Az -Repository PSGallery -Force
      Alternatively, if the previous command conflicts with an old AzureRM module, use the following command:
      - Install-Module -Name Az -AllowClobber -Scope CurrentUser
4. Run InitializeMultipleIdentityExtensionProperties.ps1.
   After the script runs successfully, the extension attributes display in Microsoft Entra ID. The names will be similar to:
   - extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_primaryObjectId
   - extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_isSecondary
   Record these attributes for use later in this procedure.
5. Download the latest version of the schema:
6. Load the updated schema into Microsoft Entra ID console > Enterprise Application Provisioning.
7. Map the new ScimUser stauserextension attribute to the extension attributes recorded in step 4.
8. Create or select user accounts for primary and secondary roles on Microsoft Entra ID:
   a. Map the values. The result should be similar to the following:
   b. From Thales Group/sta-azure-directory-sync/Resources/MultipleIdentitiesScript:
      - Copy SetUserSecondaryIdentityState.ps1 and source.csv.
      - Update the CSV file, where:
        - ObjectId = the ObjectId of the user's alternate account.
        - isSecondary = "true" confirms that this is the user's alternate account.
        - primaryObjectId = the ObjectId of the user's primary account.
        For example:
   c. Run the SetUserSecondaryIdentityState.ps1 script.
      This script is an example only. You must create and verify your scripts based on the specific requirements of your configuration.
9. Synchronize the user accounts from Microsoft Entra ID with STA.
   Only primary user accounts display in STA user lists; secondary user accounts do not. Tokens can only be assigned to primary user accounts, but once assigned they are also used in the authentication process for the secondary user accounts.
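The following is an added example, not the SetUserSecondaryIdentityState.ps1 script from the Thales repository: it validates each row of source.csv before writing the two extension properties onto the secondary account, so that a self-referencing row, a missing primary, or a primary that is itself flagged secondary is rejected before the next synchronization cycle. It assumes the AzureAD PowerShell module (the same cmdlets the FAQ on this page uses) with Connect-AzureAD already run, and that the two attribute names recorded in step 4 are passed in as parameters; the parameter names are this example's own.

```powershell
# Added example (not Thales's SetUserSecondaryIdentityState.ps1): validates each row of
# source.csv and then writes the two extension properties onto the secondary account.
# Assumptions: the AzureAD module is loaded and Connect-AzureAD has been run; the two
# attribute names recorded in step 4 are passed in as parameters (names chosen here).
param(
    [Parameter(Mandatory)] [string] $CsvPath,             # e.g. .\source.csv
    [Parameter(Mandatory)] [string] $PrimaryObjectIdAttr, # extension_<appId>_primaryObjectId
    [Parameter(Mandatory)] [string] $IsSecondaryAttr,     # extension_<appId>_isSecondary
    [switch] $DryRun                                      # report what would change, write nothing
)

$errors = @()
foreach ($row in Import-Csv -Path $CsvPath) {
    # Only rows explicitly marked isSecondary = true are linked; other rows are left alone.
    if ($row.isSecondary -ne 'true') { continue }

    # Reject self-references: a secondary account cannot be its own primary.
    if ($row.ObjectId -eq $row.primaryObjectId) {
        $errors += "$($row.ObjectId): primaryObjectId equals its own ObjectId"
        continue
    }

    # The primary must exist in the tenant...
    $primary = Get-AzureADUser -ObjectId $row.primaryObjectId -ErrorAction SilentlyContinue
    if (-not $primary) {
        $errors += "$($row.ObjectId): primary $($row.primaryObjectId) not found"
        continue
    }
    # ...and must not itself be flagged secondary, so that links never form a chain.
    $primaryExt = Get-AzureADUserExtension -ObjectId $row.primaryObjectId
    if ("$($primaryExt[$IsSecondaryAttr])" -eq 'true') {
        $errors += "$($row.ObjectId): primary $($row.primaryObjectId) is itself secondary"
        continue
    }

    if ($DryRun) {
        Write-Host "Would link $($row.ObjectId) -> $($row.primaryObjectId)"
        continue
    }
    Set-AzureADUserExtension -ObjectId $row.ObjectId -ExtensionName $IsSecondaryAttr -ExtensionValue 'true'
    Set-AzureADUserExtension -ObjectId $row.ObjectId -ExtensionName $PrimaryObjectIdAttr -ExtensionValue $row.primaryObjectId
}

# Fail loudly so a bad CSV is caught before the next Microsoft Entra ID to STA synchronization cycle.
if ($errors.Count -gt 0) {
    $errors | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once with -DryRun to review the planned links against the CSV, then again without the switch to write the properties.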
The STA console view
The STA Token Management console Snapshot tab displays the alternate-role login as a primary-role login.
The STA Access Management console Access Logs tab clearly distinguishes between primary-role and alternate-role access attempts.
Screenshots (not reproduced here): Primary role access attempt; Alternate role access attempt.
The user experience
This section shows the user experience when a user logs in to a protected resource in either their primary role or their alternate role.
Primary role
1. The user logs in to a protected resource (for example, Microsoft 365) using their primary account and multi-factor authentication (MFA). The first factor comes from Microsoft Entra ID and the second factor comes from STA.
2. The user provides their credentials for Microsoft Entra ID.
3. The user provides their credentials for STA.
The user successfully accesses the protected resource.
Alternate role
1. The user logs in using their alternate account and multi-factor authentication (MFA). The first factor comes from Microsoft Entra ID and the second factor comes from STA.
2. The user provides their alternate role credentials for Microsoft Entra ID.
3. The user provides their primary role credentials for STA.
Even though the user logs on with their alternate account/role, STA searches for the associated primary account/role. If all of the policy requirements are met, STA grants the alternate account/role access to the protected resource.
Frequently asked questions
Here, you will get answers to frequently asked questions (FAQs) about multi-role accounts in Microsoft Entra ID for use with STA.
How can I convert a secondary role to the primary role?
To convert a secondary role to the primary role:
- Change the isSecondary property from true to false.
- In the first Microsoft Entra ID synchronization cycle, the role is deleted from SAS.
- In the second cycle, the role is synchronized as a primary role in SAS.
How can I convert a primary role to a secondary role?
To convert a primary role to a secondary role:
- Update the isSecondary property in Source.csv.
- Delete the user from SAS.
- In the next synchronization cycle, the user is assigned a secondary role in SAS.
How can I reassign a secondary role that is assigned to the wrong primary user?
To reassign a secondary role that is assigned to the wrong primary user:
- Correct the relationship so that the secondary role points to the intended primary user.
- In the subsequent synchronization, the secondary role is associated with the correct primary user.
What happens to secondary roles when the primary user is deleted?
In cases where the primary user is deleted, all of their primary and secondary roles are also deleted.
How can I get a list of extension properties registered with Microsoft Entra ID?
To get a list of extension properties registered with Microsoft Entra ID, use the following command:
- Get-AzureADExtensionProperty
Example response:
a1b1c1-1234-1234-1234-b1234 extension_839------d16_primaryObjectId {User}
b1c1d1-5678-5678-5678-c5678 extension_839------d16_isSecondary {User}
How can I remove an application extension property?
To remove an application extension property, use the following command:
- Remove-AzureADApplicationExtensionProperty -ObjectId "<application object ID>" -ExtensionPropertyId "<extension property ID>"
Where:
- -ObjectId is the unique ID of the application in Microsoft Entra ID hosting the property
- -ExtensionPropertyId is the extension property ID
How can I get a list of extension attributes and their values for a single user?
To get a list of extension attributes and their values for a single user, use the following command:
- Get-AzureADUserExtension -ObjectId "user UPN or ObjectId"
Where:
- -ObjectId is the object ID or the UPN of the user
Example response:
extension_839------d16_primaryObjectId ac38c9d6-3eb7-415...
extension_839------d16_isSecondary False