I wrote while ago post about creating Federation turst between organizations using Active Directory Federation Services (ADFS). AAD has taken huge steps forward and companies can leverage Azure AD B2B functionality to achieve collaboration with external partners.

Azure AD B2B (in preview)

B2B collaboration simplifies management and improves security of partner access to corporate resources including SaaS apps such as Office 365, Salesforce, Azure Services, and every mobile, cloud and on-premises claims-aware application. B2B collaboration enables partners manage their own accounts and enterprises can apply security policies to partner access.

Azure AD B2B collaboration is based on an invite and redeem model. You provide the email addresses of the parties you want to work with, along with the applications you want them to use. Azure AD sends them an email invite with a link. The partner user follows the link and is prompted to sign in using their Azure AD account or sign up for a new Azure AD account.

https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-how-it-works/

B2B limitations

  • Multi-factor authentication (MFA) not supported on external users. For example, if Contoso has MFA, but Partner Org does not, then Partner Org users can’t be granted MFA through B2B collaboration.
  • Invites are possible only via CSV; individual invites and API access are not supported.
  • Only Azure AD Global Administrators can upload .csv files.
  • Invitations to consumer email addresses (such as hotmail.com, Gmail.com, or comcast.net) are currently not supported.
  • External user access to on-premises applications not tested.
  • External users are not automatically cleaned up when the actual user is deleted from their directory.
  • Invitations to distribution lists are not supported.
  • Maximum of 2,000 records can be uploaded via CSV.

At last week I received information that changes to MFA solution are coming at near future and then you can assign MFA also to external partner users.

Where users are located at your directory and how those user can be managed?

Partner users are external users in Azure AD. Following functions are available when managing external users

  • provision licenses
  • assign group membership
  • grant access to corporate apps through the Azure portal or using Azure PowerShell

If you have paid Azure AD subscription (Basic or Premium) is not necessary to use Azure AD B2B for partner access. Users can be invited to AAD tenant and following benefits are achieved:

  • Admins can assign groups to apps, providing for simpler management of invited user access.
  • Admin tenant branding is used to brand the invitation emails and redemption experience, providing more context to invited partner users.

How it works

  • Invite users from another company. Invites are send from Azure AD and csv file is used to invite users. CSV can contain maximum of 2000 lines. Sample CSV download samplefile
    • download samplefile, do necessary modifications and save file as csv-format
    • after users are imported they are added as external users to directory

2   5

  • The invited user receives an email with a link and after he/she clicks the link, user is prompted to accept the invitation and to sign in using her work credentials. If user is not in the Azure AD directory, user is prompted to sign up (If company doesn’t have Azure AD free version is created “on the fly” when adding users to your tenant)

6 7 8

  • When user has accepted request and everything goes as planned user is redirect to empty access panel until admin grants permissions to apps

9

Summary

This is the easiest way to add external B2B users to Azure AD. Application access requires still granted access to applications itself. Another option is to grant access to applications with AppPrincipalID attribute which would be used to grant permissions directly to specific application or groups.