I wrote a post about B2B collaboration at the end of last year. B2B functionality has been expanded since then, and multi-factor authentication can now be enforced from the inviting organization's tenant. Earlier, MFA was available only from the home realm.
Microsoft has refreshed the B2B public preview, and there are a lot of new features available:
- For administrators: user interface enhancements in the Azure portal. For example, administrators can invite B2B users to the directory, or to any group or application
- For information workers: B2B collaboration self-service invitation capabilities in the access panel. Information workers can invite B2B collaboration users to any self-service group or application that they manage
- Allow invited users to have any email address (I think this is one of the most wanted features for B2B)
  - Whether it’s an Office 365 or on-premises Microsoft Exchange address, an outlook.com address, or any social address (Gmail, Yahoo!, and so on), users can access the inviting organization with the creation of an Azure AD or Microsoft account
- Create professional, tenant-branded invitation email
- Customize user orientation by using the invitation APIs
- Set up multi-factor authentication for B2B collaboration users in the inviting organization
- Delegate invitations to non-administrators
- Provide PowerShell support for B2B collaboration
- Provide auditing and reporting capabilities
In earlier phases you couldn’t activate MFA from the inviting organization. This feature has now been added to the B2B functionality.
Invite a user to your tenant from the Azure portal with the new admin interface.
I added the first Microsoft account (@live.fi) to the tenant.
The user received an invitation email from the tenant.
When the user accepts the invitation, he/she is redirected to the inviting tenant and then to the MyApps portal.
After everything is in place, I created a Conditional Access policy in the Azure AD tenant with the following settings:
Policy name:
- MFA for External users
Assignments:
- Created a group “Azure-AD-MFA-ExternalUsers” and added the invited user to it
- Assigned the conditional access policy to the group
- Targeted the policy to include “All cloud apps”
- In the Conditions section: include all locations
Controls:
- Allow access but require multi-factor authentication for all workloads
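The same policy, built with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not from the original post; it assumes the Microsoft.Graph module is installed, that the caller can grant the Policy.ReadWrite.ConditionalAccess and Group.Read.All scopes, and that the group name matches the one created above.

```powershell
# Added example (not part of the original post): recreate the
# "MFA for External users" Conditional Access policy via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Resolve the group that holds the invited (guest) users. Name as in the post.
$group = Get-MgGroup -Filter "displayName eq 'Azure-AD-MFA-ExternalUsers'"
if (-not $group) { throw "Group 'Azure-AD-MFA-ExternalUsers' not found" }

$policy = @{
    displayName = "MFA for External users"
    # Start in report-only mode so sign-in logs show who would be affected;
    # change to "enabled" once the results look right for production.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }      # the guest-user group
        applications   = @{ includeApplications = @("All") }   # "All cloud apps"
        locations      = @{ includeLocations = @("All") }      # any location
        clientAppTypes = @("all")                              # required by the API
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                             # grant access, require MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what was actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Report-only mode is the one deliberate difference from the portal walkthrough above: it lets you see the sign-ins the policy would have challenged before external users are actually blocked.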
Summary:
With the new functionality you can require MFA through Conditional Access for specific applications in your tenant and control access to sensitive data when needed. In this example I’m requiring MFA for every application and from any location when the user is external. This might not be the case in production, but it is very usable for testing purposes :)