How to share applications & access between partner companies (Getting Started with Azure B2B)
It’s a common need, your company has other organizations that they do business with and they need to allow external access to one or more applications or security groups. Federating between domains is one option, but it’s costly in terms of effort. Wouldn’t it be nice if you could just add just the necessary folks to your AD to give them targeted external only access to just what they need, but not have to manage their accounts? Well, you can – it’s called Azure B2B.
In its simplest form: Azure AD B2B = a csv importable list of users for Azure AD. Once imported, the newly imported end users are now known to Azure AD and can be assigned applications or as security group members. It’s important to note that it’s a cloud mastered account, just as if I made a .onmicrosoft.com account. It’s also created via static only exports. It doesn’t fit every scenario to be certain but in many cases it’s a perfect match for providing vendor or external partner access to a couple things without having to onboard accounts in your AD.
Here’s a run through from the Microsoft Garage folks: https://www.youtube.com/watch?v=Wo5J61Hp_Z0
Steps to implement Azure B2B with Azure AD Premium Apps (SSO), or Azure AD Security Groups:
First, you have to have your apps or groups created in Azure. They can be internal or external, but there are limitations since the user isn’t written back to on-prem by default (for now, see note below). The basic rule is if the app or security group shows up in https://myapps.microsoft.com then you’re good.
B2B assigns user access to the unique IDs of these applications and security groups. Gather the App IDs or security groups you wish to share by running the following script.
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic –AllowRedirection
Import-PSSession $Session -DisableNameChecking -AllowClobber
MsolServicePrincipal | fl DisplayName, AppPrincipalId
Build a CSV using those IDs that has the invite text and which groups or apps you wish to add them.
email@example.com,Joe Kuster(Contoso),Hi! Here is your external access to Joe’s personal lab.,,f2ee5681-d41b-49a0-ad3f-955154b5b337,,firstname.lastname@example.org,en
email@example.com,Rich Milburn(contoso),Hi Rich! Here is your external access to Joe’s personal lab Cloud App Security demo.,,01a65629-4c1b-48c1-a78b-804c4abdd4af,,firstname.lastname@example.org,en
email@example.com,Joe Kuster(contoso),Hi Joe! Here is your external access to Joe’s personal lab Cloud App Security demo.,,03a65629-4c1b-48c1-a78b-804c4abdd4af,,firstname.lastname@example.org,en
email@example.com,Joe Kuster(contoso),Hi Joe! Here is your external access to Joe’s personal lab AWS demo.,,8b3025e4-1dd2-430b-a150-2ef79cd700f5,,firstname.lastname@example.org,en
email@example.com,Joe Kuster(contoso),Hi Joe! Here is your external access to Joe’s personal lab Twitter demo.,,230748d5-2c87-45d4-b05a-60d29a40fced,,firstname.lastname@example.org,en
Log into Azure, navigate to your AD users
Choose “Users in partner companies” and point to your CSV file
The batch import will begin. Users will receive an invite email such as:
They will be prompted to accept the invite and log in as their normal domain account.
They will be dropped into the https://myapps.microsoft.com portal and the applications will be displayed.
They can toggle between their native company’s apps and partner apps by clicking on the domain in the upper right:
When clicked on, the application will open, either federated or using password management if that’s already been saved for that group/app. Note, this is my personal joekuster.com AWS account, but being accessed by my Catapult credentials. It still uses SSO, so I only logged in once for my Catapult credentials and I can access internal and external apps for both companies.
Note: This only gives me the ability for cloud apps, what about on-prem? User writeback was in public preview for Azure AD Connect for a short period and then it was retracted. It’s still on the public roadmap and will allow you to sync cloud mastered accounts on prem. For now, this solution cloud specific, but that should change when Azure AD Connect is updated.