Active Directory

Azure: Azure Active Directory Business-to-Business (B2B)

As organisations move to the cloud, many try to adopt the same administrative processes and governance framework as they are comfortable with on-premises.

Most system administrators have at one point or another needed to grant a third party access to a business resource, for support or collaboration. This usually meant creating a new account in the local AD and then granting the application permissions to that newly created account.

In the past that may have been acceptable, but it leaves the business with an extra account to manage for someone it has limited visibility of, and it leaves the third-party user with another set of credentials to remember.


With Azure AD B2B collaboration it's possible to invite users from other organisations to access your resources while they continue to use their own credentials.

Permissions can be assigned to guest users without the need to manage their accounts. The third-party user is happy because they have no extra account details to remember, and account management, such as password complexity or disabling the account when the user leaves the company, stays in the hands of the user's own organisation.

Key benefits:

  • Partners use their own credentials
  • No requirement for partners to use Azure AD
  • No external directories or complex set-up required
  • Provide access to any corporate app or data, while applying sophisticated, Azure AD-powered authorisation policies
  • No external account or password management

NOTE: If the guest user doesn’t have a Microsoft account or an Azure AD account, one is created for them when they redeem their invitation.

Manually adding B2B collaboration users using the portal

Manually adding a guest user is quite simple. Log in to the Azure portal and browse to the Users blade of Azure AD. From the top ribbon, select New guest user.

In the next blade, enter the user's email address and, if you wish, a personal message to be included in the email invite. Finally click the Invite button.

Once invited, the guest user receives a welcome email containing any personal message included in the original invite. Permissions can then be assigned in the same way as for any other user.

Should the guest user not receive their welcome invite, it can be resent: browse to the user's profile and click the Resend Invitation button.

Using PowerShell to bulk invite users

Adding a single guest user through the portal is fine. For larger numbers it's possible to use PowerShell to bulk-invite users based on the contents of a .CSV file.

The first step is to create a .CSV file with the users' names and email addresses, in the following format.

       Name,InvitedUserEmailAddress
       John Smith,jsmith@blueclouds.com
       Emma White,ewhite@blueclouds.com

The next step is to import the details from the .CSV into Azure AD. Microsoft's documentation includes an example script that gives a good idea of how that can be achieved.
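The script below is an added example written for this page; it is not the page's own code and not Microsoft's documentation script. It is the scripted equivalent of the portal's New guest user procedure above, run once per row of the .CSV, using the AzureAD PowerShell module's New-AzureADMSInvitation cmdlet. The CSV columns (Name, InvitedUserEmailAddress) match the format shown above; the file paths, the redirect URL, the custom message text and the tenant name are placeholder assumptions. Before each call it rejects rows that are not syntactically valid addresses and skips addresses that already exist as guests, so a mangled spreadsheet cannot invite the wrong person or send duplicate invites, and it writes a result log for the later joiner/leaver review.

```powershell
#Requires -Modules AzureAD
# Added example (not the page's or Microsoft's script): bulk-invite B2B guest users from a .CSV.
# Assumptions: AzureAD module installed; CSV columns Name and InvitedUserEmailAddress;
# $CsvPath, $LogPath, $RedirectUrl and the message text are placeholders for your tenant.
param(
    [string]$CsvPath     = 'C:\data\invitations.csv',          # assumed location of the CSV from the page
    [string]$RedirectUrl = 'https://myapps.microsoft.com',    # where the guest lands after redeeming the invite
    [string]$LogPath     = 'C:\data\invitation-results.csv'   # assumed location for the result log
)

# Interactive sign-in as a user holding at least the Guest Inviter role in the inviting tenant.
Connect-AzureAD | Out-Null

$rows = Import-Csv -Path $CsvPath

# Validate every address before anything reaches the API: a broken row should be reported, not invited.
$validRows = @()
foreach ($row in $rows) {
    $address = $row.InvitedUserEmailAddress.Trim()
    try {
        [void][System.Net.Mail.MailAddress]::new($address)   # throws on a malformed address
        $row.InvitedUserEmailAddress = $address
        $validRows += $row
    }
    catch {
        Write-Warning "Skipping row for '$($row.Name)': '$address' is not a valid email address"
    }
}

# The personal message that appears in the welcome email (same as the portal's personal message box).
$messageInfo = New-Object Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$messageInfo.CustomizedMessageBody = 'You have been invited to collaborate with Blue Clouds.'  # placeholder text

$results = foreach ($row in $validRows) {
    $email = $row.InvitedUserEmailAddress

    # Idempotency check (assumed filter on the guest's mail attribute): do not re-invite an existing guest.
    $existing = Get-AzureADUser -Filter "userType eq 'Guest' and mail eq '$email'"
    if ($existing) {
        [pscustomobject]@{ Name = $row.Name; Email = $email; Status = 'AlreadyExists'; ObjectId = $existing.ObjectId }
        continue
    }

    try {
        $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $email `
                                       -InvitedUserDisplayName  $row.Name `
                                       -InviteRedirectUrl       $RedirectUrl `
                                       -InvitedUserMessageInfo  $messageInfo `
                                       -SendInvitationMessage   $true
        # Status is normally 'PendingAcceptance' until the guest redeems the invite.
        [pscustomobject]@{ Name = $row.Name; Email = $email; Status = $inv.Status; ObjectId = $inv.InvitedUser.Id }
    }
    catch {
        [pscustomobject]@{ Name = $row.Name; Email = $email; Status = "Failed: $($_.Exception.Message)"; ObjectId = $null }
    }
}

# Keep a record of who was invited, with the resulting object IDs, for the later access review.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it from a workstation that has the AzureAD module installed, with the CSV path and redirect URL adjusted for your tenant. The result log is worth keeping: guest objects created this way are the ones you will need to review and remove when the partner engagement ends, since (as noted above) the guest's home organisation handles their password but not their access in your tenant.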

Licensing

Users invited as guests into your Azure AD can automatically make use of the capabilities of the Azure AD Free edition. If you want them to use a paid feature, e.g. MFA, the user must be licensed. B2B collaboration guest users can be licensed in either of the following two ways.

  • The tenancy the guest user has been invited into has paid licences available. These licences cover B2B guest users at a ratio of 5:1, i.e. each paid licence covers up to five guest users.
  • The B2B guest user already has a paid Azure AD licence assigned by their own organisation.

For example: inviting ten B2B collaboration guest users to access one of your LOB applications that is protected by Azure MFA would require two Azure AD Premium P1 or P2 licences to be available (ten guests at 5:1).

NOTE: It is not currently possible to assign licences directly to B2B collaboration users. Licensing is calculated and reported automatically based on the 5:1 rule.

For more information on Azure AD B2B licensing, check out the following article: https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance