Azure Identity And Access Management Part 13 – Azure Active Directory – Business-to-Business (B2B) And Guest User 1 – Overview
Hope you all are doing good !!!
In our last article we discussed how to create and configure an Access Review. In this article we continue exploring Azure AD and start on a new and very important Azure AD service: Business-to-Business (B2B) collaboration and guest users. As the scope of this topic is very large, we will split it across several articles; this is the first article on the B2B collaboration service of Azure.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them in the following links.
Business-to-Business (B2B) :
Azure AD B2B collaboration lets us securely share our applications, files and other resources with external users so that they can collaborate with us. An Azure AD admin sets up B2B collaboration in the Azure portal, and Azure AD takes care of the federation between our organization and the external partner. Guest users sign in to the shared resources through a simple invitation and redemption process, using their own work or school account, a Microsoft account, or (with email one-time passcode) any email account.
Key Benefits of B2B :
- The partner uses their own identities and credentials; their home organization keeps managing them.
- We don't need to manage external accounts or passwords for guest users.
- We don't need to sync accounts or manage account life-cycles for guest users.
Licencing For Azure AD B2B :
With Azure AD business-to-business (B2B) collaboration, we can invite external users (or "guest users") to use our paid Azure AD services. B2B guest user licensing is calculated and reported automatically on a 1:5 ratio, with the following considerations.
- Free Azure AD features can be used by guest users without any additional licensing.
- For paid Azure AD features (for example Conditional Access), as per Microsoft documentation, we can invite up to five guest users for each paid Azure AD edition license.
Azure Active Directory B2B Best Practices :
- For an optimal sign-in experience, federate with identity providers such as Google, so guests do not have to create a Microsoft account.
- Use the Email one-time passcode (preview) feature for B2B guests who can't authenticate any other way.
- Add company branding to your sign-in page.
- Add your privacy statement to the B2B guest user redemption experience.
- Use the bulk invite (preview) feature to invite multiple B2B guest users at the same time.
- Enforce Conditional Access policies for Multi-Factor Authentication (MFA).
- If you're enforcing device-based Conditional Access policies (compliant or hybrid-joined device), use exclusion lists to allow access for B2B users, since the inviting tenant cannot manage the guests' devices.
- Use a tenant-specific URL when providing direct links to your B2B guest users.
- When developing an app, use UserType to determine guest user experience.
- Change the UserType property only if the user's relationship to the organization changes.
Configure B2B External Collaboration Settings :
With Azure AD B2B collaboration, a tenant admin can set the following invitation policies, as shown in the following figure. To find the configuration page, log in to the Azure portal > select Azure Active Directory > select External Identities > External collaboration settings.
- Limit guest user permissions (guest user access restrictions).
- Admins and users in the Guest Inviter role can invite guest users.
- Members can invite guest users.
- Guest users can invite other guest users (worth reviewing, since it lets an external identity bring further external identities into the tenant).
- Enable Email One-Time Passcode for guests (Preview).
- Enable guest self-service sign-up via user flows (Preview).
Each of the above settings has a default value, which we can change as required. Two of these settings are described in more detail next.
Email One-time Passcode Authentication :
The Email one-time passcode feature authenticates B2B guest users who cannot use any other method. When such a guest user redeems an invitation or uses a link to a resource that has been shared with them, they receive a one-time passcode if:
- They do not have an Azure AD account,
- They do not have a Microsoft account, and
- The inviting tenant has not set up Google federation.
When the guest user redeems an invitation or accesses a shared resource, they request a temporary code, which is sent to their email address. They then enter this code to continue signing in. Because the code is delivered to the mailbox, whoever controls that mailbox can sign in as the guest, which is why MFA (covered later in this article) still matters for these users.
Allow or Deny invitations To The Specified Domains :
The same configuration page also lets us configure a list of domains from which we allow or deny guest invitations. Only one of the two lists can be active at a time: either allow invitations only to the listed domains, or deny invitations to the listed domains and allow all others. The lists are enforced when an invitation is sent. As shown in the following figure, we have allowed guest users from only a few domains.
Invitation And Redemption Of Guest User To Azure AD :
We can use the Azure portal to invite B2B collaboration users. We can invite guest users to the directory, to a group, or to an application. An invitation is the procedure by which we ask an external user to collaborate. An invitation does not expire. When we invite a guest user, an invitation mail is sent to the user asking them to accept it.
Once the inviting organization sends the invitation, it is up to the guest user whether to accept or reject it. Redemption is the procedure of accepting the invitation; during redemption the user has to agree to the terms and conditions (privacy statement) of the inviting organization.
In our next article, we will discuss the invitation and redemption of guest users in detail.
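The invitation flow above is driven by the Microsoft Graph invitation API (POST /invitations), which is what the portal calls on our behalf. The following Python example, added here and not part of the original article, builds that request body, first checking the address against the allow/deny domain lists described above (the portal lets a tenant keep only one of the two lists, and the class enforces the same), and then picks the fields worth tracking out of the response. The endpoint, request and response field names are Graph's own; the sample response, its ids and the placeholder redeem URL are constructed for the example, and no network call is made.

```python
"""Build and pre-check an Azure AD B2B invitation request (example code)."""
from dataclasses import dataclass
from typing import Optional

GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"  # POST target


@dataclass(frozen=True)
class CollaborationSettings:
    """Domain part of 'External collaboration settings'. A tenant can keep an
    allow list or a deny list, never both, so the same rule is enforced here."""
    allowed_domains: frozenset = frozenset()
    blocked_domains: frozenset = frozenset()

    def __post_init__(self):
        if self.allowed_domains and self.blocked_domains:
            raise ValueError("configure either an allow list or a deny list, not both")


def invitation_permitted(email: str, settings: CollaborationSettings) -> bool:
    """True if an invitation to `email` passes the tenant's domain policy.
    Domains are compared case-insensitively."""
    if email.count("@") != 1:
        raise ValueError(f"not a plain email address: {email!r}")
    domain = email.split("@", 1)[1].strip().rstrip(".").lower()
    if settings.allowed_domains:
        return domain in {d.lower() for d in settings.allowed_domains}
    return domain not in {d.lower() for d in settings.blocked_domains}


def build_invitation(email: str, redirect_url: str, settings: CollaborationSettings,
                     send_email: bool = True, message: Optional[str] = None,
                     internal_user_id: Optional[str] = None) -> dict:
    """JSON body for POST /invitations. Refuses addresses the domain policy
    would block instead of letting Graph reject them later."""
    if not invitation_permitted(email, settings):
        raise PermissionError(f"domain policy blocks invitations to {email}")
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,    # where the guest lands after redemption
        "sendInvitationMessage": send_email,  # False: you deliver inviteRedeemUrl yourself
    }
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    if internal_user_id:
        # Passing an existing user object converts that internal user into a B2B user
        body["invitedUser"] = {"id": internal_user_id}
    return body


# Constructed sample of a Graph response; ids and URL are placeholders.
SAMPLE_RESPONSE = {
    "id": "0f1e2d3c-0000-4000-8000-000000000abc",
    "invitedUserEmailAddress": "partner@fabrikam.example",
    "inviteRedeemUrl": "https://login.microsoftonline.com/redeem?rd=placeholder",
    "status": "PendingAcceptance",
    "invitedUser": {"id": "11111111-2222-3333-4444-555555555555"},
}


def summarize_response(resp: dict) -> dict:
    """Keep what an admin needs to track: the guest's object id (for later
    access reviews or cleanup), the redemption state, and the redeem URL.
    Handle inviteRedeemUrl with care when you deliver it yourself."""
    return {
        "guest_id": resp["invitedUser"]["id"],
        "status": resp["status"],  # "PendingAcceptance" until the guest redeems
        "redeem_url": resp["inviteRedeemUrl"],
    }


if __name__ == "__main__":
    policy = CollaborationSettings(allowed_domains=frozenset({"fabrikam.example"}))
    print(build_invitation("partner@fabrikam.example", "https://myapps.microsoft.com", policy))
    print(summarize_response(SAMPLE_RESPONSE))
```

To send the request for real, POST the body returned by `build_invitation` to `GRAPH_INVITATIONS_URL` with a token holding the `User.Invite.All` permission; the `internal_user_id` parameter is the one-way conversion of an internal user described later in this article.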
Azure AD B2B User’s Key Properties :
1 – User Type : This property indicates the relationship of the user to the host tenant. It can have two values:
Member– the user is an employee of the host organization.
Guest– the user is an external user, such as an external collaborator, partner, or customer.
2 – Source : This property indicates how the user signs in.
Invited User– the user has been invited but has not yet redeemed the invitation.
External Azure Active Directory– the user is homed in an external organization and authenticates with an Azure AD account that belongs to that other organization.
Microsoft account– the user is homed in a Microsoft account and authenticates with it.
Windows Server Active Directory– the user signs in from the on-premises Active Directory that belongs to this organization.
Azure Active Directory– the user authenticates with an Azure AD account that belongs to this organization.
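These two properties are what an admin uses to triage the guest population, for example to find invitations that were never redeemed. The following Python example, added here and not from the original article, classifies users the way the Source values above do, using constructed Graph-shaped user objects (the real ones come from `GET /users?$select=userPrincipalName,userType,externalUserState,createdDateTime,identities,onPremisesSyncEnabled`). The mapping from the `identities` issuer values `ExternalAzureAD` and `MicrosoftAccount` and from `onPremisesSyncEnabled` to the Source labels is my own reconstruction of how the portal derives them, and the sample users and dates are made up.

```python
"""Classify Azure AD users by User Type / Source and find stale invitations (example code)."""
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """Graph returns ISO 8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def source_of(user: dict) -> str:
    """Map a Graph user object onto the 'Source' values shown in the portal."""
    if user.get("userType") == "Guest" and user.get("externalUserState") == "PendingAcceptance":
        return "Invited User"
    issuers = {ident.get("issuer", "") for ident in (user.get("identities") or [])}
    if "ExternalAzureAD" in issuers:
        return "External Azure Active Directory"
    if "MicrosoftAccount" in issuers:
        return "Microsoft account"
    if user.get("onPremisesSyncEnabled"):
        return "Windows Server Active Directory"
    return "Azure Active Directory"


def guests_by_source(users: list) -> dict:
    """Count guest accounts (userType == Guest) per Source."""
    counts: dict = {}
    for user in users:
        if user.get("userType") != "Guest":
            continue
        source = source_of(user)
        counts[source] = counts.get(source, 0) + 1
    return counts


def stale_invitations(users: list, now: datetime, max_age_days: int = 30) -> list:
    """Guests invited more than max_age_days ago who never redeemed: candidates
    for deletion or re-invitation, since they are access that nobody is using."""
    cutoff = now - timedelta(days=max_age_days)
    return [u["userPrincipalName"] for u in users
            if source_of(u) == "Invited User" and parse_ts(u["createdDateTime"]) < cutoff]


def _user(upn, user_type, created, state=None, issuer=None, synced=False):
    """Build a constructed Graph-shaped user object for the sample below."""
    identities = [{"signInType": "federated", "issuer": issuer}] if issuer else []
    return {"userPrincipalName": upn, "userType": user_type, "createdDateTime": created,
            "externalUserState": state, "identities": identities, "onPremisesSyncEnabled": synced}


# Constructed sample directory: two redeemed guests, two pending, two members.
SAMPLE_USERS = [
    _user("alice_partner.example#EXT#@contoso.onmicrosoft.com", "Guest", "2020-11-02T09:00:00Z", "Accepted", "ExternalAzureAD"),
    _user("bob_outlook.com#EXT#@contoso.onmicrosoft.com", "Guest", "2021-01-15T12:30:00Z", "Accepted", "MicrosoftAccount"),
    _user("carol_vendor.example#EXT#@contoso.onmicrosoft.com", "Guest", "2020-12-01T08:00:00Z", "PendingAcceptance"),
    _user("dan_vendor.example#EXT#@contoso.onmicrosoft.com", "Guest", "2021-02-25T08:00:00Z", "PendingAcceptance"),
    _user("erin@contoso.onmicrosoft.com", "Member", "2019-05-01T00:00:00Z", synced=True),
    _user("frank@contoso.onmicrosoft.com", "Member", "2020-01-01T00:00:00Z"),
]
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(f"{user['userPrincipalName']:55} {user['userType']:7} {source_of(user)}")
    print(guests_by_source(SAMPLE_USERS))
    print("stale invitations:", stale_invitations(SAMPLE_USERS, NOW))
```

Pending guests carry a `#EXT#` UPN and an object id just like redeemed ones, so they show up in group memberships and access reviews; a periodic `stale_invitations` run is an easy way to keep that list short.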
Limitations Of Azure AD B2B Collaboration :
Possible double MFA– a guest user may be prompted for MFA both by their home tenant and by the resource (inviting) tenant.
National clouds– National clouds are physically isolated instances of Azure. B2B collaboration can’t invite a user whose account is in a national cloud.
Azure AD directories– A single user can belong to a maximum of 500 Azure AD directories as a member or a guest. A single user can create a maximum of 200 directories.
Azure US Government clouds– Within the Azure US Government cloud, B2B collaboration is currently only supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration.
Conditional Access For B2B Guest Users :
Multi-factor authentication for B2B users– with Azure AD B2B collaboration, the inviting organization can enforce its own MFA policies on B2B users.
Mobile application management policies for B2B– these policies cannot be applied to B2B users, because the inviting organization has no visibility into the B2B user's home organization or devices.
Location-based Conditional Access for B2B– these policies can be enforced for B2B users if the inviting organization is able to define a trusted IP address range for its partner organizations.
Risk-based Conditional Access for B2B– these policies cannot be applied to B2B users, because the risk evaluation is performed at the B2B user's home organization.
Multi-Factor Authentication For B2B Guest Users :
When sharing content with external B2B guest users, it is a good idea to protect the content with multi-factor authentication (MFA) policies. The following prerequisites are required before configuring MFA for B2B users.
- Access to Azure AD Premium edition, which includes Conditional Access policy capabilities. To enforce MFA we need to create an Azure AD Conditional Access policy. Note that MFA policies are always enforced at our organization, regardless of whether the partner has MFA capabilities. If we set up MFA for our organization, we need to make sure we have sufficient Azure AD Premium licenses for our guest users (see the 1:5 ratio above).
- A valid external email account that we can add to our tenant directory as a guest user and use to sign in for testing.
The workflow for a guest user to access data protected with MFA is as follows.
- An admin or employee at company MSTechs invites a guest user to use a cloud or on-premises application that is configured to require MFA for access.
- The guest user signs in with their own work, school, or social identity.
- The user is asked to complete an MFA challenge.
- The user registers for MFA with company MSTechs and chooses their MFA method. The user is then allowed access to the application.
We will publish a separate article with a practical session on MFA for B2B guest users.
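The Conditional Access limitations and the MFA prerequisites above translate into two concrete checks on a tenant's policies: is there an enabled policy that requires MFA for guests on all cloud apps, and is there any enabled device-based policy that catches guests without the exclusion recommended in the best-practices list? The following Python example, added here and not from the original article, builds the guest MFA policy body for `POST /identity/conditionalAccess/policies` and audits a list of policy objects for those two points. The field names (`state`, `conditions.users.includeUsers`, `GuestsOrExternalUsers`, `grantControls.builtInControls`) are those of the Graph v1.0 conditionalAccessPolicy resource; the three sample policies are constructed for the example.

```python
"""Build a guest MFA Conditional Access policy and audit existing ones (example code)."""

GUEST_SELECTORS = {"GuestsOrExternalUsers"}
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}  # guests' devices are unmanaged here


def guest_mfa_policy(name: str = "B2B guests: require MFA") -> dict:
    """Request body that requires MFA for every guest on every cloud app."""
    return {
        "displayName": name,
        "state": "enabled",  # "enabledForReportingButNotEnforced" would only log
        "conditions": {
            "users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def targets_guests(users: dict) -> bool:
    """A policy reaches guests if it includes them (or All users) and does not exclude them."""
    include = set(users.get("includeUsers") or [])
    exclude = set(users.get("excludeUsers") or [])
    if not include & (GUEST_SELECTORS | {"All"}):
        return False
    return not (exclude & GUEST_SELECTORS)


def covers_all_apps(apps: dict) -> bool:
    return "All" in (apps.get("includeApplications") or []) and not apps.get("excludeApplications")


def audit_guest_policies(policies: list) -> dict:
    """Summarize how the given policies treat guests.

    guest_mfa_all_apps: an enabled policy requires MFA for guests on all apps.
    device_policies_hitting_guests: enabled device-based policies that guests
        cannot satisfy because they lack a guest exclusion.
    guest_policies_not_enforced: guest-scoped policies in report-only/disabled state."""
    findings = {
        "guest_mfa_all_apps": False,
        "device_policies_hitting_guests": [],
        "guest_policies_not_enforced": [],
    }
    for policy in policies:
        conditions = policy.get("conditions") or {}
        if not targets_guests(conditions.get("users") or {}):
            continue
        if policy.get("state") != "enabled":
            findings["guest_policies_not_enforced"].append(policy["displayName"])
            continue
        controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
        if "mfa" in controls and covers_all_apps(conditions.get("applications") or {}):
            findings["guest_mfa_all_apps"] = True
        if controls & DEVICE_CONTROLS:
            findings["device_policies_hitting_guests"].append(policy["displayName"])
    return findings


# Constructed sample tenant: the MFA policy above, a device policy on All users
# with no guest exclusion, and a guest policy left in report-only mode.
SAMPLE_POLICIES = [
    guest_mfa_policy(),
    {
        "displayName": "Require compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {
        "displayName": "Guests: block legacy auth",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    print(audit_guest_policies(SAMPLE_POLICIES))
```

In the sample the device policy is the one to fix: add `GuestsOrExternalUsers` to its `excludeUsers` (and keep the guest MFA policy as the control that still applies to them), after which `audit_guest_policies` no longer lists it.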
Enable Self-Service Group Management For Tenant :
- Users can create and manage their own security groups or Office 365 groups in Azure AD.
- Group owners can approve or deny membership requests.
- Group owners can delegate control of group membership.
- Self-service group management features are not available for mail-enabled security groups or distribution lists.
As shown in the following figure, we can reach this settings page by logging in to the Azure portal as a Global Administrator > select Azure Active Directory > select Groups > under Settings, select General.
Azure AD B2B collaboration For Hybrid Organizations :
- We can allow B2B users in Azure AD to access our on-premises apps.
- We can allow locally-managed partner accounts (from on-premises AD) to access cloud resources.
Invite Internal Users To B2B collaboration :
Historically, organizations collaborated with distributors, suppliers, vendors, and other external users by setting up internal credentials for them. Now we can invite those internal users to B2B collaboration instead and take advantage of the Azure AD B2B benefits.
To invite the user, we use the invitation API, passing both the internal user object and the guest user's email address along with the invitation. When the user accepts the invitation, the B2B service changes the existing internal user object to a B2B user. This is the concept, but I have not practically tested it.
As per Microsoft, the invitation is one-way. We can invite internal users to use B2B collaboration, but we can't remove the B2B credentials once they're added. To change the user back to an internal-only user, we need to delete the user object and create a new one.
Federation With Google For B2B Guest Users :
By setting up federation with Google, we can allow invited guest users to sign in to our shared apps and resources with their own Gmail accounts, without having to create Microsoft accounts (MSAs). We will try to post a separate article on how to set up federation with Google.
Direct Federation With AD FS and Third-party Providers For Guest Users :
We can set up direct federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. When we set up direct federation with a partner's IdP, new guest users from that domain can use their own IdP-managed organizational account to sign in to our Azure AD tenant and start collaborating with us. There is no need for the guest user to create a separate Azure AD account. We have not tested it, but more details can be found in the Microsoft documentation.
Leave An Organization As A Guest User :
A guest user can't leave an organization if their account is disabled in either the home tenant or the resource tenant. If the account is disabled, the guest user needs to contact the tenant admin, who can either delete the guest account or enable it so the user can leave the organization. To leave an organization, follow these steps.
1 – Go to your Access Panel Profile page by doing one of the following steps:
- Open your Access Panel, click your name in the upper right, and next to Organizations, select the settings icon (gear).
NOTE : If you’re not already signed in to the organization you want to leave, under Organizations, click the Sign in to leave organization link next to the organization’s name. After you’re signed in, click your name again in the upper right and next to Organizations, select the settings icon (gear).
2 – Under Organizations, find the organization that you want to leave, and select Leave organization.
3 – When asked to confirm, select Leave.
User Account Removal :
When a user leaves an organization, the user account is "soft deleted" in the directory. By default the user object moves to the Deleted users area in Azure AD and is not permanently deleted for 30 days. This soft deletion lets an administrator restore the account (including group memberships and permissions) if the user asks for it within the 30-day period. An admin can also permanently delete the user from the Deleted users list before the 30 days elapse, as shown in the following figure.
Access Reviews :
We can use access reviews to periodically verify whether guest users still need access to our resources. The Access reviews feature is available in Azure Active Directory under External Identities > Access reviews. We can also search for "Access Reviews" from All services in the Azure portal. It is a very important feature; we have a complete article on Access Reviews.
Audit Logs :
The Azure AD audit logs provide records of system and user activities, including activities initiated by guest users, such as invitations and invitation redemptions. To access audit logs, in Azure Active Directory, under Monitoring, select Audit logs.
We can also export these logs from Azure AD (for example, to a Log Analytics workspace through diagnostic settings) and use the reporting tool of our choice to get customized reports.
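Once the audit logs are exported, the guest-related entries are easy to turn into detections that match the settings discussed in this article: invitations sent by accounts that are themselves guests, invitations to domains outside the allow list, and bursts of invitations from a single account. The following Python example, added here and not from the original article, runs those three rules over constructed audit-log entries. The activity names "Invite external user" and "Redeem external user invite" and the `initiatedBy` / `targetResources` / `result` layout follow the Azure AD audit log schema; recovering the guest's home domain from the `#EXT#` user principal name is a heuristic of mine, and all sample entries, accounts and timestamps are made up.

```python
"""Detect suspicious B2B invitation activity in Azure AD audit log entries (example code)."""
from collections import defaultdict
from datetime import datetime, timedelta

INVITE = "Invite external user"
REDEEM = "Redeem external user invite"


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def guest_home_domain(upn: str) -> str:
    """'alice_partner.example#EXT#@contoso.onmicrosoft.com' -> 'partner.example'.
    Azure AD builds the guest UPN as <local>_<domain>#EXT#@<tenant>, so the
    home domain is the part after the last underscore before #EXT#."""
    if "#EXT#" in upn:
        return upn.split("#EXT#", 1)[0].rsplit("_", 1)[-1].lower()
    return upn.rsplit("@", 1)[-1].lower()


def actor_upn(entry: dict) -> str:
    user = (entry.get("initiatedBy") or {}).get("user") or {}  # absent for app-initiated events
    return user.get("userPrincipalName") or ""


def target_upn(entry: dict) -> str:
    targets = entry.get("targetResources") or [{}]
    return targets[0].get("userPrincipalName") or ""


def analyze_guest_invites(entries: list, allowed_domains: set,
                          burst_threshold: int = 3,
                          burst_window: timedelta = timedelta(minutes=10)) -> list:
    """Return findings as dicts with rule/actor/target/time, in time order."""
    findings = []
    recent = defaultdict(list)  # actor -> timestamps of invites inside the window
    allowed = {d.lower() for d in allowed_domains}
    for entry in sorted(entries, key=lambda e: e["activityDateTime"]):
        if entry.get("activityDisplayName") != INVITE or entry.get("result") != "success":
            continue
        when = parse_ts(entry["activityDateTime"])
        actor, target = actor_upn(entry), target_upn(entry)
        if "#EXT#" in actor:  # a guest bringing in another guest
            findings.append({"rule": "guest-invited-guest", "actor": actor, "target": target, "time": when})
        if guest_home_domain(target) not in allowed:
            findings.append({"rule": "domain-not-on-allow-list", "actor": actor, "target": target, "time": when})
        window = [t for t in recent[actor] if when - t <= burst_window] + [when]
        recent[actor] = window
        if len(window) == burst_threshold:  # fire once when the threshold is reached
            findings.append({"rule": "invite-burst", "actor": actor,
                             "target": f"{burst_threshold} invites within {burst_window}", "time": when})
    return findings


def _entry(ts, activity, actor, target, result="success"):
    """Constructed audit-log entry in the shape of Graph's directoryAudit resource."""
    return {"activityDateTime": ts, "activityDisplayName": activity, "category": "UserManagement",
            "result": result, "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": "User", "userPrincipalName": target}]}


EXT = "#EXT#@contoso.onmicrosoft.com"
SAMPLE_AUDIT = [  # constructed: one normal invite + redemption, one guest-initiated invite, one burst
    _entry("2021-03-01T09:00:00Z", INVITE, "admin@contoso.onmicrosoft.com", "alice_partner.example" + EXT),
    _entry("2021-03-01T09:05:00Z", REDEEM, "alice_partner.example" + EXT, "alice_partner.example" + EXT),
    _entry("2021-03-01T10:00:00Z", INVITE, "alice_partner.example" + EXT, "mallory_evil.example" + EXT),
    _entry("2021-03-01T11:00:00Z", INVITE, "bob@contoso.onmicrosoft.com", "u1_partner.example" + EXT),
    _entry("2021-03-01T11:02:00Z", INVITE, "bob@contoso.onmicrosoft.com", "u2_partner.example" + EXT),
    _entry("2021-03-01T11:04:00Z", INVITE, "bob@contoso.onmicrosoft.com", "u3_partner.example" + EXT),
    _entry("2021-03-01T11:30:00Z", "Update user", "admin@contoso.onmicrosoft.com", "bob@contoso.onmicrosoft.com"),
    _entry("2021-03-01T11:45:00Z", INVITE, "bob@contoso.onmicrosoft.com", "u4_partner.example" + EXT, result="failure"),
]

if __name__ == "__main__":
    for finding in analyze_guest_invites(SAMPLE_AUDIT, {"partner.example"}):
        print(finding["time"].isoformat(), finding["rule"], finding["actor"], "->", finding["target"])
```

The "guest-invited-guest" rule only makes sense if the "Guest users can invite" setting is still on; if you have turned it off, a hit on that rule is itself worth investigating, since it means the setting changed or the actor is not what the UPN suggests.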
Azure Active Directory B2B Collaboration API and Customization :
Many customers want to customize the invitation process in a way that works best for their organization. More details on this topic can be found in this link.
I hope this article helps you understand the basic concepts of Business-to-Business (B2B) collaboration and guest users. As the scope of this topic is very large, we will come back with a few more articles on specific features of B2B collaboration.
As I am still exploring Azure Identity and Access Management (IAM), please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂 .