Azure Active Directory B2B: How it works

By Dawid on (tags: active directory, azure, b2b, categories: azure, infrastructure, code)

B2B is based on an invitation model that lets you give partner-managed identities access to your corporate applications. You provide the email addresses along with the applications you want to share and send invitations to your partners, customers, or anyone else who has an account in Azure Active Directory. Azure AD sends them an email invite with a link. The partner user follows the link and is prompted to sign in with their Azure AD account or to sign up for a new Azure AD account.

How it works

  1. Your Azure AD admin invites other users by uploading a structured CSV file through the Azure portal.
  2. The portal sends an invitation to every user listed in the uploaded file.
  3. Each user who receives the email can click the generated link and is prompted to sign in with their work credentials if they already exist in Azure AD. If they don't have an account, B2B collaboration offers a streamlined sign-up experience that provides Azure AD accounts to your business partners.
  4. The user is then redirected to the application to which they were invited.

Partner users exist in your Azure AD as external users. This means your admin can assign them to groups or roles and manage access to your apps independently of your business partner's account lifecycle.

CSV file format

The current version of B2B collaboration requires a CSV file in which we specify the users to be invited. There are two groups of fields.

Required:

  • Email - email address of the user to invite
  • DisplayName - display name of the user to invite
  • InviteContactUsUrl - URL to include in email invitations in case the invited user wants to contact your organization

Optional:

  • InviteAppID - the ID of the application used for branding the email invite and acceptance pages
  • InviteAppResources - AppIDs of the applications to assign to the user
  • InviteGroupResources - ObjectIDs of the groups to add the user to
  • InviteReplyUrl - URL to which the invited user is directed after accepting the invite. This should be a company-specific URL.

The application IDs that can be specified in InviteAppResources are easily retrieved in PowerShell by calling:

   Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId

The same goes for ObjectIds; you can get them by calling:

   Get-MsolGroup | fl DisplayName, ObjectId

Here is an example entry:

   Email,DisplayName,InviteAppID,InviteReplyUrl,InviteAppResources,InviteGroupResources,InviteContactUsUrl
   john.john@microsoft.com,John John,ee3ed2ae-as67-4563-8aa9-b67ee29a0f59,http://azure.microsoft.com/services/active-directory/,,,http://azure.microsoft.com/services/active-directory/

Please remember that the first row of labels is required and its spelling must match the field names specified above; otherwise the CSV file will not parse. For optional fields that aren't needed, their labels can be removed from the CSV file and the entire column can be left empty.
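Because a misspelt header or a consumer address only shows up as a failed upload, it pays to check the file before handing it to a Global Administrator. The following validator is an added example, not part of the original post or of the Azure portal; it checks the header spelling, the required fields, the consumer-domain limitation from this post, and the GUID/URL shape of the optional fields. The sample CSV and the GUIDs in it are constructed, and it assumes each ID cell holds a single GUID.

```python
import csv
import io
import re

# Column names exactly as the B2B preview CSV expects them (taken from the post).
REQUIRED = ("Email", "DisplayName", "InviteContactUsUrl")
OPTIONAL = ("InviteAppID", "InviteAppResources", "InviteGroupResources", "InviteReplyUrl")
# Consumer domains the post lists as unsupported in the preview.
CONSUMER_DOMAINS = {"gmail.com", "hotmail.com"}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
URL_RE = re.compile(r"^https?://\S+$")


def validate_invite_csv(text):
    """Return a list of problems found in an invite CSV; an empty list means clean."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    # Header spelling must match exactly, otherwise the upload fails to parse.
    problems += [f"missing required column {c}" for c in REQUIRED if c not in headers]
    problems += [f"unknown column {c!r} (check spelling)" for c in headers if c not in REQUIRED + OPTIONAL]
    if problems:
        return problems
    for n, row in enumerate(reader, start=2):  # line 2 is the first data row
        def get(col):
            return (row.get(col) or "").strip()
        m = EMAIL_RE.match(get("Email"))
        if not m:
            problems.append(f"line {n}: invalid Email {get('Email')!r}")
        elif m.group(1).lower() in CONSUMER_DOMAINS:
            problems.append(f"line {n}: consumer address {get('Email')!r} not supported")
        if not get("DisplayName"):
            problems.append(f"line {n}: DisplayName is empty")
        for col in ("InviteContactUsUrl", "InviteReplyUrl"):  # required / optional URL
            if (col in REQUIRED or get(col)) and not URL_RE.match(get(col)):
                problems.append(f"line {n}: {col} is not an http(s) URL")
        # Assumption (not stated in the post): each ID cell holds a single GUID.
        for col in ("InviteAppID", "InviteAppResources", "InviteGroupResources"):
            if get(col) and not GUID_RE.match(get(col)):
                problems.append(f"line {n}: {col} {get(col)!r} is not a GUID")
    return problems


# Constructed sample: the post's header row, one clean row and one row with typical mistakes.
SAMPLE = (
    "Email,DisplayName,InviteAppID,InviteReplyUrl,InviteAppResources,InviteGroupResources,InviteContactUsUrl\n"
    "john.john@partner.example,John John,,https://portal.example/welcome,"
    "11111111-2222-3333-4444-555555555555,,https://contoso.example/contact\n"
    "jane@gmail.com,,,,not-a-guid,,ftp://x\n"
)

if __name__ == "__main__":
    for problem in validate_invite_csv(SAMPLE):
        print(problem)
```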

Current preview limitations

  • Invites are possible only via CSV; individual invites and API access are not supported.
  • Only Azure AD Global Administrators can upload *.csv files.
  • There are limitations on consumer email addresses: addresses at domains such as gmail.com and hotmail.com are not currently supported.
  • Multi-factor authentication (MFA) is not supported for external users.