In this Azure tutorial, we will discuss Azure AD B2B, also called Azure Active Directory B2B collaboration: what it is, how to add guest users, and how to apply conditional access to them.
Table of Contents
- What is Azure Active Directory B2B collaboration (Azure AD B2B)
- Add Guest Users to Azure AD Portal
- Add Guest users to Enterprise applications
- How to implement conditional access for guest users for Organization Apps and Services
- Azure Active Directory B2B Collaboration best practices
- Azure Active Directory B2B vs B2C
- Azure AD B2C
- Azure B2B Limitations
- Azure AD B2B MFA
What is Azure Active Directory B2B collaboration (Azure AD B2B)
In an organization or an enterprise, you might collaborate with external partners, vendors, or customers. These are popularly known as guest users. By using Azure AD B2B (Azure Active Directory B2B collaboration), organizations can securely share their applications and services with guest users, that is, external users from other organizations, while keeping full control of their corporate data.
External partners can be small, medium, or large, and you can work with them securely even if they do not have Azure AD or an IT department. Your guest users can access your organization’s applications and services even with a Gmail id.
Your external business partners can use their own credentials to access your organization’s data after a simple invitation.
Microsoft also allows developers to use the Azure AD B2B (business-to-business) APIs to customize the invitation process.
Your guest users do not require an Azure AD account; they can use their own work, school, or social identities.
As an organization, you also do not need to manage the external users’ accounts and passwords.
Add Guest Users to Azure AD Portal
We can easily add guest users in the Azure Active Directory portal.
Log in to the Azure AD portal.
Then click on Users -> All users -> + New guest user, as shown below:

Then provide the user details, such as Name, Email Address, First name, Last name, Job title, Department, etc., as shown below:

Once the user accepts the invitation, you can give the guest user access to various apps and services.

You can see the user listed like below:

Add Guest users to Enterprise applications
Next, let's add guest users to enterprise applications in AAD (Azure Active Directory).
Click on Enterprise applications in the Azure Active Directory admin center, as shown below.

Then click on All applications; you can see all your applications at the enterprise level.
Select the application to which you want to give the user access.

Then, in the application, click on Users and groups -> + Add user, as shown below:

Then select the guest user and click on Assign.
The user will then have access to your enterprise application.

How to implement conditional access for guest users for Organization Apps and Services
You can also implement conditional access for your organization apps & services.
For example, you can create a policy that requires guest users, or users outside your network, to sign in with multi-factor authentication.
Open the enterprise apps and click on Conditional Access, which is under Security.

There you can create a new policy for guest users.

Here, you can set Require multi-factor authentication for guest and external users.

Azure Active Directory B2B Collaboration best practices
Below are some best practices you can follow for Azure AD B2B collaboration.
- You can customize the sign-in page for your B2B guest users. You can always add your company branding to your sign-in page.
- It is better to add your company’s privacy statement link to the invitation redemption process.
- You can invite guest users in bulk from a CSV file. This way you can create multiple B2B guest users at once.
- You can use the Google federation feature to allow B2B guest users to sign in with their Google accounts.
- You can use the Email one-time passcode (preview) feature for B2B guests who can’t authenticate by other means. They will receive a code at their email address.
- You can also enable Multi-Factor Authentication (MFA) for the guest users with whom you want to share your company apps and services.
- If your organization enforces device-based Conditional Access policies, make sure to exclude your B2B guest users; otherwise they will be blocked, because their devices are not managed by your organization.
- You can also use the guest link feature to send a tenant-specific URL to your app or portal. The direct link should contain the tenant id or the verified domain name.
- If you are developing an app and want to give a different user experience to your tenant users and B2B guest users, you can use the UserType property in the Microsoft Graph API to determine whether the user is a guest user or a tenant user.
- You can use PowerShell to change the UserType property value from Guest to Member or from Member to Guest if the user's relationship with the organization changes.
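The bulk invitation from a CSV file and the UserType audit and change described in the best practices above, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module); the CSV contents, the email addresses and the redirect URL are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes Install-Module Microsoft.Graph
# has been run and the signed-in admin can invite and update users.
Connect-MgGraph -Scopes "User.Invite.All", "User.ReadWrite.All"

# Constructed sample CSV with the same columns you would export for a bulk invite;
# in practice replace this with Import-Csv .\guests.csv
$guests = @"
Email,DisplayName
partner1@example.com,Partner One
vendor2@example.net,Vendor Two
"@ | ConvertFrom-Csv

foreach ($g in $guests) {
    # Skip addresses that are already in the directory so we do not re-invite them.
    $existing = Get-MgUser -Filter "mail eq '$($g.Email)'" -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Already present, skipping: $($g.Email)"
        continue
    }

    # Placeholder redirect: where the guest lands after redeeming the invitation.
    $inv = New-MgInvitation -InvitedUserEmailAddress $g.Email `
        -InvitedUserDisplayName $g.DisplayName `
        -InviteRedirectUrl "https://myapps.microsoft.com" `
        -SendInvitationMessage:$true
    Write-Host "Invited $($g.Email) -> object id $($inv.InvitedUser.Id)"
}

# Audit: every guest, and whether the invitation has been redeemed yet
# (ExternalUserState is PendingAcceptance until the guest accepts).
Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, Mail, UserType, ExternalUserState |
    Select-Object Mail, UserType, ExternalUserState |
    Format-Table -AutoSize

# Relationship changed (for example, a contractor was hired): Guest -> Member.
# Placeholder address; replace with the real user's address.
$hired = Get-MgUser -Filter "mail eq 'partner1@example.com'"
if ($hired) {
    Update-MgUser -UserId $hired.Id -UserType Member
    Write-Host "UserType for $($hired.Mail) is now Member"
}
```

Changing UserType does not by itself change what the account can access; it only changes how the directory and Conditional Access (for example, an "All guest users" assignment) treat that account.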
Azure Active Directory B2B vs B2C
| Azure Active Directory B2B | Azure Active Directory B2C |
| --- | --- |
| Using Azure AD B2B (Azure Active Directory B2B collaboration), organizations can securely share their applications and services with guest users or external users from other organizations. | This can be used to support different customer transactions via different customized applications. |
| The identities are managed in the same directory as the employees. | The identities are managed in the application directory. |
| Supports easy integration with Office 365. | There is no support for Office 365 integration as of now. |
| The security and compliance policies are managed by the host or inviting organization. | The security and compliance policies are managed by the application. |
| The sign-up and approval feature is not yet supported. | You can enable this via custom policies. |
Azure AD B2C
Azure AD B2C (Azure Active Directory B2C) is an identity management service that gives you custom control over how your customers sign up, sign in, and manage their profiles, across platforms such as Android, iOS, etc.
You can also think of Azure AD B2C as an authentication solution whose pages can be customized with your own brand. You can customize the pages using HTML, CSS, and JavaScript for a better user experience.
For authentication, Azure AD B2C uses different protocols such as OpenID Connect, OAuth 2.0, and SAML.
Technical Features of Azure AD B2C
Let’s discuss a few of the key features of Azure AD B2C.
In Azure AD B2C, a tenant represents your organization, and the tenant is simply the directory of users.
Primary resources for Azure AD B2C
The main resources when working with Azure AD B2C are:
- Directory: responsible for storing your users’ credentials and profile data.
- Application registrations: register your applications with Azure AD B2C to enable identity management.
- User flows and custom policies: provide the identity experiences for your applications.
- Identity providers: provide the federation settings for your applications.
- Keys: provide the encryption keys used for signing in.
Different Accounts in Azure AD B2C
Azure AD B2C defines different types of accounts: work accounts, guest accounts, and consumer accounts.
Protects customer data with different mechanisms
Below are a few of the security features that Azure AD B2C provides to safeguard your data.
Multi-factor authentication
Azure AD B2C provides a multi-factor authentication feature that helps you safeguard your data with an additional form of authentication.
Password complexity
The user needs to provide a password that meets the password complexity rules. Enforcing a strong password policy in turn helps protect your data and applications.
Audit logs
Azure AD B2C provides audit logs that help you diagnose issues easily. They also provide information on the resources, access tokens, etc.
Usage insights
Azure AD B2C provides usage insights that help you see how users sign up, sign in, edit their profiles, reset their passwords, etc.
Smart account lockout
Azure AD B2C also provides a smart account lockout feature that immediately locks the account, based on the IP address of the request, when a password-guessing attempt is detected.
Azure B2B Limitations
Along with its benefits, Azure AD B2B also has some limitations. Those are as below:
- API access is not supported with Azure AD B2B.
- Individual invites are also not supported.
- Another important point is that Multi-factor authentication (MFA) for external users is not supported.
- Gmail or Yahoo as a consumer email is not supported here.
- With a CSV file, you can only upload a maximum of 2000 records.
- Distribution list invitation is not supported here.
Azure AD B2B MFA
Azure AD B2B supports Multi-Factor Authentication (MFA), which helps protect your data and applications. With this feature, the external user has to provide a username and password and, along with that, complete the additional security steps.
Scenario
Below is the actual process that needs to be executed for Azure AD B2B MFA.
- The guest user needs to access the cloud applications that are configured with Multi-Factor Authentication (MFA). The guest user has already received an invite from the admin.
- Next, the user logs in with his/her work, school, or social account.
- Then, as the second factor of authentication, the user is taken to the MFA step to complete.
- Once the user completes the MFA setup and chooses the desired option, the user is allowed to access the application.
How to implement Azure AD B2B MFA
Let’s discuss how to implement Azure AD B2B MFA. First, we need to create a test guest user in Azure Active Directory.
Creating/Inviting a test guest user in Azure Active Directory
Follow the steps below to create the test user in Azure Active Directory:
- Log in to the Azure Portal (https://portal.azure.com/) as an Azure AD administrator.
- Click on the Azure Active Directory from the left navigation.
- Now, on the Default Directory page, click on the Users link from the left navigation.
- On the Users page, click on the + New guest user button to create the new guest user.

- Select Invite user, provide the external email ID, and then click on the Invite button.

Creating a Conditional Access policy that requires MFA
Now, let’s see how to create a conditional access policy that requires MFA. Follow the steps below.
- Log in to the Azure Portal (https://portal.azure.com/) as an Azure AD administrator.
- Click on the Azure Active Directory from the left navigation.
- Select the Security option from the left navigation on the Azure Active Directory page, and then, on the Security page, click on Conditional Access from the left navigation.
- Click on the New Policy button on the Conditional Access page.
- In the Name text box on the New page, type Require MFA for B2B portal access.
- Now, select the Users and groups from the Assignments section.
- Next, choose Select users and groups and then select the All guest users option on the Users and groups page.
- Then select Done.
- From the Assignments section, select the Cloud apps option on the New page.
- Select the Select apps option and then choose Select on the Cloud apps page.
- Then you need to choose the Microsoft Azure Management option and then choose Select on the Select page.
- Now, select the Done option on the Cloud apps page.
- From the Access controls section, select the Grant option on the New page.
- Choose the Grant access and then select the Require multi-factor authentication check box and then select the Select option on the Grant page.
- Under Enable policy, select On.
- Finally, click on the Create button.
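The same Require MFA for B2B portal access policy built in the steps above, created from the command line instead of the portal, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and starts the policy in report-only mode so its effect can be checked in the sign-in logs before it is switched to On.

```powershell
# Added example (not from the original post). Assumes Install-Module Microsoft.Graph
# has been run and the signed-in account can manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Well-known first-party app id shown as "Microsoft Azure Management" in the
# Conditional Access app picker; confirm it under Enterprise applications in your tenant.
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

$policy = @{
    displayName = "Require MFA for B2B portal access"
    # Report-only first: sign-in logs show what the policy WOULD do without blocking
    # anyone. Change to "enabled" once the What If / report-only results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Same assignment as "All guest users" in the portal.
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications   = @{ includeApplications = @($azureManagementAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")     # Grant access, but require MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Read the policy back and show the fields the What If tool evaluates, so the
# stored assignment can be compared against what was intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Users'; e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'Apps';  e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls -join ',' } } |
    Format-List
```

To match the portal steps exactly, set `state` to `"enabled"`; to remove the policy after testing, use Remove-MgIdentityConditionalAccessPolicy with the id printed above.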
Simulating the sign-in with the What If option
Now, let’s simulate the sign-in using the What If option, following the steps below.
- Select the What If option on the Conditional Access page.
- Now, select the User option and then select the test guest user that we have created above, and then click on the Select button.
- Then select the Cloud apps option.
- The next step is to choose the Select apps option and then click on the Select option on the Cloud apps page. Then select the Microsoft Azure Management option in the applications list and then click on the Select button.
- Select the Done option on the Cloud apps page.
- On the Policies will apply tab, click on the What If option; you should now see the new policy that you created above under Evaluation results.
In this tutorial, we learned what Azure AD B2B (Azure Active Directory B2B collaboration) is, how to add guest users in the portal, and how to add guest users to enterprise applications.
Then we discussed how to implement conditional access for guest users for organization apps and services, and Azure Active Directory B2B collaboration best practices.