In this Azure tutorial, we will discuss Azure AD B2B, also known as Azure Active Directory B2B collaboration, and explain what it is and how to use it.
What is Azure Active Directory B2B collaboration (Azure AD B2B)
In an organization or an enterprise, you might be collaborating with external partners, vendors, or customers. These are popularly known as guest users. By using Azure AD B2B (Azure Active Directory B2B collaboration), organizations can securely share their applications and services with guest users or external users from other organizations, while retaining full control of their corporate data.
External partners can be small, medium, or large; you can work with them securely even if they do not have an Azure AD tenant or an IT department. Your guest users can access your organization's applications and services even by using a Gmail id.
Your external business partners can use their own credentials to access your organization's data after accepting a simple invitation.
Microsoft also allows developers to use the Azure AD B2B (business-to-business) APIs to customize the invitation process.
Your guest users do not require an Azure AD account; they can use their own work, school, or social identities.
As an organization, you also do not need to manage the external users' accounts and passwords.
Add Guest Users to Azure AD Portal
We can easily add guest users to Azure Active Directory portal.
Log in to the Azure AD portal.
Then click on Users -> All users -> + New guest user like below:
Then you can provide the user details, like Name, Email address, First name, Last name, Job title, Department etc. like below:
Once the user accepts the invitation, you can give the guest user access to various apps & services.
You can see the user listed like below:
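The same invitation can be sent from PowerShell. The block below is an added example (not code from the original post) that uses the AzureAD module's `New-AzureADMSInvitation` cmdlet, then reads the resulting guest object back to confirm its `UserType` and `UserState`; the email address, display name, redirect URL and message text are constructed placeholders, and the session is assumed to be signed in with an account allowed to invite guests.

```powershell
# Added example (not from the original post): invite one guest user with the AzureAD
# PowerShell module and confirm the resulting guest object. The email address, display
# name, redirect URL and message text are constructed placeholders.
Connect-AzureAD | Out-Null

$messageInfo = New-Object -TypeName Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$messageInfo.CustomizedMessageBody = "You have been invited to collaborate with Contoso (placeholder text)."

# Send the invitation email; the guest redeems it with their own work, school or social identity.
$invitation = New-AzureADMSInvitation `
    -InvitedUserEmailAddress "partner.user@example.com" `
    -InvitedUserDisplayName  "Partner User" `
    -InviteRedirectUrl       "https://myapps.microsoft.com" `
    -InvitedUserMessageInfo  $messageInfo `
    -SendInvitationMessage   $true

# The invitation creates the guest object immediately; UserState stays PendingAcceptance
# until the external user redeems the invitation.
$guest = Get-AzureADUser -ObjectId $invitation.InvitedUser.Id
"{0} | UserType={1} | UserState={2}" -f $guest.UserPrincipalName, $guest.UserType, $guest.UserState

# List every guest in the tenant so the new account can be reviewed alongside existing ones.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object DisplayName, Mail, UserState, CreationType
```

The final listing is worth running periodically on its own: guests that remain in `PendingAcceptance` for a long time are invitations nobody redeemed and are good candidates for removal.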
Add Guest users to Enterprise applications
Next, we add the guest user to enterprise applications in AAD (Azure Active Directory).
Click on Enterprise applications in the Azure Active Directory admin center, like below.
Then click on All applications, where you can see all your applications at the enterprise level.
Select the application to which you want to give the user access.
Then in the application, you can click on Users and groups -> + Add user like below:
Then you can select the Guest user and you can click on Assign.
Then you can see that the user has access to your enterprise application.
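The portal steps above map to an app role assignment on the application's service principal. The block below is an added example (not code from the original post) that performs the same assignment with the AzureAD module; the guest's email address and the application display name are placeholders, and the script assumes the guest has already been invited.

```powershell
# Added example (not from the original post): assign an existing guest user to an
# enterprise application from PowerShell. The guest's email address and the application
# display name are placeholders.
Connect-AzureAD | Out-Null

$guestMail = "partner.user@example.com"
$appName   = "Contoso Partner Portal"

$guest = Get-AzureADUser -Filter "mail eq '$guestMail' and userType eq 'Guest'"
if (-not $guest) { throw "No guest user found for $guestMail" }

# An enterprise application is represented by its service principal in the tenant.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "No enterprise application named '$appName'" }

# Pick a role: the first enabled user-assignable app role if the app defines any, otherwise
# the all-zero GUID, which grants default access to apps that define no app roles.
$role = $sp.AppRoles |
    Where-Object { $_.AllowedMemberTypes -contains "User" -and $_.IsEnabled } |
    Select-Object -First 1
$roleId = if ($role) { $role.Id } else { [Guid]::Empty.ToString() }

# Skip if the assignment already exists, so the script can be re-run safely.
$existing = Get-AzureADUserAppRoleAssignment -ObjectId $guest.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $roleId }
if ($existing) {
    "Guest $($guest.UserPrincipalName) is already assigned to $appName"
} else {
    New-AzureADUserAppRoleAssignment -ObjectId $guest.ObjectId -PrincipalId $guest.ObjectId `
        -ResourceId $sp.ObjectId -Id $roleId | Out-Null
    "Assigned $($guest.UserPrincipalName) to $appName with role $roleId"
}
```

Assigning the least-privileged app role rather than the default role is the point of the role lookup: if the application defines roles such as a read-only one, pass that role's Id explicitly instead of taking the first one returned.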
How to implement conditional access for guest users for Organization Apps and Services
You can also implement conditional access for your organization apps & services.
For example, you can create a policy for guest users or users outside of your network to sign in with multi-factor authentication.
Open Enterprise applications, then click on Conditional Access under Security.
There you can create a new policy for guest users.
Here, you can set Require multi-factor authentication for the guest and external users.
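The MFA-for-guests policy above, and the device-policy exclusion for guests mentioned in the best practices further down, can both be expressed as Conditional Access policies from PowerShell. The block below is an added example (not code from the original post) built on the AzureAD module's `New-AzureADMSConditionalAccessPolicy` cmdlet; the policy names are placeholders, the helper functions `New-GuestPolicyConditions` and `New-GrantControls` are this example's own, and both policies are created in report-only state so their effect can be checked in the sign-in logs before anything is enforced.

```powershell
# Added example (not from the original post): two Conditional Access policies created with
# the AzureAD PowerShell module. Policy names are placeholders. Both are created in
# report-only state so sign-in logs show the effect before anything is enforced.
Connect-AzureAD | Out-Null

function New-GuestPolicyConditions {
    # Example helper: builds a condition set covering all cloud apps, scoped to users by the
    # given include/exclude values ("GuestsOrExternalUsers", "All", or user object IDs).
    param([string[]]$IncludeUsers, [string[]]$ExcludeUsers = @())
    $c = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $c.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $c.Applications.IncludeApplications = "All"
    $c.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $c.Users.IncludeUsers = $IncludeUsers
    if ($ExcludeUsers.Count -gt 0) { $c.Users.ExcludeUsers = $ExcludeUsers }
    return $c
}

function New-GrantControls {
    # Example helper: grant controls combined with OR (a single control here).
    param([string[]]$Controls)
    $g = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
    $g._Operator = "OR"
    $g.BuiltInControls = $Controls
    return $g
}

# Policy 1: every guest or external user must pass MFA for all apps.
New-AzureADMSConditionalAccessPolicy `
    -DisplayName   "Require MFA for guests (example)" `
    -State         "enabledForReportingButNotEnforced" `
    -Conditions    (New-GuestPolicyConditions -IncludeUsers "GuestsOrExternalUsers") `
    -GrantControls (New-GrantControls -Controls "mfa") | Out-Null

# Policy 2: member users need a compliant device; guests are excluded because their
# devices are not managed by this tenant and would otherwise be blocked outright.
New-AzureADMSConditionalAccessPolicy `
    -DisplayName   "Require compliant device for members (example)" `
    -State         "enabledForReportingButNotEnforced" `
    -Conditions    (New-GuestPolicyConditions -IncludeUsers "All" -ExcludeUsers "GuestsOrExternalUsers") `
    -GrantControls (New-GrantControls -Controls "compliantDevice") | Out-Null

# Confirm both policies exist and are still report-only.
Get-AzureADMSConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "*(example)" } |
    Select-Object DisplayName, State
```

Switch `-State` to `enabled` only after the report-only results confirm that no break-glass or service account is caught by the policy; excluding at least one emergency-access account from every blocking policy is the usual safeguard.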
Azure Active Directory B2B Collaboration best practices
Below are some best practices you can follow for Azure AD B2B collaboration.
- You can customize the sign-in page for your B2B guest users. You can always add your company branding to your sign-in page.
- It is better to add your company’s privacy statement link to the invitation redemption process.
- You can invite bulk guest users from a CSV file. This way you can create multiple B2B guest users.
- You can use the Google federation feature to allow B2B guest users to sign in with their Google accounts.
- You can use the Email one-time passcode (preview) feature for B2B guests who can't authenticate by other means. They will receive a code at their email address.
- You can also enable Multi-Factor Authentication (MFA) for your guest users with whom you want to share your company apps and services.
- In your organization, if you are enforcing device-based Conditional Access policies, then make sure to exclude your B2B guest users, else they will be blocked as they are not managed by your organization.
- Also, you can use the guest link feature to send a tenant-specific URL to your app or portal. The direct link should contain the tenant id or the verified domain name.
- If you are developing an app and want to give a different user experience to your tenant users and B2B guest users, you can use the UserType property in the Microsoft Graph API to determine whether the user is a guest user or a tenant user.
- You can use PowerShell to change the UserType property value from guest to member, or from member to guest, if the user's relationship with the organization changes.
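Two of the practices above, bulk invitation from a CSV file and changing UserType from PowerShell, are shown together in the following added example (not code from the original post). It uses the AzureAD module; the CSV rows and the redirect URL are constructed sample data (in practice you would use `Import-Csv` on a real file), and the `Set-GuestRelationship` function is this example's own.

```powershell
# Added example (not from the original post): bulk-invite guests listed in a CSV and
# change a user's UserType with the AzureAD module. The CSV rows and the redirect URL
# are constructed sample data; in practice use Import-Csv on a real file.
Connect-AzureAD | Out-Null

$csv = @"
Email,DisplayName
alice.partner@example.com,Alice Partner
bob.vendor@example.org,Bob Vendor
"@
$rows = $csv | ConvertFrom-Csv

foreach ($row in $rows) {
    # Idempotent: skip addresses that already exist in the tenant, so re-running the
    # script does not send duplicate invitations.
    $existing = Get-AzureADUser -Filter "mail eq '$($row.Email)'"
    if ($existing) { "Skipping $($row.Email): already present as $($existing.UserType)"; continue }

    $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $row.Email `
        -InvitedUserDisplayName $row.DisplayName `
        -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage $true
    "Invited $($row.Email): status $($inv.Status)"
}

function Set-GuestRelationship {
    # Example helper: flip UserType when a partner becomes staff (or the reverse).
    # Changing UserType does not change how the user signs in; it changes directory
    # permissions and which guest-scoped policies apply, so review group and app
    # assignments after the change.
    param(
        [Parameter(Mandatory)][string]$Mail,
        [Parameter(Mandatory)][ValidateSet("Member", "Guest")][string]$UserType
    )
    $user = Get-AzureADUser -Filter "mail eq '$Mail'"
    if (-not $user) { throw "No user with mail $Mail" }
    if ($user.UserType -eq $UserType) { return "$Mail is already $UserType" }
    Set-AzureADUser -ObjectId $user.ObjectId -UserType $UserType
    return "$Mail changed from $($user.UserType) to $UserType"
}

Set-GuestRelationship -Mail "alice.partner@example.com" -UserType "Member"
```

The existence check before each invitation is the important part for a bulk job: the source CSV is often exported from a partner and will contain addresses already in the tenant, and re-inviting them creates confusing duplicate emails without creating new accounts.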
In this tutorial, we learned what Azure AD B2B (Azure Active Directory B2B collaboration) is, how to add guest users in the portal, and how to add guest users to enterprise applications.
Then we discussed how to implement conditional access for guest users for organization apps and services, and Azure Active Directory B2B collaboration best practices.