Tag Archives: Azure AD B2B

#Azure AD : All about Azure Active Directory


IT has moved from Datacenter Era to the Cloud Era. Focus of the organizations have been changed from one specific set of vendors to the open world of technology. Since Datacenter came in inception, Identity has played a vital role and always been used to treat as a backbone of IT. Now in the new era of multi-cloud environment, Identity is playing a centric role that itself is a new beginning of Identity that has been extended from IT backbone to user-experience oriented.

Microsoft had played a key role in datacenter era by Windows Server Active Directory and now again playing a crucial role in multi-cloud environment by offering Azure Active Directory. Microsoft Azure Active Directory in not only a directory service but it is a complete cloud service that can fulfill all your identity and authorization needs. However, you may find there are couple of things related to identity that can’t be fulfilled by native AAD features but it is continuously evolving.

In this era, organizations don’t need SME for everything but they need design SME who has board understanding of complete end-to end solution stack starting from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD and these posts mainly focus on how to do it or you can say step-by-step guides backed by real-time scenarios.

Microsoft Azure Active Directory

Azure AD Connect

SSO to SaaS

Application Proxy

Multi-factor Authentication

Self-service Password Management

Self-service group management

Access Panel/My Apps

Dynamic groups membership

Pricing, Licensing and Support

Conditional Access

Custom domain names

Company branding

Cloud App Discovery

Group-based licensing

Identity Protection Part I

Identity Protection Part II

Identity Protection Part III

Privileged Identity Management Part I

Privileged Identity Management Part II

Privileged Identity Management Part III

Azure Active Directory Domain Services Part I

Azure Active Directory Domain Services Part II

Azure Active Directory Domain Services Part III

Azure Active Directory Domain Services Part IV

Device Management – Azure AD Registering

Device Management – Azure AD Join

B2B Collaboration

B2B Licensing

B2C

Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

Above series of blog posts have covered most of the areas of Azure Active Directory. You can bookmark this blog post for any Azure AD need, I’ll try my level best to add new Azure AD related posts in this series.

Advertisements

#AzureAD : B2B Licensing


In my previous post, I have covered B2B collaboration capabilities and how to use it fundamentals. When you use this service, you should be very clear about licensing requirements for B2B functionalities. There is no black and white licensing requirements for this service but it totally depends on the functionality that you extend for B2B users.

Totally confused???

Let me simplify everything here by an example.

InsideMSTech is a conglomerate and deals in multiple business that includes many subsidiaries and it works along with variety of partners. Company has centralized supporting departments such as Finance, HR, Legal and IT. Many employees of these functions belong to subsidiaries, which are running independently.

Scenario 1: InsideMSTech is inviting external partner users as a B2B guest user and offering free Azure AD features.

License Requirements: No license required as organization is offering free services.

Scenario 2: InsideMSTech is inviting external partner users as a B2B guest user and offering free Azure AD features but guest user must use MFA for dual authentication.

License Requirements: Azure AD P1 license required as organization has mandate to use MFA. Now, you will have another question that how many licenses? You need to acquire 1 Azure AD P1 license for five unique guest users.

Scenario 3: InsideMSTech is inviting external partner users as a B2B guest user and offering Azure AD P1 features but guest user must have identity protect enabled.

License Requirements: Azure AD P1 license required for guest users in 5:1 ratio. But when you enable identity protection for B2B guest users then you must acquire Azure AD P2 licenses in 5:1 ratio.

Scenario 4: InsideMSTech subsidiary employees want to Access Azure AD services as a B2B guest user.

License Requirements: Azure AD license required based on the service used by the subsidiary employees. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

Scenario 5: InsideMSTech subsidiary employees want to Access Azure AD services as a B2B guest user using their personal email address.

License Requirements: Azure AD license required based on the service used by the subsidiary employees. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

Scenario 6: InsideMSTech acquired a small company, employees of this acquired company wants to Access Azure AD services as an employee of acquired company.

License Requirements: Azure AD license required based on the service used by the employees of acquired companies. This license will not be in 5:1 ratio, it will be in 1:1 ratio.

I hope, these scenarios helped you to understand B2B licensing requirements in a much simpler way. If you have any another scenario, where you need any assistance then please write your scenario in comment section. I’ll answer your query and will add your scenario in this post.

#AzureAD : B2B Collaboration


Azure Active Directory business-to-business (B2B) collaboration is a capability of Azure AD that simplifies the provisioning of non-corporate users (who don’t have accounts in organizational Azure Active Directory in any form, neither using cloud native Azure AD identity nor with hybrid identity) to provide access on organizational resources, applications and data. It enables collaborative capabilities to work with people beyond your organizations such as partners, vendors, freelancers, government agencies etc. There is no mandate for these external people to have any kind of specific identity requirements. To make it simple, I am calling every non-corporate user as a partner of your organization in this blogpost.

Your partner can have Azure AD tenant, Hybrid identity or with no corporate identity, or even with or without an IT organization. Using this capability, Organization with Azure AD can provide access to the organizational resources, application and data to any partner. This Access can be provided on three different levels, i.e. tenant level, application level and user level. Organizations can also leverage the Azure AD B2B APIs to write applications that can connect two organizations in a simpler and secure manner so that the users can take the advantage of collaboration without any identity chaos.

Azure AD provides the following set of capabilities:

Work with any user from any partner Simple and secure collaboration No management overhead

Partners use their own credentials

Provide access to any corporate app or data, while applying sophisticated, Azure AD-powered authorization policies

No external account or password management

No requirement for partners to use Azure AD

Easy for users

No sync or manual account lifecycle management

No external directories or complex set-up required

Enterprise-grade security for apps and data

No external administrative overhead

Courtesy: Microsoft

Let me show you how to do it.

Login to the Azure Active Directory Portal and go to the “Users”.

To invite a new non-corporate users, select “+New guest user”.

Enter the email address of the user and you can also add the personal message and then click on “Invite”.

User will receive a invite from the organization on his email account.

User has to open the email message and select “Get Started” to configure his account.

Once user select “Get Started” in the email message, he/she will be redirected to the organizational login page. Here select “Next” to continue.

Create your password to access the organizational resources, applications and data, and then click on Next.

You will receive a code on your email address, enter the received code here and click on Next.

Enter the captcha to verify your authenticity and click on Next.

You will be redirected to the page if your host organization has conditional access policy such as MFA.

Once, you are done with all the pre-requisite. You will be redirected Access panel of applications.

Now, as a host you can assign access to the guest users on your organizational applications.

Once, guest user will have access on application. He/She can access application from the access panel.

However, you can directly go to the enterprise applications and invite user from their itself. To invite a new guest, select “+Invite”

Enter the email address of guest and personal message.

Once, you will invite new guest user directly from the application then he/she has to follow the same method that we had followed earlier in this blogpost.