Azure Active Directory B2B collaboration is still in public preview, but it is an awesome service from Microsoft in Azure Active Directory, so you should know about it.
Azure AD B2B collaboration lets you enable access to your corporate applications from partner-managed identities. You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. Complexity is reduced because each company federates once with Azure Active Directory and each user is represented by a single Azure AD account. Security is increased because access is revoked when partner users are terminated from their organizations, and unintended access via membership in internal directories is prevented. For business partners who don’t already have Azure AD, B2B collaboration has a streamlined sign-up experience to provide Azure AD accounts to your business partners.
· Your business partners use their own sign-in credentials, which frees you from managing an external partner directory, and from the need to remove access when users leave the partner organization.
· You manage access to your apps independently of your business partner’s account lifecycle. This means, for example, that you can revoke access without having to ask the IT department of your business partner to do anything.
B2B collaboration simplifies management and improves the security of partner access to corporate resources, including SaaS apps such as Office 365, Salesforce and Azure services, and every mobile, cloud and on-premises claims-aware application. B2B collaboration enables partners to manage their own accounts, while enterprises can apply security policies to partner access.
Azure Active Directory B2B collaboration is easy to configure, with simplified sign-up for partners of all sizes, even if they don’t have their own Azure Active Directory, via an email-verified process. It is also easy to maintain, with no external directories or per-partner federation configurations.
For this scenario I have 2 user accounts:
· SA@fazar.info, administrator at SA Corporation
· Fazar.firstname.lastname@example.org, business partner from Infront Consulting
SA, as administrator, wants to share one web application from Azure Active Directory with the user Fazar, so that Fazar can use the application from SA Corporation. Fazar belongs to the business partner, but his company already has Azure Active Directory, so Fazar does not need to sign up to access the SA application resource.
Connect to Azure Active Directory
First we must know the application ID and the group ID, which we later put into the CSV file along with the business partner account, so that Fazar as business partner can see which applications he can access.
The CSV file follows the format below. Add all required commas even if you don’t specify one or more options.
Email: Email address for invited user.
DisplayName: Display name for invited user (typically, first and last name).
InviteAppID: The ID for the application to use for branding the email invite and acceptance pages.
InviteReplyURL: URL to which to direct an invited user after invite acceptance. This should be a company-specific URL (such as contoso.my.salesforce.com). If this optional field is not specified, the inviting company’s Access Panel URL is generated (this URL is of the form https://account.activedirectory.windowsazure.com/applications/default.aspx?tenantId=<TenantID>).
InviteAppResources: AppIDs to which applications can assign users. AppIDs are retrievable by calling Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId
InviteGroupResources: ObjectIDs for groups to add user to. ObjectIDs are retrievable by calling Get-MsolGroup | fl DisplayName, ObjectId
InviteContactUsUrl: “Contact Us” URL to include in email invitations in case the invited user wants to contact your organization.
1. Open PowerShell and run the following command: Connect-MsolService
2. In the sign-in dialog, type the user name and password of the Azure Active Directory administrator.
3. Type the following command to get the InviteAppID:
Get-MsolServicePrincipal -ServicePrincipalName Microsoft.Azure.ActiveDirectory
The InviteAppID is 00000002-0000-0000-c000-XXXXXX
4. Type the following command to get the AppPrincipalId:
Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId
For example, I choose YouTube as the application resource to share with my business partner.
5. Next, I want all my business partners in one group, so create a group in Azure Active Directory, then type the following command to get the group's ObjectId:
Get-MsolGroup | fl DisplayName, ObjectId
6. This is the CSV file after I put in all the IDs.
7. Go to Azure portal | Active Directory | Users | Add User and choose Users in partner companies.
8. Browse to the CSV file, then click the check mark.
9. Your business partner gets an email notification that he has been granted access to an application from your company.
10. To access your application, Fazar must click the link in the email; it opens the browser on the Azure Active Directory B2B invitation page, where he clicks Accept.
11. Sign in.
12. Fazar can see the application from SA Company (YouTube).
13. Fazar has been registered in SA's Azure AD.
14. Fazar is also in the B2B group in SA's Azure AD.
15. SA as administrator can see a report of how many business partners have been registered.
16. SA can also see whether the CSV import process succeeded or not.
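Steps 1 to 6 above, collected into one PowerShell script that looks up the three IDs and writes the invitation CSV in the format described earlier. This is an added example, not code from the original post: the MSOnline module is assumed, the group name 'B2B Partners' and the contact URL are placeholders, and the application display name 'YouTube' follows the post. The script refuses to write the file if a lookup does not return exactly one object, so a wrong application or group cannot be assigned to the partner by accident.

```powershell
# Added example (not from the original post). Requires the MSOnline module
# (Install-Module MSOnline) and an administrator of the inviting tenant.
Connect-MsolService

# InviteAppID: the Azure AD service principal that brands the invitation email.
$inviteApp = Get-MsolServicePrincipal -ServicePrincipalName 'Microsoft.Azure.ActiveDirectory'
$inviteAppId = $inviteApp.AppPrincipalId

# InviteAppResources: AppPrincipalId of the application shared with the partner
# (YouTube, as in the post). Insist on exactly one match before using it.
$sharedApp = @(Get-MsolServicePrincipal | Where-Object { $_.DisplayName -eq 'YouTube' })
if ($sharedApp.Count -ne 1) {
    throw "Expected exactly one application named 'YouTube', found $($sharedApp.Count)."
}

# InviteGroupResources: ObjectId of the dedicated partner group. Putting every
# partner in one group keeps revocation in one place. Group name is a placeholder.
$group = @(Get-MsolGroup -SearchString 'B2B Partners')
if ($group.Count -ne 1) {
    throw "Expected exactly one group matching 'B2B Partners', found $($group.Count)."
}

# Partner users to invite (constructed sample; the address is the one used in the post).
$partners = @(
    [pscustomobject]@{ Email = 'Fazar.firstname.lastname@example.org'; DisplayName = 'Fazar' }
)

# Placeholder "Contact Us" URL shown in the invitation email.
$contactUsUrl = 'https://www.example.com/contact'

# Build the rows. Every column is emitted even when empty, because the import
# requires all the commas. InviteReplyURL is left empty so the partner lands on
# the inviting company's Access Panel after accepting.
$header = 'Email,DisplayName,InviteAppID,InviteReplyURL,InviteAppResources,InviteGroupResources,InviteContactUsUrl'
$lines = foreach ($p in $partners) {
    if ($p.Email -match ',' -or $p.DisplayName -match ',') {
        throw "Commas are not allowed in Email or DisplayName: $($p.Email)"
    }
    @($p.Email, $p.DisplayName, $inviteAppId, '', $sharedApp[0].AppPrincipalId,
      $group[0].ObjectId, $contactUsUrl) -join ','
}

# Write the file that is uploaded under Users | Add User | Users in partner companies.
$csvPath = Join-Path -Path (Get-Location) -ChildPath 'b2b-invites.csv'
Set-Content -Path $csvPath -Value (@($header) + $lines) -Encoding UTF8

# Show what will be imported so the IDs can be checked against the portal before upload.
Import-Csv -Path $csvPath | Format-List
```

Review the printed rows before uploading: the InviteAppID, InviteAppResources and InviteGroupResources columns should match the values returned in steps 3 to 5.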