Azure Active Directory B2B Collaboration


Introduction

Azure Active Directory B2B Collaboration is still in public preview, but it is one of the most useful services in Azure Active Directory, so it is worth knowing about.

Azure AD B2B collaboration lets you enable access to your corporate applications from partner-managed identities. You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. Complexity is reduced because each company federates once with Azure Active Directory and each user is represented by a single Azure AD account. Security is increased because access is revoked when partner users are terminated from their organizations, and unintended access via membership in internal directories is prevented. For business partners who don’t already have Azure AD, B2B collaboration has a streamlined sign-up experience to provide Azure AD accounts to your business partners.

· Your business partners use their own sign-in credentials, which frees you from managing an external partner directory, and from the need to remove access when users leave the partner organization.

· You manage access to your apps independently of your business partner’s account lifecycle. This means, for example, that you can revoke access without having to ask the IT department of your business partner to do anything.

Capabilities

B2B collaboration simplifies management and improves security of partner access to corporate resources, including SaaS apps such as Office 365, Salesforce, Azure services, and every mobile, cloud and on-premises claims-aware application. B2B collaboration lets partners manage their own accounts, while enterprises can apply security policies to partner access.

Azure Active Directory B2B collaboration is easy to configure with simplified sign-up for partners of all sizes even if they don’t have their own Azure Active Directory via an email-verified process. It is also easy to maintain with no external directories or per partner federation configurations.

(https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/)

Scenario

For this scenario I have two user accounts:

· SA@fazar.info as administrator from SA corporation

· Fazar.susanto@infrontconsulting.com as business partner from Infront consulting

SA, as administrator, wants to share one web application from Azure Active Directory with the user Fazar, so that Fazar can use the application from SA Corporation. Fazar belongs to the business partner, but his company already has its own Azure Active Directory, so Fazar does not need to sign up to access SA's application resource.

Connect to Azure Active Directory

First we need to know the application ID and the group ID, which we later put into a CSV file along with the business partner's account. This is how Fazar, as the business partner, learns which applications he can access.

The CSV file follows the format below. Add all required commas even if you don’t specify one or more options.

Email: Email address for invited user.

DisplayName: Display name for invited user (typically, first and last name).

InviteAppID: The ID for the application to use for branding the email invite and acceptance pages.

InviteReplyURL: URL to which to direct an invited user after invite acceptance. This should be a company-specific URL (such as contoso.my.salesforce.com). If this optional field is not specified, the inviting company's Access Panel URL is generated (this URL is of the form https://account.activedirectory.windowsazure.com/applications/default.aspx?tenantId=<TenantID>).

InviteAppResources: AppIDs of the applications to which the invited user is assigned. AppIDs are retrievable by calling Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId

InviteGroupResources: ObjectIDs for groups to add user to. ObjectIDs are retrievable by calling Get-MsolGroup | fl DisplayName, ObjectId

InviteContactUsUrl: “Contact Us” URL to include in email invitations in case the invited user wants to contact your organization.

(https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/)

1. Open PowerShell and run the following command: Connect-MsolService

2. In the sign-in dialog, enter the user name and password of an Azure Active Directory administrator.

3. Run the following command to get the InviteAppID:

Get-MsolServicePrincipal -ServicePrincipalName Microsoft.Azure.ActiveDirectory

The InviteAppID is 00000002-0000-0000-c000-XXXXXX

4. Run the following command to get the AppPrincipalId of the application you want to share:

Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId

For example, choose youtube as the application resource to share with my business partner.

5. Next, I want all my business partners in one group, so create a group in Azure Active Directory and then run the following command to get the group's ObjectId:

Get-MsolGroup | fl DisplayName, ObjectId

Example group.

6. The CSV file after I have put in all the IDs.
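Steps 3 to 6 read the three IDs off the screen and paste them into the CSV by hand. The script below is an added example, not code from the original post or from Microsoft: it looks the IDs up with the same MSOnline cmdlets, writes the CSV in the column order given above, and checks the file before it is uploaded in step 8. The application name youtube and the partner's e-mail address come from the post; the group name 'B2B', the partner display name, the contact URL and the output path are assumptions.

```powershell
# Added example (not from the original post): build and validate the B2B invitation CSV.
Import-Module MSOnline
Connect-MsolService                     # sign in as an Azure AD administrator (steps 1-2)

$appDisplayName   = 'youtube'           # application shared with the partner (from the post)
$groupDisplayName = 'B2B'               # assumed name of the partner group from step 5
$contactUsUrl     = 'https://www.example.com/contact'   # placeholder, assumed
$csvPath          = Join-Path $env:USERPROFILE 'Desktop\b2b-invites.csv'   # assumed path

# Step 3: InviteAppID, the service principal that brands the invitation e-mail
$inviteApp = Get-MsolServicePrincipal -ServicePrincipalName 'Microsoft.Azure.ActiveDirectory'
if (-not $inviteApp) { throw 'Service principal Microsoft.Azure.ActiveDirectory not found' }

# Step 4: InviteAppResources, the AppPrincipalId of the application to assign.
# Insist on exactly one match so a similarly named app is never shared by accident.
$app = Get-MsolServicePrincipal -All | Where-Object { $_.DisplayName -eq $appDisplayName }
if (@($app).Count -ne 1) { throw "Expected one service principal named '$appDisplayName', got $(@($app).Count)" }

# Step 5: InviteGroupResources, the ObjectId of the group the partner is added to
$group = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $groupDisplayName }
if (@($group).Count -ne 1) { throw "Expected one group named '$groupDisplayName', got $(@($group).Count)" }

# Partners to invite; the address is the one used in the scenario above (display name assumed)
$partners = @(
    @{ Email = 'Fazar.susanto@infrontconsulting.com'; DisplayName = 'Fazar Susanto' }
)

$columns = 'Email', 'DisplayName', 'InviteAppID', 'InviteReplyURL',
           'InviteAppResources', 'InviteGroupResources', 'InviteContactUsUrl'

# Write the fields unquoted and keep every comma, as the format description requires.
# InviteReplyURL is left empty so the partner lands on the Access Panel after accepting.
$lines = @(($columns -join ','))
foreach ($p in $partners) {
    $lines += (@(
        $p.Email, $p.DisplayName, [string]$inviteApp.AppPrincipalId, '',
        [string]$app.AppPrincipalId, [string]$group.ObjectId, $contactUsUrl
    ) -join ',')
}
# ASCII avoids a UTF-8 byte-order mark being glued onto the first column name.
Set-Content -Path $csvPath -Value $lines -Encoding Ascii

# Check the file before step 8: correct header, a GUID in every ID column, a plausible
# e-mail address, and every row assigns the intended partner group and nothing else.
function Test-B2BInviteCsv {
    param([string]$Path, [string[]]$ExpectedColumns, [string]$ExpectedGroupId)
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No invitation rows in $Path" }
    $header = @($rows[0].PSObject.Properties.Name)
    if (($header -join ',') -ne ($ExpectedColumns -join ',')) {
        throw "Unexpected header: $($header -join ',')"
    }
    foreach ($r in $rows) {
        if ($r.Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { throw "Bad e-mail: $($r.Email)" }
        foreach ($c in 'InviteAppID', 'InviteAppResources', 'InviteGroupResources') {
            if (-not ($r.$c -as [guid])) { throw "$c is not a GUID in the row for $($r.Email)" }
        }
        if ($r.InviteGroupResources -ne $ExpectedGroupId) {
            throw "Row for $($r.Email) assigns a group other than '$groupDisplayName'"
        }
    }
    return $rows.Count
}

$count = Test-B2BInviteCsv -Path $csvPath -ExpectedColumns $columns -ExpectedGroupId ([string]$group.ObjectId)
Write-Host "$csvPath is ready with $count invitation(s)"
```

The group check is the one worth keeping: the CSV is the only place where the partner's access is decided, and a group ObjectId copied from the wrong line of the Get-MsolGroup output would silently put the partner into a different group. The script also fails rather than guesses when a display name matches more than one application or group.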

7. Go to Azure portal | Active Directory | Users | Add User and choose Users in partner companies.


8. Browse to the CSV file, then click the check mark.

9. Your business partner gets an email notification that he has been given access to an application from your company.

10. To access the application, Fazar must click the link in the email. It opens the Azure Active Directory B2B invitation page in the browser; click Accept.

11. Sign-in process.

12. Fazar can see the application from SA Company (youtube).

13. Fazar has been registered in SA's Azure AD.

14. Fazar is also a member of the B2B group in SA's Azure AD.

15. SA, as administrator, can see a report of how many business partners have been registered.

16. SA can also see whether the CSV import process succeeded or failed.
