More Related Content
Similar to External collaboration with Azure B2B
External collaboration with Azure B2B
- 1.
- 2. About Me Sjoukje Zaal PrincipalExpert Microsoft / Azure MVP T: @SjoukjeZaal W: https://www.sjoukjezaal.com
- 3. Agenda What is AzureB2B? Why Azure B2B? Key Benefits and Capabilities Demos! Azure B2B & Office 365 More Demos!
- 4. What is AzureActive Directory B2B? Azure Active Directory Business-to-Business (B2B) enables any organization to work safely and securely with users from any other organization.
- 5. Why use AzureActive Directory B2B? -Gives Access to: • Azure & Office 365 resources • Custom Applications • Third Party Applications • Documents & data
- 6. Key Benefits • Workswith any user • Azure AD not required • Users can use their own identities • No external directories • Simple & Secure • Easy for admins and users • Access to any app and data • Enterprise-grade security for apps and data • No external account management
- 7. Capabilities • Invite guestusers by email • Conditional Access Policies • Sharing Policies • Azure AD Identity Protection • Auditing and Reporting • Customize onboarding using PowerShell & Invitation APIs • Licensing: 1:5 ratio
- 8. Flow of AddingGuest Users Admin adds guest user to Azure AD Guest user receives an invitation email Guest user clicks link in the invitation Guest user logs in with own account Guest user accepts the privacy statement Guest user is redirected to the App landing page
- 9.
- 10. Demo Summary • Add Guestuser with a personal Microsoft account to Azure AD • Add Guest user to a group • Add group to an application
- 11. Invitation Email • Companybranding / information • Subject • Personal Message • Redemption URL
- 12.
- 13. Demo Summary • Userreceives invitation • User accepts the invitation • User logs in using own credentials • User accepts the privacy terms • User can access the applications
- 14. Add Guest UsersWithout Invitation Guest Invitor Directory Role Sending out a direct link
- 15. APIs & PowerShell B2B collaboration invitation APIs PowerShellfor bulk invitations
- 16. Invitation Customization • WithPowerShell / API Invitations you can: • Customize email messages • Add a display name for the user • Add CCs to the messages • Suppress invitation email messages altogether • Set the invitation redirect URL
- 17.
- 19. Demo Summary • Downloadthe latest Azure Active Directory PowerShell for Graph • https://www.powershellgallery.com/packages/ AzureADPreview/2.0.1.18 • Create a CSV file with email addresses • Create accounts with PowerShell
- 20. Conditional Access • PremiumAzure AD • At Tenant, app or user level • Same policies as internal users • Easy to set policies for guest users (Preview)
- 21.
- 22. Demo Summary • Createa new Conditional Access Policy • Select “All Guest Users” • Enable MFA for guest users • Logged in as a guest user • Used MFA to access the application
- 23. Microsoft provides sample code fora Self- Service Portal on GitHub.
- 24. Azure B2B SelfService Portal • MVC sample application • Uses the Graph API • Approve / deny guest users • Custom email templates • TOC settings / Custom redirect URL
- 25.
- 26. Demo Summary • Adda guest user using Self Service Portal • Approve or deny guest user • Create custom email templates • TOC for guest users
- 27. External Sharing in Office365 VS Azure B2B • Office 365 uses Azure B2B • Except for SharePoint Online & OneDrive • Different Invitations • Different Licensing
- 28. Differences Invitation Redemptionin Azure B2B & Office 365 B2B users can be selected before accepting the invite Office 365 users can be selected after accepting the invite
- 29. Adding guest users usingPowerApps, Flow and the Graph API in SharePoint Online Demo
- 30. Solution Components PowerApp Flow AzureAD App Graph API
- 31. Demo Summary • Create anAzure AD Application • Setting the Application Permissions • Create a Flow invitation process • Call the Azure AD App from Flow • Create a PowerApp for sign-up guest users • Use the MS Graph to add guest users • Use the MS Graph to send email invitations • Detailed blog post: https://www.sjoukjezaal.com/azure-b2b- sharepoint-online-solution-using-powerapps- flow-and-the-graph-api/
- 32. Current Limitations • Possibledouble multi-factor authentication • Azure AD Directory Limits • Replication Latency
- 33.
Editor's Notes
- #5 Technically this means that all external users are added to a subdirectory inside Azure AD. External users can use their own credentials to login to all the Azure features and resources.
- #7 Enterprise Grade Security: Azure AD Premium features are also available for B2B users.
- #8 Sharing Policies User policies to delegate the invitation of guest users to other users inside your organization. Or turn off invitations. Azure Active Directory Identity Protection: Only in Azure AD Premium P2 Is a feature of Azure AD which helps you prevent and detect against identity attacks. It helps discovering compromised identities, support for investigating security events and more. Auditing and Reporting Provides information about which users are invitited, updated and deleted. When invitations are redeemed and more.
- #9 https://myapps.microsoft.com
- #10 Add Guest users to Azure AD Add Guest users to a group Add Guest users and groups to an application
- #13 - External users without a personal Microsoft account or Work / School account, need to provide an password when they log in to the site for the first time.
- #24 The subject of the email follows the following pattern: You're invited to the <tenantname> organization
- #25 Information workers can use the Application Access Panel to add B2B collaboration users to groups and applications that they administer.
- #31 Guest Invitor Directory Role The admin can to add a user, internal or guest, to the Guest inviter directory role. Then this user can add guest users to Azure AD, Groups or applications using the UI or PowerShell without the need for invitations te be redeemed. Sending out a direct link https://myapps.microsoft.com After a guest user has been added to the directory in Azure AD, an application owner can send the guest user a direct link to the app they want to share. The administrator needs to enable: Self-Service Group Management for the tenant. Create a group for the App and make the user an owner. Configure the App for Self Service and add the group to the app
- #32 Open Azure Portal -> Azure AD Groups -> General Turn on Self Service Management Go to Enterprise Applications -> Select the App Left Menu: Self Service Allow users to request access to this application – YES Add the External AD Users group Left Menu: Groups Owners : User Go to myapps.Microsoft.com Click Groups Add external user.
- #43 Azure Active Directory PowerShell for Graph - Public Preview Release 2.0.1.18
- #44 https://www.powershellgallery.com/packages/AzureADPreview/2.0.1.18 Install-Module -Name AzureADPreview -Scope CurrentUser -Verbose
- #45 Install-Module -Name AzureADPreview -Scope CurrentUser
- #46 Install-Module -Name AzureADPreview -Scope CurrentUser
- #60 https://b2bselfserviceportal-webdxysej2ftgz7g.azurewebsites.net
- #67 Azure B2B users can be selected from sharing dialog boxes before accepting the invite, O365 external users only after accepting the invitation.
- #68 Azure portal Azure AD -> Enterprise Applications -> SharePoint B2B App -> Required permissions Ms Graph enable the following permissions Application Permissions: Read and write directory data Invite guest users to the organization Hover over the settings to see the Internal names used on 3. Copy the Tenant ID, Application ID and App secret to notepad 4. Open Flow Walk to the settings 5. Open PowerApps 6. Open SharePoint Online, and add a guest user using the PowerApp. 7. Login outlook.com
- #69 PowerApps -> is a service for Power users and developers to easily build custom applications using templates. Users don’t need to have programming skills for building apps using PowerApps Flow -> With Flow you can create workflows to automate tasks and integrate various applications. This looks a lot like Logic Apps but Flow is part of the Office 365 offering. Graph API -> is the gateway to all data in Azure and Office 365. It offers a set of APIs to access data and documents inside your Azure tenant.
- #72 enable the following permissions Application Permissions: Read and write directory data Invite guest users to the organization Hover over the settings to see the Internal names used on
- #90 1. When MFA is turned on at the resource organization and at the partner organization, users might to perform MFA twice. 2. Azure AD B2B is subject to Azure AD service directory limits. For details about the number of directories a user can create and the number of directories to which a user or guest user can belong, see Azure AD service limits and restrictions. 3. Users are added to one directory instance and updated when the invitation is redeemed. When the call is made to retrieve the user object, it is possible that is retrieved from another instance. So replication latencies can occur…