Collaborating across Office 365 tenants utilizing Azure B2B

Late last year Microsoft announced the release of the Azure B2B Collaboration capability. Azure B2B allows you to ease the management process of allowing users from different organisations to share data and collaborate with each other within applications that utilise Azure AD for authentication.

Although we refer to users from different organizations, they may in fact be users that are part of the same organization but reside within different Office 365 tenants. A good example of this is when mergers occur between organizations, or a large organization operates under a number of different brands or divisions.

This challenge has typically been overcome by federating on-premises AD with the partner organisation, or by creating external user accounts for clients within your own on-premises AD. Both approaches bear a number of overheads, additional challenges and constraints when used with cloud-based applications such as Office 365 that rely on Azure AD for authentication.

Azure B2B handles this quite simply, by allowing you to “invite” external users to the Azure AD that is used to authenticate against a particular application, be it Office 365 or another Azure AD based application, such as Unily (BrightStarr’s digital workplace solution). These invited users then continue to utilize their single Azure AD account for authentication (assuming they already have one), so they don’t have to remember multiple account names and passwords. If they don’t have an existing Azure AD account, the user will be prompted to create a new external account. Either way, the account gets added to the Azure AD tenant into which they have been invited.

The rest of this article walks through the process of inviting and adding external users to an Azure AD application. We use Unily as a real-world example to demonstrate how an Azure AD based application that integrates with SharePoint Online within Office 365 can take advantage of Azure B2B, so that users who belong to different organisations with separate Office 365 tenants can collaborate with each other.

Configuration walkthrough

For detailed documentation from Microsoft on the Azure B2B feature and configuration options, please see this article.

The walkthrough below describes a real-world example of how, within a single invitation, one or more users can be invited to an Azure AD based application that integrates with multiple resources. In this case, we’re inviting external users to an Azure hosted application (Unily) that integrates with SharePoint for document storage.

Unily has been deployed to an Office 365 tenant for a fictitious retail-aligned organisation, Daisy Kane. In this example we want to be able to add users from another Office 365 tenant to utilise Unily and take advantage of the integration features with Office 365. More specifically, Unily integrates with SharePoint Online to surface all documents that a user has access to within SharePoint Online. In this scenario we’re going to allow our external users to view documents within a specific document library within SharePoint Online.

1. Create Office 365 Security Group

The first step is to create the required Security groups in the Office 365 Administration centre. In this example we’re just creating a single group that will be later added to the SharePoint site Visitors group, to allow our external users to view SharePoint documents that reside within the BrightStarr tenant within Unily. You could create additional groups that could later be associated with higher privileged SharePoint groups.

Within the Office 365 Administration centre, you can create a new group of Type “Security Group” and give it a name.

2. Capture Group ID

Once the group has been created, we need to extract the ID of the group. Use the following PowerShell to identify group IDs (first connect to your tenant from a PowerShell console with the MSOL module loaded):

    1. Get-msolgroup | fl displayname, objectid
    2. Make a note of the ObjectID values for the newly created group (example highlighted in yellow below).

3. Assign Office 365 Group to SharePoint Group

Once the Office 365 Security Group has been created, this can then be added to the appropriate SharePoint group that has the correct associated permission level. In this case the Visitors Group (which has Read access to the site).

4. Identify Unily Azure AD Application Principal ID

Next, we need to identify the Application Principal ID of the Unily Azure AD application. Use the following PowerShell to identify the App Principal ID for Unily (assuming Unily has already been registered within Azure AD):

  1. Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId
  2. Make a note of the AppPrincipalId value for the Unily application (example highlighted in yellow below).

5. Populate users in CSV file to invite

Next, we need to build out a CSV file with the list of users. The format is as follows (this can be copied into a text file); the first line is the header and each subsequent line is one user to invite:

    Email,DisplayName,InvitationText,InviteRedirectUrl,InvitedToApplications,InvitedToGroups,CcEmailAddress,Language
    external3@brightstarrdevelopment.onmicrosoft.com,External3,Hi External 3! I hope you’ve been doing well.,https://daisykane.unily.com,8748284f-347e-41e2-baba-494d9268d9a2,16efa594-ff90-4333-8ab3-8bb8e0d3ea28,sam.hassani@brightstarr.com,en

  The fields to populate are:
      1. Email: Email address of the user
      2. DisplayName: Full name of the user
      3. InvitationText: The welcome message
      4. InviteRedirectUrl: The URL of the application (Unily)
      5. InvitedToApplications: The App Principal ID of Unily captured earlier
      6. InvitedToGroups: The Group ID to add the user to captured earlier
      7. CcEmailAddress: Any additional people to CC in the invitation email
      8. Language: Default language (en)
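Steps 2, 4 and 5 above are usually scripted together so that the IDs are never hand-copied and the invitation text is quoted correctly. The following PowerShell is an added example (it is not from the original post and not part of Unily); it assumes the MSOnline module is installed, that the group display name and the application display name below are placeholders for your own, and it uses constructed sample invitees:

```powershell
# Added example: build the Azure B2B invitation CSV from the group and
# application IDs described in steps 2, 4 and 5. Not code from the original post.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials of the inviting (host) tenant

$GroupDisplayName = 'Unily External Readers'   # hypothetical name of the group from step 1
$AppDisplayName   = 'Unily'                    # hypothetical display name of the Azure AD app
$RedirectUrl      = 'https://daisykane.unily.com'
$CcAddress        = 'sam.hassani@brightstarr.com'
$OutFile          = '.\b2b-invites.csv'

# Step 2: resolve the security group's ObjectId, failing loudly if the name is ambiguous
$group = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $GroupDisplayName }
if (@($group).Count -ne 1) {
    throw "Expected exactly one group named '$GroupDisplayName', found $(@($group).Count)"
}

# Step 4: resolve the application's AppPrincipalId the same way
$sp = Get-MsolServicePrincipal -All | Where-Object { $_.DisplayName -eq $AppDisplayName }
if (@($sp).Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $(@($sp).Count)"
}

# Constructed sample invitees; replace with your real list
$invitees = @(
    @{ Email = 'external3@brightstarrdevelopment.onmicrosoft.com'; DisplayName = 'External3' },
    @{ Email = 'external4@brightstarrdevelopment.onmicrosoft.com'; DisplayName = 'External4' }
)

# Step 5: one row per invitee, with the columns in the order the upload expects
$rows = foreach ($i in $invitees) {
    # Reject anything that is not a single plausible address before it becomes an invitation
    if ($i.Email -notmatch '^[^@\s,]+@[^@\s,]+\.[^@\s,]+$') {
        throw "Invalid email address: $($i.Email)"
    }
    [pscustomobject]@{
        Email                 = $i.Email
        DisplayName           = $i.DisplayName
        InvitationText        = "Hi $($i.DisplayName)! I hope you've been doing well."
        InviteRedirectUrl     = $RedirectUrl
        InvitedToApplications = $sp.AppPrincipalId   # captured in step 4
        InvitedToGroups       = $group.ObjectId      # captured in step 2
        CcEmailAddress        = $CcAddress
        Language              = 'en'
    }
}

# Export-Csv quotes every field, so a comma in InvitationText cannot shift the
# group or application ID into the wrong column.
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($rows).Count) invitation row(s) to $OutFile"
```

Resolving both IDs by exact display name, and refusing to continue when the lookup returns anything other than one object, is the check worth keeping: a typo that matches a different group would silently grant the invitees that group’s SharePoint permissions.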

6. Upload CSV file to Azure B2B

Once the users have been added to the CSV with all required fields populated, we can upload this to Azure AD:

  1. Login to the Azure Portal and navigate to the Users tab within the correct directory
  2. Click Add User
  3. In the Type of User field, select the “Users in partner companies” option
  4. Browse for the CSV file created above and click Complete
  5. Click on the Reports tab to view the invitation processing status, to hopefully view “Processing finished.”

7. End user accepts invitation

The end user will receive the invitation email:

The end user then clicks the link, at which point they will see Azure B2B in action.

They will be prompted to log in with their own Office 365 credentials, which redirects them to the Azure AD sign-in page, assuming their organisation email address is associated with Office 365.

That’s it. When they hit sign-in, they’ll be redirected to the Unily landing page.

Finally, they can also access the SharePoint site to which they’ve been granted access, as well as seeing these documents within Unily’s document centre and other document-related widgets.
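Once invitations have been accepted, it is worth confirming that the resulting guest accounts ended up in the group you granted SharePoint Visitor access to, and nowhere else. The following PowerShell is an added example (not from the original post); it assumes the MSOnline module and uses the same hypothetical group name as the earlier steps:

```powershell
# Added example: audit guest accounts in the host tenant against the B2B security group.
# Not code from the original post.
Import-Module MSOnline
Connect-MsolService

$GroupDisplayName = 'Unily External Readers'   # hypothetical name of the group from step 1

$group = Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $GroupDisplayName }
if (@($group).Count -ne 1) {
    throw "Expected exactly one group named '$GroupDisplayName', found $(@($group).Count)"
}

# Every B2B (guest) account currently in the host tenant
$guests = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Guest' }

# ObjectIds of everyone in the group that carries the SharePoint permission
$memberIds = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    ForEach-Object { $_.ObjectId }

# One line per guest: guests outside the group did not arrive through this
# invitation process and should be reviewed; guests inside it have only the
# Read access the Visitors group grants.
$report = foreach ($g in $guests) {
    [pscustomobject]@{
        UserPrincipalName = $g.UserPrincipalName
        DisplayName       = $g.DisplayName
        Created           = $g.WhenCreated
        InB2BGroup        = ($memberIds -contains $g.ObjectId)
    }
}

$report | Sort-Object InB2BGroup, Created | Format-Table -AutoSize
```

Running this periodically, rather than only once after the upload, catches guests that were invited later by other means and never placed in a group whose permissions you control.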

Conclusion

Hopefully this article has illustrated how easy it is to use the new Azure B2B capabilities, and how powerful this feature really is for collaborating with business partners within applications built using Azure AD.

As always, feel free to get in touch with any questions you may have!

Thanks,

Sam


Sam Hassani Principal Consultant
