Late last year Microsoft announced the release of the Azure B2B Collaboration capability. Azure B2B eases the management of letting users from different organisations share data and collaborate with each other within applications that utilise Azure AD for authentication.
Although we refer to users from different organizations, they may in fact be users that are part of the same organization but reside within different Office 365 tenants. A good example of this is when mergers occur between organizations, or a large organization operates under a number of different brands or divisions.
This challenge has typically been overcome by utilizing the federation methods used with AD on-premises, or by creating external user accounts for clients within your on-premises AD. Both approaches bear a number of overheads and additional challenges and constraints when utilizing cloud-based applications such as Office 365 that leverage Azure AD for authentication.
Azure B2B handles this quite simply, by allowing you to “invite” external users to the Azure AD that is used to authenticate against a particular application, be it Office 365 or another Azure AD based application, such as Unily (BrightStarr’s digital workplace solution). These invited users then continue to utilize their single Azure AD account for authentication (assuming they already have one), so they don’t have to remember multiple account names and passwords. If they don’t have an existing Azure AD account, the user will be prompted to create a new external account. Either way, the account gets added to the Azure AD tenant into which they have been invited.
The rest of this article walks through the process of inviting and adding external users to an Azure AD application. In fact, we utilise Unily as a real-world example to demonstrate how an Azure AD based application that integrates with SharePoint Online within Office 365 can take advantage of Azure B2B to allow multiple users who belong to different organisations with separate Office 365 tenants to collaborate with each other.
For detailed documentation from Microsoft on the Azure B2B feature and configuration options, please see this article.
The walkthrough below describes a real-world example of how, within a single invitation, one or more users can be invited to an Azure AD based application that integrates with multiple resources. In this case, we’re inviting external users to an Azure hosted application (Unily) that integrates with SharePoint for document storage.
Unily has been deployed to an Office 365 tenant for a fictitious retail-aligned organisation, Daisy Kane. In this example we want to be able to add users from another Office 365 tenant to utilise Unily and take advantage of the integration features with Office 365. More specifically, Unily integrates with SharePoint Online to surface all documents that a user has access to within SharePoint Online. In this scenario we’re going to allow our external users to view documents within a specific document library within SharePoint Online.
1. Create Office 365 Security Group
The first step is to create the required Security groups in the Office 365 Administration centre. In this example we’re just creating a single group that will be later added to the SharePoint site Visitors group, to allow our external users to view SharePoint documents that reside within the BrightStarr tenant within Unily. You could create additional groups that could later be associated with higher privileged SharePoint groups.
Within the Office 365 Administration centre, you can create a new group of Type “Security Group” and give it a name.
2. Capture Group ID
Once the group has been created, we need to extract the ID of the group. Use the following PowerShell to identify Group IDs (first connect to your tenant from a PowerShell console with the MSOL modules loaded):
- Get-MsolGroup | fl DisplayName, ObjectId
- Make a note of the ObjectId value for the newly created group.
3. Assign Office 365 Group to SharePoint Group
Once the Office 365 Security Group has been created, it can be added to the SharePoint group that has the correct associated permission level, in this case the Visitors group (which has Read access to the site).
4. Identify Unily Azure AD Application Principal ID
Next we need to identify the Application Principal ID of the Unily Azure AD Application. Use the following PowerShell to identify the App Principal ID for Unily (assuming Unily has already been registered within Azure AD):
- Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId
- Make a note of the AppPrincipalId value for the Unily application.
5. Populate users in CSV file to invite
Next, we need to build out a CSV file with the list of users. The format is as follows (this can be copied into a text file):
firstname.lastname@example.org,External3,Hi External 3! I hope you’ve been doing well.,https://daisykane.unily.com,8748284f-347e-41e2-baba-494d9268d9a2,16efa594-ff90-4333-8ab3-8bb8e0d3ea28,email@example.com,en
- The fields to populate are:
- Email: Email address of the user
- DisplayName: Full name of the user
- InvitationText: The welcome message
- InviteRedirectUrl: The URL of the application (Unily)
- InvitedToApplications: The App Principal ID of Unily captured earlier
- InvitedToGroups: The Group ID to add the user to captured earlier
- CcEmailAddress: Any additional people to CC in the invitation email
- Language: Default language (en)
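A pre-upload check for the invitation file, as an added example that is not part of the original walkthrough: it verifies that every row points at the expected application, group and redirect URL before anything is sent. The column names come from the field list above; the two rows, the partner.example and daisykane.example addresses and the Test-InviteRow helper are constructed for illustration, and the rows are assumed to carry no header line.

```powershell
# Column names, in the order given in the field list above.
$columns = 'Email','DisplayName','InvitationText','InviteRedirectUrl',
           'InvitedToApplications','InvitedToGroups','CcEmailAddress','Language'

# Values captured in steps 2 and 4 (here: the IDs from the sample row above).
$expectedAppId   = '8748284f-347e-41e2-baba-494d9268d9a2'
$expectedGroupId = '16efa594-ff90-4333-8ab3-8bb8e0d3ea28'
$expectedHost    = 'daisykane.unily.com'

# Constructed sample rows: the first is correct, the second uses http and an unexpected group.
$rows = @'
"external3@partner.example","External3","Hi External 3!","https://daisykane.unily.com","8748284f-347e-41e2-baba-494d9268d9a2","16efa594-ff90-4333-8ab3-8bb8e0d3ea28","owner@daisykane.example","en"
"external4@partner.example","External4","Welcome","http://daisykane.unily.com","8748284f-347e-41e2-baba-494d9268d9a2","00000000-0000-0000-0000-000000000000","owner@daisykane.example","en"
'@ | ConvertFrom-Csv -Header $columns

function Test-InviteRow {
    param($Row)
    $problems = @()
    if ($Row.Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $problems += 'Email is not a valid address'
    }
    # The invitation must grant only the application and group captured earlier.
    if ($Row.InvitedToApplications -ne $expectedAppId) {
        $problems += 'InvitedToApplications is not the expected App Principal ID'
    }
    if ($Row.InvitedToGroups -ne $expectedGroupId) {
        $problems += 'InvitedToGroups is not the expected Group ID'
    }
    # The redirect must be an absolute https URL on the expected host.
    $uri = $null
    $parsed = [uri]::TryCreate($Row.InviteRedirectUrl, [System.UriKind]::Absolute, [ref]$uri)
    if ((-not $parsed) -or $uri.Scheme -ne 'https' -or $uri.Host -ne $expectedHost) {
        $problems += 'InviteRedirectUrl is not https on the expected host'
    }
    $problems
}

$report = foreach ($row in $rows) {
    [pscustomobject]@{ Email = $row.Email; Problems = (Test-InviteRow $row) -join '; ' }
}
$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { $_.Problems }) {
    Write-Warning 'Fix the rows listed above before uploading the CSV.'
}
```

Pinning the group ID in the check keeps an invitation from placing an external user in a more privileged group than the Visitors-mapped one created in step 1.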
6. Upload CSV file to Azure B2B
Once the users have been added to the CSV with all required fields populated, we can upload this to Azure AD:
- Log in to the Azure Portal and navigate to the Users tab within the correct directory
- Click Add User
- In the Type of User field, select the “Users in partner companies” option
- Browse for the csv file created above and click complete
- Click on the reports tab to view the invitation processing status, which should hopefully show “Processing finished.”
7. End user accepts invitation
The end user will receive the invitation email:
The end user then clicks the link, at which point they will see Azure B2B in action.
They will be prompted to log in with their own Office 365 credentials which redirects them to the Azure AD sign in page, assuming their organisation email address is associated with Office 365.
That’s it. When they hit sign-in, they’ll be redirected to the Unily landing page.
Finally, they can also access the SharePoint site for which they’ve been granted access, as well as seeing these documents within Unily’s document centre and other document-related widgets.
Hopefully this article has illustrated how easy it is to use the new Azure B2B capabilities and how powerful this feature really is for collaborating with business partners within applications built using Azure AD.
As always, feel free to get in touch with any questions you may have!