By now, hopefully you’ve already read my first blog post from today announcing the exciting news about the preview releases of Azure AD B2B and our Azure AD Collaboration features. This second post is a by Arvind Suthar, the Principal PM in our PM team who has lead our B2B efforts. I hope you’ll find it interesting and give these new capabilities a try!
And we’d love to receive any feedback or suggestions you have!
Alex Simons (Twitter: @Alex_A_Simons)
I’m Arvind Suthar, a PM in the Identity Division at Microsoft. Today, I’m going to walk you through the new public preview of Azure AD B2B. This is a new set of capabilities that enable simple and secure collaboration with your business partners, providing a simple sign up process regardless of what kind of identity systems they have in place.
Collaboration between organizations has become essential to the value companies create. Many companies take on projects that require partnering with other companies to spread risk or assemble expertise. Many companies, including Microsoft, have extensive supply chains and partner networks made up of large and small companies that are essential to delivering customer value. And identity and access management is at the core of each and every one these collaborations; you need to give your partners access to key applications and data, but you also need to make sure these assets don’t end up in the hands of the wrong people.
Traditionally, there have been two ways organizations have tried to solve this problem:
- Inter-company federation relationships
- Internally managed partner identities
Setting up inter-company federation relationships is the classic approach but has problems:
- Most large companies do business with many smaller companies that don’t have the expertise and can’t afford the server infrastructure to setup and manage federation.
- Complexity grows linearly when you have to manage a federation relationship with each partner. Managing thousands of federation relationships becomes untenable.
- With federation, you have very limited user level visibility making compliance and audit challenging.
These difficulties lead many companies to create directories of internally managed partner identities, a practice with its own security and management concerns:
- Accounts in these internally managed directories can easily provide too much access and put the whole organization at risk.
- These accounts are disconnected from the partner’s identity system, so they are not disabled when partner employees change jobs or are terminated.
- This is yet another set of usernames and passwords for partners to remember and yet another set of identities for you to manage (provision, de-provision, reset passwords, etc.).
We believe that the ideal cross company identity model is one where each partner has the ability to manage their own employee identities, integrated into their existing IT systems, according to their own corporate policy, in a way that works for their business while providing rich cross-company visibility, and world class compliance and control.
And Microsoft is uniquely positioned to help you achieve this ideal.
Azure AD is the identity platform for Microsoft’s enterprise cloud services (including Office 365 and Azure) and the foundation for cross-company collaboration features. With over 6 million organizations already using Azure AD, many of your business partners already have (or will soon have) their own Azure AD tenant. And Azure AD supports hundreds of millions of users, billions of authentications per day, and has a high availability design with state of the art, constantly evolving detection and protection systems.
Introducing Azure AD B2B Collaboration
Azure Active Directory B2B collaboration lets you enable access to your corporate applications from partner managed identities. You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. Complexity is reduced as each company federates once with Azure AD and each user is represented by a single Azure AD account. Security is increased as access is lost when partner users are terminated from their organizations and unintended access is not granted by membership in internal directories. For business partners that don’t already have Azure AD, B2B collaboration has a streamlined signup experience to provide Azure AD accounts to your business partners.
Let’s walk through Azure AD B2B from the admin and partner end user perspectives.
Walkthrough: Admin Experience
B2B collaboration allows a company administrator to invite and authorize a set of external users by uploading a comma-separated values (CSV) file to the Azure management portal. The portal will send email invitations to these external users. The invited user will either sign in to an existing work account with Microsoft (managed in Azure AD), or get a new work account in Azure AD. Once signed in, the user will be redirected to the app that was shared with them.
CSV file format
Azure AD B2B supports uploading a CSV file that contains information to brand the invitation and redemption experience and authorize access for the invited user.
Uploading a CSV file
The Azure portal “Add User” dialog has been updated with a “Users in partner companies” option. The CSV file format as well as a sample CSV file are documented here.
Invitation Summary Report
Once the CSV file is uploaded, the status of processed invitations can be reviewed in the “Invitation summary” report in the “Reports” tab of the inviting directory in the Azure management portal.
Invitation Detail Report
Clicking on any Batch ID in the Invitation Summary report will launch an invitation detail report for that batch showing the email, processing timestamp, and status of each invited user. From this report you are able to download the errors in a CSV file that can be corrected and re-uploaded. You are also able to download the original CSV file from this page if needed.
Walkthrough: End User Experience
The email that partner employees receive is branded with the tenant branding of the inviting organization and with the application branding of the application specified by the InviteAppID in the CSV. The user is prompted to go to the provided link to accept the invitation.
Invitation Accept Landing Page
The invitation accept landing page provides some context for the invited user on how to accept the invitation. The landing page below explains that the user is about to create an email verified account in Azure AD. The topic of email verified accounts and unmanaged tenants and how they can be brought under admin control are covered in this article on self-service signup.
Under different scenarios, this landing page may explain that the user is about to sign in or that the user is signed in with a different account so needs to sign out first.
Simplified Signup for Partners Without Azure AD
When the user clicks “Accept” in the screen above, they get the Azure AD signup screen below prompting them to enter a password, display name, and region.
Once the user signs in with his new credentials, he is redirected to the InviteReplyURL specified in the CSV. If the InviteReplyURL is blank, the partner user will be directed to the access panel in the inviter tenant. Applications specified in the InviteAppResources field should appear here.
The invited user will be added to groups specified in the InviteAppResources field. If the user is added to a group that has been granted access to SharePoint Online resources, the user should be able to access these resources as shown below.
I hope you’ll take the time to try this new set of capabilities out. We’d love to hear from you as your input will help us ensure that we are delivering a solution that is exactly on target for enabling simple and secure cross-organization collaboration.
If you have any suggestions, questions, or comments, please let us know!
Arvind Suthar (@arvindsuthar)
Principal Program Manager
Azure Active Directory