Azure Active Directory (Azure AD) lets team members access external resources, including cloud applications. As an Identity as a Service (IDaaS) offering, Azure AD provides access to applications across cloud and on-premises environments.

In this article we are going to see how to implement Azure Active Directory (Azure AD) B2B Connect using Azure External Identities. Companies migrating to Azure often seek external cloud SME expertise to achieve digital transformation rapidly. This feature of Azure AD enables seamless collaboration with guests, consultants and other organizations while maintaining strict security controls.

https://youtu.be/85-bp7XxWDQ
Let’s assume there are two Azure AD tenants named “Marvel” and “DC”. By default, guest users can be invited into the Marvel tenant from any tenant, provided the inviter has the proper privileges. When two organizations collaborate, this model does not scale as the number of users grows. Instead, by leveraging Azure Active Directory (Azure AD) External Identities, as we will see below, it is possible to delegate user access between organizations while maintaining security controls.

Consider the other tenant, “DC”, and suppose that for compliance reasons we need a setup where only users from the DC tenant can be invited as guest users into the Marvel tenant. To do so, navigate to Azure AD -> External Identities -> External collaboration settings and, under Collaboration restrictions, select “Allow invitations only to the specified domains (most restrictive)” and add the domain name of the DC tenant there.

Now only DC tenant users can be invited as guest users into the Marvel tenant. Imagine that there are going to be hundreds of users from DC who need guest access to the Marvel tenant. Inviting and constantly managing each individual would be an overhead for the administrator of the Marvel tenant. So we are going to implement a setup in which a delegator in the Marvel tenant grants privileged access to a delegatee in the DC tenant. This delegatee will then invite the DC tenant users into the Marvel tenant and manage the lifecycle of those guest users. To do so, the delegator assigns the “Guest Inviter” role to the delegatee. In our example Ironman from the Marvel tenant is the delegator and Batman from the DC tenant is the delegatee. In the picture below you can see that the user Batman has been invited and assigned the Guest Inviter role in the Marvel tenant.

So now Batman can invite guest users only from the DC tenant into the Marvel tenant and cannot invite users from any other tenant, since only the DC domain is listed under the Azure External Identities collaboration settings. In the picture below, Batman, signed in to the Marvel tenant, tries to invite users from another tenant and is prompted with an error.

Now assume Batman has invited all four users in DC to the Marvel tenant, and all four users have redeemed the invitation. The setup now looks like the illustration below.
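The delegation step described above, done with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original article: it invites the delegatee as a guest into the Marvel tenant, looks up the built-in Guest Inviter role by its display name rather than a hard-coded template ID, and assigns it at tenant scope. The e-mail address, display name and redirect URL are constructed placeholders.

```powershell
# Added example (not from the original article): invite the delegatee from the DC
# tenant as a guest in the Marvel tenant and grant the Guest Inviter role.
# Requires the Microsoft.Graph PowerShell module and an account that can invite
# guests and manage directory role assignments in the Marvel tenant.
Connect-MgGraph -Scopes "User.Invite.All", "RoleManagement.ReadWrite.Directory"

$delegateeEmail = "batman@dc.example.com"   # constructed placeholder address

# 1. Invite the delegatee. This creates the guest user object in the Marvel tenant;
#    the invitation only succeeds if the domain is allowed by the collaboration settings.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $delegateeEmail `
    -InvitedUserDisplayName "Batman" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage:$true

$guestId = $invitation.InvitedUser.Id

# 2. Resolve the built-in Guest Inviter role by name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Guest Inviter'"

# 3. Assign the role tenant-wide ("/" directory scope). The guest can now invite users,
#    but still only from the domains permitted in the external collaboration settings.
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $guestId `
    -DirectoryScopeId "/"

# 4. Verify what the delegatee ended up with; this is the list to review periodically.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$guestId'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Guest Inviter is the least-privileged built-in role that allows inviting guests; keep the delegatee on that role rather than User Administrator, and include the assignment in the Marvel tenant's regular role review since it is held by an account the Marvel tenant does not control.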
Now we have another requirement: not all the invited users from the DC tenant should be able to access the Marvel tenant at all times. Only a few specific users from DC should be able to access the Marvel tenant from time to time, and the solution should be scalable. For this we are going to leverage the Azure External Identities B2B Connect feature. First, we need to create an Azure AD group in the DC tenant and add the users who should be given access to the Marvel tenant to that group, as in the snip below.

Copy the object ID of this group and save it for the steps we are going to perform next.

Then, in the Marvel tenant, navigate to Azure AD -> External Identities -> Cross-tenant access settings and select the inbound access settings of the DC tenant, highlighted below.

After selecting Inbound access, under the B2B collaboration tab choose ‘Customize settings’, select ‘Allow access’, and then select the ‘Add external users and groups’ option.

Now paste the object ID of the group copied earlier and click the Save button.

Now only the users in the “Multi-Universe-Group” can access the Marvel tenant. If any other user from DC tries to access Marvel, they are prompted with an error as shown below.

After implementing this procedure the setup looks like the one below.

Note: This particular feature, adding the object ID of a group or user, requires an Azure AD Premium P1/P2 license.
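The same inbound cross-tenant access configuration expressed as a Microsoft Graph request, as an added example that is not part of the original article. It creates the partner-specific configuration for the DC tenant in the Marvel tenant and restricts inbound B2B collaboration to the one group; the tenant ID and group object ID are constructed placeholders to be replaced with the real DC tenant ID and the object ID copied earlier.

```powershell
# Added example (not from the original article): restrict inbound B2B collaboration
# from the DC tenant to members of the Multi-Universe-Group, which lives in DC.
# Requires the Microsoft.Graph PowerShell module, run against the Marvel tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$dcTenantId = "00000000-0000-0000-0000-000000000001"   # placeholder: DC tenant ID
$dcGroupId  = "00000000-0000-0000-0000-000000000002"   # placeholder: Multi-Universe-Group object ID

$partner = @{
    tenantId = $dcTenantId
    b2bCollaborationInbound = @{
        # Only the listed group (an object in the DC tenant) may collaborate inbound.
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(
                @{ target = $dcGroupId; targetType = "group" }
            )
        }
        # Those users may reach all applications; narrow this list to specific app IDs
        # if the guests should only see particular resources.
        applications = @{
            accessType = "allowed"
            targets    = @(
                @{ target = "AllApplications"; targetType = "application" }
            )
        }
    }
}

# Create the partner-specific configuration. If one already exists for this tenant ID,
# use Update-MgPolicyCrossTenantAccessPolicyPartner with the same body instead.
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $partner

# Verify the effective inbound settings for the DC tenant.
Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $dcTenantId |
    Select-Object -ExpandProperty B2BCollaborationInbound |
    ConvertTo-Json -Depth 5
```

Two points worth checking after applying this: the group is resolved in the DC tenant, so membership changes made by DC administrators take effect in Marvel without any action on the Marvel side, and guests who were already invited but are not in the group are blocked at sign-in rather than removed, so their guest objects still need lifecycle management.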
Now let’s assume there is a VM named Krypton-VM in the Marvel tenant, and only guest users with the job title “Kryptonians” should be able to access it, with membership kept up to date automatically. For this requirement we can use an Azure AD dynamic group. We can create a dynamic group with the rule job title = ”Kryptonians”; users with that job title are then automatically added to the group. In the snip below you can see a group with such a membership rule.

Note: We can create an Azure AD dynamic group only with an Azure AD Premium P1/P2 license.

The users Superman and Supergirl have the Job title attribute set to “Kryptonians”, so they are automatically added to this dynamic group.

Then the appropriate RBAC role is assigned to the dynamic group, so all the users in the group inherit the access.
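The dynamic group and role assignment from the last two steps, as an added example that is not the article's own code. It goes slightly beyond the article's rule: the membership rule also requires `user.userType -eq "Guest"` so that a Marvel employee who happens to carry the same job title does not land in the group. The resource group name and the chosen RBAC role (Virtual Machine User Login) are assumptions; the article only says "the appropriate RBAC role".

```powershell
# Added example (not from the original article): create a dynamic group in the
# Marvel tenant for guest users with job title "Kryptonians" and grant that group
# a role scoped to Krypton-VM only. Requires the Microsoft.Graph and Az modules.
Connect-MgGraph -Scopes "Group.ReadWrite.All"
Connect-AzAccount

# Membership rule. The article matches on job title alone; the userType clause is an
# addition here so that only guest accounts qualify. Note that jobTitle is evaluated
# on the guest object in the Marvel tenant, so it must be set (and trusted) there.
$rule = '(user.jobTitle -eq "Kryptonians") -and (user.userType -eq "Guest")'

$group = New-MgGroup `
    -DisplayName "Kryptonians-Dynamic" `
    -MailEnabled:$false `
    -MailNickname "kryptonians-dynamic" `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Membership is evaluated asynchronously; confirm the rule is active before relying on it.
Get-MgGroup -GroupId $group.Id -Property "id,membershipRule,membershipRuleProcessingState" |
    Select-Object Id, MembershipRule, MembershipRuleProcessingState

# Scope the role assignment to the single VM rather than the resource group or subscription.
# "marvel-rg" is an assumed resource group name.
$vm = Get-AzVM -ResourceGroupName "marvel-rg" -Name "Krypton-VM"

# "Virtual Machine User Login" is an assumed role; choose the one the workload actually needs.
New-AzRoleAssignment `
    -ObjectId $group.Id `
    -RoleDefinitionName "Virtual Machine User Login" `
    -Scope $vm.Id

# Show who currently resolves into the group (Superman and Supergirl once processing completes).
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
```

Because access now follows an attribute, whoever can edit the job title of guest objects in the Marvel tenant can effectively grant access to Krypton-VM; limit that permission and alert on changes to the attribute for guest accounts.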
The final setup after completing all the steps above is depicted below.