Azure AD B2B SHAREPOINT ONLINE COLLABORATION WITH EXTERNAL PARTNERS MADE SIMPLE Jose L Arbelaez – Enterprise Architect.

Presentation transcript:


What is the future of SharePoint? Discussion led by Jeff Teper
Jeff Teper, Microsoft Corporate Vice President of OneDrive and SharePoint, will lead us in discussing the future of the platform and then take your questions. Join us at 4pm for our final SPS Nashville session for all attendees in the State Farm room (volunteers will be providing directions to the hall).

About Me
 Enterprise Architect for Digital Collaboration, Communications and IoT
 8 years of SharePoint experience
 Favorite things in SharePoint: building workflows, forms, search
 I love solving technical problems
 Music composer: film scores, electronic and classical music

Connect with Me

Terms and Concepts
 B2B: Business to Business
 Authentication: where identities are validated
 Authorization: where access is defined
 Federation: a pair of realms or domains that have established a federation trust
 STS: Security Token Service
 Azure ACS: Azure Access Control Service

Background
Before Azure AD B2B, companies had two ways to solve this problem:
 Internally managed partner identities
 Inter-company federation relationships

Internally managed partner identities
Issues:
 Accounts are not disabled when the partner employee leaves the company
 Overhead on your internal IT to manage yet another directory (account provisioning, password resets, profile information changes, etc.)

Inter-company federation relationships
[Diagram labels: Partner users, Partner STS, SAML token, Company ADFS, trust, Azure ACS, Azure AD, Company users, Cloud]
Requires coordination and work with the partner's IT.
Issues:
 Smaller companies do not have the server infrastructure to configure and manage federation
 Complexity around managing multiple federation relationships with multiple partners
 Difficulty in compliance due to limited user visibility

How does Azure AD B2B solve this problem?
Azure AD B2B allows partner-managed identities to access your corporate applications, such as SharePoint Online, without your having to manage the identity itself. Azure AD provides a single point of federation where each user has a single Azure AD account. Azure AD also allows non-federated business partners to sign up for Azure AD accounts.

Azure AD B2B model
[Diagram labels: Company Azure AD, Company ADFS, trust, SAML token, Company users, New Partner Azure AD, Partner users without 365 tenancy, Existing Partner Azure AD, Partner users with existing 365 tenancy, Cloud]

Caution! You are about to see a DEMO Let’s hope not to upset the DEMO gods

Prerequisites:
1. Install the required PowerShell software to connect to Office 365:
 Install the Microsoft Online Services Sign-in Assistant
 Install the Windows Azure Active Directory Module for Windows PowerShell
You can also find instructions on how to configure Azure PowerShell here:

The following scenarios are based on a fictional company called JLAnet. In this case, the JLAnet corporation will create a SharePoint Online site collection for partner collaboration and send invitations to external partners.
Steps:
1. Create a SharePoint site collection, for example:
2. In the SharePoint Admin Center, select the newly created site collection and click 'Sharing'

3. In the Sharing options, ensure that either the second or the third sharing option is selected.

4. Create a security group for partner accounts in Office 365. For this demo, we will create a group called 'spsnashville'
5. Obtain the group's Object ID by looking at the group's properties in Azure AD. In this case the ID is: 25bbaa93-07a ac-5201dd059f6a

6. Go to the SharePoint site collection you intend to share and grant permissions to your newly created group:
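Steps 2 to 5 above are carried out in the SharePoint Admin Center and the Azure AD portal. The PowerShell below is an added example, not part of the original presentation, that performs the same setup with the MSOnline and SharePoint Online Management Shell modules; the tenant name, site URL and group description are placeholders. The site-level sharing setting cannot be more permissive than the tenant-level setting, so if the site command is rejected, check the tenant setting first.

```powershell
# Added example (not from the original deck): PowerShell equivalent of demo steps 2-5.
# Assumes the MSOnline module (from the deck's prerequisites) and the SharePoint
# Online Management Shell are installed, and that the caller is a global admin.
# Tenant and site names below are placeholders for the deck's fictional JLAnet company.

$TenantName = 'jlanet'                                              # placeholder
$AdminUrl   = "https://$TenantName-admin.sharepoint.com"
$SiteUrl    = "https://$TenantName.sharepoint.com/sites/partners"   # placeholder site collection

# Connect to both services (you will be prompted for credentials)
Connect-MsolService
Connect-SPOService -Url $AdminUrl

# Step 3: the deck allows the second or third sharing option. ExternalUserSharingOnly
# is the second one (invitees must sign in as authenticated users) and is the more
# conservative choice; ExternalUserAndGuestSharing, the third, also permits anonymous
# access links. Prefer the first unless anonymous links are actually required.
Set-SPOSite -Identity $SiteUrl -SharingCapability ExternalUserSharingOnly

# Step 4: create (or reuse) the security group that will hold partner accounts
$GroupName = 'spsnashville'
$group = Get-MsolGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName }
if (-not $group) {
    $group = New-MsolGroup -DisplayName $GroupName -Description 'External partner accounts (B2B)'
}

# Step 5: the ObjectId is the value the InvitedToGroups column of the invitation CSV expects
"Group '{0}' ObjectId: {1}" -f $group.DisplayName, $group.ObjectId

# Step 6 (granting the group permissions on the site) is done in the site's
# permissions page, as in the deck.
```

Keeping the partner group separate from internal groups, as the deck does, is what makes later review easy: membership of that one group is the complete list of external identities with access to the site.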

7. Prepare your invitation CSV file
Source:
Required fields
 Email: External partner's email address
 DisplayName: Display name for the external partner (first and last name)
Optional fields
 InvitationText: Customize the invitation text that appears after the app branding and before the redemption link.
 InvitedToApplications: AppIDs of corporate applications to assign to the user. AppIDs are retrievable in PowerShell by calling Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId
 InvitedToGroups: ObjectIDs of groups to add the user to. ObjectIDs are retrievable in PowerShell by calling Get-MsolGroup | fl DisplayName, ObjectId
 InviteRedirectURL: URL to direct an invited user to after invite acceptance. This should be a company-specific URL (such as contoso.my.salesforce.com). If this optional field is not specified, the invited user is directed to the App Access Panel, where they can navigate to your chosen corporate apps. The App Access Panel URL is of the form
 Cc Email Address: email address to copy on the emailed invitation. If the Cc Email Address field is used, this invitation cannot be used for email-verified user or tenant creation.
 Language: Language for the invitation and redemption experience, with "en" (English) as the default when unspecified. The other 10 supported language codes are: de: German, es: Spanish, fr: French, it: Italian, ja: Japanese, ko: Korean, pt-BR: Portuguese (Brazil), ru: Russian, zh-HANS: Simplified Chinese, zh-HANT: Traditional Chinese
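A CSV assembled by hand is easy to get subtly wrong (a mistyped address, an unsupported language code, a group name where an ObjectId was expected), and the portal upload gives little feedback. The script below is an added example, not from the original presentation, that builds the file from validated records. Column names follow the field list above; the exact header spelling (for instance CcEmailAddress) and the separator used for multiple IDs in one cell are assumptions, so compare them with the CSV template offered in the portal before uploading. The partner addresses and group ObjectId are constructed placeholders.

```powershell
# Added example (not from the original deck): build and validate the B2B invitation CSV
# described on the "Prepare your invitation CSV file" slide. Header names and the ';'
# separator for multi-valued cells are assumptions to check against the portal template.

$SupportedLanguages = 'en','de','es','fr','it','ja','ko','pt-BR','ru','zh-HANS','zh-HANT'
$MaxRecords = 2000   # per-CSV limit stated on the "Things to Keep in Mind" slide

function New-B2BInvitation {
    param(
        [Parameter(Mandatory)][string]$Email,
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$InvitationText = '',
        [string[]]$InvitedToApplications = @(),
        [string[]]$InvitedToGroups = @(),
        [string]$InviteRedirectUrl = '',
        [string]$CcEmailAddress = '',
        [string]$Language = 'en'
    )
    # Shape checks so a typo fails here instead of producing a silent, unusable invite
    if ($Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { throw "Invalid email: $Email" }
    if ($SupportedLanguages -notcontains $Language) { throw "Unsupported language code: $Language" }
    foreach ($id in ($InvitedToGroups + $InvitedToApplications)) {
        # Both columns expect GUIDs (ObjectId / AppPrincipalId), never display names
        if ($id -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') { throw "Not a GUID: $id" }
    }
    if ($CcEmailAddress) {
        # Per the slide, a Cc address disables email-verified user / tenant creation,
        # so partners without an existing tenancy will not be able to redeem this row.
        Write-Warning "Cc set for $Email - invite cannot be used for email-verified sign-up"
    }
    [pscustomobject]@{
        Email                 = $Email
        DisplayName           = $DisplayName
        InvitationText        = $InvitationText
        InvitedToApplications = ($InvitedToApplications -join ';')
        InvitedToGroups       = ($InvitedToGroups -join ';')
        InviteRedirectUrl     = $InviteRedirectUrl
        CcEmailAddress        = $CcEmailAddress
        Language              = $Language
    }
}

# Constructed sample data: placeholder group ObjectId (not the demo's) and site URL
$PartnerGroupId = '00000000-0000-0000-0000-000000000000'
$SiteUrl        = 'https://jlanet.sharepoint.com/sites/partners'

$invites = @(
    New-B2BInvitation -Email 'alice@partner.example' -DisplayName 'Alice Example' `
        -InvitedToGroups $PartnerGroupId -InviteRedirectUrl $SiteUrl
    New-B2BInvitation -Email 'bob@partner.example' -DisplayName 'Bob Example' `
        -InvitedToGroups $PartnerGroupId -InviteRedirectUrl $SiteUrl -Language 'de'
)

if ($invites.Count -gt $MaxRecords) { throw "CSV limit is $MaxRecords rows; split the file" }

# Upload the resulting file in Azure AD > Users > Create > 'Users in partner companies' (step 9)
$invites | Export-Csv -Path .\b2b-invites.csv -NoTypeInformation -Encoding UTF8
```

Setting InviteRedirectUrl to the partner site collection, as the deck's scenario implies, lands the partner directly on the resource they were invited to rather than on the App Access Panel.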

8. Your CSV will look similar to this. You can add as many users as you need.
9. It is now time to invite your external users. In Azure AD, go to Users and select Create. You will see a window similar to this, where you select 'Users in partner companies' as the user type. You will then see the option to upload your CSV file.

10. Your partner will receive an email with the invitation, sent from Microsoft. The email contains the link to redeem the invitation.

11. If the user is already part of an Office 365 tenancy, he/she will receive a message similar to this:

12. Your partner will then be logged in to your partner portal

When a partner does not have an existing Office 365 tenancy, he/she will be prompted to set up an account. If this is the first time an account from the partner's domain is registered, Azure will create a new Azure AD tenancy for that partner's domain.

After successfully entering a verification code, the partner is redirected to the login page for access.

Tracking the change in User Name in Azure AD can help you troubleshoot whether a partner user has redeemed their B2B collaboration invitation. The User Name attribute changes from the User Principal Name to the sign-in name.

Things to Keep in Mind
 B2B for Yammer is not yet possible but is part of the roadmap
 There are no APIs to perform all these steps in PowerShell yet. That is on the roadmap, but not in the near future
 Invites will not work if another user in your AAD is using the same email. You must delete the existing account in order to create a B2B user with the same email.
 The invitation comes from Microsoft and there is no way to customize the branding of the email itself
 The user sending the invite must be a global admin in Office 365
 The maximum number of records allowed per CSV is 2,000
 Enforcing multifactor authentication is not supported yet for B2B users
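The third point above, that an invite silently fails when the address already exists in your directory, is worth checking before the upload rather than after. The function below is an added example, not from the original presentation, that compares each address in a prepared CSV against existing user principal names, sign-in names and proxy addresses using the MSOnline module from the deck's prerequisites; it assumes an open Connect-MsolService session and a CSV with an Email column.

```powershell
# Added example (not from the original deck): pre-flight check for the
# "same email already in use" issue. Assumes the MSOnline module (Get-MsolUser)
# and an already-established Connect-MsolService session.

function Test-B2BEmailConflict {
    param([Parameter(Mandatory)][string[]]$Email)

    # Read the directory once rather than once per address (can be slow on large tenants)
    $users = Get-MsolUser -All

    foreach ($address in $Email) {
        # -eq and -contains are case-insensitive for strings, so 'SMTP:'/'smtp:' both match
        $conflicts = $users | Where-Object {
            $_.UserPrincipalName -eq $address -or
            $_.SignInName -eq $address -or
            ($_.ProxyAddresses -contains "smtp:$address")
        }
        [pscustomobject]@{
            Email    = $address
            Conflict = [bool]$conflicts
            Existing = (($conflicts | ForEach-Object { $_.UserPrincipalName }) -join '; ')
        }
    }
}

# Addresses taken from the invitation CSV prepared earlier (path is a placeholder)
$pending = Import-Csv .\b2b-invites.csv | Select-Object -ExpandProperty Email
Test-B2BEmailConflict -Email $pending | Where-Object Conflict | Format-Table -AutoSize
```

Any row this reports is one to resolve deliberately: the slide's remedy is to delete the existing account, which should go through the normal offboarding review rather than being done on the spot to make an invite work.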

References:

Remember to and tag #SPSNashville in your posts! Platinum Sponsors Gold Sponsors Silver Sponsors Thank You for being a part of SharePoint Saturday Nashville!