Azure AD B2B Collaboration (Business to Business)
In this episode of the Azure AD and Identity Show, your host, Simon May, talks to Arvind Suthar of the Identity Division about Azure AD B2B and how it can help your organization collaborate securely and easily with any other organization that has an Azure AD tenant, which includes every Office 365 customer!
More resources and next steps
- Learn: Enterprise mobility core skills
- Try: Enterprise Mobility Suite (EMS) free evaluation
- Connect: Join the Identity conversation on Twitter
- Gartner Magic Quadrant: Visionary in Identity as a Service
- Watch: How to simplify external resource sharing with Azure AD B2B collaboration
- Watch: Get the inside track from Microsoft experts
[00:01] Simon: Hello and welcome to the Azure Active Directory and Identity Show. My name is Simon May, your host, taking you through some of the most interesting features inside of Azure Active Directory and the identity space. Joining me today is Arvind from the Identity team. What are we going to talk about today?
[00:17] Arvind: We're going to talk about Azure AD B2B Collaboration. This is a feature that my team has been working on for the past year or so.
[00:23] Simon: B2B means business to business collaborations...
[00:26] Arvind: Business to business yes.
[00:26] Simon: ...so this is going to be a feature that's going to help people work with partners as a group.
[00:30] Arvind: That's right. It's going to let you as an organization share your applications with your business partners and let them access your applications using their own credentials.
[00:38] Simon: Great. So I'm kind of thinking that you had a real problem in mind that you were trying to solve with this. Can you elaborate on that problem a little bit for us?
[00:46] Arvind: Yeah, definitely. So these days much of the value that's created by companies is created in collaboration with other companies. So you take myself, I spend most of my time talking to customers outside of the building, you know, in addition to talking to people inside Microsoft, I spend more time talking to people outside of the company.
[01:06] Similarly, a lot of companies take on projects where in order to spread the risk or gather the talent that they need, they need to work across a set of organizations and all collaborate together to achieve their end.
[01:21] Companies like Microsoft and others have big supply chain networks or partner networks where they need to send information out to these partners and also pull information in and get feedback from these supply chain networks that they have.
[01:34] So, all of these kinds of problems call out for an identity management system that lets you do this cross-org collaboration and have some security when you're having these people outside of your organization access stuff.
[01:47] Simon: So this is kind of what I would have done in the past: I would probably have gone and set up a separate Active Directory, set up the domain controllers. I might have then added the users from those partner groups into that Active Directory.
[02:01] I'd probably set up some trusts between my directories, my forests, and it's kind of a lot of hard work. I'm guessing that you've done a lot to fix that.
[02:11] Arvind: Yeah, that's exactly it. So the classic traditional model is this trust, you know, configuring federations, setting up servers, going and talking to your business partners, exchanging certificates, negotiating protocols, doing all this kind of stuff.
[02:23] It's kind of some heavy lifting and if you have two thousand business partners it becomes a job in itself to just maintain these settings and set up these relationships and some of your partners aren't going to be able to do that.
[02:34] So your smaller business partners, your mom and pop operations, they're not going to be able to set up servers and manage all of this stuff.
[02:40] So, what a lot of companies do, Microsoft included, is they create these partner directories or they put these users in their own employee directories.
[02:51] And that has its own set of problems because, you know, you don't know when this person leaves the partner organization, these accounts get stale, they become kind of these zombie accounts or these accounts that are ripe for attack from hackers that are looking to penetrate your systems.
[03:06] So these are the two models that we're trying to solve with Azure AD B2B.
[03:12] Simon: Cool. What's the actual mechanism that you've put in place in order to be able to solve those particular problems?
[03:20] Arvind: Yeah, so it's an invitation model, basically, so we allow you as an admin of one organization to invite people from other organizations and control what they can access. You control the access. Your partner organizations control the identity and authentication method.
[03:36] We've put this into the Azure portal so that you're able to compile your list of users that you want to have access, what you want them to have access to, and you can fire them off and a set of invitations go out to these folks.
[03:49] Simon: So I literally no longer have to think about how do I manage usernames and passwords for the mom and pop shops that might be doing some work for me because they're incredibly good, they're really specialists?
[03:58] I don't have to think about how do I manage authentication flows with other directories? How do I keep other directories up and running to make sure things work?
[04:07] Arvind: Yeah that's right. If your partners have Azure AD, if they have Office 365, if they've already made the move to the cloud, then you're golden. They just use those same credentials to access your resources.
[04:18] If they don't, if they're these mom and pops, then they can sign up for an Azure AD account as part of the invitation process. I'll show you that flow when we do the demo.
[04:28] Simon: Yeah, actually, let's take a look at it right now.
[04:30] Arvind: Okay, cool. Alright, I'm going to start by launching the access panel and show you the applications I, as an employee, may have access to. As you'll see here I'm logged in as the admin of the ID Demo Company and I have access to SharePoint Online and Salesforce.
[04:46] For SharePoint Online we're going to do something where we put all the external users into a group named externals and that group is going to let us have access to the SharePoint site collection, the SharePoint team site. So we see that this is the SharePoint team site for the Identity Demo Company.
[05:11] We can check the page permissions here and see that Team Site Members includes a group called externals. So we'll remember that, because that is the group which our new users are going to be added to. I'm also going to copy this URL so we can test it out later.
[05:33] So here we have the CSV. In order to send out invitations for users to get access to your resources, you're going to compile a CSV file like this. The CSV file has the email address, the display name, and the app ID where you want to direct the user to. You can direct them to the SharePoint site.
[05:56] In this case, if you leave it blank, it will direct the user to the access panel for the inviting directory. These are the apps that your user's being assigned to, and the group. So, if you need to know what the group is, you can go to PowerShell and you can find the group here by running the Get-MsolGroup command; you can get the required object ID.
[06:25] By running the Get-MsolServicePrincipal command you can find out the app principal ID, for Salesforce in this case. So let's save this as a new file.
[06:56] Now we're going to go into the Azure portal to invite these users to access my resources. So here we are - the users tab - add user.
[07:15] Here we see that we can add users in partner companies as a new option in the add user dialogue. We press for the file and upload the file.
[07:42] When the file is uploaded we get a link here to see the status report to see how the invitations are doing. So when they go from one state to another, they'll show up. So we see that the email generation has started, we see that this Gmail account does not yet work because we don't yet support social identities. We'll go and wait for the mail message.
[08:04] Simon: Do they maybe have like a normal Active Directory user in...
[08:09] Arvind: That's a great question.
[08:09] Simon: ...almost all circumstances? Can you use them in Dynamics groups for example?
[08:12] Arvind: You can. The big difference between these users that are invited and your normal members is these users are tagged as guests, which means that they can't be an administrator of your directory or occupy any of those roles; they can't see, they can't go and enumerate everybody in the tenant.
[08:32] Simon: Excellent, yes, not something you would want people to be able to do.
[08:35] Arvind: Right, and they can only see a small set of attributes. So we've kind of scoped them down so that you can have higher confidence having these users floating around your directory.
[08:48] Okay here's the mail message that was sent out. Company branding is here. Salesforce icon is here.
[08:57] This is the application that's been shared with us. Here's the link that we go to to redeem the invitation. We see that there's some branding here, the Salesforce logo, and we can accept the invitation now. It's explained to us that we will be signing up for an account, and we're prompted to enter a password twice.
[09:47] Okay, and we see that now we have access to the Salesforce application with our external user account that was created in the Identity Demo Company. We should also have access to the SharePoint site, and we see that we're able to access the SharePoint team site using this Arvind Suthar 40 account.
[10:17] If you have any questions about Azure AD or all the great things going on with it, here is our homepage for Azure AD. We have lots of hopes that we're going to make people's lives easier. We have a company that we're working with, Kodak Alaris, who is using this to rebuild their corporate extranet.
[10:39] As they separated from Kodak they needed to, you know, have their thousands of business partners still access ERP systems and still access their corporate environment and so they innovate. Rather than standing up a bunch of servers and doing federation, they're just using Azure AD B2B to do it.
[10:55] Simon: Awesome, it looks like an amazing feature that's going to save folks a huge amount of time in order to be able to get people collaborating with other folks inside of their organization and really being able to bring their partners into their collaboration flows and into their regular workflows.
[11:09] So it looks like you built an amazing set of features that are going to help people really collaborate. I guess one of the reasons for building this is that, actually, there's a lot of people that already have access to Active Directory and so forth.
[10:22] Arvind: That's right. So what we've built is a system where we want there to be one account per user, one federation configuration per company and a system that takes advantage of the six million directories that are already in Azure AD so your partners can just use what they already have most likely to access your systems.
[10:40] Simon: Yeah, it should make life a lot easier for you folks. Thanks very much for watching. We will see you on the next episode.