How to manage partner identities better with Azure AD B2B

It’s one thing having to manage the identities of users in your organisation’s directory; how tricky must it be to add users from your partners into the mix? The task is perhaps not as great as you’d expect, thanks to Azure AD B2B.

Working out the best way to interact with partners, particularly where large numbers of users are involved, has posed a problem for IT professionals for a while. One approach taken historically has been to ‘federate’ with each partner: a way of making use of partners’ own credentials to login to the host organisation’s resources. But this activity is complex and carries an overhead per partner.

Another common approach is to manage the partner identities within the host organisation – creating and managing accounts for each partner user. But with this approach comes a lot of manual updating, and possible security risks. Thanks to Azure AD B2B, the drawbacks of these other approaches can be avoided altogether.

A service based on Microsoft’s Azure Active Directory feature, B2B makes it easier for organisations to collaborate with partners on the same web applications. It removes all the hard work from linking two cloud-based Active Directories and facilitates seamless partner interactions.

 

HERE’S HOW IT WORKS

Step 1: Invite the user

A user from a partner organisation is invited to join a shared active directory in Azure AD B2B.

Click the ‘Add User’ button in the Azure Active Directory Users page as usual, but – in the drop down menu – choose ‘Users in partner companies’. At this point (in the classic Azure portal), you will need to upload a spreadsheet of users to be added.

A sample with column headings is available from the same dialogue box, but you can include email address and name as a minimum, going on to add group IDs and more as optional extras.

Step 2: User accepts invitation

A user from a partner organisation receives an email from Microsoft Azure with a link to click to accept the B2B invitation to join a shared active directory.

The partner user receives an email from Microsoft Azure with a link to accept the B2B invitation.

  • If the user does not yet have an Azure AD account, they will then be prompted to create a ‘work or school account’. Behind the scenes, this creates a free Azure Active Directory tenant.
  • If the user already has an Azure AD account, they will simply be prompted to sign in.

In cases where an AAD tenant is created, IT departments may subsequently take over this tenant by following the instructions here – see ‘How to perform a DNS domain name takeover’.

Step 3: Application appears on “myApps”

An application from a user belonging to a partner organisation to join a shared active directory appears in "myApps" in Azure.

The new partner user exists as a ‘Guest’ account within the host/originating AAD, and can be granted membership of groups in this AAD. However, the partner user’s credentials only exist in the partner AAD. This means that:

  • The partner only has to remember one set of credentials to log into their Windows computers, Azure apps and any B2B host’s Azure apps.
  • When the partner user leaves their organisation, they will no longer have access to any of the B2B host applications.

 

Conclusion

Microsoft’s Azure AD B2B enables information workers to collaborate with partners around the world. It provides them with seamless access to documents and applications, while maintaining complete control over their internal data. Its innovative new approach means that organisations can finally work together in a secure, collaborative and seamless way.

Is access to your organisation’s online services as seamless and secure for users as it should be? Take our Customer Identity And Access Management Assessment now to find out.

Find out more about collaborating easily and efficiently with partners and see Azure AD B2B in action by watching a recording of our webinar: ‘Discover the Potential of Microsoft Azure AD B2B Collaboration and B2C’.