Many administrators are familiar with Azure Active Directory, but a related service called Azure AD B2B plugs a...
functionality gap to give external users access to internal resources.
Azure Active Directory (Azure AD) is well-known as a cloud-based identity management platform. It's similar in some ways to the more familiar on-premises Active Directory that's used to manage and authenticate users and computers.
But Azure AD is very different. It can synchronize objects with on-premises Active Directory, but it is much more identity- and access-focused to connect users to various cloud services. One requested feature for Azure AD was the ability to admit outside users to internal resources with Azure AD as the gatekeeper. Microsoft released Azure AD B2B in April 2017 for this purpose.
Azure AD underpins Office 365 user management. To run Office 365 effectively, admins must understand the Azure AD basics, such as setting up Azure AD Connect to sync Active Directory objects to the Azure AD tenant.
Reasons to use Azure AD B2B
Azure AD B2B is an effective way to grant access and share resources to known external resources. Known identities, such as internal staff members who exist in AD, get synced to Azure AD. Through this basic level of security, they get access to internal company resources, such as SharePoint, email and OneDrive for Business. The organization might want external users to have access to the same services.
Azure AD B2B enables administrators to tailor permissions so it's possible to share a single SharePoint site and nothing else in the Office 365 tenant.
How Azure AD B2B works
To set up permissions through Azure AD B2B, a user invites an external party from the Azure portal with their email address. Administrators can give non-admins in an organization permission to add B2B users through the Azure Active Directory access panel.
The recipient clicks the emailed link and follows the instructions until they log in. Azure AD checks if the recipient has an Azure AD account. If they do, then they use those credentials for guest access to the Azure AD tenant. If they don't have an Azure AD account, one is created for the domain with no cost or any configuration work. The account lives in its own tenant that IT cannot access. Azure AD B2B also supports public email addresses, such as Outlook and Gmail.
After Azure AD B2B creates the account and grants guest access, the user appears in the Azure AD user list. Administrators can give permissions to the account or remove it. Removal does not delete the account, just its presence in the tenant.
Benefits of Azure AD B2B
A big advantage of Azure AD B2B is it gives the invited user some account management capabilities, freeing the administrator from added work.
Administrators cannot reset the guest's password. Instead, the user does their own password resets sent to the email address attached to the account.
Authentication is web-based and supports conditional multifactor authentication. Admins can set policies at the tenant, app or individual level to force extra authentication requirements, such as a text message code or the use of the Microsoft Authenticator app.
Admins can use PowerShell when there is a large group of external users to invite by referencing a data source, such as a CSV file, to send invites en masse.
Some Azure AD B2B features are free, but others need a license. Microsoft offers documentation related to different scenarios to help admins work out what they might need.