Microsoft Releases Azure Active Directory B2B Service
- By Kurt Mackie
- April 13, 2017
Microsoft's Azure Active Directory Business-to-Business (B2B) service, which lets organizations grant partners and other external parties access to their resources, became generally available on Wednesday.
In addition, the Azure AD Business-to-Consumer (B2C) service is now generally available in Europe, nine months after its release in North America. Azure AD B2C is an identity and access management service for consumer-facing applications, letting customers sign in with social-media identities or with accounts created for the app itself. In announcing the expansion, Microsoft explained in a blog post that European customers of the service can now use datacenters located in Europe. Microsoft also plans a future rollout of Azure AD B2C in "Asia-Pacific and China."
Meanwhile, the Azure AD B2B service has reached GA globally. It lets guest accounts, based on either personal or business e-mail addresses, be set up on the fly, giving organizations a way to share resources such as SharePoint Online or OneDrive sites, according to a Microsoft FAQ document.
B2B Invite Process
The Azure AD B2B process begins when an organization sends an invitation to a user by e-mail. The user then establishes access by signing in with the invited address, which can be an organizational address or a personal one from a service such as Gmail, Outlook.com or Yahoo. That step quickly creates an Azure AD B2B account protected by a password. The user is next sent a PIN by e-mail; entering it completes the redemption and grants access to the shared applications, documents and resources.
This end-user sign-up experience is demonstrated in a Microsoft Mechanics video. The video notes that Microsoft is working to federate directly with identity providers such as Google so that users get single sign-on, and is also working with SAML-based providers to enable single sign-on in the future.
IT departments "can invite collaborators to use any email address" when signing up for the Azure AD B2B service, explained Andrew Conway, general manager of EMS product marketing, in an announcement. The service can extend invites to any size organization, "with or without Azure AD," said Alex Simons, director of program management for the Microsoft Identity Division, in Microsoft's announcement.
IT pros can use the Azure Portal (but not the "classic portal") and PowerShell scripting with CSV files "to establish relationships," according to Microsoft's documentation. They can invite users "to the directory, or to any group or application." Auditing tools let them see what guests have accessed, and partners can see user access details as well, according to Microsoft's video. IT pros can even assign "limited admin" roles to guests, per the FAQ.
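The CSV-driven PowerShell bulk invite mentioned above, as an added example that is not from the article or from Microsoft's documentation. It uses the AzureAD PowerShell module (v2) cmdlets New-AzureADMSInvitation, Add-AzureADGroupMember and Get-AzureADUser, which exist with the parameters shown; the CSV column names (Email, DisplayName, RedirectUrl, GroupObjectId), the file names and the sample row are this example's own assumptions. It assumes you have already run Connect-AzureAD with an account permitted to invite guests.

```powershell
# Added example (not the article's or Microsoft's own code): bulk-invite Azure AD
# B2B guests from a CSV file, optionally add each guest to a group, record the
# outcome, then reconcile against the guest objects now in the directory.
# Assumed CSV layout (column names are this example's assumption):
#   Email,DisplayName,RedirectUrl,GroupObjectId
#   partner@example.com,Partner User,https://myapps.microsoft.com,
# Prerequisites: Install-Module AzureAD; Connect-AzureAD as an account allowed to invite guests.

param(
    [string] $CsvPath    = '.\guests.csv',          # assumed input path
    [string] $ResultPath = '.\invite-results.csv'   # assumed output path
)

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    # Reject malformed addresses before they reach the service; a typo here
    # would otherwise send an invitation to the wrong domain.
    if ($row.Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Write-Warning "Skipping malformed address '$($row.Email)'"
        continue
    }

    try {
        $inv = New-AzureADMSInvitation `
            -InvitedUserEmailAddress $row.Email `
            -InvitedUserDisplayName  $row.DisplayName `
            -InviteRedirectUrl       $row.RedirectUrl `
            -SendInvitationMessage   $true   # let Azure AD e-mail the redemption link

        # The article notes an invite can target a group as well as the directory;
        # GroupObjectId is optional in this example's CSV.
        if ($row.GroupObjectId) {
            Add-AzureADGroupMember -ObjectId $row.GroupObjectId -RefObjectId $inv.InvitedUser.Id
        }

        [pscustomobject]@{
            Email   = $row.Email
            Status  = $inv.Status            # 'PendingAcceptance' until the guest redeems
            GuestId = $inv.InvitedUser.Id
            Group   = $row.GroupObjectId
            Error   = $null
        }
    }
    catch {
        # Keep going on a per-row failure and record why it failed.
        [pscustomobject]@{
            Email   = $row.Email
            Status  = 'Failed'
            GuestId = $null
            Group   = $row.GroupObjectId
            Error   = $_.Exception.Message
        }
    }
}

$results | Export-Csv -Path $ResultPath -NoTypeInformation
$results | Format-Table -AutoSize

# Reconciliation: list guest objects created by invitation, with their redemption
# state, so the batch just sent can be checked against what the directory holds.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Where-Object { $_.CreationType -eq 'Invitation' } |
    Select-Object DisplayName, UserPrincipalName, CreationType, UserState |
    Format-Table -AutoSize
```

Two practical notes. If you set -SendInvitationMessage to $false and distribute $inv.InviteRedeemUrl through your own channel, treat that URL as sensitive material and do not leave it in a shared results file. The AzureAD module has since been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK, where the equivalent cmdlet is New-MgInvitation; the flow is the same, only the cmdlet names change.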
Developers have access to the Azure AD B2B invitation manager API to "customize the invitation and onboarding workflows." Invitations can be branded, and multifactor authentication can be enforced for guest users. Microsoft has also published code on GitHub for customizing the self-service onboarding process.
Organizations can also enable self-service invitations from the access panel, letting employees send Azure AD B2B invites for the groups or applications they manage, where policy permits it.
Licensing to use Azure AD B2B for guests is available across the Azure AD "Free, Basic, and Premium P1/P2 license tiers," according to Microsoft's licensing guidance document. Microsoft doesn't charge for inviting users or assigning them access to applications, with some limits: it's free for guests for "up to 10 apps per guest user and 3 basic reports," according to the document. Guests who use paid Azure AD features must be covered by the inviting tenant's paid licensing.
Organizations licensed to use Azure AD B2B have some restrictions on allocating access. There's a so-called "5:1 model":
"The inviting tenant will get 5 B2B user rights with each Azure AD paid license," the licensing document explained. "That is, each Azure AD paid license providing the rights to Azure AD paid features to one employee user in a tenant, will now also provide the rights to those same Azure AD paid features to an additional 5 B2B users invited to the tenant."
Getting additional Azure AD B2B user rights means buying additional Azure AD licenses. Organizations don't assign these licenses to individual guests; Azure AD performs "automatic calculation and reporting" of the entitlement instead.
The Azure AD B2B service is available to all plans that include Azure AD, including Office 365, Enterprise Mobility + Security and Microsoft Intune, according to Microsoft's video. Office 365 Groups already support the Azure AD B2B service, including "seamless access to SharePoint apps," the video adds.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.