Section 3 – Implement an Identity Management Solution – Implement and manage external identities – Azure AD and IdP

Reference: B2B collaboration overview - Azure AD | Microsoft Docs

We have reached section 3 of my study guide. In this section I will cover the following:

  • manage external collaboration settings in Azure Active Directory
  • invite external users (individually or in bulk)
  • manage external user accounts in Azure Active Directory
  • configure identity providers (social and SAML/WS-fed)

Manage external collaboration settings in Azure Active Directory

Azure portal

You can find these settings in the Azure portal under Azure Active Directory > External identities > External collaboration settings (External collaboration settings – Microsoft Azure). The three that matter for this section are:

Guest user access restrictions. This setting determines whether guests have full access to enumerate all users and group memberships (most inclusive), limited access to other users and memberships, or no access to other users and group memberships, including the groups they are a member of (most restrictive). Pick the most restrictive option unless a guest workload genuinely needs directory enumeration; with the most inclusive setting, any invited account can walk your whole user and group list.

Guest invite settings. This setting controls who can invite guests to your directory to collaborate on resources secured by your Azure AD, such as SharePoint sites or Azure resources.

Enable guest self-service sign up via user flows. Yes means that you can enable self-service sign-up for guests via user flows associated with applications in your directory. No means that applications cannot be enabled for self-service sign-up by guests, and guests must be invited to your directory.

As mentioned in the earlier sections of this series, these settings affect the whole tenant and also change some of the SharePoint / OneDrive sharing settings.

SharePoint Admin Center

You can access the corresponding sharing settings in the SharePoint admin center under Policies > Sharing. The SharePoint and OneDrive level can only be as permissive as, or stricter than, the tenant-level setting.

Invite external users (individually or in bulk)

Individually

You can invite a user to your own Azure AD from the Users page: https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers

From the invite page you can also assign roles to the invited user. Keep those to the minimum the guest actually needs; a guest holding a directory role is still a directory role holder. When you send the invite, the external user receives an invitation email.

Once they click "Accept Invitation" they are redirected to the tenant. If the invitee has no Azure AD or Microsoft account (and no federated identity provider applies), a one-time passcode (OTP) is sent to their email address.

Note! Sign in with a certificate won't be in the exam, but it is a nice feature that is still in preview.

Enter the code to sign in.

And consent for the permissions.

You will be redirected to https://myapplications.microsoft.com, where you can see the resources you have access to.

You can leave the organization from your own profile page.

In bulk

Same page, but choose Invite guest users in bulk.

The portal gives you a CSV template to download and fill in. For every user you must provide the email address and the redirection URL; you can optionally add a customized message that is sent in the invitation email.

The result is the same as for an individual invite.
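The same bulk invite can be scripted, which is handier than the portal once the list lives in a ticket or an HR export. The following is an added example and not code from the original post: it reads a CSV with the Microsoft Graph PowerShell SDK, validates each row before any API call, and creates the invitations with New-MgInvitation. The CSV column names, the sample addresses and the temp-file location are my own assumptions; the portal's download template uses different headers.

```powershell
# Added example (not code from the original post): bulk-invite guests from a CSV
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and that the signed-in account may invite guests (User.Invite.All
# scope plus the Guest Inviter or User Administrator role). The CSV layout is my
# own, not the portal's download template, but it carries the same two required
# columns (email, redirect URL) and the optional message.

# Constructed sample CSV, written to a temp file so the script runs end to end.
$csvPath = Join-Path ([System.IO.Path]::GetTempPath()) 'guest-invites.csv'
@'
Email,RedirectUrl,Message
alice@contoso.example,https://myapplications.microsoft.com,Welcome to the Contoso project site
bob@fabrikam.example,https://myapplications.microsoft.com,
not-an-address,https://myapplications.microsoft.com,Rejected before any API call
carol@fabrikam.example,http://intranet.contoso.example/landing,Rejected: redirect must be https
'@ | Set-Content -Path $csvPath -Encoding UTF8

Connect-MgGraph -Scopes 'User.Invite.All'

$results = foreach ($row in Import-Csv -Path $csvPath) {
    # Validate before calling Graph: a bad row should not burn an invitation.
    $problem = $null
    if ([string]::IsNullOrWhiteSpace($row.Email) -or [string]::IsNullOrWhiteSpace($row.RedirectUrl)) {
        $problem = 'missing email or redirect URL (both are required)'
    } elseif ($row.Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $problem = 'not a valid email address'
    } elseif ($row.RedirectUrl -notmatch '^https://') {
        # The guest lands here after redemption; never send them to plain http.
        $problem = 'redirect URL must be https'
    }
    if ($problem) {
        [pscustomobject]@{ Email = $row.Email; Status = "Skipped: $problem"; InviteRedeemUrl = $null }
        continue
    }

    $params = @{
        InvitedUserEmailAddress = $row.Email
        InviteRedirectUrl       = $row.RedirectUrl
        SendInvitationMessage   = $true      # let Azure AD send the email
    }
    if (-not [string]::IsNullOrWhiteSpace($row.Message)) {
        $params.InvitedUserMessageInfo = @{ CustomizedMessageBody = $row.Message }
    }

    try {
        $inv = New-MgInvitation @params
        # Status is 'PendingAcceptance' until the guest redeems the invitation.
        [pscustomobject]@{ Email = $row.Email; Status = $inv.Status; InviteRedeemUrl = $inv.InviteRedeemUrl }
    } catch {
        [pscustomobject]@{ Email = $row.Email; Status = "Failed: $($_.Exception.Message)"; InviteRedeemUrl = $null }
    }
}

$results | Format-Table -AutoSize
```

If you would rather deliver the invitation through your own mail system, set SendInvitationMessage to $false and send the returned InviteRedeemUrl yourself; either way the row-level validation keeps a malformed export from producing half-created guests.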

Manage external user accounts in Azure Active Directory

Finding users

You can find the guest users in Azure AD > Users, e.g. with the filter Creation type == Invitation

Or with User type == Guest

Note the different identity issuers shown for each guest: mail for a user who signs in with an email one-time passcode, and ExternalAzureAD for a user whose account lives in another Azure AD tenant.

If the user hasn't accepted the invite, you can resend it or revoke it. Redemption status is currently in preview.
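The same view is available from the Microsoft Graph PowerShell SDK, which is useful when you want to review guests regularly rather than click through the portal. The following is an added example, not code from the original post: it lists guests, groups them by identity issuer (the same value the portal shows), and reports invitations that have been pending for more than 30 days. The 30-day threshold and the required scope are my own assumptions.

```powershell
# Added example (not code from the original post): list guests with the Microsoft
# Graph PowerShell SDK, show how each one authenticates, and find invitations that
# have sat unredeemed for 30 days. Assumes the Microsoft.Graph module and the
# User.Read.All scope.

Connect-MgGraph -Scopes 'User.Read.All'

# The portal filter "User type == Guest" is the same filter in Graph; the portal's
# "Creation type == Invitation" is the creationType property selected below.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,Mail,CreationType,ExternalUserState,ExternalUserStateChangeDateTime,Identities

$report = foreach ($g in $guests) {
    # identities[].issuer is what the portal shows as the identity issuer:
    #   'mail'            = email one-time passcode
    #   'ExternalAzureAD' = account in another Azure AD tenant
    #   'google.com', 'facebook.com' = social federation
    $issuer = ($g.Identities | Where-Object { $_.SignInType -eq 'federated' } | Select-Object -First 1).Issuer
    [pscustomobject]@{
        DisplayName  = $g.DisplayName
        Mail         = $g.Mail
        CreationType = $g.CreationType              # 'Invitation' for invited guests
        Issuer       = $issuer
        State        = $g.ExternalUserState         # 'PendingAcceptance' or 'Accepted'
        StateChanged = $g.ExternalUserStateChangeDateTime
    }
}

"Guests by identity issuer:"
$report | Group-Object Issuer | Select-Object Name, Count | Format-Table -AutoSize

# An unredeemed invitation is a standing account nobody has claimed. Review and
# revoke (Remove-MgUser) instead of leaving them open indefinitely.
$stale = $report | Where-Object {
    $_.State -eq 'PendingAcceptance' -and $_.StateChanged -and $_.StateChanged -lt (Get-Date).AddDays(-30)
}
"Pending for more than 30 days: $(@($stale).Count)"
$stale | Format-Table DisplayName, Mail, StateChanged -AutoSize
```

Run it on a schedule and the second table becomes your clean-up list; resending or revoking from the portal is fine for one user, but stale invitations tend to accumulate by the dozen.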

Managing users

Assigning licenses

You can assign a license to a guest user just like to a normal user, but the Usage location must be set before a license can be assigned.

Authentication methods

You can also add authentication methods for external users, and revoke their sessions from the user page. Revoking sessions invalidates the guest's refresh tokens, so they have to sign in again everywhere.

Dynamic Groups

One really handy feature is to add all the guest users to a dynamic group. You can then use this group for assigning access, Conditional Access policies, or licenses.

The Validate Rules tab in the portal lets you check the rule against selected users before you rely on it.
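The same group can be created from PowerShell, and the rule checked against an independent count of guests before the group is used in a policy. This is an added example, not code from the original post; the group name, mail nickname, scopes and the polling interval are my own choices.

```powershell
# Added example (not code from the original post): create a dynamic security group
# that collects every guest, then check that the rule matched what you expect
# before you target the group with Conditional Access or licenses. Assumes the
# Microsoft.Graph PowerShell SDK, the Group.ReadWrite.All and User.Read.All scopes,
# and Azure AD Premium P1 (dynamic membership is a P1 feature). The group name and
# mail nickname are my own choices.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# The rule the portal's rule builder produces for "userType Equals Guest".
# Append 'and (user.accountEnabled -eq true)' if disabled guests should drop out.
$rule = '(user.userType -eq "Guest")'

$group = New-MgGroup -DisplayName 'All guest users' `
    -Description 'Dynamic: every guest account in the tenant' `
    -MailEnabled:$false -MailNickname 'allguestusers' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'
"Created group $($group.DisplayName) ($($group.Id))"

# What the rule should match, computed independently with the equivalent Graph filter.
$expected = @(Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id).Count

# Membership is evaluated asynchronously; poll until the count catches up or we give up.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $actual = @(Get-MgGroupMember -GroupId $group.Id -All).Count
    "Members so far: $actual (expected $expected)"
} while ($actual -lt $expected -and (Get-Date) -lt $deadline)

if ($actual -ne $expected) {
    Write-Warning "Rule matched $actual users but $expected guests exist; fix the rule before using the group in policies."
}
```

The comparison at the end is the scripted equivalent of the portal's rule validation: a Conditional Access policy scoped to a group that silently matches fewer guests than exist is worse than no policy, because it looks covered.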

Configure identity providers (social and SAML/WS-fed)

Portal

You will find the External Identities settings here https://portal.azure.com/#blade/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/IdentityProviders

You can add Google, Facebook, or another SAML/WS-Fed provider as an identity provider.

Google

Note! Google federation is designed specifically for Gmail users. To federate with Google Workspace domains, use SAML/WS-Fed identity provider federation.

Deprecation of web-view sign-in support

Google deprecated embedded web-view sign-in support on September 30, 2021. If your apps authenticate users with an embedded web-view and you're using Google federation with Azure AD B2C or Azure AD B2B for external user invitations or self-service sign-up, Google Gmail users won't be able to authenticate.

How to set it up on Google's side

First, create a new project in the Google Developers Console to obtain a client ID and a client secret that you can later add to Azure Active Directory (Azure AD).

Go to the Google APIs console at https://console.developers.google.com and sign in with your Google account. Use a shared team Google account rather than a personal one, so the registration does not disappear with one person's account.

Give your project a name.

Go to APIs & Services and open the OAuth consent screen.

Give an app name and an email address for user support.

Add microsoftonline.com under Authorized domains and enter a developer contact email.

Open Credentials and add OAuth client ID

Under Authorized redirect URIs, enter the following URIs:

  • https://login.microsoftonline.com
  • https://login.microsoftonline.com/te/<tenant ID>/oauth2/authresp
    (where <tenant ID> is your tenant ID)
  • https://login.microsoftonline.com/te/<tenant name>.onmicrosoft.com/oauth2/authresp
    (where <tenant name> is your tenant name)

Copy the Client ID and the client secret. The secret is a credential for your tenant's federation; keep it in a secret store, not in notes or a ticket.

Azure portal

Open External identities > All identity providers, choose Google, and enter the Client ID and Client secret.

Facebook

The process is similar with Facebook; I'm not going to go through all the steps. You can find them in the Microsoft documentation.

Other IdP’s

SAML / WS-Fed

You can add a SAML IdP (e.g. ADFS) either by uploading its metadata XML or by entering the values manually.

The default ADFS metadata location is: https://ServerPublicFQDN/federationmetadata/2007-06/federationmetadata.xml

Here is an article on creating an ADFS server inside Azure.

Microsoft has an excellent article on which claims and settings are required.
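Before registering a SAML/WS-Fed provider it is worth reading the metadata yourself, both to get the values the manual path asks for and to see how long the signing certificate has left. The following is an added example, not code from the original post or from Microsoft: it parses a metadata document and summarises the issuer, endpoints and signing certificates. The sample metadata, the host names in it and the self-signed certificate it embeds are constructed for the example.

```powershell
# Added example (not code from the original post): summarise a SAML 2.0 / WS-Fed
# federation metadata document before you register the IdP. It pulls out what the
# portal's manual path asks for (issuer/entityID, passive authentication endpoint,
# signing certificate) and warns when the signing certificate is close to expiry.
# Needs PowerShell 7. The sample metadata at the bottom is constructed for this
# example, with a throw-away self-signed certificate; it is not real ADFS output.

function Get-FederationMetadataSummary {
    param(
        # Metadata URL (e.g. https://<fqdn>/federationmetadata/2007-06/federationmetadata.xml),
        # a local file path, or the XML itself.
        [Parameter(Mandatory)][string]$Source,
        [int]$WarnDays = 30
    )

    $raw = if ($Source -match '^https://') {
        (Invoke-WebRequest -Uri $Source -UseBasicParsing).Content
    } elseif ($Source -notmatch '<' -and (Test-Path -LiteralPath $Source)) {
        Get-Content -LiteralPath $Source -Raw
    } else { $Source }

    $doc = [xml]$raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if ($null -eq $entity) { throw 'No EntityDescriptor root: this is not SAML/WS-Fed metadata.' }

    # SAML: the endpoints Azure AD will send AuthnRequests to.
    $sso = @($doc.SelectNodes('/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
        ForEach-Object { '{0} {1}' -f $_.GetAttribute('Binding'), $_.GetAttribute('Location') })

    # WS-Fed: the passive requestor endpoint (ADFS: https://<fqdn>/adfs/ls/).
    $passive = @($doc.SelectNodes('//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $ns) |
        ForEach-Object { $_.InnerText.Trim() })

    # Token-signing certificates. ADFS repeats the same cert under several roles, so de-duplicate.
    $certs = @($doc.SelectNodes('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
        ForEach-Object {
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($_.InnerText.Trim()))
            [pscustomobject]@{
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                NotAfter   = $c.NotAfter
                DaysLeft   = [int][math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
            }
        } | Sort-Object Thumbprint -Unique)

    if ($certs.Count -eq 0) { Write-Warning 'No signing certificate in metadata; the manual path in the portal requires one.' }
    foreach ($c in $certs) {
        if ($c.DaysLeft -le $WarnDays) {
            Write-Warning "Signing cert $($c.Thumbprint) expires in $($c.DaysLeft) days; roll it over before guest sign-ins start failing."
        }
    }

    [pscustomobject]@{
        Issuer                = $entity.GetAttribute('entityID')
        SamlSsoEndpoints      = $sso
        WsFedPassiveEndpoints = $passive
        SigningCertificates   = $certs
    }
}

# --- Constructed sample: self-signed cert that expires in 20 days, so the warning fires.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=ADFS Signing - sts.contoso.example', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(20))
$certB64 = [Convert]::ToBase64String($cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="http://sts.contoso.example/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$certB64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference><wsa:Address>https://sts.contoso.example/adfs/ls/</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$certB64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sts.contoso.example/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sts.contoso.example/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

$summary = Get-FederationMetadataSummary -Source $sampleMetadata
$summary | Format-List
```

Point the function at the partner's real metadata URL instead of the sample and you get the Issuer URI, passive endpoint and certificate thumbprint to compare against what the portal shows after import. The expiry check matters: when an IdP's token-signing certificate rolls over and Azure AD still holds the old one, every guest from that partner stops being able to sign in.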

Direct Federation (Preview)

Direct federation is currently in public preview, so it won't be in the test, but it is a nice feature coming up on the roadmap.

Things to remember

External collaboration settings also affect SharePoint Online and OneDrive.

You can invite users with just an email address. They don't have to have an Azure AD account.

A one-time passcode (OTP) sent to the invited email address is used to sign in accounts that have no Azure AD or Microsoft account; a fresh passcode is sent each time the guest signs in after their session has expired.

When bulk inviting users, you must provide the email address and redirection URL for every user, and you can optionally add a customized message that is sent via email.

You can use a dynamic group to collect all the guest users in one group.

For social identity providers (Google, Facebook) you register an OAuth app on the provider's side and enter its client ID and secret in Azure AD; the provider's authorized redirect URIs must point at login.microsoftonline.com for your tenant.

Link to main post

Author: Harri Jaakkonen
