Update: This no longer works as described; see my updated blog post on B2B redemption.
I think most of you are familiar with the concept of Azure AD Business-to-Business (B2B), where you can add users of other companies to your Azure AD tenant. This feature does not require the partner organization to already own or manage its own tenant; you can simply invite any user with an email address.
If the invited user already exists in an Azure AD tenant, a guest user is created in your tenant that is linked to this user object in the foreign tenant.
If the invited user does not exist in any Azure AD tenant, a shadow/unmanaged tenant is created behind the scenes for that user, and additional users from the same domain will then be created within this unmanaged tenant.
However, when you add a foreign user to your tenant, an invitation mail is sent to this user and the user has to redeem the invitation. By default, users are created as guest users, which have no permissions in your tenant (not even directory read). Nevertheless, you can assign permissions such as application permissions, Azure AD roles or RBAC roles to such users.
There are 4 methods to invite a user as a B2B guest to your tenant:
- Azure AD admin portal
- Azure AD access panel
- Azure AD PowerShell module v2
- Azure AD Graph Invitation API
You can find more details and concepts of Azure B2B in the documentation.
While adding users manually, by you or your organization, is fine if there is only a small number of users to invite, this becomes a lot of work once it grows to hundreds or "multiple" thousands. You might also want to skip the invitation redemption step so that multiple users from your partner organization are added without any further interaction or notification at all.
Consider the following scenarios for example, which are concepts already discussed with customers:
- You manage external users already on-premises with your IDM solution (probably MIM, I hope), you want those users to be invited by a PowerShell connector, and you want to notify the users with your own email about that.
- You have a trustful partnership with another company and want some people of that company to do the invitation to your tenant instead of you. You are then still responsible for assigning permissions to those users afterwards.
So, here is how you can achieve this:
In order to be able to invite people without redemption you need an account with directory read permission in the partner's tenant (the foreign tenant).
This account also needs invite permissions within your tenant (the inviting tenant). By default only Global Admins can invite guest users, but you can activate an option so that even members (your employees) or guests can invite other users. In addition, there is also an Azure AD role called "Guest Inviter".
As you can see in the screenshot, there is also an option to disable the restrictions of guest users so that they behave like members (your normal employee accounts) and can, for example, read all directory objects. That is nothing we want to have by default for all your guests.
However, we need this permission for the inviting user (in your case a B2B user that will invite additional users) in order to be able to use the Azure AD admin portal (http://portal.azure.com).
This permission is not needed for members of the "Guest Inviter" role if they only want to use PowerShell or the API to invite users. Having both permissions (directory read in the foreign tenant and invite permission in the inviting tenant) automatically suppresses the invitation redemption; instead the user is directly added to your tenant.
So what I did was to invite the first user of my partner company as a member to my tenant and assign him to the "Guest Inviter" role. This user can then be used as a service account for my PowerShell connector of MIM, or by one or multiple people of my partner's organization, to invite additional guest users.
Inviting B2B users with the user type "member" can only be done by PowerShell or the Invitation API:
Connect-AzureAD
# Invite the first partner account as a member (not a guest) and send the default invitation mail
New-AzureADMSInvitation -InvitedUserDisplayName "Partner Inviter Account" -InvitedUserEmailAddress "firstname.lastname@example.org" -SendInvitationMessage $true -InviteRedirectUrl "http://myapps.microsoft.com" -InvitedUserType member
That first user will get the default invitation mail sent by Azure AD:
Just redeem that invitation by clicking the "Get Started" link and after that assign the user to the "Guest Inviter" role in Azure AD.
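The role assignment can be done from PowerShell as well, which is handy if the setup is scripted. The following is an added example with the AzureAD v2 module, not code from the original post; the partner address is a constructed placeholder, and the account is looked up by its mail attribute, which assumes that attribute was populated from the invitation.

```powershell
# Added example (not from the original post): put the redeemed B2B member account
# into the "Guest Inviter" directory role and verify the result.
# The mail address is a constructed placeholder.
Connect-AzureAD

$inviterMail = "firstname.lastname@example.org"   # placeholder
$inviter = Get-AzureADUser -Filter "mail eq '$inviterMail'"
if (-not $inviter) {
    throw "Inviter account not found; the invitation has to be redeemed first."
}

# Directory roles only show up in Get-AzureADDirectoryRole once they have been
# activated in the tenant; activate "Guest Inviter" from its template if needed.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Guest Inviter" }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq "Guest Inviter" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Idempotent add: skip if the account is already a role member.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -notcontains $inviter.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $inviter.ObjectId
}

# Verify: the account should be UserType "Member" and appear in the role membership.
Get-AzureADUser -ObjectId $inviter.ObjectId | Select-Object DisplayName, UserPrincipalName, UserType
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object DisplayName, UserPrincipalName
```

Keep this account limited to the "Guest Inviter" role; it does not need Global Admin, and the second listing above is a quick way to review who else holds invite rights in the tenant.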
Now let's invite an additional user from that same partner company with the B2B account created before.
Go to the Azure AD admin portal and click "+ New guest user" from the "All Users" menu.
Invite a guest by simply entering their email address and, optionally, an invitation message:
This second invited user will get no invitation mail by default, since they were added by a user with read permissions within the foreign tenant. Instead they will receive a mail saying that they were added to the tenant and that no further action is needed.
To suppress this "added user" message as well, you need to invite additional users by PowerShell too and set the parameter "SendInvitationMessage" to false. You can use the Invitation API as well for that.
Having that, you can now bulk import users by PowerShell or the Invitation API without further interaction by the guest user and integrate the provisioning into your existing processes.
This should also work the other way around, by adding one of your users as the first user to the foreign partner tenant and assigning directory read permission to this user there.
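Putting the bulk import together, here is an added example of the silent invitation loop run under the partner "Guest Inviter" account. It is not code from the original post; the user list is constructed inline in place of a CSV export from your IDM, and the addresses and output path are placeholders.

```powershell
# Added example (not from the original post): bulk-invite partner users as guests
# with the invitation mail suppressed, skipping addresses that already exist,
# and keep a record of what the service account created.
Connect-AzureAD   # sign in with the partner account that holds the "Guest Inviter" role

# Constructed sample input; in practice this would be Import-Csv of your IDM export.
$partnerUsers = @(
    [pscustomobject]@{ DisplayName = "Alice Example"; Email = "alice@example.org" },
    [pscustomobject]@{ DisplayName = "Bob Example";   Email = "bob@example.org"   }
)

$results = foreach ($u in $partnerUsers) {
    # Re-inviting an address that already exists in the tenant fails, so check first.
    $existing = Get-AzureADUser -Filter "mail eq '$($u.Email)'"
    if ($existing) {
        [pscustomobject]@{ Email = $u.Email; Status = "AlreadyExists"; ObjectId = $existing.ObjectId }
        continue
    }
    try {
        $inv = New-AzureADMSInvitation -InvitedUserDisplayName $u.DisplayName `
            -InvitedUserEmailAddress $u.Email `
            -InviteRedirectUrl "https://myapps.microsoft.com" `
            -SendInvitationMessage $false `
            -InvitedUserType Guest
        # Status "Completed" means the redemption step was skipped as described above;
        # "PendingAcceptance" means the inviter lacks read access in the partner tenant.
        [pscustomobject]@{ Email = $u.Email; Status = $inv.Status; ObjectId = $inv.InvitedUser.Id }
    } catch {
        [pscustomobject]@{ Email = $u.Email; Status = "Error: $($_.Exception.Message)"; ObjectId = $null }
    }
}

# Audit trail: reconcile this against the partner's own list of who should have access.
$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\b2b-invitations-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Because nobody on the partner side is notified when SendInvitationMessage is false, the exported record is the only trace outside the Azure AD audit log of who added whom, so keep it with the rest of your provisioning logs.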