At Ignite, Mark Wahl and Joseph Dadzie showed a very exciting new feature, coming in the near future, for managing access with entitlements and approvals for B2B users and employees.
It will also be possible to give B2B accounts a life cycle: they are invited automatically when a business user grants them access through an entitlement, and removed or disabled after the entitlement expires.
The key points are:
B2B and employee access requests via a new user-facing portal
B2B and employee approval workflows for access
Access reviews of guests
Entitlement management (handing access control over to business users)
These days it is quite easy to invite, and thereby add, B2B guest users to your Azure AD tenant. Not only administrators but also regular users can invite anyone in the world who has a valid email address (depending on the settings of your tenant).
Simply inviting them grants nothing: guest users have no permissions (besides signing in) to any resource in your tenant until permissions are assigned to them.
But a good identity management solution does not only create identities; it also removes them when they are no longer needed. At the time of writing, Azure AD does not provide any mechanism to get rid of unused guest accounts, and it does not even provide a proper way to identify them.
There is no “LastLogin” attribute you could use, for example, so you have to find the person who invited the guest and ask them whether the account is still needed.
This is where my Azure AD B2B guest user “Housekeeping” solution may help you. It provides a way to set your own “LastLogin” attribute on guest accounts, tracks pending invitations, and removes guest accounts after a defined time.
So how does it work?
Create an extension attribute to store the “LastLogin” as a DateTime
Import the Azure AD sign-in logs into MIM2016 with a PowerShell MA leveraging the MS Graph Reporting API
Import B2B users into MIM with a PowerShell MA leveraging the AAD PowerShell Module V2 cmdlets
Aggregate the sign-in logs so that only the newest login per user remains
Set the extension attribute on those accounts and export it to AAD
Delete accounts after a period defined in an XML configuration file
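To make the aggregation and expiry steps concrete, here is an added Python example (not the author's MIM solution, which runs inside PowerShell management agents) that derives the newest successful sign-in per guest, compares it with thresholds from a small XML config, and flags pending invitations separately. The record shapes follow the Microsoft Graph users and signIns resources; the XML element names and the rule "a guest who never signed in is measured from creation" are my assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed config file; the element names are an assumption, not the author's schema.
CONFIG_XML = ("<housekeeping><deleteAfterDays>90</deleteAfterDays>"
              "<pendingInviteMaxDays>30</pendingInviteMaxDays></housekeeping>")

# Constructed guest objects in the shape of Microsoft Graph /users results.
GUESTS = [
    {"id": "g1", "externalUserState": "Accepted", "createdDateTime": "2018-01-05T09:00:00Z"},
    {"id": "g2", "externalUserState": "Accepted", "createdDateTime": "2018-01-05T09:00:00Z"},
    {"id": "g3", "externalUserState": "PendingAcceptance", "createdDateTime": "2018-03-01T09:00:00Z"},
]

# Constructed sign-in records in the shape of Graph /auditLogs/signIns (Reporting API).
SIGNINS = [
    {"userId": "g1", "createdDateTime": "2018-03-01T08:15:00Z", "status": {"errorCode": 0}},
    {"userId": "g1", "createdDateTime": "2018-06-10T17:40:00Z", "status": {"errorCode": 0}},
    {"userId": "g2", "createdDateTime": "2018-06-25T12:00:00Z", "status": {"errorCode": 50126}},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def latest_successful_signin(signins):
    # Aggregation step: keep only the newest successful sign-in per userId.
    latest = {}
    for rec in signins:
        if rec["status"]["errorCode"] != 0:
            continue  # a failed attempt does not prove the guest still uses the access
        ts = parse_ts(rec["createdDateTime"])
        if rec["userId"] not in latest or ts > latest[rec["userId"]]:
            latest[rec["userId"]] = ts
    return latest

def housekeeping_plan(guests, signins, now, xml_text):
    # Returns {guestId: (action, LastLogin ISO string)}; LastLogin is the value the
    # export step would write into the DateTime extension attribute.
    limits = {c.tag: timedelta(days=int(c.text)) for c in ET.fromstring(xml_text)}
    last, plan = latest_successful_signin(signins), {}
    for g in guests:
        created = parse_ts(g["createdDateTime"])
        if g["externalUserState"] == "PendingAcceptance":   # invitation never redeemed
            stale = now - created > limits["pendingInviteMaxDays"]
            plan[g["id"]] = ("delete-pending" if stale else "keep-pending", None)
        else:
            last_login = last.get(g["id"], created)   # never signed in: count from creation (assumption)
            stale = now - last_login > limits["deleteAfterDays"]
            plan[g["id"]] = ("delete-stale" if stale else "keep", last_login.isoformat())
    return plan
```

Running housekeeping_plan(GUESTS, SIGNINS, parse_ts("2018-07-01T00:00:00Z"), CONFIG_XML) keeps g1 (signed in 21 days ago), marks g2 stale because its only sign-in failed, and marks the g3 invitation for removal because it has been pending longer than 30 days.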
Investigating this, it seems Microsoft has made some updates to be compliant with GDPR.
However, there was no notice before this change, so one customer ran into issues in the middle of a larger migration project.
What I can say for sure is that the approach I described in my blog post no longer works: Azure AD B2B bulk invite without redemption is gone.
So here are the changes compared to the old solution:
You no longer need an account in the tenant you are inviting users from (the source tenant)
You still need at least the Guest Inviter role in your tenant, as before
You don’t need to send out the invitation mail with the redemption link; users can go directly to the resource and accept the new consent screen (GDPR)
You can still invite MSA accounts, and now also Google accounts
If you invite a user who does not have an Azure AD (work/school) account, the user is forced to create an MSA
This means NO viral/unmanaged tenant is created anymore (great news)
In conclusion: just bulk invite (via PowerShell or the Graph API) as many guests as you need without sending the invitation mail; users simply accept the consent screen, which performs the redemption automatically.
However, I find that the current behavior has some not-so-nice side effects:
If you invite a user without a tenant, the user needs to create an MSA
If that user’s company decides to use Azure AD in the future, those users will have an MSA with the same mail address as their work/school account
Such a combination currently cannot be created and is also not recommended; in fact, most of us created a mail alias to separate the MSA from the work account.
If the user wants to use their new work/school account, you currently have to delete the guest and invite the user again with the work/school account.
I hope there will be an update that addresses this issue in the near future, and that the above information cleared up some things for you.
I think most of you are familiar with the concept of Azure AD Business-to-Business (B2B), where you can add users from other companies to your Azure AD tenant. This feature does not require the partner organization to own or manage its own tenant; you can simply invite any user with an email address.
If the invited user already exists in an Azure AD tenant, a guest user is created in your tenant that is linked to the user object in the foreign tenant.
If the invited user does not exist in any Azure AD tenant, a shadow/unmanaged tenant is created behind the scenes for that user; additional users from the same domain are then created within this unmanaged tenant.
However, when you add a foreign user to your tenant, an invitation mail is sent to that user and the user has to redeem the invitation. By default, users are created as guest users, which don’t have any permissions (not even to read the directory) in your tenant. Nevertheless, you can assign permissions such as application permissions, Azure AD roles or RBAC roles to such users.