Azure AD B2B invitation / redemption updates

I was again quite busy at work, so I did not have that much time to blog, which will result in me losing my MVP at the end of June.

Hopefully I will find the time to blog more from now on, again.

I also got some comments from a customer that, starting at the end of May, my blog post about
“How to bulk invite B2B user” stops working.

Investigating this, it seems Microsoft has done some updates to be compliant with GDPR.
However, there was no notice before this change, so one customer ran into issues while in a larger migration project.

What I can say for sure is that the approach I described in my blog post will no longer work: Azure AD B2B bulk invite without redemption is gone.

But good news:
The new implementation is quite a bit easier, with some challenges, as you can see in the
Updated Azure AD B2B redemption documentation

So here are the changes compared to the old solution:

  • You don’t need an account in the tenant you are about to invite users from (source tenant)
  • You just need at least the Guest Inviter role in your tenant, like before
  • You don’t need to send out the invitation mail with the redemption link; users can directly go to the resource and accept the new consent screen (GDPR)
  • You can still invite MSA accounts, and now also Google accounts
  • If you invite a user who does not have an Azure AD (work/school) account, the user is forced to create an MSA
  • This means NO viral/unmanaged tenant is created anymore (great news)

So as a conclusion: just bulk invite (PowerShell or Graph API) as many guests as you need without sending the invitation mail, and users can simply accept the consent screen, which performs the redemption automatically.
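As an added example (not code from the original post), this is how such a bulk invite without the invitation mail looks with the AzureAD PowerShell module. It assumes a CSV file named guests.csv with the columns Email and DisplayName (file name and columns are assumptions) and a signed-in account that holds at least the Guest Inviter role in the target tenant.

```powershell
# Added example, not from the original post: bulk-invite B2B guests from a CSV
# without sending the invitation mail. Redemption happens when the guest first
# signs in to the resource and accepts the consent screen.
# Assumptions: AzureAD module installed, file .\guests.csv with columns
# Email,DisplayName. The signed-in account needs at least the Guest Inviter role.

Connect-AzureAD

$guests  = Import-Csv -Path .\guests.csv
$results = foreach ($g in $guests) {
    try {
        $inv = New-AzureADMSInvitation `
            -InvitedUserEmailAddress $g.Email `
            -InvitedUserDisplayName  $g.DisplayName `
            -InviteRedirectUrl       'https://myapps.microsoft.com' `
            -SendInvitationMessage   $false   # no mail; consent screen does the redemption

        [pscustomobject]@{
            Email  = $g.Email
            Status = $inv.Status            # expected: PendingAcceptance until first sign-in
            UserId = $inv.InvitedUser.Id    # guest object created in the target tenant
        }
    }
    catch {
        # Keep going on failures (e.g. blocked domain, bad address) and record the reason
        [pscustomobject]@{
            Email  = $g.Email
            Status = "Error: $($_.Exception.Message)"
            UserId = $null
        }
    }
}

# Keep a record of what was created; compare later with Get-AzureADUser -Filter "userType eq 'Guest'"
$results | Export-Csv -Path .\invite-results.csv -NoTypeInformation
$results | Format-Table -AutoSize
```

The exported results file lets you verify afterwards which guests remain in PendingAcceptance and clean up invitations that were never redeemed.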

However, I find that this current behavior has some not-so-nice side effects:

  • If you invite a user without a tenant, the user needs to create an MSA
  • If the company of that user decides to use Azure AD in the future, those users will have an MSA with the same mail address as the work/school account.
    Currently this cannot be created and is also not recommended. In fact, most of us created a mail alias to get the MSA away from the work account.
  • If the user wants to use their new work/school account, you currently need to delete and re-invite the user with their work/school account.

Hope there will be an update that addresses this issue in the near future and that the above information cleared up some things for you guys.


New Release: Azure AD Connect 1.1 is GA

A new release of Azure AD Connect is now GA, its version number is 1.1 or build 1.1.105.0.

Check the download page here and also the release version history here.
There is also a post on Alex's Directory Blog with some more details on the new features.

These are the new features and fixed issues in that release; as you can see, it brings some major new features:


Azure AD Connect (AADConnect) now generally available (GA)

Today I saw the announcement of GA of AADConnect on the Microsoft Directory blog:

You can download the binaries from here.

AADConnect is a complete replacement for and enhancement of DirSync and AADSync.
With this RTM release, both older tools should be considered deprecated.

Here are some features provided by AADConnect:

  • Enable your users to perform self-service password reset in the cloud with write-back to on-premises AD
  • Enable provisioning from the cloud with user write-back to on-premises AD
  • Enable write-back of “Groups in Office 365” to on-premises distribution groups in a forest with Exchange
  • Enable device write-back so that your on-premises access control policies enforced by ADFS can recognize devices that are registered with Azure AD. This includes the recently announced support for Azure AD Join in Windows 10.
  • Sync custom directory attributes to your Azure Active Directory tenant and consume them from your cloud applications
  • Multi-forest support
  • Wizard for setting up ADFS and WAP servers directly from the main wizard via Remote PowerShell
  • Staging mode for testing or other purposes

Keep in mind that even though this is an RTM release, you may still face some issues, because some of the features, like user write-back, are still in preview in Azure AD.

In addition, Azure AD Connect Health has also reached GA.


Azure AD and Enterprise Mobility Suite available without EA (Enterprise Agreement)

Hello,

Since March 1, Azure AD Premium and EMS (Enterprise Mobility Suite) are available without the need to have an Enterprise Agreement.
Instead, you can simply buy them through the Cloud Solution Provider or Open program.

Enterprise Mobility Suite contains Azure AD Premium, Microsoft Intune and Azure Rights Management Service.
Keep also in mind that Azure AD Premium includes a complete license for FIM 2010 / MIM.

See Alex's AD blog for more information.

In addition, if you are a subscriber of Windows Azure Pack or have a Silver or Gold competency, you will get access to licenses for Azure AD and EMS via your Internal Use Rights (IUR) benefits: see this announcement for more information.

-Peter
