Azure AD B2B collaboration
Use cloud power to collaborate with your business partners
Microsoft Corporation
Published: September 2015 (Updated: June 2016)
Version: 0.7b (DRAFT)
Abstract: Azure AD, the Identity Management as a Service (IDaaS) cloud multi-tenant service with proven
ability to handle billions of authentications per day, extends its capabilities with a feature for simply and
securely sharing applications with your business partners: Azure AD B2B (Business to Business) collaboration.
This feature, now in public preview, helps secure business-to-business collaboration with the partner
organizations that you work with every day. It provides simplified management and security for partners
and other external users accessing your in-house resources, using Azure AD as the control plane. This
includes access to popular cloud applications such as Salesforce, Dropbox, Workday and, of course, Office
365, in addition to mobile, cloud, and on-premises claims-aware applications. Azure AD
B2B collaboration is easy to configure and easy to maintain.
This document is intended for IT professionals, system architects, and developers who are interested in
understanding how Azure AD B2B collaboration helps support your cross-company relationships by
enabling partners to selectively access your corporate applications and data using their self-managed
identities, and how to leverage the related capabilities.
Table of Contents
NOTICE 2
INTRODUCTION 3
  OBJECTIVES OF THIS PAPER 7
  NON-OBJECTIVES OF THIS PAPER 7
  ORGANIZATION OF THIS PAPER 8
  ABOUT THE AUDIENCE 8
SUPPORTING B2B COLLABORATION SCENARIOS 9
  UNDERSTANDING CLASSIC PARTNER ACCESS MODELS 9
  EXTENDING AZURE AD FOR EXTERNAL IDENTITIES 11
  UNDERSTANDING AZURE AD B2B COLLABORATION PARTNER ACCESS MODEL 11
  UNDERSTANDING AZURE AD B2B COLLABORATION HIGH LEVEL WORKFLOW 12
GETTING STARTED WITH AZURE AD B2B COLLABORATION 13
  FULFILLING THE PRE-REQUISITES FOR THE WALKTHROUGH 13
  INVITING A SET OF EXTERNAL USERS (INVITER UX) 14
  RECEIVING AND ACCEPTING THE INVITATION (INVITEE UX) 22
  MONITORING THE INVITATIONS (INVITER UX) 28
  VIEWING AND MANAGING THE INVITEES (INVITER UX) 31
APPENDIX A. BUILDING A TEST LAB ENVIRONMENT 34
  BUILDING THE TEST ENVIRONMENT FOR THE INVITER 34
  BUILDING THE TEST ENVIRONMENT FOR THE INVITEES 48
1. Microsoft Azure is a flexible and open cloud computing platform hosted in Microsoft datacenters delivering scalable and reliable Internet-scale services. As an Infrastructure-as-a-Service (IaaS) platform, Microsoft Azure Infrastructure Services enables you to deploy (complex) workloads (servers, networking and storage infrastructure) in the cloud that you can control and manage on your terms.
Note Since its introduction, Azure AD "has handled 400 billion identity authentications in Azure AD"6. "We
have 350 million Azure Active Directory users. [...] We actually process 4 billion, with a B, authentications every week
with Azure Active Directory"7. This is a real testament to the level of scale we can handle. At a high level, Azure AD
is a highly available, geo-redundant, multi-tenant, multi-tiered cloud service that has delivered 99.99% uptime
for over a year now. We run it across 28 datacenters around the world. Azure AD has stateless gateways, front-end
servers, application servers, and sync servers in all of those datacenters. Azure AD also has a distributed data tier
that is at the heart of our high availability strategy. Our data tier holds more than 500 million objects and is running
across 13 datacenters.9
Since we first talked about it in November 2011, and with the numbers in the note above in mind, Azure
AD has shown itself to be a robust identity and access management service for Microsoft cloud services. No
other cloud directory offers this level of enterprise reliability or proven scale.
Furthermore, last year Gartner, in its Magic Quadrant (MQ) for Identity Management as a Service (IDaaS)
[Gartner, June 2015], placed Azure AD in the Visionaries quadrant after only its first year of availability. As of
this writing, Gartner has just released its MQ for IDaaS for 2016 [Gartner, June 2016], and Azure AD
Premium has been placed in the Leaders quadrant, positioned very strongly for our completeness
of vision.
Also, as a Platform-as-a-Service (PaaS) platform, Microsoft Azure includes a number of features, which can be used individually or composed together in a public or hybrid cloud fashion.
2. A tenant is a directory operated by an organization.
3. REIMAGINING ACTIVE DIRECTORY FOR THE SOCIAL ENTERPRISE (PART 1): http://blogs.msdn.com/b/windowsazure/archive/2012/05/23/reimagining-active-directory-for-the-social-enterprise-part-1.aspx
4. REIMAGINING ACTIVE DIRECTORY FOR THE SOCIAL ENTERPRISE (PART 2): http://blogs.msdn.com/b/windowsazure/archive/2012/06/20/reimagining-active-directory-for-the-social-enterprise-part-2.aspx
5. Modern business applications: http://www.microsoft.com/en-us/server-cloud/cloud-os/modern-business-apps.aspx
6. MICROSOFT BY THE NUMBERS: THE ENTERPRISE CLOUD (October 2014): http://news.microsoft.com/cloud/ms_numbers.pdf
7. JASON ZANDER AND JOE BELFIORE: TECHED EUROPE 2014: http://news.microsoft.com/speeches/jason-zander-and-joe-belfiore-teched-europe-2014/
8. AZURE AD IS LIVE IN HONG KONG!: http://blogs.technet.com/b/ad/archive/2014/10/06/azure-ad-now-live-in-hong-kong.aspx
9. AZURE AD: UNDER THE HOOD OF OUR GEO-REDUNDANT, HIGHLY AVAILABLE, DISTRIBUTED CLOUD DIRECTORY: http://blogs.technet.com/b/ad/archive/2014/09/02/azure-ad-under-the-hood-of-our-geo-redundant-highly-available-geo-distributed-cloud-directory.aspx
As Alex Simons, Director of Program Management, Microsoft Identity and Security Services Division, says,
"we're thrilled with the result. It really validates our vision of providing a complete solution for hybrid identity
and access for supporting employees, partners and customers, all backed by world class security based on
Microsoft's intelligent security graph. This result says a lot about our commitment in the identity and access
management space but more importantly about our customers, implementation partners and ISV partners
who have worked together with us. They have been awesome about sharing their time and energy every
day, to make sure that the products and services we build meet their needs and are helping them position
their companies to thrive in the emerging world of cloud and devices.
You might be surprised to know that Microsoft also is the only vendor in the Leader quadrant across
Gartner's Magic Quadrants for IDaaS, Cloud Infrastructure as a Service (IaaS), Server Virtualization,
Application Platform as a Service, Cloud Storage Services, and as a leader across the data platform and
productivity services. This really shows you why customers are choosing Microsoft across the full spectrum
of cloud computing: our services are well integrated and also among the best available in their individual
categories."11
Alex Simons adds: "our effort doesn't stop here. We have a lot of hard work ahead of us and we are planning
to deliver more innovative capabilities to further improve our position in the leaders quadrant."12
10. MICROSOFT RECOGNIZED IN LEADER QUADRANT OF GARTNER'S MAGIC QUADRANT FOR IDENTITY AND ACCESS MANAGEMENT AS A SERVICE, WORLDWIDE: https://info.microsoft.com/EMS-IDaaS-MQ-2016.html
11. #AZUREAD A LEADER IN THE 2016 GARTNER IDAAS MQ!: https://blogs.technet.microsoft.com/enterprisemobility/2016/06/07/azuread-a-leader-in-the-2016-gartner-idaas-mq/
12. Ibid.
Note For a short introduction, watch the video AZURE AD AND IDENTITY SHOW: AZURE AD B2B COLLABORATION
(BUSINESS TO BUSINESS)14.
Azure AD B2B collaboration is a free feature that comes with Azure AD. This feature can be used with all the
available Azure AD editions, i.e. Azure AD Free, Azure AD Basic and Azure AD Premium, and as part of the
Enterprise Mobility Suite (EMS)15.
Note For more information on the available Azure AD editions, see later in this document and/or the MSDN
article AZURE ACTIVE DIRECTORY EDITIONS16. For more information on the usage model, see the Microsoft MSDN article AZURE
ACTIVE DIRECTORY PRICING17.
13. AZURE AD B2C AND B2B ARE NOW IN PUBLIC PREVIEW!: http://blogs.technet.com/b/ad/archive/2015/09/09/azure-ad-b2c-and-b2b-are-now-in-public-preview.aspx
14. AZURE AD AND IDENTITY SHOW: AZURE AD B2B COLLABORATION (BUSINESS TO BUSINESS): http://aka.ms/aadshowb2b
15. Enterprise Mobility Suite (EMS): http://www.microsoft.com/en-us/server-cloud/products/enterprise-mobility-suite/
16. AZURE ACTIVE DIRECTORY EDITIONS: http://msdn.microsoft.com/en-us/library/azure/dn532272.aspx
17. AZURE ACTIVE DIRECTORY PRICING: http://azure.microsoft.com/en-us/pricing/details/active-directory/
The partner companies who need access to your corporate applications do not need to have Azure AD.
Azure AD B2B collaboration provides a simple user sign-up experience that gives these partners
immediate access to your applications.
Note For additional information, see the Microsoft MSDN article GETTING STARTED WITH AZURE AD22, as well as
the whitepapers ACTIVE DIRECTORY FROM THE ON-PREMISES TO THE CLOUD23 and AN OVERVIEW OF AZURE AD24 in the
same series of documents.
Likewise, this paper does not provide an in-depth description of how to implement a specific covered feature or
capability. Where necessary, it instead refers to more detailed documents, articles, and blog posts that
describe a specific feature or capability.
18. Microsoft Enterprise Agreement: http://www.microsoft.com/en-us/Licensing/licensing-programs/enterprise.aspx
19. Microsoft Cloud Solution Provider program: https://mspartner.microsoft.com/en/us/pages/solutions/cloud-reseller-overview.aspx
20. Microsoft Open Programs: http://www.microsoft.com/licensing/licensing-options/open-license.aspx
21. AZURE AD AND ENTERPRISE MOBILITY SUITE NOW AVAILABLE WITHOUT AN ENTERPRISE AGREEMENT: http://blogs.technet.com/b/ad/archive/2015/03/12/azure-ad-and-enterprise-mobility-suite-now-broadly-available-outside-of-an-enterprise-agreement.aspx
22. GETTING STARTED WITH AZURE AD: http://msdn.microsoft.com/en-us/library/dn655157.aspx
23. ACTIVE DIRECTORY FROM THE ON-PREMISES TO THE CLOUD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
24. AN OVERVIEW OF AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
25. Azure Active Directory community forum: http://social.msdn.microsoft.com/Forums/en-US/WindowsAzureAD/
26. Azure blog: http://blogs.msdn.com/b/windowsazure/
"If federation is broken. It's PKI. If it is not PKI, there's a typo. If you typed it correctly (case counts!). It's PKI."
- Laura E. Hunter
"The hackers that carried out the massive data breach at Target Corp. appear to have gained access via a
refrigeration contractor in Pittsburgh that connected to the retailer's systems to do electronic billing."
- Wall Street Journal
"Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's
network."
- Home Depot
"If I want to attack Fort Knox and I know they have locks and guards and strong security, it is easier to attack
one of their providers who already have access to the gold."
- James Christiansen, VP, Accuvant
Once a partner account managed in the directory is compromised, attackers can move laterally to other accounts in the same identity store. So an exploited partner user puts the whole organization at risk.
These accounts are disconnected from the partner's identity system, so they are not disabled when partner employees change jobs or are terminated. Access continues long after a partner user has left his organization.
Note For additional information, see the blog post LEARN ALL ABOUT THE AZURE AD B2B COLLABORATION
PREVIEW!27.
Important note The end-to-end experience may evolve as additional features and other enhancements may
be introduced to the service over time, and more particularly at GA. All screenshots and steps are
thus subject to change as the B2B features evolve until GA. The same considerations apply to the outlined
social identity providers, which may also update their portals and steps over time.
If you don't have such directory tenants, APPENDIX A. provides instructions to create them and set up an
appropriate test lab environment. Please refer to this appendix to make sure that your environment reflects
the prerequisites.
In terms of the scenario for the course of this walkthrough, the Contoso369 organization needs to partner
with Litware369 to assemble expertise, and consequently needs to grant some Litware369
experts access to one of its LOB applications.
Contoso369 would like to leverage the new capabilities introduced by Azure AD B2B collaboration. Similarly,
Litware369 already benefits from an identity hub in the cloud through its Office 365 subscription, and so
is reluctant to invest in any new infrastructure to collaborate with Contoso369.
Consequently, to implement the suggested scenario, we will create:
1. For the inviting organization: the contoso369.onmicrosoft.com directory tenant. You will have
to substitute a directory name of your choice that is not currently in use.
Whenever a reference to contoso369.onmicrosoft.com is made in a procedure, it has to be
replaced by the directory name of your choice to reflect the change in naming.
2. For the business partner organization: the litware369.onmicrosoft.com directory tenant. You
will have to substitute a directory name of your choice that is not currently in use.
27. LEARN ALL ABOUT THE AZURE AD B2B COLLABORATION PREVIEW!: http://blogs.technet.com/b/ad/archive/2015/09/15/learn-all-about-the-azure-ad-b2b-collaboration-preview.aspx
Important note The free edition of Azure AD is used in the walkthrough for the inviting organization. The
Basic or the Premium editions offer additional benefits in this context, such as extended branding capabilities, as
well as group assignment for the applications. If you want to additionally test these capabilities, you can sign up
for an Azure Active Directory Premium trial.
For additional information about how to sign up and start using the Premium edition, see the Microsoft MSDN
article GETTING STARTED WITH AZURE AD PREMIUM28. You can also watch the Channel 9 demo videos ENABLING AZURE ACTIVE
DIRECTORY PREMIUM TRIAL29, HOW TO PURCHASE AZURE ACTIVE DIRECTORY PREMIUM - NEW CUSTOMERS30, and HOW TO PURCHASE
AZURE ACTIVE DIRECTORY PREMIUM - EXISTING CUSTOMERS31.
Important note A simplified sign-up is provided for invitee business partners without Azure AD. This
capability is not illustrated as part of this walkthrough.
To simplify the wording as much as possible in the rest of this section, the term inviter will refer
simultaneously, and depending on the context, to the Contoso369 administrator/organization/directory
tenant that is inviting partner users. Conversely, the term invitee will refer to the Litware369 partner user that
receives the invitation and must complete the redeem process.
28. GETTING STARTED WITH AZURE AD PREMIUM: http://msdn.microsoft.com/en-us/library/azure/dn499825.aspx
29. ENABLING AZURE ACTIVE DIRECTORY PREMIUM TRIAL: https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Enabling-Azure-Active-Directory-Premium-trial
30. HOW TO PURCHASE AZURE ACTIVE DIRECTORY PREMIUM - NEW CUSTOMERS: https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-Purchase-Azure-Active-Directory-Premium-New-Customers
31. HOW TO PURCHASE AZURE ACTIVE DIRECTORY PREMIUM - EXISTING CUSTOMERS: https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-Purchase-Azure-Active-Directory-Premium-Existing-Customer
Note As mentioned above, the Basic or the Premium editions offer additional benefits in this context in
terms of branding capabilities. If you have a Basic or a Premium license assigned, you will be able to
customize how the sign-in page and the Azure AD Access Panel (see later in this document) will appear to both
users within the organization and partner users. More specifically, you can brand these pages to include your
company's logo and customize other on-screen elements.
For additional information, see the Microsoft TechNet article ADD COMPANY BRANDING TO YOUR SIGN IN AND ACCESS PANEL
PAGES32.
The Azure AD extension in the Azure management portal will send email invitations to these external users.
The invited partner user will either sign in to an existing work account with Microsoft (managed in Azure
AD) or get a new work account in Azure AD. Once signed in, the invitee will be redirected to the application
or the site that was shared with them, as per the CSV file configuration.
Field: Description
Email: Required. Email address of the invitee. Invitations to consumer email addresses (e.g. gmail or comcast.net) and to distribution lists (DLs) are currently not supported.
DisplayName: Required. Display name of the invitee (typically first and last name).
InviteContactUsUrl: Required. "Contact Us" URL to include in the email invitation in case the invitee wants to contact the inviter.
InviteAppID: Optional. Application ID of the application used to brand the email invitation and the acceptance pages.
InviteGroupResources: Optional. Object IDs of the security groups to which the user is added.
InviteReplyURL: Optional. URL to which the invitee is directed after accepting the invitation. This should be an inviter-specific URL to an application or a site (such as contoso369.my.salesforce.com). If this optional field is not specified, the inviter's Access Panel URL is generated. This URL is of the form:
https://account.activedirectory.windowsazure.com/applications/default.aspx?tenantId=<TenantID>
where TenantID is the GUID of the inviter's directory tenant, for example for the Contoso369 directory tenant in our illustration:
https://account.activedirectory.windowsazure.com/applications/default.aspx?tenantId=6c9cd0b6-dbf2-4c83-8b56-4470862f7aa1
32. ADD COMPANY BRANDING TO YOUR SIGN IN AND ACCESS PANEL PAGES: https://technet.microsoft.com/en-us/library/dn532270.aspx
Connect-MsolService
Note If there is a newer version of the Windows PowerShell module, you will see a yellow warning text
explaining that a newer version is available. You should always ensure that you run the latest version of the module.
Username: philber@contoso369.onmicrosoft.com
Password: ****************
4. Type the following command with the Get-MsolServicePrincipal34 cmdlet of the Azure AD module:
33. AZURE ACTIVE DIRECTORY BUSINESS-TO-BUSINESS (B2B) COLLABORATION: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview
34. GET-MSOLSERVICEPRINCIPAL: https://msdn.microsoft.com/en-us/library/azure/dn194099.aspx
Replace this value with your own to reflect your configuration.
To make that happen, we now need the Object ID of this group to fill in the InviteGroupResources field in the
CSV file.
To get the Object ID of the Business Partners group, proceed with the following steps:
1. From the above Windows PowerShell command prompt, type the following command with the Get-MsolGroup36 cmdlet of the Azure AD module:
Replace this value with your own to reflect your configuration.
35. MANAGING ACCESS TO RESOURCES WITH AZURE ACTIVE DIRECTORY GROUPS: https://azure.microsoft.com/en-us/documentation/articles/active-directory-manage-groups/
36. GET-MSOLGROUP: https://msdn.microsoft.com/en-us/library/azure/dn194130.aspx
Email,DisplayName,InviteAppID,InviteReplyUrl,InviteAppResources,InviteGroupResources,InviteContactUsUrl
alexd@litware369.onmicrosoft.com,Alex Darrow,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,226b62de-274f-45cd-ae60-92d0854cb9e6,http://azure.microsoft.com/services/active-directory/
annew@litware369.onmicrosoft.com,Anne Wallace,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,226b62de-274f-45cd-ae60-92d0854cb9e6,http://azure.microsoft.com/services/active-directory/
katieJ@litware369.onmicrosoft.com,Katie Jordan,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,226b62de-274f-45cd-ae60-92d0854cb9e6,http://azure.microsoft.com/services/active-directory/
kellys@litware369.onmicrosoft.com,Kelly smith,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,226b62de-274f-45cd-ae60-92d0854cb9e6,http://azure.microsoft.com/services/active-directory/
Note Invitations to consumer email addresses (e.g. gmail or comcast.net) are currently not supported.
4. Click the name of your organization's directory, for example Contoso369 in our illustration.
5. Click USERS.
6. Click ADD USER in the tray at the bottom. An ADD USER dialog opens.
8. Under CSV FILE, click the folder icon to locate the CSV file. A Choose File to Upload dialog opens.
9. Select the CSV file and click Open.
10. Click the check mark icon to upload the file and initiate the invitation workflow. The CSV file is then
processed.
11. Upon completion, click CLICK HERE FOR BATCH STATUS REPORT. You're redirected to the
invitation detail report (see the section later in this document).
At this point, thanks to the underlying invitation workflow, an email from the Microsoft Online
Services Team is generated and sent to each of the invitee email addresses you specified in
the CSV file. Each generated email has a unique URL to redeem the invite.
Let's consider the user experience from the invitee's perspective.
This invitation mail includes the inviter's name along with the name of the application for which the invitee
is invited.
It's branded with the application logo as specified by the InviteAppID in the CSV file.
The invitation email contains a redeem link that you can use at any time to access the inviter's
application or site as specified by the InviteReplyURL in the CSV file (URL split for readability):
https://redeem.b2b.azure.net/redeem/
?tenant=6c9cd0b6-dbf2-4c83-8b56-4470862f7aa1
&invite=f8042f71-2943-4d8a-80a3-4a3ff65a96f6
&user=ca5e7888-8df4-4173-af86-379a30c670a9
&ticket=fYBgxhmBtBEtm2slQA5Q4DjL67JtojaUhEiFgqbNlX0%3d
&lang=en-us
It finally contains the Contact Us link as specified by the InviteContactUsUrl in the CSV file, for example
in our illustration:
http://azure.microsoft.com/services/active-directory/
Beyond the invitee's email address, the invitation accept landing page above provides some context
for the invitee on how to accept the invitation.
Note Under different scenarios, this landing page may explain that the user is about to sign in, or that the
user is signed in with a different account and so needs to sign out first.
2. Click Accept. The invitee is now redirected to their login page if they have a directory tenant in Azure
AD.
Important note If the invitee does not have an Azure AD tenant, this step is skipped. In lieu of it, a simplified
sign-up is provided. When the invitee clicks Accept in the screen above, they get the Azure AD signup screen below
prompting them to enter a password, display name, and region. This capability is not illustrated as part of this
walkthrough.
3. Enter the credentials of Alex Darrow for his tenant, for example in our illustration pass@word1,
and then click Sign in. You're now returned to the inviter's page and invite acceptance is completed.
You're now redirected to the InviteReplyURL specified in the CSV. If the InviteReplyURL is blank, as it
was in our illustration, you will be directed to the Azure AD Access Panel of the inviter:
https://account.activedirectory.windowsazure.com/applications/default.aspx?tenantId=6c9cd0b6-dbf2-4c83-8b56-4470862f7aa1
Note Invitees can click the Here link if they are not automatically redirected to the InviteReplyURL
specified in the CSV or, if it is blank, to the Azure AD Access Panel of the inviter.
Note We could have specified the URL of the sample application in the InviteReplyURL of the CSV. In that
case, the invitees would have been redirected directly to the sample application instead of the Azure AD Access
Panel of the inviter. The option we have chosen here instead lets us illustrate the Azure AD
Access Panel and its ability to display all the inviter's applications, if there are multiple, for which the invitee has accepted the
invitation.
The Azure AD Access Panel allows the partner user to view and launch the applications in the inviting
directory tenant to which they've been invited. This is a single screen with the accepted applications
for every partner user, from which they can single sign-on to those applications.
The sample application WebApp-OpenIDConnect-DotNet specified in the InviteAppResources in the
CSV file should appear here.
4. Click the WebApp-OpenIDConnect-DotNet icon. You will be redirected to the sample application.
Note In our illustration, you should run the sample application from Visual Studio before clicking the
icon above.
5. Et voila!
"My Apps" is available as of today for both the iOS and Android platforms. My Apps for Android works on any
device running Android version 4.1 or higher, and is available in the Google Play store37. My Apps for iOS is
supported on any iPhone or iPad running iOS version 7 and up, and is available in the Apple App Store38.
For more information, see the blog post ACCESSING AZURE AD CONNECTED APPS ON ANDROID PHONES, IPHONES,
AND IPADS39.
Note The Premium offering adds the following machine learning-based anomaly reports. For more information,
see the blog post AZURE ACTIVE DIRECTORY PREMIUM REPORTING NOW DETECTS LEAKED CREDENTIALS40.
In addition, Azure AD B2B collaboration enables you to review the invitation reports associated
with the email invitations sent by your organization to invitees. In other words, this gives you the
ability to check the status of your invitations.
With the current public preview, you get access to additional access reports giving you visibility into
which invitees have accepted their invitations.
An "Invitation summary" report is available for monitoring the on-boarding workflow. Once the
CSV file is uploaded, the status of the processed invitations can be reviewed in this report.
To view or download an invitation summary report, proceed with the following steps:
1. Sign in to the Azure management portal as the administrator of the inviting directory.
2. Click ACTIVE DIRECTORY, and then click the name of the organization's directory for which you
want to view or download a report.
3. Click REPORTS.
37. My Apps for Android: https://play.google.com/store/apps/details?id=com.microsoft.myapps
38. Apple App Store: https://itunes.apple.com/us/app/my-apps-windows-azure-active/id824048653?mt=8
39. ACCESSING AZURE AD CONNECTED APPS ON ANDROID PHONES, IPHONES, AND IPADS: http://blogs.technet.com/b/ad/archive/2014/11/19/accessing-azure-ad-connected-apps-on-android-phones-iphones-and-ipads.aspx
40. AZURE ACTIVE DIRECTORY PREMIUM REPORTING NOW DETECTS LEAKED CREDENTIALS: http://blogs.technet.com/b/ad/archive/2015/06/15/azure-active-directory-premium-reporting-now-detects-leaked-credentials.aspx
6. Check IT IS ACCEPTABLE FOR ADMINS IN MY ORGANIZATION TO VIEW THIS DATA, and click
the checkmark icon.
Status: Description
MSODS invite started: External user (temporary account for the invitee) is being created in the directory (pending acceptance) as part of the invitation workflow.
MSODS invite finished: External user (temporary account for the invitee) created in the directory, pending acceptance.
Email generation started: Email addresses and names split, and emails being created as part of the invitation workflow.
Email delivered to email server: Email sent to the invitee's email server and confirmation received from the business partner's email server. This does not mean that the invitee has received the email and accepted the invitation (see section RECEIVING AND ACCEPTING THE INVITATION (INVITEE UX)).
User account created: Invitee has signed in to their existing Azure AD account, or signed up for a new Azure AD account, as part of accepting the invitation.
Invite accepted: User redeemed the invitation. The external user's AlternativeSecurityId (AltSecID) is set in the directory.
With respect to the above status states, the twelve possible errors are as follows:
a. CSV Import Error, Invalid email address, Missing email address, Blacklisted domain, Consumer Domain, Invitee in tenant domain, Invalid display name, Missing display name, Invalid invite Contact Us URL, Missing invite Contact Us URL, Invalid invite reply URL, Invalid invite AppId, Invalid invite app resources, Invalid invite group resources, or Invalid invite create time if an error is encountered in the processing of the CSV file.
b. MSODS invite failed if an error is encountered in the creation of the temporary account for the invitee.
c. Email creation failed, Email send failed, or Email bounced back if an error is encountered in sending the email to the invitee's email server or in receiving confirmation from the business partner's email server.
d. Viral tenant creation failure if an error is encountered in the sign-up of the invitee for an Azure AD account.
e. External user MSODS connection failure if the invitation failed to be redeemed.
8. From this report, you can download the errors, if any, in a CSV file that can be corrected and
re-uploaded (DOWNLOAD ERRORS). You can also download the original CSV file from this
page if needed (DOWNLOAD CSV FILE).
Click DOWNLOAD CSV FILE in the tray at the bottom to download the report as a compressed archive
file in CSV format for offline viewing or archiving purposes.
9. Click Save.
10. Open the archive file, and then open the included CSV file (B2BBatchIdFile_f8042f71-2943-4d8a-80a3-4a3ff65a96f6_635790459102338807.csv).
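As an added example (not from the paper or the Azure AD service), the following Python script pre-checks an invitation CSV against the field rules of the CSV table above and reports failures using the error names of the invitation summary report, so that a batch can be corrected before upload instead of from DOWNLOAD ERRORS. The consumer-domain list, the display-name length limit and the ';' separator for several object IDs in one cell are assumptions; the sample rows are constructed and reuse the paper's example GUIDs and tenant domains.

```python
import csv
import io
import re
import uuid

# Column layout of the invitation CSV, as in the walkthrough's header row.
EXPECTED_HEADER = ["Email", "DisplayName", "InviteAppID", "InviteReplyUrl",
                   "InviteAppResources", "InviteGroupResources", "InviteContactUsUrl"]

# Assumption: a short list of consumer mail domains; the service rejects such invitees.
CONSUMER_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "comcast.net"}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
URL_RE = re.compile(r"^https?://\S+$")


def is_guid(value):
    """True if value parses as a GUID (application ID or group object ID)."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def check_row(row, tenant_domain):
    """Return the error names (as used by the invitation summary report) for one row."""
    errors = []
    email = row["Email"].strip()
    match = EMAIL_RE.match(email)
    if not email:
        errors.append("Missing email address")
    elif not match:
        errors.append("Invalid email address")
    else:
        domain = match.group(1).lower()
        if domain in CONSUMER_DOMAINS:
            errors.append("Consumer Domain")
        if domain == tenant_domain.lower():
            # Members of the inviting tenant must not be invited as external users.
            errors.append("Invitee in tenant domain")
    name = row["DisplayName"].strip()
    if not name:
        errors.append("Missing display name")
    elif not name.isprintable() or len(name) > 256:  # assumed length limit
        errors.append("Invalid display name")
    contact = row["InviteContactUsUrl"].strip()
    if not contact:
        errors.append("Missing invite Contact Us URL")
    elif not URL_RE.match(contact):
        errors.append("Invalid invite Contact Us URL")
    reply = row["InviteReplyUrl"].strip()
    if reply and not URL_RE.match(reply):
        errors.append("Invalid invite reply URL")
    app_id = row["InviteAppID"].strip()
    if app_id and not is_guid(app_id):
        errors.append("Invalid invite AppId")
    # Assumption: several object IDs in one cell are separated by ';'.
    for field, label in (("InviteAppResources", "Invalid invite app resources"),
                         ("InviteGroupResources", "Invalid invite group resources")):
        ids = [x.strip() for x in row[field].split(";") if x.strip()]
        if any(not is_guid(x) for x in ids):
            errors.append(label)
    return errors


def validate_csv(text, tenant_domain):
    """Map each failing row (keyed by its email, or by line number) to its error names."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != EXPECTED_HEADER:
        return {"header": ["CSV Import Error"]}
    problems = {}
    for lineno, values in enumerate(reader, start=2):
        if not values:
            continue  # blank line
        if len(values) != len(EXPECTED_HEADER):
            problems["line %d" % lineno] = ["CSV Import Error"]
            continue
        row = dict(zip(EXPECTED_HEADER, values))
        errs = check_row(row, tenant_domain)
        if errs:
            problems[row["Email"].strip() or "line %d" % lineno] = errs
    return problems


# Constructed sample: the first row is the paper's Alex Darrow entry, the other two are deliberately bad.
SAMPLE_CSV = """Email,DisplayName,InviteAppID,InviteReplyUrl,InviteAppResources,InviteGroupResources,InviteContactUsUrl
alexd@litware369.onmicrosoft.com,Alex Darrow,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,226b62de-274f-45cd-ae60-92d0854cb9e6,http://azure.microsoft.com/services/active-directory/
bob@gmail.com,Bob Example,606e1423-fbaa-49cd-8cbe-68dec0d00d0e,,,226b62de-274f-45cd-ae60-92d0854cb9e6,http://azure.microsoft.com/services/active-directory/
philber@contoso369.onmicrosoft.com,,not-a-guid,ftp://bad,,,
"""

if __name__ == "__main__":
    for who, errs in validate_csv(SAMPLE_CSV, "contoso369.onmicrosoft.com").items():
        print(who, "->", ", ".join(errs))
```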
Note For more information, see the Microsoft TechNet article VIEW YOUR ACCESS AND USAGE REPORTS41. You can also
watch the Channel 9 demo video AZURE ACTIVE DIRECTORY REPORTS42.
Note Activity and events reporting data is now also available (in preview) to developers through the Azure
AD Graph API. For more details, see the blog post ANNOUNCING THE PREVIEW OF GRAPH REPORTS AND EVENTS API43 and
the Microsoft MSDN article AZURE AD REPORTS AND EVENTS (PREVIEW)44.
41 VIEW YOUR ACCESS AND USAGE REPORTS: http://technet.microsoft.com/en-us/library/dn283934.aspx
42 AZURE ACTIVE DIRECTORY REPORTS: https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Azure-Active-Directory-Reports
43 ANNOUNCING THE PREVIEW OF GRAPH REPORTS AND EVENTS API: http://blogs.msdn.com/b/aadgraphteam/archive/2015/05/15/announcing-the-preview-version-of-graph-reports-and-events-api.aspx
44 AZURE AD REPORTS AND EVENTS (PREVIEW): https://msdn.microsoft.com/en-us/library/azure/mt126081.aspx
Note For more information, see the article EXTERNAL USER OBJECT ATTRIBUTE CHANGES FOR AZURE ACTIVE DIRECTORY
(AZURE AD) B2B COLLABORATION PREVIEW45.
Note If an invitee doesn't accept their invite, their user account in the Contoso369 directory will be
automatically removed after a period of time.
You can extend the partner user information with the available attributes. Azure AD also enables you to add custom attributes.
5. Click the left arrow icon, click GROUPS, and then select Business Partners.
45 EXTERNAL USER OBJECT ATTRIBUTE CHANGES FOR AZURE ACTIVE DIRECTORY (AZURE AD) B2B COLLABORATION PREVIEW: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-references-external-user-object-attribute-changes/
Note If you don't already have an Azure subscription, you can sign up for a free one-month trial Azure account by following the link https://azure.microsoft.com/en-us/pricing/free-trial/.
If you don't have any directory at this time, follow the instructions in the next section; otherwise, skip it.
Note For additional information, see the article HOW TO CREATE AN AZURE AD B2C DIRECTORY46.
5. Configure the basic properties for your new directory, i.e. its name, default domain name, and the
country or region as follows:
a. In Name, choose a name for the directory (that will help distinguish it from your other
directories in your Azure subscription), for example in our illustration Contoso 369
Corporation.
46 HOW TO CREATE AN AZURE AD B2C DIRECTORY: https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-b2c/?rnd=1?
Note For more information, see the article MANAGING ACCESS TO RESOURCES WITH AZURE ACTIVE DIRECTORY GROUPS47.
47 MANAGING ACCESS TO RESOURCES WITH AZURE ACTIVE DIRECTORY GROUPS: https://azure.microsoft.com/en-us/documentation/articles/active-directory-manage-groups/
To get the Object ID of your newly created group, proceed with the following steps:
1. While still in the Azure management portal, click Business Partners, and then click PROPERTIES.
2. Scroll down to OBJECT ID and copy the Object ID value to the clipboard: 226b62de-274f-45cd-ae60-92d0854cb9e6. Note this value.
1. Download the SIA package (msoidcli_64bit.msi) from the following link: Microsoft Online Services Sign-In Assistant for IT Professionals RTW49.
2. Click Run to install. The wizard Microsoft Online Services Sign-in Assistant Setup pops up. Follow
the steps of the wizard.
3. Download the Azure AD Module (64-bit) package (AdministrationConfig-en.msi) from the following
link: http://go.microsoft.com/fwlink/p/?linkid=236297.
4. Click Run to install. The Azure Active Directory Module for Windows PowerShell Setup wizard
pops up. Follow the steps of the wizard.
At this stage, the Azure AD Module for Windows PowerShell installs a set of cmdlets specifically designed
for Azure AD tenant-based administration.
Note For more information about Azure AD cmdlets, see the Microsoft TechNet article MANAGE AZURE AD USING WINDOWS POWERSHELL50.
Each Azure AD cmdlet has required and optional arguments, called parameters, that identify which objects to act on or control how the cmdlet performs its task. For more information about an Azure AD cmdlet, at the Windows PowerShell command prompt, type Get-Help followed by the name of the cmdlet.
48 Description of Microsoft Online Services Sign-In Assistant (MOS SIA): https://community.office365.com/en-us/w/sso/534
49 Microsoft Online Services Sign-In Assistant for IT Professionals RTW: http://www.microsoft.com/en-us/download/details.aspx?id=41950
50 MANAGE AZURE AD USING WINDOWS POWERSHELL: https://technet.microsoft.com/library/jj151815.aspx
Note To understand the basic scenario for each sample type, see the Microsoft MSDN article AUTHENTICATION SCENARIOS FOR AZURE AD52.
For the purpose of this walkthrough, we are going to use the WebApp-OpenIDConnect-DotNet quick start sample, which demonstrates how to write a web application that directs the user's browser to sign them in to Azure AD.
As the name of the sample application suggests, this sample shows how to build a .NET MVC web application that uses the OpenID Connect standard protocol to sign in users from an Azure AD tenant.
The code for this sample application is maintained on GitHub: AzureAD-WebApp-OpenIDConnect-DotNet53. However, for the sake of brevity, we will use an almost completed version of this sample application.
To get this almost completed sample application, proceed with the following steps:
1. Download the WebApp-OpenIDConnect-DotNet-complete.zip54 file from GitHub and save it to your computer if you haven't done so already.
51 AZURE ACTIVE DIRECTORY CODE SAMPLES: http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx
52 AUTHENTICATION SCENARIOS FOR AZURE AD: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/
53 B2C-WebApp-OpenIdConnect-DotNet project: https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIdConnect-DotNet
DotNet/archive/complete.zip
3. Click the name of your organizations directory, for example Contoso369 in our illustration.
4. Click APPLICATIONS.
5. Click ADD in the tray at the bottom. A "What do you want to do?" dialog appears.
8. On the App properties page, enter in APP URL the base URL for the sample, which is by default https://localhost:44320/, and in APP ID URI https://contoso369.onmicrosoft.com/WebApp-OpenIDConnect-DotNet, and then click the check mark icon in the bottom-right corner of the page.
9. After a successful creation of the app, you are redirected to the Quick Start page for the web
application.
All done! Before moving on to the next step, you need to find the Client ID of your sample application.
To get the Client ID of your sample application, proceed with the following steps:
1. While still in the Azure management portal on the Quick Start page for the web application, click CONFIGURE.
2. Scroll down to CLIENT ID and copy the Client ID value to the clipboard: 606e1423-fbaa-49cd-8cbe-68dec0d00d0e. Note this value.
55 ADDING, UPDATING, AND REMOVING AN APP: http://msdn.microsoft.com/en-us/library/dn132599.aspx
56 Microsoft.Owin.Security.OpenIdConnect 3.0.1 NuGet package: http://www.nuget.org/packages/Microsoft.Owin.Security.OpenIDConnect/
d. In this eventuality, uncheck Ask me for every project in the solution and click OK.
2. Open the Solution Explorer if it's not already open.
5. Click Restore. The missing NuGet packages are then downloaded to resolve the above unresolved references.
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>
</configuration>
1. In web.config, find the app key ida:ClientId and replace its value with the Client ID value you copied from the Azure management portal: 606e1423-fbaa-49cd-8cbe-68dec0d00d0e.
2. Find ida:Tenant and replace its value with your directory tenant name, for example in our configuration contoso369.onmicrosoft.com.
3. If you changed the base URL of the sample, find the app key ida:PostLogoutRedirectUri and replace its value with the new base URL of the sample. Otherwise, leave it unchanged.
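A mistake in any of these three keys shows up only at sign-in time: a placeholder left in ida:ClientId or a wrong ida:Tenant gets you an error page from Azure AD, and a post-logout redirect that does not match the registered APP URL is either ignored by Azure AD or sends the signed-out browser somewhere you did not register. The following check is an added example written for this page, not code from Microsoft or from the sample. It parses web.config with the standard library and compares the ida:* values with the Client ID, tenant name and APP URL used in this walkthrough. The two embedded web.config files are constructed; the ida:AADInstance key is assumed to be present in the sample, as in the other Azure AD quick starts, and is only checked if found.

```python
"""Check the ida:* appSettings in the sample's web.config (added example).

Compares ida:ClientId, ida:Tenant and ida:PostLogoutRedirectUri with the values
registered in the Azure management portal for this walkthrough. The embedded
configs are constructed; ida:AADInstance is an assumed, optional key.
"""
import sys
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EXPECTED_CLIENT_ID = "606e1423-fbaa-49cd-8cbe-68dec0d00d0e"   # CLIENT ID from CONFIGURE
EXPECTED_TENANT = "contoso369.onmicrosoft.com"                 # directory tenant name
REGISTERED_APP_URL = "https://localhost:44320/"                # APP URL from the registration


def load_app_settings(config_xml):
    """Return {key: value} for every <add> element under <appSettings>."""
    root = ET.fromstring(config_xml)
    return {e.get("key"): e.get("value", "") for e in root.findall("./appSettings/add")}


def check_ida_settings(settings, client_id=EXPECTED_CLIENT_ID,
                       tenant=EXPECTED_TENANT, app_url=REGISTERED_APP_URL):
    """Return a list of problems; an empty list means the config matches the registration."""
    problems = []

    cid = settings.get("ida:ClientId", "")
    try:
        canonical = str(uuid.UUID(cid))
    except ValueError:
        canonical = None
    if canonical is None:
        problems.append("ida:ClientId is not a GUID (placeholder still in place?)")
    elif canonical != client_id.lower():
        problems.append("ida:ClientId differs from the Client ID shown under CONFIGURE")

    ten = settings.get("ida:Tenant", "")
    if ten.lower() != tenant.lower():
        problems.append("ida:Tenant is %r, expected %r" % (ten, tenant))

    post = urlparse(settings.get("ida:PostLogoutRedirectUri", ""))
    base = urlparse(app_url)
    if post.scheme != "https":
        problems.append("ida:PostLogoutRedirectUri must be an https URL")
    elif post.netloc.lower() != base.netloc.lower() or \
            not (post.path or "/").startswith(base.path or "/"):
        problems.append("ida:PostLogoutRedirectUri does not match the registered APP URL")

    instance = settings.get("ida:AADInstance")   # assumed key; only checked if present
    if instance is not None and not (instance.startswith("https://") and instance.endswith("/")):
        problems.append("ida:AADInstance should be an https URL ending in '/'")
    return problems


# Constructed web.config after the three edits above were applied.
EDITED_CONFIG = """<configuration>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <add key="ida:ClientId" value="606e1423-fbaa-49cd-8cbe-68dec0d00d0e" />
    <add key="ida:Tenant" value="contoso369.onmicrosoft.com" />
    <add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
    <add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />
  </appSettings>
</configuration>
"""

# Constructed web.config with placeholders still in place and a plain-http logout URL.
UNEDITED_CONFIG = """<configuration>
  <appSettings>
    <add key="ida:ClientId" value="[Enter client ID as obtained from the Azure portal]" />
    <add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
    <add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
    <add key="ida:PostLogoutRedirectUri" value="http://localhost:44320/" />
  </appSettings>
</configuration>
"""

if __name__ == "__main__":
    # Pass a path to check a real web.config; otherwise the constructed samples are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_ida_settings(load_app_settings(fh.read())) or "OK")
    else:
        print("edited:  ", check_ida_settings(load_app_settings(EDITED_CONFIG)) or "OK")
        print("unedited:", check_ida_settings(load_app_settings(UNEDITED_CONFIG)))
```

Adjust the three constants to your own Client ID, tenant name and APP URL, then point the script at the sample's web.config before pressing F5.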
4. Click Sign in in the upper right corner. You should be redirected to Azure AD to sign in.
7. Click About in the sample application bar. The claims sent by Azure AD are displayed.
Important note For information on unmanaged tenants and how they can be brought under admin control, see the article WHAT IS SELF-SERVICE SIGNUP FOR AZURE?57.
This experience isn't illustrated in this walkthrough, since it requires the invitees to have a valid business email address in order to receive email invitations. Invitations to consumer email addresses (e.g. gmail.com or comcast.net) are currently not supported by Azure AD B2B collaboration.
57 WHAT IS SELF-SERVICE SIGNUP FOR AZURE?: https://azure.microsoft.com/en-us/documentation/articles/active-directory-self-service-signup/
Note For more information, see the article SIGN IN TO OFFICE 36558.
For the course of this walkthrough, we've provisioned an Office 365 Enterprise (E3) tenant: litware369.onmicrosoft.com. You will have to choose in its place a directory tenant name of your own that is not currently in use.
Whenever a procedure refers to litware369.onmicrosoft.com, substitute the directory tenant name you chose.
Note If you have a lot of users and don't want to create them one at a time, you can create a list of users in a comma-separated values (CSV) file and import them. It takes a little time to make the file, but then you can create all the users in Office 365 at once. For additional information, see the article ADD SEVERAL USERS AT THE SAME TIME TO OFFICE 365 - ADMIN HELP59.
58 SIGN IN TO OFFICE 365: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff637600.aspx
59 ADD SEVERAL USERS AT THE SAME TIME TO OFFICE 365 - ADMIN HELP: https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?CorrelationId=5893d287-c03c-46ff-8ce0-e6f402430be0&ui=en-US&rs=en-US&ad=US
Note By default your email address is added because you're the administrator, but you can remove it if you
want. You can enter up to 5 email addresses separated by semi-colons, as shown in the following figure.
10. At this point, an email from the Microsoft Online Services Team is sent to the email addresses you
specified. Click Close.
11. Repeat steps 4 to 10 to create an account for Anne Wallace, Katie Jordan, and Kelly Smith.
This completes the setup and the configuration of the test lab environment for the business partner
organization.
60 ADD USERS INDIVIDUALLY TO OFFICE 365 - ADMIN HELP: https://support.office.com/en-us/article/Add-users-individually-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this
document.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious. No association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be inferred.
Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.