Implementing Azure B2B in your production environment needs a good strategy! There are some basic questions that have to be clarified first.
Do all your customers have an Azure AD tenant, and how do you want to handle customers who don't?
That question is important because it helps to prevent issues I've seen in the past at so many customers.
But before we start with the errors that can happen, I will explain how the B2B process works.
The GUI-based invite is really simple: go to your tenant and add a “new guest user”:
Important: there is no e-mail verification during the invite, so you can type any e-mail address into the field!
After you click “invite”, an e-mail is sent to that e-mail address:
What happens behind the scenes?
Typically, there are two Guest Types:
- Homed in the same directory
- Homed in an external directory (default B2B)
I love the image from Microsoft which explains the types in detail (Link):
And here are the ugly things.
- If the customer doesn't have an Azure AD tenant and the mail address is an organizational one (not from gmx, yahoo, …), a shadow tenant will be created!
- If you add a B2B user with a “gmx, yahoo, …” e-mail, Microsoft will create a Microsoft Account and add an alias.
But there is good news:
- You can move the shadow tenant by an admin takeover (Link)
- Microsoft will remove the feature that creates a Microsoft Account with an alias (no date published yet)
- Microsoft has added Google as a trusted identity provider, so you can invite Google accounts (Link)
Does your company have an invite process? If not, you have to define one!
An invite process can be handled
- automatically or
It depends on your strategy. In the past I've added an automatic invite process for one of my customers.
To accomplish the scenario, I used the following Azure features:
- Azure Logic App (serverless components)
- Azure Log Analytics and Operations Insights to monitor the functionality
- Azure Graph to create the user (Customer Partner tenant) and send the invite
Screenshot of the Logic App process:
When you invite customers, is your Azure AD tenant ready for that? I'm talking about Azure AD hardening, licensing and so on…
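Because the invite itself does no e-mail verification, an automated invite process should make the decisions this post describes (consumer mail domain, domain without a known tenant) before the invitation is sent. The following Python is an added example, not the Logic App from the original post: it applies such a policy and, for allowed addresses, builds the request body for the Microsoft Graph `POST /invitations` call; the partner domain allow-list and the sample addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

GRAPH_INVITE_URL = "https://graph.microsoft.com/v1.0/invitations"

# Consumer mail domains the post warns about: inviting these makes Microsoft
# create a Microsoft Account with an alias instead of using a work tenant.
CONSUMER_DOMAINS = {"gmx.de", "gmx.net", "yahoo.com", "gmail.com", "hotmail.com"}

# Constructed allow-list: partner domains whose Azure AD tenant was confirmed
# out of band. A real process would keep this in configuration or a database.
KNOWN_PARTNER_TENANTS = {"contoso-partner.example", "fabrikam.example"}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


@dataclass
class InviteDecision:
    allowed: bool
    reason: str
    graph_body: Optional[dict] = None  # body for POST /invitations when allowed


def plan_invitation(email: str, redirect_url: str = "https://myapps.microsoft.com") -> InviteDecision:
    """Decide whether an address may be invited automatically; build the Graph body if so."""
    match = EMAIL_RE.match(email.strip())
    if not match:
        return InviteDecision(False, "syntactically invalid address")
    domain = match.group(1).lower()
    if domain in CONSUMER_DOMAINS:
        # Route to manual handling instead of silently creating a Microsoft Account alias.
        return InviteDecision(False, f"consumer domain {domain}: would create a Microsoft Account alias")
    if domain not in KNOWN_PARTNER_TENANTS:
        # An organizational domain without a known tenant would trigger a shadow tenant.
        return InviteDecision(False, f"domain {domain} has no confirmed Azure AD tenant (shadow tenant risk)")
    body = {
        "invitedUserEmailAddress": email.strip(),
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": True,
        "invitedUserMessageInfo": {"customizedMessageBody": "You have been invited as a partner guest."},
    }
    return InviteDecision(True, f"partner tenant {domain} confirmed", body)


if __name__ == "__main__":
    for addr in ("alice@contoso-partner.example", "bob@gmx.de", "carol@unknown-corp.example"):
        decision = plan_invitation(addr)
        print(addr, "->", "INVITE" if decision.allowed else "HOLD", "|", decision.reason)
```

Only the allowed decisions would be posted to `GRAPH_INVITE_URL` with an access token; the held ones go to whoever owns the manual part of the invite process.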