
Azure Active Directory B2B Collaboration


Earlier this year Microsoft released Azure AD business-to-business (B2B) collaboration worldwide in general availability. With Azure AD B2B collaboration, companies can work together with users of partner companies without creating a user account for those users in their own Azure AD. The user accounts of the partner company may exist in Azure AD, but in fact any type of email address is supported. Let's have a look at how this works, both for the admin and for the user from the partner company. In my example I use Salesforce, an application integrated with Azure AD.

How does it work for the Azure AD admin

I have already set up the integration between Azure AD and Salesforce, which gives my users an SSO experience when they access Salesforce from the Office My Apps portal. I have also enabled automatic user provisioning, so for every user I grant access to Salesforce, a user account with the right user role is created in Salesforce automatically.

Logged on to the Azure portal, go to Azure Active Directory, Users and groups, and then All users. At the top you can choose New guest user.

Now fill in the email address of the partner's user. In my example I used a Gmail account, but it can be any kind of email address: Outlook, Office 365, on-premises Exchange, etc.

The invited user can now be found in your Azure AD. Because the account lives in your Azure AD, you are able to manage it. You can of course delete the account when access to your Azure AD isn't wanted anymore. You can add it to groups to provide access to an Enterprise Application, or apply a Conditional Access policy that requires multi-factor authentication when an Enterprise Application is accessed.
You can also have a look at the sign-ins, just as you can for your own users' accounts.

When we have a look at the users in the Salesforce admin center, we can also see that a (guest) user account has been created on that side.

That is all from the admin perspective.
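The same admin steps (invite the guest, grant access through a group, review the guest accounts) scripted with the Microsoft Graph PowerShell SDK; this is an added example, not from the original post. The partner address, the group name "Salesforce Users" and the redirect URL are assumptions and placeholders.

```powershell
# Added example: the portal steps above, done with the Microsoft Graph PowerShell SDK.
# Assumptions (not from the post): a group named "Salesforce Users" is assigned to the
# Salesforce enterprise application, and the partner address below is a placeholder.
Connect-MgGraph -Scopes "User.Invite.All", "GroupMember.ReadWrite.All", "User.Read.All"

$partnerEmail = "partner.user@example.com"   # placeholder partner address
$groupName    = "Salesforce Users"            # assumed group assigned to Salesforce

# 1. Invite the guest (equivalent of "New guest user" in the portal).
#    The invitation mail sends the user to My Apps after redemption.
$invite = New-MgInvitation -InvitedUserEmailAddress $partnerEmail `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage:$true

$guestId = $invite.InvitedUser.Id
Write-Host "Guest object created: $guestId"

# 2. Grant access by group membership rather than direct assignment, so the
#    same group can drive the app assignment and a Conditional Access policy
#    that requires MFA for guests.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $guestId

# 3. Periodic review: list every guest in the tenant, with whether the
#    invitation was redeemed, so stale partner accounts can be removed.
Get-MgUser -Filter "userType eq 'Guest'" `
    -Property DisplayName, Mail, CreatedDateTime, ExternalUserState |
    Select-Object DisplayName, Mail, CreatedDateTime, ExternalUserState |
    Format-Table -AutoSize

# Removing a guest whose access is no longer wanted (same as delete in the portal):
# Remove-MgUser -UserId $guestId
```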

What does it look like for the user

When you are invited as a partner user, you receive an email invitation like the one below. When you click Get started, you are redirected to the Azure AD sign-in page.

Depending on the type of account the invitation was sent to, you can either sign in with your Office 365 or Microsoft account, or create a Microsoft account using your existing email address.
In my example I used Gmail, so I'm asked to create an account. The email address is already filled in and you need to provide a password of your choice.

To verify that you own the email address you provided, a code is sent to that address. Fill in the received code.

You get a welcome screen with some information on what you share with this organization.

You are now logged on to the Azure portal with your Gmail guest account. This account has only been assigned Salesforce, but there are many resources you can provide access to when using Azure AD B2B.

When you click on the Salesforce icon, you are logged on directly to Salesforce without providing a username or password.

If the administrator of the Azure tenant has set up your guest account to use MFA, you first need to set up MFA before you are logged on to Salesforce.

Azure AD B2B licensing

Which licenses you need to purchase for using Azure AD B2B depends on the kind of access you provide to your partner users.
Have a look at the Azure AD B2B licensing guide for all the details.
