Thursday 21 June 2018

Azure Active Directory (AD) Inviting Members and Guests (B2B)

Recently Azure has switched off the old portal and along with it the old Azure AD client. In the old portal there was a way to invite guests and members. In the new portal you can currently only invite guests, if you would like to invite members you need to do this through PowerShell. In this blog post we are going to take a look at how B2B actually works and how you can invite members.

What is the difference between a member and a guest user type? User type is used to enforce different security policies; Microsoft has written some great documentation about this. I found this image in their documentation extremely helpful:

How B2B invite works

Let's unpack what is happening in the image above. You can invite users from external Azure ADs and Microsoft Accounts. You can't invite users from Google Identity, etc. The whole B2B collaboration feature works in the Microsoft ecosystem only. This means that if your company decides to invite users from a 3rd-party company that does not have Azure AD, those users will end up creating Microsoft Accounts to log in to your service.

How to invite members from external Azure AD

Let's say that Elliot Alderson works for ECorp, and his original account resides in the ecorphq.onmicrosoft.com Azure AD. Elliot Alderson works for the ECorp Fraud department. The ECorp Fraud department has decided to get their own Azure AD because they want to enforce their own security rules on their subset of users. Also, they do not want to call the ECorp HQ IT department every time they want to set up a brand-new application for authentication (client id, audience, etc).

In this case the ECorp Fraud admin will need to run the following script. To keep things simple, when this admin calls Connect-AzureAD he will just use the adprincipal@ecorpfraud.onmicrosoft.com account to authenticate and invite Elliot.

# Sign in to the ECorp Fraud tenant as adprincipal@ecorpfraud.onmicrosoft.com
Connect-AzureAD

# Invite Elliot from the ECorp HQ tenant; -InvitedUserType Member overrides the default of Guest
New-AzureADMSInvitation -InvitedUserEmailAddress "elliot.alderson@ecorphq.onmicrosoft.com" -InviteRedirectUrl "https://www.ecorp.com" -SendInvitationMessage $true -InvitedUserType Member

Once Elliot receives the email and accepts the invitation, this is what the setup will look like:

How Azure AD references users from external Azure AD

I do not know about the Azure AD internals, so I am going to speculate now. It seems that when you add a user from an external Azure AD into your Azure AD, it creates this user record as an extension. When Elliot gets the invite or is given the consent URL and approves permissions, a referenced link gets created so Azure AD knows where to redirect the user to authenticate.
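Because the user type drives which security policies apply, it is worth checking afterwards which invited (B2B) accounts have ended up as members rather than guests. The following is an added example, not code from the original post; it assumes the AzureAD PowerShell module and a signed-in account that can read directory users, and relies on invited accounts carrying CreationType "Invitation" and the "#EXT#" marker in their UserPrincipalName.

```powershell
# Added example: list B2B-invited accounts whose UserType is Member.
# Assumes the AzureAD module is installed and the session has directory read rights.
Connect-AzureAD

# Invited accounts have CreationType "Invitation" and a UPN containing "#EXT#".
# Pull all users and filter client-side so both markers are checked.
$externalMembers = Get-AzureADUser -All $true |
    Where-Object {
        $_.UserType -eq 'Member' -and
        ($_.CreationType -eq 'Invitation' -or $_.UserPrincipalName -like '*#EXT#*')
    }

foreach ($u in $externalMembers) {
    [PSCustomObject]@{
        DisplayName       = $u.DisplayName
        HomeAddress       = $u.Mail              # address in the home tenant, e.g. elliot.alderson@ecorphq.onmicrosoft.com
        UserPrincipalName = $u.UserPrincipalName # the "#EXT#" form created in the inviting tenant
        UserType          = $u.UserType
        CreationType      = $u.CreationType
        UserState         = $u.UserState         # 'PendingAcceptance' until the invite is redeemed
    }
}
```

Any account in this list is an external identity that the inviting tenant treats as a full member, so each one should be a deliberate decision like the Elliot case above.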

Tuesday 5 June 2018

Azure AD - Relationships between Azure EA Accounts and Subscriptions

When it comes to the relationship between the Azure Portal, Azure AD and the Azure EA Portal, it can get very confusing and frustrating. It can be hard to understand what you have to do to enable authentication into the Azure Portal and why you have so many Azure ADs flying around. This brief blog post will try to explain the relationship between an Azure EA Portal account, the Azure AD that gets created automatically, and the Azure subscriptions that can be accessed in the Azure Portal.

When you log in to the Azure Enterprise Agreement Portal (Azure EA Portal) you can create "accounts", and under accounts you can create "subscriptions". Subscriptions are where you place your services (this is done in the Azure Portal). Accounts are where you place your subscriptions (this is done in the Azure EA Portal). When you create an account, an Azure AD is automatically created for that account, and all subscriptions under that account link to that Azure AD. Here is the diagram that shows this relationship:

Azure AD, Subscription and Account Relationship Diagram

Let's say you have created an ECorpFraud account in the Azure EA Portal and it belongs to the ECorp Fraud department. That account will automatically get an ECorpFraud Azure AD. This AD will be used to authenticate your users into the Azure Portal and let them see the relevant Azure subscriptions.

Imagine that Alice works in the ECorp Fraud department. Someone will need to add her to the ECorpFraud AD; once she is in there, you will be able to give her permissions to see resources in Subscription A or B. The Azure Portal itself uses Azure AD to enable authentication.

Now, if I create an ECorp Finance account, the same thing will happen. An Azure AD for ECorp Finance will be created. I will then be able to add the relevant users to that AD and then give them access to the relevant subscriptions, in this case Alice and John.