Azure AD B2B and Extranet User Manager, the perfect pairing to sign in your external users
March 16, 2018 | Logan Guest, Sales Associate
When you hear the words “Dynamic Duo”, a complementary pairing of two things that fit together perfectly comes to mind. This is how we like to explain the relationship between our Extranet User Manager (EUM) solution and Azure Active Directory Business-to-Business (Azure AD B2B)!
Section 1: Azure AD B2B is Ready to Mingle
Azure AD B2B is a service that allows external business partners to use their existing corporate identity to log in to your Office 365/SharePoint Online extranet. The users do not need Azure AD credentials of their own, and the partner organization does not need an Azure AD tenant either. Whether the user signs in with active Azure AD credentials, a non-Azure AD business email, or a consumer email, Azure B2B can authenticate the external user. The type of email the user chooses to authenticate with does, however, affect their onboarding experience. The three B2B scenarios an external user may encounter are listed below.
Existing Office 365 or Azure AD user:
- Logs in with their Azure AD credentials to accept the invitation

Business email not in Azure AD:
- Azure AD tenant is created behind the scenes
- User creates a password
- Can provide their name and country
- Azure AD manages the password reset requirements
- Tenant can be converted to a fully managed Azure AD tenant later

Consumer email (Gmail, Yahoo, etc.):
- Account is converted to a Microsoft account
- User creates a password
- Receives a code in their consumer email inbox
- Enters the 4-digit code to verify
- Account is successfully created and the user can log in
From an end user perspective, where the user is coming from determines the onboarding experience they will have. The first scenario, where an external user has Azure AD credentials, is seamless: they enter their email and password just as they would at their own organization. The second scenario, a business email not in Azure AD, is a little more involved because the user is prompted to create a password and enter some additional personal information. The last scenario, and often the most confusing for an end user, is a consumer email that is not already a Microsoft account. The user must work through a set of steps to convert their consumer account to a Microsoft account, and this final experience sometimes leaves the external user disengaged or confused during the invitation process.
Section 2: Azure B2B is No Longer Single
Extranet User Manager is a solution focused on giving external users a seamless end user experience when they are onboarded and authenticated to an extranet, regardless of where it resides. In the Office 365 space, Extranet User Manager paired with Azure B2B makes a great couple. Azure B2B provides Microsoft-backed secure authentication, and Extranet User Manager provides simplified account management, a customizable self-registration experience, and full support for delegating external user access to the actual business owner rather than leaving it in IT's queue.
From an account management perspective, EUM manages users at the group level. A new employee at a partner can simply be added to the existing group that already carries all of the permissions associated with their role at that external organization. The EUM administration user interface is intuitive and makes it simple to manage group-based and user-based permissions. EUM acts as an intermediary between the user and Azure Active Directory, which keeps business users from being overwhelmed and lets you, as the administrator of external user accounts, review what they have access to. Additionally, from an end user perspective, EUM owns the invitation process, so you can customize the content and branding of the initial welcome email.
The self-registration that is available out of the box with EUM can be customized to fit your specific scenario. The self-registration is an HTML page built with jQuery, making it easy to apply corporate branding and customize. This allows you to delegate the registration of users to the external users themselves. You can build in logical workflows that automatically pre-approve registered accounts based on the email domain they entered or on other factors. You can determine the fields you would like to capture from your external users and make them mandatory or optional. In certain scenarios, you may want your self-registration to be anonymously available but only completed by pre-existing vendors that you actively work with. In this case, you can build in a web service lookup that finds a unique ID specific to that vendor; this verifies that the individual is an existing vendor and allows them to progress to the registration portion of the onboarding experience. The self-registration can be customized in many ways, and having this flexibility paired with Azure B2B is a great match when you want to put the duty of registering on the external user.
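As an added illustration (not EUM's own code, and not its API), the following JavaScript shows the kind of server-side decision logic a self-registration workflow of this shape needs: mandatory and optional fields, pre-approval by email domain, and an optional vendor-ID gate backed by a lookup service. The field names, the pre-approved domain list, the vendor IDs and the `lookupVendor` stand-in are all constructed for the example; in a real deployment the lookup would call your vendor web service, and this check would run on the server rather than only in the browser page.

```javascript
// Added example (not EUM's code): pre-approval logic for a self-registration form.
// Field names, domain lists and vendor IDs below are constructed for illustration.

const REQUIRED_FIELDS = ["email", "firstName", "lastName"];
const OPTIONAL_FIELDS = ["company", "phone"];

// Constructed list of partner domains whose registrations are auto-approved.
const PRE_APPROVED_DOMAINS = new Set(["partner.example", "contractor.example"]);

// Constructed stand-in for a web service that checks whether a vendor ID exists.
const KNOWN_VENDOR_IDS = new Set(["V-1001", "V-2002"]);
function lookupVendor(vendorId) {
  return KNOWN_VENDOR_IDS.has(vendorId);
}

// Extract the lower-cased domain part of an email address, or null if malformed.
function emailDomain(email) {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Evaluate one submitted form. Returns { status, reasons, cleaned } where
// status is "approved", "pending" (needs a human approver) or "rejected".
function evaluateRegistration(form, opts = {}) {
  const { requireVendorId = false, vendorLookup = lookupVendor } = opts;
  const reasons = [];

  // 1. Mandatory fields must be present and non-blank.
  for (const f of REQUIRED_FIELDS) {
    if (typeof form[f] !== "string" || form[f].trim() === "") {
      reasons.push(`missing required field: ${f}`);
    }
  }

  // 2. Keep only the fields we asked for; anything else submitted is dropped.
  const allowed = new Set([...REQUIRED_FIELDS, ...OPTIONAL_FIELDS, "vendorId"]);
  const cleaned = {};
  for (const [k, v] of Object.entries(form)) {
    if (allowed.has(k) && typeof v === "string") cleaned[k] = v.trim();
  }
  if (reasons.length) return { status: "rejected", reasons, cleaned };

  const domain = emailDomain(cleaned.email);
  if (!domain) return { status: "rejected", reasons: ["malformed email"], cleaned };

  // 3. Optional vendor gate: only pre-existing vendors may register.
  if (requireVendorId && (!cleaned.vendorId || !vendorLookup(cleaned.vendorId))) {
    return { status: "rejected", reasons: ["unknown vendor ID"], cleaned };
  }

  // 4. Domain-based pre-approval; any other domain waits for an approver.
  if (PRE_APPROVED_DOMAINS.has(domain)) {
    return { status: "approved", reasons: [`domain ${domain} is pre-approved`], cleaned };
  }
  return { status: "pending", reasons: [`domain ${domain} needs manual approval`], cleaned };
}

// Sample run on a constructed submission.
console.log(evaluateRegistration({ email: "jane@partner.example", firstName: "Jane", lastName: "Doe" }));
```

The decision is deliberately deny-by-default: an unknown vendor ID or a missing mandatory field is rejected outright, and a domain that is not on the pre-approved list is parked as pending rather than silently approved. Passing `vendorLookup` in as an option keeps the logic testable offline while letting the real web service be swapped in.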
The last, and often most important, trait that Extranet User Manager brings to the relationship is delegated external user management. In many scenarios, organizations want to securely delegate the management of external users to the external clients themselves, since they know directly which individuals should and should not have access. This model is supported through a tiered approach to permissions. The three tiers of elevated permissions a user can hold within the EUM Administration portal are listed below.
First tier:
- Able to add net new users
- Manage users that are in the group they are the owner of
- Cannot add a new group or manage groups they are not the owner of

Second tier:
- Has access to all groups and all users and can manage them
- This individual is often an internal business user in your organization who knows who needs to have access
- Can apply the appropriate permissions

Third tier:
- Can access all users, all groups, and configure the EUM system
- This individual is likely an internal IT administrator who manages both EUM and the applications EUM is authenticating to
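To make the tiered model concrete, here is an added JavaScript example (not EUM's code) of a deny-by-default authorization check over the three tiers described above. The role names `groupOwner`, `admin` and `systemAdmin`, the action names, and the sample principals are assumed labels for this illustration, not EUM's own terms; the example also takes the least-privilege reading that a first-tier owner adds new users only into groups they own.

```javascript
// Added example (not EUM's code): authorization checks for three permission tiers.
// Role names, action names and the sample principals are assumed for illustration.

const ACTIONS = ["addUser", "manageUser", "createGroup", "manageGroup", "configureSystem"];

// Constructed sample principals. A principal has one role and, for group
// owners, the set of groups they own.
const principals = {
  siteOwner: { role: "groupOwner", ownedGroups: new Set(["ProjectA-Partners"]) },
  bizAdmin:  { role: "admin",       ownedGroups: new Set() },
  itAdmin:   { role: "systemAdmin", ownedGroups: new Set() },
};

// Decide whether `actor` may perform `action`. `group` is the group the action
// targets; it is null for system configuration and for creating a new group.
function isAllowed(actor, action, group = null) {
  if (!ACTIONS.includes(action)) return false;          // unknown action: deny
  switch (actor.role) {
    case "systemAdmin":
      return true;                                      // all users, all groups, system config
    case "admin":
      return action !== "configureSystem";              // all users and groups, no system config
    case "groupOwner": {
      const owns = group !== null && actor.ownedGroups.has(group);
      if (action === "addUser" || action === "manageUser" || action === "manageGroup") {
        return owns;                                    // only within groups they own
      }
      return false;                                     // no new groups, no system config
    }
    default:
      return false;                                     // unknown role: deny
  }
}

// List the actions an actor may take against a given group (useful for an
// access review or for rendering only the buttons a user may press).
function permittedActions(actor, group) {
  return ACTIONS.filter((a) => isAllowed(actor, a, group));
}

// Sample run on the constructed principals.
for (const [name, p] of Object.entries(principals)) {
  console.log(name, permittedActions(p, "ProjectA-Partners"));
}
```

The point of the structure is that every branch that is not explicitly granted falls through to `false`, so adding a fourth role or a new action later cannot accidentally widen access; the access review helper makes it easy to show each delegate exactly what they can do before handing them the portal.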
Section 3: Happily Ever After
Now, we could tell you that Azure B2B and Extranet User Manager lived happily ever after, however, we prefer to prove it to you! Associated Engineering is a consulting company focused on engineering and environmental consulting services. As you can imagine, their work involves many external parties such as clients, contractors, agencies, and many others. Ensuring they have an efficient method to manage the various ongoing projects for these external users is crucial to their bottom line. Access for the external teams was provided through a combination of Extranet User Manager and Microsoft's Azure AD B2B.
Working together, Azure AD B2B was used to manage the invitation process into the Office 365/SharePoint Online sites. This gave the external users flexibility: they could use their existing Azure AD credentials, or credentials were created for them during the invitation process. From a Microsoft licensing perspective, there were no additional license costs for those external users. Complementing this, Extranet User Manager provisioned one or more Azure AD groups for each SharePoint project site, making site owners Group Owners in EUM. This allows the invitation process to be delegated to the site owners without giving them full control of the SharePoint site.
The results were an effective governance plan established within SharePoint, a friendly user onboarding experience, and simplified group management within EUM. Please find below the links to the official Associated Engineering case study as well as the joint webinar hosted by Extranet User Manager and some key members of the Associated Engineering team. This is one example of many where the “Dynamic Duo” created a well-rounded authentication solution for a client. If you're looking to accomplish a similar experience for your external users in Office 365, Extranet User Manager is the option to pursue!
Links to Additional Resources