
Experimental testing: Updating source authority for existing B2B collaboration user to type ’Multiple’ by matching synced AD object

A while back, I wrote about matching an existing AD account to an External Collaboration account. It is a really nice new feature which allows an external user to sign in with their own Azure AD account while retaining the context of the originally synced account.

Before reading further, it is highly recommended to read the original post:

Brief testing: Converting internal on-premises accounts to B2B collaboration accounts

Disclaimer: This way of implementing it has no official support and has not been tested in any production environment.

Reasoning

The process outlined in the original blog requires that the AD account exists first. Some companies also have existing B2B collaboration users and would like to consolidate both account types without first removing the B2B collaboration user (when the same user also needs an AD account).

  • Plainly put, the idea is that sometimes the user needs an AD account to access a back-end partner system that is not tied to Azure AD (hence the AD account), but would like to collaborate with their own Azure AD account.

Modification of the process order

The modified order completes the same steps, but with subtle differences in how ImmutableIDs and ObjectIDs relate to the guest object in the different phases of the flow.

  • The user is invited as a guest from the external Azure AD
  • After the invite is redeemed, ’Directory synced’ remains ’no’ (as expected)
  • The corresponding AD object is created in the inviting directory
    • The mail attribute needs to match the invited user's email address
  • The ImmutableID derived from the AD object needs to be set on the external B2B account in the inviting directory
  • After AAD Connect has run, you will see that the user's ’Source of Authority’ is now ’Multiple’
  • The user can now log in with the inviting directory's synced account and with their own guest identity
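As an added example that is not part of the original post, the following PowerShell script performs the ImmutableID step of the flow above (the AD account name, guest mail address and module choice are assumptions). It checks that the AD mail attribute matches the invited address and refuses to overwrite a guest that already carries an ImmutableID, so a mistyped identity cannot silently re-link the wrong object.

```powershell
# Added example (not from the original post): link an existing B2B guest to a
# newly created on-premises AD account by stamping the AD objectGUID, in its
# base64 (ImmutableID) form, onto the guest object. Names below are assumptions.
# Requires the ActiveDirectory module (on-prem) and Microsoft.Graph PowerShell,
# connected with: Connect-MgGraph -Scopes User.ReadWrite.All
param(
    [Parameter(Mandatory)] [string] $AdSamAccountName,  # e.g. 'partner.user'
    [Parameter(Mandatory)] [string] $GuestMail,         # e.g. 'partner.user@partner.example'
    [switch] $WhatIf
)

Import-Module ActiveDirectory

# 1. Read the AD object that was created to match the guest.
$adUser = Get-ADUser -Identity $AdSamAccountName -Properties mail, objectGUID

# 2. Guard: the mail attribute must equal the invited address, otherwise
#    the guest and the AD object will not be matched.
if ($adUser.mail -ne $GuestMail) {
    throw "AD mail '$($adUser.mail)' does not match guest mail '$GuestMail'; fix the AD object first."
}

# 3. ImmutableID is the base64 encoding of the objectGUID's 16 raw bytes,
#    i.e. the same value AAD Connect would generate for this object.
$immutableId = [Convert]::ToBase64String($adUser.objectGUID.ToByteArray())

# 4. Find the guest in the inviting tenant and make sure it really is a guest
#    that is not already linked to an on-premises object.
$escapedMail = $GuestMail.Replace("'", "''")   # escape for the OData filter
$guest = Get-MgUser -Filter "mail eq '$escapedMail'" `
    -Property Id, UserType, OnPremisesSyncEnabled, OnPremisesImmutableId | Select-Object -First 1
if (-not $guest -or $guest.UserType -ne 'Guest') {
    throw "No guest user found with mail '$GuestMail'."
}
if ($guest.OnPremisesImmutableId) {
    throw "Guest already has ImmutableID '$($guest.OnPremisesImmutableId)'; refusing to overwrite."
}

# 5. Stamp the ImmutableID on the guest. On the next AAD Connect cycle the
#    object is hard-matched and 'Source of Authority' should show 'Multiple'.
if ($WhatIf) {
    Write-Host "Would set OnPremisesImmutableId=$immutableId on guest $($guest.Id)"
} else {
    Update-MgUser -UserId $guest.Id -OnPremisesImmutableId $immutableId
    Write-Host "Set ImmutableID $immutableId on guest $($guest.Id); wait for the next sync cycle."
}
```

After the next sync cycle, re-run `Get-MgUser` with `-Property OnPremisesSyncEnabled, UserType` on the guest to confirm it is now synced while still reporting `UserType` as `Guest`.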

Ending words

I haven’t tested this beyond signing in to my custom application, but I would expect it to work just like the original way of updating the ’Sources of Authority’ to ’Multiple’.

Br Joosua
