Azure AD B2B Collaboration With SharePoint Online

Azure AD B2B collaboration capabilities to invite guest users into your Azure AD tenant to allow them to access Azure AD service Azure AD B2B collaboration invited users can be picked from OneDrive/SharePoint Online sharing dialog boxes. OneDrive/SharePoint Online invited users also show up in Azure AD after they redeem their invitations and other resources such OneDrive for Business, SharePoint Online in your organization.

Azure B2B
Azure AD B2B Collaboration (Source Microsoft Corp)

Licensing Requirements for Paid Features:

The customer who owns the inviting tenant must be the one to determine how many B2B collaboration users need paid Azure AD capabilities. Depending on the paid Azure AD features you want for your guest users, you must have enough Azure AD paid licenses to cover B2B collaboration users in the same 5:1 ratio.

Extranet Collaboration.png
Contoso Corp B2B Collaboration with partners (Source Microsoft Corp)

The below guides articulate how to deploy Azure B2B functionality for SharePoint Online.

Turning on Azure AD Integrated App for Office 365

  1. Log on to Office 365 portal.office.com using your work or school account.
  2. Go to the Office 365 admin center, and from the left navigation bar, click Settings> Services & add-ins
  3. On the Integrated apps page, use the toggle to turn Integrated Apps on or off.

Add a B2B User

  1. Sign in to the Azure portal as an Azure AD administrator.
  2. In the navigation pane, select Azure Active Directory.
  3. Under Manage, select Users. Select New guest user.
  4. Under User name, enter the email address of the external user. Optionally, include a welcome message.
  5. Select Invite to automatically send the invitation to the guest user.
  6. To assign Group Permission, Under Manage, select Groups.
  7. Select a group (or click New group to create a new one). It’s a good idea to include in the group description that the group contains B2B guest users.
  8. Select Members. Add the Guest User.

Add Azure AD B2B Licenses

  1. Log on to Azure Portal.Azure.com, Navigate to Azure Active Directory
  2. To assign a license, under Azure Active Directory > Licenses > All Products, select one or more products, and then select Assign on the command bar.
  3. You can use the Users and groups blade to choose multiple users or groups or to disable service plans in the product. Use the search box on top to search for user and group names.
  4. When you assign licenses to a group, it can take some time before all users inherit the license depending on the size of the group. You can check the processing status on the Group blade, under the Licenses

Add guest users to a SharePoint Online App

  1. Sign in to the Azure portal as an Azure AD administrator. In the navigation pane, select Azure Active Directory.
  2. Under Manage, select Enterprise applications > All applications. Select the application to which you want to add guest users.
  3. On the application’s dashboard, select Total Users to open the Users and groups pane.
  4. Select Add user. Under Add Assignment, select User and groups.
  5. If the guest user already exists in the directory, search for the B2B user. Select the user, click Select, and then click Assign to add the user to the app.
  6. The guest user appears in the application’s Users and groups list with the assigned role of Default Access or Under Edit Assignment, click Select Role, and select the role you want to assign to the selected user. Click Select. Click Assign.

Turn on External Sharing for SharePoint Online

  1. Sign in to Office 365 as a global admin or SharePoint admin.
  2. Select the app launcher icon The app launcher icon in Office 365 in the upper-left and choose Admin to open the Office 365 admin center. (If you don’t see the Admin tile, you don’t have Office 365 administrator permissions in your organization.)
  3. In the left pane, choose Admin centers > SharePoint.
  4. In the left pane, click sharing.
  5. Select “Allow sharing only with the external users that already exist in your organization’s directory.”
  6. You can setup additional settings such as Limits external sharing using domains, prevent external users from sharing files, External User must accept sharing invitations.

Turn on External Sharing for Specific Site Collection

  1. Sign in to Office 365 as a global admin or SharePoint admin.
  2. Select the app launcher icon The app launcher icon in Office 365 in the upper-left and choose Admin to open the Office 365 admin center. (If you don’t see the Admin tile, you don’t have Office 365 administrator permissions in your organization.)
  3. In the left pane, choose Admin centers > SharePoint.
  4. Click Try the preview to open the new SharePoint admin center.
  5. In the left pane, click Site management.
  6. Locate the site that you want to update, and click the site name.
  7. In the right pane, under Sharing status, click Change.
  8. Select your option (see the following table) and click Save.

Redemption through the invitation email

If invited through a method that sends an invitation email, users can also redeem an invitation through the invitation email. An invited user can click the redemption URL in the email, and then review and accept the privacy terms.

  1. After being invited, the invitee receives an invitation through email that’s sent from Microsoft Invitations.
  2. The invitee selects Get Started in the email.
  3. If the invitee doesn’t have an Azure AD account or an MSA, they’re prompted to create an MSA.
  4. The invitee is redirected to the Review permissions screen, where they can review the inviting organization’s privacy statement and accept the terms.

Configure Azure B2B, Azure Rights Management for on-premises SharePoint, Exchange and File server

Azure Information Protection (Azure RMS) is an enterprise information protection solution for any organization. Azure RMS provides classification, labeling, and protection of organization’s data.

Note: This deployment also enables Azure B2B access for the Published Applications in Azure AD.

Azure Prerequisites

  • A subscription that includes Azure Information Protection. For example, PAYG, EA or E5
  • A global administrator account (@domain.onmicrosoft.com) to sign in to the Azure portal

Minimum On-premises Prerequisites

  • An operational Active Directory Federation Services
  • An operational Azure Active Directory Connect
  • An Active Directory Domain Controller
  • An RMS Connector Server
  • RMS Client version 2.1 or above installed on the SharePoint or File Server or Exchange Server
  • Azure Information Protection for Microsoft Office 2016
  • A matching UPN (dmain.com) which has been federated to Azure AD
  • Publicly routable domains name (domain.com)
  • Publicly routable DNS Records (spirm.domain.com, sts.domain.com)
  • Public certificates with SAN or an wild card certificate
  • Public certificate must have private key or PFX format
  • An operational SharePoint or File Server or Exchange Server to be protected by Azure RMS

Deploy On-prem Infrastructures:

  1. Register and verify domain.com to Azure ARM Portal
  2. Install and configure Active Directory Federation Services
  3. Install and configure Web Application Proxy Server
  • Install and configure Azure Active Directory Connect. AAD Connect installation pretty straight forward. To use Azure RMS you have to select three extra steps in AAD Connect. Either you can modify existing configuration to the below or if you are installing from scratch then you have to select an additional features. To provide the RMS functionality to synced users, Azure RMS has been selected in AAD Connect Wizard along with the Azure AD Apps.
  • On the AAD Connect Installation Page, click Customize to start a customized settings installation.
  • On User Signin Page Select Federation With ADFS.
  • On the Optional feature Page, Select Azure AD App and Attribute Filtering. Make sure you select all features which include Azure RMS
  1. Activate Azure RMS
  • Sign to Azure Portal using a Global Admin user (@domain.onmicrosoft.com)
  • Open Azure Information Protection, Click RMS Settings, Click Activate.
  1. If you are protecting SharePoint Server then you have to the additional steps on ADFS Server and SharePoint Server mentioned below.

Internal CNAME DNS record:

  • domain.com pointed to ADFS Server
  • domain.com pointed to SP Server
  • domain.com pointed to RMS Connector Server

ADFS Configuration:

Add a Claim Provider Trust using Wizard, type the name of the Claim Provider as “AzureAD” Select the URL to import metadata from https://login.microsoftonline.com/domain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml

Right Click on the the Azure AD Claim Provider, Edit Claim Rule and Add a custom claim rule

c:[]  => issue(claim = c);

 Add SharePoint 2013/2016 as a Relying Party Trust with the below properties:

Method to Add RP: Manual

Name: SP

RP Identifier: urn:sharepoint:domain

Enable WS-Federation and provide the following passive reply url: https://spirm.domain.com /_trust/

 Add two Claim Rules

UPN Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”%5D
 => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

B2B User Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”%5D
 => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Specify AzureAD as SharePoint 2013 Claim Provider

Set-AdfsRelyingPartyTrust -TargetName “SP”  -ClaimsProviderName @(“AzureAD”)

Specify Claim Provider for Internal Users:

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

Add Azure Web Application:

Log on to portal.azure.com, Click Azure AD, On the App registration section, Register an Azure Web Application using the below parameter:

Grant Access to Azure AD user and B2B User to this Application

  • Sign in to the Azure Active Directory admin center with an account that’s a global admin for the directory.
  • Select Azure Active Directory and then Users and groups.
  • On the Users and groups blade, select All users, and then select New Guest user.
  • Go back to newly registered App, Assign access permission to the guest user

Assign RMS Licenses to Azure B2B users:

Connect-MsolService

$AccountSkuId = “domain:ENTERPRISEPACK”

$UsageLocation = “AU”

$Users = Import-Csv c:\temp\userlist.csv

$Users | ForEach-Object {

Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation

Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId

}

Where userlist.csv contain userprincipal name or B2B username in first column. Further references.

Azure Licenses for B2B user https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-licensing

Configure Right Management Connector

  • Download Rights Management Connector on the server where you are going to install the Connector.
  • Create a Service account in Windows Active Directory with federated UPN SVCRMS@domain.com
  • SVCRMS@domain.com is AAD Synced Account.
  • Open AD users and Computers, Add SVCRMS@domain.com as a member of domain admins group.
  • Sign into Azure Portal, Assign SVCRMS@domain.com as global admin, Azure RightsManagement global administrator
  • On the computer on which you want to install the RMS connector, run exe with Administrator privileges. When prompted for credential use SVCRMS@domain.com account and alphanumeric password.

Note: do not install RMS connector on Exchange, File and SharePoint Server.

SharePoint Specific Configuration: Reference1 and reference2

Add-PSSnapIn Microsoft.SharePoint.PowerShell

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:\ADFSCertificates\STSTokenSigning.cer”)

New-SPTrustedRootAuthority -Name “Token Signing Cert” -Certificate $cert

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid” -IncomingClaimTypeDisplayName “SID” -SameAsIncoming

$realm = “urn:sharepoint:dealdocs”

$signInURL = “https://sts.dealdocs.com/adfs/ls/”

$ap = New-SPTrustedIdentityTokenIssuer -Name “ADFS” -Description “AD Federation Server” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl “https://sts.dealdocs.com/adfs/ls/” -IdentifierClaim $emailClaimmap.InputClaimType

Download and run GenConnectorConfig.ps1  the below command on SP Server. This command automate changes in registry values.

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013

Configure RMS Connector for SharePoint Server

  1. On the SharePoint Central Administration Web site, in the Quick Launch, click Security.
  2. On the Security page, in the Information Policy section, click Configure information rights management.
  3. On the Information Rights Management page, in the Information Rights Management section, select Use this RMS server type https://rmsconnector.domain.com).
  4. Click OK.
  5. Next step Add users to SharePoint Library

For Exchange Server, Download and run GenConnectorConfig.ps1  on Exchange Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013

Run the below command in Exchange Server

Set-IRMConfiguration -InternalLicensingEnabled $true

For File Server Download and run GenConnectorConfig.ps1  on File Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetFCI2012

Create classification rules and file management tasks to protect documents with RMS Encryption.

Testing:

  • Download Azure Information Protection  and protect a document for B2B user
  • Upload the document into SharePoint Library
  • Request the B2B user to access from the invitation you have sent.