Recently I have been working on a few identity projects where Azure AD B2B users have been a focus point. The majority of organisations have always had a solution or process for onboarding contractors and partners. More often than not, this is simply “Create an AD Account” and call it a day. But what about Azure AD? It’s important for organisations to enable trusted parties here, without paying for it.
Using native “cloud only” B2B accounts lets organisations onboard contractors seamlessly. Scenarios do exist where you may want to control password policy, or grant access to on-premise integrated solutions. In these scenarios, retaining the on-premise process can be a hard requirement. Most importantly, we need to solve all these challenges without changes to existing business process.
Thankfully, Microsoft has developed support for UserTypes within AD Connect. Using this functionality, administrators can configure inbound and outbound synchronisation within AD Connect. The end result being on-premise AD accounts, synchronised to Azure AD as guest users.
The Microsoft Process
Enabling this synchronisation according to the Microsoft documentation is a pretty straight-forward task;
- Disable synchronisation – You should complete this before carrying out any work on AD connect
- Designate and populate an attribute which will identify your partner accounts. “ExtensionAttributes” within AD are a prime target here.
- Using the AD Connect Sync manager, ensure that you are importing your selected attribute.
- Using the AD Connect Sync Manager, enable “userType” within the Azure AD schema
5. Create an import rule within the AD Connect rules editor, targeting your designated attribute. Use an expression rule like so to ensure the correct value is applied.
IIF(IsPresent([userPrincipalName]),IIF(CBool(InStr(LCase([userPrincipalName]),"@partners.fabrikam123.org")=0),"Member","Guest"),Error("UserPrincipalName is not present to determine UserType"))
6. Create an export rule moving your new attribute from the metaverse through to Azure AD
7. Enable synchronisation and validate your results.
A Better Way to mark B2B accounts
While the above method will most definitely work, it has a couple of drawbacks. Firstly, it relies on data entry. If the designated attribute is not set correctly, your users will not update. If you haven’t already got this data, you also need to apply it. More work. Secondly, this process can be achieved through a single sync rule and basic directory management. Less locations for our configuration to break. To apply a simpler configuration;
- You still complete Steps 1 and 4 from above.
- Ensure that your users are properly organised into OU’s. For this example, I’m using a “Standard” and “Partner” OU structure.
3. Finally, create a single rule outbound from the AD Connect metaverse to Azure AD. As with most outbound rules, ensure you have an appropriate scope. In the below example we want all users, who are NOT mastered by Azure AD.
The critical part of your rule is the transformations. Because DistinguishedName (CN + OU) is imported to AD Connect by default, our rule can quickly filter on the OU which holds our users.
IIF(IsPresent([distinguishedName]),IIF(CBool(InStr(LCase([distinguishedName]),"ou=users - partners,dc=ad,dc=westall,dc=co")=0),"Member","Guest"),Error("distinguishedName is not present to determine UserType"))
And just like that, we have Azure AD Accounts, automatically marked as Guest users!