We implemented SCIM for an enterprise app and it is working fine. We were told that we could add external AD groups to allow our partners users to be able to access the app as well. For example, Company A (us) uses Azure AD and wants to add a specific AD group from Company B (different network/domain) to be provisioned in the app. I was told this was possible, but I can't find documentation on setup of external groups.
I may have the terminology wrong which is probably not helping.
Any directions to documentation or examples would be appreciated.
Thanks.
Groups can only be provisioned/assigned to an application if they are managed in the same Azure AD tenant as the application that is configured to do provisioning. You can create a group in your Azure AD tenant and populate it with external/guest users as members - in that case, the group will be managed by your organization's tenant, but the members will be guests homed in another tenant.
Related
Looking for ideal solution in Azure AD to automatically sync users between two Azure AD Tenants
The scenario i'm looking for is as follows
Corporate and our business project has separate Azure AD Tenants
Want to leverage Corp Azure AD to sync internal users directly to my projects Azure AD to avoid onboarding all new ppl into the company
When some internal employee leaves, sync off-boarding as well so that if Corp removes someone from Azure AD, it gets removed from my Projects AD as well
What are the best options for me ?
Azure B2B sync using external identities
Azure Lighthouse
Others ?
Can users be automatically synced without them requiring to click some activation/invitation link in emails ? Can this be fully automated without "invite link emails " etc ?
Looking for some assistance
AADConnect(AzureAD connect) can synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants.
These tenants can be in different Azure environments.
You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to.
Note: One AADConnect server can synchronize to not more than one Azure AD tenant.
Reference:sync ad objects to multiple azure ad tenants
Also see use-scim-to-provision-users-and-groups
Consider the following case, for my application:
I have a website
The website sits on top of an azure api and gets data from cosmos DB
The data from cosmos DB is specific for different organizations
Different organizations should be able to have an "admin" appointed by me
The organization "admin" should be able to add his colleagues under the same organization
The users within a particular organization should only be able to view the data specific to their organization
Considering the above use-case, I have thought about using Azure B2C because:
Everything is already inside azure
I don't want to do security myself
However, I am unsure, if it is actually possible to achieve this with azure B2C? I can't seem to find any similar use-cases in the AD documentation. Hence why I start to think, that I'm going in a wrong direction...?
Therefore, can Azure AD B2C offer, what I want to achieve? (do I need a tenant for each Organization)
In case, Azure AD does not offer support for my use-case, what would you then recommend me to do?
As a white-label service, Azure AD B2C cannot be used as a built-in security provider for other Azure services without writing custom code to translate whatever authorization model you maintain in Azure AD B2C into access patterns for CosmosDB or other Azure services.
CosmosDB does have it's own in-built notion of users and permissions which you might map in some way (using custom code) to Azure AD B2C users. https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data#users
You could also use CosmosDB's integration with Azure AD (not B2C) for RBAC controls: https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
Finally, Azure AD B2C does not provide any out-of-the-box administrative tooling for the kind of delegated user administration model you described. Again this would need to be a custom coded admin UI or you'd need to use a third-party solution such as Saviynt for delegated administration: https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-saviynt
How can i have an option where users can register for an account in azure active directory if they don't already have an account using their own email? Currently i can only see an option to manually add users in through azure portal but I want to be able to allow users to register to my azure active directory programmatically through a .NET web app.
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources.
That means you need to manage the users under your organization's tenant.
All the users are employees of a company. Only in this way can users be managed easily under the same tenant.
So you need create accounts for your employees. There is not a option to make them register to Azure AD. I believe every company will provide work accounts to employees rather than asking employees to register.
If you want to work with your customers, let them register with your tenants, you should consider Azure AD B2C. It provides business-to-customer identity as a service, which allows customers to register for an account in Azure AD B2C tenant.
Azure AD have B2B collaboration for inviting external users.
But what if i wan't to invite an external Azure service that have a MSI.
Is it possible to create an Azure AD group and add a external(another subscription/tenant in Azure) MSI which i can then use to grant access to resources?
Say I wan't to allow a B2B partners Data Factory access to SQL database of ours and I do not wan't to give them a SQL Login.
MSIs are service principals which cannot be invited to other tenants. They are always tenant-specific.
The scenario sounds like you need to give access to something connected to your tenant.
I would suggest creating an App registration (Application),
adding a key, and giving those credentials to the other service.
You can then give the application access to your Azure subscription etc.
Is there a recommended Azure AD strategy for managing internal and our partner users?
We know we can add external users to our Azure AD but we would like a clear separation between the internal and partners users.
I see in Azure you can add another Azure AD so wondering if we can add a new just for external users. But I'm not sure what effect this would have to our current company Azure AD and whether it would have access and/or impact on the features we have in our Azure AD (e.g. O365/Sharepoint/etc).
Or is it recommended just to use groups in Azure AD to separate the internal and external users?
is it recommended just to use groups in Azure AD to separate the
internal and external users?
I think this is the best way to manage your users and partner users.
If you add partner users to another Azure AD, they will not access your default Azure AD resources and app.
Different Azure AD have different resource groups and APP.