External Users in Azure AD B2B

I have spent some time with customers working on Azure AD B2B and making applications available to partners and vendors through Azure AD. Part of that work was looking at what happens under the covers in AAD B2B, so we could understand what we had to report on and audit, and how.

Azure AD B2B is invitation-based. When you want to work with an external partner or vendor, you invite that person into one of your company’s applications. The system sends an invitation to the e-mail address you supply, and the invitee redeems it to gain access.

What happens in the background is the creation of a reference to that vendor’s or partner’s user account. That reference object is created in your own AAD; permissions are assigned to it, and it is what audit logs and reports refer to.

That reference is created as a very special user object. The following is my user object in my own AAD tenant:

First Name: Florian

Last Name: Fromm

Sign-In-Name: florian@fsft.net

objectID: e25b1308-1115-45d0-b813-a49e23a32e1f

UserType: Member

When I am invited by a partner organization, my reference object in their contoso.onmicrosoft.com tenant looks like this:

First Name: Florian

Last Name: Fromm

Sign-In-Name: florian@fsft.net

UPN: florian_fsft.net#EXT#@contoso.onmicrosoft.com

objectID: 7a7949ea-ff5b-4ac1-bdf5-5024ed8e0903

UserType: Guest

It looks like this in PowerShell:

# Get-AzureADUser -ObjectId 7a7949ea-ff5b-4ac1-bdf5-5024ed8e0903 | fl

ExtensionProperty            : {[odata.metadata, https://graph.windows.net/aafc7cbd-922b-4676-ba50-38c1efb5cf29/$metada
                                ta#directoryObjects/Microsoft.DirectoryServices.User/@Element], [odata.type,
                                Microsoft.DirectoryServices.User], [deletionTimestamp, ], [signInNames, []]…}
DeletionTimeStamp            :
ObjectId                     : 7a7949ea-ff5b-4ac1-bdf5-5024ed8e0903
ObjectType                   : User
AccountEnabled               : True
AssignedLicenses             : {}
AssignedPlans                : {}
City                         :
Country                      :
Department                   :
DirSyncEnabled               :
DisplayName                  : Florian Fromm (FSFT)
FacsimilieTelephoneNumber    :
GivenName                    :
ImmutableId                  :
JobTitle                     :
LastDirSyncTime              :
Mail                         : florian@fsft.net
MailNickName                 : florian_fsft.net#EXT#
Mobile                       :
OnPremisesSecurityIdentifier :
OtherMails                   : {florian@fsft.net}
PasswordPolicies             :
PasswordProfile              :
PhysicalDeliveryOfficeName   :
PostalCode                   :
PreferredLanguage            :
ProvisionedPlans             : {}
ProvisioningErrors           : {}
ProxyAddresses               : {smtp:florian_fsft.net#EXT#@contoso.onmicrosoft.com,
                                SMTP:florian@fsft.net}
SipProxyAddress              :
State                        :
StreetAddress                :
Surname                      :
TelephoneNumber              :
ThumbnailPhoto               :
UsageLocation                :
UserPrincipalName            : florian_fsft.net#EXT#@contoso.onmicrosoft.com
UserType                     : Guest

The name on the reference object was entered during the invitation process and was not copied from my tenant: the inviting person knew my name and e-mail address and supplied them in the invitation.

What’s more interesting is how my reference got created in Contoso: while my sign-in name stayed intact (it is kept in the Mail and OtherMails attributes), AAD “converted” my e-mail address into a UPN by replacing the @ with an underscore, appending #EXT#, and then appending the tenant’s own suffix @contoso.onmicrosoft.com. A new objectID was also generated, which makes sense, as I am a new reference object in that tenant.

Also, I became a special user object in the Contoso tenant, marked as “Guest” in the UserType attribute (my own object at home is a Member).

Finding all external users that have a reference in my own AAD is easy, using that attribute (note -All $true, otherwise the cmdlet stops at the first 100 results):

# Get-AzureADUser -All $true -Filter "UserType eq 'Guest'"

UserType is only an attribute, and an administrator can change it with Set-AzureADUser, so for an audit it is worth cross-checking the result against UPNs that carry the #EXT# marker.
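The following PowerShell is an added example, not code from the original post or from the AzureAD module. It puts the two points above together: the #EXT# UPN mangling (and how to reverse it, including the case where the original local part itself contains underscores) and the guest enumeration turned into a per-partner-domain report. The function names (ConvertTo-GuestUpn, ConvertFrom-GuestUpn, Get-GuestHomeDomain, Get-GuestReport) and the sample guest objects are assumptions made up for this example; the conversion functions and the report over the constructed sample run offline, while the live variant at the bottom assumes the AzureAD module and an existing Connect-AzureAD session.

```powershell
# Added example, not part of the original post. Function names and sample data are
# made up here; the live path assumes the AzureAD module and Connect-AzureAD.

function ConvertTo-GuestUpn {
    param([Parameter(Mandatory)][string]$Email, [Parameter(Mandatory)][string]$TenantDomain)
    # The '@' in the invited address becomes '_', then '#EXT#' and the inviting
    # tenant's domain are appended: florian@fsft.net -> florian_fsft.net#EXT#@contoso.onmicrosoft.com
    $localPart, $domain = $Email -split '@', 2
    if (-not $domain) { throw "Not an e-mail address: $Email" }
    return ('{0}_{1}#EXT#@{2}' -f $localPart, $domain, $TenantDomain)
}

function ConvertFrom-GuestUpn {
    param([Parameter(Mandatory)][string]$Upn)
    # Reverse the mangling. The local part of the original address may itself contain
    # underscores (jane_doe@fsft.net), so split on the LAST underscore before '#EXT#'.
    if ($Upn -notmatch '^(?<mangled>.+)#EXT#@(?<tenant>[^@]+)$') { return $null }
    $mangled = $Matches.mangled
    $idx = $mangled.LastIndexOf('_')
    if ($idx -lt 1 -or $idx -ge $mangled.Length - 1) { return $null }
    return ('{0}@{1}' -f $mangled.Substring(0, $idx), $mangled.Substring($idx + 1))
}

function Get-GuestHomeDomain {
    param([Parameter(Mandatory)]$User)
    # Prefer the Mail attribute (the untouched sign-in address); fall back to
    # parsing the UPN only when Mail is empty.
    $address = if ($User.Mail) { $User.Mail } else { ConvertFrom-GuestUpn $User.UserPrincipalName }
    if ($address) { return ($address -split '@', 2)[1].ToLowerInvariant() }
    return '(unknown)'
}

function Get-GuestReport {
    param([object[]]$Guests)
    # One row per partner domain: how many guest references exist, how many are
    # disabled, and which accounts they are. Useful as a starting point for auditing.
    $Guests |
        Select-Object DisplayName, UserPrincipalName, Mail, AccountEnabled,
            @{ n = 'HomeDomain'; e = { Get-GuestHomeDomain $_ } } |
        Group-Object HomeDomain |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                HomeDomain = $_.Name
                Guests     = $_.Count
                Disabled   = @($_.Group | Where-Object { -not $_.AccountEnabled }).Count
                Accounts   = ($_.Group.UserPrincipalName -join '; ')
            }
        }
}

# Constructed sample objects shaped like Get-AzureADUser output, so the report runs offline.
$sampleGuests = @(
    [pscustomobject]@{ DisplayName = 'Florian Fromm (FSFT)'; UserPrincipalName = 'florian_fsft.net#EXT#@contoso.onmicrosoft.com'; Mail = 'florian@fsft.net'; AccountEnabled = $true },
    [pscustomobject]@{ DisplayName = 'Jane Doe (FSFT)';      UserPrincipalName = 'jane_doe_fsft.net#EXT#@contoso.onmicrosoft.com'; Mail = $null;             AccountEnabled = $false },
    [pscustomobject]@{ DisplayName = 'Partner Admin';        UserPrincipalName = 'admin_fabrikam.com#EXT#@contoso.onmicrosoft.com'; Mail = 'admin@fabrikam.com'; AccountEnabled = $true }
)

ConvertTo-GuestUpn -Email 'florian@fsft.net' -TenantDomain 'contoso.onmicrosoft.com'
ConvertFrom-GuestUpn -Upn 'jane_doe_fsft.net#EXT#@contoso.onmicrosoft.com'
Get-GuestReport -Guests $sampleGuests | Format-Table -AutoSize

# Live tenant (requires Connect-AzureAD). -All $true is needed, otherwise only the
# first 100 objects come back.
# Get-GuestReport -Guests (Get-AzureADUser -All $true -Filter "UserType eq 'Guest'") | Format-Table -AutoSize
```

The report keys on the Mail attribute first and only falls back to parsing the UPN, because the UPN mangling is lossy in the general case while Mail keeps the invited address as-is.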
