Forum Discussion
Azure AD Connect and On-Prem ADFS federated with multiple partner organization
Scenario:
We have an on-prem ADFS which is configured to federate with a couple of partner organizations. The federated authentication with both our partners works well on-prem. Now we want to use this ADFS as the authentication mechanism for Office 365.
Questions:
- Users of our AD will be synced with the help of Azure AD Connect. Do we really need to sync the users of the partner organization's AD as well to let them access our Office 365 tenant (shared SharePoint sites)? If it is required, what should be the approach?
- If partner-A and partner-B need to access an Office 365 SharePoint site, what kind of license would they require? Can they be considered external users? Would they need to have their own Office 365 tenant?
- We assume that once the ADFS federation with Office 365 is configured, the authentication will happen in the following way:
- Partner-A user tries to access the SharePoint Online site URL that I've shared
- Office 365 will route the request to on-prem ADFS of my organization
- My on-prem ADFS will then pass the request to Partner-A ADFS
- The user will get authenticated with Partner-A ADFS and returned to My ADFS with the token
- My ADFS will replace Partner-A's token with its own token and send back the user to Office 365
- User successfully accesses the shared SharePoint Online site
Is this the correct understanding?
Hi,
I would sync your users to Azure AD and simply invite your partners' users to SharePoint sites. If done so, the answers are as follows:
- No, you do not need to sync them to Azure AD.
- No need for any license, just invite them as external users. To log in, your partners' invited users do require either a Microsoft Account (outlook.com, hotmail.com, etc.) or an Azure AD account (Office 365 etc.).
- There is no need for any AD FS scenario here. When partners are external users, Office 365 will handle all the authentication.
For security reasons, I suggest that you run the following PowerShell command in your tenant. It forces the external users to login with the same email address the invitation was sent to.
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
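As an added example (not part of the original reply), the script below shows how the invited-account check from the answer above fits alongside the other tenant-level external-sharing settings, and how to verify the result. It assumes the SharePoint Online Management Shell module is installed, the caller is a SharePoint administrator, and "contoso" and the partner domains are placeholders.

```powershell
# Added example, not code from the thread. Verify and harden the SharePoint Online
# external-sharing settings that the "invite partners as external users" approach relies on.
# Assumes the SharePoint Online Management Shell module is installed and the caller is a
# SharePoint admin; "contoso", "partner-a.example" and "partner-b.example" are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$tenant = Get-SPOTenant

# Record the current state before changing anything (useful as a change-log line).
"Before: SharingCapability={0}, RequireAcceptingAccountMatchInvitedAccount={1}" -f `
    $tenant.SharingCapability, $tenant.RequireAcceptingAccountMatchInvitedAccount

# Guests may only redeem an invitation with the exact account it was sent to.
if (-not $tenant.RequireAcceptingAccountMatchInvitedAccount) {
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
}

# Allow sharing with authenticated external users only (no anonymous "anyone" links).
if ($tenant.SharingCapability -ne "ExternalUserSharingOnly") {
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly
}

# Restrict invitations to the partner organisations' domains (space-separated list).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner-a.example partner-b.example"

# Re-read the tenant so the effective values, not the intended ones, are shown.
$tenant = Get-SPOTenant
"After: SharingCapability={0}, RequireAcceptingAccountMatchInvitedAccount={1}, AllowedDomains={2}" -f `
    $tenant.SharingCapability, $tenant.RequireAcceptingAccountMatchInvitedAccount, $tenant.SharingAllowedDomainList

# List the external users already in the tenant so stale partner accounts can be reviewed.
Get-SPOExternalUser -PageSize 50 | Select-Object DisplayName, Email, AcceptedAs, WhenCreated
```

Run it from an elevated SharePoint admin session; the "Before"/"After" lines give you the evidence a change review or audit would ask for.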
- WH-808
I'd assume they wouldn't want them using a Microsoft account for account management purposes. You can sign up for a Microsoft account with any email address. If they do it with their work email address, two things would happen that would be issues with a lot of organizations. 1. It would be a separate account with a separate password. 2. If they left the partner company, they would still be able to log in with the Microsoft account after the partner company account is deactivated or its password changed.
The partner would need their own Azure AD with on-prem accounts synced, or their own ADFS, and you would federate your Azure AD with that.
- Good point, it would be better from the management point of view to have all users in Azure AD in the partner's own tenant.
However, there is no need to federate anything; Office 365 takes care of authentication. Besides, if the partner is already using Office 365, their domain is registered to their tenant and cannot be federated to other tenants.
Hi Atul,
You should not use your ADFS to authenticate partner users because you will need to validate their domain on your Office 365 as an accepted and validated domain.
- Atul Moghe
Thanks Nuno for your quick response!
Can you point me to an article where this or a similar kind of scenario is explained in detail? I couldn't find any good resource/documentation around this scenario, and I believe this must be a quite common requirement for many big enterprises.
I think there is no article on that, but you can only validate your own domains on Office 365, not your partner's, and that is a requisite of ADFS.
Below is an article on implementing ADFS: https://blogs.technet.microsoft.com/rmilne/2014/04/28/how-to-install-adfs-2012-r2-for-office-365/
- Bhalchandra Kadam
Atul Moghe, did you get any solution for this scenario?
- Deleted
Hi,
1/ In SharePoint, you can add an external user; the users of the partner organisation do not need to be synced to let them access. But this is just for sharing documents.
2/ If you use solution 1, no licence is needed.
3/ To give access to a partner org, you have a few solutions:
- You can use Azure AD B2B (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b)
- You can federate their on-premises AD with your tenant (it's very intrusive for your organisation)
- WH-808
The easiest implementation would be for your partners to also sync their users to Azure AD. Then you can invite them as guests to your tenant, and they will be available to add as users in Office 365.