Forum Discussion
AAD Application Proxy and B2B Users
- Jul 06, 2017
Hi, I assume you are looking to use the app proxy for organizations with on-premises apps which are using Windows authentication. We are currently working on the documentation for this scenario which should be posted to docs.microsoft.com shortly. In principle, creating an account in an AD domain corresponding to a user in Azure AD, including a guest user, would enable the app proxy to match the user coming in from Azure AD and use KCD for impersonation and permit that user to then access Windows integrated authentication; however, there are a number of account lifecycle subtleties here. So even if you see the app proxy is able to permit the communication flow, I'd suggest waiting for the documentation as there are a number of deployment considerations and best practices to look at (e.g., what container to put the users in, when to deprovision the user from AD, how to avoid RID exhaustion and end user confusion about "All authenticated users", etc.). Feel free to reach out to us if you have additional questions. Thanks, Mark
Mark_Wahl I started configuring the new B2B shadow accounts, but it seems that the Application Proxy ignores the "Delegated Login Identity" configuration.
This results in the fact that my on-prem application server receives the cloud UPN (the one with #EXT#) instead of the configured sAMAccountName in the on-prem AD and responds with a 401 since the user is not found/matched.
I assumed that the on-prem connector fetched the sAMAccountName from the on-prem AD, but it looks like it's using the onPremisesSamAccountName in Azure AD for this assignment (which is not available for B2B users and read-only via the Graph API).
Any suggestion for the issue I'm facing?
Regards,
Nick
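A small diagnostic for the symptom described in this thread, added here as an example and not code from either poster or from Microsoft: it parses the B2B guest UPN form (`local_domain#EXT#@tenant`) back to the guest's original email, looks that up in a constructed table standing in for the on-prem shadow accounts, and reports whether the identity the back-end app received was the expected sAMAccountName or a forwarded cloud UPN (the 401 case). The account names and domains are made up.

```python
import re

# Azure AD B2B guest UPN: <local>_<domain>#EXT#@<home tenant>
# The local part may itself contain underscores, so the domain is the last
# underscore-free token before "#EXT#".
EXT_UPN = re.compile(r"^(?P<local>.+)_(?P<domain>[^_@]+)#EXT#@(?P<tenant>.+)$", re.IGNORECASE)

def guest_upn_to_email(upn):
    """Return the guest's original email for a #EXT# UPN, else None."""
    m = EXT_UPN.match(upn)
    if not m:
        return None
    return f"{m['local']}@{m['domain']}".lower()

# Constructed stand-in for the on-prem AD shadow accounts (hypothetical values).
SHADOW_ACCOUNTS = [
    {"sAMAccountName": "nick.ext", "userPrincipalName": "nick@fabrikam.com", "mail": "nick@fabrikam.com"},
    {"sAMAccountName": "jo.ext",   "userPrincipalName": "jo.lee@adatum.com", "mail": "jo.lee@adatum.com"},
]

def resolve_login_identity(identity_seen, accounts=SHADOW_ACCOUNTS):
    """Classify the identity the back-end app saw in the KCD impersonation.

    Returns (status, shadow_account_or_None):
      "ok"                  -> a shadow account's sAMAccountName/UPN was used
      "cloud-upn-forwarded" -> the #EXT# cloud UPN reached the app (the 401 case);
                               the account that should have been used is returned
      "unknown"             -> neither form matches any shadow account
    """
    email = guest_upn_to_email(identity_seen)
    if email:
        match = next((a for a in accounts
                      if email in (a["userPrincipalName"].lower(), a["mail"].lower())), None)
        return "cloud-upn-forwarded", match
    ident = identity_seen.lower()
    for a in accounts:
        if ident in (a["sAMAccountName"].lower(), a["userPrincipalName"].lower()):
            return "ok", a
    return "unknown", None

if __name__ == "__main__":
    # Identity as it would appear in the app server's failed request (constructed).
    for seen in ("nick_fabrikam.com#EXT#@contoso.onmicrosoft.com", "jo.ext", "someone.else"):
        status, acct = resolve_login_identity(seen)
        print(seen, "->", status, "(expected", acct["sAMAccountName"] if acct else "n/a", ")")
```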