Forum Discussion
Ellefs1, Sep 27, 2021
Azure AD B2B SPO and OD integration + Whitelisting in AAD
Hi! I've got some scenarios I'd love your input on: Configuration 1: - Whitelisting/allow list used in Azure AD - SPO and OD Azure AD B2B integration activated (and OTP) - SharePoint/OneDrive...
Ellefs1, Sep 27, 2021
Hi ChristianJBergstrom. Haha, I can understand the love/hate feelings towards these types of questions. Appreciate you taking the time to provide your thoughts.
I'm aware of how we can use sensitivity labels on containers to control guest access (among other things). But one thing is controlling which teams/sites will allow guests; another thing is controlling who can be invited in the first place. If an organization can control which domains they allow their employees to invite external users from by using whitelisting, along with the rest of "Configuration 2", would you say that is a troublesome setup? I understand the limitations of the SP ad-hoc external recipient solution (no CA etc.) and of course the possibility of end users being blocked from adding certain users. What would be the other downsides, if any?
Sep 27, 2021
Hello again, I thought you'd settle for the previous one! Just kidding. I kind of understood you were aware of the options from how the initial question was asked, but had to put it out there.
Ellefs1 Doing an edit here because when opting in using AADB2B integration it doesn't take precedence (as previously said) but rather invitations in SharePoint are also subject to any domain restrictions configured in Azure AD. In other words, when not using AADB2B the AAD list works independently from the OneDrive for Business and SharePoint Online allow/block list.
So, now it feels better 🙂
Ellefs1, Oct 01, 2021
"Doing an edit here because when opting in using AADB2B integration it doesn't take precedence (as previously said) but rather invitations in SharePoint are also subject to any domain restrictions configured in Azure AD. In other words, when not using AADB2B the AAD list works independently from the OneDrive for Business and SharePoint Online allow/block list."
Yes, this is aligned with my tests as well (I think). To be sure, this is how I experienced it without AADB2B integration:
- Guest Access to Teams and SharePoint will be controlled by the whitelist in AAD
- External Sharing will not be. So with SharePoint/OneDrive External sharing set to "New and existing guests" you can share any file/folder with any external user using the "Specific people" option
This is at least what I experienced within my sandbox.
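As an added illustration (not code from the thread, and not Microsoft's own), the following PowerShell audits the two settings the posts above contrast: the SharePoint Online tenant sharing configuration and whether Azure AD B2B integration is enabled, and reports where "Specific people" sharing could bypass an Azure AD allow list. It assumes the SharePoint Online Management Shell cmdlets Connect-SPOService, Get-SPOTenant and Set-SPOTenant; the tenant name "contoso" is hypothetical, and the $sandbox object is constructed to mirror the sandbox configuration described in the post.

```powershell
# Added example (not from the thread). Evaluates a Get-SPOTenant-shaped object
# against the behaviour described in the posts: without AADB2B integration the
# Azure AD allow list does not govern ad-hoc "Specific people" sharing, while
# with it SharePoint invitations are subject to the Azure AD domain restrictions.
function Test-GuestAllowListCoverage {
    param(
        # Object exposing SharingCapability, SharingDomainRestrictionMode,
        # SharingAllowedDomainList and EnableAzureADB2BIntegration (as Get-SPOTenant does)
        [Parameter(Mandatory)] $Tenant
    )

    $findings = @()

    # SharingCapability values: Disabled, ExistingExternalUserSharingOnly,
    # ExternalUserSharingOnly ("New and existing guests"), ExternalUserAndGuestSharing ("Anyone")
    if ("$($Tenant.SharingCapability)" -eq 'Disabled') {
        $findings += 'OK: external sharing is disabled at tenant level; guest access is governed by the Azure AD list only.'
        return $findings
    }

    if (-not $Tenant.EnableAzureADB2BIntegration) {
        $findings += 'GAP: AADB2B integration is off. "Specific people" sharing creates ad-hoc external recipients that are not subject to the Azure AD allow list.'

        # SharingDomainRestrictionMode values: None, AllowList, BlockList
        switch ("$($Tenant.SharingDomainRestrictionMode)") {
            'None'      { $findings += 'GAP: SPO/OD domain restriction mode is None, so ad-hoc sharing is not limited by domain at all.' }
            'AllowList' { $findings += "INFO: SPO/OD allow list is enforced independently of Azure AD: $($Tenant.SharingAllowedDomainList)" }
            'BlockList' { $findings += 'INFO: SPO/OD block list is enforced independently of Azure AD.' }
        }
    }
    else {
        $findings += 'OK: AADB2B integration is on; SharePoint invitations are subject to the Azure AD domain restrictions.'
    }

    if ("$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
        $findings += 'GAP: "Anyone" links are enabled; anonymous links need no invitation and bypass both lists.'
    }

    return $findings
}

# Constructed sample mirroring the sandbox described in the post:
# "New and existing guests", no SPO domain restriction, AADB2B integration off.
$sandbox = [pscustomobject]@{
    SharingCapability            = 'ExternalUserSharingOnly'
    SharingDomainRestrictionMode = 'None'
    SharingAllowedDomainList     = ''
    EnableAzureADB2BIntegration  = $false
}
Test-GuestAllowListCoverage -Tenant $sandbox

# Same tenant after opting in to AADB2B integration (the remediation the thread arrives at).
$remediated = $sandbox.PSObject.Copy()
$remediated.EnableAzureADB2BIntegration = $true
Test-GuestAllowListCoverage -Tenant $remediated

# Against a live tenant (tenant name is hypothetical):
#   Connect-SPOService -Url https://contoso-admin.sharepoint.com
#   Test-GuestAllowListCoverage -Tenant (Get-SPOTenant)
# Remediation so that SharePoint invitations honour the Azure AD list:
#   Set-SPOTenant -EnableAzureADB2BIntegration $true
# Optionally also restrict ad-hoc sharing on the SPO side (domain is hypothetical):
#   Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "partner.example"
```

For the constructed $sandbox object the function returns two GAP lines (integration off, domain restriction None); for $remediated it returns a single OK line. Run it against (Get-SPOTenant) after Connect-SPOService to audit a real tenant; the Azure AD allow list itself is still configured separately under External Identities > External collaboration settings.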
Ellefs1, Sep 27, 2021
Right, I believe we got that covered. As you can understand, we're still at the drawing board here.
The following is written on the "Allow list" documentation: "If you want to use an allow list, make sure that you spend time to fully evaluate what your business needs are."
So here I am, spending time evaluating this! 🙂
Thanks for the help! 🙂
Sep 27, 2021
Haha 🙂 No problem!