Forum Discussion

Brass Contributor

Mar 23, 2017

Azure AD Connect and On-Prem ADFS federated with multiple partner organization

Scenario: We have an on-prem ADFS which is configured to federate with couple of partner organizations. The federated authentication with both our partners works well in On-Prem. Now we want to use ...

Azure Active Directory (AAD)

Identity Management

microsoft 365

Nestori Syynimaa

MVP

Nov 19, 2017

Hi,

I would sync your users to Azure AD and simply invite your partners' users to SharePoint sites. If done so, the answers are as follows:

No, you do not need to sync them to Azure AD.
No need for any license, just invite them as external users. To login, your partners' invited users do require either a Microsoft Account (outlook.com, hotmail.com, etc.) or Azure AD account (Office 365 etc.).
There is no need to any AD FS scenario here. When partners are external users, Office 365 will handle all the authentication

For security reasons, I suggest that you run the following PowerShell command in your tenant. It forces the external users to login with the same email address the invitation was sent to.

Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

WH-808

Copper Contributor

Nov 24, 2017

I'd assume they wouldn't want them using a Microsoft account for account management purposes. You can signup for a Microsoft account with any email address. If they do it with their work email address, two things would happen that would be issues with a lot of organizations. 1. It would be a separate account with a separate password. 2. If they left the partner company, they would still be able to login with the Microsoft account after the company partner account is deactivated or password changed.

The partner would need their own Azure AD with on-prem accounts synced or their own ADFS and you would federate your Azure AD with that.

Nestori Syynimaa
MVP
Nov 29, 2017
Good point, it would be better from the management point-of-view to have all users in Azure AD in partner's own tenant.

However, there is no need to federate anything, Office 365 takes care of authentication. Besides, if the partner is already using Office 365, their domain is registered to their tenant it cannot be federated to other tenants.
- WH-808
  Copper Contributor
  Nov 29, 2017
  I think you might be mixing up federation with sync. You can't sync a domain to more than one tenant but you can absolutely federate with other directories. If they are in another Azure tenant, you have two options, invite them as external users to your tenant or setup federation between two tenants using custom policies. If you don't mind external users in your directory, then inviting them as external users is by far the easiest of the two options.
  - Nestori Syynimaa
    MVP
    Nov 29, 2017
    The term federation means many things in Office 365/Azure AD, so I think we are simply talking about different things here.
    
    What I meant by federation is that you either create a new federated domain to Office 365 or convert an existing one to federated:
    
    # Create a new federated domain New-MsolFederatedDomain -DomainName mydomain.com # Convert a domain to federated Convert-MsolDomainToFederated -DomainName mydomain.com
    
    This naturally requires that the domain is registered to that Office 365 tenant. Moreover, what the federation does is that it only authenticates the user. To log in and use Office 365 services, there must be a matching user object in the Office 365 tenant.
    
    I suppose by federation you meant something like Azure B2B Collaboration?