Forum Discussion
Atul Moghe
Mar 23, 2017, Brass Contributor
Azure AD Connect and On-Prem ADFS federated with multiple partner organization
Scenario: We have an on-prem ADFS which is configured to federate with a couple of partner organizations. The federated authentication with both our partners works well on-prem. Now we want to use ...
Nov 20, 2017
Hi,
I would sync your users to Azure AD and simply invite your partners' users to SharePoint sites. If done so, the answers are as follows:
- No, you do not need to sync them to Azure AD.
- No need for any license, just invite them as external users. To log in, your partners' invited users do require either a Microsoft Account (outlook.com, hotmail.com, etc.) or an Azure AD account (Office 365 etc.).
- There is no need for any AD FS scenario here. When partners are external users, Office 365 will handle all the authentication.
For security reasons, I suggest that you run the following PowerShell command in your tenant. It forces the external users to login with the same email address the invitation was sent to.
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
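Added example, not code from the thread: a short SharePoint Online Management Shell audit that enforces the setting suggested above and then lists external users who already accepted an invitation with a different account than the one invited (the setting only applies to acceptances made after it is enabled). It assumes the module is installed, the account used is a SharePoint administrator, and `<tenant>` is a placeholder for your tenant name.

```powershell
# Added example (not from the thread). Assumes the SharePoint Online Management Shell
# module is installed and you are a SharePoint administrator. <tenant> is a placeholder.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 1. Weak state: invitations may be accepted by any account, not just the invited address.
#    Corrected state: the accepting account must match the invited address.
$tenant = Get-SPOTenant
if (-not $tenant.RequireAcceptingAccountMatchInvitedAccount) {
    Write-Warning "Accepting account is not required to match the invited address; enforcing it."
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
} else {
    Write-Output "RequireAcceptingAccountMatchInvitedAccount is already enabled."
}

# 2. Existing external users are not changed retroactively, so list the ones whose
#    accepting account differs from the address that was invited and review them.
$mismatched = Get-SPOExternalUser -PageSize 50 |
    Where-Object { $_.InvitedAs -and ($_.InvitedAs -ne $_.AcceptedAs) }

if ($mismatched) {
    Write-Warning "External users whose accepting account differs from the invited address:"
    $mismatched |
        Select-Object DisplayName, InvitedAs, AcceptedAs, InvitedBy, WhenCreated |
        Format-Table -AutoSize
    # After review, an entry can be removed with: Remove-SPOExternalUser -UniqueIDs <UniqueId>
} else {
    Write-Output "No external users accepted with an account different from the invited one."
}
```

Get-SPOExternalUser returns at most 50 entries per call; use the -Position parameter to page through larger tenants.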
WH-808
Nov 24, 2017, Copper Contributor
I'd assume they wouldn't want them using a Microsoft account for account management purposes. You can sign up for a Microsoft account with any email address. If they do it with their work email address, two things would happen that would be issues with a lot of organizations. 1. It would be a separate account with a separate password. 2. If they left the partner company, they would still be able to log in with the Microsoft account after the company partner account is deactivated or its password changed.
The partner would need their own Azure AD with on-prem accounts synced or their own ADFS and you would federate your Azure AD with that.