Forum Discussion
JakobRohde
Nov 17, 2016, Iron Contributor
Using Azure AD B2B Collaboration for extranet with multiple partners
Hi. If we use AAD B2B Collaboration with many partners for an extranet solution in SharePoint Online, and if we don't want users from one partner to be able to access another partner's site, we wou...
Adrian Hyde
Jan 21, 2017, Iron Contributor
Azure B2B is a good solution if you don't want to get into the business of managing those external user accounts - i.e. the external company is responsible for forgotten passwords and keeping track of who they fired etc.
But if it is a user from a small company or standalone guy, then yes, it is probably easier to use the built-in Guest sharing features.
Monterey Harris
Jan 21, 2017, Copper Contributor
Yeah, I know with Azure AD B2B you can create a ubiquitous ID in Azure AD. I think that's great in 2 scenarios: if the external users need access to apps other than SharePoint as well, or if you have Azure App Proxy and some on-premise apps that could add the complexities of that auth. But in a straight SharePoint Online scenario, wouldn't it be wiser just to use external sharing? Less admin effort: simply allow sharing and only allow external access to the site or site collection they need to see. Make sure you require login for access and the auth is the same with less work. If they get fired and the account is revoked, the same thing happens. Also, does SPO see the B2B user as external? If not, I feel like you are adding overhead for making sure the partner can't see anything not meant for them.
- Adrian Hyde, Jan 21, 2017, Iron Contributor
  I agree with everything you say - except unless you double as super-HR guy, there is no way for you to know when the person you shared content to was fired from the other company, and they'll continue to have access to your SPO site(s) until someone figures out that person shouldn't be there anymore.
  (Because the user is accessing your SPO site via their Microsoft account, not their work account.)
  Whether or not this is important to you may depend on the sensitivity of the data - if the guy you originally shared to quit your partner to work for a competitor, then you may have some concerns.
- Monterey Harris, Jan 21, 2017, Copper Contributor
  Completely forgot that they allowed sharing to Microsoft accounts. You can limit to the domain so they can't log in with random accounts, but that is a huge hole. Thanks for pointing that out. Really wish Microsoft would allow you to limit that without killing sharing totally.
- Sarat Subramaniam, Feb 09, 2017, Microsoft
  Yes, we are working on the Allowlist functionality that will let you control the orgs/domains you want your org to collaborate with.