Microsoft Tech Community

Using Azure AD B2B Collaboration for extranet with multiple partners


Hi

If we use AAD B2B Collaboration with many partners for an extranet solution in SharePoint Online, and if we don't want users from one partner to be able to access another partner's site, we would have to create separate groups for each partner - or in some cases even for each site collection, right?

Thanks

Jakob


I typically recommend creating separate site collections for collaboration with each partner. This provides a very clear and easy to understand boundary for the business users and site admins.

It's not any different than if you have internal users in your company that you want to make sure don't have access to each others sites.

The other thing you may want to look for is whether Partner A shares a site or content with Partner B.

Hopefully unlikely, but possible to do.

Why do you need to use Azure B2B? You could just share the content with them with the proper permissions, and then an account gets created in your directory for the extranet users.
Azure B2B is a good solution if you don't want to get into the business of managing those external user accounts - i.e. the external company is responsible for forgotten passwords and keeping track of who they fired etc.

But if it is a user from a small company or standalone guy, then yes, it is probably easier to use the built-in Guest sharing features.
Yeah, I know with Azure AD B2B you can create a ubiquitous ID in Azure AD. I think that's great in two scenarios: if the external users need access to apps other than SharePoint as well, or if you have Azure App Proxy and some on-premises apps that could add the complexities of that auth. But in a straight SharePoint Online scenario, wouldn't it be wiser just to use external sharing? Less admin effort: simply allow sharing and only allow external access to the site or site collection they need to see. Make sure you require login for access, and the auth is the same with less work. If they get fired and the account is revoked, the same thing happens. Also, does SPO see the B2B user as external? If not, I feel like you are adding overhead for making sure the partner can't see anything not meant for them.
I agree with everything you say - except, unless you double as a super-HR guy, there is no way for you to know when the person you shared content with was fired from the other company, and they'll continue to have access to your SPO site(s) until someone figures out that person shouldn't be there anymore.
(Because the user is accessing your SPO site via their Microsoft account, not their work account).
Whether or not this is important to you may depend on the sensitivity of the data - if the guy you originally shared to quit your partner to work for a competitor then you may have some concerns.
Completely forgot that they allowed sharing to Microsoft accounts. You can limit it to the domain so they can't log in with random accounts, but that is a huge hole. Thanks for pointing that out. Really wish Microsoft would allow you to limit that without killing sharing totally.

Yes, we are working on the Allowlist functionality that will let you control the orgs/domains you want your org to collaborate with.
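As an added example (not part of this thread or of any Microsoft documentation), the following SharePoint Online Management Shell script puts together the controls the replies above touch on: one site collection per partner, sign-in required for all external access, a tenant-level domain allowlist, each partner site narrowed to that partner's own domain so a Partner A user cannot re-share it to Partner B, a requirement that the accepting account match the invited address (the Microsoft-account concern raised above), and an audit that flags external users who do not belong to the site's partner domain. The tenant name `contoso`, the owner address, the site URLs and the partner domains are assumed placeholders.

```powershell
# Added example, not from the thread: per-partner extranet site collections in
# SharePoint Online with external sharing restricted to each partner's own domain.
# Requires the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell).
# Tenant name, owner, site URLs and partner domains below are assumed placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # assumed tenant

# Partner short name -> partner e-mail domain (assumed values)
$partners = @{
    'partnera' = 'partnera.com'
    'partnerb' = 'partnerb.com'
}

# Tenant-wide baseline:
#  - ExternalUserSharingOnly: external users must sign in, no anonymous links
#  - AllowList: only the listed domains can be invited anywhere in the tenant
#  - RequireAcceptingAccountMatchInvitedAccount: the invitation cannot be
#    redeemed by a different (e.g. personal Microsoft) account than the one invited
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList ($partners.Values -join ' ') `
              -RequireAcceptingAccountMatchInvitedAccount $true

# One site collection per partner. Each site's own allowlist is narrowed to that
# single domain, so a user from Partner A cannot share the site to Partner B.
foreach ($name in $partners.Keys) {
    $url = "https://contoso.sharepoint.com/sites/extranet-$name"   # assumed URL scheme
    if (-not (Get-SPOSite -Identity $url -ErrorAction SilentlyContinue)) {
        New-SPOSite -Url $url -Owner 'extranet-admin@contoso.com' `
                    -StorageQuota 1024 -Template 'STS#3' -Title "Extranet: $name"
    }
    Set-SPOSite -Identity $url `
                -SharingCapability ExternalUserSharingOnly `
                -SharingDomainRestrictionMode AllowList `
                -SharingAllowedDomainList $partners[$name]
}

# Audit: for every partner site, warn about any external user whose accepting
# account is not in that partner's domain (pre-existing guests are not removed
# by the allowlist, so this is how you find them).
foreach ($name in $partners.Keys) {
    $url    = "https://contoso.sharepoint.com/sites/extranet-$name"
    $domain = $partners[$name]
    Get-SPOExternalUser -SiteUrl $url -PageSize 50 |
        Where-Object { $_.AcceptedAs -notlike "*@$domain" } |
        ForEach-Object {
            Write-Warning "$($_.AcceptedAs) (invited as $($_.Email)) has access to $url but is not at $domain"
        }
}
```

Two caveats worth keeping in mind: the domain restrictions only govern new invitations, so guests who were admitted before the allowlist was set stay until you remove them (hence the audit loop), and a site-level allowlist can only narrow the tenant-level list, not widen it.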