SOLVED

Azure AD B2B SharePoint on Premise using Groups

Occasional Contributor

Having SharePoint OnPrem, ADFS, Azure AD Sync etc in place and wanting to use Azure AD B2B for external user access the authentication of external users in the SharePoint Web Application is now possible. 

Creating an "Azure Security Group" (putting all external users in it) and authorizing this group in our SharePoint OnPrem SiteCollection does not authenticate users (Access denied).

So the resolvement of "Azure Security Groups" seems not to work. In the SAML token (which reaches SharePoint) the role claims are not existent although we configured the Token Issuer with the role claim rule (http://schemas.microsoft.com/ws/2008/06/identity/claims/role).

What are we missing? Is Azure AD B2B with "Azure Groups" possible? I found no article describing this in the web.
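
A way to run the check the post above describes, whether the token reaching SharePoint carries a role claim for each group granted in the site collection (an added example, not part of the original post). The function names, sample tokens and group ID are constructed; the parser accepts both the SAML 1.1 and SAML 2.0 attribute layouts.

```python
import xml.etree.ElementTree as ET

CLAIMS_NS = "http://schemas.microsoft.com/ws/2008/06/identity/claims"
ROLE = CLAIMS_NS + "/role"  # role claim type named in the post
EMAIL_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

def extract_claims(token_xml):
    """Return {claim type URI: [values]} from a SAML 1.1 or 2.0 assertion.
    Diagnostic only: the signature is not validated."""
    root = ET.fromstring(token_xml)
    claims = {}
    for ns in (SAML11, SAML20):
        for attr in root.iter(f"{{{ns}}}Attribute"):
            if ns == SAML11:  # claim type split into namespace + name
                ctype = (attr.get("AttributeNamespace", "").rstrip("/")
                         + "/" + attr.get("AttributeName", ""))
            else:             # SAML 2.0 carries the full URI in Name
                ctype = attr.get("Name", "")
            for val in attr.iter(f"{{{ns}}}AttributeValue"):
                claims.setdefault(ctype, []).append((val.text or "").strip())
    return claims

def groups_missing_from_token(token_xml, granted_groups):
    """Groups granted in the site collection with no matching role claim."""
    roles = set(extract_claims(token_xml).get(ROLE, []))
    return sorted(set(granted_groups) - roles)

def attr11(ns, name, value):
    """Build one SAML 1.1 attribute for the constructed samples below."""
    return (f'<saml:Attribute AttributeName="{name}" AttributeNamespace="{ns}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')

# Constructed sample data, not taken from a real farm or tenant.
GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder group value
HEAD = f'<saml:Assertion xmlns:saml="{SAML11}"><saml:AttributeStatement>'
TAIL = "</saml:AttributeStatement></saml:Assertion>"
EMAIL = attr11(EMAIL_NS, "emailaddress", "guest@example.com")
TOKEN_NO_ROLE = HEAD + EMAIL + TAIL
TOKEN_WITH_ROLE = HEAD + EMAIL + attr11(CLAIMS_NS, "role", GROUP_ID) + TAIL

if __name__ == "__main__":
    for label, tok in (("no role", TOKEN_NO_ROLE), ("with role", TOKEN_WITH_ROLE)):
        print(label, sorted(extract_claims(tok)), groups_missing_from_token(tok, [GROUP_ID]))
```

A token that lists the granted group as missing reproduces the access-denied case: the user authenticates, but SharePoint has no role claim to match against the group permission.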

10 Replies

In order for B2B users to access OnPrem applications, you need to:

1. Set up App proxy for Authentication to work

2. Write back B2B users to OnPremises for Authorization to work

We are working on making this more seamless in the future.

So do you mean that the suggested steps are necessary to access onPrem Farm at all, or do you mean the steps are necessary for being permitted with an Office 365 group?

Because directly authorized users already can access our onPrem SharePoint (via ADFS Proxy). I just search for an option to authorize external users by using a security group.

An alternative for me would be to have a group like "Everyone except External users". I just want to have a group (onPrem) to identify all external users.

Hello Thomas,
No, you don't need to do this to access your SharePoint On-Prem. I have done the same thing to give external users access to a SharePoint 2013 On-Prem, without an App Proxy or write-back stuff.
But I'm facing the same issue you have. I can give individual users from Azure AD access to a SharePoint on-prem but when they are part of a security group in Azure and I give them access through that group, they get an access denied.
Haven't found a solution for this. Would be great to know if this is even possible or not.

Or maybe it's not working with NTLM enabled, instead of Kerberos?

best response confirmed by Thomas Habersatter (Occasional Contributor)
Solution

Now Azure AD Groups are transmitted as Roles-Claim to SharePoint. The only thing we changed was the AzureCP configuration (Claims Provider) by removing the UPN Claim, so that only EmailAddress and Role is used as Claim types mapped to Azure objects.

Thomas,

Sounds interesting.
Could you please provide detailed steps on what you just mentioned or a link to an article that does?

What do you mean by "Write back B2B user"? Are you referring to leveraging AD Connect? We are facing this same challenge. We have an on-prem SharePoint but need to share web access to external users.

My understanding is that the user writeback is no longer supported in Azure AD Connect.

Hi

I don't know how you solved this but I'm using accounts defined in AzureAD (members and B2B guests), putting them in Azure groups (usage of AzureCP to see them in People Picker). The "Role" claim with the Azure group will appear in the claims associated to the user for Azure AD members and Azure AD Guest but only when defined as Microsoft Account (= source). When the source is "Azure AD External", it won't appear. Any idea?

What method do you use to publish the on-prem SharePoint to Azure AD for the purposes of Azure B2B Collaboration?

I made a post here about it. If you want to take a minute and chime in.

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B/Azure-B2B-Collaboration-and-ShareP...