Jul 15 2017 07:00 AM - last edited on Jul 24 2020
I found understanding the licensing a bit complicated but here goes. So you are talking about Azure AD B2B collaboration, right? The way it works is:
"Azure AD allows for B2B collaboration by enabling the use of a select set of Azure AD features to guest users who are invited into the Azure AD tenant. While some features are free, for any paid Azure AD features, guest users must be licensed as follows: with each Azure AD paid edition license that you own for an employee or a non-guest user in your tenant, you will also be able to invite up to 5 guest users to the tenant. The features you can extend to these guest users will depend on the type of Azure AD edition you purchase. There is no charge for inviting a guest user and assigning him/her to an application in Azure AD, for up to 10 apps per guest user. For paid Azure AD features that are extended to guest users, the inviting tenant will need the appropriate number of Basic or Premium P1 or Premium P2 licenses to cover guest users, in the 1 license: 5 users ratio as described above."
Simple, yeh? So you want to invite 200 collaboration users to the Azure AD tenant? You can do that for free as long as you don't need to use any paid Azure AD features. That's probably quite limiting if you want to use Group-based access management/provisioning or the Azure AD Application Proxy, for example, with these users. Then you'd need to purchase 40 Azure AD Basic Licences, in this case. Say you need Dynamic Groups or conditional access for some of the users, say half: you'd buy 20 Basic Licences and 20 Azure AD P1 licences.
Anyway, that was my long way of saying yes, you can mix and match licences; work out what features you need and apply the 5:1 licensing rule. More explanation and scenarios are listed here - Azure Active Directory B2B collaboration licensing guidance.
I hope I understood the question anyway and that this helps a bit!
Jul 16 2017 02:00 AM
Jul 16 2017 05:23 AM
I am not totally sure about this. You have the on-prem web app, which I would have thought meant using the Application Proxy, which I linked to previously. Then publish the app into the Azure portal and you could assign the guest users to the app accordingly and provide B2B access in principle.
There could be a lot more to it than that. For example, you mention SSO but I am not sure how that works in this case. Personally, I'd test this with a Proof of Concept or ask Microsoft this question directly, if you have the means, via Azure support etc. Also, by the way, there is a dedicated space for Azure AD B2B Collaboration that's worth checking out. Good luck.