May 15 2017 03:04 AM - last edited on Jan 14 2022 04:49 PM by TechCommunityAP
Having SharePoint OnPrem, ADFS, Azure AD Sync etc. in place and wanting to use Azure AD B2B for external user access, the authentication of external users in the SharePoint Web Application is now possible.
Creating an "Azure Security Group" (putting all external users in it) and authorizing this group in our SharePoint OnPrem SiteCollection does not authenticate users (Access denied).
So the resolution of "Azure Security Groups" seems not to work. In the SAML token (which reaches SharePoint) the role claims do not exist, although we configured the Token Issuer with the role claim rule (http://schemas.microsoft.com/ws/2008/06/identity/claims/role).
What are we missing? Is Azure AD B2B with "Azure Groups" possible? I found no article describing this on the web.
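To check whether role claims actually reach SharePoint, a captured token can be inspected offline. The following is an added example, not part of the original thread: it lists the claim types in a SAML 1.1 or SAML 2.0 assertion and reports whether the role claim is present. The sample tokens, the address and the group name are constructed, and the script does not validate the token signature.

```python
import xml.etree.ElementTree as ET

ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a SAML 1.1 assertion carrying only an e-mail claim.
GUEST_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="emailaddress"
     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
   <saml:AttributeValue>guest@partner.example</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
# Constructed sample: the same assertion with a role claim added.
MEMBER_TOKEN = GUEST_TOKEN.replace("</saml:AttributeStatement>", """<saml:Attribute AttributeName="role"
     AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
   <saml:AttributeValue>External-Users</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>""")

def claims(token_xml):
    """Return {claim type URI: [values]} for every attribute in the token."""
    out = {}
    for el in ET.fromstring(token_xml).iter():
        if el.tag == f"{{{SAML11}}}Attribute":
            # SAML 1.1 splits the claim type into a namespace and a name.
            ns = SAML11
            ctype = el.get("AttributeNamespace", "").rstrip("/") + "/" + el.get("AttributeName", "")
        elif el.tag == f"{{{SAML20}}}Attribute":
            # SAML 2.0 carries the full claim type URI in Name.
            ns, ctype = SAML20, el.get("Name", "")
        else:
            continue
        values = [(v.text or "").strip() for v in el.findall(f"{{{ns}}}AttributeValue")]
        out.setdefault(ctype, []).extend(values)
    return out

def role_report(token_xml):
    """Summarize which role values and which other claim types the token holds."""
    found = claims(token_xml)
    return {"roles": found.get(ROLE, []),
            "other_types": sorted(t for t in found if t != ROLE)}

if __name__ == "__main__":
    for name, token in (("guest", GUEST_TOKEN), ("member", MEMBER_TOKEN)):
        print(name, role_report(token))
```

An empty `roles` list means the issuer never put the group into the token, so the cause lies before SharePoint rather than in the site collection permissions.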
May 19 2017 10:27 AM
In order for B2B users to access OnPrem applications, you need to:
1. Set up App proxy for Authentication to work
2. Write back B2B users to OnPremises for Authorization to work
We are working on making this more seamless in the future.
May 19 2017 10:43 AM
So do you mean that the suggested steps are necessary to access the onPrem Farm at all, or do you mean the steps are necessary for being permitted with an Office 365 group?
Because directly authorized users can already access our onPrem SharePoint (via ADFS Proxy). I am just searching for an option to authorize external users by using a security group.
An alternative for me would be to have a group like "Everyone except External users". I just want to have a group (onPrem) to identify all external users.
May 24 2017 01:17 AM
May 29 2017 01:16 AM
Or maybe it's not working with NTLM enabled, instead of Kerberos?
Jun 07 2017 12:55 AM
Solution
Now Azure AD Groups are transmitted as Roles-Claim to SharePoint. The only thing we changed was the AzureCP configuration (Claims Provider) by removing the UPN Claim, so that only EmailAddress and Role are used as Claim types mapped to Azure objects.
Jun 19 2017 11:49 AM
Sep 14 2017 05:55 AM
Sep 15 2017 10:31 AM
My understanding is that user writeback is no longer supported in Azure AD Connect.
Apr 05 2018 01:56 AM
Hi
I don't know how you solved this, but I'm using accounts defined in AzureAD (members and B2B guests), putting them in Azure groups (usage of AzureCP to see them in People Picker). The "Role" claim with the Azure group will appear in the claims associated with the user for Azure AD members and Azure AD Guest, but only when defined as Microsoft Account (= source). When the source is "Azure AD External", it won't appear. Any idea?
Jul 26 2018 03:03 AM