Cross tenant SQL Server Authentication using B2B Collaboration

MVP

Introduction

The purpose of this article is to detail the proof of concept developed to showcase that existing SQL resources hosted in various Azure service models and leveraging Azure AD authentication methods (users, service principals, certificates, etc…) at Company A can have authentication succeed if such authentication methods are initiated by identities (Users) in the new company B tenant.

Architecture Overview

Company B has Azure SQL instances and SQL Server VMs hosted on tenant A

Company B needs to carve out, for business reasons, and move into their own Azure Tenant.

Company B cannot move those servers immediately because of on-premises dependencies that will cause unacceptable downtime during a move.

Company B needs to validate that if they migrate their users to their own Azure tenant and, as such, identities reside in the new Tenant B Azure tenant, those users will be able to authenticate to the Azure SQL instances and Azure SQL servers located in the Tenant A

eliekarkafy_0-1676976695963.jpeg

 

B2B Collaboration

Configuring cross-tenant access settings for B2B collaboration will allow the Company B identities to be invited as guest users to the Company A tenant.

Using the external identities cross-tenant access settings to manage the collaboration between the two tenants.

These settings determine both the level of inbound access and the level of outbound access for invited users. 

Default Settings

Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings. 

Default settings for Company A

eliekarkafy_1-1676976695972.png

 

Default Settings for Company B

eliekarkafy_2-1676976695977.png

 

Organization Settings

Adding the organization will configure a specific Azure AD organization. Any Azure AD organizations not listed here will use the default settings.

Adding Company B as an organization to Company A will override the default settings and the defined settings for inbound and outbound settings will take precedence.

Adding Company A as an organization to Company B will override the default settings and the defined settings for inbound and outbound settings will take precedence. 

Organization settings for Company A

eliekarkafy_3-1676976695982.png

 

Organization settings for Company B

eliekarkafy_4-1676976695986.png

 

Inbound Access Settings

With inbound access settings, you select which external users and groups will be able to access the internal applications you choose.

Specify the users that will be allowed to be invited from the Company B tenant to be added as guests in the Company A tenant.

Define the users by adding the Object ID of each user.

Define a group by adding the Object ID of the group.

Any user not added in the inbound access settings cannot accept the invitation and will be blocked.

B2B Collaboration inbound settings for Company B organization on Company A tenant 

eliekarkafy_5-1676976695990.png

 

As it’s a one-way trust from Company B to Company A. We will be blocking any inbound access coming from the Company A users.

Users from the Company A cannot be invited and added as guests in the Company B tenant. 

B2B Collaboration inbound settings for Company A organization on Company B tenant 

eliekarkafy_6-1676976695994.png

 

Outbound Access Settings

With outbound settings select which of your users and groups will be able to access the external applications you choose.

As it’s a one-way trust from Company B to Company A, outbound access will be blocked coming from the Company A users.

B2B Collaboration outbound settings for Company B organization on Company A tenant 

eliekarkafy_7-1676976695996.png

 

Specify the users that will be allowed to be invited from the Company B tenant to be added as guests in Company A tenant.

Any user not added in the inbound access settings cannot accept the invitation and will be blocked. 

B2B Collaboration outbound settings for Company A organization on Company B tenant 

eliekarkafy_8-1676976696007.png

 

Guest Users

You can invite guest users (Company B Users) to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources using the invitation email they received. 

eliekarkafy_9-1676976696031.png

 

The guest user will appear on Azure AD with a UPN and an Identity as external Azure AD user. 

eliekarkafy_10-1676976696034.png

 

SQL Cross-Tenant Permissions

To grant your invited users’ permissions to access SQL databases, you can add them to a security group with access to the database(s). 

Granting an individual invited user access to SQL databases can be done by connecting to the SQL database instance using SQL admin rights, selecting the database, and run the following query:

*Make sure to use the UPN of the invited user as it appears in Company A tenant. 

The user is added to Company A directory with a user principal name (UPN) in the format emailaddress#EXT#@domain, for example,

user_CompanyB.onmicrosoft.com#EXT#@companyA.onmicrosoft.com, where:

  1. user_CompanyB.onmicrosoft.com is the email address invited from user_CompanyB directory
  2. #EXT# is the external identifier
  3. companyA.onmicrosoft.com is the organization from which you sent the invitations.

CREATE USER [user_CompanyB.onmicrosoft.com#EXT#@companyA.onmicrosoft.com] FROM EXTERNAL PROVIDER

eliekarkafy_11-1676976696036.png

 

And you user will appear in the Users security section of the database 

eliekarkafy_12-1676976696039.png

 

Try to access the database using the invited user’s credentials, to verify a successful sign in

eliekarkafy_13-1676976696041.png

 

Summary

In summary, B2B collaboration access settings secured a trust relationship between the two tenants for successful cross-tenant SQL authentication. 

 

0 Replies