
Azure AD B2B SPO and OD integration + Whitelisting in AAD


Hi!

I got some scenarios I'd love your input on:

Configuration 1:

- Whitelisting/allow list used in Azure AD

- SPO and OD Azure AD B2B integration activated (and OTP)

- SharePoint/OneDrive external sharing settings set to New and Existing guests

Question:

- Will this setup block sharing from SPO and OD with any external not included in the whitelist, since the integration will try to add the recipient to AAD as a guest?

Configuration 2:

- Whitelisting/allow list used in Azure AD

- SPO and OD Azure AD B2B integration and OTP disabled

- SharePoint/OneDrive external sharing settings set to New and Existing guests

Questions:

- The whitelist will not prevent sharing with any externals, as SPO and OD will still be using the old ad-hoc external sharing solution?

- Is this the only possible setup if you want whitelisting on guest access but don't want to limit external sharing from OD and SPO using the "Specific people" option?

7 Replies

@Ellefs1 Hello, I hate and love these questions :)

Not doing any testing so just replying how I think it will work.

Config 1: I believe you're right. When opting in for AAD B2B SPO/OD integration you'll leave ad-hoc external SharePoint sharing so all external users will be added as guest users during the sharing process. So for ex. when I start to enter the verification code with a new user, in the next prompt I have to agree to join the resource org. and have my guest account created. That should be a no-go if not being allowed.

Config 2: You can control the "sharing prompt" as I understand you already do for the Anyone-links. The "specific people" will create a secure direct sharing link that will bypass the whitelist in AAD and the SharePoint external sharing settings will apply. Ad-hoc external sharing doesn't get verified by AAD CA access policies.

I must recommend using sensitivity labels instead of trying to adjust permissions by using legacy sharing permissions or AAD B2B integration. So opt-in to the latter as that's the way going forward and then set up guest access to 'containers' (groups, sites, teams) using sensitivity labels.

Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites - Microsoft ...

To the left you have more info about them as well.

Btw, if using MCAS you can be very granular combining filters etc.

Hi @ChristianJBergstrom. Haha, I can understand the love/hate feelings towards these types of questions. Appreciate you taking the time to provide your thoughts.

I'm aware of how we can use sensitivity labels on containers to control guest access (among other things). But one thing is controlling which teams/sites will allow guests; another thing is controlling who can be invited in the first place. If an organization can control which domains they allow their employees to invite external users from by using whitelisting, along with the rest of "Configuration 2", would you say that is a troublesome setup? I understand the limitations of the SP ad-hoc external recipient solution (no CA etc.) and of course the possibility of end users being blocked from adding certain users. What would be the other downsides, if any?

Hello again, I thought you'd settle for the previous one! Just kidding. I kind of understood you are aware of the options from how the initial question was asked, but had to put it out there.

@Ellefs1 Doing an edit here because when opting in using AADB2B integration it doesn't take precedence (as previously said) but rather invitations in SharePoint are also subject to any domain restrictions configured in Azure AD. In other words, when not using AADB2B, the AAD list works independently from the OneDrive for Business and SharePoint Online allow/block list.

So, now it feels better :)

Right, I believe we got that covered. As you can understand we're still at the drawing board here.

The following is written on the "Allow list" documentation: "If you want to use an allow list, make sure that you spend time to fully evaluate what your business needs are."

So here I am, spending time evaluating this! :)

Thanks for the help! :)
Haha :) No problem!

@ChristianJBergstrom

"Doing an edit here because when opting in using AADB2B integration it doesn't take precedence (as previously said) but rather invitations in SharePoint are also subject to any domain restrictions configured in Azure AD. In other words, when not using AADB2B the AAD list works independently from OneDrive for Business and SharePoint Online allow/block list."

Yes, this is aligned with my tests as well (I think). To be sure, this is how I experienced it without AADB2B integration:

- Guest Access to Teams and SharePoint will be controlled by the whitelist in AAD

- External Sharing will not be. So with SharePoint/OneDrive External sharing set to "New and existing guests" you can share any file/folder with any external using the "Specific people" option

This is at least what I experienced within my sandbox.
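The two configurations compared in this thread can be checked against a tenant's own SharePoint Online settings. The following PowerShell is an added example, not code from this thread or from Microsoft. It assumes the SharePoint Online Management Shell is installed and (for live use) that `Connect-SPOService` has already been run; `Get-SPOTenant` and its properties `EnableAzureADB2BIntegration`, `SharingCapability`, `SharingDomainRestrictionMode`, `SharingAllowedDomainList` and `SharingBlockedDomainList` are real, while the function names, the sample tenant object and the allow-list contents are constructed. The Azure AD B2B allow list itself is not read from the directory; its domains are passed in by hand, and the decision logic models exactly the behaviour the replies above describe (integration on: recipients must become guests, so the AAD allow list governs sharing; integration off: ad-hoc "Specific people" links consult only SharePoint's own domain lists).

```powershell
# Added example; not code from this thread. Assumes the SharePoint Online
# Management Shell and, for live use, a prior
# Connect-SPOService -Url https://<tenant>-admin.sharepoint.com   (placeholder URL)
# The Azure AD B2B allow list is passed in via -AadAllowedDomains;
# an empty array is taken to mean "no allow list configured" (assumption).

function Get-ExternalSharingRegime {
    param(
        # Output of Get-SPOTenant, or a constructed object with the same properties
        [Parameter(Mandatory)] $Tenant,
        [string[]] $AadAllowedDomains = @()
    )

    $integrated = [bool]$Tenant.EnableAzureADB2BIntegration
    $regime     = if ($integrated) { 'AzureADB2B' } else { 'AdHoc' }

    # Configuration 1 (integration on): every external recipient is created as
    # an Azure AD guest, so the AAD allow list also governs SPO/OD sharing.
    # Configuration 2 (integration off): "Specific people" links use ad-hoc
    # sharing and only SharePoint's own domain restriction applies.
    $governedBy = if ($integrated) {
        'Azure AD B2B allow list'
    } elseif ($Tenant.SharingDomainRestrictionMode -eq 'AllowList') {
        'SharePoint SharingAllowedDomainList only'
    } elseif ($Tenant.SharingDomainRestrictionMode -eq 'BlockList') {
        'SharePoint SharingBlockedDomainList only'
    } else {
        'No domain restriction on sharing'
    }

    [pscustomobject]@{
        SharingCapability   = $Tenant.SharingCapability
        B2BIntegration      = $integrated
        Regime              = $regime
        SharingGovernedBy   = $governedBy
        AadAllowListDomains = ($AadAllowedDomains -join ' ')
    }
}

function Test-RecipientDomainAllowed {
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] [string] $RecipientDomain,
        [string[]] $AadAllowedDomains = @()
    )
    $domain = $RecipientDomain.ToLowerInvariant()

    if ($Tenant.EnableAzureADB2BIntegration) {
        # Guest creation is required, so the AAD allow list decides (if one exists).
        if ($AadAllowedDomains.Count -eq 0) { return $true }
        $allowed = $AadAllowedDomains | ForEach-Object { $_.ToLowerInvariant() }
        return ($allowed -contains $domain)
    }

    # Ad-hoc sharing: only SharePoint's own space-separated domain lists matter.
    switch ($Tenant.SharingDomainRestrictionMode) {
        'AllowList' { return (($Tenant.SharingAllowedDomainList -split '\s+') -contains $domain) }
        'BlockList' { return -not (($Tenant.SharingBlockedDomainList -split '\s+') -contains $domain) }
        default     { return $true }
    }
}

# Constructed sample standing in for Get-SPOTenant output: Configuration 2
# (integration off, "New and existing guests", no SharePoint domain restriction).
$sample = [pscustomobject]@{
    EnableAzureADB2BIntegration  = $false
    SharingCapability            = 'ExternalUserSharingOnly'
    SharingDomainRestrictionMode = 'None'
    SharingAllowedDomainList     = ''
    SharingBlockedDomainList     = ''
}
$aadAllowList = @('fabrikam.com')   # constructed Azure AD B2B allow list

Get-ExternalSharingRegime -Tenant $sample -AadAllowedDomains $aadAllowList

# Configuration 2: the AAD allow list is not consulted for a "Specific people" link,
# so a recipient domain outside it is evaluated only against SharePoint's lists.
Test-RecipientDomainAllowed -Tenant $sample -RecipientDomain 'contoso.com' -AadAllowedDomains $aadAllowList

# Same tenant with the integration switched on (Configuration 1): the recipient
# now needs a guest account, so the AAD allow list is what decides.
$sample.EnableAzureADB2BIntegration = $true
Test-RecipientDomainAllowed -Tenant $sample -RecipientDomain 'contoso.com' -AadAllowedDomains $aadAllowList

# Live use: $t = Get-SPOTenant; Get-ExternalSharingRegime -Tenant $t -AadAllowedDomains $aadAllowList
```

Running the two `Test-RecipientDomainAllowed` calls against the same recipient domain with the integration toggled is the quickest way to see the point made in the thread: flipping `EnableAzureADB2BIntegration` changes which allow list is in force, not just whether a guest object is created. When reviewing a tenant, compare the `SharingGovernedBy` value with what the organisation believes is enforcing its domain restrictions.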

Hi,
Good blog post, thanks for sharing.

I agree with you that the integration certainly comes with a lot of benefits. But I do see some challenges, if the org/tenant has an allowlist for B2B invitations:
- With the integration active, sharing externally will be limited to domains on this list as sharing requires the recipient to be added as a guest. All domains that users share files with probably won't be on this list, and adding domains to the whitelist just to be able to share files with them isn't feasible as I see it.

I do favor this integration in general, but I believe there's a difference between sharing files and folders with external users (as users have done by sending them by email for ages) vs. inviting externals as guests and giving them direct access to a resource. Ideally I'd like the B2B allow list to not control external sharing (as is the case without the integration). I do understand that this isn't doable due to the fact that the integration relies on the external user being added as a guest. But this is how I see it.

Thoughts on this?