Playing with the new Azure B2B Collaboration Service Preview

Tags: azure, b2b, aad, identity

Well, I have the luck of dedicating some time to help in a little spike process here in Microsoft P&P that involves using the new Azure B2B Collaboration service.

While it's a brand new service and still in preview, there is some informaiton and documentation available about how it works and how to use it.

For example, you can start giving these links a look:

Well, as part of the spike we followed the steps described above and found a couple issues, so I'm documenting them now with the hope it helps somebody else.

So, I'll summarize our finding below:

  1. The steps involve creating a new Azure Directory Domain that will host the shared application with some partners.
    1. Tip: this new domain HAS to be linked with an Azure Subscription, because you need an admin user from THAT new domain to login in the Azure management portal in order to create the invitations for partner users.
  2. You need to create a CSV file as described above to invite parter users to use your shared application. You have two options here: the invited person already has an Azure identity or hasn't and he will create a new one when accepting the invitation.
    1. Tip: if partner user accounts already exists, then the CSV "Email" column has to match the "User Name" account attribute of the existing user, not Email.
    2. Tip: if the invited partner user account is not email enabled, then you need to include an undocumented "CCEmail" column in the CSV with a working email address. This is specially useful for demo and testing scenarios (like our own spike here).
    3. Tip: in the CSV you need to include a value for the column "InviteAppId" but that column refers to the "Application Principal ID", not "AppID".
  3. The Azure B2B Collaboraiton service is focused on sharing internal corporate resources with external partners without federating or duplicating user accounts.
    1. Tip: The service in its current state doesn't support well the multi-tenant application scenario where you are sharing an applicaiton to multiple external partners (tenants) and want their users to be properly identified as coming from an external tenant so the applicaiton can use that information to control data access and apply different restrictions. Currently all users appear to come from the same Azure tenant and that's why we could't reliabiy detect from where the user is coming from.

That's all I have for now, will keep an eye on this as this new B2B service does have a very valid scenario and does simplify the process of integrating identity management with an external partner.


PS: Thanks Rohit for your time!


  • John Luangco said

    Hi there,

    Thanks for this post. It is useful to know some of the lessons learnt. With regards to your comment on adding the CCEmail column in the CSV.

    I tried to add the CCEmail column into the CSV, and provided a gmail account into the CCEmail column for one of the users. Unfortunately I didn't seem to get any email from Azure.

    Is there a particular position that the CCEmail column needs to be in? i.e. last column or 4th column?

    Thanks again


Comments have been disabled for this content.