Coming up we take a look at Azure Active Directory B2B collaboration, now generally available, a new service that helps simplify the secure sharing of your apps and services with your business partners. We will show you how it enables your partners to bring their own identity to securely access your corporate resources without you having to manage their identity, whether or not they have Azure Active Directory in place. We'll also show you how it allows you to build custom collaboration experiences with our Microsoft Graph API while allowing you to focus on protecting company data through conditional access policies, including multi-factor authentication enabled by Azure Active Directory.

Microsoft Mechanics

I'm joined today by Sarat from the Azure AD team. Welcome to the show.

Great to be on the show, Simon.

Congratulations, we've hit a major milestone: Azure AD B2B has gone general availability. You actually recently transitioned from the SharePoint team. How has that helped you with building Azure AD B2B?

It's been immensely helpful. SharePoint Online was about easy and secure external collaboration on files and sites. We learned a lot there. But most modern businesses need external partners to work on more than files and sites. With Azure Active Directory B2B, we are bringing collaboration into the identity fabric. And that enables it for thousands of applications integrated with Azure Active Directory. Let me show you what that means. So here I am signed in as John. And I work with the Woodgrove corporation. We are a large consumer goods company with a worldwide distribution network. And we use Azure Active Directory for the tens of thousands of people inside and outside the company with valid needs to access our systems. But we work with external partners who help with supply chain management and logistics. Some of these are small companies that don't even have an IT department. Using Azure Active Directory B2B, we can easily give these users access to key applications and keep all our plans and intellectual property safe in the Azure AD protected environment. So here I am signed in as Audrey, one of our supply chain experts from a company that does not have an IT department. As you can see, Audrey signed in with her Gmail address and yet she has access to all the applications that she needs for her work with the Woodgrove corporation. And all of this is because of Azure Active Directory B2B collaboration.

That's interesting, I have not seen that before with a consumer email address like Gmail.

We have separated the account from the identity, so that the user can continue to use any identity, the personal identity in this case. But my organization can still keep Azure Active Directory authorization policies in place so that my content is safe.

So this is a new requirement or a new concept. How have people done this in the past?

Businesses have always needed to work with other businesses to be successful. But the old way was to create accounts and manage passwords for these external users. Let me show you an example of this happening. So we have signed in to the F128 photography company. And they work with a number of different users from different companies like Contoso Pictures, Litware Corp, Wingtip Toys, etc. Here you can see Abby Spencer from Contoso Pictures actually has a user account in the F128 organization with a display name that says she's from Contoso Pictures, and a user name that matches. This is so that users in the F128 organization know that Abby is from a different company, and so they can maintain policies. But see, this is a problem for the administrator who has to keep up with the changing roles and even Abby leaving the company.

And still, don't some solutions actually try to synchronize those accounts from the on-premises directory into Azure Active Directory, and it all gets a bit complicated to make single sign-on work?

That's exactly right. Single sign-on is very important to get right. Organizations go to a number of extremes to get this done. But if I am running a large business, it would be very invasive for my org and my partner org. It's an unreasonably high bar for me to ask an independent, unaffiliated organization to sync their users into our directory. But the good news is that's the old way of doing things.

OK great, let's get into how you've actually made this better with Azure Active Directory B2B.

Let me show you. I'm signed in as John Doe in the Woodgrove organization that I just told you about. Now I am not an IT administrator. I'm a floor manager, and I'm responsible for our retail stores' supply chain. So I can go to the Salesforce ERP application where we do supply management. Hit the manage app option. So I'm going to go and hit the plus button. And I'm going to add you, Simon. But your organization does not have an IT department. So I'm going to type in Simonumay@gmail.com because that's how we work together. And I'm going to include a personalized message so you know it's from me.

Great. That's from John.

And I hit Add. What that does is send you an invitation and add you to the Salesforce application.

So should we switch over to my email and take a look at what it looks like?

Let's do that.

So if I go in here and take a look in the email, I can see that it's come from Woodgrove. Your photo is there so I know that it's come from the right place. The message is in there as well. So let me hit "Get started", and that's going to take me across to Azure AD. That's a welcome message from Woodgrove. I'll hit Next.

At this point, we just ask you to create a password for that social account that you're using, and hit Next. This will send a code to your email just so we can verify that it is you.

I'll go grab that code and copy and paste it into the right place inside of the Azure AD sign-in screen. And when done I hit Next.

That's really it. So at this point of time we are just preparing your account, and we will take you to the access panel page.

So what just happened there? How did that work?

Well, you used a consumer domain. And so for that we just created a consumer account for you in the Microsoft account system. In the future, we will be federating directly with providers like Google so that users like you can get seamless single sign-on into my organization.

So that works if I'm a freelancer and I'm using consumer email. What about if I've got a business email address but I don't have Azure Active Directory?

So let's imagine that you had a business account with Contoso Logistics, who do our warehousing and distribution. Your company does not have Azure Active Directory, but it has an IT department. So you have a managed email address. So now I'm going to just add you to the Salesforce application with your IT-managed email account, which is Simon@contosologistics.com. And I'm going to click Add. So that should send you an email.

I've got it and I'm going to click on the Get Started link.

So now you see that landing page again. You hit Next and you're prompted to create a password. And because you're using a business identity, we create a business account for you in Azure Active Directory. And you land on the App Access panel and you can click on Salesforce.

That's cool, I'm getting single sign-on directly into Salesforce.

That's exactly right. So this allows you to work on any application that I collaborate with you on, no matter what identity you are using. Now you notice that we created a password for you. That was because your account did not exist in Azure Active Directory yet. So we just created a quick one there, and created a password that you can manage. But in the future we will federate with other standards-based, SAML-based identity providers, so that you'd get single sign-on from your own on-premises identity provider.

So in both cases, sign-on was actually pretty painless. So I guess the point you're making is the organizations can set authorization policies regardless of how the user is signed in?

Exactly. We are shifting the focus of the organizations from worrying about how their partners sign in to protecting their data through the powerful authorization policies that are powered by Azure Active Directory. This means controlling what the users are permitted to access, what they can do with that access, and the additional criteria they need to gain access. So really we offer complete peace of mind for IT.

What would a worker in IT need to do to set this up?

Let's take a look. Here I'm signed in as Alison, the IT administrator of Woodgrove. First, to enable the scenario where I added you and your organizational identity to Salesforce. As an IT administrator, I've already created a group for Salesforce access. I'm calling it External Partner Salesforce Group. I'll make my persona, John Doe, the owner of this group. There it is, I've assigned the owner. Now, let me switch over to Salesforce. I'm going to add this group into Salesforce, which will enable the Salesforce application for collaboration. Again I go to the Users and Groups option. I'll click on Add. Select the Users and Groups option here. Search for that External Partner Salesforce Group. I'm going to assign it to the Salesforce application. And then I'm going to select a role that users who are added to that group can be assigned. I'm just going to pick Chatter Free User. But I could pick any of these other roles that are here for support. I'm going to hit Assign Now. So that's it, and what I've done is added John Doe as the owner of a group that I've now assigned to the Salesforce application.

So this covers how users can safely get through the front door and access the resources you defined? What if I want to take a more sophisticated check on who's actually coming into the network, what network location they're coming from, and maybe even enforce multi-factor authentication?

With Azure Active Directory B2B, you have the unique capability of applying conditional access policies for external users as well. We are extending the Azure Active Directory protection umbrella to partner relationships too. Let's take a look. I'm signed in as Alison, the IT administrator of Woodgrove, again. And I'm going to go to Conditional Access Policies for Salesforce. I add a new policy. I call it the Salesforce MFA policy. I go down to target Users and Groups that should respect this policy. Let's go down to look at the conditions as well. I'm going to leave all of this blank for now. But I could have configured the appropriate locations, or the devices. It's a trial that users are coming in and targeting those specific cases. But let's just go down and grant access. I'm going to require multi-factor authentication. This converts this policy into an MFA policy. I hit Enable the policy. And that's it. Now all the business-to-business collaboration users that are coming in are going to have to do MFA as they access Salesforce.

I've actually got one of those users set up right here. Let me just go into the portal here and I'm going to go into my Salesforce app that you provided earlier. I get to the Azure AD page and it's asking me to set up multi-factor authentication.

Absolutely.

That's pretty slick. In these examples you're actually adding one user at a time, though. What if Woodgrove doesn't know ahead of time who needs to access their system? Do we support that kind of scenario?

Yes, indeed that's a very common scenario. And using our APIs, we do. Let's say John Doe didn't know ahead of time that he needed to add another partner from your company. But the other partner, Jeff, had the URL for Woodgrove Online for the B2B portal. So at this point of time, Jeff can come in and sign up for access to Woodgrove, and Woodgrove could do policy-based onboarding of that user to the right application. And there it is, Jeff's request has come in. I'm just going to approve it. And that should send an email to Jeff.

Great, and there are my onboarding instructions from Woodgrove. Signed in as Jeff, I can click on "Get Started". I see the landing page and I'm going to click "Next". Remember, I also did not have an Azure Active Directory account. So here I easily create one. And in the future, it's going to be single sign-on. I get a verification code, again. I input my verification code. And that lands me on the Woodgrove application access panel. So even without being manually onboarded by administration in the organization, I was able to get policy-based access to all the applications that my org needed in order to work successfully with Woodgrove. And I could do self-service onboarding. So that was really cool. How easy was that for Woodgrove to actually set up?

This took a couple of hours. We took instructions that we have already published as part of the Azure Active Directory B2B collaboration API documentation that you can see here. We actually produced that sample and published it on GitHub. So an organization that is interested in trying that self-service scenario out can just click on "Deploy to Azure". They can deploy this application into a subscription of their choice, customize it and modify it for the organizational needs.

Everything you've shown us has been really, really cool. But these have all been experiences with non-Microsoft apps. I actually assume that this just works with Office 365.

Absolutely. Office 365 Groups already inherently supports the B2B capabilities we are producing in Azure Active Directory. As well, those B2B users can get seamless access in SharePoint applications. And we are working closely every day with Office 365 application teams to make sure this is an integrated part of all of the Office 365 applications.

I guess the final thing is, do IT admins get any insight into what is happening inside of their organizations? I know people are going to watch that.

Absolutely. Let me show you. Here again, I am Alison. You can see that John Doe invited Simon. And that Simon accepted that invitation at a given time. In fact I can even go to the sign-in logs and I can see all the applications that Simon has accessed. So just like with internal users, you would be able to get all the information about what external users are doing in your organization. In addition, if the partner organization is on Azure Active Directory, they can also tell what their users are doing outside of the organization.

Sarat, that was a great overview. It's a lot simpler to enable external collaboration across your apps and services for both users and IT. What are you going to be working on next?

We saw today how it was possible to add individual users from partner companies. But most businesses work with roles in other partner companies. And they want those partner companies to manage the memberships in those roles. So we are going to create experiences where the partner company can manage memberships and you don't have to have the headache of that lifecycle management. And, in addition to that, we are going to do a ton of work in the governance features like access reviews, periodic email verification, sponsorships, etc.

Very cool. So how can these guys actually try Azure AD B2B?

This feature set is available for all Azure AD customers. If you have Office 365, EMS, Intune or any service in Azure, you can start using it today. And you can learn more at the link below.

Thank you very much for joining us on the show today. And congrats again on the GA milestone. Don't forget to keep watching Microsoft Mechanics for the latest updates. We'll see you next time.

Microsoft Mechanics www.microsoft.com/mechanics