How to configure B2B direct connect in Azure AD

Shared channels in Microsoft Teams is used to collaborate with people inside and outside the organization. You can invite people who are not in the team. Only users who are either owners or members of the shared channel can access the channel. While guests (people with Azure Active Directory guest accounts in your organization) can’t be added to a shared channel, you can invite people outside your organization to participate in a shared channel by using Azure AD B2B direct connect.

In this blog post, we will see how to configure B2B direct connect and End user experience from Microsoft Teams Application.

This feature currently only works with Microsoft Teams shared channels. With B2B direct connect, users from both organizations can work together using their home credentials and a shared channel in Teams, without having to be added to each other’s organizations as guests.

How to configure B2B direct Connect

For Inviting users to the shared channels who are outside your organization, you will need to configure Azure AD B2B direct Connect on Azure in your organization and also in your partner Azure organization as well. Azure Active Directory (Azure AD) B2B direct connect is a feature of External Identities that lets you set up a mutual trust relationship with another Azure AD organization for seamless collaboration.

About B2B direct Connect

B2B direct connect lets your users and groups access apps and resources that are hosted by an external organization. To establish a connection, an admin from the external organization must also enable B2B direct connect. When you enable outbound access to an external organization, limited data about your users is shared with the external organization, so that they can perform actions such as searching for your users. More data about your users may be shared with an organization if they consent to that organization’s privacy policies.

Please follow below steps to configure B2B direct connect

1. Login on Microsoft Azure Portal.
2. Search for Azure Active Directory and then click on External Identities on the left hand side.
3. Click on Cross-tenant access settings.
4. Click on Organizational Settings and then click + Add Organization.

Add domain name or Tenant ID of External organization.

Once the organization is added, you will need to configure Inbound access settings and Outbound access settings.

• Inbound access settings controls whether users from external organizations can access resources in your organization. You can restrict access to your organization resources by specifying users, groups or applications of External organization who are allowed to access the resources in your organization.

For Example: There is a web app called FinanceApp created in your organization myOrg. Finance department of Extorg organization wants to access this app. You can create an Azure AD security group in Extorg for Finance department and add this group while configuring B2B direct connect Inbound settings in myOrg.

• Outbound access settings control whether your users can access resources in an external organization. You can restrict it for a user, group or allow it for whole organization.

5. Configure B2B Inbound Access Settings

We will see how to configure B2B direct connect Inbound access settings. This needs to be configured for your Azure AD organization and also External Azure AD organization as well.

B2B Inbound Access
B2B direct connect inbound access settings determine whether users from external Azure AD organizations can access your resources without being added to your tenant as guests. By selecting “Allow access” below, you’re permitting users and groups from other organizations to connect with you. To establish a connection, an admin from the other organization must also enable B2B direct connect.

To configure inbound access settings. Please follow below steps:

1. Open Microsoft Azure Portal
2. Search for Azure Active Directory –> External Identities.
3. Cross-tenant access settings –> Organization Settings.
4. Inbound access column is showing as “Inherited from default” which means this setting is being controlled by Default settings.
5. Click on Cross-tenant access settings –> Default setitngs to check the default settings for B2B direct connect.
6. To configure Inbound access settings click on “Inherited from default” link under Inbound access column.

7. Click on B2B direct connect tab and then select Customize settings.

• External users and groups tab– Select Access status as “Allow access” and Applies to “All external users and groups”
• Applications tab – Select “Access status” to Allow access and “Applies to” to All Applications or Select Applications for example Office 365.

6. Trust settings

Next tab is for Trust Settings where you can configure the trust settings related to External Azure AD organizations. Select customize settings and then select the given checkboxes.

• Trust multi-factor authentication from Azure AD tenants – If you trust Multi-Factor authentication claim of External Azure AD organization then you can select the checkbox “Trust multi-factor authentication from Azure AD tenants“. Selecting this option will reduce the MFA prompts as the user will have to go through MFA once not twice.

• Trust compliant devices – If you trust the claim of compliant devices by External Azure AD organization then you can check “Trust compliant devices“. If your conditional access policy applies to compliant devices then this claim should satisfy the requirements of compliant device and provide access to the applications.

• Trust hybrid Azure AD joined devices – If you trust hybrid Azure AD joined devices of External Azure AD organization, then check “Trust hybrid Azure AD joined devices“

7. Configure B2B Outbound access settings

Outbound access settings controls whether users in your organization can access resources which are outside the organization. You can also control which users, group or App can access external resources. Let’s see how to configure B2B Outbound access setitngs.

B2B Outbound Access
Outbound access settings determine how your users and groups can interact with apps and resources in external organizations. The default settings apply to all your cross-tenant scenarios unless you configure organizational settings to override them for a specific organization. Default settings can be modified but not deleted.

To configure outbound access settings. Please follow below steps:

1. Open Microsoft Azure Portal
2. Search for Azure Active Directory –> External Identities.
3. Cross-tenant access settings –> Organization Settings.
4. Outbound access column will show as “Inherited from default” which means this setting is being controlled by Default settings.
5. Click on Cross-tenant access settings –> Default setitngs to check the default settings for B2B direct connect.
6. To configure Outbound access settings click on “Inherited from default” link under outbound access column.

7. Click on B2B direct connect tab and then select Customize settings.

• Users and groups tab– Select Access status as “Allow access” and Applies to “All <your org> users” . This will allow all users of your organization to access resources in configured external organization.

• External Applications tab – Select “Access status” to Allow access and “Applies to” to All Applications. This will provide access to All applications in configured External organization. You can also select specific applications which your organization users are allowed to access.

When you try and save the Outbound access settings, you will receive below pop-up related to privacy policy. Go through the message and click on Yes. You can also click on Learn more and get more information about it.

Inbound and Outbound Access settings are now configured. You can modify these settings later if your organization requirement changes.

For example, if you want to stop Inbound access in the future, you can go back to the Azure AD –> Cross tenant access settings –> Organization Settings -> Find the configured organization and re-configure Inbound or Outbound access settings.

Azure Active directory admin of Extenal Organization needs to add your Azure AD organization on their side and configure Inbound and Outbound Access policies. After this configuration is complete, you should be able invite users from External Azure AD organization.

B2B Direct connect and Microsoft Teams

As we know B2B direct connect feature currently only works with Microsoft Teams shared channels. With B2B direct connect, users from both organizations can work together using their home credentials and a shared channel in Teams, without having to be added to each other’s organizations as guests.

You can create shared channels in Microsoft Teams. Only team owners can create shared channels. As the team owner who creates the shared channel, becomes the channel owner.

How to create a Teams shared channel

1. Open Microsoft Teams.
2. Find the Team in which you want to create a shared channel.
3. Click on Three dots next to the Team and click on Add Channel.

4. Provide a Name of the Channel for example: Finance Project Team A and In the Privacy drop down select Shared, You also get Standard and Private channel options but in our case as we are creating a Teams shared channel, we will use choosing Shared – People you choose from your org or other orgs have access.
5. Click on Create button.

How to add External users to the Teams shared channel

After you click on Create button while creating a Teams shared channel, you will get the option to share the channel with other users. On this screen you can search for users and add. You can add internal or external users.

Because of the B2B direct connect configuration, we are also able to search for users in external organization. As you can see from the screenshot, A user Nestor Wilke (External) is searchable from my organization. You can add this user to the shared channel.

You will also notice that there is External tag next to the name of the user to reflect that this user is from another Azure AD organization. You can also add more users / team to this shared channel after the channel has been created. Click on Done to complete the setup.

Teams Shared Channel Finance Project A has been created. Notice an icon next to the channel to highlight that this is a shared channel. You can click on three dots and then click on Share channel. You will get different options on sharing a channel with a Team or individual users.

Few Important Points about Shared Channels

• Using shared channels you can invite people outside of your organization by using Azure AD B2B direct connect.
• Shared channels are enabled by default but can be disabled by Editing Teams Policies via Microsoft Teams Admin Center.
• Guest accounts cannot be added to the Shared Channels.
• Shared Channels cannot be converted to Standard Channels.

Conclusion

Teams shared channel is a great solution for collabrating with External Organizations without adding external users as guest in your Azure AD organization. You can configure B2B direct connection before inviting users from external organization. When you invite an external user from shared channel, it verifies the B2B direct connect settings before adding the user. You can explore and read more about shared channels on Microsoft Documantation https://docs.microsoft.com/en-us/microsoftteams/shared-channels.

READ NEXT

• How To Enable Developer Preview And Public Preview In Microsoft Teams.
• External Users / Guests Are Able To Bypass Lobby – Microsoft Teams Meeting.
• Unable To Change The Coexistence Mode From Islands To Teams Only.
• Outlook And Teams Not Launching, Error Code 80090016. Your Computer’s Trusted Platform Module Has Malfunctioned.
• How To Disable A Particular Service Or License For Example Teams From Office 365 Assigned License Plan Using Powershell.