-
Notifications
You must be signed in to change notification settings - Fork 279
/
faq.yml
206 lines (162 loc) · 18.5 KB
/
faq.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
### YamlMime:FAQ
metadata:
title: B2B collaboration FAQs
description: Get answers to frequently asked questions about Microsoft Entra B2B collaboration.
ms.service: entra-external-id
ms.topic: faq
ms.date: 04/24/2024
ms.author: mimart
author: msmimart
manager: celestedg
ms.custom: it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
ms.collection: M365-identity-device-management
title: Microsoft Entra B2B collaboration FAQs
summary: |
[!INCLUDE [applies-to-workforce-only](./includes/applies-to-workforce-only.md)]
These frequently asked questions (FAQs) about Microsoft Entra business-to-business (B2B) collaboration are periodically updated to include new topics.
> [!IMPORTANT]
> - **Starting January 4, 2021**, Google [deprecated WebView sign-in support](https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html). If you're using Google federation or self-service sign-up with Gmail, you should [test your line-of-business native applications for compatibility](google-federation.md#deprecation-of-web-view-sign-in-support).
> - The [email one-time passcode](one-time-passcode.md) feature is now turned on by default for all new tenants and for any existing tenants where you haven't explicitly turned it off. When this feature is turned off, the fallback authentication method is to prompt invitees to create a Microsoft account.
sections:
- name: General
questions:
- question: |
Can we customize our sign-in page so it's more intuitive for our B2B collaboration guest users?
answer: |
Absolutely, for information about how to customize your organization's sign-in page, see [Add company branding to sign in and Access Panel pages](~/fundamentals/how-to-customize-branding.md).
- question: |
Can B2B collaboration users access SharePoint Online and OneDrive?
answer: |
Yes. However, the ability to search for existing guest users in SharePoint Online by using the people picker is **Off** by default. To turn on the option to search for existing guest users, set **ShowPeoplePickerSuggestionsForGuestUsers** to **On**. You can turn this setting on either at the tenant level or at the site collection level. You can change this setting by using the Set-SPOTenant and Set-SPOSite cmdlets. With these cmdlets, members can search all existing guest users in the directory. Changes in the tenant scope don't affect SharePoint Online sites that have already been provisioned.
- question: |
Can B2B collaboration users access Power BI content?
answer: |
Yes, you can [distribute Power BI content to external guest users using B2B collaboration](/power-bi/guidance/whitepaper-azure-b2b-power-bi). To share Power BI content across Microsoft clouds, you can [use Microsoft cloud settings](cross-tenant-access-overview.md#microsoft-cloud-settings) to establish mutual B2B collaboration between your cloud and an external cloud.
- question: |
Is the CSV upload feature still supported?
answer: |
Yes. For more information about using the .csv file upload feature, see [this PowerShell sample](code-samples.md).
- question: |
How can I customize my invitation emails?
answer: |
You can customize almost everything about the inviter process by using the [B2B invitation APIs](customize-invitation-api.md).
- question: |
Can guest users reset their multifactor authentication method?
answer: |
Yes. Guest users can reset their multifactor authentication method the same way that regular users do.
- question: |
Which organization is responsible for multifactor authentication licenses?
answer: |
The inviting organization performs multifactor authentication. The inviting organization must make sure that the organization has enough licenses for their B2B users who are using multifactor authentication.
- question: |
What if a partner organization already has multifactor authentication set up? Can we trust their multifactor authentication?
answer: |
[Cross-tenant access settings](cross-tenant-access-overview.md) let you trust multifactor authentication and device claims ([compliant claims and Microsoft Entra hybrid joined claims](~/identity/conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Microsoft Entra organizations.
- question: |
How many organizations can I add in cross-tenant access settings?
answer: |
Cross-tenant access settings are a policy in the directory that stores your settings for how you collaborate with other organizations. This policy file has a 25kb size limit and once it is maxed out, no additional organizations or changes can be made that would further increase the file size. Due to how we store the content in this policy, there is no defined limit of organizations you can add in cross-tenant access settings. If you need to apply settings to a large number of organizations, we recommend implementing those settings as your default settings. Follow the steps to [calculate the current size of your policy](troubleshoot.md#an-error-similar-to-failure-to-update-policy-due-to-object-limit-appears-while-configuring-cross-tenant-access-settings) and determine whether you are close to hitting the 25kb file size limit.
- question: |
How can I use delayed invitations?
answer: |
An organization might want to add B2B collaboration users, provision them to applications as needed, and then send invitations. You can use the B2B collaboration invitation API to customize the onboarding workflow.
- question: |
Can I make guest users visible in the Exchange Global Address List?
answer: |
Yes. By default, guest objects aren't visible in your organization's global address list, but you can make them visible. For details, see [Add guests to the global address list](/microsoft-365/solutions/per-group-guest-access#add-guests-to-the-global-address-list) in the Microsoft 365 per-group guest access article.
- question: |
Can I make a guest user a limited administrator?
answer: |
Absolutely. For more information, see [Adding guest users to a role](./add-users-administrator.yml).
- question: |
Does Microsoft Entra B2B collaboration allow B2B users to access the Microsoft Entra admin center?
answer: |
Unless a user is assigned the role of limited administrator, B2B collaboration users won't require access to the Microsoft Entra admin center. However, B2B collaboration users who are assigned the role of limited administrator can access the portal. Also, if a guest user who isn't assigned one of these admin roles accesses the portal, the user might be able to access certain parts of the experience. The guest user role has some permissions in the directory.
- question: |
Can I block access to the Microsoft Entra admin center for guest users?
answer: |
Yes, you can create a Conditional Access policy that blocks guest user access to the admin center or portal. When configuring the Conditional Access policy, you have granular control over the types of external users you want to apply the policy to. When you configure this policy, be careful to avoid accidentally blocking access to members and admins. Learn more about [Conditional Access for external users](authentication-conditional-access.md#conditional-access-for-external-users).
- question: |
Does Microsoft Entra B2B collaboration support multifactor authentication and consumer email accounts?
answer: |
Yes. Multifactor authentication and consumer email accounts are both supported for Microsoft Entra B2B collaboration.
- question: |
Do you support password reset for Microsoft Entra B2B collaboration users?
answer: |
If your Microsoft Entra tenant is the home directory for a user, you can [reset the user's password](~/fundamentals/users-reset-password-azure-portal.yml) from the Microsoft Entra admin center. But you can't directly reset a password for a guest user who signs in with an account that's managed by another Microsoft Entra directory or external identity provider. Only the guest user or an administrator in the user’s home directory can reset the password. Here are some examples of how password reset works for guest users:
* Guest users in a Microsoft Entra tenant that are marked "Guest" (UserType==Guest) can't register for SSPR through [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup). These type of guest user can only perform SSPR through [https://aka.ms/sspr](https://aka.ms/sspr).
* Guest users who sign in with a Microsoft account (for example guestuser@live.com) can reset their own passwords using Microsoft account self-service password reset (SSPR). See [How to reset your Microsoft account password](https://support.microsoft.com/help/4026971/microsoft-account-how-to-reset-your-password).
* Guest users who sign in with a Google account or another external identity provider can reset their own passwords using their identity provider's SSPR method. For example, a guest user with the Google account guestuser@gmail.com can reset their password by following the instructions in [Change or reset your password](https://support.google.com/accounts/answer/41078).
* If the identity tenant is a just-in-time (JIT) or "viral" tenant (meaning it's a separate, unmanaged Azure tenant), only the guest user can reset their password. Sometimes an organization will [take over management of viral tenants](~/identity/users/domains-admin-takeover.md) that are created when employees use their work email addresses to sign up for services. After the organization takes over a viral tenant, only an administrator in that organization can reset the user's password or enable SSPR. If necessary, as the inviting organization, you can remove the guest user account from your directory and resend an invitation.
* If the guest user's home directory is your Microsoft Entra tenant, you can reset the user's password. For example, you might have created a user or synced a user from your on-premises Active Directory and set their UserType to Guest. Because this user is homed in your directory, you can reset their password from the Microsoft Entra admin center.
- question: |
Does Microsoft Dynamics 365 provide online support for Microsoft Entra B2B collaboration?
answer: |
Yes, Dynamics 365 (online) supports Microsoft Entra B2B collaboration. For more information, see the Dynamics 365 article [Invite users with Microsoft Entra B2B collaboration](/power-platform/admin/invite-users-azure-active-directory-b2b-collaboration).
- question: |
What is the lifetime of an initial password for a newly created B2B collaboration user?
answer: |
Microsoft Entra ID has a fixed set of character, password strength, and account lockout requirements that apply equally to all Microsoft Entra cloud user accounts. Cloud user accounts are accounts that aren't federated with another identity provider, such as
* Microsoft account
* Facebook
* Active Directory Federation Services
* Another cloud tenant (for B2B collaboration)
For federated accounts, password policy depends on the policy that is applied in the on-premises tenancy and the user's Microsoft account settings.
- question: |
An organization might want to have different experiences in their applications for tenant users and guest users. Is there standard guidance for this? Is the presence of the identity provider claim the correct model to use?
answer: |
A guest user can use any identity provider to authenticate. For more information, see [Properties of a B2B collaboration user](user-properties.md). Use the **UserType** property to determine user experience. The **UserType** claim isn't currently included in the token. Applications should use the Microsoft Graph API to query the directory for the user, and to get the UserType.
- question: |
Where can I find a B2B collaboration community to share solutions and to submit ideas?
answer: |
We're constantly listening to your feedback, to improve B2B collaboration. Please share your user scenarios, best practices, and what you like about Microsoft Entra B2B collaboration. Join the discussion in the [Microsoft Tech Community](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B/bd-p/AzureAD_B2b).
We also invite you to submit your ideas and vote for future features at [B2B Collaboration Ideas](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B-Ideas/idb-p/AzureAD_B2B_Ideas).
- question: |
Can we send an invitation that is automatically redeemed, so that the user is just “ready to go”? Or does the user always have to click through to the redemption URL?
answer: |
You can invite other users in the partner organization by using the UI, PowerShell scripts, or APIs. You can then send the guest user a direct link to a shared app. In most cases, there's no longer a need to open the email invitation and click a redemption URL. See [Microsoft Entra B2B collaboration invitation redemption](redemption-experience.md).
- question: |
How does B2B collaboration work when the invited partner is using federation to add their own on-premises authentication?
answer: |
If the partner has a Microsoft Entra tenant that is federated to the on-premises authentication infrastructure, on-premises single sign-on (SSO) is automatically achieved. If the partner doesn't have a Microsoft Entra tenant, a Microsoft Entra account is created for new users.
- question: |
Can an Azure AD B2C local account be invited to a Microsoft Entra tenant for B2B collaboration?
answer: |
No. An Azure AD B2C local account can only be used to sign in to the Azure AD B2C tenant. The account can't be used to sign into a Microsoft Entra tenant. Inviting an Azure AD B2C local account to a Microsoft Entra tenant for B2B collaboration isn't supported.
- question: |
What applications and services support Azure B2B guest users?
answer: |
All Microsoft Entra integrated applications can support Azure B2B guest users, but they must use an endpoint set up as a tenant to authenticate guest users. You might also need to [customize the claims](claims-mapping.md) in the SAML token that is issued when a guest user authenticates to the app.
- question: |
Can we force multifactor authentication for B2B guest users if our partners don't have multifactor authentication?
answer: |
Yes. For more information, see [Conditional Access for B2B collaboration users](authentication-conditional-access.md).
- question: |
In SharePoint, you can define an "allow" or "deny" list for external users. Can we do this in Azure?
answer: |
Yes. Microsoft Entra B2B collaboration supports allowlists and blocklists.
- question: |
What licenses do we need to use Microsoft Entra B2B?
answer: |
For information about what licenses your organization needs to use Microsoft Entra B2B, see [External ID pricing](external-identities-pricing.md).
- question: |
What happens if I invite a user whose email and UPN don’t match?
answer: |
It depends. By default, Microsoft Entra-only allows UPN for login ID. When UPN and email are the same, Microsoft Entra B2B invitations and subsequent sign-ins work as expected. However, issues can arise when a user’s email and UPN don’t match, and the email is used instead of the UPN to sign in.
When a user is invited with a non-UPN email, they will be able to redeem the invitation if they redeem using the [email invitation link](redemption-experience.md#redemption-process-through-the-invitation-email), but redemptions via a [direct link](redemption-experience.md#redemption-process-through-a-direct-link) will fail. However, even if the user successfully redeems the invitation, subsequent sign-in attempts using the non-UPN email will fail unless the identity provider (either Microsoft Entra ID or a federated identity provider) is configured to allow email as an alternative login ID.
This issue can be mitigated by:
1. [Enabling email as an alternate login ID](~/identity/authentication/howto-authentication-use-email-signin.md) in the invited/home Microsoft Entra tenant
2. Enabling the federated identity provider to support email as login ID (if Microsoft Entra ID is federated to another identity provider) or
3. Instructing the user to redeem/sign-in using their UPN.
To avoid this issue entirely, administrators should ensure users’ UPN and email are the same value.
![Screenshot shows the flow for guest redemption.](media/user-invitation-different-email-upn/guest-redemption.png)
![Screenshot shows the flow for subsequent sign-ins.](media/user-invitation-different-email-upn/subsequent-sign-in.png)
>[!NOTE]
>Invitations and redemptions being sent across Microsoft clouds must use UPN. Email is not supported at this time. For example, if a user from a US Government tenant is invited to a Commercial tenant, the user must be invited using their UPN.
- question: |
Instant-on: What can cause replication latency?
answer: |
In the B2B collaboration flows, we add users to the directory and dynamically update them during the invitation redemption process, app assignment, and so on. The updates and writes ordinarily happen in one directory instance and must be replicated across all instances. Replication is completed once all instances are updated. Sometimes when the object is written or updated in one instance and the call to retrieve this object is to another instance, replication latencies can occur. If that happens, refresh or retry to help. If you are writing an app using our API, then retries with some back-off is a good, defensive practice to alleviate this issue.
additionalContent: |
## Next steps
[What is Microsoft Entra B2B collaboration?](what-is-b2b.md)