Detailed step-by-step deployment instructions
Details
- Allows self-service provisioning of guest accounts in a tenant. Portal enables this via API calls to the Microsoft Graph
- Leverages Azure DocumentDB. For development, a downloadable emulator is available: https://aka.ms/documentdb-emulator
- ARM template deploys the following:
- Azure Web App
- Azure DocumentDB
- Requires the following (see step-by-step deployment instructions above for details):
- Azure AD application with the following:
- Microsoft Graph - app permissions
- Read and write directory data
- Read and write all users' full profiles
- Microsoft Graph - delegated permissions
- Sign in and read user profile
- Azure AD application with the following:
- Microsoft Graph - delegated permissions
- Sign in and read user profile
- Multi-Tenant enabled
- Optional - custom DNS name and SSL cert
Operation
- Guests access the home page and may enter their login email to request access to the host tenant/company. Optionally, they may click to "Require Sign-In" - this will allow them to login to the guest's home tenant, authenticate, then return with the form pre-filled AND with the request authenticated and validated.
- Once the request is submitted, the request will be queued in a DocumentDB repo.
- A user in the home company with the "Guest Submitter" role granted can then access the portal, log in, and browse the pending requests, either approving, denying, or leaving in a pending state for others to review. Additionally, internal comments can be attached to the request records.
- Optionally, authorized users may login and add a "Partner Organization" profile record. This will allow potential guests with a matching domain suffix, to be optionally auto-approved for B2B guest access in the tenant.
- Whether a user is automatically approved, or manually approved, once an approval occurs, a welcome email is generated to the requester with a link that allows for redemption of the request.
This code is made available as a sample to demonstrate usage of the Azure Active Directory B2B Invitation API. It should be customized by your dev team or a partner, and should be reviewed before being deployed in a production scenario.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.