Invite external users to Azure AD Domain services?

  • Question

  • Hi,

    I would like to get input or recommendations on how to handle external users accessing our Azure tenant/setup.

    Today we set up a unique tenant/subscription for each customer, host an application there and publish it with RDS.

    In each tenant we use Azure Domain Services. We need to make our application server (VM) a member of a domain and then use WVD to publish the application in a secure way.

    Our customer would like to use their own username/password to access our application, and my first thought was to use Azure B2B collaboration and invite them as guest users, or to set up AD Connect to synchronize a specific group of users into our Azure tenant.

    But then I assume the username/password would not sync to Azure Domain Services, only to Azure AD (?).

    The users need to authenticate to Azure Domain Services because the WVD hosts and our application servers are members of the domain.

    Tuesday, November 5, 2019 10:24 PM

All replies

  • Our customer would like to use their own username/password to access our application, and my first thought was to use Azure B2B collaboration and invite them as guest users, or to set up AD Connect to synchronize a specific group of users into our Azure tenant.


    But then I assume the username/password would not sync to Azure Domain Services, only to Azure AD (?)

    @Boffen, There are a few things you should consider here.

    1. The user accounts, group memberships and credential (password) hashes are synchronized to Azure AD Domain Services from the tenant. It is a one-way sync and there is no write-back from Azure AD DS to Azure AD. Ref: How objects and credentials are synchronized in an Azure AD Domain Services managed domain

    2. If you invite the other users to your tenant, the account is created in your tenant (with a reflection like user@#EXT#domain.com), though their username does not actually change. But the password does not get carried forward to your tenant. Hence, if any authentication is required from your tenant's side, the request is sent to the home tenant of the user to be authenticated there.

    3. Now, since the password is not present in your tenant for the guest users, it certainly does not get carried over to Azure AD DS. So, if the authentication has to be done, Azure AD DS would pass the request to your tenant and then your tenant would request authentication from the user's home tenant.

    4. If you are looking to set up Azure AD Connect, you first need to decide which kind of working model you are thinking of. Here's the document which details the different topologies that Azure AD Connect supports.

    Hope this helps you get a better picture. Let us know how we can assist you further.


    Wednesday, November 6, 2019 11:10 AM
    Moderator
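The practical consequence of points 1 to 3 above is that only users whose password hash exists in this tenant can do a domain sign-in against the Azure AD DS managed domain, and B2B guests never have one. The following script, added here as an example and not part of the original thread, pulls the members of the group that is meant to get the published app and flags each one accordingly. It assumes the Microsoft Graph PowerShell SDK is installed, a signed-in account with User.Read.All and GroupMember.Read.All, and a hypothetical group name "WVD-Customer-Users".

```powershell
# Added example (not from the thread): report which members of the app-access group
# can actually authenticate to the Azure AD DS managed domain behind WVD.
# Assumes Microsoft.Graph PowerShell module; group name below is a placeholder.
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All"

$groupName = "WVD-Customer-Users"   # hypothetical group assigned to the published application
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found in this tenant" }

$members = Get-MgGroupMember -GroupId $group.Id -All
$report = foreach ($m in $members) {
    # Group members may be nested groups or service principals; only users matter here.
    if ($m.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, UserType, OnPremisesSyncEnabled

    # A B2B guest (userType = Guest) has no password hash in this tenant: the home
    # tenant authenticates them, so nothing can be synchronized into Azure AD DS and
    # a domain sign-in to the session hosts will fail for that account.
    $verdict = switch ($u.UserType) {
        'Guest'  { 'NO  - B2B guest, credential stays in home tenant' }
        'Member' {
            if ($u.OnPremisesSyncEnabled) { 'YES - synced from on-prem (needs password hash sync in AD Connect)' }
            else                          { 'YES - cloud-only member' }
        }
        default  { 'UNKNOWN - userType not set' }
    }

    [pscustomobject]@{
        UserPrincipalName   = $u.UserPrincipalName
        UserType            = $u.UserType
        SyncedFromOnPrem    = [bool]$u.OnPremisesSyncEnabled
        CanSignInToAzureADDS = $verdict
    }
}

$report | Sort-Object UserType, UserPrincipalName | Format-Table -AutoSize
```

Any row marked "NO" is an account for which inviting the customer as a guest will not give them access to a domain-joined WVD host, matching the reply above. Two caveats worth checking in the same pass: cloud-only members only get a usable hash in the managed domain after they change their password once Azure AD DS has been enabled, and on-prem synced members depend on password hash synchronization being turned on in the Azure AD Connect topology you choose.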
  • I'm following up on this issue.

     Please remember to mark one of the responses as the answer if your question has been answered. If not, please let us know if there are any more questions. Thanks

    Wednesday, November 13, 2019 10:24 PM
    Moderator
  • Please let us know if you were able to resolve the issue from the replies above. If you still have more questions, please let us know with some additional information regarding your question and we'll try to resolve it. It may require additional support escalation if we are unable to resolve this on this MSDN thread.

    If there are no more follow-ups in regards to this, I will be marking a reply as the answer. If you feel your question has not been answered, please let us know any pending asks and we can try to follow up accordingly.

    thanks,

    - Frank H.

    Tuesday, November 26, 2019 8:02 PM
    Moderator