Azure Active Directory B2B collaboration frequently-asked questions (FAQ)

These frequently asked questions are periodically updated to reflect new interests.

Is this functionality available in the Azure classic portal?

The new capabilities in this Azure AD B2B collaboration public preview refresh are available only through the Azure portal and the new Access Panel. Try it!

Can B2B collaboration users access SharePoint Online and OneDrive?

Your B2B collaboration guest users are in the directory. You can add them to groups that you grant permissions on SharePoint Online and OneDrive sites, or pick them directly from the SharePoint Online people picker. Because these are guest users, the SharePoint Online sites must have external sharing enabled.

Is the CSV upload mechanism still supported?

Yes. Refer to the PowerShell sample we have included.

How can I customize my invitation emails?

You can customize almost anything about the inviter process using the B2B invitation APIs.

Can the invited external user leave the organization to which he was invited?

This is currently not available in this public preview refresh.

Now that multi-factor authentication (MFA) is available for guest users, can they also reset their MFA method?

Yes, the same way that regular users can.

Which organization is responsible for MFA licenses?

The inviting organization is the organization that steps in and performs MFA. Thus, the inviting organization is responsible for making sure it has enough licenses for its B2B users who are performing MFA.

What if my partner org already has MFA set up? Can we trust their MFA and not use our MFA?

Not in this public preview refresh, but we will be supporting this in future releases. When that is released, you will be able to select specific partners to exclude from your (the inviting organization's) MFA.

How can I achieve delayed invitations?

Some organizations want to add B2B collaboration users, provision them to applications that require provisioning, and then send the invitations out. If that is you, you can use the B2B collaboration invitation API to customize the onboarding workflow.

Can guest users and contacts co-exist?

Your organization might have added contacts representing external collaborators so that they show up in the Global Address List and as email address suggestions during email composition. You might be wondering what happens when you now add these same collaborators as B2B collaboration users in the directory, right? In a future release, B2B collaboration users and your contact objects will be able to co-exist in your company directory. Stay tuned for our announcements!

Can I make my guest users limited admins?

Absolutely. If this is what your organization needs, find out how in Adding guest users to a role.

Does Azure AD B2B collaboration support permitting B2B users to access the Azure portal?

B2B collaboration users should not need to access the Azure portal unless they are assigned a limited administrator or global administrator role. In this case, they can access the portal. If a guest user who is not in these roles accesses the portal, then he/she may be able to access certain parts of the experience because the Guest user role has certain permissions in the directory as described in previous sections.

Can I block access to the Azure portal for guest users?

Yes! But be careful as you configure this policy to avoid accidentally blocking access to members and admins. You can block guest users from the Azure portal with a conditional access policy on the Windows Azure Service Management API, using the following three steps.

  1. Modify the All Users group to only contain Members
  2. Create a dynamic group that contains Guest users
  3. Set up a conditional access policy to block guest users from accessing the portal, as shown in the following video.
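Steps 2 and 3 can also be scripted. The following is an added example, not part of the original article or Microsoft's own code: it builds the request bodies for the dynamic guest group and the blocking policy, and refuses to produce the policy if the target group contains anyone who is not a guest. It assumes the Microsoft Graph `group` and `conditionalAccessPolicy` resource shapes and the well-known application ID of the Windows Azure Service Management API; the function names, display names, and the exclusion list for emergency-access accounts are hypothetical.

```python
# Added example: Microsoft Graph request bodies are built locally; nothing is sent.
AZURE_MGMT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API
GUEST_RULE = '(user.userType -eq "Guest")'  # dynamic membership rule for step 2


def guest_group_body(display_name="Guests (dynamic)", nickname="guests-dynamic"):
    """Body for POST /groups: a security group whose members are all guest users."""
    return {
        "displayName": display_name,
        "mailNickname": nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": GUEST_RULE,
        "membershipRuleProcessingState": "On",
    }


def non_guests(members):
    """Ids of group members that are not guests (a missing userType counts too)."""
    return [m["id"] for m in members if m.get("userType") != "Guest"]


def block_policy_body(group_id, members, exclude_user_ids=()):
    """Body for POST /identity/conditionalAccess/policies (step 3).

    members: the resolved membership of group_id, each with id and userType.
    Raises ValueError if the policy would also block a member or admin.
    """
    stray = non_guests(members)
    if stray:
        raise ValueError(f"group {group_id} contains non-guest users: {stray}")
    return {
        "displayName": "Block guest access to Azure management",
        "state": "enabledForReportingButNotEnforced",  # report-only until reviewed
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [group_id],
                      "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": [AZURE_MGMT_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sample: membership as returned by GET /groups/{id}/members?$select=id,userType
SAMPLE_MEMBERS = [{"id": "g-001", "userType": "Guest"},
                  {"id": "g-002", "userType": "Guest"}]
```

The policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is switched to enabled.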

What is the timeline by which Azure AD B2B collaboration will start support for MFA and consumer email accounts?

Both MFA and consumer email accounts are supported now in this public preview refresh.

What is the GA timeline for Azure AD B2B?

When we do this depends on the feedback that the current feature set receives from customers.

Is there a plan to support password reset for Azure AD B2B collaboration users?

Yes, both of these are supported for B2B collaboration (guest) users.

Is it also enabled for users in a viral tenant?

Not currently.

Does Microsoft CRM provide online support to Azure AD B2B collaboration?

CRM will provide support to Azure AD B2B collaboration after it is generally available.

Are B2B collaboration guest users visible in SharePoint Online/OneDrive people picker?

Yes! However, the ability to search for existing guest users in the SharePoint Online people picker is OFF by default to match legacy behavior. You can enable this using the setting 'ShowPeoplePickerSuggestionsForGuestUsers' at the tenant and site collection level. This can be set using the Set-SPOTenant and Set-SPOSite cmdlets, which allow members to search all existing guest users in the directory. Changes in the tenant scope do not affect already provisioned SharePoint Online sites.

What is the lifetime of an initial password for a newly created B2B collaboration user?

Azure AD has a fixed set of character, password strength, and account lockout requirements that apply equally to all Azure AD cloud user accounts. Cloud user accounts are the accounts that are not federated with another identity provider such as Microsoft Account, Facebook, ADFS, or even another cloud tenant (in the case of B2B collaboration). For federated accounts, the password policy depends on the policy in the on-premises tenancy and the user's Microsoft account settings.

Applications want to differentiate their experience between a tenant user and a guest user. Is there standard guidance for this? Is the presence of the identity provider claim the right model for this?

A guest user can use any identity provider to authenticate, as we discuss in Properties of a B2B collaboration user. Hence, the UserType is the right property to determine this. The UserType claim is not currently included in the token. Applications should use the Graph API to query the directory for the user and get their UserType.
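The directory lookup described above, as an added example that is not part of the original article or Microsoft's own code: the application takes the object ID from the user's token, asks the directory for `userType`, and grants the tenant-member experience only on an explicit `Member` answer. It assumes the Microsoft Graph v1.0 endpoint and the token's `oid` claim as the lookup key; the function names are hypothetical, and treating a missing or unknown `userType` as guest is a choice made by this example.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: Microsoft Graph v1.0


def user_type_url(object_id):
    """URL that returns only id and userType for the token's oid claim."""
    safe_id = urllib.parse.quote(object_id, safe="")  # no path tricks via the id
    return f"{GRAPH}/users/{safe_id}?$select=id,userType"


def http_get_json(url, access_token):
    """Default transport: authenticated GET against the directory."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def classify(user):
    """'member' only for an explicit Member; null or unknown userType is 'guest'."""
    user_type = user.get("userType") if isinstance(user, dict) else None
    if isinstance(user_type, str) and user_type.lower() == "member":
        return "member"
    return "guest"


def is_tenant_member(object_id, access_token, fetch=http_get_json):
    """True only if the directory confirms this object id is a Member."""
    try:
        user = fetch(user_type_url(object_id), access_token)
    except Exception:
        return False  # lookup failed: fall back to the restricted experience
    if not isinstance(user, dict) or str(user.get("id", "")).lower() != object_id.lower():
        return False  # response is not about the user we asked for
    return classify(user) == "member"


# Constructed directory records, keyed by object id (not real accounts).
SAMPLE_DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": {"userType": "Member"},
    "22222222-2222-2222-2222-222222222222": {"userType": "Guest"},
    "33333333-3333-3333-3333-333333333333": {"userType": None},
}


def sample_fetch(url, access_token):
    """Offline stand-in for http_get_json that serves SAMPLE_DIRECTORY."""
    oid = url.split("/users/")[1].split("?")[0]
    return {"id": oid, **SAMPLE_DIRECTORY[oid]}
```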

Where can I find a B2B collaboration community to share solutions and submit ideas?

We're constantly listening to your feedback on ways to improve B2B collaboration. We invite you to join the discussion, share your user scenarios, best practices, and what you like about Azure AD B2B collaboration at the Microsoft Tech Community.

We also invite you to submit your ideas and vote for future features at the B2B Collaboration Ideas site.
