Azure AD business-to-business (B2B) collaboration with Microsoft Identity Manager(MIM) 2016 SP1 with Azure Application Proxy (Public Preview)

The initial scenario in preview is external user AD account lifecycle management. In this scenario, an organization has invited guests into its Azure AD directory and wants to give those guests access to on-premises Windows Integrated Authentication or Kerberos-based applications through the Azure AD Application Proxy or another gateway mechanism. The Azure AD Application Proxy requires each user to have their own AD DS account for identification and delegation purposes.

Scenario Specific Supported Guidance

In this scenario, an organization has invited guests into its Azure AD directory and wants to give those guests access to on-premises Windows Integrated Authentication or Kerberos-based applications through the Azure AD Application Proxy or another gateway mechanism. The Azure AD Application Proxy requires each user to have their own AD DS account for identification and delegation purposes.

A few assumptions are made in the configuration of B2B with MIM and Azure Application Proxy.

B2B End to End Deployment

Scenario

Contoso Pharmaceuticals works with Trey Research Inc. as part of its R&D department. Trey Research employees need to access the research reporting application provided by Contoso Pharmaceuticals.

  • Contoso Pharmaceuticals is in an independent tenant and has configured a custom domain.

  • An external user has been invited to the Contoso Pharmaceuticals tenant. This user has accepted the invitation and can access the resources that are shared.

  • An application has been published via App Proxy. In this scenario the example application is the MIM Service and Portal, so that guest users can participate in MIM processes (for example, helpdesk scenarios).

Create the Graph Management Agent

Note: Before creating the connector, make sure you have reviewed the Graph Management Agent documentation.

In the Synchronization Service Manager UI, select Connectors and then Create. Select Graph (Microsoft) and give it a descriptive name.

Connectivity

On the Connectivity page, you must specify the Graph API version: V1.0 is production ready, while Beta is for non-production use only.

Capabilities


Global Parameters

On the Global Parameters page, you configure the DN to the delta change log and additional LDAP features. The page is pre-populated with the information provided by the LDAP server.

Configure Provisioning Hierarchy

This page is used to map a DN component, for example OU, to the object type that should be provisioned, for example organizationalUnit. Leave the default and click Next.

Configure Partitions and Hierarchies

On the Partitions and Hierarchies page, select all namespaces containing objects you plan to import and export.

Select Object Types

On the Select Object Types page, select the object types you plan to import. In this scenario, only the User object type is needed.

Select Attributes

On the Select Attributes page, select the attributes needed to manage B2B users. The attribute id is required.

  • id

  • displayName

  • mail

  • givenName

  • surname

  • userPrincipalName

  • userType

Configure Anchors

Configuring the anchor is a required step. By default, the id attribute is used as the anchor.

Configure Connector Filter

The Configure Connector Filter page allows you to filter out objects based on an attribute filter. In this B2B scenario, the goal is to bring in only users whose userType equals Guest, not Member.

Configure Join and Projection Rules

Join and projection are handled by the synchronization rule, so it is not necessary to define join and projection rules on the connector itself. Leave the default and click OK.

Configure Attribute Flow

As with join and projection, it is not necessary to define the attribute flow here; it is handled by the synchronization rule created later. Leave the default and click OK.

Configure Deprovision

Configure Deprovisioning lets you delete the connector space object when the metaverse object is deleted. In this test, we make them disconnectors, because the goal is to leave the objects in Azure AD; nothing is exported to Azure AD in any case, as this connector is import only.

Configure Extensions

Configuring extensions on this management agent is optional and not required here, because we are using a synchronization rule. If an advanced rule had been chosen in the attribute flow step earlier, the extension would be defined on this page.

Creating MIM Service Synchronization Rules

In the steps below we begin the mapping of the B2B guest account and the attribute flow. It is assumed that you already have the Active Directory Management Agent configured and the FIM MA configured to talk to the MIM Service and Portal.

Before creating the sync rule, we need to create an attribute called userPrincipalName tied to the person object using the MV Designer.

In the Synchronization client, select Metaverse Designer

Then Select the Person Object Type

Next under actions click Add Attribute

Finally complete the following details

Attribute name: userPrincipalName

Attribute Type: String (Indexable)

Indexed = True

The next steps require minimal configuration of the FIM Service Management Agent and the Active Directory Domain Services Management Agent.

More details on this configuration can be found in How Do I Provision Users to AD DS: https://technet.microsoft.com/en-us/library/ff686263(v=ws.10).aspx

Synchronization Rule: Import Guest User into the Synchronization Service Metaverse from Azure Active Directory

Navigate to the MIM Service and Portal, select Synchronization Rules, and click New.

Select "Create resource in FIM"

Flow Rules:

Initial Flow Only   Use as Existence Test   Flow (FIM Value ⇒ Destination Attribute)
                                            displayName ⇒ displayName
                                            Left(id,20) ⇒ accountName
                                            id ⇒ uid
                                            userType ⇒ employeeType
                                            givenName ⇒ givenName
                                            surname ⇒ sn
                                            userPrincipalName ⇒ userPrincipalName
                                            id ⇒ cn
                                            mail ⇒ mail
                                            mobilePhone ⇒ mobilePhone

Synchronization Rule: Create Guest User account to Active Directory

This synchronization rule creates the user in Active Directory.

Flow Rules:

Initial Flow Only   Use as Existence Test   Flow (FIM Value ⇒ Destination Attribute)
                                            accountName ⇒ sAMAccountName
                                            givenName ⇒ givenName
                                            mail ⇒ mail
                                            sn ⇒ sn
                                            userPrincipalName ⇒ userPrincipalName
Y                                           "CN="+uid+",OU=B2BGuest,DC=scontoso,DC=com" ⇒ dn
Y                                           RandomNum(0,999)+userPrincipalName ⇒ unicodePwd
Y                                           262656 ⇒ userAccountControl
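As an added example that is not part of the original article, the following Python simulates the connector filter (userType equals Guest) and the attribute flows of the two synchronization rules above on a constructed Graph guest object, and decodes the userAccountControl value 262656 into its AD flag bits. The unicodePwd flow is left out; the sample objects, the flag table, and the function names are assumptions of this example.

```python
# Added example (not from the article): simulate the Graph connector
# filter and the flow rules of the two synchronization rules above.
# SAMPLE_GUEST / SAMPLE_MEMBER are constructed objects, not real data.

# Standard AD userAccountControl bits (subset) used to decode 262656.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "TRUSTED_FOR_DELEGATION",
}

SAMPLE_GUEST = {
    "id": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "displayName": "Jane Doe (Trey Research)",
    "givenName": "Jane", "surname": "Doe",
    "mail": "jane.doe@treyresearch.com",
    "userPrincipalName": "jane.doe_treyresearch.com#EXT#@contoso.onmicrosoft.com",
    "userType": "Guest",
}
SAMPLE_MEMBER = dict(SAMPLE_GUEST, id="7c9e6679-7425-40de-944b-e07fc1f90ae7",
                     userPrincipalName="bob@contoso.com", userType="Member")

def is_guest(user):
    """Connector filter: only objects whose userType equals Guest flow in."""
    return user.get("userType") == "Guest"

def flow_to_metaverse(user):
    """Rule 1 (Graph -> metaverse person). Left(id,20) keeps the
    sAMAccountName within AD's 20-character limit."""
    return {"displayName": user["displayName"], "accountName": user["id"][:20],
            "uid": user["id"], "employeeType": user["userType"],
            "givenName": user.get("givenName"), "sn": user.get("surname"),
            "userPrincipalName": user["userPrincipalName"],
            "cn": user["id"], "mail": user.get("mail")}

def flow_to_ad(mv, ou="OU=B2BGuest,DC=scontoso,DC=com"):
    """Rule 2 (metaverse person -> AD user). unicodePwd is not modelled."""
    return {"sAMAccountName": mv["accountName"], "givenName": mv["givenName"],
            "mail": mv["mail"], "sn": mv["sn"],
            "userPrincipalName": mv["userPrincipalName"],
            "dn": "CN=" + mv["uid"] + "," + ou,   # "CN="+uid+",OU=B2BGuest,..."
            "userAccountControl": 262656}

def decode_uac(value):
    """Name the flag bits set in a userAccountControl integer."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def provision(user):
    """End-to-end: filter, then apply both rules; None if filtered out."""
    if not is_guest(user):
        return None
    return flow_to_ad(flow_to_metaverse(user))
```

Running provision(SAMPLE_GUEST) shows the exact sAMAccountName, dn and flag set the rules will push to AD; a Member object returns None because the connector filter drops it.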

Synchronization Rule: Import B2B Guest User Objects SID to allow for login to MIM

This synchronization rule flows the Active Directory account's sAMAccountName, domain, and objectSid to the MIM Service person object, which the guest needs in order to log in to the MIM Portal.

Flow Rules:

Initial Flow Only   Use as Existence Test   Flow (FIM Value ⇒ Destination Attribute)
                                            sAMAccountName ⇒ accountName
                                            "CONTOSO" ⇒ domain
                                            objectSid ⇒ objectSid

Lastly, we invite the user and then run the management agents in the following order:

  • Full Import and Synchronization on the MIMMA Management Agent

  • Full Import and Synchronization on the ADMA_SCONTOSO_B2B Management Agent

  • Full Import and Synchronization on the B2B Graph Management Agent

  • Export, Delta Import, and Synchronization on the ADMA_SCONTOSO_B2B Management Agent

  • Export, Delta Import, and Synchronization on the MIMMA Management Agent

Finally: Application Proxy with B2B Guest and Logging into MIM

Now that the synchronization rules are created in MIM, configure the App Proxy application: use the cloud principal so that KCD can be performed through App Proxy, and then add the guest user manually under Users and groups. Hiding the application from the guest until the account has been created in MIM (for example, by adding the guest to an Office group once provisioned) requires additional configuration that is not covered in this document.

Once everything is configured, have the B2B user log in and confirm that the application is visible.

Next Steps

How Do I Provision Users to AD DS

Functions Reference for FIM 2010

How to provide secure remote access to on-premises applications

Download Microsoft Identity Manager management agent for Microsoft Graph (preview)