Invite users with Azure Active Directory B2B collaboration

You can invite other users to access your environment. The Microsoft 365 Global admin can do this through the Azure portal. Invited users can access your environment using their own login credentials once a license and a security role are assigned to them. You don’t need to create a new user account and temporary password for these invited users in your own Microsoft 365 tenant.

Requirements

  • To send business-to-business (B2B) user invitations, you must have an Azure Active Directory Global admin role.

  • To bulk- invite users, get the latest Azure Active DirectoryPowerShell which can be downloaded from the PowerShell module's release page.

Incompatibilities

The following features are not supported for B2B invited users.

  1. Unified Service Desk client

    Invited users will not be able to use the Unified Service Desk client to log into the host tenant’s environment.

  2. Dynamics 365 App for Outlook

    Invited users will not be able to use their own tenant email addresses when performing email related transactions in the host environment. Server-side synchronization of invited users’ incoming and outgoing emails are not supported as there can be complications, especially for invited users who are already syncing their emails in their own tenant.

  3. Invited users cannot perform email activity using their own email address. The customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation) only synchronizes incoming and outgoing emails from Microsoft Exchange Online that is hosted in the same Microsoft 365 tenant.

  4. Microsoft 365 Groups

    Microsoft 365 Groups connects a group to customer engagement apps. Data (including new conversations and documents) are stored in the Exchange and/or SharePoint system. Since invited users belong to a different Microsoft 365 tenant, the invited users do not have permission to create Microsoft 365 Groups in the invited-to Microsoft 365 tenant. However, they can participate in the Microsoft 365 Groups conversations as a guest in their Outlook Inbox, but not within customer engagement apps.

  5. Dynamics 365 Customer Voice

    Invited users will not be able to use Dynamics 365 Customer Voice. You must create a new user in your tenant and then provide access to the new user.

Invite a user

You can add users to through Azure Active Directory B2B user collaboration. Global admins and limited admins can use the Azure portal to invite B2B collaboration users to the directory, to any security group, or to any application.

Admins can use one of the following methods to invite B2B users to their environment:

  1. Invite users to your environment that has a security group.

  2. Invite users to your environment that does not have a security group.

  3. Bulk-invite guest users using a .csv file.

    Your invited user will receive an email invitation to get started with B2B user collaboration.

    Email invitation sent to new user.

    When your user accepts the invitation by clicking on the Get Started link on the invitation email, they will be prompted to accept the invitation.

    Accept the invitation.

Note

Until you add a license to the user account, the user will not have access to customer engagement apps. Follow the steps below to add a license through the Azure portal.

Update user’s name and usage location

To assign a license, the invited user’s Usage location must be specified. Admins can update the invited user’s profile on the Azure portal.

  1. Go to Azure Active Directory > Users and groups > All users. If you don't see the newly created user, refresh the page.

  2. Click on the invited user, and then click Profile.

    User Profile button in Azure Active Directory.

  3. Update First name, Last name, and Usage location.

    Update Azure Active Directory user profile.

  4. Click Save, and then close the Profile blade.

Assign invited users a license and security role

Assign your invited users a license and security role so the user can use customer engagement apps.

  1. Go to Azure Active Directory > Users and groups > All users. If you don't see the newly created user, refresh the page.

  2. Click on the invited user, and then click Licenses.

    Assign a license with the Azure portal.

  3. Click New or Add button.Assign.

  4. Click Configure required settings.

  5. Select the product to license.

    Click Assign to see the list of licenses.

  6. Click Select, and then click Assign.

    Next, assign the invited users with appropriate security roles for the environment so they can access it. See Create users.

Approve email or enable mailbox (not supported)

Since server-side synchronization is not supported, System admins cannot approve an invited email address or mailbox since emails cannot be synced from the invited user’s Microsoft Exchange.

Notify your invited users

To complete the user invitation, notify your invited users and provide them with the URL for the environment they are invited to (for example, https://contoso.crm.dynamics.com).

Power Apps support for B2B guest maker (preview)

Important

  • This is a preview feature.
  • Preview features aren’t meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback.

B2B guest users can run Power Apps.

Follow these steps to allow B2B collaboration users to create Power Apps.

Note

Ensure that you perform below steps on the resource tenant, and not on the home tenant.

  • A resource tenant is where the app is expected to exist, and where the user is expected to create the app using Power Apps as a guest.
  • A home tenant is where the user's account resides and authenticates against.
  1. In Azure Active Directory, in external collaboration settings set guest user access to "(most inclusive)". For more info about Azure AD B2B check out: What is guest user access in Azure AD B2B?

  2. Use the following PowerShell cmdlet to enable guests to make Power Apps.

    $requestBody = Get-TenantSettings 
    $requestBody.powerPlatform.powerApps.enableGuestsToMake = $True 
    Set-TenantSettings $requestBody 
    
  3. Assign the Environment Maker security role to the B2B guest users that you want to be able to create apps and Microsoft list custom forms using Power Apps.

    Tip

    In addition, you can also review all other guests of this security role (especially in the default environment), and remove users that aren't expected to have this privilege.

After the B2B guest users are given the required permissions to create and edit apps, they can now create Power Apps and Microsoft List custom forms using Power Apps.

  1. B2B guests can follow these steps to sign in the preferred Azure AD tenant to build apps.

Known limitations

  1. To sign in to make.powerapps.com via Azure B2B, a user is required to sign in to an Azure Active Directory tenant. Microsoft Accounts (for example user@outlook.com, user@live.com, user@hotmail.com) cannot directly sign in to https://make.powerapps.com.
  2. If the Azure B2B maker is expected to build an app that uses Dataverse or build apps in a solution, they’ll need a license with Dataverse use rights assigned to them in the resource tenant.

See also

Azure AD B2B Collaboration is Generally Available!
Azure Active Directory B2B collaboration code and PowerShell samples
Azure Active Directory B2B collaboration frequently-asked questions (FAQ)
Azure Active Directory B2B Collaboration
Azure AD B2B: New updates make cross-business collab easy

Share a canvas app with guest users