The owner of a CSP (Cloud Solution Provider) subscription must be associated to a specific tenant, and we want to keep our main corporate tenant separate for security purposes. We intended to invite necessary corporate users (or partner accounts) via B2B and allocate CSP roles to them.

This (allocation of roles to B2B users) is currently impossible due to each M365 workload (EXO, SharePoint, etc) not yet support assigning roles to B2B users.

As a result, we may have to maintain separate identities -- possibly for each of our customer's CSP tenants -- which is highly inconvenient and can represent a security issue if an account needs to be de-activated.

1. Join CSP program, associate it to a new Azure AD tenant


2. B2B invite guest another user


3. Attempt to assign admin or other roles to said user


4. Create a customer tenant/subscription


5. Repeat step 3

These workloads should be supported for assigning roles to Azure AD B2B guest users.

Hi,

Can we have an inbuilt Azure AD functionality to sync user from one or multiple azure ad to a central Azure AD (shared tenant) so that it removes the overhead burden of creating and deleting user in central Azure AD.

You already have the concept ready it's just you need to provide an in-house functionality. (https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/scim-graph-scenarios)

Also the available functionality like whitelisting the complete domain in B2b is not of great help because users leaves the home tenant and we don't have any sign of it also we need additional attribute like (Phone No. / Country / Designation) etc.

Per your Azure B2B documentation "Starting March 31, 2021, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into email one-time passcode authentication."

This is a big issue for us because we develop SaaS applications and use this feature to create accounts for users that don't have Azure AD accounts. The passcode authentication that you recommend instead offers suboptimal user experience since access to email is required to sign in. I cannot imagine our customers being happy without option to create an account with email / password combination.

For new customers the ability to create new accounts (in self-service manner) is very important because there is no way to get IT departments involved right from the beginning. Also it's not our goal to start discussions with IT departments right from the beginning. Customer has a problem, we have a solution, it should be really simple and fast to get started (5 minutes, no more)! Creating a new account via B2B invitation in self-service manner is really easy and simple for the customer since it can be done without any extra steps or discussions with IT department.

Please reconsider keeping this feature available so those who need ability to offer AD compatible accounts in self-service manner to their customers can continue to do so! It's important for our SaaS products and I imagine we're not the only one.

We are able to invite new guest users into our AD Tenant using either PowerShell or Graph API. Using this approach we may choose not to send the Invitation E-Mail, in which case we would get the Invitation Redemption URL and we can send it to the "guest" in any way we choose allowing us to better control the first step of the overall invitation experience.

The issue is that once we get the URL, we have no way to retrieve that URL back in the future. It is up to us to save that URL for future use or till the invitation is accepted. This is not an issue if we are using the invitation e-mail, we have the option to resent it in the Azure Portal.

When we are inviting users in bulk and want to control our own invitations, this is an aspect that we have to take care of - especially considering that our guests sometimes do not immediately accept the invitation and when they need to log on to the shared application they need to then go through the invitation link - and we are expected to provide that quickly.

I would thus ask for a way to get the invitation redemption url on either the Portal, PowerShell or the Graph API.

We got customers, that work very close with several partner tenants. Instead of the current B2B self-service invite process, they look for a solution to automatically provision, update and deprovision guests from selected tenants in their tenant.
Currently the only solution we can deliver this feature is by leveraging Microsoft Identity Manager (MIM) and Graph API Apps to synchronize AzureAD Tenants. Thes works very well if we only integrate a few tenants.
If we would get this functionality out-of-the box, so that e.g. Tenant X just request Tenant Y to synchronize user objects as guest. And of course after Tenant Y has consented the requests for guest user synch or tenant federation, the synchronization is done by AzureAD...

When 2 Azure tenants are connecting, if the external tenant users use their email to set up the account, it puts their email as the username in your tenant. Azure should update your tenant with their actual upn instead of email.

When they goto connect they need to use thier upn to log in but that information is not shown in your tenant and so you can not help them log in. They also can not reset the password because the email that shows as their username is not a valid account in your Azure AD Users.

This seems to occurs when UPNs do not match Email addresses in remote tenants.