Users want to collaborate with external parties. You have a few options to accomplish this:
- Share anonymously
- Share with any authenticated user
- Share with existing authenticated user
- Share with organization only
None of these work well when security and scale are required.
The best of both worlds would be to allow your end users to request access for an external user and then to kick off an approval workflow. If approved by the appropriate parties, a B2B invite will be automatically sent to the desired email address. Once invited, the user can then share with that account. This is assuming you have your org configured so sharing is only possible with existing external accounts.
With an Office 365 subscription, you get a product called Microsoft Flow. Most people just equate this to being Microsoft’s attempt at creating an IFTTT knock-off. However, it’s so much more than that. You can, in essence, build out an entirely serverless API that you can interact with. It’s much closer to Azure Functions or Azure Logic Apps than IFTTT.
In this blog post, I’m going to walk you through creating a Flow with an approval process to automatically add B2B users to your Azure AD tenant. Let’s go!
In order to make our Flow run, we want a trigger that provides it with input. There are many ways to do this, but I’m using a Microsoft Form (also part of O365). When the form is submitted, the Flow will grab the values and do “stuff” with them.
First, go to the Forms app from https://portal.office.com (or just go to https://forms.office.com). Once there, click the button to create a new form. You can build your form to request whatever information you’d like. Here’s what I have and use in my Flow.
Now that the form is created, let’s move over to Flow to get to the meat and taters. Buckle up, it’s a bit lengthy.
Head on over to https://portal.office.com again and find the Flow app. If you don’t see it, make sure you have the license assigned.
NOTE: For security reasons, you should create a new Flow Environment to create this (and future) Flows in. This will allow you to control who in your organization can access and run the Flow. Otherwise, everyone in your org can potentially be given access to view the Flow.
Create a new Automated – from Blank Flow
Now fill out the Flow name and choose the When a new response is submitted option as the initial trigger.
Once you have created the empty Flow, choose the Form that you created in the trigger.
Before we can continue, we need to hop over to Azure AD to register an App, grant it permissions and generate a secret (password) that we can use in our Flow for programmatically interacting with Azure AD.
Head over to https://portal.azure.com –> Azure Active Directory
Now go to App Registrations
Click on New Registration and fill out the details
Once created, save the Application ID and Tenant ID for later
Now we need to assign the App some permissions. It only needs enough access to perform the actions required. Step through the screenshots below to set up the App permissions.
OK – now that the permissions are squared away, let’s create a secret that we can use to authenticate with. Go to Certificates & secrets in the app.
Create a new Client Secret
Give it a meaningful description and choose an expiration time that meets your requirements. Just know the Flow will break when the secret expires, until you generate a new one and update the Flow. Make sure you copy the secret for use later (keep it somewhere secure like a password manager).
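What the Application ID, Tenant ID and secret are for, as an added example that is not part of the original post: the two HTTP calls the Flow has to make with them (a client-credentials token request, then the Microsoft Graph invitation). Assumed, and not on this page: that the Flow calls Graph’s `/v1.0/invitations` endpoint, that `User.Invite.All` is the only application permission the App needs for it, and the placeholder tenant/app/secret values.

```python
"""Added example (not from the post): using the app registration's client secret to get an
app-only token and send a B2B guest invitation through Microsoft Graph. Assumed: the Flow's
HTTP action does these same two calls; User.Invite.All is the only permission the app needs."""
import json
import re
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
INVITE_URL = "https://graph.microsoft.com/v1.0/invitations"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SAMPLE_REQUEST = {"email": "guest@example.com", "redirect": "https://myapps.microsoft.com"}  # constructed

def is_valid_email(addr):
    """Reject anything that is not a plausible address before it reaches the directory."""
    return bool(EMAIL_RE.match(addr))

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request (URL, form body) for the app registration."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # the client secret generated for the app
        "scope": "https://graph.microsoft.com/.default",  # all app permissions granted in the portal
        "grant_type": "client_credentials",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body

def invitation_payload(email, redirect_url, send_mail=True):
    """Build the Graph invitation body for the address submitted through the form."""
    if not is_valid_email(email):
        raise ValueError(f"not a valid email address: {email!r}")
    return {"invitedUserEmailAddress": email,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": send_mail}

def invite_guest(email, redirect_url, tenant_id, client_id, client_secret, post=None):
    """Get an app-only token, then POST the invitation; `post` can be injected for offline use."""
    post = post or _http_post
    url, body = token_request(tenant_id, client_id, client_secret)
    token = post(url, body, {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    payload = json.dumps(invitation_payload(email, redirect_url)).encode()
    return post(INVITE_URL, payload,
                {"Content-Type": "application/json", "Authorization": f"Bearer {token}"})

def _http_post(url, body, headers):
    """Real HTTP POST returning the JSON response (used only when no `post` is injected)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

The token is requested only for Graph’s `.default` scope, so the App never gets more than the permissions consented to in the portal, which is the least-privilege point made above.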
Head on over to page two for more…