Setting up and Enabling Azure AD B2B for New Collaborate

Azure Active Directory (Azure AD) B2B Collaboration provides authentication and management of guests accessing your New Collaborate site. Using New Collaborate in FYI with Azure AD B2B, you can securely share your files with external users whilst maintaining control over your own corporate data.

When a document or folder is shared with a client, if the client does not already have a work account or a Microsoft account, they will be prompted to create a guest account as part of the sign-in process. 

FYI uses existing infrastructure both in FYI and in your practice's Microsoft 365. 

Watch the tutorial to learn how to set up Azure AD B2B for New Collaborate, or follow the steps below.

 

Benefits when using Azure AD B2B for Collaborate

With legacy Collaborate, if you were not using B2B Collaboration when a client was invited to Collaborate, they were added as an "anonymous user". These users could not be identified and no policies could be applied to their accounts, making it difficult to implement adequate security measures.

With New Collaborate, using Azure AD B2B (Guest Users) is required. Enabling Azure AD offers the following benefits:

  • When clients or external users are invited to Collaborate using B2B Collaboration, a guest user account is created in Azure Active Directory. Your IT department can then implement security measures such as Multi-Factor Authentication (MFA) or conditional access policies to ensure only specific access is provided.
    Note: FYI only supports the Microsoft Multi-Factor Authentication solution. Refer to Prerequisites for using FYI in your Practice.

  • The ability to implement Google Federation in Azure AD. For information on how to configure this, refer to the article "How can we enable Google Federation in Azure so that external users are able to access the shared content with us using their existing Gmail account?"

  • By default, all internal users are able to send guest user invites out on behalf of the practice. To nominate specific user accounts (recommended) to send invites out, refer to the article "Is it possible to restrict Guest User Invites to be sent from a specific user only?"

  • Greater logging and reporting capabilities, including folder views and file access events.

  • No need to change any processes for internal users - they will not see any difference in how they use Collaborate in FYI.

  • Quick and easy to implement; it should not take more than an hour to update the settings.

  • Using the New Collaborate Setup Wizard will automatically select Guest Users for the "Microsoft 365 security" option as part of the setup process for you.

Enabling Azure AD B2B

Step 1 - Review SharePoint External Settings

  1. Open Microsoft 365 Admin Center by visiting https://admin.microsoft.com/.

  2. Log in using a Microsoft Global Admin account.

  3. From the menu on the left-hand side, locate the Admin Centers section and select SharePoint (you may need to first click Show All). 

  4. From the menu on the left-hand side, select Policies, then select Sharing.

  5. In the External Sharing section, select "New and existing guests".

  6. Expand the section More external sharing settings.

  7. Tick the option "Guests must sign in using the same account to which sharing invitations are sent".

  8. In the section File and folder links select "Specific people (only the people the user specifies)".

  9. Click Save.

Step 2 - Review External Identity Settings

  1. Open Microsoft Entra Admin Centre by visiting https://entra.microsoft.com/.

  2. Log in using a Microsoft Global Admin account.

  3. To restrict Guest Users from being able to view properties of shared documents and folders in Collaborate, from the menu on the left-hand side, in the External Identities section, select External Collaboration Settings.

  4. For the Guest user access option, select "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)".

  5. Click Save at the top of the page.

Optional - Disable One-Time Passcode

If you would like to prevent guest users from using a one-time passcode to authenticate:

  1. From the menu on the left-hand side, in the External Identities section, select All identity providers.

  2. Select Email one-time passcode and change the toggle for Email one-time passcode for guests to No.

This will ensure that all users, including existing users, are prompted to log in with their email address and a password. If the Guest User does not have a Microsoft 365 account with a password, they will be prompted to set one on the next login.

You are now ready to begin the New Collaborate setup process.
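
To confirm that the settings from Step 1, Step 2 and the optional one-time passcode change are in place, an administrator can read them back with PowerShell. The script below is an added example, not part of FYI's or Microsoft's documentation; it only reads settings, assumes the SharePoint Online Management Shell and Microsoft Graph PowerShell modules are installed, and uses a placeholder admin URL. The mapping from portal labels to property values is stated in the comments as this example's assumption.

```powershell
# Added example: read-only check of the tenant settings described in this article.
# Placeholder: replace <your-tenant> with your own tenant name.
$AdminUrl = 'https://<your-tenant>-admin.sharepoint.com'

Connect-SPOService -Url $AdminUrl           # Step 1 settings (SharePoint)
Connect-MgGraph -Scopes 'Policy.Read.All'   # Step 2 and OTP settings (Entra)

$spo   = Get-SPOTenant
$graph = 'https://graph.microsoft.com/v1.0/policies'
$authz = Invoke-MgGraphRequest -Method GET -Uri "$graph/authorizationPolicy"
$email = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/authenticationMethodsPolicy/authenticationMethodConfigurations/email"

# Role template ID for "Guest user access is restricted to properties and
# memberships of their own directory objects (most restrictive)".
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

# Hypothetical helper: pairs a portal setting with its expected and actual value.
function New-Check($Setting, $Expected, $Actual) {
    [pscustomobject]@{
        Setting  = $Setting
        Expected = $Expected
        Actual   = "$Actual"
        Ok       = ("$Actual" -eq $Expected)
    }
}

$results = @(
    # "New and existing guests" corresponds to ExternalUserSharingOnly.
    New-Check 'External sharing: New and existing guests' 'ExternalUserSharingOnly' $spo.SharingCapability
    # "Guests must sign in using the same account to which sharing invitations are sent".
    New-Check 'Guests must use invited account' 'True' $spo.RequireAcceptingAccountMatchInvitedAccount
    # "Specific people" as the default link type corresponds to Direct.
    New-Check 'File and folder links: Specific people' 'Direct' $spo.DefaultSharingLinkType
    New-Check 'Guest user access: most restrictive' $RestrictedGuestRoleId $authz.guestUserRoleId
    # Optional step: only expected if you chose to disable one-time passcodes.
    New-Check 'Email one-time passcode for guests: No (optional)' 'disabled' $email.allowExternalIdToUseEmailOtp
)

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more settings differ from the values in this article.'
}
```

A failed row for the optional one-time passcode check is expected if your practice chose to leave that option enabled.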

Frequently Asked Questions

Are there any additional costs to enable Azure AD B2B?

There is no subscription for using Azure AD B2B. Your practice would only pay if you exceeded 50,000 monthly active users (guests accessing files). For more information, refer to the Microsoft Help Article "Billing model for Azure AD External Identities".
