Setting up and Enabling Azure AD B2B for Legacy Collaborate in FYI

Note: You are viewing an article on the Legacy version of Collaborate.

The following instructions are for your IT department to set up and enable the Azure Active Directory (Azure AD) B2B integration for Collaboration in FYI.

For an overview and the benefits of Collaborating with Azure AD B2B, refer to Collaborating with Azure AD B2B.

Note: Once the integration with FYI is enabled, your team will not have to re-share or do any manual migration for documents that were already shared. If a link was created before Azure AD B2B integration was enabled, SharePoint will automatically create a B2B guest account when it is accessed.

Step 1 - Restrict Guest User Invites

Note: This step is recommended but is not essential. If the OneDrive Admin is updated in FYI, these permissions will also need to be updated to the new account.

This step restricts Guest User invitations. The reason for this restriction is so that the only way a Guest User account is created is by sharing via FYI. Internal users (other than the OneDrive Admin account) would then not be able to create Guest User invitations.

If Guest User Invites are restricted, and a practice user attempts to share a document directly from their own OneDrive account instead of from FYI, the user will receive the error "Sorry, we're unable to reach the server right now. Please try again later." and the file will not be sent to the client.

Important: We strongly recommend using an independent Admin account, e.g. admin@, rather than a specific individual within the business. If linked to an individual account, additional steps would be required to update permissions if that individual left the practice. Refer to Link your Practice's OneDrive Admin Account.

  1. Ensure you have created a OneDrive Admin account as per Link your Practice's OneDrive Admin Account.
  2. Open Azure https://portal.azure.com/.
  3. Log in using the Microsoft Global Admin account.
  4. Open Azure Active Directory by clicking Manage Azure Active Directory.
  5. From the menu on the left-hand side, select External Identities, then select External collaboration settings.
  6. In the Guest Invite Settings, enable "Only users assigned to specific admin roles can invite guest users".

    The following are the recommended selections.

    [Image: 2235_Collaborate_B2B_Setup_1.gif]

  7. Click Save.
  8. Return to Azure Active Directory.
  9. From the menu on the left-hand side, select Users.
  10. Search for and open your practice's OneDrive Admin user account (refer to OneDrive Admin Account).
  11. From the menu on the left-hand side, select Assigned Roles.
  12. Click Add Assignments.
  13. Locate the role "Guest inviter".

    [Image: 2236_Collaborate_B2B_Setup_2.gif]
    Guest Inviter is a role within Azure that allows the user to create the guest account via the Collaborate invitation. This role needs to be enabled so that the Guest Account can be created.
    Guest account invitations in FYI are always created by the OneDrive Admin Account.

  14. Checkmark the role "Guest inviter".

    Note: The admin roles Global Administrator and User Administrator also have permission to create guest user accounts. For more information refer to the Microsoft help article Configure external collaboration settings.

    Note: If Privileged Identity Management (PIM) is used in Azure, the Assignment Type must be set as "Active". By default, it is set as "Eligible" which will not apply the required role permissions.

  15. Click Add.
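The following PowerShell script is an added verification example; it is not part of the FYI article and does not change anything in the tenant. It uses the Microsoft Graph PowerShell SDK (an assumption: the Microsoft.Graph module is installed and the signed-in account can read policies and directory roles) to confirm the two outcomes of Step 1: that the tenant-wide guest invite setting is restricted, and that the OneDrive Admin account holds the Guest Inviter role. The value of $OneDriveAdminUpn is a placeholder for your practice's OneDrive Admin account.

```powershell
# Added verification script (not from the FYI article). Assumes the Microsoft.Graph
# module is installed and the signed-in account can read policies and directory roles.
param(
    [string]$OneDriveAdminUpn = 'onedrive-admin@yourdomain.com'  # placeholder: your OneDrive Admin account
)

# Read-only scopes: the script reports on the tenant, it does not modify it.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null

# Check 1: the tenant-wide guest invite setting (Step 1, item 6).
# 'adminsAndGuestInviters' is the value behind the portal option
# "Only users assigned to specific admin roles can invite guest users".
$authPolicy    = Get-MgPolicyAuthorizationPolicy
$inviteSetting = $authPolicy.AllowInvitesFrom
if ($inviteSetting -eq 'adminsAndGuestInviters') {
    Write-Host "OK: guest invites are restricted to admins and Guest Inviters ($inviteSetting)"
} else {
    Write-Warning "Guest invites are NOT restricted (allowInvitesFrom = '$inviteSetting'); users could create guest accounts outside FYI"
}

# Check 2: the OneDrive Admin account holds the Guest Inviter role (Step 1, items 9-15).
# A directory role is only listed once it has been activated by at least one assignment,
# so a missing role means nobody in the tenant holds it. PIM "Eligible" assignments are
# not active memberships and therefore do not appear here (see the PIM note above).
$guestInviterRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Guest Inviter' }
if (-not $guestInviterRole) {
    Write-Warning "The Guest Inviter role has never been assigned in this tenant; FYI cannot create guest accounts"
} else {
    $members    = Get-MgDirectoryRoleMember -DirectoryRoleId $guestInviterRole.Id
    $memberUpns = $members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

    if ($memberUpns -contains $OneDriveAdminUpn) {
        Write-Host "OK: $OneDriveAdminUpn holds the Guest Inviter role"
    } else {
        Write-Warning "$OneDriveAdminUpn does not hold the Guest Inviter role (current holders: $($memberUpns -join ', '))"
    }

    # Any other holder of the role can also create guest accounts outside FYI; review them.
    $memberUpns | Where-Object { $_ -and $_ -ne $OneDriveAdminUpn } |
        ForEach-Object { Write-Host "Review: additional Guest Inviter $_" }
}
```

Run it after completing Step 1, and again whenever the OneDrive Admin account is changed in FYI (see the note at the top of this step), since the role assignment must follow the new account. The script also lists every other Guest Inviter, because the intent of Step 1 is that sharing via FYI is the only path by which a guest account is created; note that Global Administrators and User Administrators retain that permission regardless, as the note under item 14 states.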

Step 2 - Review SharePoint External Settings

  1. Open Microsoft 365 Admin Centre - https://admin.microsoft.com/.
  2. Log in using a Microsoft Global Admin account.
  3. From the menu on the left-hand side, in the Admin Centers section, select SharePoint (you may need to first click Show All).
  4. From the menu on the left-hand side, select Policies, then select Sharing.
  5. In the External Sharing section, select "New and existing guests".
  6. Expand the section More external sharing settings.
  7. Checkmark "Guests must sign in using the same account to which sharing invitations are sent".
  8. Checkmark "Guest access to a site or OneDrive will expire automatically after this many days", and enter the number of days (for example, "30").

    [Image: 2237_Collaborate_B2B_Setup_3.gif]
  9. In the section File and folder links, select "Specific people (only the people the user specifies)".

    [Image: 2238_Collaborate_B2B_Setup_4.gif]
  10. Click Save.

Step 3 - Enable SharePoint and OneDrive integration with Azure AD B2B

The following is from the Microsoft help article SharePoint and OneDrive integration with Azure AD B2B.

  1. Open Azure https://portal.azure.com/.
  2. Log in using a Microsoft Global Admin account.
  3. Open Azure Active Directory by clicking Manage Azure Active Directory.
  4. From the menu on the left-hand side, select External Identities, then select All identity providers.
  5. Under Configured identity providers, select Email one-time passcode and, if not already enabled, choose "Enable email one-time passcode".
  6. Click Save.
  7. Download the SharePoint Online Management Shell and run as an administrator.
    For information, refer to the Microsoft help article Getting started with SharePoint Online Management Shell.
  8. Connect to SharePoint as a Global admin or SharePoint admin. For information, refer to the Microsoft help article About the SharePoint admin role in Microsoft 365. Refer also to Getting started with SharePoint Online Management Shell.
    For example: Connect-SPOService -Url https://yourdomain-admin.sharepoint.com -Credential email@yourdomain.com
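The following PowerShell script is an added example covering Steps 2 and 3 together; it is not part of the FYI article or of Microsoft's page. It connects with the SharePoint Online Management Shell as in item 8, reads the tenant's sharing settings with Get-SPOTenant, and compares them with the selections made in Step 2 and the B2B integration flag from Step 3. Only when run with -Enable does it switch the integration on with Set-SPOTenant -EnableAzureADB2BIntegration $true, which is the cmdlet the referenced Microsoft article uses. The admin URL, the admin e-mail address and the 30-day guest expiry are placeholders taken from the examples above; adjust them to your tenant.

```powershell
# Added example (not from the FYI article or the Microsoft article). Assumes the
# SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell) is
# installed and the account is a Global admin or SharePoint admin.
param(
    [string]$AdminUrl = 'https://yourdomain-admin.sharepoint.com',  # placeholder, as in item 8
    [string]$AdminUpn = 'email@yourdomain.com',                      # placeholder, as in item 8
    [int]$ExpectedGuestExpiryDays = 30,   # the example value from Step 2, item 8
    [switch]$Enable                       # without -Enable the script only reports
)

Connect-SPOService -Url $AdminUrl -Credential $AdminUpn
$tenant = Get-SPOTenant

# Expected values behind the portal selections in Step 2, plus the Step 3 flag.
# SharingCapability 'ExternalUserSharingOnly' is "New and existing guests";
# DefaultSharingLinkType 'Direct' is "Specific people (only the people the user specifies)".
$expected = [ordered]@{
    SharingCapability                          = 'ExternalUserSharingOnly'
    RequireAcceptingAccountMatchInvitedAccount = $true
    ExternalUserExpirationRequired             = $true
    ExternalUserExpireInDays                   = $ExpectedGuestExpiryDays
    DefaultSharingLinkType                     = 'Direct'
    EnableAzureADB2BIntegration                = $true   # Step 3
}

# Compare each setting and collect any drift from the expected configuration.
$drift = @()
foreach ($name in $expected.Keys) {
    $actual = $tenant.$name
    if ("$actual" -ne "$($expected[$name])") {
        $drift += "$name is '$actual', expected '$($expected[$name])'"
    }
}

if ($drift.Count -eq 0) {
    Write-Host 'OK: SharePoint sharing settings and Azure AD B2B integration match Steps 2 and 3'
} else {
    $drift | ForEach-Object { Write-Warning $_ }
}

# Step 3 only: turn on the B2B integration, and only when explicitly requested.
if ($Enable -and -not $tenant.EnableAzureADB2BIntegration) {
    Set-SPOTenant -EnableAzureADB2BIntegration $true
    Write-Host "EnableAzureADB2BIntegration is now $((Get-SPOTenant).EnableAzureADB2BIntegration)"
}
```

The report-only default makes the script safe to run periodically: any warning it prints means a setting has drifted from the configuration this article asks for, for instance guest expiry having been switched off or the link default changed back to a broader audience. Keeping EnableAzureADB2BIntegration in the same check means the Step 3 outcome is verified by the same run rather than assumed.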

Step 4 - In FYI, in the Collaborate App, select "Guest Users" for the Microsoft 365 Security Setting

  1. In FYI, log in as an FYI Admin or as a user in a User Group that has Permissions enabled for Automations.
  2. From the Automation menu, go to the Apps tab.
  3. Open the Collaborate app.
  4. In the setting for Microsoft 365 Security, select "Guest Users".

    [Image: 2597_Collaborate_tab_select_guest_users_for_Azure_setup.gif]

  5. Click Save.

Refer also to Configuring your Collaborate Settings to Co-Edit and Share Documents with Clients.

Step 5 - Run a Test and Check the Address used to Send the Verification Code

When Azure AD B2B is enabled, run a test to ensure it is working as expected.

You can also check the address used to send the verification code. It is likely to show as account-security-noreply@accountprotection.microsoft.com.

If the verification code is not received, or the email goes to a junk/spam folder, refer to the following articles:
