B2B user accessing exchange mailbox via resource tenant

Question

B2B user accessing exchange mailbox via resource tenant

testuser7 286

Hello,

My tenant is contoso.com and I have one guest user in it with ******@fabrikam.com

when John hits "OWA- outlook web access" and if the authentication request is directed to my contoso.com tenant , contoso will prepare the token and john will see his mailbox.

Would above be possible and if answer is yes then
how would it be different if the authentication request was directed to John's home tenant i.e., fabrikam.com and fabrikam would have prepared the token to put John on his mailbox.

Thanks.

Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2022-12-13T08:18:48.29+00:00

Hi @testuser7 ,
Just checking in to see how things are going on with this thread.
If the reply was helpful, you can click the "Accept Answer" button under this post so that other's with similar question can benefit from this thread as well.
If you still have further questions or concerns, feel free to post back.

2 answers

Your answer

Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2022-12-13T08:18:48.29+00:00

Hi @testuser7 ,
Just checking in to see how things are going on with this thread.
If the reply was helpful, you can click the "Accept Answer" button under this post so that other's with similar question can benefit from this thread as well.
If you still have further questions or concerns, feel free to post back.

Answer 1

Vasil Michev 119.5K MVP Volunteer Moderator

Not sure I understand the question here, are you asking whether Guest users can have a mailbox in the resource tenant? If so, the answer is yes, however this is not a supported scenario. It requires you to "convert" the userType to Member first, then you can assign a license: https://www.michev.info/Blog/Post/2256/some-new-interesting-experiences-with-guest-users-in-office-365
Again, this is not really supported, as Exchange Online has no support for B2B. So while you can technically provision the mailbox, the user will not be able to access it. Well he can, if you reset his password in the resource tenant and login directly (another unsupported scenario). But you can still grant permissions on the mailbox and have someone else access it.

And yes, it matters where you authenticate from. The supported scenario for a B2B user, even one with userType set to member, is to authenticate against their own AAD (you will notice that the user still has "ExternalAzureAD" value under Identities in the Azure portal). While you can technically override this by creating/resetting a password in the resource tenant, this is not supported.
This article goes over the various types of B2B users and their properties: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/user-properties

testuser7 286 Reputation points

2022-12-09T16:04:56.653+00:00

******@fabrikam.com is a b2b user.
technically he can use john_fabrikam.com#EXT#@Company portal .com to get the token for EOL from contoso tenant. (I gave him password)
or
he can use ******@fabrikam.com and still get token for EOL from contoso tenant. (of course in this case the IDP claim would be his home-tenant)

Regardless of the route he takes, the proxyAddress field of this user is always ******@fabrikam.com whether you look in his home tenant or resource-tenant.

So I do not know how EOL reconciles, but he can get into the same mailbox from both places. Is it right ?
he may have gotten EOL license from his home-tenant or may be from resource-tenant. (assuming I have changed his user-type to member)
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2022-12-10T08:16:31.527+00:00

No, he can only get to his mailbox by logging in directly to his home tenant. The token you get also contains the tenantId, which is examined as part of the request. Similarly, the license must be assigned in the home tenant.
My scenario above revolved around creating a mailbox for a B2B user in the resource tenant, in which case the opposite applies - both token and license are needed in the context of the resource tenant. But again. that is an unsupported scenario.
testuser7 286 Reputation points

2022-12-13T13:33:16.58+00:00

Thanks @Vasil Michev

I took a day to digest your answer and map out everything practically.
Looks like I am onboard with you.

I have one point where I need your help.

Is it possible to add "proxyaddress" claim in id-token generated by AAD ??
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2022-12-13T14:26:20.03+00:00

Yes, you should be able to use proxyaddresses either as direct mapping or custom transformation.

Answer 2

testuser7 286

Can you help me please.
I am trying to create following simple "claim-mapping-policy" and attaching it on the service-principal of client-app.

{
"definition": [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"proxyaddresses\",\"JwtClaimType\":\"proxyaddresses\"}]}}"
],
"displayName": "Test1234"
}

However, I still DO NOT FIND proxyaddresses coming in the id-token

Share via

B2B user accessing exchange mailbox via resource tenant

2 answers

Your answer