Allow user from external Azure AD to connect to on-premise resource using their external Azure AD account

Nicholas Palmer 81 Reputation points
2023-05-03T00:02:13.38+00:00

Hi,

I'm trying to figure out if something is possible. Here is my current setup. I have my on-premise AD successfully connected to my Azure AD using Azure AD connect. I've successfully published on premise resources like a web server that requires a login to Azure and I'm able to access this web server from the MyApps page and using the application proxy and the SSO option for Enterprise applications I'm able to access this resource without having to provide credentials. This all works great.

So now I'd like to allow external users to be able to access this same resource and not have to provide credentials. I've invited a guest user to my Azure AD and given that user the required Azure permission to access the published web server in their MyApps page. When they connect to the MyApps page they can see the app and launch it. But when the SSO process starts, it doesn't work for them because the user account that they are using is not present in my on-premise AD, so they can't log in.

Is there any way to make this work? I've thought about creating new UPN suffixes in my on-premise AD and creating the accounts for the external users. But I'm not sure how Azure AD Connect would handle that during the sync, and having to manage creating new UPN suffixes would be a headache.

Any ideas?

Thanks


2 answers

  1. Limitless Technology 44,496 Reputation points
    2023-05-03T13:45:15.2+00:00

    Hello there,

    If your on-premises app uses SAML-based authentication, you can easily make these apps available to your Azure AD B2B collaboration users through the Azure portal using Azure AD Application Proxy.

    Grant B2B users in Azure AD access to your on-premises applications https://learn.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-cloud-to-on-premises

    This article compares options for integrating your on-premises Active Directory (AD) environment with an Azure network.

    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Nicholas Palmer 81 Reputation points
    2023-05-05T18:53:39.23+00:00

    Hi,

    Thanks for the response. It was helpful. The link https://learn.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-cloud-to-on-premises had a possible option - "Create B2B guest user objects through an Azure AD B2B script" that I tested out, but it didn't quite work.

    The on-premise app that I am trying to publish is an RDWeb server. As I said, I've got SSO working for users that are in my on-premise AD/Azure AD, but when I try to log in with a guest Azure AD user the SSO fails. I've set up SSO for the RDWeb server using this technique https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications

    I believe the reason the external SSO fails is because the external user has an Azure login ID of userone@extcloud.onmicrosoft.com. This translates to the following ID in our Azure AD: UserOne_extcloud.onmicrosoft.com#EXT#@mydomain.com. Based on the PowerShell script in the above link, I tried creating an on-premise AD user with the account ID UserOne_extcloud.onmicrosoft.com#EXT#@mydomain.com. I'm able to create the account, but when I try to access the MyApps site with the external user account, the SSO process still fails.

    The problem is that when I go to access the RDWeb server published through MyApps and connect with the userone@extcloud.onmicrosoft.com account, that is OK. Then when I launch the app for the RDWeb server I'm taken to the RDWeb login page, and instead of trying to log in with the UserOne_extcloud.onmicrosoft.com#EXT#@mydomain.com account, the login is using the userone@extcloud.onmicrosoft.com account, and so the SSO process fails.

    One way that I can think to make this work is to create the userone@extcloud.onmicrosoft.com user in my on-premise AD. But I'm not sure I can create an on-premise user account with the @extcloud.onmicrosoft.com UPN. Do you know if this is possible?

    Thanks

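The two posts above turn on the same two details: how a B2B guest's sign-in address becomes the `..._extcloud.onmicrosoft.com#EXT#@<tenant suffix>` UPN, and whether on-premises AD will accept a UPN with a suffix that is not registered in the forest (it will not; `New-ADUser` fails until the suffix is added with `Set-ADForest`). The following PowerShell is an added example, not the thread's own commands and not the script from the linked Microsoft article. It assumes the guest's UPN suffix is the tenant domain you pass in (verify the real value on the guest object with `Get-MgUser` or in the portal before trusting the derived string), that the RSAT ActiveDirectory module is installed on a domain-joined host, and a hypothetical OU path and sAMAccountName scheme. It also assumes the App Proxy path in that article where a shadow AD object lets the connector obtain a Kerberos ticket for the guest via constrained delegation; for the password-based SSO the thread is using, the browser extension submits the guest's own sign-in name into the RDWeb form, so a shadow object alone does not change what gets typed there.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread or the Microsoft script): derive the guest UPN
# form shown above, register its suffix on the forest if needed, and create a
# shadow on-premises account with an unknown, random password.

function Get-B2BGuestUpn {
    param(
        [Parameter(Mandatory)][string]$ExternalMail,   # e.g. userone@extcloud.onmicrosoft.com
        [Parameter(Mandatory)][string]$TenantDomain    # suffix on the guest object (assumption, e.g. mydomain.com)
    )
    # Entra ID rewrites '@' to '_' and appends '#EXT#@<tenant suffix>'.
    return ($ExternalMail -replace '@', '_') + '#EXT#@' + $TenantDomain
}

function Assert-UpnSuffix {
    param([Parameter(Mandatory)][string]$Suffix)
    # AD rejects a UPN whose suffix is neither a forest domain nor a registered
    # alternative suffix; this is the check behind "can I create a user with that UPN".
    $forest = Get-ADForest
    if (($forest.Domains -notcontains $Suffix) -and ($forest.UPNSuffixes -notcontains $Suffix)) {
        Write-Verbose "Registering UPN suffix $Suffix on forest $($forest.Name)"
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
    }
}

function New-B2BShadowUser {
    param(
        [Parameter(Mandatory)][string]$ExternalMail,
        [Parameter(Mandatory)][string]$TenantDomain,
        [Parameter(Mandatory)][string]$OUPath          # hypothetical, e.g. 'OU=B2B Guests,DC=mydomain,DC=com'
    )
    $upn = Get-B2BGuestUpn -ExternalMail $ExternalMail -TenantDomain $TenantDomain
    Assert-UpnSuffix -Suffix ($upn.Split('@')[-1])

    # sAMAccountName is limited to 20 characters and cannot hold '@'; build a
    # stable, truncated value from the external address (hypothetical scheme).
    $sam = 'b2b_' + (($ExternalMail.Split('@')[0]) -replace '[^A-Za-z0-9]', '')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue) {
        Write-Verbose "Shadow account for $upn already exists"
        return $upn
    }

    # Nobody should ever sign in to AD with this account directly, so set a
    # password that is never recorded: 32 random bytes from the OS CSPRNG.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name "B2B $ExternalMail" -UserPrincipalName $upn -SamAccountName $sam `
        -Path $OUPath -AccountPassword $secret -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
    return $upn
}

# Usage with the constructed values from the thread (not real accounts):
# New-B2BShadowUser -ExternalMail 'userone@extcloud.onmicrosoft.com' `
#     -TenantDomain 'mydomain.com' -OUPath 'OU=B2B Guests,DC=mydomain,DC=com' -Verbose
```

Two practical notes on the design: the shadow OU is best kept out of the Azure AD Connect sync scope, otherwise the new object is pushed up as a second user with the same UPN as the existing guest (the sync concern raised in the question), and the account should be scoped with an OU-level GPO or deny-logon right so that it is usable only through the published app's delegation path, never for interactive or RDP logon against the domain.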
