Can Azure B2B Collaboration perform just-in-time provisioning with SAML Federation for Guest Accounts?

Christopher Rowlett 25 Reputation points
2023-07-12T19:33:56.4566667+00:00

I have an Azure AD tenant configured with B2B Collaboration with several external identity providers using the invite capabilities to individually invite guests to the tenant. Notably, when these users are invited, they are also assigned groups and SCIM'ed into other SaaS products.

I have another external IdP joining the fray with a slightly more interesting provisioning lifecycle that I cannot directly hook into. Instead, at best, I can process a daily export of provisioning information and mass invite new users, having them accept the invitation / consent via URL on their first login attempt (invite email goes to an unattended mailbox). Ideally, I'd like to avoid the batch processing and perform onboarding when the user presents to the tenant with the SAML for the first time. Am I missing such a capability anywhere?

Constraints:

  1. External IDP won't perform any lifecycle hooks (e.g. won't provision the user for me in AD)
  2. External IDP is not Azure-based

Accepted answer
Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee
2023-07-14T23:09:41.2666667+00:00

    @Christopher Rowlett,

    SAML JIT user provisioning can be enabled if your application is using SAML for federation, and it is supported for guest accounts.


    https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/isv-automatic-provisioning-multi-tenant-apps

    1 person found this answer helpful.
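SAML JIT provisioning, as the answer describes it, happens on the service-provider side when the first signature-verified assertion for an unknown subject arrives. The following Python is an added illustration, not code from Microsoft, the linked article, or the asker's tenant; the issuer URL, attribute names, group names and the in-memory directory are constructed assumptions, and signature validation of the SAML response is assumed to have been done by a SAML library before this step. It shows the two checks a defender wants in any JIT path: the issuer must appear in a configured trust list, and the user key includes the issuer so a NameID from one IdP cannot claim an account created from another; group claims are mapped through an allowlist rather than honored verbatim.

```python
"""Service-provider side SAML just-in-time (JIT) guest provisioning.

Added example, not Microsoft's or the tenant's code. Assumes the SAML
response's signature has already been verified by a SAML library; this
module only makes the provisioning decision from the verified assertion.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed trust list: issuer entityID -> defaults for guests federated
# from that IdP. An assertion from any other issuer is rejected outright.
TRUSTED_ISSUERS: Dict[str, Dict[str, List[str]]] = {
    "https://idp.example.org/saml": {"default_groups": ["ext-partner-readers"]},
}

# Constructed allowlist: IdP group claim -> local group. Claims that are
# not listed here are ignored, so the IdP cannot grant arbitrary groups.
GROUP_CLAIM_MAP: Dict[str, str] = {"partner-editors": "ext-partner-editors"}


@dataclass
class GuestUser:
    issuer: str
    name_id: str
    email: str
    display_name: str
    groups: List[str] = field(default_factory=list)


class GuestDirectory:
    """Minimal in-memory stand-in for the tenant's guest user store."""

    def __init__(self) -> None:
        # Key on (issuer, NameID): a NameID is only unique per issuer.
        self.users: Dict[Tuple[str, str], GuestUser] = {}

    def jit_provision(self, assertion_xml: str) -> Tuple[GuestUser, bool]:
        """Create or update a guest from a verified assertion.

        Returns (user, created) where created is True on first login.
        """
        root = ET.fromstring(assertion_xml)
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        if issuer not in TRUSTED_ISSUERS:
            raise PermissionError(f"untrusted issuer: {issuer!r}")
        name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if not name_id:
            raise ValueError("assertion carries no NameID")

        attrs: Dict[str, List[str]] = {}
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            attrs[attr.get("Name", "")] = values
        email = attrs.get("email", [name_id])[0]
        display_name = attrs.get("displayName", [name_id])[0]

        # Groups: issuer defaults plus only those claims we chose to map.
        groups = list(TRUSTED_ISSUERS[issuer]["default_groups"])
        for claim in attrs.get("groups", []):
            mapped = GROUP_CLAIM_MAP.get(claim)
            if mapped and mapped not in groups:
                groups.append(mapped)

        key = (issuer, name_id)
        created = key not in self.users
        if created:
            self.users[key] = GuestUser(issuer, name_id, email, display_name, groups)
        else:
            # Subsequent logins refresh attributes but never change identity.
            user = self.users[key]
            user.email, user.display_name, user.groups = email, display_name, groups
        return self.users[key], created


# Constructed sample assertion (no signature; assumed verified upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2023-07-12T19:33:56Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@partner.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@partner.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>partner-editors</saml:AttributeValue>
      <saml:AttributeValue>partner-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

UNTRUSTED_ASSERTION = SAMPLE_ASSERTION.replace(
    "https://idp.example.org/saml", "https://rogue.example.net/saml")


if __name__ == "__main__":
    directory = GuestDirectory()
    user, created = directory.jit_provision(SAMPLE_ASSERTION)
    print("first login created:", created, user.groups)
    user, created = directory.jit_provision(SAMPLE_ASSERTION)
    print("second login created:", created, "users:", len(directory.users))
```

On first login the guest is created with the issuer's default group plus the one mapped claim (the unlisted `partner-admins` claim is dropped); on the second login the same record is refreshed rather than duplicated, and an assertion from an issuer outside the trust list raises before any record is touched.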

0 additional answers
