Hello @Josua Gaolus Nainggolan
I understand you are working on enabling external users (from a partner company) to access your SAP Fiori Launchpad that is integrated with Microsoft Entra ID for authentication.
You want to know the required configurations on Microsoft Entra to allow external users (Guests) to authenticate to your SAP Fiori app.
In your workforce tenant, you can use B2B collaboration to share your company's applications and services with guests, while maintaining control over your own corporate data. A simple invitation and redemption process lets partners use their own credentials to access your company's resources or applications. You can also enable self-service sign-up user flows to let guests sign up for apps or resources themselves. Once the guest redeems their invitation or completes sign-up, they're represented in your directory as a user object. The user type for these B2B collaboration users is typically set to "guest" and their user principal name contains the #EXT# identifier.
With Microsoft Entra B2B Collaboration, the partner uses their own identity management solution, so there's no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities. So external users can access SAP Fiori using SSO without creating user accounts manually in the SAP backend system.
Important points to note for B2B collaboration:
- B2B collaboration is enabled by default, but comprehensive admin settings let you control your inbound and outbound B2B collaboration with external partners and organizations.
- For B2B collaboration with other Microsoft Entra organizations, use cross-tenant access settings to control which users can authenticate with which resources or applications. Manage inbound and outbound B2B collaboration, and scope access to specific users, groups, and applications.
You do not need to expose SAP Fiori through Azure App Proxy; guests can access it through standard internal URLs to your application.
Additionally, you can also utilize groups and conditional access policies to maintain proper access control for external users. You can set up specific policies that apply to guest users to ensure they have the appropriate level of access to the SAP Fiori app.
Follow the documentation for details on B2B collaboration and the settings to be configured: B2B Collaboration, Cross Tenant Overview.
Additionally, for a detailed explanation of cross-tenant synchronization, you can go through the mentioned link: https://www.youtube.com/watch?v=7B-PQwNfGBc&ab_channel=MicrosoftSecurity
Hope this helps. Let us know if you have any additional queries. Happy to assist you further. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
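Added example, not part of the original answer: a small audit over a directory export that picks out the B2B accounts described above (guest user type, `#EXT#` in the user principal name) and flags the ones worth reviewing before they are granted access to the SAP Fiori app. It assumes the default guest UPN layout (home address with `@` replaced by `_`, followed by `#EXT#@` and the tenant domain) and the Microsoft Graph user properties `userType` and `externalUserState`; the allow-list, domains and sample records are constructed.

```python
ALLOWED_PARTNER_DOMAINS = {"partner.example"}  # assumption: approved partner domains

# Constructed sample, shaped like Microsoft Graph user objects.
SAMPLE_USERS = [
    {"userPrincipalName": "emp@contoso.example", "userType": "Member",
     "externalUserState": None},
    {"userPrincipalName": "ana_lee_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted"},
    {"userPrincipalName": "bob_other.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted"},
    {"userPrincipalName": "kim_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "PendingAcceptance"},
    {"userPrincipalName": "raj_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Member", "externalUserState": "Accepted"},
]

def home_address(upn):
    """Return the home address encoded in a default-format guest UPN, else None."""
    pos = upn.upper().find("#EXT#@")
    if pos <= 0:
        return None
    # The home address has '@' replaced by '_'. Domain names contain no '_',
    # so the last '_' marks the split even when the local part has its own.
    local, sep, domain = upn[:pos].rpartition("_")
    if not sep or not local or "." not in domain:
        return None
    return f"{local}@{domain.lower()}"

def audit_external_users(users, allowed_domains):
    """Map each external account's UPN to a list of findings (empty list = clean)."""
    report = {}
    for user in users:
        upn = user.get("userPrincipalName") or ""
        is_guest = (user.get("userType") or "").lower() == "guest"
        if not is_guest and "#EXT#" not in upn.upper():
            continue  # ordinary internal account, out of scope
        findings = []
        addr = home_address(upn)
        if addr is None:
            findings.append("home-address-unknown")
        elif addr.split("@")[1] not in allowed_domains:
            findings.append("domain-not-approved")
        if not is_guest:
            findings.append("usertype-not-guest")  # will not match guest-scoped policies
        if user.get("externalUserState") == "PendingAcceptance":
            findings.append("invitation-not-redeemed")
        report[upn] = findings
    return report
```

Calling `audit_external_users(SAMPLE_USERS, ALLOWED_PARTNER_DOMAINS)` returns one entry per external account; an empty list means nothing to review.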