How to Enable External Guest Users (B2B Collaboration) to Access SAP Fiori Apps via Microsoft Entra ID SSO?

Josua Gaolus Nainggolan 0 Reputation points
2025-04-08T04:15:52.5566667+00:00

Hi everyone,

I’m currently working on enabling external users (from a partner company) to access our SAP Fiori Launchpad that is integrated with Microsoft Entra ID (formerly Azure AD) for authentication.

We are considering using Microsoft Entra B2B Collaboration to invite guest users from other organizations and allow them to log in using SSO (Single Sign-On) to access the Fiori apps hosted internally.

Here are the details:

🔹 Current Setup:

  • SAP Fiori is integrated with Microsoft Entra ID (SAML-based SSO)
  • Internal users can access the apps via SSO (working fine)
  • We have already registered the SAP application in Microsoft Entra as an Enterprise App

🔹 Our Goal:

  • Invite external users (via B2B collaboration as Microsoft Entra Guests)
  • Let them access SAP Fiori apps using their own organization credentials
  • Maintain proper access control (using groups or conditional access)

🔹 Questions:

  • What are the required configurations on Microsoft Entra to allow external users (Guests) to authenticate to our SAP Fiori app?
  • Are there additional settings in SAP needed to recognize or authorize these external users?
  • Can external users access SAP Fiori using SSO without creating user accounts manually in the SAP backend system (like SU01)?
  • Are there best practices or official documentation for setting up B2B SSO for SAP Fiori specifically?
  • Do we need to expose SAP Fiori through Azure App Proxy or similar, or can guests access it through standard internal URLs?

Any guidance, references, or links to documentation would be really helpful.

Thanks in advance!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
    2025-04-09T15:53:22.4733333+00:00

    Hello @Josua Gaolus Nainggolan

    I understand you are working on enabling external users (from a partner company) to access your SAP Fiori Launchpad that is integrated with Microsoft Entra ID for authentication.

    You want to know the required configurations on Microsoft Entra to allow external users (Guests) to authenticate to your SAP Fiori app.

    In your workforce tenant, you can use B2B collaboration to share your company's applications and services with guests, while maintaining control over your own corporate data. A simple invitation and redemption process lets partners use their own credentials to access your company's resources or applications. You can also enable self-service sign-up user flows to let guests sign up for apps or resources themselves. Once the guest redeems their invitation or completes sign-up, they're represented in your directory as a user object. The user type for these B2B collaboration users is typically set to "guest" and their user principal name contains the #EXT# identifier.

    With Microsoft Entra B2B Collaboration, the partner uses their own identity management solution, so there's no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities. So external users can access SAP Fiori using SSO without creating user accounts manually in the SAP backend system.

    Important points to note for B2B collaboration:

    1. B2B collaboration is enabled by default, but comprehensive admin settings let you control your inbound and outbound B2B collaboration with external partners and organizations.
    2. For B2B collaboration with other Microsoft Entra organizations, use cross-tenant access settings to control which users can authenticate with which resources or applications. Manage inbound and outbound B2B collaboration, and scope access to specific users, groups, and applications.

    You do not need to expose SAP Fiori through Azure App Proxy; guests can access it through the standard internal URLs of your application.

    Additionally, you can also utilize groups and conditional access policies to maintain proper access control for external users. You can set up specific policies that apply to guest users to ensure they have the appropriate level of access to the SAP Fiori app.

    Follow the documentation for details on B2B collaboration and the settings to be configured: B2B Collaboration, Cross Tenant Overview.

    Additionally, for a detailed explanation of cross-tenant synchronization, you can go through the mentioned link: https://www.youtube.com/watch?v=7B-PQwNfGBc&ab_channel=MicrosoftSecurity

    Hope this helps. Let us know if you have any additional queries. Happy to assist you further. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
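
Added example (not part of the answer above, and not Microsoft or SAP code): a small audit of the guest accounts that belong to the group controlling SAP Fiori access, using the `userType` and `#EXT#` user principal name described in the answer. The records are constructed in the shape of Microsoft Graph user objects; the partner domain allowlist, the group membership set and the finding names are assumptions.

```python
EXT_MARKER = "#EXT#@"
ALLOWED_PARTNER_DOMAINS = {"partner.example"}  # assumption: approved partner domains

# Constructed records shaped like Microsoft Graph user objects.
SAMPLE_USERS = [
    {"id": "1", "userType": "Guest", "externalUserState": "Accepted",
     "userPrincipalName": "alice_partner.example#EXT#@contoso.onmicrosoft.com"},
    {"id": "2", "userType": "Guest", "externalUserState": "Accepted",
     "userPrincipalName": "bob_smith_gmail.example#EXT#@contoso.onmicrosoft.com"},
    {"id": "3", "userType": "Guest", "externalUserState": "PendingAcceptance",
     "userPrincipalName": "carol_partner.example#EXT#@contoso.onmicrosoft.com"},
    {"id": "4", "userType": "Member", "externalUserState": None,
     "userPrincipalName": "dave@contoso.example"},
    {"id": "5", "userType": "Guest", "externalUserState": "Accepted",
     "userPrincipalName": "erin_other.example#EXT#@contoso.onmicrosoft.com"},
]
# Constructed membership of the hypothetical group assigned to the SAP enterprise app.
SAP_GROUP_MEMBER_IDS = {"1", "2", "3", "4"}

def home_address(upn):
    """Recover a guest's home sign-in address from an #EXT# UPN, else None."""
    local, marker, _tenant = upn.partition(EXT_MARKER)
    if not marker:
        return None
    # The '@' of the home address is stored as '_'. Mail domains do not
    # contain '_', so the last '_' in the local part is the former '@'.
    name, sep, domain = local.rpartition("_")
    if not (name and sep and domain):
        return None
    return f"{name}@{domain}".lower()

def audit_group(users, member_ids, allowed=ALLOWED_PARTNER_DOMAINS):
    """Return {upn: [findings]} for every guest that is a member of the group."""
    report = {}
    for user in users:
        if user["id"] not in member_ids or user["userType"] != "Guest":
            continue  # internal members and guests without access are out of scope
        findings = []
        addr = home_address(user["userPrincipalName"])
        if addr is None:
            findings.append("no-ext-marker")
        elif addr.rpartition("@")[2] not in allowed:
            findings.append("domain-not-approved")
        if user.get("externalUserState") != "Accepted":
            findings.append("invitation-not-redeemed")
        report[user["userPrincipalName"]] = findings
    return report

if __name__ == "__main__":
    for upn, findings in audit_group(SAMPLE_USERS, SAP_GROUP_MEMBER_IDS).items():
        print(upn, findings or "ok")
```
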

