Microsoft Entra business-to-business (B2B) collaboration with Microsoft Identity Manager(MIM) 2016 SP1 with Azure Application Proxy

The initial scenario is external user AD account lifecycle management. In this scenario, an organization invites guests into their Microsoft Entra directory, and wishes to give those guests access to on-premises Windows-Integrated Authentication or Kerberos-based applications. This access is provided through Microsoft Entra application proxy or other gateway mechanisms. The Microsoft Entra application proxy requires each user to have their own AD DS account, for identification and delegation purposes.

Scenario-Specific Guidance

A few assumptions made in the configuration of B2B with MIM and Microsoft Entra ID Application Proxy:

You have an on-premises Active Directory deployed, and Microsoft Identity Manager (MIM) is installed. The MIM Service, MIM Portal, Active Directory Management Agent (AD MA), and FIM Management Agent (FIM MA) are configured with basic settings. For more information, see Deploy Microsoft Identity Manager 2016 SP2.
You follow the instructions in the article to download and install the Graph connector.
You have Microsoft Entra Connect configured for synchronizing users and groups to Microsoft Entra ID.
You set up Application Proxy connectors and connector groups. If not, see Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID to install and configure.
You publish one or more applications, which rely on Windows Integrated Authentication or individual AD accounts via Microsoft Entra application proxy.
One or more guests are invited, resulting in one or more users being created in Microsoft Entra ID. For more information, see Self-service for Microsoft Entra B2B collaboration sign-up.

B2B End to End Deployment Example scenario

This guide builds on the following scenario:

Contoso Pharmaceuticals works with Trey Research Inc. as part of their R&D Department. Trey Research employees need to access the research reporting application provided by Contoso Pharmaceuticals.

Contoso Pharmaceuticals exists in its own tenant with a custom domain configured.
Someone invites an external user to the Contoso Pharmaceuticals tenant. The invitation is accepted, and the user can access shared resources.
Contoso Pharmaceuticals publish an application via App Proxy. In this scenario, the example application is the MIM Portal. This would enable a guest user to participate in MIM processes, for example in help desk scenarios or to request access to groups in MIM.

Configure AD and Microsoft Entra Connect to exclude users added from Microsoft Entra ID

By default, Microsoft Entra Connect assumes that non-admin users in Active Directory synchronize into Microsoft Entra ID. If Microsoft Entra Connect finds an existing user in Microsoft Entra ID that matches the user from on-premises AD, it matches the two accounts. The program treats this as a previous synchronization and makes the on-premises AD authoritative. However, this default behavior isn't suitable for the B2B flow, where the user account originates in Microsoft Entra ID.

Users brought into AD DS by MIM from Microsoft Entra ID must be stored so that Microsoft Entra ID doesn't synchronize them back. One way to do this is to create a new organizational unit in AD DS, and configure Microsoft Entra Connect to exclude that organizational unit.

For more information, see Microsoft Entra Connect Sync: Configure filtering.

Create the Microsoft Entra application

Note: Before you create the management agent for the Graph connector in MIM Sync, review the guide to deploying the Graph Connector and create an application with a client ID and secret. Ensure that the application is authorized for at least one of these permissions: User.Read.All, User.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All.

Create the New Management Agent

In the Synchronization Service Manager UI, select Connectors and Create. Select Graph (Microsoft) and give it a descriptive name.

Screenshot showing Management agent for Graph with a name of B 2 B Graph, and an O K button.

Connectivity

On the Connectivity page, you must specify the Graph API Version. Production ready PAI is V 1.0. Non-Production is Beta.

Screenshot showing the Graph A P I version selected and a Next button.

Global Parameters

Screenshot showing values for global parameters and a Next button.

Configure Provisioning Hierarchy

This page is used to map the DN component, for example OU, to the object type that should be provisioned, for example organizationalUnit. This isn't needed for this scenario, so leave this as the default and click next.

Screenshot showing the Configure Provisioning Hierarchy page and a Next button.

Configure Partitions and Hierarchies

On the partitions and hierarchies page, select all namespaces with objects you plan to import and export.

Screenshot showing the Configure Partitions and Hierarchies page and an O K button.

Select Object Types

On the object types page, select the object types you plan to import. You must select at least 'User'.

Screenshot showing the Select Object Types page with an object type selected, and an O K button.

Select Attributes

On the Select Attributes screen, select attributes from Microsoft Entra that you need to manage B2B users in AD. The Attribute "ID" is required. The attributes userPrincipalName and userType is used later in this configuration. Other attributes are optional, including

displayName
mail
givenName
surname
userPrincipalName
userType

Screenshot showing the Select Attributes screen with some attributes selected, and an O K button.

Configure Anchors

On the Configure Anchor screen, configuring the anchor attribute is a required step. By default, use the ID attribute for user mapping.

Screenshot showing the Configure Anchors screen with an object type of user and an anchor attribute of i d, and a Next button.

Configure Connector Filter

On the configure Connector Filter page, MIM allows you to filter out objects based on attribute filter. In this scenario for B2B, the goal is to only bring in Users with the value of the userType attribute that equals Guest, and not users with the userType that equals member.

Screenshot showing the Configure Connector Filter page with filters for user selected, and an O K button.

Configure Join and Projection Rules

This guide assumes you're creating a sync rule. A sync rule handles the configuration of Join and Projection rules, so you don't need to identify a join or projection on the connector itself. Leave default and click ok.

Screenshot showing the Configure Join and Projection Rules page with an O K button.

Configure Attribute Flow

This guide assumes you're creating a sync rule. You don't need to define the attribute flow in MIM Sync, because the sync rule created later handles it. Leave default and click ok.

Screenshot showing the Configure Attribute Flow page with an O K button.

Configure Deprovision

The setting to configure deprovision allows you to configure MIM sync to delete the object, if the metaverse object is deleted. In this scenario, we make them disconnectors as the goal is to leave them in Microsoft Entra ID. In this scenario, we aren't exporting anything to Microsoft Entra ID, and the connector is configured for Import only.

Screenshot showing the Configure Deprovisioning page with an O K button.

Configure Extensions

Configure Extensions on this management agent is an option but not required because we're using a synchronization rule. If we decided to use an advanced rule in the attribute flow earlier, then there would be an option to define the rules extension.

Screenshot showing the Configure Extensions page with an O K button.

Extending the metaverse schema

Before creating the sync rule, we need to create an attribute called userPrincipalName tied to the person object using the MV Designer.

In the Synchronization client, select Metaverse Designer

Screenshot showing the Metaverse Designer option on the Synchronization Service Manager ribbon menu.

Then Select the Person Object Type

Screenshot showing the Metaverse Designer object types with the person object type selected.

Next under actions click Add Attribute

Screenshot showing the Add Attribute item on the Actions menu.

Then complete the following details

Attribute name: userPrincipalName

Attribute Type: String (Indexable)

Indexed = True

Screenshot showing dialogue boxes to enter values for Attribute name, Attribute type, and Indexed.

Creating MIM Service Synchronization Rules

In the steps below we begin the mapping of B2B guest account and the attribute flow. Some assumptions are made here: that you already have the Active Directory MA configured and the FIM MA configured to bring users to the MIM Service and Portal.

Screenshot showing the Synchronization Rules screen.

The next steps will require the addition of minimal configuration to the FIM MA and the AD MA.

More details can be found here for the configuration https://technet.microsoft.com/library/ff686263(v=ws.10).aspx - How Do I Provision Users to AD DS

Synchronization Rule: Import Guest User to MV to Synchronization Service Metaverse from Microsoft Entra ID

Navigate to the MIM Portal, select Synchronization Rules, and click new. Create an inbound synchronization rule for the B2B flow via the graph connector. Screenshot showing the General tab on the Create Synchronization Rule screen with the synchronization rule name entered.

Screenshot showing the Scope tab with Metaverse Resource Type, External System, External System Resource Type, and Filters.

On the relationship criteria step, be sure to select "Create resource in FIM". Screenshot showing the Relationship tab and Relationship Criteria.

Screenshot showing the Inbound Attribute Flow tab on the Synchronization Rule IN screen.

Configure the following inbound attribute flow rules. Be sure to populate the accountName, userPrincipalName and uid attributes as they're used later in this scenario:

Initial Flow Only	Use as Existence Test	Flow (Source Value ⇒ FIM Attribute)
		`[displayName⇒displayName](javascript:void(0);)`
		`[Left(id,20)⇒accountName](javascript:void(0);)`
		`[id⇒uid](javascript:void(0);)`
		`[userType⇒employeeType](javascript:void(0);)`
		`[givenName⇒givenName](javascript:void(0);)`
		`[surname⇒sn](javascript:void(0);)`
		`[userPrincipalName⇒userPrincipalName](javascript:void(0);)`
		`[id⇒cn](javascript:void(0);)`
		`[mail⇒mail](javascript:void(0);)`
		`[mobilePhone⇒mobilePhone](javascript:void(0);)`

Synchronization Rule: Create Guest User account to Active Directory

This synchronization rule creates the user in Active Directory. Be sure the flow for dn must place the user in the organizational unit, which was excluded from Microsoft Entra Connect. Also, update the flow for unicodePwd to meet your AD password policy - the user doesn't need to know the password. Note the value of 262656 for userAccountControl encodes the flags SMARTCARD_REQUIRED and NORMAL_ACCOUNT.

Screenshot showing the General tab of the Synchronization Rule OUT screen.

Screenshot showing the Scope tab with Metaverse Resource Type, External System, External System Resource Type, and Outbound System Scoping Filter.

Screenshot showing the Outbound Attribute Flow tab.

Flow Rules:

Initial Flow Only	Use as Existence Test	Flow (FIM Value ⇒ Destination Attribute)
		`[accountName⇒sAMAccountName](javascript:void(0);)`
		`[givenName⇒givenName](javascript:void(0);)`
		`[mail⇒mail](javascript:void(0);)`
		`[sn⇒sn](javascript:void(0);)`
		`[userPrincipalName⇒userPrincipalName](javascript:void(0);)`
Y		`["CN="+uid+",OU=B2BGuest,DC=contoso,DC=com"⇒dn](javascript:void(0);)`
Y		`[RandomNum(0,999)+userPrincipalName⇒unicodePwd](javascript:void(0);)`
Y		`[262656⇒userAccountControl](javascript:void(0);)`

This inbound synchronization rule brings the user's SID attribute from Active Directory back into MIM, so the user can access the MIM Portal. The MIM Portal requires the user to have the attributes samAccountName, domain and objectSid populated in the MIM Service database.

Configure the source external system as the ADMA, because AD automatically sets the objectSid attribute when MIM creates the user.

Note that if you configure users to be created in MIM Service, make sure they aren't part of any sets used for employee SSPR management policy rules. You may need to change your set definitions to exclude users created by the B2B flow.

Screenshot showing the General tab of the Synchronization Rule IN screen.

Screenshot showing the Relationship tab of the Synchronization Rule IN screen.

Screenshot showing the Scope tab of the Synchronization Rule IN screen.

Screenshot showing the Inbound Attribute Flow tab.

Initial Flow Only	Use as Existence Test	Flow (Source Value ⇒ FIM Attribute)
		`[sAMAccountName⇒accountName](javascript:void(0);)`
		`["CONTOSO"⇒domain](javascript:void(0);)`
		`[objectSid⇒objectSid](javascript:void(0);)`

Run the synchronization rules

Next, we invite the user, and then run the management agent sync rules in the following order:

Full Import and Synchronization on the MIMMA Management Agent. This ensures MIM Sync has the latest synchronization rules configured.
Full Import and Synchronization on the ADMA Management Agent. This ensures that MIM and Active Directory are consistent. At this point, there are no pending exports for guests.
Full Import and Synchronization on the B2B Graph Management Agent. This brings in the guest users into the metaverse. At this point, one or more accounts are pending export for ADMA. If there are no pending exports, check that guest users were imported into the connector space. Also, make sure the rules are configured to give them AD accounts.
Export, Delta Import, and Synchronization on the ADMA Management Agent. If the exports failed, then check the rule configuration and determine if there were any missing schema requirements.
Export, Delta Import, and Synchronization on the MIMMA Management Agent. When this completes, there should no longer be any pending exports.

Table listing Management Agents by Name, Type, Description, and State.

Optional: Application Proxy for B2B guests logging into MIM Portal

Now that we create the synchronization rules in MIM. In the App Proxy configuration, define use the cloud principal to allow for KCD on app proxy. Also, next added the user manually to the manage users and groups. Configuring the option to prevent the user from showing until creation in MIM, or to add the guest to an Office group once provisioned, requires additional steps. These steps aren't covered in this document.

Screenshot showing the MIM B 2 B manage users and groups screen.