Enhancing Azure AD B2B with Microsoft’s new MIM Graph connector

Microsoft’s new MIM Graph connector extends Azure AD B2B services to your on-premises environment.

Azure AD B2B has made giving business partners access to documents and applications extremely easy and secure. This has been great for cloud workloads, but it left a gap in the hybrid world we live in. Microsoft’s latest enhancement to MIM is a way to extend Azure AD B2B to your on-premises environment. For the technically minded, this connector creates on-premises Active Directory accounts to be used in conjunction with the Azure App Proxy and Kerberos constrained delegation (KCD).

When implementing Azure AD B2B you have several choices for how users can be invited to your directory. Oxford Computer Group has assisted several of our clients in on-boarding B2B users, either through a self-service portal or through a request made on the user’s behalf in MIM that triggers a workflow. Using a MIM process to on-board these users lets the owner/sponsor of the identity manage that account through the MIM portal. Keep in mind that careful consideration must be given to who is delegated permission to invite external users.

This new connector creates on-premises AD user objects whose UPN matches the cloud UPN.

For a B2B user the UPN might look like this: chris_oxfordcomputergroup.com#EXT#@contoso.onmicrosoft.com

Luckily the user never has to know that this ugly UPN string even exists. However, you will need to add the UPN suffix (contoso.onmicrosoft.com in the example above) to your on-premises Active Directory forest for KCD to function properly with the Azure App Proxy. The on-premises account needs to be enabled; its password is never used by the user and should be randomly assigned.
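Here is what the on-premises preparation just described looks like in PowerShell. This is an example added to this post, not code from the post itself or from Microsoft’s MIM connector: it registers the cloud UPN suffix in the forest and creates an enabled shadow account with a random password that nobody needs to know. The tenant suffix and the UPN come from the example above; the forest name, the target OU and the sAMAccountName are assumed. It needs the ActiveDirectory RSAT module and an account allowed to modify the forest and create users in that OU.

```powershell
# Added example, not the MIM Graph connector's own code.
# Assumed values: target OU 'OU=B2B,DC=contoso,DC=local', sAMAccountName 'b2b-chris-ocg'.
# The suffix 'contoso.onmicrosoft.com' and the UPN are taken from the post's example.
Import-Module ActiveDirectory

# 1. Register the cloud UPN suffix in the forest. Without it the on-premises UPN
#    cannot match the cloud UPN, and KCD through the App Proxy will not work.
function Add-B2BUpnSuffix {
    param([Parameter(Mandatory)] [string] $Suffix)

    $forest = Get-ADForest
    if ($forest.UPNSuffixes -contains $Suffix) {
        Write-Verbose "UPN suffix '$Suffix' is already registered in forest $($forest.Name)"
        return
    }
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
}

# 2. Build a random password from the CSPRNG. 24 random bytes Base64-encoded give a
#    32-character string of mixed case, digits and symbols; it is never written anywhere.
function New-RandomPassword {
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 3. Create the enabled shadow account whose UPN equals the B2B user's cloud UPN.
function New-B2BShadowAccount {
    param(
        [Parameter(Mandatory)] [string] $CloudUpn,        # e.g. chris_partner.com#EXT#@contoso.onmicrosoft.com
        [Parameter(Mandatory)] [string] $SamAccountName,  # 20 characters or fewer, unique in the domain
        [Parameter(Mandatory)] [string] $Path,            # OU dedicated to B2B shadow accounts
        [string] $DisplayName = $CloudUpn
    )

    if ($SamAccountName.Length -gt 20) { throw "sAMAccountName must be 20 characters or fewer" }

    # Refuse to create an account whose suffix the forest does not know about.
    $suffix = $CloudUpn.Split('@')[-1]
    if (-not ((Get-ADForest).UPNSuffixes -contains $suffix)) {
        throw "UPN suffix '$suffix' is not registered in the forest; run Add-B2BUpnSuffix first"
    }

    # UPNs must stay unique; a duplicate would break the cloud-to-on-premises match.
    if (Get-ADUser -Filter "userPrincipalName -eq '$CloudUpn'" -ErrorAction SilentlyContinue) {
        throw "An account with UPN '$CloudUpn' already exists"
    }

    # Enabled, random password, and no interactive password management for an
    # account whose password is never typed by anyone.
    New-ADUser -Name $SamAccountName `
               -DisplayName $DisplayName `
               -SamAccountName $SamAccountName `
               -UserPrincipalName $CloudUpn `
               -Path $Path `
               -AccountPassword (New-RandomPassword) `
               -Enabled $true `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true

    # Read the object back so the caller can verify UPN, state and password age.
    return Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, Enabled, PasswordLastSet
}

# Usage with the assumed values:
# Add-B2BUpnSuffix -Suffix 'contoso.onmicrosoft.com'
# New-B2BShadowAccount -CloudUpn 'chris_oxfordcomputergroup.com#EXT#@contoso.onmicrosoft.com' `
#     -SamAccountName 'b2b-chris-ocg' -Path 'OU=B2B,DC=contoso,DC=local'
```

The checks before New-ADUser are the part worth keeping even if the rest is replaced by the connector: a missing UPN suffix or a duplicate UPN is exactly the kind of quiet failure that surfaces later as a Kerberos error at the App Proxy. Keeping these accounts in their own OU also makes it straightforward to audit which on-premises identities belong to external users.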

Now that the user has an object in MIM you can assign it to groups and enrich its identity data if necessary to facilitate other business processes that might apply to it.

Once the MIM connector is configured and B2B accounts are being created in your on-premises Active Directory you can publish on-premises apps to these users through Azure AD.

This is an exciting MIM and hybrid identity enhancement to the Microsoft identity stack.


Want to learn more about MIM and how it works? Check out our MIM training courses.