Microsoft Azure B2B - Visual Studio Online

I am sure you have heard that the Azure Active Directory team has been hard at work and recently placed Azure AD Business to Business (B2B) into public preview. It enables organizations to share the applications and services they currently use with external business guests and partners, and lets us obtain your feedback before we move the feature to General Availability.

A common scenario in the developer world is an organization connecting Visual Studio Online to a corporate Azure Active Directory. Up until this feature release, administrators have always had to manage Azure AD accounts for partners and business guests, or have had to resort to using Microsoft Accounts (consumer identities), which has always been frowned upon, and for good reason to be honest: consumer accounts should be avoided in the world of business and enterprise!

More Information about Azure B2B can be found here: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2b-collaboration-overview/

In this article the aim is to show you how to configure Visual Studio Online to use the Azure AD accounts that are created when you invite partners / business guests into your Azure AD. If you want to read further information about the feature as a whole, please refer to the link above.

Unfortunately it is early days, so this particular deployment requires a bit of a two-step process to get your external users using Visual Studio Online.

Obtain ApplicationID for Visual Studio Online {Login to AAD Connected to VSO}

Connect-MsolService

Get-MsolServicePrincipal -ServicePrincipalName Microsoft.VisualStudio.Online

[Screenshot: SP_Grab]

Create Invite CSV

[Screenshot: CSV_VSO]

Sample CSV file

Here is a sample CSV you can modify for your purposes. Save it to any file name you prefer, but ensure that it has a '.csv' file extension.

Email,DisplayName,InviteAppID,InviteReplyUrl,InviteAppResources,InviteGroupResources,InviteContactUsUrl
wharp@contoso.com,Walter Harp,cd3ed3de-93ee-400b-8b19-b61ef44a0f29,https://azure.microsoft.com/services/active-directory/,,,https://azure.microsoft.com/services/active-directory/
jsmith@contoso.com,Jeff Smith,cd3ed3de-93ee-400b-8b19-b61ef44a0f29,https://azure.microsoft.com/services/active-directory/,,,https://azure.microsoft.com/services/active-directory/
bsmith@contoso.com,Ben Smith,cd3ed3de-93ee-400b-8b19-b61ef44a0f29,https://azure.microsoft.com/services/active-directory/,,,https://azure.microsoft.com/services/active-directory/

Email: Email address for the invited user.
DisplayName: Display name for the invited user (typically, first and last name).
InviteAppID: The ID of the application to use for branding the email invite and acceptance pages.
InviteReplyUrl: URL to which to direct an invited user after invite acceptance. This should be a company-specific URL (such as contoso.my.salesforce.com). If this optional field is not specified, the inviting company's Access Panel URL is generated (this URL is of the form https://account.activedirectory.windowsazure.com/applications/default.aspx?tenantId=<TenantID>).
InviteAppResources: AppIDs to which applications can assign users. AppIDs are retrievable by calling Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId
InviteGroupResources: ObjectIDs for groups to add the user to. ObjectIDs are retrievable by calling Get-MsolGroup | fl DisplayName, ObjectId
InviteContactUsUrl: "Contact Us" URL to include in email invitations in case the invited user wants to contact your organization.
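
An added example (not part of the original post or of any Microsoft tooling): a PowerShell check to run over the invite CSV before uploading it, covering the column layout and field formats described above. The function name Test-InviteCsv, the consumer-domain list, the rule that every row carries an InviteAppID, the https-only rule and the sample rows are assumptions of this example.

```powershell
# Added example: pre-upload checks for the B2B invite CSV described above.
$expected = 'Email,DisplayName,InviteAppID,InviteReplyUrl,' +
            'InviteAppResources,InviteGroupResources,InviteContactUsUrl'
# Assumption: domains treated as consumer identities; adjust to your policy.
$consumerDomains = 'outlook.com', 'hotmail.com', 'live.com', 'gmail.com'

function Test-InviteCsv {
    param([string[]]$Lines)
    if ($Lines[0].Trim() -ne $expected) { return 'Line 1: header does not match the expected column list' }
    $seen = @{}; $n = 1
    foreach ($r in @($Lines | ConvertFrom-Csv)) {
        $n++
        $guid = [guid]::Empty; $uri = $null
        $mail = "$($r.Email)".Trim().ToLower()
        if ($mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            "Line ${n}: '$mail' is not a valid e-mail address"
        } else {
            if ($consumerDomains -contains ($mail -split '@')[1]) {
                "Line ${n}: '$mail' is a consumer identity, not a work account"
            }
            if ($seen.ContainsKey($mail)) { "Line ${n}: '$mail' is invited twice" }
            $seen[$mail] = $true
        }
        # Assumption: this walkthrough sets InviteAppID on every row.
        if (-not [guid]::TryParse($r.InviteAppID, [ref]$guid)) {
            "Line ${n}: InviteAppID '$($r.InviteAppID)' is not a GUID"
        }
        # Policy choice of this example: redirect and contact links must be https.
        foreach ($col in 'InviteReplyUrl', 'InviteContactUsUrl') {
            $v = $r.$col
            $ok = [uri]::TryCreate($v, [UriKind]::Absolute, [ref]$uri) -and $uri.Scheme -eq 'https'
            if ($v -and -not $ok) { "Line ${n}: $col '$v' is not an absolute https URL" }
        }
    }
}

# Constructed sample rows; the AppID is the one used in the sample CSV above.
$app = 'cd3ed3de-93ee-400b-8b19-b61ef44a0f29'
$sample = @(
    $expected
    "wharp@contoso.com,Walter Harp,$app,https://contoso.example/welcome,,,https://contoso.example/help"
    "someone@gmail.com,Some One,$app,http://contoso.example/welcome,,,"
    "wharp@contoso.com,Walter Harp,not-a-guid,,,,"
)
Test-InviteCsv -Lines $sample
```

For a real file, pass the output of Get-Content on your CSV as -Lines; no output means no findings.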

Invite User Accounts

  1. Log in to the Azure Management Portal
  2. Select Active Directory > Choose the Directory that is linked to VSO > Users > Add
  3. Select “Users in Partners Companies” and upload the CSV file that you created previously.

[Screenshot: Partner_Invite]

End User Experience

Each of the users that you sent out an invite to will get an e-mail like the following example:

[Screenshot: e-mail_invite]

Once they click on the link, they will be taken to a page like the following example: [branding is my demo branding]

[Screenshot: Invite_Page]

NOTE: In this scenario, you would normally configure the Reply URL to send the user to the application once the invite is accepted. In this instance I would recommend sending the users to a static landing page stating that their account will be enabled in X amount of time. The reason for this is that you will have to go and add the user to the VSO permissions once the account has been created. Unfortunately there is no 'Sync' between the invite process and VSO group memberships, and at the moment you can't add AAD groups to VSO groups, which would of course make it more streamlined.

Once the invite has been accepted, as a collection admin you will be able to go and add the e-mail ID that you invited to the relevant VSO group. Once this has been done, the user will be able to log in to VSO using their work account and access your VSO Collection.

Add Users to Visual Studio Online Collection Group

  1. Log in to the VSO Admin Portal, click Settings Cog > Select Collection > Security > “Project Collection Administrators” > Members > Add

[Screenshot: Add_VSO_Collection]

Once you have added the user to the VSO group, they will be able to access the VSO Collection by going directly to your *.visualstudio.com address.

I hope that this helps. It is just one example of how Azure B2B is going to help organizations stay secure and compliant and improve the end-user experience!

If you have any questions let me know,

James.