- Mastering Identity and Access Management with Microsoft Azure
- Jochen Nickel
- 2021-07-02 12:57:26
Azure Active Directory B2B integration
Azure AD B2B allows any partner to use their own identities and credentials in a collaboration scenario. We'll take a more in-depth look at the authentication flows and capabilities in Chapter 8, Using the Azure AD App Proxy and the Web Application Proxy, and Chapter 10, Exploring Azure AD Identity Services. For now, we'll give a quick overview of the synchronization part:

For Azure AD B2B users to use on-premises Kerberos applications, we need to synchronize the guest user accounts back to the on-premises Active Directory. For this reason, you need to register your default Azure AD domain as a UPN suffix in your local AD. In our case, it's inovitcloudlabs.onmicrosoft.com. You will find the option in the AD Domains and Trusts console.

The registration of the new UPN suffix is necessary because the Azure AD Application Proxy checks the local AD for the existence of the guest user UserPrincipalName, such as jochen.nickel_inovit.ch#EXT#@inovitcloudlabs.onmicrosoft.com.
Microsoft provides a default solution for synchronizing the guest users back to the local AD; check it out at https://bit.ly/2Bor7xy. The solution contains the needed MIM 2016 configuration or a script to deploy the solution successfully. Don't worry: we'll do the default configuration and extension later in the book.
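The following PowerShell is an added example, not code from the book or from Microsoft's solution: it checks that the tenant's default domain is registered as a forest UPN suffix and that each guest has an on-premises account with the UserPrincipalName the Application Proxy will look up. The $GuestMails list, the $Apply switch and the ConvertTo-GuestUpn helper are assumptions for illustration; the ActiveDirectory module cmdlets are the standard ones.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module; changing UPN
# suffixes needs forest-level rights (for example, Enterprise Admins).
Import-Module ActiveDirectory

# Default Azure AD domain taken from the text above.
$TenantSuffix = 'inovitcloudlabs.onmicrosoft.com'
# Constructed sample input: external mail addresses of invited guests.
$GuestMails = @('jochen.nickel@inovit.ch')
# Assumption: set to $true to actually register a missing suffix.
$Apply = $false

function ConvertTo-GuestUpn {
    param([string]$Mail, [string]$Suffix)
    # Guest UPN format shown in the text: '@' of the external address
    # becomes '_', followed by '#EXT#@' and the default tenant domain.
    return ($Mail -replace '@', '_') + '#EXT#@' + $Suffix
}

# 1. Is the suffix registered at forest level? This is the same setting
#    that the AD Domains and Trusts console edits.
$forest = Get-ADForest
$registered = $forest.UPNSuffixes -contains $TenantSuffix
if (-not $registered -and $Apply) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $TenantSuffix }
    $registered = $true
}
Write-Output "UPN suffix '$TenantSuffix' registered: $registered"

# 2. Does every guest have a local account with the expected UPN?
foreach ($mail in $GuestMails) {
    $upn  = ConvertTo-GuestUpn -Mail $mail -Suffix $TenantSuffix
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
    [pscustomobject]@{
        Guest       = $mail
        ExpectedUpn = $upn
        FoundInAD   = [bool]$user
        Enabled     = if ($user) { $user.Enabled } else { $null }
    }
}
```

Guests reported with FoundInAD = False have not been synchronized back to the local AD yet, so the lookup described above will not find them.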