This article will provide a sample solution for adding guest users to Azure B2B from SharePoint Online. It uses PowerApps, Flow and the Graph API to add the users to Azure Active Directory.

Azure B2B is the external sharing feature of Azure and of Office 365. In most Office 365 products Azure B2B is the standard, but SharePoint online and OneDrive use a different sharing mechanism by default. However, you can turn on external sharing using B2B in the admin center.

By turning on external sharing using Azure B2B, SharePoint Online users cannot add external users so easily as when the default sharing mechanism is used. On the other side, external sharing using Azure B2B offers a lot more capabilities that are aimed at enterprises, like for instance, managing external users from the Azure Portal, Conditional Access policies (MFA for instance and more), the ability to let an admin of a partner organization manage the external accounts using a Self-Service Portal and more auditing and reporting capabilities.

So, in my opinion, turning on Azure B2B in larger organizations should be a best practice. But, offering a solution to let your SharePoint Online and OneDrive users, add guest users from SharePoint Online, and don’t have to leave this environment is key for making it simple and make it a success inside your organization.

This post offers a solution which can be used for adding guest users in a controlled matter from inside a SharePoint Online site, using the following components in the below flow:

  • PowerApp: The fill-in form is created using a PowerApp. It calls the Flow after filling in all the necessary fields.
  • Flow: The flow will call the Graph API through an Azure AD App.
  • Azure AD App: The Azure AD App will be configured with the application permissions which are needed to call the Graph API and call the methods that are needed to add a user to Azure B2B.
  • Graph API: The Graph API is used to add the guest user to Azure AD B2B and to send out the invitation to the user.

To create the solution using the above components, the components should be created in a slightly different order. The first step is to get the Azure AD App into place, so it can be called from the flow later in the process.

 

Azure AD App

Because we need administrator permissions to create a guest user in Azure AD B2B and don’t want to use the user permissions or consent from the user who is filling out the PowerApp form, an Azure AD App needs to be created with all the necessary permissions for calling the Graph API.

  • Go to https://portal.azure.com and log in with your Azure credentials. Go the Azure Active Directory, click App Registrations in the left menu and click New Application Registration.
  • Select Application you’re developing and add the following settings:
  • Click Create.
  • Once the app is created, click Settings in the top menu of the next blade.

 

 

 

 

 

 

 

 

  • Click Required Permissions and in the next blade click Add.

 

 

 

 

 

 

 

 

  • Click Select an API and next Microsoft Graph and Select.

 

 

 

 

 

 

 

 

 

 

 

  • Click Select Permissions and add on the Enable Access blade that appears and enable the following permissions
    • Application Permissions:
      • Read and write directory data
      • Invite guest users to the organization
      • Read and write directory data
    • After enabling the required permissions, click Grant permissions in the top menu and grant the permissions.

 

 

 

 

 

 

  • Back on the Settings blade, click Keys and add a new key. Give it a description and select the expiring duration (1 or 2 years or never expires). Click the Save button to generate the secret.

 

 

 

 

 

 

 

  • Copy the secret to Notepad, we need this later inside Flow to call the Graph.
  • Go back to the App Settings blade and copy the Application ID to Notepad as well.

 

 

 

 

 

 

 

  • At last, we need the Active Directory tenant ID to call the App from Flow, you can find it under the Active Directory Blade in the Azure portal. Under Manage, click Properties. The tenant ID is shown in the Directory ID box.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Now the Application is registered, and the permissions are set, we can go to Flow to create the flow for creating the guest users.

 

Flow

Open flow from Office 365 and select the PowerApp template.

  • Click + New step -> Add an action.
  • Add 3 variables to the canvas, select the Variables – Initialize variable Add the following variables:
    • Name: ClientID, Type: String, Value: add the Application ID in here.
    • Name: ClientSecret, Type: String, Value: add the Client Secret in here. One thing to note: The Client Secret will probably end with an “=”. This should be replaced with “%3D”. If you don’t replace this, the call for the authorization token will end with an unauthorized exception.
    • Name: TenantID, Type: String, Value: add the Azure AD tenant ID in here.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  • Add a new Action and select the HTTP Action. Rename the action to Generate Access Token. Add the following values:
    • Method: Post
    • Uri: https://login.microsoftonline.com/<TenantID>/oauth2/token. Replace <TenantID> with the TenantID variable created earlier.
    • Headers: Content-Type, application/x-www-form-urlencoded
    • Body: grant_type=client_credentials &client_id=<ClientID>&client_secret=<ClientSecret>&resource= https%3A%2F%2Fgraph.microsoft.com. Replace the values inside the brackets with the variables created earlier.

 

 

 

 

 

 

 

  • Run the workflow now, and you will see that the outcome of the HTTP Action will consist of the Access Token. This token can now be used to create the guest user in Azure AD using the Azure B2B Graph methods.

 

 

 

 

 

 

 

 

 

 

 

 

 

  • Copy the body text of the output to Notepad. We will use this in the next step for generating a schema for the JSON parser.
  • Next, add a Data Operations – Parse JSON Action to the canvas. For the Content, select the Body from the Generate Access Click use sample payload to generate schema and paste the body output into the text box.

 

 

 

 

 

 

  • Click Done and the schema is automatically generated.

 

 

 

 

 

 

 

 

  • To pass on the parameters from the PowerApp, add 3 Initialize Variables Actions below the PowerApps Action. Give them the following values:
    • Rename the action to FirstNameParameter, Name: FirstName, Type: String, Value: select Ask in PowerApps, then a new parameter is created.
    • Rename the action to LastNameParameter, Name: LastName, Type: String, Value: select Ask in PowerApps, then a new parameter is created.
    • Rename the action to EmailAddressParameter, Name: EmailAddress, Type: String, Value: select Ask in PowerApps, then a new parameter is created.

 

 

 

 

 

 

 

 

  • Add an HTTP Action to the canvas below the JSON Parser, rename the method to Create Guest User and add the following values:
    • Method: Post
    • Uri: https://graph.microsoft.com/v1.0/invitations
    • Headers: Authorization, bearer <AccessToken> (make sure there is a whitespace between the bearer part and the access token).
    • Body:
      {
      
      "invitedUserEmailAddress": "<EmailAddress variable>",
      
      "inviteRedirectUrl": "https://puttysoft.sharepoint.com/sites/AzureB2B",
      
      "invitedUserDisplayName" : concat(variables('FirstName'), ' ', variables('LastName')),
      
      "sendInvitationMessage" : true,
      
      "invitedUserMessageInfo" : {
      
      "customizedMessageBody": "Hey there! Check this out. I created an invitation through the Graph API"
      
      }
      
      }
      

 

 

 

 

 

 

 

  • Save the Flow.

PowerApps

  • Go to https://web.powerapps.com and log in with your Office 365 credentials. Select the “Start from blank” template and select “Phone from Factor” and click Make this App.

 

 

 

 

 

 

 

  • The Edit screen is opened, add the following labels, fields and a button to the canvas:
    • Label: Name: LabelFirstname, Text: Firstname *
    • TextInput: Name: TextFirstName, clear Text Input
    • Label: Name: LabelLastname, Text: Lastname *
    • TextInput: Name: TextLastName, clear Text Input
    • Label: Name: LabelEmailAddress, Text: Email Address *
    • TextInput: Name: TextEmailAddress, clear Text Input
    • Button: Name: ButtonAdd, Text: Add Guest User
    • Rename Screen1 to AzureB2BFillInForm

 

 

 

 

 

 

 

  • Open te AzureB2BFillInForm, click the ButtonAdd, click Action and Select A data pane is openend, in there select the flow created in the previous step and associate it with the button.

 

 

 

 

 

 

 

  • In the formula bar add the below variables to the Run() method to pass the values to the Flow:
    PowerAppsbutton.Run(TextFirstName.Text, TextLastName.Text, TextEmailAddress.Text)
    
    

 

 

 

 

 

 

 

  • Save and Publish the PowerApp. Then click Share this app. Copy the Web link or App ID to Notepad.

Adding the PowerApp to a SharePoint Site

The last step is to add the PowerApp to a SharePoint so that your users can start using for inviting guest users.

  • Add a PowerApp web part to a SharePoint page. In the settings add the web link of App ID which you’ve copied to Notepad in the previous step. Publish the page.

 

 

 

 

 

 

 

You can now fill in the form and click the button. The user will receive an invite in his/ her mailbox.

 

 

 

 

 

 

 

 

 

 

 

 

Note: Before the user can access the SharePoint site in the redirect URL, it should be added to SharePoint manually. This sample only adds the guest user Azure AD.

 

Usefull links

The following articles are used to create this sample solution:

There are currently no comments.