Licensing, Cloud and Web Services - Configuring Microsoft Azure AD for B2B Guest Users Using OIDC

Introduction and Prerequisites

This guide provides instructions for configuring your OIDC-based Azure AD federation to support guest users within Bentley Identity Management System (IMS).

If you have not already set up Azure AD OIDC federation, please review this Azure AD OIDC guide and note in your request below that you would like to utilize Azure B2B in addition to normal federation.

Azure AD provides functionality to invite guest users to your Azure AD tenant. This allows the user to maintain a “guest identity” inside your tenant, which can be granted access to your internal resources and access applications set up in your environment. This guest account is maintained by your tenant, but the guest authenticates with their primary domain credentials, not guest credentials.

If you wish to use guest users, there are some limitations regarding the capabilities of guest users with Bentley IMS. As with all federations in our environment, when a user signs in through your federation, they are automatically assigned to your user directory inside of Bentley IMS. This means that your organization is responsible for providing the necessary licensing for these users.

Guest users in your Azure AD tenant will be treated the same as normal users from your federation and will appear with a guest identify of the form username_externaldomain_EXT_@yourdomain.com format.

Warning Warning: Usage incurred by guest users is covered by your organization. To limit costs, consider using the access controls provided in Entitlement Management as described in the following best practices.

Making the Required Changes to your Application

Open your Azure AD portal (https://portal.azure.com/) and login using administrative privileges
Select “Azure Active Directory” from the left navigation, if not already selected.
Choose “App Registrations” from the left sidebar, and find the application you are using for our federation.
Choose "Token configuration" from the left sidebar, and click the elipsis along the right edge.
Select Edit from the contextual menu, select Yes to both questions in the right pane that appears, and click the Save button at the bottom (not shown below).

Finally, submit a federation request to enable B2B functionality since special logic is required to create IMS logins based on guest accounts properly.