
Our situation is as follows:

           Company A                           Company B            
+-----------------------------+     +----------------------------+ 
|                             |     |                            | 
|   +---------------------+   |     |   +--------------------+   | 
|   |  On Prem AD: main   |   |     |   |  Azure AD DS: ext  |   | 
|   +----------|----------+   |     |   +--------------------+   | 
|              |              |     |                            | 
|              |              |     |   +--------+  +--------+   | 
|              |Azure Sync    |     |   | RDS SH |  | RDS GW |   | 
|              |              |     |   +--------+  +--------+   | 
|              |              |     |                            | 
|   +----------|-----------+  |     |   +--------+               | 
|   | Azure AD:  main-sync |  |     |   | RDS CB |               | 
|   +----------------------+  |     |   +--------+               | 
|                             |     |                            | 
+-----------------------------+     +----------------------------+

We are looking for a way to allow users of Company A to login on the RDS environment in Company B.

The RDS servers are joined in the Azure AD DS.

Our first thought was to utilize Azure's B2B function (guest account). Inviting a user from the main-sync domain in the ext domain works, but logging in to the RDS environment that is running on servers joined into the ext domain is not working.

As Company A already utilizes the Azure Sync between their primary domain and their own Azure AD, we cannot use that to sync main -> ext.

Is there something we can do to allow the B2B accounts to log in to the RDS environment?

Alternatively, if our plan of allowing B2B accounts to login will never work - what would be the least intrusive solution for Company A to allow users in Company B's RDS to log in?

Jeremy

1 Answer


You're not going to be able to log in using B2B guest accounts. When you create the guest account it gets added to Azure AD, and because you use AAD DS it can then be seen by the RDS machines; however, none of the password data is synced into the B2B tenant. As the RDS machines don't understand AAD, they are not able to look up credentials in the source tenant (like you would with an AAD login) and so fail.

Because you're using AAD DS in domain B, you're a bit limited in what you can do. AAD DS does not support trusts, so that is out. You could maybe look at using ADFS. The simplest option might just be to create a second set of accounts in domain B for users from domain A.

Sam Cogan