External B2B File Sharing of Windows file shares with MyWorkDrive and Azure Active Directory Guest Accounts
MyWorkDrive External B2B File Folder Sharing Overview
Customers who use the MyWorkDrive Azure AD integration for authentication can now easily invite external guest users to collaborate on Windows file shares. With this feature, external users are invited to Azure AD as Guest Users and receive an email invitation. Once the invitation is redeemed and they have logged in, MyWorkDrive impersonates them to show them their permitted folders. Because external users are invited into Azure AD, the administrator does not need to manage guest user logins, passwords or authentication, while the guest user can still fully collaborate with internal users on files and folders within the MyWorkDrive file share. More details on how this works are in this Microsoft support article: https://docs.microsoft.com/en-us/azure/active-directory/b2b/hybrid-cloud-to-on-premises and in our B2B File Sharing Video.

To implement guest user sharing in MyWorkDrive, we create an account in Active Directory that we can impersonate, configure it so the user cannot log in interactively, and then impersonate that account after verifying the user's login to Azure AD in order to show them their Windows file shares. Unlike external link sharing with OneDrive or Sync & Share systems, the guest user can fully collaborate on files and folders with internal users. From a security and support standpoint there are no password resets to manage, and Azure AD Guest Accounts can be required to use Multi-Factor Authentication to verify user identities.

Conversely, providing anonymous external access to Windows file shares via links would require compromising security by storing password hashes in a database or by granting the server computer account full write access to all Windows file shares. We have seen competing products that store password hashes to shares in a database and hold rights to all shares at the root level. We have opted not to integrate in this way because it is an extreme security risk.
There is also a risk that whenever an externally shared file or folder is renamed the link breaks; the only workaround is storing the files in a database, which defeats the purpose of accessing files on Windows file shares without migrating them.
- Set up the MyWorkDrive server to use Azure AD SAML
- MyWorkDrive Server 6.0 or higher
- Create an OU in Active Directory to store external users
- Create an Active Directory Group for Guest Users & grant it NTFS permission on the file share(s)
- Add the Active Directory Group to the share in MyWorkDrive
Detailed Guest User Folder Sharing Setup Steps
Set up the MyWorkDrive server to use Azure AD SAML with Delegation or Kerberos Constrained Delegation to the file shares
It is necessary to integrate MyWorkDrive with Azure AD using our SAML integration. The Azure directory will be used to authenticate and store guest users. It does not need to be the same Azure Active Directory used by the company, nor does the company need to use Azure AD for internal user MyWorkDrive authentication. Follow our support article here to set up Azure AD SAML authentication in MyWorkDrive.
Create a group in Azure AD for guest users that will be used to track or permit access to the MyWorkDrive SAML app
In Azure AD, create a cloud-based group for the external guest users who will be allowed to use the MyWorkDrive Enterprise SAML app, and add this group to the app to allow those users to log in. Group created in Azure AD – for example “MWD-Guest”:
If you require users to be assigned to the app in order to log in (the SAML app property “User Assignment Required” is set to Yes), add the AAD group to your MyWorkDrive SAML app to permit login by guest users:
Create an OU in Active Directory to store external users
In Active Directory, create an OU to store all external guest users. This makes it much easier to manage, remove or edit external guest users later. The guest users will be created and stored here. They will be set to SmartCardLogonRequired to prevent login using a username/password, since we impersonate them using delegation instead. These users will also be removed from Domain Users to prevent access to any internal resources. If your company syncs its Active Directory to Azure AD using AD Sync, be sure to exclude this OU from automatic syncing.
Create Active Directory Guest Users Group
In Active Directory, create a guest user group. External guest users will be added to this group as their primary Active Directory group and removed from the default Domain Users group. This Active Directory group can also be used to grant NTFS permissions to the shares you wish to make available to external users in MyWorkDrive.
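The OU and group steps above, carried out and then verified with the ActiveDirectory PowerShell module. This is an added example, not MyWorkDrive's own script; the OU path, group name, domain and guest account name are assumptions (MyWorkDrive creates the account for you when you invite a guest; this shows what the hardened account should look like and how to check it).

```powershell
# Added example (not MyWorkDrive's script). Assumed names: OU "MWD-GuestUsers", AD group
# "MWD-GuestUsers-AD", domain contoso.local, guest account "mwd-guest-jdoe" (prefix "mwd-guest-").
Import-Module ActiveDirectory

$GuestOu    = 'OU=MWD-GuestUsers,DC=contoso,DC=local'   # assumption: this OU is excluded from AD Connect sync
$GuestGroup = 'MWD-GuestUsers-AD'                        # assumption: group granted NTFS rights on the share
$GuestSam   = 'mwd-guest-jdoe'                           # assumption: prefixed guest account name
$GuestUpn   = "$GuestSam@contoso.local"

# 1. Create the account in the dedicated OU. Password policy still requires a password,
#    so set a random one that is never handed out; smart-card-required below makes it unusable.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-ADUser -Name $GuestSam -SamAccountName $GuestSam -UserPrincipalName $GuestUpn `
    -Path $GuestOu -AccountPassword $randomPwd -Enabled $true `
    -Description 'MyWorkDrive external guest (accessed via delegation only)'

# 2. Require smart card logon: the account cannot authenticate with a password,
#    so the only path to the share is impersonation by the MyWorkDrive server.
Set-ADUser -Identity $GuestSam -SmartcardLogonRequired $true

# 3. Make the guest group the primary group FIRST (AD refuses to remove a user from its
#    primary group), then drop Domain Users so the account carries no implicit internal access.
Add-ADGroupMember -Identity $GuestGroup -Members $GuestSam
$token = (Get-ADGroup -Identity $GuestGroup -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $GuestSam -Replace @{ primaryGroupID = $token }
Remove-ADGroupMember -Identity 'Domain Users' -Members $GuestSam -Confirm:$false

# 4. Verify the hardening before the matching Azure AD guest invitation is sent.
$u = Get-ADUser -Identity $GuestSam -Properties SmartcardLogonRequired, MemberOf, PrimaryGroup
if (-not $u.SmartcardLogonRequired)              { throw "$GuestSam still allows password logon" }
if ($u.MemberOf -match 'CN=Domain Users,')       { throw "$GuestSam is still a member of Domain Users" }
if ($u.PrimaryGroup -notmatch "^CN=$GuestGroup,") { throw "$GuestSam primary group is not $GuestGroup" }
"OK: $GuestSam is smart-card-only, primary group $GuestGroup, not in Domain Users"
```

The verification block is the useful part to keep as a periodic check over every account in the guest OU, since an account that drifts back into Domain Users or loses the smart-card flag silently regains interactive logon and internal access.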
Create Azure AD Enterprise App Registration
To allow the MWD Server to automatically create and manage guest users in Azure AD it is necessary to create an Azure AD Enterprise App. The AAD App can be created manually or using our PowerShell script.
Automatic PowerShell Registration
Download and run our PowerShell Azure AD App Creation Script as administrator from the MWD server. The script will prompt you for the Azure AD domain name and application name, and will prompt for login to Azure AD several times to authorize your AAD app. The script automatically creates your enterprise app registration and saves the resulting Application ID and Tenant ID into the MWD admin panel under Enterprise settings. To complete setup, manually copy and paste the Application Secret into the MWD admin panel under Enterprise settings, Guest User settings. Complete the setup by enabling guest user sharing under Enterprise settings – Azure AD SAML: Guest Users: input your guest users OU, the Azure AD guest user group and the Active Directory group. Click Save.
Manual Registration
Register the MWD admin panel application in your Azure account. The MWD admin panel needs the following Microsoft Graph permissions: Directory.Read.All, User.Invite.All, User.ReadWrite.All.
Save the resulting Application (client) ID, Directory (tenant) ID and client secret for pasting into the MWD admin panel under Enterprise settings.
Create Application Secret.
Enable Guest User Sharing
Complete the setup by enabling guest user sharing under Enterprise settings – Azure AD SAML – Guest Users: input your guest users OU, the Azure AD guest user group and the Active Directory group. If you used our automated PowerShell script, the App ID, App Tenant ID and App Secret will already be pre-filled; if not, paste these settings in manually. Accept or modify the Username Prefix as desired; it is added to all guest usernames to make guest users easier to differentiate and find in Active Directory.
Enable and invite guest users to a share
Select or create Active Directory Group for the share
Before enabling guest sharing access on a MyWorkDrive share, either create a new, unique Active Directory group that will be used to assign NTFS permissions on each file share, or use an existing group (this can be the same group that was applied as the default domain group for guest users when enabling guest user access in Enterprise settings).
Add an existing group to NTFS Permissions on the File Share
Enable Guest User Sharing on a share
Click the slider to enable Guest User Access. Search for and select the NTFS permission group that guest users will be added to.
Click “New” to Invite the external guest user
Click to confirm and Save to complete enabling guest user sharing on the share.
After the guest user is invited, the external guest user account is created both internally in Active Directory and externally in Azure AD; the user receives the email invitation, logs in or creates a Microsoft account, and is then shown the MyWorkDrive shares at your MyWorkDrive server web address.
Manage Guest Users
Guest users can be disabled or removed in Active Directory and Azure AD at any time. Invited users can be re-sent email invitations or removed in Azure AD. External guest users can also be managed on the Enterprise page:
Once clicked, select the user to resend the email invitation or to remove them as guest users from Active Directory and Azure AD.