External B2B File Sharing of Windows file shares with MyWorkDrive and Azure Active Directory Guest Accounts
MyWorkDrive External B2B File Sharing Overview
Customers who use the MyWorkDrive Azure AD integration for authentication can now easily invite external guest users to collaborate on Windows file shares. With this feature, external users are invited to Azure AD as guest users and receive an email invitation. Once they redeem it and log in, MyWorkDrive impersonates them to show them their allowed folders. By inviting external users to Azure AD, the administrator does not need to manage guest user logins, passwords or authentication, while the guest user can still fully collaborate with internal users on files and folders within the MyWorkDrive file share. More details on how this works are in this Microsoft support article: https://docs.microsoft.com/en-us/azure/active-directory/b2b/hybrid-cloud-to-on-premises and in our B2B File Sharing Video.
To implement guest user sharing in MyWorkDrive we create an account in Active Directory that we can impersonate, set it so the user cannot log in interactively, then impersonate that user after verifying their login to Azure AD to show them their Windows file shares. Unlike external link sharing with OneDrive, the guest user can fully collaborate on files and folders with internal users. From a security and support standpoint there are no password resets to manage, and security policies can be enabled on Azure AD guest accounts to require Multi-Factor Authentication to verify user identities.
Manual Configuration Steps
In the past customers would need to perform these manual steps below to invite guest users to collaborate on File Share folders in MyWorkDrive:
- Setup MyWorkDrive server to use Azure AD SAML with Delegation or Kerberos Constrained Delegation to the file shares
- Create a group in Azure AD for guest users that will be used to permit access to the MyWorkDrive SAML app created in step 1.
- Create an OU in Active Directory to Store external users
- Create an Active Directory Group for Guest Users & grant it NTFS permission on the file share
- Add the Active Directory Group to the share in MyWorkDrive
- Manually create the guest user in the on-premises Active Directory with the UPN changed to the user's actual external email address, the SmartcardLogonRequired parameter set to $true, a random password (the user will never log in interactively) and, optionally, the account set to expire after X days.
- Invite the guest user in Azure AD to our app
- User receives the invitation and logs in or creates a Microsoft Account.
- User is shown our Azure AD MyWorkDrive app, clicks to log in and is logged in using SAML.
To simplify and automate the process, we have created a sample PowerShell script that fully automates steps 5-8; it can be downloaded here: create-guest-users.ps1
Before you use the script, make sure that you review the process and set it up in a QA environment. Also, understand that the script is made available only as a sample. You will need to customize and review the script before you run it. PowerShell 5.1 or higher is required.
Detailed Setup Steps
Setup MyWorkDrive server to use Azure AD SAML with Delegation or Kerberos Constrained Delegation to the file shares
Follow our support article here to setup Azure AD SAML authentication in MyWorkDrive.
Create a group in Azure AD for guest users that will be used to permit access to the MyWorkDrive SAML app created in step 1
In Azure AD, create a cloud-based group for external guest users who will be allowed to use the MyWorkDrive Enterprise SAML app, and assign this group to the app to allow those users to log in.
Group created in Azure AD – for example “MWD-Guest”:
Group added to MyWorkDrive SAML App to permit login:
Create an OU in Active Directory to Store external users
In Active Directory create an OU to store all external guest users. This makes it much easier to manage, remove or edit external guest users later. The guest users will be created and stored here. They will be set to SmartcardLogonRequired to prevent login with a username and password, since we impersonate them using delegation instead. These users will also be removed from Domain Users to prevent access to any internal resources.
Create Active Directory Guest Users Group
In Active Directory create a guest user group. External guest users will be added to this group as their primary Active Directory group and removed from the default Domain Users group. This Active Directory group will also be used to grant NTFS permissions on the share you wish to make available to external users in MyWorkDrive.
Add group to share in NTFS & MyWorkDrive
Add group to NTFS Permissions on the File Share:
Add group to MyWorkDrive Share:
Modify and Run PowerShell script to create local users and invite them to Azure AD
Before running the sample PowerShell script a few variables need to be defined:
# Input the Active Directory NTFS group you created here
$NTFSGroup = 'MWF-Guest'
# Input the OU where you wish to store Active Directory guest user accounts here
$Location = 'OU=Domain Guests'
# Input desired guest user title and description here
$Title = 'MWD Guest User'
$Description = 'MWD Guest User'
# Input your Azure AD domain here
$AADomain = 'contoso.com'
# Input your cloud-based Azure AD guest user group here
$AADGroup = 'MWD-Guest'
# Input your MyWorkDrive SAML web address here
$MWDURL = 'https://yourserver.yourdomain.com/account/login-saml'
We also need to install the Azure AD Preview module: Install-Module AzureADPreview
After running the PowerShell script the external guest user is created internally. You will then be prompted to log in to Azure AD so the script can create the external guest user invitation in Azure AD. The guest user then receives the email invitation, logs in (or creates a Microsoft Account as needed) and is then shown MyWorkDrive shares in the MyWorkDrive web application. Guest users can be disabled or removed in Active Directory and Azure AD at any time.
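The following is an added worked example of steps 5-8 as described above; it is not MyWorkDrive's create-guest-users.ps1. It assumes the ActiveDirectory and AzureADPreview modules are installed, that $Location is the full distinguished name of the guest OU, and that the guest address $GuestEmail and $ExpireDays are values you supply (the ones below are constructed samples).

```powershell
# Added example (not MyWorkDrive's script): create one external guest in on-premises AD,
# restrict it to impersonation-only use, then invite the same address to Azure AD.
Import-Module ActiveDirectory
Import-Module AzureADPreview

$NTFSGroup   = 'MWD-Guest'                                  # on-premises AD group with NTFS rights
$Location    = 'OU=Domain Guests,DC=contoso,DC=local'       # assumption: full DN of the guest OU
$Title       = 'MWD Guest User'
$Description = 'MWD Guest User'
$AADGroup    = 'MWD-Guest'                                  # cloud group assigned to the SAML app
$MWDURL      = 'https://yourserver.yourdomain.com/account/login-saml'
$GuestEmail  = 'partner@example.com'                        # constructed sample external address
$ExpireDays  = 90                                           # constructed sample expiry

# Random password the guest never learns; smart-card-only means it cannot be used anyway.
Add-Type -AssemblyName System.Web
$RandomPassword = [System.Web.Security.Membership]::GeneratePassword(32, 8)
$SecurePassword = ConvertTo-SecureString $RandomPassword -AsPlainText -Force

# Step 5: AD account whose UPN is the guest's real external email (sAMAccountName max 20 chars).
$Sam = $GuestEmail -replace '[^a-zA-Z0-9]', ''
if ($Sam.Length -gt 20) { $Sam = $Sam.Substring(0, 20) }
$User = New-ADUser -Name $GuestEmail -SamAccountName $Sam -UserPrincipalName $GuestEmail `
    -Path $Location -Title $Title -Description $Description `
    -AccountPassword $SecurePassword -SmartcardLogonRequired $true `
    -AccountExpirationDate (Get-Date).AddDays($ExpireDays) -Enabled $true -PassThru

# Step 6: make the guest group the primary group, then drop Domain Users so the account
# carries no implicit access to internal resources. The RID is the last SID component.
$Group = Get-ADGroup $NTFSGroup
Add-ADGroupMember -Identity $Group -Members $User
$Rid = $Group.SID.Value.Split('-')[-1]
Set-ADUser -Identity $User -Replace @{ primaryGroupID = [int]$Rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $User -Confirm:$false

# Step 7: invite the address to Azure AD as a guest and add it to the cloud group on the app.
# Connect-AzureAD prompts for an administrator sign-in.
Connect-AzureAD | Out-Null
$Invite = New-AzureADMSInvitation -InvitedUserEmailAddress $GuestEmail `
    -InvitedUserDisplayName $GuestEmail -InviteRedirectUrl $MWDURL -SendInvitationMessage $true
$CloudGroup = Get-AzureADGroup -Filter "DisplayName eq '$AADGroup'"
Add-AzureADGroupMember -ObjectId $CloudGroup.ObjectId -RefObjectId $Invite.InvitedUser.Id

# Check: the account must be smart-card-only and must no longer have Domain Users as primary group.
$Check = Get-ADUser $User -Properties SmartcardLogonRequired, PrimaryGroup
if (-not $Check.SmartcardLogonRequired -or $Check.PrimaryGroup -notlike "CN=$NTFSGroup,*") {
    throw "Guest account $GuestEmail is not correctly restricted"
}
```

Step 8 (the guest redeeming the invitation and signing in through SAML) happens on the guest's side and needs no script.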
In future versions of MyWorkDrive we will be integrating these steps into the Admin Portal to further simplify the process.