External B2B File Sharing of Windows file shares with MyWorkDrive and Azure Active Directory Guest Accounts
MyWorkDrive External B2B File Folder Sharing Overview
Enterprise+ Licensed Customers who utilize MyWorkDrive Azure AD integration for authentication can now easily invite external guest users to collaborate on Windows File Shares.
With this feature, external users are invited to Azure AD as Guest Users. They’re emailed an invitation to join. Once redeemed and logged in, they are then impersonated by MyWorkDrive to show them their allowed folders. By inviting external users to Azure AD, the administrator will not need to manage guest user logins, passwords or authentication while still allowing the guest user to fully collaborate with internal users on files and folders within the MyWorkDrive File Share.
More details on how this works are detailed in this Microsoft Support Article: https://docs.microsoft.com/en-us/azure/active-directory/b2b/hybrid-cloud-to-on-premises and in our B2B File Sharing Video.
To implement Guest user sharing in MyWorkDrive, a user account is created for the invited guest in Active Directory which MyWorkDrive can impersonate. That account is configured so the invited guest cannot log in interactively – only via Azure AD. Once the guest has logged in to Azure AD, MyWorkDrive impersonates that Active Directory account to show them their Windows File Shares.
Unlike external link sharing using OneDrive or Sync & Share systems, the guest user can fully collaborate on files and folders with internal users. From a security and support standpoint there are no password resets to manage and security can be enabled on Azure AD Guest Accounts to require Multi-Factor Authentication to verify user identities.
Conversely, enabling Windows file shares to provide anonymous external access via links would require compromising security by storing password hashes in a database or granting the server computer account full write access to all Windows file shares. We have seen competing products that store password hashes to shares in a database and that have rights to all shares at the root level.
We chose to avoid such an extreme security risk, avoiding integrations which require storing password hashes or permitting unrestricted access to file shares. Our chosen method also avoids issues like shared folders being renamed and breaking share links, or storing files in databases, which defeats the purpose of accessing files on Windows File Shares without migrating them.
- Set up the MyWorkDrive server to use Azure AD SAML
- MyWorkDrive Server 6.0 or higher with Enterprise Plus license
- Create an OU in Active Directory to Store external users
- Create an Active Directory Group for Guest Users & grant it NTFS permission on the file share(s)
- Add the Active Directory Group to the share in MyWorkDrive
- Enterprise Plus MyWorkDrive Subscription License
Detailed Guest User Folder Sharing Setup Steps
Set up the MyWorkDrive server to use Azure AD SAML with Delegation or Kerberos Constrained Delegation to the file shares
It is necessary to integrate MyWorkDrive with Azure AD using our SAML integration. The Azure Directory will be used to authenticate and store guest users. It does not need to be the same Azure Active Directory used by the company, nor does the company need to use Azure AD for internal user MyWorkDrive authentication. Follow our support article here to setup Azure AD SAML authentication in MyWorkDrive.
Create a group in Azure AD for guest users that will be used to track or permit access to the MyWorkDrive SAML app
In Azure AD, create a cloud-based group for external guest users who will be allowed to use the MyWorkDrive Enterprise SAML app, and add this group to the app to allow those users to log in.
Group created in Azure AD – for example “MWD-Guest”:
If you require users to be assigned to the app in order to log in (the SAML App property “User Assignment Required” is set to Yes), add the AAD Group to your MyWorkDrive SAML App to permit login by Guest Users:
Create an OU in Active Directory to Store external users
In Active Directory, create an OU to store all external guest users. This will make it much easier to manage, remove or edit external guest users later. The guest users will be created and stored here. They will be set to SmartCardLogonRequired to prevent login using username/password since we will impersonate them instead using delegation. These users will also be removed from domain users to prevent access to any internal resources. If your company is syncing your Active Directory to Azure AD using AD Sync, be sure to exclude this OU from automatic syncing.
Create Active Directory Guest Users Group
In Active Directory, create a guest user group. External guest users will be added to this group as their primary Active Directory group and removed from the default Domain Users group. This Active Directory Group can also be used to grant NTFS permissions to the shares you wish to make available to external users in MyWorkDrive.
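The two Active Directory steps above (guest OU and guest group), plus the account state the article describes (smart card logon required, guest group as primary group, removed from Domain Users), as an added PowerShell example that is not MyWorkDrive's own script. The OU name “MWD-Guests” and group name “MWD-Guest-Users” are assumptions; the domain is read from the machine running the script, which needs the RSAT ActiveDirectory module.

```powershell
# Added example, not MyWorkDrive's own script. Assumed names: OU "MWD-Guests",
# group "MWD-Guest-Users"; the domain is read from the machine's AD membership.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$guestOu   = "MWD-Guests"
$guestOuDn = "OU=$guestOu,$domainDn"
$guestGrp  = "MWD-Guest-Users"
$domainUsersRid = 513   # well-known RID of Domain Users

# 1. OU for all external guest accounts. Exclude this OU from Azure AD Connect
#    with OU filtering in the Connect sync wizard (not done by this block).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$guestOu'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $guestOu -Path $domainDn
}

# 2. Group that becomes the guests' primary group and carries the NTFS grant on the shares.
if (-not (Get-ADGroup -Filter "Name -eq '$guestGrp'")) {
    New-ADGroup -Name $guestGrp -GroupScope Global -GroupCategory Security -Path $guestOuDn
}
$guestRid = [int]((Get-ADGroup $guestGrp).SID.Value -split '-')[-1]

# 3. Put one guest account into the state the article describes: smart card logon required
#    (no username/password logon), guest group as primary group, removed from Domain Users.
function Set-MwdGuestAccountState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
    Add-ADGroupMember -Identity $guestGrp -Members $SamAccountName
    Set-ADUser -Identity $SamAccountName -Replace @{ primaryGroupID = $guestRid }
    Remove-ADGroupMember -Identity "Domain Users" -Members $SamAccountName -Confirm:$false
}

# 4. Audit every account in the guest OU against that state. Primary-group membership is not
#    listed in MemberOf, so both primaryGroupID and MemberOf are checked.
function Test-MwdGuestAccounts {
    $domainUsersDn = (Get-ADGroup "Domain Users").DistinguishedName
    Get-ADUser -SearchBase $guestOuDn -Filter * -Properties SmartcardLogonRequired, primaryGroupID, MemberOf |
        ForEach-Object {
            [pscustomobject]@{
                User           = $_.SamAccountName
                SmartcardOnly  = [bool]$_.SmartcardLogonRequired
                GuestIsPrimary = ($_.primaryGroupID -eq $guestRid)
                InDomainUsers  = ($_.primaryGroupID -eq $domainUsersRid) -or ($_.MemberOf -contains $domainUsersDn)
            }
        }
}

# Accounts that do not match the expected hardened state (empty output means all guests are compliant).
Test-MwdGuestAccounts | Where-Object { -not $_.SmartcardOnly -or -not $_.GuestIsPrimary -or $_.InDomainUsers }
```

Run the audit after MyWorkDrive has created guest accounts to confirm none of them can fall back to password logon or inherit Domain Users access.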
Create Azure AD Enterprise App Registration
To allow the MWD Server to automatically create and manage guest users in Azure AD it is necessary to create an Azure AD Enterprise App. The AAD App can be created manually or using our PowerShell script.
Automatic PowerShell Registration
Download and run our PowerShell Azure AD App Creation Script as administrator from the MWD Server. The script will prompt you for Azure AD Domain name, Application Name and prompt for login to Azure AD several times to authorize your AAD App.
The script will automatically create your enterprise app registration and save the resulting Application id and Tenant id into the MWD admin panel under Enterprise settings.
To complete the connection to Azure AD, manually copy and paste the Application Secret into the MWD Admin panel under Enterprise settings, Guest User settings.
Complete the setup by enabling guest user sharing under Enterprise settings – Azure AD SAML: Guest Users: Input your guest users OU, Azure AD created user group and Active Directory Group. Click Save.
MWD admin panel needs the following permissions:
Save the resulting application/client id, directory/tenant id and client secret for pasting into the MyWorkDrive Guest User setup under enterprise settings.
Create the Application Secret and paste it into MyWorkDrive.
Enable Guest User Sharing
Complete the setup by enabling guest user sharing under Enterprise settings – Azure AD SAML – Guest Users: Input your guest users OU, Azure AD created user group and Active Directory Group.
If you used our automated PowerShell script, the App ID, App Tenant ID and App Secret will already be pre-filled. If not, manually paste in these settings.
Accept or modify the Username Prefix as desired. The prefix is added to all guest user usernames to help differentiate or find guest users in Active Directory.
Enable and invite guest users to a share
Select or create Active Directory Group for the share
Before enabling Guest sharing access on a MyWorkDrive share, either create a new unique Active Directory Group that will be used for assigning NTFS permission on each file share, or use an existing Group (this can be the same group that was used as the default domain group applied to guest users when enabling guest user access in enterprise settings).
Add an existing group to NTFS Permissions on the File Share
Enable Guest User Sharing on a share
Click the slider and enable Guest User Access. Search for and select the NTFS permission group that guest users will be added to.
Click “New” to Invite the external guest user
Click to confirm and Save to complete enabling guest user sharing on the share.
After inviting the guest user, the External Guest User is created internally and externally in Azure AD and sent an email invitation.
When they click Accept Invitation they will be prompted to Login to or Create a Microsoft Account, along with any MFA or validation you required. Once authenticated, they will be logged in to MyWorkDrive and see the shares they are provisioned for at your MyWorkDrive server web address.
Note: due to replication, it may take as long as 15 minutes after creation for the new user to be synced across all segments of AD and a successful login to be completed.
Manage Guest Users
Guest users can be easily disabled or removed in Active Directory and Azure AD at any time. Invited users can be re-sent email invitations or removed in Azure AD. External Guest Users may also be accessed on the enterprise page:
Once clicked, select the user to resend email invitations or to remove them from Active Directory and Azure AD as guest users. Delete removes them from Azure AD as well as local AD.