How to Create Guest Access Portal for External Users Management – Part 1

In this article series, we are going to see how to create a custom application portal for guest user management.

This portal lets users from external domains (the outside world) request guest access. Once a request is received, Guest Inviter administrators can log in and approve it. The portal also supports auto-approving trusted domains and managing the groups a guest should be added to once created, so that custom Conditional Access policies and other requirements can be applied to them.

To host this portal, we are going to use the following Azure services:

  1. Azure Active Directory app registrations
  2. Azure App Service
  3. Azure Cosmos DB

We need an Azure subscription with access to the above services to host and configure this application successfully.

Okay, let's get started.

1. Creating Azure Applications using Azure Active Directory

Log in to https://portal.Azure.com, go to Azure Active Directory > App registrations and click New application registration.

Note: I have used the legacy option; if you are comfortable with the new App registrations experience, you can use that as well.

Enter a name for the application, select Application type: Web app/API, and enter a placeholder Sign-on URL such as https://willentertheurl-Later

We will replace this Sign-on URL with the real one later in the series. For now any value will do, since the field is mandatory and you cannot continue without it.

Once the application registration is done, click Settings.

Click Required permissions.

Click Add.

Click Select an API.

Select Microsoft Graph.

Click "Select permissions". On the "Enable Access" panel that appears, check the following items (the Graph permission names are shown in parentheses):

  • APPLICATION PERMISSIONS
    • Read and write directory data (Directory.ReadWrite.All)
    • Read and write all users' full profiles (User.ReadWrite.All)
  • DELEGATED PERMISSIONS
    • Sign in and read user profile (User.Read)

Once all are set as above, click Done.

Click Grant Permissions.

Click Yes to grant the permissions. Application permissions act without any signed-in user, so they need an administrator's consent, which is what this step gives. Keep in mind that whoever holds this app's key can then read and write the entire directory; if the portal only needs to create guests, the narrower User.Invite.All application permission is worth considering instead of Directory.ReadWrite.All.

Now we need to generate a key.

Click Keys, type Key1 in the description, select an expiry (in years) and click Save.

Copy the generated key value now. Once you leave this blade it cannot be retrieved again, so make sure it is copied correctly and stored somewhere safe (Azure Key Vault is the natural place) for use in the later stage. Together with the application permissions granted above, this key is a tenant-wide privileged credential, so treat it as such and keep its expiry short.
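As an added example, not code from the article, here is how the Admin app's values are used once the portal is running: a client-credentials request that exchanges the Application ID and key for a Microsoft Graph token, and the Graph invitation call that creates a guest. It assumes the tenant ID (copied later in this article), the Application ID and the key are supplied as environment variables named AAD_TENANT_ID, ADMIN_APP_ID and ADMIN_APP_KEY (names chosen for this example); the invitee address and redirect URL are placeholders.

```python
"""Client-credentials flow for the Admin app (added example, not the article's code).

Assumes the three Admin-app values from this article are exported as environment
variables: AAD_TENANT_ID (Directory ID), ADMIN_APP_ID (Application ID) and
ADMIN_APP_KEY (the Key1 secret). They are read from the environment rather than
hard-coded because the key carries tenant-wide write permissions.
"""
import json
import os
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form_fields) for the client-credentials token request.

    The secret is sent only in this server-to-server POST; the browser side of
    the portal must never see it.
    """
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" requests every application permission that was granted
        # with "Grant Permissions" (Directory.ReadWrite.All, User.ReadWrite.All).
        "scope": f"{GRAPH}/.default",
    }
    return url, fields


def build_invitation(email: str, redirect_url: str, send_mail: bool = True) -> dict:
    """Body for POST /v1.0/invitations, the Graph call that creates a guest user.

    Directory.ReadWrite.All (granted above) covers this call.
    """
    return {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_mail,
    }


def get_token() -> str:
    """Exchange the Admin app's key for a Graph access token (network call)."""
    url, fields = build_token_request(
        os.environ["AAD_TENANT_ID"], os.environ["ADMIN_APP_ID"], os.environ["ADMIN_APP_KEY"]
    )
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def invite_guest(token: str, email: str, redirect_url: str) -> dict:
    """Create the guest account via Microsoft Graph (network call)."""
    req = urllib.request.Request(
        f"{GRAPH}/v1.0/invitations",
        data=json.dumps(build_invitation(email, redirect_url)).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Address and redirect URL are placeholders for a real run.
    print(invite_guest(get_token(), "partner.user@example.com", "https://myapps.microsoft.com"))
```

Because the scope is `.default`, the token carries every application permission granted above, which is why this code belongs only on the server side of the portal (the App Service backend) and never in the browser.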

The Admin application registration is now complete. Next, we need to register one more application, for Pre-Auth approval.

Again, go to Azure Active Directory > App registrations and click New application registration.

Enter the name B2B Pre-Authentication App, Application type: Web app/API, and a placeholder Sign-on URL such as https://willenterthisURL-Later

We will replace this Sign-on URL with the real one later in the series. For now any value will do, since the field is mandatory and you cannot continue without it.

Click on Settings

Select Required permissions and click Add.

Select Microsoft Graph

Under "Required permissions", you will again add the Microsoft Graph API. This time you only need to check one item:

  • DELEGATED PERMISSIONS
    • Sign in and read user profile (User.Read)

Click on Done

Click Grant Permissions.

Click Yes to grant the permission.

Now we need to generate a key for the Pre-Auth application as well.

Click Keys, type Key1 in the description, select an expiry (in years) and click Save.

Copy the generated key value now. Once you leave this blade it cannot be retrieved again, so make sure it is copied correctly and stored safely for use in the later stage.

Go to Properties and set Multi-tenanted to Yes. This lets users from any Azure AD tenant sign in to the Pre-Auth app, which is what allows external users to authenticate. It also means Azure AD will issue a valid token for a user from any tenant, so the portal itself has to decide which tenants and domains it trusts.

Go back, open the Manifest of the B2B Pre-Authentication app, search for oauth2AllowImplicitFlow, set it to true and click Save. This lets the portal's browser-side code receive tokens directly in the sign-in response (in the URL fragment). Microsoft now recommends the authorization code flow with PKCE over the implicit flow for new applications; if you enable implicit flow as described here, make sure the backend validates every token it receives rather than trusting what the browser hands it.
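Since the Pre-Auth app now accepts sign-ins from any Azure AD tenant, the portal must decide for itself which tenants and domains are trusted before treating a request as auto-approved. The following is an added example, not the article's code, of the claim checks the backend should apply to the id_token the implicit flow returns. The App ID, the domain list (a stand-in for the auto-approved domains the article mentions), the claim values and the nonce are all constructed placeholders, and the token signature is assumed to have been verified already with a JWT library against the issuing tenant's published keys.

```python
"""Claim policy for id_tokens received by the multi-tenant Pre-Auth app
(added example, not the article's code).

With Multi-tenanted = Yes, Azure AD will issue a perfectly valid id_token for
this app to a user from any tenant, so the portal has to decide which tenants
and domains it trusts. AUTO_APPROVED_DOMAINS is a constructed stand-in for the
auto-approved domains the article mentions; PRE_AUTH_APP_ID is a placeholder.
Signature verification (RS256 against the issuing tenant's published keys) is
assumed to be done by a JWT library before these checks run.
"""
import base64
import json
import time
from typing import Optional, Tuple

PRE_AUTH_APP_ID = "11111111-2222-3333-4444-555555555555"   # placeholder, assumed
AUTO_APPROVED_DOMAINS = {"partner.example", "contoso.com"}  # constructed sample


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with an empty signature (only for constructing test input)."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64(json.dumps(claims).encode())}."


def decode_payload(id_token: str) -> dict:
    """Return the payload of a compact JWT (no signature check here, by design)."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_claims(claims: dict, expected_nonce: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for an already signature-verified id_token payload."""
    now = time.time() if now is None else now
    if claims.get("aud") != PRE_AUTH_APP_ID:
        return False, "token was issued for a different application"
    tid = claims.get("tid")
    # The v1 and v2 endpoints use different issuer formats; both embed the tenant id,
    # and a multi-tenant app can only validate the issuer relative to that id.
    valid_issuers = (
        f"https://sts.windows.net/{tid}/",
        f"https://login.microsoftonline.com/{tid}/v2.0",
    )
    if not tid or claims.get("iss") not in valid_issuers:
        return False, "issuer does not match the tid claim"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed or foreign token)"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token not yet valid or expired"
    # The two endpoint versions use different claim names for the sign-in name.
    name = claims.get("preferred_username") or claims.get("upn") or claims.get("email") or ""
    domain = name.rpartition("@")[2].lower()
    if domain not in AUTO_APPROVED_DOMAINS:
        return False, f"domain {domain!r} is not auto-approved; hold for Guest Inviter review"
    return True, f"auto-approved domain {domain!r}"


if __name__ == "__main__":
    # Constructed sample token from a partner tenant.
    token = make_unsigned_token({
        "aud": PRE_AUTH_APP_ID, "tid": "t-partner",
        "iss": "https://login.microsoftonline.com/t-partner/v2.0",
        "nonce": "n1", "nbf": 1000, "exp": 2000,
        "preferred_username": "bob@partner.example",
    })
    print(check_claims(decode_payload(token), "n1", now=1500))
```

The order of the checks matters: audience and issuer first, so a token minted for some other app or by some other tenant is rejected before any business logic looks at the domain; the domain check is the only step that is specific to this portal, and requests that fail it should land in the Guest Inviter queue rather than being dropped.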

Now copy the Application IDs of the Admin app and the Pre-Auth app, the two keys you generated, and the Tenant ID (shown as Directory ID under Azure Active Directory > Properties).

So far we have five values copied and two applications registered.

In the next article, we will see how to deploy the application using Azure App Service and Cosmos DB.

For Part 2 of this series, see How to Create Guest Access Portal for External Users Management – Part 2
