Objective: Login with an Azure AD account
Test the login scenario with email@example.com:
Go to myapps.microsoft.com.
You will notice the published SharePoint site.
Click on Roy Kim’s SharePoint.
The user is authenticated but not authorized to the SharePoint site.
So, what’s the issue?
The UPN has to be mapped between the Azure AD account and the on-premises AD account. The Azure AD account’s domain is spb2b.onmicrosoft.com. Ideally, you would go by the organization’s custom domain. Since my lab’s domain is contoso.com and I can’t take ownership of it and verify it in Azure AD, I have to settle for spb2b.onmicrosoft.com.
I have also added an alternative UPN suffix, rkim.ca, for user accounts ending with @rkim.ca.
Go to Active Directory Users and Computers.
Find the user to log in with, right-click it, and open Properties.
Change the UPN to the new suffix.
Attempt to sign in to the SharePoint application:
Go to https://roykimspublishedsharepoint-spb2b.msappproxy.net
You get redirected to the sign-in page.
Log in with firstname.lastname@example.org.
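The UPN suffix and user changes above can be scripted and, more usefully, checked after the next Azure AD Connect sync. The following is an added example, not code from the original post; it assumes the ActiveDirectory and AzureAD PowerShell modules, an elevated domain-joined session, and that Connect-AzureAD has already been run. The suffix rkim.ca and tenant domain spb2b.onmicrosoft.com come from the post; the sample user jdoe is constructed.

```powershell
# Added example (not from the original post). Registers the alternate UPN suffix,
# moves one user onto it, then verifies the synced Azure AD UPN matches the
# on-premises UPN. A mismatch is the "authenticated but not authorized" symptom:
# Azure AD issues a token for one identity while KCD looks up another.
param(
    [string]$SamAccountName = 'jdoe',                    # constructed sample user
    [string]$UpnSuffix      = 'rkim.ca',                 # alternate suffix from the post
    [string]$TenantDomain   = 'spb2b.onmicrosoft.com'    # tenant default domain from the post
)
Import-Module ActiveDirectory

# 1. Add the alternate UPN suffix at the forest level (skip if already present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $UpnSuffix}
}

# 2. Change the user's UPN, which is what the ADUC Account tab does by hand.
$user   = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$newUpn = "$($user.SamAccountName)@$UpnSuffix"
if ($user.UserPrincipalName -ne $newUpn) {
    Set-ADUser -Identity $user -UserPrincipalName $newUpn
}

# 3. After Azure AD Connect has synced, find the cloud object by its on-prem SID
#    (not by UPN, because the UPN is exactly what might have been rewritten).
$cloudUser = Get-AzureADUser -All $true |
    Where-Object { $_.OnPremisesSecurityIdentifier -eq $user.SID.Value }

if (-not $cloudUser) {
    Write-Warning "No synced Azure AD object for $SamAccountName yet; wait for the sync cycle."
} elseif ($cloudUser.UserPrincipalName -ne $newUpn) {
    # Azure AD replaces an unverified suffix with the tenant default domain.
    Write-Warning ("UPN mismatch: on-prem '{0}' vs Azure AD '{1}'. " +
                   "Verify '{2}' in Azure AD or use the '{3}' suffix on-prem.") -f
                   $newUpn, $cloudUser.UserPrincipalName, $UpnSuffix, $TenantDomain
} else {
    Write-Output "UPN '$newUpn' matches in AD and Azure AD; KCD lookup will resolve the same user."
}
```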
Can user accounts that do NOT exist in the on-premises AD be added to Azure AD?
It is important to understand that Azure AD Connect synchronizes accounts only one way, from AD to Azure AD. What I was hoping for from Azure AD Connect was some user write-back capability. User write-back is not currently supported, as noted in this article. It would have been nice if, when I create a user account in Azure AD, that account then gets created in the on-premises AD. A SharePoint site admin could then add the AD user to the site with the appropriate permissions. But this is not a supported scenario.
To recap, I have demonstrated authentication into SharePoint with an Azure AD account. However, to add any external accounts, the caveat is that you have to add the account to your on-premises AD with a supported alternate UPN suffix. This likely wouldn’t be practical in real-world enterprise scenarios, but perhaps so in an isolated extranet environment.
I would recommend this type of solution if you simply want to publish on-premises applications such as SharePoint Server without the need for Windows Server WAP and ADFS.
I hope this blog series demonstrated my journey through the configuration details and what works or doesn’t work to support Azure AD login using Azure Application Proxy for an internet-facing SharePoint site.
An alternative approach with some advantages would be SAML claims-based authentication with Azure AD. This could potentially be a future blog article, as I wait for SAML 1.1 support in Azure AD, since Azure Control Services, which supported SAML 1.1 token conversion for SharePoint, is deprecated as of summer 2017.
References:
Add User Principal Name Suffixes
Azure AD vs Azure AD B2C vs Azure AD B2B
What is the Access Panel?