Recently at Content and Code, I needed to be able to provide an external user (someone outside of our organisation) with access to an Azure subscription using Azure RM RBAC. The Azure portal interface implies that you can just add them straight away and the details they need in order to connect will just be sent to them:
However, no email is ever received by the recipient, and manually logging into the Azure Portal doesn’t show them the subscription/resource group/resource you’ve delegated.
To solve this, you need to use Azure Active Directory B2B to invite them, have them accept the invitation and then add the permissions. The way to invite external users for Azure B2B is in the old portal (for now) under the option “Users in partner companies”:
Never used Azure B2B before? I’m hoping to write a blog post about it, but most of what you need in order to invite them will be in the Azure B2B documentation linked from the ❔ next to “CSV FILE” in the screenshot above. I’ve copied their Sample CSV below.
Email,DisplayName,InvitationText,InviteRedirectUrl,InvitedToApplications,InvitedToGroups,CcEmailAddress,Language
[email protected],Walter Harp,Hi Walter! I hope you’ve been doing well.,,cd3ed3de-93ee-400b-8b19-b61ef44a0f29,,[email protected],en
[email protected],Jeff Smith,Hi Jeff! I hope you’ve been doing well.,,cd3ed3de-93ee-400b-8b19-b61ef44a0f29,,[email protected],en
[email protected],Ben Smith,Hi Ben! I hope you’ve been doing well.,,cd3ed3de-93ee-400b-8b19-b61ef44a0f29,,[email protected],en
Ignore the InvitedToApplications, InvitedToGroups and InviteRedirectUrl columns in this file – we don’t need them for Azure access. Once you upload this file, the user should receive an email with a link to accept the invite. You can now add permissions for them to the Azure resource (or resource group, or even the subscription). Then, when they navigate to the Azure Portal (https://portal.azure.com), they should be able to see the subscription/resource group in the relevant list.
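As an added example (not code from the original post or from Microsoft), here is one way to generate the upload file in the sample's column layout with Python, leaving the three unneeded columns empty. The function names, the `allowed_domains` partner list and the `.example` addresses are assumptions of this example; it rejects commas and quotes instead of quoting them because the sample above shows only unquoted fields.

```python
import csv
import io
import re

# Column order copied from the sample CSV on this page.
COLUMNS = ["Email", "DisplayName", "InvitationText", "InviteRedirectUrl",
           "InvitedToApplications", "InvitedToGroups", "CcEmailAddress",
           "Language"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_field(value):
    """Reject characters that would shift columns in an unquoted CSV row."""
    if any(ch in value for ch in ',"\r\n'):
        raise ValueError(f"field contains a CSV metacharacter: {value!r}")
    return value.strip()


def build_invite_csv(guests, cc_email, allowed_domains, language="en"):
    """guests: iterable of (email, display_name, invitation_text)."""
    allowed = {d.lower() for d in allowed_domains}
    seen = set()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(COLUMNS)
    for email, name, text in guests:
        email = check_field(email).lower()
        if not EMAIL_RE.match(email):
            raise ValueError(f"not an e-mail address: {email!r}")
        # Hypothetical safeguard: a mistyped domain would send the invite,
        # and later the access, to someone in the wrong organisation.
        if email.rsplit("@", 1)[1] not in allowed:
            raise ValueError(f"domain not on the partner list: {email}")
        if email in seen:
            raise ValueError(f"duplicate invite: {email}")
        seen.add(email)
        # InviteRedirectUrl, InvitedToApplications and InvitedToGroups stay
        # empty: they are not needed for Azure access.
        writer.writerow([email, check_field(name), check_field(text),
                         "", "", "", check_field(cc_email), language])
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample data; example domains only.
    print(build_invite_csv(
        [("walter@partner.example", "Walter Harp", "Hi Walter!")],
        cc_email="admin@home.example",
        allowed_domains={"partner.example"}))
```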