This guide provides instructions for configuring your OIDC-based Azure AD federation to support guest users within Bentley Identity Management System (IMS).
If you have not already set up Azure AD OIDC federation, please review this Azure AD OIDC guide and note in your request below that you would like to utilize Azure B2B in addition to normal federation.
Azure AD provides functionality to invite guest users to your Azure AD tenant. This allows the user to maintain a “guest identity” inside your tenant, which can be granted access to your internal resources and access applications set up in your environment. This guest account is maintained by your tenant, but the guest authenticates with their primary domain credentials, not guest credentials.
If you wish to use guest users, there are some limitations regarding the capabilities of guest users with Bentley IMS. As with all federations in our environment, when a user signs in through your federation, they are automatically assigned to your user directory inside of Bentley IMS. This means that your organization is responsible for providing the necessary licensing for these users.
Guest users in your Azure AD tenant will be treated the same as normal users from your federation and will appear with a guest identify of the form username_externaldomain_EXT_@yourdomain.com format.
Warning: Usage incurred by guest users is covered by your organization. To limit costs, consider using the access controls provided in Entitlement Management as described in the following best practices.
Finally, submit a federation request to enable B2B functionality since special logic is required to create IMS logins based on guest accounts properly.