Welcome to Agustín Hernán Borrajo's cloud consulting microsite!

 The main purpose of this website is to share my 20+ years of experience in Hybrid Cloud Infrastructure & Cybersecurity.
 A detailed description of concrete work experience and skills can be found in my 2025 resume.
 You can explore and read my online technical articles by expanding the menu below:

 Validating Azure B2B Guest User accounts using OIDC/OAuth2 via MS Entra ID and MS Authenticator.

 Application Lifecycle Management (ALM) usually involves planning, development, testing, deployment, and maintenance stages.
 Identity and Access Management (IAM) is also a key component: it defines and enforces who can reach your application and what they are allowed to do.
 User authentication can be implemented via SAML or OIDC, while delegated authorization to resources relies on OAuth 2.0 ( OIDC itself is an identity layer built on top of OAuth 2.0 ).
 In this article we review the grant known as the 'OAuth 2.0 authorization code grant' as implemented by Microsoft Entra ID.
 The intent of this Proof of Concept (PoC) exercise is to show that Azure B2B external guest users can verify their accounts against the tenant.
 It is worth noticing that the account verification/validation takes place at Entra ID, so it works even if the application has no authentication layer yet: the Test-App only receives the final redirect and nothing on its side redeems the authorization code.
 In layman's terms: B2B guest users can verify their accounts and register their MFA method while they wait for the app authentication layer to be operational.
 Below you can find how to enable an external B2B collaborator to request an authorization code, including the redirect to a Test-App.

 🔸step_1 : We create a new app registration in the Azure Portal using the Single-page application (SPA) platform, including the redirect URI.
 The redirect URI will be in this case our Test-App http://agu.20m.com/gni/ ( where authentication is not yet set up ).
 Both the Home page URL and the Test-App redirect URI are the same for our 'OAuth 2.0 authorization code grant' exercise.
 Note that a plain-HTTP redirect URI delivers the authorization code in the clear to any on-path observer: acceptable for a PoC only, never in production, where the redirect URI must be HTTPS ( Entra ID's redirect URI rules only exempt localhost ).
 Fine-grained updates can be applied by directly editing the JSON MS Graph app manifest property values, also via the Azure Portal.
 For the purpose of this PoC we enable 'Access tokens' and 'ID tokens' as well as 'Allow public client flows'.
 Caveat: the 'Access tokens' and 'ID tokens' checkboxes enable the legacy implicit grant; the SPA platform uses the authorization code flow with PKCE and does not need them ( see 'prefer-the-auth-code-flow' in the links below ), so in a real deployment leave them disabled unless a legacy client depends on them.



 🔸step_2 : An external user needs to be invited to the default MS Entra ID directory by creating a new guest user ( user_id ) via 'Invite external user'.
 The B2B invitation state becomes 'Pending acceptance' and the invited user ( agustinborrajo@agu.20m.com ) receives the invite.
 The onboarding email comes from invites@microsoft.com on behalf of our Azure domain and shows the associated tenant_id.


 🔸step_3 : We accept the invitation sent to agustinborrajo@agu.20m.com and afterwards follow the account verification flow.
 Our account will be fully validated once we enter the verification code, grant the requested permissions ( consent ) and register the MS Authenticator app.
 A second device with internet access ( smartphone ) takes part in this process, since a QR code needs to be scanned.
 The Microsoft Authenticator app gets successfully registered and is listed as an available authentication method for the guest account.
 The B2B invitation state is now 'Accepted', and evidence is available in the Audit Logs and Sign-in Logs for tracking purposes.
 The Enterprise Application entry ( the service principal linked to the previously created app registration ) lets us assign the guest user to it under 'Users and groups'.
 We get the APP_launcher_URL from myapplications.microsoft.com and embed it as a link in http://agu.20m.com/gni/



 🔸step_4 : Now it is time to access http://agu.20m.com/gni/ from an incognito session to make sure no cookies are carried over.
 The user's public IP, reverse DNS, client DNS resolver IP and ISP info get displayed for eventual identity validation troubleshooting.
 The 'OAuth 2.0 authorization code flow ⇨ External_ID Validation' link starts the guest ID authorization request.
 A sign-in User_ID is requested ( we enter agustinborrajo@agu.20m.com ) and the 'Account verification code' is then sent.
 The account verification code arrives in the subject of an email coming from accountprotection.microsoft.com
 When the code is entered we get authorized and redirected back ( by Entra ID, not by the Test-App ) to http://agu.20m.com/gni/ with the authorization code appended to the redirect URL; the Test-App does nothing with it yet.
 If we hit 'OAuth 2.0 authorization code flow ⇨ External_ID Validation' again, no User_ID is requested and no code is sent.
 Only a redirect to http://agu.20m.com/gni/ occurs, since the Entra ID session is still in place via its session cookies and a new authorization code is issued silently. ⯇ Success !
 When browsing history and cookies are deleted, both SessionCacheKey.CurrentTenantIdKey & AppIdCookieKey get erased,
 and 'OAuth 2.0 authorization code flow ⇨ External_ID Validation' will again ask for the User_ID and a verification code.


 Additional knowledge on authentication and authorization can be found below:

 v2-oauth2-auth-code-flow
 single-page-apps
 prefer-the-auth-code-flow
 msaljs-20
 reference-app-manifest
 RFC 6749 The OAuth 2.0 Authorization Framework
 RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
 sso-oauth2-vs-oidc-vs-saml


 This article was originally published on 2025-MAY-11 and last reviewed on 2025-MAY-11.