Powershell to setup Azure AD B2C Guests as users in CRM

Imagine a scenario where you want to add guest users from another Azure AD tenant to your own tenant so that they can use your CRM instance. This could be a B2B collaboration story, or it could be a story of mergers and acquisitions.

In this case we have a business with a parent and 2 child organisations.  The parent organisation is creating a CRM solution and workers from the 2 child organisations will all work together processing customer cases. All organisations have Office 365 and the like so we are probably starting with a diagram like the below.

When the users start to collaborate on Acme’s instance of Dynamics, the diagram will look like the below, with the red arrow showing the system the users are trying to access.

In Acme, however, users from Fabrikam and Contoso will be invited as guest users into Acme’s Azure AD. This creates them as guest users using the Azure AD B2B features, which means that a user from Fabrikam will federate back to their own Azure AD tenant to authenticate. They will need to be assigned a CRM license in Acme’s tenant and also added to any Azure AD groups used by CRM. Once this is done they will appear in CRM and can be assigned roles.

Splitting the work required between an Azure AD admin and a CRM admin, in this post I'd like to show a script that you could use to do the Azure bit. This script will:

  1. Create the user in Azure AD as a guest
  2. Send an invite from Azure AD to their email asking them to join our tenant
  3. Add the user to an Azure AD group which has already been configured with CRM to make them appear in its users list
  4. Assign a CRM license to the user

Note that to do this we use a csv file as the input to the powershell script so we can process users in batch if required.

The csv file looks like the following:

With this input we can now run our powershell script which is below.

# The AzureAD module needs a policy that allows downloaded modules to load;
# RemoteSigned is normally enough, Unrestricted is what the original used.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Install-Module AzureAD
Get-Module AzureAD


function ProcessInviteFile()
{
    # Each row of the csv needs a 'Name' and an 'InvitedUserEmailAddress' column
    $invitations = Import-Csv C:\Admin\AzureAD\Users.csv

    # Custom text that goes into the invitation email
    $messageInfo = New-Object Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
    $messageInfo.CustomizedMessageBody = "Hi! We would like you to join us on Dynamics CRM"

    # The Azure AD group already configured in CRM; look it up once, not once per user
    $ProdGroup = Get-AzureADGroup -Filter "DisplayName eq 'CRM_Prod'" -ErrorAction Stop

    # The CRM licence SKU; fail early if the tenant does not have it rather than
    # assigning an empty SkuId later on
    $LicenseSku = Get-AzureADSubscribedSku -ErrorAction Stop | Where-Object { $_.SkuPartNumber -eq 'CRMSTANDARD' }
    if (-not $LicenseSku) { throw "Licence SKU 'CRMSTANDARD' was not found in this tenant" }

    foreach ($email in $invitations)
    {
        Write-Host 'Inviting User - ' $email.Name
        # Creates the guest object in our tenant and sends the B2B invitation email
        $newuser = New-AzureADMSInvitation -InvitedUserEmailAddress $email.InvitedUserEmailAddress `
            -InvitedUserDisplayName $email.Name -InvitedUserMessageInfo $messageInfo `
            -SendInvitationMessage $true -InviteRedirectUrl 'https://portal.office.com' -ErrorAction Stop
        Write-Host $newuser
        Write-Host 'Done Invite '


        Write-Host 'Configuring User - ' $email.Name

        # Work out the UPN Azure AD gives the guest: the external email with '@'
        # replaced by '_', then '#EXT#@' and the inviting tenant's initial domain
        [string]$emailAddress = $email.InvitedUserEmailAddress
        $friendlyEmail = $emailAddress.Replace("@", "_")
        $upn = $friendlyEmail + "#EXT#@fabrikam.onmicrosoft.com"

        Write-Host $upn
        # Confirms the guest object can be found; the result is not used further
        $User = Get-AzureADUser -SearchString $newuser.InvitedUserEmailAddress -ErrorAction Stop
        # A usage location must be set before a licence can be assigned
        Set-AzureADUser -ObjectId $newuser.InvitedUser.Id -UsageLocation 'GB' -ErrorAction Stop

        #Add User To Groups
        Add-AzureADGroupMember -ObjectId $ProdGroup.ObjectId -RefObjectId $newuser.InvitedUser.Id -ErrorAction Stop

        #Add CRM License
        $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
        $License.SkuId = $LicenseSku.SkuId
        $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
        $AssignedLicenses.AddLicenses = $License
        Set-AzureADUserLicense -ObjectId $newuser.InvitedUser.Id -AssignedLicenses $AssignedLicenses -ErrorAction Stop
        Write-Host 'Done'
    }
}


$cred = Get-Credential
Connect-AzureAD -Credential $cred
ProcessInviteFile
Write-Host 'All Done'


The one important thing to note about the powershell is the formatting of the external email address, which is used in Acme’s tenant as the UPN. This has a fixed format, and there is a bit of the script that works out what the UPN will be from the email supplied. As written, this script is specific to Fabrikam users, but you could easily modify the script or do something more fancy with the conversion of email address to UPN when looking up the user.
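The UPN conversion above is hard-coded to one domain and the script does not check afterwards that each guest actually ended up licensed and in the group. The following is an added example, not code from the original post: it generalises the email-to-UPN rule the post describes (replace '@' with '_', append '#EXT#@' and the inviting tenant's initial domain, passed in as a parameter), validates the address before it is used, and reports whether a guest is a Guest-type user with a usage location, group membership and the CRM licence. The tenant domain 'acme.onmicrosoft.com' is a placeholder, and the function names are my own; it assumes Connect-AzureAD has already been run with the same AzureAD module the post uses.

```powershell
# Added example (not part of the original post). Assumes the AzureAD module is
# loaded and Connect-AzureAD has been run. 'acme.onmicrosoft.com' below is a
# placeholder for the inviting tenant's initial domain.

function ConvertTo-GuestUpn {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [Parameter(Mandatory)][string]$TenantInitialDomain   # e.g. 'acme.onmicrosoft.com' (placeholder)
    )
    # Reject malformed csv input before it reaches New-AzureADMSInvitation
    try { $null = [System.Net.Mail.MailAddress]$EmailAddress }
    catch { throw "Not a valid email address: '$EmailAddress'" }

    # B2B guest UPN: local part and domain joined with '_', then '#EXT#@<tenant initial domain>'
    return ($EmailAddress.Replace('@', '_') + '#EXT#@' + $TenantInitialDomain)
}

function Test-GuestReady {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [Parameter(Mandatory)][string]$TenantInitialDomain,
        [string]$GroupDisplayName = 'CRM_Prod',       # group name used in the post
        [string]$SkuPartNumber    = 'CRMSTANDARD'     # SKU used in the post
    )
    $upn = ConvertTo-GuestUpn -EmailAddress $EmailAddress -TenantInitialDomain $TenantInitialDomain

    # -ObjectId accepts either an object id or a UPN, so the derived UPN can be used directly
    $user = Get-AzureADUser -ObjectId $upn -ErrorAction Stop

    # Escape single quotes so a group name cannot break out of the OData filter string
    $safeGroupName = $GroupDisplayName.Replace("'", "''")
    $group   = Get-AzureADGroup -Filter "DisplayName eq '$safeGroupName'" -ErrorAction Stop
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true

    $sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "Licence SKU '$SkuPartNumber' was not found in this tenant" }

    [pscustomobject]@{
        Upn              = $upn
        IsGuest          = ($user.UserType -eq 'Guest')
        HasUsageLocation = -not [string]::IsNullOrEmpty($user.UsageLocation)
        InGroup          = [bool]($members | Where-Object { $_.ObjectId -eq $user.ObjectId })
        Licensed         = [bool]($user.AssignedLicenses | Where-Object { $_.SkuId -eq $sku.SkuId })
    }
}

# Usage: run against the same csv the post's script consumes (columns Name, InvitedUserEmailAddress)
Import-Csv C:\Admin\AzureAD\Users.csv | ForEach-Object {
    Test-GuestReady -EmailAddress $_.InvitedUserEmailAddress -TenantInitialDomain 'acme.onmicrosoft.com'
} | Format-Table
```

A row with any false column is a guest who was invited but is not yet usable in CRM, which is the state the post's script can leave behind if one of the later cmdlets fails after the invitation has gone out. Note that the AzureAD module this post relies on has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, so the same checks would need to be ported to the Graph cmdlets on a current tenant.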

Job done


About the Author: michaelstephensonuk