Grant B2B users in Azure AD Access to On-premises Applications (AADAP)
Overview
Azure AD Application Proxy acts as a reverse proxy and is able to publish our on-premises applications. Additionally, it can integrate Azure AD pre-authentication in order to further protect access to these applications.
We may run into a scenario where an internal web application has already been configured for IWA (Integrated Windows Authentication) and we have configured KCD (Kerberos Constrained Delegation) single sign-on. This combination leads to a problem when a B2B guest user authenticates. See the picture below:
The issue is caused by the B2B user objects missing from the on-premises Active Directory. Microsoft provides two solutions for this scenario; please refer to the documentation below:
This article discusses the lightweight solution, which creates the B2B guest user objects in AD through an Azure AD B2B sync script so that IWA SSO can succeed for those users.
1. B2B to AD Sync Script
You can download the script from the GitHub page below:
https://github.com/Azure-Samples/B2B-to-AD-Sync
Please refer to the readme file for the instructions.
2. Supplementary information to prepare before running the script
This section assumes that you already have a general understanding of the operational steps.
I have added some major checkpoints based on the readme and on potential issues that may be encountered.
2.1 Major Checkpoints
1. We will use our Domain Controller server to perform all steps.
2. We use the command from the GitHub page to create a self-signed certificate. Note that this produces a certificate with its private key in the local machine store and a public key certificate file at the output path. Export the certificate with its private key as a .pfx file and import it into the current user store as well.
3. Create an App Registration entry and upload the public key certificate to it.
Record the Thumbprint for later use.
4. The App Registration entry is used for automation. Since admin consent has already been granted on the app, the user running the PowerShell script is no longer required to authenticate and consent interactively. However, you can still consent to the Graph API permissions yourself:
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All"
5. On your Domain Controller, create two OUs, e.g. “B2BGuestUsers” and “DisabledB2BGuestUsers”, and record their distinguished names for later use.
6. Open an elevated PowerShell session and install the Microsoft Graph and Active Directory modules:
Install-WindowsFeature RSAT-AD-PowerShell
Install-Module Microsoft.Graph -Scope AllUsers
7. Next, modify the B2B sync script to suit your tenant and AD settings.
8. For B2BGroupID, you need to create a security group in Azure AD and put the B2B users into that group; the group's Object ID is the value the script expects.
9. In Active Directory Domains and Trusts, add the *.onmicrosoft.com domain of your tenant.
10. Finally, run the script with the command below and you will see the B2B users created in the OU:
.\B2B-AAD-to-AD-Sync.ps1
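Before running the sync script, it helps to verify the checkpoints above in one pass. The following pre-flight check is an added example written for this article, not part of the B2B-to-AD-Sync sample; every GUID, thumbprint and distinguished name in it is a placeholder to replace with your own, and it assumes that the tenant's *.onmicrosoft.com domain must be present as a UPN suffix in the forest for the guest UPNs to be accepted.

```powershell
# Pre-flight check for the B2B-to-AD-Sync prerequisites (added example; placeholders below).
$TenantId       = '00000000-0000-0000-0000-000000000000'    # placeholder: tenant ID
$AppId          = '11111111-1111-1111-1111-111111111111'    # placeholder: App Registration client ID
$CertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder: thumbprint from step 3
$B2BGroupId     = '22222222-2222-2222-2222-222222222222'    # placeholder: B2BGroupID from step 8
$OUs = @('OU=B2BGuestUsers,DC=contoso,DC=local',              # placeholder DNs from step 5
         'OU=DisabledB2BGuestUsers,DC=contoso,DC=local')

$problems = [System.Collections.Generic.List[string]]::new()

# Step 6: the AD module and the Graph sub-modules the sync script imports must be installed.
foreach ($m in 'ActiveDirectory', 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Groups', 'Microsoft.Graph.Users') {
    if (-not (Get-Module -ListAvailable -Name $m)) { $problems.Add("Module missing: $m") }
}

# Step 2: the certificate must be in the CurrentUser store WITH its private key,
# otherwise app-only Connect-MgGraph cannot sign the client assertion.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $CertThumbprint
if (-not $cert) { $problems.Add("Certificate $CertThumbprint not found in CurrentUser\My") }
elseif (-not $cert.HasPrivateKey) { $problems.Add("Certificate $CertThumbprint has no private key; import the .pfx") }

# Step 5: both OUs must resolve to existing objects.
foreach ($dn in $OUs) {
    try { $null = Get-ADOrganizationalUnit -Identity $dn }
    catch { $problems.Add("OU not found: $dn") }
}

# Steps 4, 8 and 9: sign in app-only with the certificate (needs User.Read.All and
# Group.Read.All as application permissions), confirm the group really holds guests,
# and check that each guest's UPN suffix is known to the forest.
if ($problems.Count -eq 0) {
    Connect-MgGraph -TenantId $TenantId -ClientId $AppId -CertificateThumbprint $CertThumbprint
    $forest   = Get-ADForest
    $suffixes = @($forest.Domains) + @($forest.UPNSuffixes)
    $guests = Get-MgGroupMember -GroupId $B2BGroupId -All |
        ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName, UserType } |
        Where-Object UserType -eq 'Guest'
    if (-not $guests) { $problems.Add("Group $B2BGroupId contains no Guest users") }
    foreach ($g in $guests) {
        $suffix = $g.UserPrincipalName.Split('@')[-1]   # e.g. tenant.onmicrosoft.com
        if ($suffix -notin $suffixes) { $problems.Add("UPN suffix '$suffix' is not registered in Active Directory Domains and Trusts") }
    }
    Disconnect-MgGraph | Out-Null
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'All prerequisites satisfied; you can run .\B2B-AAD-to-AD-Sync.ps1'
```

Run it from the same elevated session on the Domain Controller that will execute the sync script, so that the certificate store and module checks reflect the account that actually runs it.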
2.2 Limitations & Known Issue
to be continued…