Commit 2985fc3

Merge pull request #106258 from msmimart/mm-b2b-govt
[B2B] Update B2B variations and limitations in Azure US Government cloud tenants
2 parents e4969be + de0484d commit 2985fc3

3 files changed

+29
-4
lines changed

articles/active-directory/b2b/current-limitations.md

Lines changed: 15 additions & 0 deletions
@@ -31,6 +31,21 @@ Azure AD B2B is subject to Azure AD service directory limits. For details about
3131
## National clouds
3232
[National clouds](https://docs.microsoft.com/azure/active-directory/develop/authentication-national-cloud) are physically isolated instances of Azure. B2B collaboration is not supported across national cloud boundaries. For example, if your Azure tenant is in the public, global cloud, you can't invite a user whose account is in a national cloud. To collaborate with the user, ask them for another email address or create a member user account for them in your directory.
3333

34+
## Azure US Government clouds
35+
Within the Azure US Government cloud, B2B collaboration is currently only supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that isn't part of the Azure US Government cloud or that doesn't yet support B2B collaboration, the invitation will fail or the user won't be able to redeem the invitation. For details about other limitations, see [Azure Active Directory Premium P1 and P2 Variations](https://docs.microsoft.com/azure/azure-government/documentation-government-services-securityandidentity#azure-active-directory-premium-p1-and-p2).
36+
37+
### How can I tell if B2B collaboration is available in my Azure US Government tenant?
38+
To find out if your Azure US Government cloud tenant supports B2B collaboration, do the following:
39+
40+
1. In a browser, go to the following URL, substituting your tenant name for *<tenantname>*:
41+
42+
`https://login.microsoftonline.com/<tenantname>/v2.0/.well-known/openid-configuration`
43+
44+
2. Find `"tenant_region_scope"` in the JSON response:
45+
46+
- If `"tenant_region_scope":"USGOV”` appears, B2B is supported.
47+
- If `"tenant_region_scope":"USG"` appears, B2B is not supported.
48+
3449
## Next steps
3550

3651
See the following articles on Azure AD B2B collaboration:
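Review bot: in step 2 (added line 46) the code span `"tenant_region_scope":"USGOV”` closes with a typographic quote (”) instead of a straight ", so a reader who copies it to search the JSON response gets no match; use a straight quote, as the `"USG"` line below it does. In step 1 (added line 40), *<tenantname>* sits outside a code span with raw angle brackets, which a Markdown renderer can treat as an HTML tag and drop; escape it as &lt;tenantname&gt; there.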

articles/active-directory/b2b/troubleshoot.md

Lines changed: 4 additions & 0 deletions
@@ -94,6 +94,10 @@ If the identity tenant is a just-in-time (JIT) or viral tenant (meaning it's a s
9494

9595
As of November 18, 2019, guest users in your directory (defined as user accounts where the **userType** property equals **Guest**) are blocked from using the AzureAD PowerShell V1 module. Going forward, a user will need to either be a member user (where **userType** equals **Member**) or use the AzureAD PowerShell V2 module.
9696

97+
## In an Azure US Government tenant, I can't invite a B2B collaboration guest user
98+
99+
Within the Azure US Government cloud, B2B collaboration is currently only supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that isn't part of the Azure US Government cloud or that doesn't yet support B2B collaboration, you'll get an error. For details and limitations, see [Azure Active Directory Premium P1 and P2 Variations](https://docs.microsoft.com/azure/azure-government/documentation-government-services-securityandidentity#azure-active-directory-premium-p1-and-p2).
100+
97101
## Next steps
98102

99103
[Get support for B2B collaboration](get-support.md)
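Review bot: the new troubleshooting section (added line 99) says only "you'll get an error", while the same sentence in the other two files of this commit says the invitation will fail or the user won't be able to redeem it; align the wording so the failed-redemption case is covered here as well. The section also links only to the Premium P1 and P2 variations page; linking to the "How can I tell if B2B collaboration is available in my Azure US Government tenant?" heading added in current-limitations.md would point the reader at the actual check.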

articles/azure-government/documentation-government-services-securityandidentity.md

Lines changed: 10 additions & 4 deletions
@@ -40,7 +40,7 @@ Windows Defender ATP installation on Windows VMs via Security Center and the ass
4040
### Notifications
4141

4242
- **Azure activity logs**
43-
User activity in Security Center is not logged in Azure activity logs in Microsoft Azure Government. This means that theres no trace or audit for user performed actions.
43+
User activity in Security Center is not logged in Azure activity logs in Microsoft Azure Government. This means that there's no trace or audit for user performed actions.
4444

4545
### Threat detection
4646

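Review bot: on the changed line 43, "user performed actions" still lacks its hyphen; since the line is already being touched for the "there's" fix, change it to "user-performed actions" in the same edit.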
@@ -142,19 +142,25 @@ All features covered in the above list are available in the US Government cloud
142142

143143
The following Azure Active Directory Premium P1 features are currently not available in Azure Government:
144144

145-
- B2B Collaboration ([vote for this feature](https://feedback.azure.com/forums/558487-azure-government/suggestions/20588554-azure-ad-b2b-in-azure-government))
146145
- Azure Active Directory Domain Services
147146
- Cloud App Security
147+
- B2B Collaboration is available in Azure US Government tenants created after June, 2019. Over time, more tenants will get access to this functionality. See [How can I tell if B2B collaboration is available in my Azure US Government tenant?](../active-directory/b2b/current-limitations.md#how-can-i-tell-if-b2b-collaboration-is-available-in-my-azure-us-government-tenant)
148148

149149
The following features have known limitations in Azure Government:
150150

151+
- Limitations with B2B Collaboration in supported Azure US Government tenants:
152+
- B2B collaboration is currently only supported between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that isn't part of the Azure US Government cloud or that doesn't yet support B2B collaboration, the invitation will fail or the user will be unable to redeem the invitation.
153+
- B2B collaboration via Power BI is not supported. When you invite a guest user from within Power BI, the B2B flow is not used and the guest user won't appear in the tenant's user list. If a guest user is invited through other means, they'll appear in the Power BI user list, but any sharing request to the user will fail and display a 403 Forbidden error.
154+
- Office 365 Groups are not supported for B2B users and can't be enabled.
155+
- Some SQL tools such as SSMS require you to set the appropriate cloud parameter. In the tool's Azure Service setup options, set the cloud parameter to Azure US Government.
156+
151157
- Limitations with the Azure Active Directory App Gallery:
152158
- Pre-integrated SAML and password SSO applications from the Azure AD Application Gallery are not yet available. Instead, use a custom application to support federated single sign-on with SAML or password SSO.
153-
- Rich provisioning connectors for featured apps are not yet available. Instead, use SCIM for automated provisioning.
159+
- Rich provisioning connectors for featured apps are not yet available. Instead, use SCIM for automated provisioning.'
154160

155161
- Limitations with Multi-factor Authentication:
156162
- Hardware OATH tokens are not available in Azure Government.
157-
- Trusted IPs are not supported in Azure Government. Instead, use Conditional Access policies with named locations to establish when Multi-Factor Authentication should and should not be required based off the users current IP address.
163+
- Trusted IPs are not supported in Azure Government. Instead, use Conditional Access policies with named locations to establish when Multi-Factor Authentication should and should not be required based off the user's current IP address.
158164

159165
- Limitations with Azure AD Join:
160166
- Enterprise State Roaming for Windows 10 devices is not available
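Review bot: added line 147 places "B2B Collaboration is available in Azure US Government tenants created after June, 2019" in the list introduced by "The following Azure Active Directory Premium P1 features are currently not available in Azure Government:", so the bullet contradicts its own list heading; move it out of that list or reword it to say which tenants still lack B2B. Separately, the replacement at line 159 ends with a stray apostrophe ("automated provisioning.'") that the removed line 153 did not have, and "June, 2019" should read "June 2019".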
