topic Re: SAML Authentication for Third Party in ArcGIS Online Questions

SAML Authentication for Third Party

khem1000 — Mon, 08 Jun 2026 13:28:16 GMT

Hi,

We are looking to migrate our built-in accounts to SAML set up in Azure AD. There is no issue for internal users who have an AD account.

We also have about 300 external contractors, who currently have access but they do not have their own AGOL license. Some of the users only need temporary access for 3-6 months for a specific project.

Do they need to have full account set up in our Azure AD ?

Or does B2B work i.e. are they added as guests in our Azure AD and by doing SAML claims transform in Azure, they can be authenticated using their own IDP?

Can someone please point me to ESRI architecture documentation how the external users can be set up for authentication using SAML.

Are there any recommended option(s) ?

Thanks

Re: SAML Authentication for Third Party

RyanUthoff — Mon, 08 Jun 2026 13:45:04 GMT

No, they don't necessarily need full access in your Azure AD tenant. All you need to do is invite them as an external user in Azure AD, which essentially adds them as a guest account in your tenant.

When you invite them as an external user, you do NOT manage their account (so no password resets, no email management, etc.). The contractor's organization is still responsible for that. The only thing you can really control is what they have access to within your Azure tenant (such as giving them permissions to AGOL).

On the AGOL side of things, you would manage it the exact same was as your internal users.

And a final note, you can invite non-Microsoft accounts as well. They work just about the same as Microsoft accounts.

Re: SAML Authentication for Third Party

khem1000 — Mon, 08 Jun 2026 14:34:25 GMT

Thanks. This sounds quite promising.

I understand the benefit of using guest accounts, but does the SAML assertion provided for the guest users work reliably without needing further customisation in Azure?

Has anyone got this working?

I assume to revoke access, the user simply need to be removed from Azure and their membership and content deleted in AGOL.

Re: SAML Authentication for Third Party

RyanUthoff — Mon, 08 Jun 2026 14:51:01 GMT

For the purposes of AGOL, it works exactly the same as an Azure AD account that your organization owns. You invite them to your Azure AD tenant, and then the end user needs to accept the invitation from Microsoft. After that, you just set the permissions just as if it were an account that your organization owns.

Yes, I got this working. This is a common workflow.

Again, you would treat revoking access the same as if it were an account that your organization owns. You delete the account and/or content from AGOL, then delete the account from Azure (or at least remove them from the AGOL enterprise app that gives them access to AGOL).

Re: SAML Authentication for Third Party

khem1000 — Mon, 08 Jun 2026 15:09:59 GMT

Thanks for confirming.

This appears straightforward, but I couldn't find any ESRI documentation on using guest accounts.

Re: SAML Authentication for Third Party

RyanUthoff — Mon, 08 Jun 2026 15:18:00 GMT

Yeah, I wouldn't necessarily expect there to be any Esri documentation about it because this is something that is done at the Azure level vs. the Esri level. Just like how Esri doesn't really tell you how to create accounts in Azure. They just tell you how to link Azure to AGOL so you can sign into AGOL with your Azure login.