Our company recently bought another company. The bought company already has its own AD forest and its own Azure tenant. We now want to bring everyone onto the same tenant.
The current setup is like this:
The request is to have everyone on Tenant A. Everything from Tenant B will be migrated to Tenant A. We have already done this process in the past. Usually we created new user accounts in Forest A, which got synced to Tenant A, and thus we had objects on Tenant A onto which to migrate all the stuff from the other tenant.
But this time, instead of creating new user accounts on Tenant A, management wants to use the ability to sync one AD forest to multiple tenants, thus creating the accounts and having exactly the same credentials and keeping the other company's access to their AD forest.
So the next step would be like this:
And once everything is migrated onto Tenant A it will be like this:
So the questions are:
In the "One AD to multiple tenants" scenario only one tenant can have the Exchange hybrid. In our case Agent A (syncing Forest A and Forest B) has the Exchange Hybrid Deployment enabled. Can we use the same agent to have Forest C synced to Tenant A, but without Exchange Hybrid? Or do we need to create a third agent that syncs Forest C to Tenant A, but without Exchange Hybrid?
Since DomainC.com will be moved from Tenant C to Tenant A during migration, it will not be a verified domain on Tenant A before that. So every user we sync from Forest C will be created as user@TenantA.onmicrosoft.com even though in the forest they are user@DomainC.com. Once DomainC.com becomes verified on Tenant A, will the UPN suffix for these users change from @TenantA.onmicrosoft.com to @DomainC.com automatically with the first sync after the domain is verified, or will it remain @TenantA.onmicrosoft.com? If it remains that way, how could we manually change it afterwards?
Could there be any mailbox issues once the Exchange Hybrid sync is disabled from Forest C to Tenant C and enabled from Forest C to Tenant A? The mailboxes would already have been migrated from Tenant C to Tenant A.
I have one Salesforce profile and one permission set in Salesforce. As per the requirement, there are two user personas in our Salesforce application.
Persona 1 -> SF Profile
Persona 2 -> SF Profile + Permission Set
To achieve the above configuration using Azure AD auto-provisioning, we have created two security groups and added the relevant business users to those two groups. Currently, we are struggling to determine the best approach for assigning the Salesforce permission set to the users in the "Persona 2" group.
You already have Single Sign-On configured in SF, right? At the bottom of the page there's a place for a just-in-time (JIT) login handler class.
You'd have to write that class but there are some online examples for ... implements Auth.SamlJitHandler. Once you have the class skeleton ready - use System.debug(JSON.serializePretty(attributes)); or something similar to see what Azure Active Directory sends. Last time I used this AAD couldn't send groups info but it could send role(s). So we determined unique sets of users and if role is X - check if the user has permission set X assigned and if not - assign it. We then expanded it to other SF features (groups, queues, user role, profile...). PermissionSetAssignment is the table you need.
If you don't want to write code for this there's always Identity Connect but that's paid and on-premise agent program (I think). No idea if it can work with AAD. But you'll get simple interface for the mapping.
I need to implement an Azure B2C multi-tenant application, and different customers will also be on-boarded to this application. We need to use Azure B2C to allow users to register with their social accounts.
Do we need to have one B2C tenant per customer, or can we use a single B2C tenant for all customers? What is the best practice around these two options?
Thanks for your help!
It depends on whether the customers are tightly or loosely related to one another.
For example,
Customers comprise Business A, Business B and Business C.
Each customer will have many users.
Customers are completely separate and billing needs to be very distinct
In the above scenario, I would set up different tenants for each 'customer'.
I'd say it is driven by your billing model; read more here, and how manageable is it to set up separate tenants per 'customer'.
We are trying to set up Azure AD connect, but we seem unable to get to the situation we desire.
Our current situation is a local AD where we fill in the email field for all users (and all external users). Our admins have a normal and an admin account. The email for the admin account is the same for all. We don't have Exchange linked to AD, nor do we yet have the possibility to set up ADFS.
I've been trying to set up the sync for the admins only. So let's assume the following situation:
Account 1:
SamAccountName: Admin1
UPN: admin1@company.com
Email: Admin@company.com
Account 2:
SamAccountName: Admin2
UPN: admin2@company.com
Email: admin@company.com
Our first sync stopped after the first one, with the message that the UPN is duplicate.
When checking, AAD had 1 account:
Account 1:
UPN: admin@tenant.onmicrosoft.com
So, I undid everything and started from scratch. This time, I changed account 2 to not have an email. This is the result:
Account 1:
UPN: admin@tenant.onmicrosoft.com
Account 2:
UPN: admin2@tenant.onmicrosoft.com
So basically, we want our UPN to be like SamAccountName@tenant.onmicrosoft.com, but it seems like we need to clear the email field, sync, and fill it in again. A lot of our internal tools currently use the email field, which makes that quite impossible.
I tried changing the Azure AD Connect setup as well, to change the attribute they ask for as UPN to SamAccountName, but either I get errors or it doesn't work. What am I missing?
We also have accounts for external partners, something like this:
SamAccountName: partner_userx
UPN: partner_userx@company.com
email: someuser@externalpartner.com
If I sync this, the AAD UPN was someuser@tenant.onmicrosoft.com.
If I set up everything in staging and take a look at the csexport output, I see nothing special. Just the properties described as they are in my local AD.
For some reason the Sync uses the mail field, which I do not want.
Sorry for the delayed response. Azure AD is picking up the email address as the UPN prefix value and appending your initial domain (e.g. @tenant.onmicrosoft.com) simply because the UPN suffix being synced from on-premises is not a valid/verified domain. If you have the AD:UserPrincipalName set on-premises and its UPN suffix is a verified domain on your Azure tenant, it should work as you expect. Meaning, you'll get the expected UPN value in Azure AD if you sync a UPN suffix with a domain that is verified on the tenant (either a custom domain or the tenant's initial domain).
Taking the example provided:
SamAccountName: partner_userx
UPN: partner_userx@company.com
email: someuser@externalpartner.com
You need to either:
a) set the on-premises UPN as partner_userx@tenant.onmicrosoft.com instead, or;
b) verify the domain 'company.com' on your Azure AD tenant
If neither of these options is feasible, then you'll have to work on some advanced sync rule customization (which is not supported) to map an alternative AD attribute to serve as the source attribute for the UPN, and set this attribute with the alternative UPN value containing a verified domain suffix (e.g. extensionAttribute10 = partner_userx@tenant.onmicrosoft.com)
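A pre-sync check for the behaviour this answer describes, as an added example (not part of the answer above, and not Microsoft's own tooling): it applies the rule "verified UPN suffix is kept; unverified suffix becomes the mail prefix (or the UPN prefix when mail is empty) plus the tenant's initial domain" to each on-premises account, then flags accounts that would collide, which is what produced the "UPN is duplicate" error in the question. The rule is a model of what the answer and the question's observations describe, not an official specification. The verified-domain list and the three sample users are constructed from the question; in practice feed it `Get-ADUser` output and the verified domains from `Get-MgDomain`.

```powershell
# Added example: predict the cloud UPN Azure AD will assign and find collisions before syncing.
# Assumptions: company.com is NOT yet verified on the tenant; initial domain is tenant.onmicrosoft.com.

function Get-PredictedCloudUpn {
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [AllowEmptyString()]   [string]   $Mail,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains,
        [Parameter(Mandatory)] [string]   $InitialDomain
    )
    $upnPrefix, $upnSuffix = $UserPrincipalName -split '@', 2
    if ($VerifiedDomains -contains $upnSuffix) {
        # Verified suffix: Azure AD keeps the on-premises UPN.
        return $UserPrincipalName.ToLowerInvariant()
    }
    # Unverified suffix: prefix comes from 'mail' when present (as observed in the question),
    # otherwise from the UPN, and the suffix is replaced with the initial domain.
    $prefix = if ([string]::IsNullOrWhiteSpace($Mail)) { $upnPrefix } else { ($Mail -split '@', 2)[0] }
    return ('{0}@{1}' -f $prefix, $InitialDomain).ToLowerInvariant()
}

function Test-UpnSyncReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,          # objects with SamAccountName, UserPrincipalName, Mail
        [Parameter(Mandatory)] [string[]] $VerifiedDomains,
        [Parameter(Mandatory)] [string]   $InitialDomain
    )
    $predicted = foreach ($u in $Users) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            OnPremUpn         = $u.UserPrincipalName
            Mail              = $u.Mail
            PredictedCloudUpn = Get-PredictedCloudUpn -UserPrincipalName $u.UserPrincipalName -Mail $u.Mail `
                                    -VerifiedDomains $VerifiedDomains -InitialDomain $InitialDomain
        }
    }
    # Two accounts mapping to the same cloud UPN is exactly the sync error from the question.
    $dupes = $predicted | Group-Object PredictedCloudUpn | Where-Object Count -gt 1
    foreach ($p in $predicted) {
        $p | Add-Member -NotePropertyName Collision -NotePropertyValue ($dupes.Name -contains $p.PredictedCloudUpn) -PassThru
    }
}

# Constructed sample reproducing the question's accounts.
$initialDomain   = 'tenant.onmicrosoft.com'
$verifiedDomains = @($initialDomain)                      # assumption: company.com not verified yet
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'Admin1';        UserPrincipalName = 'admin1@company.com';        Mail = 'Admin@company.com' }
    [pscustomobject]@{ SamAccountName = 'Admin2';        UserPrincipalName = 'admin2@company.com';        Mail = 'admin@company.com' }
    [pscustomobject]@{ SamAccountName = 'partner_userx'; UserPrincipalName = 'partner_userx@company.com'; Mail = 'someuser@externalpartner.com' }
)
# Real data instead of the sample:
#   $sampleUsers = Get-ADUser -Filter * -Properties mail | Select-Object SamAccountName, UserPrincipalName, @{n='Mail'; e={$_.mail}}
#   $verifiedDomains = (Get-MgDomain | Where-Object IsVerified).Id

# As things stand: Admin1 and Admin2 both become admin@tenant.onmicrosoft.com (Collision = True),
# and partner_userx becomes someuser@tenant.onmicrosoft.com.
Test-UpnSyncReadiness -Users $sampleUsers -VerifiedDomains $verifiedDomains -InitialDomain $initialDomain | Format-Table

# Option b) from the answer: once company.com is verified, every account keeps its on-premises UPN.
Test-UpnSyncReadiness -Users $sampleUsers -VerifiedDomains ($verifiedDomains + 'company.com') -InitialDomain $initialDomain | Format-Table
```

Run it in staging mode before enabling export; any row with `Collision = True` will stop the sync, and rows whose `PredictedCloudUpn` differs from `OnPremUpn` are the ones that need either a verified suffix or the attribute workaround the answer mentions.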
I need to let someone access a SQL Database and have no time to study and catch up with all the constantly morphing AD stuff so I want to make her one of the existing subscription Co-Administrators added 9 years ago. I just want to add her (ie her Microsoft account) as a Classic Administrator.
Under IAM, Classic Administrators, I clicked Add, Co-Administrator, and a list of five email-like strings showed up. (I don't know whether these represent e-mail addresses or Microsoft accounts.)
How do I add another Microsoft account to this list so that I can make her a Co-Administrator?
If the Microsoft account (i.e. the email address you see in the list in your question) does not exist in the same Azure AD tenant as the subscription, you need to invite her (i.e. the Microsoft account) to the tenant first: navigate to Azure Active Directory in the portal -> Users -> New Guest User. Note: don't forget to accept the invitation email.
Then the Microsoft account will be a guest user in your tenant, just navigate to your subscription and add co-administrator, you can search for the Microsoft account (i.e. the email address).
I need to let someone access a SQL Database
I am not sure whether you mean to let her access the SQL database at the management tier or the data tier. If you want her to access the data tier, e.g. do operations on the data in the tables, you will also need to configure the Active Directory admin on the SQL Server: navigate to the SQL Server in the portal -> Active Directory admin -> Set admin -> invite the user you want -> Save. For more details see this link: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure
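The same two steps scripted, as an added example that is not part of the answer above: the Microsoft Graph PowerShell SDK sends the guest invitation and Az.Sql sets that guest as the Azure AD admin of the logical SQL server. The resource group and server names are placeholders. I know of no Az cmdlet that adds a classic co-administrator, so that step stays in the portal as the answer describes (`Get-AzRoleAssignment -IncludeClassicAdministrators` at least lists the existing ones).

```powershell
# Added example: invite a Microsoft account as a guest, then make it the Azure AD admin of a SQL server.
# Requires: Microsoft.Graph.Identity.SignIns (New-MgInvitation) and Az.Sql; names below are placeholders.

function Invoke-GuestSqlAdminSetup {
    param(
        [Parameter(Mandatory)] [string] $GuestEmail,          # the Microsoft account to invite
        [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder
        [Parameter(Mandatory)] [string] $ServerName,          # logical server name, without .database.windows.net
        [string] $RedirectUrl = 'https://portal.azure.com'
    )

    # Step 1: guest invitation (the "New Guest User" portal step). She still has to accept the e-mail.
    Connect-MgGraph -Scopes 'User.Invite.All' -NoWelcome
    $invitation = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
                                   -InviteRedirectUrl $RedirectUrl `
                                   -SendInvitationMessage
    $guestObjectId = $invitation.InvitedUser.Id
    Write-Host "Invited $GuestEmail as guest object $guestObjectId"

    # Step 2: the "Active Directory admin -> Set admin" portal step. For guests the ObjectId is what
    # identifies the principal; DisplayName is only the label shown in the portal.
    Connect-AzAccount | Out-Null
    Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $ResourceGroupName `
                                                -ServerName $ServerName `
                                                -DisplayName $GuestEmail `
                                                -ObjectId $guestObjectId | Out-Null

    # Return the effective setting so the caller can verify it.
    Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $ResourceGroupName -ServerName $ServerName
}

Invoke-GuestSqlAdminSetup -GuestEmail 'someone@outlook.com' -ResourceGroupName 'rg-placeholder' -ServerName 'sqlserver-placeholder'
```

Caveat a practitioner would want: the server Active Directory admin is an administrator of every database on that server. If she only needs to query one database, a less privileged alternative is to leave the admin setting alone and create her as a contained user inside that database with `CREATE USER [someone@outlook.com] FROM EXTERNAL PROVIDER;` followed by the role membership she actually needs.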
We are building an enterprise product, and expect a lot of customers not to have an Active Directory of their own.
We plan to use AAD as our IAM provider.
We plan to create a master AAD for the product, and then invite the users of each customer (tenant) as external users to the master AAD, using their business email IDs. Each set of users for a given customer will be added to an external group for manageability.
Would this be the right approach, for supporting multi-tenanted IAM for a product hosted in Azure?
It's a pretty hard question. AAD's multi-tenancy basically requires the org to have an AAD to have proper separation etc.
But in the case of an org not having an AAD, this is one option.
One crucial thing you must not forget with this path is to turn on the option in the AAD tenant to restrict Guest user permissions. This makes it so that the invited users can't just go to portal.azure.com and get a full list of all users in the tenant. At least usually this is a desired thing when multiple clients are in the same tenant.
Other options could be:
Setting up an AAD tenant for each customer
Good separation for customers
There might be a limit how many you can create
I'm not aware of an API you could use for this (but hey Selenium works :D)
Set up your own identity provider with e.g. IdentityServer
Maximum customizability
Lot of work for you to develop and maintain
Everything would of course be easier if they just had an AAD :)
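The "restrict guest user permissions" setting juunas's answer calls crucial, checked and tightened from the Microsoft Graph PowerShell SDK, as an added example that is not part of the answer: it reads the tenant's authorization policy, reports which guest access level is in force, and with `-Fix` switches it to the most restrictive level. The role ids are the documented values of the `guestUserRoleId` setting; the `Assert-GuestsRestricted` function name is my own.

```powershell
# Added example: verify that guests cannot enumerate the shared tenant's directory, and fix it if they can.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns; the caller needs Policy.ReadWrite.Authorization.

# Documented guestUserRoleId values for the authorizationPolicy resource.
$GuestRole = @{
    MemberLevel     = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'   # guests see the directory like members
    Guest           = '10dae51f-8c41-4b5e-9ccd-2a1b6f68a9b9'   # default: guests can still list users and groups
    RestrictedGuest = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # guests can only read their own object
}

function Get-GuestAccessLevel {
    param([Parameter(Mandatory)] [string] $GuestUserRoleId)
    $name = $GuestRole.GetEnumerator() |
            Where-Object Value -eq $GuestUserRoleId |
            Select-Object -ExpandProperty Key
    if (-not $name) { return 'Unknown' }
    return $name
}

function Assert-GuestsRestricted {
    param([switch] $Fix)
    Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome
    $policy = Get-MgPolicyAuthorizationPolicy
    $level  = Get-GuestAccessLevel -GuestUserRoleId $policy.GuestUserRoleId
    Write-Host "Current guest access level: $level ($($policy.GuestUserRoleId))"

    if ($level -eq 'RestrictedGuest') { return $true }
    if (-not $Fix) {
        Write-Warning 'Guests from one customer can enumerate users of every other customer; run with -Fix to restrict them.'
        return $false
    }

    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $GuestRole.RestrictedGuest
    $after = Get-MgPolicyAuthorizationPolicy
    return ($after.GuestUserRoleId -eq $GuestRole.RestrictedGuest)
}

Assert-GuestsRestricted          # report only
# Assert-GuestsRestricted -Fix   # report and tighten
```

This only limits what guests can read from the directory itself. Whatever the product exposes through its own APIs still has to enforce the per-customer separation that the external groups in the question are meant to model; the directory setting does not do that for you.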
It would depend on some details of the approach you want to follow. If you are expecting them to use their business email, then you may consider having Single Sign-On (many organizations expect not to need duplicate accounts, and you may want to delegate the hassle of resetting passwords to your customers).
Also, you need to determine what kind of isolation you need (do you want to have a single set of users or a clear separation by tenant?) and the budget you have for this (AAD cost is measured on a per-user basis). Azure AD B2C could also be an option, or, as @juunas mentioned, implementing your own solution with something like IdentityServer.