Best Azure AD Solution to automatically Sync Users/Groups from one Azure AD Tenant to another - azure

Looking for an ideal solution in Azure AD to automatically sync users between two Azure AD Tenants.
The scenario I'm looking for is as follows:
Corporate and our business project have separate Azure AD Tenants.
Want to leverage Corp Azure AD to sync internal users directly to my project's Azure AD to avoid onboarding all new people into the company.
When some internal employee leaves, sync off-boarding as well, so that if Corp removes someone from Azure AD, they get removed from my project's AD as well.
What are the best options for me?
Azure B2B sync using external identities
Azure Lighthouse
Others ?
Can users be automatically synced without requiring them to click some activation/invitation link in emails? Can this be fully automated without "invite link emails" etc.?
Looking for some assistance

AADConnect (Azure AD Connect) can synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants.
These tenants can be in different Azure environments.
You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to.
Note: one AADConnect server can synchronize to no more than one Azure AD tenant.
Reference: sync ad objects to multiple azure ad tenants
Also see use-scim-to-provision-users-and-groups
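The SCIM route the answer points to is, at its core, a reconciliation loop: read the source tenant's users, compare them with what the target tenant already holds, and issue create/update/deactivate calls for the differences. The following is an added example, not code from the question, the answer or Microsoft; the tenants, users and the in-memory stand-in for the target's SCIM endpoint are all constructed. It correlates users on the source object id carried in SCIM's externalId attribute rather than on e-mail, and it handles the off-boarding case the question asks about by setting active=false (the soft deprovision used by SCIM provisioning) rather than deleting the account.

```python
"""Added example: SCIM 2.0-style reconciliation between two tenants.

Constructed scenario (not from the page): 'corp' is the source tenant,
'project' the target. Request bodies follow the SCIM 2.0 wire format
(RFC 7643 user schema, RFC 7644 PatchOp); the transport is left out so
the logic can run offline against the in-memory stand-in below.
"""
from dataclasses import asdict, dataclass, replace
from typing import Dict, List

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SYNCED_ATTRS = ("userName", "displayName", "active")


@dataclass
class ScimUser:
    externalId: str      # immutable object id from the source tenant
    userName: str
    displayName: str
    active: bool = True


@dataclass
class Operation:
    method: str          # "POST" (create) or "PATCH" (update / deactivate)
    externalId: str
    body: dict           # SCIM request body that would be sent


def create_body(u: ScimUser) -> dict:
    return {"schemas": [SCIM_USER], **asdict(u)}


def patch_body(changes: dict) -> dict:
    """RFC 7644 PatchOp: one 'replace' operation per changed attribute."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": k, "value": v}
                           for k, v in changes.items()]}


def plan(source: List[ScimUser], target: Dict[str, ScimUser]) -> List[Operation]:
    """Compute the SCIM calls that bring `target` in line with `source`."""
    ops: List[Operation] = []
    seen = set()
    for s in source:
        seen.add(s.externalId)
        t = target.get(s.externalId)
        if t is None:
            if s.active:                 # never create an already-disabled user
                ops.append(Operation("POST", s.externalId, create_body(s)))
            continue
        changes = {a: getattr(s, a) for a in SYNCED_ATTRS
                   if getattr(s, a) != getattr(t, a)}
        if changes:
            ops.append(Operation("PATCH", s.externalId, patch_body(changes)))
    # Off-boarding: anyone the target still lists as active but the source no
    # longer knows is deactivated, not deleted, so the account stays auditable.
    for ext, t in target.items():
        if ext not in seen and t.active:
            ops.append(Operation("PATCH", ext, patch_body({"active": False})))
    return ops


def apply_plan(target: Dict[str, ScimUser], ops: List[Operation]) -> Dict[str, ScimUser]:
    """In-memory stand-in for the target tenant's SCIM endpoint."""
    state = {k: replace(v) for k, v in target.items()}   # copy, don't mutate input
    for op in ops:
        if op.method == "POST":
            attrs = {k: v for k, v in op.body.items() if k != "schemas"}
            state[op.externalId] = ScimUser(**attrs)
        else:
            u = state[op.externalId]
            for p in op.body["Operations"]:
                setattr(u, p["path"], p["value"])
    return state


# Constructed sample data: what corp reports vs. what the project tenant holds.
SOURCE = [
    ScimUser("a1", "alice@corp.example", "Alice A"),
    ScimUser("b2", "bob@corp.example", "Bob B-Smith"),                 # renamed
    ScimUser("c3", "carol@corp.example", "Carol C", active=False),     # disabled at corp
    ScimUser("d4", "dave@corp.example", "Dave D"),                     # new hire
]
TARGET = {
    "a1": ScimUser("a1", "alice@corp.example", "Alice A"),
    "b2": ScimUser("b2", "bob@corp.example", "Bob B"),
    "c3": ScimUser("c3", "carol@corp.example", "Carol C"),
    "e5": ScimUser("e5", "erin@corp.example", "Erin E"),               # left corp
    "f6": ScimUser("f6", "frank@corp.example", "Frank F", active=False),
}

if __name__ == "__main__":
    for op in plan(SOURCE, TARGET):
        print(op.method, op.externalId, op.body)
```

Running the plan a second time against the applied state yields no operations, which is the property a scheduled sync job needs: it can run every few minutes without re-sending anything. Note that erin, who simply vanished from the source, is treated the same as carol, who was explicitly disabled there; a real provisioning job should log both so that an unexpected mass disappearance (for example a broken source query) is noticed before it deactivates half the tenant.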

Related

How to allow users to register through my MVC5 .NET Webapp to azure active directory?

How can I have an option where users can register for an account in Azure Active Directory if they don't already have an account, using their own email? Currently I can only see an option to manually add users through the Azure portal, but I want to be able to allow users to register to my Azure Active Directory programmatically through a .NET web app.
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources.
That means you need to manage the users under your organization's tenant.
All the users are employees of a company. Only in this way can users be managed easily under the same tenant.
So you need to create accounts for your employees. There is not an option to make them register to Azure AD. I believe every company will provide work accounts to employees rather than asking employees to register.
If you want to work with your customers and let them register with your tenant, you should consider Azure AD B2C. It provides business-to-customer identity as a service, which allows customers to register for an account in an Azure AD B2C tenant.

Separate Azure AD's for internal and external users

Is there a recommended Azure AD strategy for managing internal and our partner users?
We know we can add external users to our Azure AD but we would like a clear separation between the internal and partners users.
I see in Azure you can add another Azure AD so wondering if we can add a new just for external users. But I'm not sure what effect this would have to our current company Azure AD and whether it would have access and/or impact on the features we have in our Azure AD (e.g. O365/Sharepoint/etc).
Or is it recommended just to use groups in Azure AD to separate the internal and external users?
is it recommended just to use groups in Azure AD to separate the internal and external users?
I think this is the best way to manage your users and partner users.
If you add partner users to another Azure AD, they will not access your default Azure AD resources and app.
Different Azure ADs have different resource groups and apps.

Azure AD - Inviting Users

I do not have much experience with AD in general. I have a web app in Azure and I want to authenticate users in the app using Azure AD and I read a bit about Azure AD B2B option but I simply still do not understand it.
What I do now in steps:
Create a new Azure Directory
In that directory I go to Azure Active Directory (service)
Register my application
Go to Users/all Users/ New guest user and add the users of the application
Job done
What is the difference between me doing this and the Active Directory B2B?
Azure AD business-to-business (B2B) collaboration capabilities enable any organization using Azure AD to work safely and securely with users from any other organization, small or large. Those organizations can be with Azure AD or without, or even with an IT organization or without.
Organizations using Azure AD can provide access to documents, resources, and applications to their partners, while maintaining complete control over their own corporate data. Developers can use the Azure AD business-to-business APIs to write applications that bring two organizations together more securely. Also, it's pretty easy for end users to navigate.
Enabling users from another organization to access the application is one kind of Azure AD B2B. And Azure AD B2B is enabled by inviting the other users to your organization's tenant.
For more details about Azure AD B2B, please refer to the link below:
What is Azure AD B2B collaboration

Can you use an Azure AD identity to log into the Azure Portal?

I've created some Microsoft Live accounts for managing my Azure subscriptions (I've got five). I can log in using, for example, joe@mycompany.com and manage my web services using the public portal. I think I've got the hang of Azure Active Directory and the Domain Services that go along with it. So now I'm wondering, can I associate my domain ('mycompany.com') with an Azure Active Directory in my corporate portal, add my user 'joe' to it, and use 'joe@mycompany.com' to sign into the portal? That is, will the Azure Portals use Azure Active Directory for logins?
The Azure Portal allows users to sign in with both Azure AD Accounts AND Microsoft accounts (aka MSAs, LiveIDs, @outlook.com).
If you associate your domain with an Azure AD tenant, you'll be able to log in to the Azure portal with your Azure AD account.
It is important to note that if you have a joe@mycompany.com Microsoft account and a joe@mycompany.com Azure AD account (which you get by adding the mycompany.com domain to an Azure AD tenant and then creating joe@mycompany.com in that tenant), you effectively have two DIFFERENT ACCOUNTS. When you type in joe@mycompany.com, you'll see a prompt like this one:
You'll have to make sure you pick the right one, since your existing Azure subscriptions will be associated with your MSA, and any new ones you create with your Azure AD account will, by default, not be accessible to your MSA.
Your best bet is to set up an Azure AD tenant, migrate your Azure subscriptions from your MSA to your Azure AD tenant by transferring ownership of the subscription, and ensure all new subscriptions are created with Azure AD accounts (and not MSAs). At that point, you can always pick Organizational account and not have to worry about which Azure subscription is linked to which account.
Other relevant info:
Comprehensive explanation of MSAs, Azure AD and Azure Subscriptions
Creating an Azure subscription using an Azure AD tenant

Azure using enterprise Active Directory

Before I am going to describe my questions, I would like to tell you that I am a web developer and not a security/Active Directory or Azure specialist, so please be gentle :-)
I work for a large international financial services company. We have a global IT department that provides member firms with services that we use (Active Directory 2012).
In my member firm, we are currently considering migrating custom-built websites to Azure. All the custom-built websites are implemented with Kerberos and Single Sign-On using Active Directory. Some of these websites read & write information in Active Directory.
The challenge that we are facing is how we can migrate these websites to Azure whilst using the enterprise's Active Directory. I searched for detailed information about solutions available but haven't found anything that answered my questions. My questions:
What solutions are there for connecting Azure with an enterprise's Active Directory?
What are the advantages and disadvantages for these solutions?
What are the requirements for these solutions?
Perhaps there is a book/blog/whitepaper that answers my questions?
AFAIK you cannot use the corp AD directly from Azure. You must use Azure Active Directory. However, there are solutions to keep the corp AD and the Azure AD in sync. For example, read Connecting AD and Azure AD: Only 4 clicks with Azure AD Connect, which shows how to use Azure AD Connect to link the Azure AD with your corp AD. It will basically mirror one corporate AD forest with an Azure AD account, and keep it up to date by periodic re-sync. The net effect is that you develop your cloud apps to authenticate and authorize based on the Azure AD, but the Azure AD will mirror the corp AD. There will be a delay in propagating changes to Azure AD, e.g. an employee added to the "domain\sales" group will not be allowed to access the "Sales" app for some hours until the Azure AD sync catches up with the corp AD change.
