I have an Enterprise Application registered on Azure Active Directory and I want only certain AAD users to be able to access it. I have created a user group for the authorized users and everything works fine. The users who are not assigned to the application, as expected, can't sign-in and they get an error message like the following after successful authentication. Is it possible to customize this message? I just need to add a support email address.
Customization of error message in AzureAD may not be possible as in AADB2C. You may try to give the support email in "sign-in page text and formatting" entry box through Company branding page for AAD sign-in .But this page appears as background in sign in page no matter success or failure of user authentication.
Note :Company branding requires azure ad Premium 1, Premium 2, or
Office 365 (for Office 365 apps) licenses.
Related
We are creating a flow to add a guest user to Azure AD.
Reference Article
https://www.timlinenterprises.com/how-to-invite-external-users-using-microsoft-flow-and-microsoft-graph-api/
Followed the steps in the article and got the error as shown below while executing the flow
Insufficient privileges to perform requested operation by the application '00000003-0000-0000-c000-000000000000'. ControllerName=MSGraphInviteAPI, ActionName=CreateInvite, URL absolute path=/api/a65449db-d753-4811-b4e1-846b9be25a50/invites
Below is the screenshot of the HTTP Request from Flow
HTTP Request in Flow
HTTP Request in Flow 2
Below is the screenshot of the API Permissions on Azure
Azure API Permissions
As soon as I replace .onmicrosoft.com with the Tenant ID ,the flow executes without any issues and the guest user receives the invitation. The user gets added to Azure AD however their profiles do not show up on office 365 Guest users nor under SharePoint User Profile even after waiting for 24 hours.
Whenever I invite a guest user using graph explorer , the guest is added successfully to Azure , Office 365 and SharePoint
Graph Invitations Execution
Response to Post Request
This is a Global Admin account with all the privileges and E3 license assigned.
All the articles online show you how to add guests on Azure AD , However there is no info if the user would show up on Office 365 Guest List.
Please let me know if anyone is aware of this and can help me the steps to get this resolved , also let me know if any other details are needed from my end.
EDIT
There was a small confusion , I confused Tenant ID with Client ID , after entering the Tenant ID the flow works without any issues as show below
enter image description here
As soon as I enter .onmicrosoft.com under the tenant section , the flow fails
We have just 1 tenant where Azure Application is created
Please let me know if anything else needs to be checked
Thanks in advance.
As soon as I replace .onmicrosoft.com with the client ID ,the flow
executes without any issues
It's impossible. You can only put tenant ID or domain name here. "client id" doesn't work.
In your case, a65449db-d753-4811-b4e1-846b9be25a50 should be the tenant id which you are trying to invite guest into.
Since the application permissions User.Invite.All and Directory.ReadWrite.All are correct, the reason why you get this issue is probably that you put a wrong tenant name here. The Azure AD app you registered is not in this tenant a65449db-d753-4811-b4e1-846b9be25a50. Please have a check.
I am using Azure Graph API Explorer. I want to query the apps list in a tenant. I am user in tenant_x (where user was originally created) as well as admin in tenant_y (created later with my user). I understand that when I log in I go directly in the origin tenant (so tenant_x) therefore Graph Explorer does not allow me to query tenant_y. So as admin of tenant_y I have added a new user in tenant_y. I log in now with that user but still I am not able to query the applications that are in tenant_y. So how can I query apps in tenant_y? Is there a way? thanks.
The API I am calling (with new user log-in) to first retrieve all applications:
https://graph.microsoft.com/beta/applications
Response is:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
Of course I have apps in that tenant.
Based on our communication, you have used a personal account as guest of tenant_y to query the apps list in tenant_y.
Unfortunately, Microsoft Graph Explorer will not recognize your personal account as a guest user. It will still treat it as a personal account.
So it will query the apps list for the personal account rather than tenant_y.
So now you have two choices:
Create a new user in tenant_y by following add a new user and
then use this new user to log into Microsoft Graph Explorer to query
the apps list.
Implement Get access on behalf of a user and make sure that you
call {your tenant} endpoint rather than common endpoint while
requesting the access token. And you should use another tool (for
example Postman) instead of Microsoft Graph Explorer.
Update:
You can modify the permissions in Microsoft Graph Explorer like this:
Click on the "modify permissions" under your username in Microsoft Graph Explorer and check the Directory.Read.All permission.
Today that's possible if you pass the tenant query string parameter like this:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com
Note that you need to logout before going to this URL with the tenant query string. It'll ask you to login again. After login you can issue queries against the other tenant you have access to (not your home tenant where your account was originally created on).
If you get a 401 while running the specific query, make sure you grant the required permissions on "Modify permissions" tab and click the Consent button in each required permission. After that your query should return a 200 success result.
Graph Explorer today does not support signing in to the tenanted endpoint. A tenanted endpoint is used in the following format
https://login.microsoftonline.com/{tenantId}/V2.0
Once your user account from tenant_x is made a guest user in tenant_y, to effectively query tenant_y using your guest user account, an app (like Graph explorer) has to sign you in the other tenant. Instead Graph Explorer uses the /Common endpoint, which will always sign you in your home tenant (tenant_x).
The only available workaround is to develop a application quickly and sign-in to a tenant of your choice and run Apis in it.
Graph explorer is a tool to help developer's discover and learn about the Graph Api and thus might shy away from introducing too much complexity. But it does not hurt to ask for this feature at their Github repo.
We have E5 account for Office 365. We have issue on SharePoint Online. My issue is that We have created one site collection and in that site collection one page is going to be access by external users. We did all the setting and now we can send email to external users and programmatically we add external user to certain SharePoint Group and this group have access to particular page.
External user is getting email too. Once external user clicked on it, it will take to our tenant and if the external user email is not Microsoft account than he can log-in successfully but it cannot access the resources. I get below error message
Your sign-in was successful but does not meet the criteria to access
this resource. For example, you might be signing in from a browser,
app, or location that is restricted by your admin
How can I solve it.
You will need to edit the conditions on your policy to meet your requirement. You did not list what you currently have so it's hard to say what needs to be done to fix it. You can find your policies under Azure AD in the portal. This post outlines where those settings can be found.
https://blogs.technet.microsoft.com/skypehybridguy/2017/08/31/microsoft-teams-restrict-usage-with-azure-ad-conditional-access/
I've created company branding from the Azure portal for my application.
This is working as expected for the first page i.e, the username page. When I click on next for the password page, the custom branding disappears and default Microsoft background appears.
I want the branding to be continued for the password page also so that there would be consistency.
You probably try to sign in with a Microsoft Account instead of your Azure Active Directory account. If you sign in with a "native" Azure Active Directory account you will continue see your company branded page.
You can customize your Azure AD sign-in pages, which appear when users sign in to your organization's tenant-specific apps, such as https://outlook.com/contoso.com, or when passing a domain variable, such as https://passwordreset.microsoftonline.com/?whr=contoso.com.
Your custom branding won't immediately appear when your users go to sites such as, www.office.com. Instead, the user has to sign-in before your customized branding appears.
Visit this link for more information
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding
I'm trying to use Video Indexer API (v2). But when I try to sign in to it using the the Azure Active Directory, I get this message:
Selected user account does not exist in tenant 'Microsoft' and cannot access the application 'da0eb6e2-d2bd-4cbd-ad65-81ddc43546e2' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
I'm not sure what the issue is?
Sign-in to the VideoIndexer developer portal has been revised.
We unified the developer portal sign-in with that of the VideoIndexer site.
The screenshot in #Mohit_Garg comment in no longer relevant. This is our new sign-in experience.
The first option should be used in case of Active Directory accounts. This is also the only option that will allow you to use Video Indexer paid.
In many cases users selected the Microsoft option in the old authentication method when they actually wanted AAD option.
After the new experience they select the first option "Sign in with a corporate account" and get a message saying that an account with that E-Mail already exit.
An Email is unique in Video Indexer developer portal. So if you want to use your AAD but previously opened an account in the developer portal using a different authentication method you will need to sign-in using the original authentication method and close the account in your developer profile page. After the account removal you will be able to sign in with different authentication method.
More info can be found in the official video indexer documentation
Clarification: I'm a developer in the Video Indexer team.
Follow below steps to Subscribe to the API -
Sign in.
To start developing with Video Indexer, you must first Sign In to the Video Indexer portal.
If signing in with an AAD account (for example, alice#contoso.onmicrosoft.com) you must go through two preliminary steps:
A. Contact us at visupport#microsoft.com to register your AAD organization’s domain (contoso.onmicrosoft.com).
B. Your AAD organization’s admin must first sign in to grant the portal permissions to your org. To do this, the organization's admin must navigate to https://videobreakdown.portal.azure-api.net/signin-callback?provider=Aad, sign in and give consent.
Subscribe.
Select the Products tab. Then, select Production and subscribe.
Once you subscribe, you will be able to see your subscription and your primary and secondary keys. The keys should be protected. The keys should only be used by your server code. They should not be available on the client side (.js, .html, etc.).
Start developing.
You are ready to start integrating with the API. Find the detailed description of each Video Indexer REST API.