Is it possible to enable azure ad self-service-sign-up for a SharePoint online site collection - azure

I'm looking at the possibilities of azure ad self service sign up.
https://learn.microsoft.com/nl-nl/azure/active-directory/external-identities/self-service-sign-up-user-flow
I want to share a SharePoint online team site with 1000 people via self-service sign-up. Is this possible? Or does SharePoint online not support this?

SharePoint supports a self-enroll service.
But it only supports creating a B2B extranet to collaborate with a partner organization that uses Azure Active Directory.
It means that your customers have to be AAD users, and you have to configure self-enroll separately for each AAD customer tenant.
License requirements
Using this feature requires an Azure AD Premium P2 license.
Specialized clouds, such as Azure Germany and Azure China 21Vianet,
are not currently available for use.
See details from Use SharePoint as a business-to-business (B2B) extranet solution and Create a B2B extranet with managed guests
Configuring self-enroll for any customer (from any domain) all at once is not yet supported.

Related

MS AppSource SaaS Web App - restrict access for multi tenant web app

I am developing a multi-tenant web app.
The app is configured to support Accounts in any organizational directory (https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-modify-supported-accounts).
I plan to register App in AppSource marketplace "Web App" category (https://appsource.microsoft.com/en-us/?product=web-apps).
App must support "Free Trial" publishing option (https://learn.microsoft.com/en-us/azure/marketplace/determine-your-listing-type).
How do I restrict access to my app to only trial organizations and organizations that bought a license?
How do I check the license? Or maybe Azure will not grant users access tokens for the app if they have no license?
«There are loosely 2 kinds of SaaS Apps that we support today - Listing and Sell Through Microsoft. Listing is when all you want to do is to list your SaaS offer on Microsoft marketplaces and all the customer interaction, provisioning, commerce, etc. is handled by you and your SaaS experiences. Sell Through Microsoft is what allows you to enable your SaaS offer transactable via Microsoft marketplaces.»
https://www.microsoftpartnercommunity.com/t5/Microsoft-AppSource-and-Azure/SaaS-Onboarding-Walkthrough-or-End-to-End-Document-for/m-p/7731/highlight/true#M123
If you want (as I do) to sell through Microsoft, here is the API:
https://learn.microsoft.com/ru-ru/azure/marketplace/partner-center-portal/pc-saas-fulfillment-api-v2

Azure AD Premium enterprise applications licensing

This is a licensing related question for Azure Active Directory.
We would like to use Azure AD as a SAML identity provider for our own applications, using the available method in the Azure AD Premium subscription, i.e. by creating a new custom application in the 'enterprise applications' list. Now do I need to assign a Premium license to every user that is going to login to this application via SAML? Or does it suffice to assign this license to the users that are administering the application?
The former case seems more plausible to me; however, it would be way too expensive for us, and during testing the custom applications seem to work also for users who do not have the license.
https://azure.microsoft.com/en-us/pricing/details/active-directory/
I am not a licensing expert; that said, Azure AD licenses are per user. Read the doc above. If the app is pre-integrated in the gallery, Azure AD users with the free tier can connect to 10 apps at no cost. If the app is on-premises, that requires Azure Application Proxy, which would require Azure AD Basic.
If it's a custom application not in the gallery AD Premium is required. Keep in mind AD premium has a ton more functionality. Conditional Access is a Game Changer. Very powerful. Multifactor Authentication, self service password reset, MIM, SCCM CALs, are all included.
Being able to simplify identity for users and link all applications they use to their AD account is important. EMS gives you the ability to monitor identity with Advanced Threat Analytics etc. It's actually a very useful suite of services and not drastically different in price from stand-alone AD Premium.
There is an interesting point on the license page too:
«With Azure AD Free and Azure AD Basic, end users who have been assigned access to SaaS apps can get SSO access to up to 10 apps. Admins can configure SSO and change user access to different SaaS apps, but SSO access is only allowed for 10 apps per user at a time. All Office 365 apps are counted as one app.»

Can O365 and Azure AD use the same domain

Assume there exists an O365 instance where user identities are managed in the cloud - see the Cloud Identity section here: https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
Assume there also exists a separate Azure subscription that maintains its own Active Directory, as well as an assortment of other resources such as SQL Databases, VMs, Virtual Networks, etc.
Can the two (the O365 instance and the Azure AD) use the same domain? Given it seems like Office 365 uses an Azure AD under the covers, my question is really just asking if two Azure Active Directories can use the same domain. Unfortunately, I can't find much online with regards to answers for this and I can't yet test it.
If you had two Active Directory tenants using the same example.com domain, and you logged into the portal with bob@example.com, how would the portal know which tenant was responsible for bob?
An Azure Active Directory tenant must be authoritative over the domains that are associated with it.
What you can do is associate the Office 365 Active Directory with an Azure subscription (or as many Azure Subscriptions as you have) and then you will have SSO across all of your subscriptions and Office 365.
This is probably the simplest guide on how to achieve that - it is for RemoteApp, but the underlying concept is the same.
Two Azure Active Directories cannot have the same domain.
Technically, an O365 instance with a tenant name (.onmicrosoft.com) is an Azure AD. Office 365 is just a SaaS application attached to every Azure AD. Basically, for Office 365 the identity management backend is Azure AD. If we have a domain abc.com added/verified in tenant A, it means that we can create users in tenant A with user@abc.com. If we were able to add the same domain in tenant B (which is not possible practically, but consider it theoretically), there would be a user user@abc.com in tenant B too! Hence it's impossible to have the same domain with two Azure ADs.
If you have a domain abc.com under a tenant - contoso.onmicrosoft.com (it does not matter whether it's in Office 365) - and you want to view this directory in the Azure portal (classic), and you know the global administrator of this directory, you can add it to the Azure Classic portal via the "use custom directory" option (which comes up for a live account service admin).
https://azure.microsoft.com/en-us/documentation/articles/active-directory-how-subscriptions-associated-directory/#manage-the-directory-for-your-office-365-subscription-in-azure
Also, an Office 365 subscription gives you the benefit of a free "Access to Azure Active Directory" subscription for all Office 365 Global administrators. This is given to effectively manage the users in Office 365 via Azure AD as well (SSPR, MFA settings - which are not available via the O365 portal).
https://support.office.com/en-us/article/Register-your-free-Azure-Active-Directory-subscription-d104fb44-1c42-4541-89a6-1f67be22e4ad

Enable Azure Active Directory Access Control with Office 365 Azure Active Directory tenant

I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external Sharepoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory, can add a new directory but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any credit card. When you have e.g. a pay-as-you-go subscription you should be able to create an ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace, but I suggest you also take a look into the identity possibilities Azure AD itself has. Azure AD currently only has support for SAML 2.0 (and a lot of other protocols, but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1, so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (See one of the comments from the source mentioned below this answer.)
I would also make one remark about Azure AD ACS, because it is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this latter directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.

Can an organizational account (office 365) be used for live/Microsoft services?

I understand that Office 365 is on a separate domain and Live ID (Microsoft account) is used for consumer applications.
But can an Office 365 account get Live/Microsoft services?
The issue is that we are trying to SSO Office 365 applications and Azure ML (used with a Microsoft account), but as the domains are different I am unable to find any proper help or process on the web.
We can create a Live account with our company domain, but can we create a federation on a Live account? E.g., on Office 365 we created a #.com federation and were able to SSO it; how can we do the same with a Live account?
According to the Azure ML pricing page the free tier is standalone, requiring a Live ID. The Standard tier is associated with your Azure subscription, so you use your org IDs.