So I'm wanting to send emails from a Microsoft account using OAuth2, and everything I am reading says I need to set up some things in Azure Active Directory (for app registration to get a client secret and all this stuff), which I can do when I follow their instructions, but everything seems to be contingent on an active Azure subscription, which seems to cost a heck of a lot of dollars and cents.
I can create an account for free but that's only for up to a year. So am I wrong in thinking I won't be able to do this unless I pay heaven-knows-what for an Azure subscription?
I'm going by these instructions:
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
If you only want to register the application in Azure AD to obtain the client secret and other basic settings about the application, you do not need to subscribe.
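As an added example that is not part of the original answer or of Microsoft's own samples: the exchange the linked doc describes, in Python with only the standard library. The app registration gives you the tenant id, client id and secret; registering the app needs a tenant, not a paid subscription. Tenant id, client id, secret and mailbox below are placeholders, and the SMTP host and the app-only scope follow the linked doc.

```python
import base64
import json
import smtplib
import urllib.parse
import urllib.request
from email.message import EmailMessage

# Placeholders (assumptions): values you get from the app registration in Azure AD.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "<client secret from the app registration>"
MAILBOX = "sender@contoso.example"          # mailbox the app is allowed to send as
SMTP_HOST, SMTP_PORT = "smtp.office365.com", 587
SCOPE = "https://outlook.office365.com/.default"   # app-only scope for SMTP AUTH


def get_app_token(tenant_id, client_id, client_secret, scope=SCOPE):
    """Client-credentials grant against the v2.0 token endpoint (needs network)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def build_xoauth2(user, access_token):
    """SASL XOAUTH2 initial response: user=<u>^Aauth=Bearer <tok>^A^A, base64 encoded."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(encoded):
    """Decode what the client is about to send, to check the framing before going live."""
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("XOAUTH2 string must end with two ^A bytes")
    return dict(part.split("=", 1) for part in raw[:-2].split("\x01"))


def send_with_xoauth2(user, access_token, from_addr, to_addr, subject, text,
                      host=SMTP_HOST, port=SMTP_PORT):
    """STARTTLS, then AUTH XOAUTH2 with the bearer token, then send (needs network)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, subject
    msg.set_content(text)
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        code, reply = smtp.docmd("AUTH", "XOAUTH2 " + build_xoauth2(user, access_token))
        if code != 235:            # 235 = authentication succeeded
            raise RuntimeError(f"SMTP AUTH XOAUTH2 rejected: {code} {reply!r}")
        smtp.send_message(msg)


if __name__ == "__main__":
    token = get_app_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    send_with_xoauth2(MAILBOX, token, MAILBOX, "someone@example.com",
                      "OAuth2 SMTP test", "sent with a bearer token, no password")
```

Two caveats from the linked doc: the app-only (client credentials) path also needs the application to be granted access to the mailbox on the Exchange Online side and SMTP AUTH enabled for that mailbox, and the delegated (user sign-in) flow uses the SMTP.Send scope instead of the .default scope used here. A rejected XOAUTH2 comes back as a 334 with a base64 JSON challenge rather than a 535, which is why the code checks for 235 rather than for a specific error code.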
We have 2 Azure subscriptions, old and new.
I cannot use the resource move button to push the app service mysite.azurewebsites.net from the old subscription to the new subscription.
That would be too easy! The subscriptions are from different people/companies, so the old subscription is not aware of the new subscription in the user interface of the Azure portal.
Now I have 2 questions:
1.) Is there any way to still move the app service although they do not share the same tenant? - I guess it's called like that - Can I make both subscriptions have the same tenant?
2.) I assume here that I have to re-create the app service and copy/paste all appsettings and that option 1.) will not work! But doing that I cannot create the app service with the same name mysite.azurewebsites.net because it's already in use in the old subscription and site names must be unique in the whole Azure system. (too bad that production app does not use a certificate... rolleyes)
How will number 2. work then? I really need that name because many other websites already use it...
1.) Is there any way to still move the app service although they do not share the same tenant? - I guess it's called like that - Can I make both subscriptions have the same tenant?
Unfortunately, it's not possible to do that. One tenant can have different subscriptions, but one subscription can only belong to one tenant (Azure Active Directory). So, if your other subscription belongs to another tenant, you cannot share it with this tenant.
How will number 2. work then?
Yes, you need to recreate your App Service. If you want to use the old App name for your new App, you need to delete the old Web App, because Azure doesn't allow two Web Apps to have the same App name.
Hope this helps!
Update
There are two other ways to achieve that.
Redirect the old web app's URL to the new web app. This can be done by configuring your web app itself.
a. You can back up your old app to a storage account.
b. Delete your old web App.
c. Download the backup files to your local machine.
d. Go to another subscription and upload the backup file to a storage account.
e. Restore the old app from the storage account.
These ideas are inspired by the OP-#Elisabeth. Thanks!
Update 2
Unfortunately, my test failed. When I selected the ZIP file from a storage account to restore the app, it just did not respond at all. It can be restored from an app backup, but from the storage account it did not succeed.
I have a web application deployed on Azure with the Azure Active Directory security enabled (the express setting). So, when I try to access the application, I need to be a part of the AD to have access.
I would like to add more features to the application, like displaying the current user logged in, implement a logout, managing permissions etc... I believe I can achieve all of things with Azure Graph API.
However, to do this, I will need to test some stuff locally. Is there any way to simulate Azure AD locally? It is "switched on" on Azure and everything works great there, but I have nothing to simulate this on my local machine.
There is no "local" or "offline" version of Azure AD available.
Your options at this time are:
Test using an actual Azure AD tenant. You can create your own test tenant to allow you to make changes as necessary, postponing the need to work with the admin of your corporate Azure AD until you're ready to go to production.
Create your own Mock STS that implements the OpenID Connect protocol and use that during development/testing. The risk here is that you'll have to make sure that this Mock STS behaves just like Azure AD does or close enough for your purposes.
As a side note, you can create a feedback entry asking for a feature on this in the Azure AD Feedback Forum
This problem may stem from the dependency on MS accounts for MSDN instead of work accounts, but maybe some one has found a solution?
I use the same email address for both my MS and Work Accounts.
Our company subscriptions seem to be linked to our MS accounts, as do our VSTS accounts. I can sign into Azure portals using both MS and work accounts. I want to be able to deploy to our company subscription from VSTS.
When I sign into Azure using my work account, I can see our Azure AD. I am a global admin and can make changes, etc. This is not visible when I sign in using the MS account. It tells me I do not have access, which I can understand.
In VSTS, I have linked my MS account to my work account. But I can't access some of the projects at {whatever}.visualstudio.com VSTS sites with my work account; I must use my MS account.
The main problem is when I try to set up a build and deploy from VSTS into the company Azure subscription. To achieve this I need to set up a Service Endpoint to ARM in Azure. So I go ahead and try to do that.
It fails as it says that the account does not have the sufficient privileges needed in Azure Active Directory. Remember, AAD is only accessible when I log into my work account in the azure portal.
One last point, AAD would see my MS account as a guest account, so I thought 'hey, I will add that account to AAD as a guest and assign privileges necessary to perform the tasks I need'. But because the same email address was used for both my MS account and work account, it tells me when I try to add the guest account, that it already exists.
Is there any way around this problem? How can I associate/move all VSTS subscriptions to my work account?
When the VSTS identity you are using does not have access to the Azure subscription you're trying to deploy to, the best way to do this is to create your service endpoint manually.
The steps are [here][1]. See the Azure Resource Manager service endpoint -> Manual subscription definition section. It has a few more steps, but once you create that, just use that service endpoint in your build or release definitions and you're good to go.
This isn't a specific problem question but a "cry for help".
My problem is this. Our organization is in the process of implementing Office365.
Until now there were tens of applications with their own authentication and authorization but in the process most of them will be rewritten to use within O365 environment.
We are facing the problem of creating one endpoint (ASP.NET WebAPI app) which will be used to authenticate a user with his credentials from Active Directory (or B2B AD on Azure because some apps are used outside) and tell if this user is allowed to use app that asked to log him.
I'm just wandering through documentation and sample code but can't decide what will be a good practice in this scenario. Should we just build each app and use the Azure Active Directory provider to authenticate? Or is it possible to set up ONE API that will hold all app IDs and their user IDs, then check user credentials against AD and give the app a token/cookie?
My best bet is to try this: http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1
But create Provider for AzureAD. But then its still question about this B2B AD part.
Please help by pointing to some up to date resources..
You should register each of your B2B applications within your Azure Active Directory and configure them to use AAD as the Identity Provider.
Then you can administer everything you want (e.g. which user has access to which application) within the Azure Active Directory blade in the Azure Portal.
You are getting this backwards. If you have apps integrated with Azure AD, you don't have to create an endpoint which will validate a user's right to use apps; you assign the right to use an app in Azure AD. This is the whole point.
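One way to see both of these answers in working code, and the mock STS the earlier answer on simulating Azure AD locally mentions: a token issuer that mints tokens with the claims Azure AD puts in v2.0 tokens, and an API that decides access from the `roles` claim (the app-role assignment made in the portal) instead of from a user table of its own. This is an added example, not code from either thread. It signs with HS256 and a local secret so it runs on the standard library alone (Azure AD uses RS256 with keys published at its JWKS endpoint, so a real mock would need that), and the tenant, application and user identifiers are made up.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

TENANT_ID = "22222222-2222-2222-2222-222222222222"      # assumption: a dev tenant
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
MOCK_SECRET = b"local-dev-only, never a real key"        # stands in for AAD's RSA key

# Constructed stand-in for the "Users and groups" assignment of an enterprise app:
# (audience of the API, user) -> app roles granted in Azure AD.
ASSIGNMENTS = {
    ("api://billing", "alice@contoso.example"): ["Billing.Read", "Billing.Write"],
    ("api://billing", "bob@contoso.example"): ["Billing.Read"],
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(aud, user, now=None, lifetime=3600):
    """Mock STS: mint a token carrying the claims an Azure AD v2.0 token carries."""
    now = int(time.time()) if now is None else now
    roles = ASSIGNMENTS.get((aud, user))
    if roles is None:
        # With "User assignment required" on, Azure AD refuses to issue a token to an
        # unassigned user at all (error AADSTS50105); the mock mirrors that.
        raise PermissionError(f"{user} is not assigned to {aud}")
    header = {"alg": "HS256", "typ": "JWT", "kid": "mock-key-1"}
    claims = {
        "iss": ISSUER, "aud": aud, "tid": TENANT_ID, "ver": "2.0",
        "oid": str(uuid.uuid5(uuid.NAMESPACE_URL, user)),               # user object id
        "sub": str(uuid.uuid5(uuid.NAMESPACE_URL, aud + "|" + user)),   # pairwise per app
        "preferred_username": user, "name": user.split("@")[0].title(),
        "roles": roles, "iat": now, "nbf": now, "exp": now + lifetime,
    }
    signing_input = _enc(header) + "." + _enc(claims)
    sig = hmac.new(MOCK_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, expected_aud, now=None):
    """What the API checks before trusting anything in the token."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    # Verify with the key and algorithm *we* expect; never take alg from the header.
    expected = hmac.new(MOCK_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature check failed")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER or claims.get("tid") != TENANT_ID:
        raise ValueError("token not from our tenant")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was issued for a different app")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token outside its validity window")
    return claims


def authorize(claims, required_role):
    """Authorization comes from the roles Azure AD assigned, not from a local user table."""
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    tok = issue_token("api://billing", "alice@contoso.example")
    claims = validate_token(tok, "api://billing")
    print(claims["preferred_username"], "may write:", authorize(claims, "Billing.Write"))
```

The audience check is the part that replaces the "one API that holds all app IDs" idea: a token minted for one app is rejected by every other app, so the per-app access decision lives in the assignment Azure AD makes at issuance time, and the API only has to verify the token and read `roles`. When you swap the mock for the real tenant, the validation keeps the same shape; what changes is fetching the RS256 keys from the tenant's JWKS endpoint and selecting them by the token's `kid`.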
In my Azure account I have 2 directories, let's call them directory A and B.
With some recent changes I need to switch an app service from a subscription in directory A to a subscription that is in directory B.
Is this possible to achieve, and if it is how?
EDIT 1
As directory I mean the directory that you can see in the image below:
EDIT 2
Since it seems that I have misled people, I will try to explain what I want to achieve with images.
I want to move the App Service from the App Service Plan in the directory A as you can see in here:
to the App Service Plan in the directory B that you can see in here:
It looks like you want to move resources between subscriptions. It is possible to do this, but there are a few restrictions and rules around what you can do.
You can definitely move an App Service between subscriptions. However, in your case, as the subscriptions in question exist in different AD tenants, you will need to change the tenant of one of the subscriptions. You can only do this if you are a Service Administrator and signed in using a Microsoft (i.e. non-organizational) account.
Check this reference document from Microsoft, it explains in detail how the transfer process works.
I think we might need some additional information, since it seems that the terms we're using are sometimes equivocal. Microsoft Azure subscriptions are not associated with Azure Active Directories, but with a Service Account. You can add as many Azure ADs as you want to an Azure subscription, but the Azure subscription itself will be managed by the service account (which is not necessarily a member of a certain Azure AD).
Further, only the service administrator can manage Azure resources, like VMs, App Services and so on. Azure AD admins can only manage identity aspects that define identity life cycles within that specific Azure AD. The service admin could add a user from the default Azure AD as a co-admin, and that user would then also be able to manage Azure resources, like App Services and so on.
So the Azure App Service is tied to an Azure subscription that is managed by a service account, not by the Azure AD. Please check the official documentation on this topic. Also please clarify exactly what you would like to do.