Restricting admin access to Azure AD B2C user data - azure

We have 3 people that need access to our Azure B2C portal pages. How granular are the permissions on the Profile page and All Users page?
We want to restrict the visibility of a User's first name and last name to a single administrator.
Can the User "Profile" page be restricted whilst the "All Users" page is still available to the whole admin team?
Is it possible to set visibility controls on specific fields? That would allow us to have the Profile page available but the fname and lname as hidden fields.

You cannot control the visibility of the fields in the Azure Portal in this way. You can only control which fields can be modified based on the Azure AD Admin role of the user.
The only option to provide more granular access would be to surface your own Admin tool built on top of the MS Graph API.
Or there may be a solution which a partner offers.

Related

Limit user access in Azure AD B2C

This is mostly playing around at the moment but I'm attempting to use Azure AD B2C as the login provider / user store for a website I'm working on.
I want to limit what users can access based on a user level.
At the moment, in order to handle this I have a database entry for UserLevel that stores the user's OID and an enum for the user level (admin, moderator, user etc.), and then for page / API access I've set up a requirement that checks the authenticated user is in the UserLevel repository and that their level matches or exceeds the required level.
What I'm wondering is if there are any major problems with doing things this way / is there a better way to handle this.
You can use Custom Attributes to save all your User properties - they will act like DB columns in B2C.
How to create?
Navigate to the directory that contains your B2C tenant.
Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C.
Select User attributes, and then select Add.
Provide a Name for the custom attribute (for example, UserLevel)
Choose String as the Data Type (note that only String, Boolean, and Int are available).
Optionally, enter a Description for informational purposes.
Click Create.
The custom attribute is now available in the list of User attributes and for use in your user flows.
How to use in your User Flows?
In your Azure AD B2C tenant, select User flows.
Select your policy (for example, "B2C_1_SignupSignin") to open it.
Select User attributes and then select the custom attribute (for example, UserLevel). Click Save.
Select Application claims and then select the custom attribute.
Click Save.
You should now see UserLevel in the list of attributes collected during the sign-up journey, and see it in the token sent back to your application - based on which you will be able to identify the access you want to give to that user (instead of making another DB call which will increase latency).
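As an added example (not code from the answer above), here is how the `extension_UserLevel` claim that Azure AD B2C emits for a custom attribute named UserLevel can drive an ASP.NET Core authorization requirement of the kind the question describes, replacing the per-request database lookup; the enum values, the level ordering and the policy names are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Assumed hierarchy, ordered so that a higher level satisfies any lower requirement.
public enum UserLevel { User = 1, Moderator = 2, Admin = 3 }

public class MinimumLevelRequirement : IAuthorizationRequirement
{
    public UserLevel Minimum { get; }
    public MinimumLevelRequirement(UserLevel minimum) => Minimum = minimum;
}

public class MinimumLevelHandler : AuthorizationHandler<MinimumLevelRequirement>
{
    // B2C exposes a custom attribute named "UserLevel" in the token under this claim type.
    public const string ClaimType = "extension_UserLevel";

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumLevelRequirement requirement)
    {
        // Only a recognised level at or above the minimum succeeds; a missing, empty
        // or unknown claim value leaves the requirement unmet, so the policy denies.
        if (TryGetLevel(context.User, out var level) && level >= requirement.Minimum)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }

    public static bool TryGetLevel(ClaimsPrincipal user, out UserLevel level)
    {
        level = default;
        var raw = user.FindFirst(ClaimType)?.Value;
        // Enum.TryParse also accepts arbitrary integers such as "42", so confirm the value is defined.
        return !string.IsNullOrWhiteSpace(raw)
            && Enum.TryParse(raw.Trim(), ignoreCase: true, out level)
            && Enum.IsDefined(typeof(UserLevel), level);
    }
}

// Registration in ConfigureServices (policy names assumed):
//   services.AddSingleton<IAuthorizationHandler, MinimumLevelHandler>();
//   services.AddAuthorization(o =>
//   {
//       o.AddPolicy("ModeratorOrAbove", p => p.AddRequirements(new MinimumLevelRequirement(UserLevel.Moderator)));
//       o.AddPolicy("AdminOnly", p => p.AddRequirements(new MinimumLevelRequirement(UserLevel.Admin)));
//   });
// Then mark controllers or actions with [Authorize(Policy = "ModeratorOrAbove")].
```

The claim is only as trustworthy as its write path: if UserLevel is also selected under User attributes, a self-registering user chooses their own level during sign-up, so set it server-side (for example through the Graph API) and expose it under Application claims only.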

Do I need to configure Azure AD for PowerApps?

I am new to PowerApps, and I need to create an app with Azure AD authentication. But I am confused by this authentication. Do I understand correctly that I don't have to implement user sign-up and login screens, because every user who is added to Azure AD will be able to log in with a Microsoft account and will have access to my PowerApp?
So, I don't have to write any code for user signup/login/forgot password?
But on the Internet I saw that some people use AzureAD.getUser() and Office365.User. When do I need it?
PowerApps is for building enterprise apps for your organization's staff. The app has to be developed, published and shared with AD users, and users can sign in using Active Directory single sign-on.
You can invite/share with AD individuals, security groups or O365 groups, but not distribution groups. You can share the app with all users by sharing with “Everyone”.
PowerApps can even be shared with external users (guests), but they must be guest users of an Azure Active Directory tenant.
How to share a PowerApp?
Yes, no signup or login other than Microsoft AD login/challenge screen.
Those snippets will be used to get the currently logged-in user's details.
Everything #ArunVinoth said, and to add a little more info about:
But on the Internet I saw that some people use AzureAD.getUser() and Office365.User. When do I need it?:
These are PowerApps connectors (API wrappers) that allow you to surface AD/O365 data within the app for your users.
Example:
You may have a way for users to look up contact information for people within the org.
You would add the Office365Users connector to your application.
Then execute the .SearchUser method from that connector to display contact info based on user input.
These connectors are not for authenticating to the app, but rather for providing lookup capabilities for your users, or for automating these lookups in your app logic.

How to assign a business account to a user in Acumatica?

I am trying to assign a Business Account to a user and am not able to figure out how to do it.
I believe you are trying to customize the Catalog form (SP700000) on the Acumatica Portal site and getting the "Your user profile is not associated with any Business Account" message.
The associated business account check is done in the constructor of the InventoryLineMaint graph linked to this page, and if none is found an exception is raised, which is correct by design. That's the reason you are seeing this message.
To customize this screen using the Acumatica Customization Browser, you should create an admin Portal user who is associated with a business account.
Allow the roles Customizer and Portal Admin for the External User Type. You need to check Guest Role for these two in order to add them here.
Step # 1
Log in to the ERP using admin credentials, navigate to the User Roles screen (SM201005), and check Guest Role for the Customizer and Portal Admin roles in order to add them on EP202500.
Step # 2
Now navigate to the User Types screen (EP202500) and select the External User Type. Modify it to allow the roles Customizer and Portal Admin for the External User Type.
Step # 3
Now create the External user.
Navigate to the Customers screen (AR303000) and select the ABARTENDE customer. Go to the Contacts tab and open the existing contact, Kabuk Fadi, Mr. (CR302000). Navigate to the User Info tab and set up the External user as below.
Step # 4
Now log in to the Portal site using this user. You should be able to customize page SP700000 via the Acumatica Customization Browser.

Sharepoint: Modify/Reset site collection permissions for user when AD properties change

I am not an expert with SharePoint and couldn't figure out if this question has been answered already on SO. So, please redirect as necessary. Thanks!
The customer has a SharePoint farm (syncs with AD) which is a purely OOB implementation with no custom code. That said, the question is: if a user was updated in AD (a property of the user), can the user's permissions on the existing site collection be modified/reset automatically without manual intervention?
Let's say:
1) User belongs to BusinessGroup "Group1" (AD) and the user has "Full Control" to SharePoint site collection "Group1-SiteColl".
2) User's BusinessGroup is now changed to "Group2" in AD.
In this scenario, the user's permissions on "Group1-SiteColl" should be reset to "ViewOnly" (or something of that sort) and the user should be given "FullControl" permission to the new site collection "Group2-SiteColl".
How can this be achieved (automated, no manual intervention) without deploying any custom code? With PS or OOB workflows?
Any help is appreciated.
You can set permissions only for users or groups (both SharePoint and AD). Based on AD properties you can define audiences to hide or display some parts (typically webparts) in SharePoint UI. But this is not equal to permissions!

Sitecore website: show/hide menu items based on logged in user role

I'm building a Sitecore 7.2 site using ASP.NET MVC 5.0. The site will have login and each user will have roles.
We need to show/hide the site menu items based on logged in user Roles. The user detail and roles are stored in SAP backend.
Could someone please advise what's the best way to achieve above?
Essentially you will want to map the roles stored in your backend system to Sitecore roles. Potentially look into creating a custom Role Provider (see the documents below).
Once logged in, requests to Sitecore are made in the context of that logged-in user. Therefore if the user, or their role, does not have permission to view an item, it will not be returned in the request. This means that your menu will not display items they do not have permission to access.
You and Content Editors can control what users and roles can access via the Security Editor and view their access rights via the Access Viewer in the Content Editor.
These documents will have everything you need - http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
http://sdn.sitecore.net/upload/sitecore6/securityadministratorscookbook-usletter.pdf
It's also worth noting that Sitecore's security manages roles as ORs. So if one of the user's roles has permission to see an item, then the user can see it.
If you require the roles to be ANDs (every role must have permission before it's displayed to the user), check this post out - http://www.sitecore.net/learn/blogs/technical-blogs/john-west-sitecore-blog/posts/2015/03/require-membership-in-multiple-roles-in-the-sitecore-aspnet-cms.aspx
You need the roles for the current user from SAP? There is an OData API for that: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bde6197817511e10000000a42189b/content.htm
You could query the API in real-time, but it would of course require a login to SAP for the current user.
Or - you could use another API and connect via a service user.
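An added example (not code from either answer above) of the custom Role Provider the first answer suggests: it maps role names fetched from the SAP backend onto Sitecore roles in the extranet domain, drops any backend role without a mapping so that an unknown role grants nothing, and refuses writes because SAP owns membership; `IBackendRoleSource`, the `SourceFactory` hook, the role names and the domain are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

// Assumed abstraction over whichever SAP API (OData or a service user) returns a user's roles.
public interface IBackendRoleSource
{
    IEnumerable<string> GetRoleNames(string accountName);
}

public class SapRoleProvider : RoleProvider
{
    private const string Domain = "extranet";   // Sitecore security domain for site visitors (assumed)
    // Backend role -> Sitecore role. Anything not listed here is ignored (least privilege).
    private static readonly Dictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["SAP_CUSTOMER"] = "Customer",
            ["SAP_PARTNER"]  = "Partner",
        };
    // ASP.NET constructs providers without arguments, so the backend client comes from a hook (assumed).
    public static Func<IBackendRoleSource> SourceFactory { get; set; }
    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username)
    {
        // Sitecore passes qualified names such as "extranet\jdoe"; SAP expects the bare account.
        var account = username.Contains("\\") ? username.Substring(username.IndexOf('\\') + 1) : username;
        return SourceFactory().GetRoleNames(account)
            .Select(r => RoleMap.TryGetValue(r, out var mapped) ? Domain + "\\" + mapped : null)
            .Where(r => r != null)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();
    }

    public override bool IsUserInRole(string username, string roleName) =>
        GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    public override string[] GetAllRoles() => RoleMap.Values.Select(r => Domain + "\\" + r).ToArray();
    public override bool RoleExists(string roleName) =>
        GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase);

    // Membership is owned by SAP, so every write or reverse lookup is refused rather than silently ignored.
    public override void CreateRole(string roleName) => throw new NotSupportedException();
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) => throw new NotSupportedException();
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) => throw new NotSupportedException();
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) => throw new NotSupportedException();
    public override string[] GetUsersInRole(string roleName) => throw new NotSupportedException();
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) => throw new NotSupportedException();
}
```

The provider is registered like any ASP.NET role provider in web.config and then wired into Sitecore's switching role provider configuration for the extranet domain; because the mapped roles are plain Sitecore roles, the Security Editor and Access Viewer mentioned above work on them unchanged.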
