Azure AD - Sign-in using email as an alternate ID - azure

I realize this is probably a "noob" question but I am trying to follow this guide to enable our users to sign in to Microsoft Azure AD using their email address instead of their UPN.
Some background: Our org uses a UPN scheme that is different from a user's email address. Our UPNs follow the format abc12d@organization.com while a user's email is firstname.last@organization.com. This enables us to have unique UPNs no matter how big our org scales. I am new to Azure AD but I've managed to integrate most of our 3rd party systems with Azure.
The problem: I mapped the user email field as the UPN for one of our services (Apple Business Manager) and now when a user tries to sign in to their Apple ID, it tries to sign them into Azure with firstname.last@organization.com instead of the Azure UPN abc12d@organization.com. Because we have not enabled Microsoft's "Sign-in using email as an alternate ID" feature, the sign-in window tries to sign them into an account that doesn't exist.
What I've tried: I know the simple solution would be to just change the mapping in Apple Business Manager to use the user's true UPN from Azure, but most of our sign-ins now use the user's email so I really don't want to create confusion. I have tried to follow the guide mentioned above, which I assume is referring to using PowerShell in Azure and not your on-prem AD DS service (but it does not specify). Every time I attempt to follow the guide, I get an error message on step 3 in PowerShell that says: Get-AzureADPolicy: The term 'Get-AzureADPolicy' is not recognized as the name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I have tried reading through various online forums but have yet to encounter anyone who is encountering this error for this specific use case. No other online documentation has helped me resolve the problem. In my mind, it is probably user error and limited experience with Azure and PowerShell cloud.
Any help would be greatly appreciated! I am happy to provide more information as needed.

Get-AzureADPolicy is under Azure Active Directory PowerShell 2.0-preview.
You need to install the preview release using:
Install-Module AzureADPreview
Don't forget to import it:
Import-Module AzureADPreview
Note that you cannot install both the preview version and the GA version on the same computer at the same time.
Reference here. If it still doesn't work, running Uninstall-Module AzureAD before you install the preview version may be helpful.
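The full procedure the answer above is trying to get working, as an added example (not code from the original post or from Microsoft's guide). It assumes a local Windows PowerShell 5.1 session signed in as a Global Administrator, removes the GA AzureAD module first because it cannot coexist with AzureADPreview, and uses the HomeRealmDiscoveryPolicy JSON from Microsoft's alternate-login-ID guide. The merge branch and the final verification are additions; the display name BasicAutoAccelerationPolicy is the one the guide uses.

```powershell
# Added example: enable "email as an alternate login ID" with AzureADPreview.
# Assumptions: Windows PowerShell 5.1, Global Administrator, local machine.

# 1. Swap the GA module for the preview module (they cannot be installed side by side).
if (Get-Module -ListAvailable -Name AzureAD) {
    Uninstall-Module -Name AzureAD -AllVersions -Force
}
if (-not (Get-Module -ListAvailable -Name AzureADPreview)) {
    Install-Module -Name AzureADPreview -Scope CurrentUser -Force
}
Import-Module AzureADPreview

# 2. Sign in to the tenant (interactive, works with MFA).
Connect-AzureAD | Out-Null

# 3. Find the tenant-default HomeRealmDiscoveryPolicy, if one already exists.
$hrd = Get-AzureADPolicy | Where-Object {
    $_.Type -eq 'HomeRealmDiscoveryPolicy' -and $_.IsOrganizationDefault
}

# AlternateIdLogin lets a user sign in with any verified SMTP address in their
# ProxyAddresses (e.g. firstname.last@organization.com), not only the UPN.
$newPolicyJson = '{"HomeRealmDiscoveryPolicy":{"AlternateIdLogin":{"Enabled":true}}}'

if ($null -eq $hrd) {
    # 4a. No default policy yet: create one and make it the organization default.
    $hrd = New-AzureADPolicy -Definition @($newPolicyJson) `
        -DisplayName 'BasicAutoAccelerationPolicy' `
        -IsOrganizationDefault $true `
        -Type 'HomeRealmDiscoveryPolicy'
} else {
    # 4b. A default policy exists: merge AlternateIdLogin into it instead of
    # overwriting other settings it may carry (e.g. AllowCloudPasswordValidation).
    $definition = $hrd.Definition[0] | ConvertFrom-Json
    if ($null -eq $definition.HomeRealmDiscoveryPolicy) {
        $definition | Add-Member -NotePropertyName 'HomeRealmDiscoveryPolicy' `
            -NotePropertyValue ([pscustomobject]@{}) -Force
    }
    $definition.HomeRealmDiscoveryPolicy |
        Add-Member -NotePropertyName 'AlternateIdLogin' -NotePropertyValue @{ Enabled = $true } -Force
    $merged = $definition | ConvertTo-Json -Depth 5 -Compress
    Set-AzureADPolicy -Id $hrd.Id -Definition @($merged)
}

# 5. Verify what the tenant now enforces before telling users to try it.
$check = (Get-AzureADPolicy -Id $hrd.Id).Definition[0] | ConvertFrom-Json
if ($check.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled -eq $true) {
    Write-Host 'AlternateIdLogin is enabled for the tenant.'
} else {
    Write-Warning 'AlternateIdLogin is NOT enabled; inspect the policy definition.'
}
```

Two practical notes: the feature matches sign-in names against each user's ProxyAddresses, so whoever can write that attribute (for example on-prem attribute admins whose changes flow through Azure AD Connect) can add sign-in aliases; that is not a credential, but the attribute deserves the same change control as the UPN. The AzureAD and AzureADPreview modules are deprecated in favour of Microsoft Graph PowerShell, so treat this as a way to finish the guide, not as the long-term tooling.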

Related

How to find last logged in user on Intune/Azure

I am currently working on a project where I am needing to find the active username (not the device name or hostname) of associates on the machines. Since there was no standard naming convention when the devices were provisioned, I am looking to find a way to figure out or see the last logged in users through Azure AD or Intune.
Not sure if I am making this post in the correct place, if not please be kind and suggest where I should post this.
Thanks!
To fetch the details of the last logged-on users on Intune devices, use the query below in Microsoft Graph Explorer:
GET https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}
The above query only works on the beta version of Microsoft Graph.
Please check the required permissions below:
In the output response, you can find the userId and lastLogOnDateTime in the usersLoggedOn field.
In order to display the username from the userId, use the PowerShell script mentioned in this reference.
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant. The beta version is subject to change; don't use it for production.
For more information, please refer below links:
Get windowsManagedDevice - Microsoft Graph beta | Microsoft Docs
Find out last logon user of MDM assigned Corporate Device - Microsoft Q&A
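The per-device query above only answers for one managedDeviceId; the question asks for the last user on every machine. The following is an added example (not from the original answer or the linked reference) that pages through all managed devices on the beta endpoint, picks the newest usersLoggedOn entry per device, and resolves each userId to a UPN with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, the signed-in admin can consent to the two delegated scopes shown, and the tenant has Intune licences; the output CSV path is an assumption.

```powershell
# Added example: last logged-on user per Intune-managed device, userId resolved to UPN.
# Assumptions: Microsoft.Graph SDK installed; delegated scopes below granted; Intune licensed.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'User.Read.All' | Out-Null

# Page through /beta/deviceManagement/managedDevices, following @odata.nextLink.
# usersLoggedOn exists only on the beta endpoint, as the answer notes.
$uri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices?$select=id,deviceName,usersLoggedOn'
$devices = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
}

# Cache userId -> UPN lookups so each user is fetched at most once.
$userCache = @{}
function Resolve-Upn([string]$userId) {
    if (-not $userId) { return $null }
    if (-not $userCache.ContainsKey($userId)) {
        try {
            $userCache[$userId] = (Get-MgUser -UserId $userId -Property UserPrincipalName).UserPrincipalName
        } catch {
            # Deleted users still appear in usersLoggedOn; keep the raw id so it is visible.
            $userCache[$userId] = "<unknown $userId>"
        }
    }
    return $userCache[$userId]
}

$report = foreach ($d in $devices) {
    # usersLoggedOn is a list; take the entry with the newest lastLogOnDateTime.
    $last = $d.usersLoggedOn |
        Sort-Object { [datetime]$_.lastLogOnDateTime } -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        DeviceName = $d.deviceName
        DeviceId   = $d.id
        LastUser   = Resolve-Upn $last.userId
        LastLogOn  = $last.lastLogOnDateTime
    }
}

$report | Sort-Object LastLogOn -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\intune-last-logon.csv -NoTypeInformation   # assumption: output path
```

Devices that have never reported a logon come back with an empty usersLoggedOn list and show blank LastUser/LastLogOn columns rather than being dropped, which is usually what you want when the goal is to find unlabelled machines.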

Connecting Azure AD mobilePhone attribute to SharePoint Online/Delve

I am running into an issue with having the user data for the mobilePhone attribute update and show up for our users' contact cards which run on the SPO/Delve platform. Does anyone know of a way to have the data sync?
To update the Azure AD mobile phone attribute in SharePoint Online, try the steps below:
Make sure to have the below modules installed before running the PowerShell script:
Azure Active Directory (AD) Module
SharePoint Online Module
MS Online Services Sign-in Assistant
Office365 CSOM package
The user must be a global admin on the SharePoint User Profile Application as well as a Service Admin on the Azure tenant.
To connect to PowerShell, make sure the user account is not configured for MFA.
To get all users, use the query below:
$AzureADUsers = Get-MsolUser -All
To overwrite existing values, use the query below:
$overwriteExistingSPOUPAValue = "True"
To see how to do it in detail, please find the reference below by Raymond Tishenko:
Sync Mobile Phone from Azure Active Directory to SharePoint Online using PowerShell (tishenko.com).
After executing the script, you can see that values are successfully copied from Azure Active Directory to SharePoint.
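A working version of that sync, as an added example that is neither the answer's nor Raymond Tishenko's script. It swaps in Microsoft Graph PowerShell and PnP.PowerShell for the MSOnline/CSOM modules the answer lists, so an MFA-enabled admin can run it interactively instead of having to exempt an account from MFA. Assumptions: both modules are installed, the account is a SharePoint Administrator, $AdminUrl is your tenant admin site, CellPhone is the SharePoint profile property behind the "Mobile phone" field on the contact card, and recent PnP.PowerShell releases may require your own Entra app registration passed via -ClientId.

```powershell
# Added example: copy Azure AD mobilePhone into SharePoint Online user profiles.
# Assumptions: Microsoft.Graph and PnP.PowerShell installed; SharePoint Administrator;
# $AdminUrl is your tenant admin site; CellPhone is the target profile property.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',   # assumption: your tenant
    [bool]$OverwriteExistingSPOUPAValue = $false                  # same switch the answer shows
)

Import-Module Microsoft.Graph.Users
Import-Module PnP.PowerShell

Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
Connect-PnPOnline -Url $AdminUrl -Interactive

# Only member users with a phone number set are worth touching.
$users = Get-MgUser -All -Filter "userType eq 'Member'" -Property UserPrincipalName, MobilePhone |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.MobilePhone) }

$updated = 0; $skipped = 0; $failed = 0
foreach ($u in $users) {
    try {
        $spoProfile = Get-PnPUserProfileProperty -Account $u.UserPrincipalName
        $current = $spoProfile.UserProfileProperties['CellPhone']
        if ($current -eq $u.MobilePhone) {
            $skipped++; continue            # already in sync, avoid a needless write
        }
        if ($current -and -not $OverwriteExistingSPOUPAValue) {
            $skipped++; continue            # keep what SharePoint already has
        }
        Set-PnPUserProfileProperty -Account $u.UserPrincipalName -PropertyName 'CellPhone' -Value $u.MobilePhone
        $updated++
    } catch {
        $failed++
        Write-Warning "$($u.UserPrincipalName): $($_.Exception.Message)"
    }
}
Write-Host "Updated $updated, skipped $skipped, failed $failed"
```

Run it once with $OverwriteExistingSPOUPAValue left at $false and compare the skipped count against what you expect before switching it on; profile writes are not versioned, so an overwrite cannot be rolled back from SharePoint.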

Issue when trying to create a sendgrid account on azure server

I am trying to use sendgrid on azure, but when I am creating the account, it gives me an error saying:
The portal is having issues getting an authentication token. The experience rendered may be degraded.
Additional information from the call to get a token:
Extension: SendGrid_EmailService
Details: code: 500, statusText: error, message: There was an error processing your request. Please try again in a few moments., stack:
It has been giving me this since morning, which is pretty annoying. It also disables two fields and marks them as loading:
Screenshot of the two fields marked as loading (for a very long time)
Since SendGrid wasn't working I thought I'd try SparkPost - the signup was successful, but it has been taking hours to deploy.
Then I thought of manually configuring the SMTP settings so the host and user and so on could be SendGrid, but I wasn't able to find a way to do so.
Could someone help me out please! Thanks in advance!!
EDIT: This problem has been solved by the Microsoft Team.
Looks like SendGrid has some technical problems. You should first check SendGrid's official support website to see if this is the issue. I was using SendGrid for a while, but I had to move to another solution. When you register a SendGrid account via Azure you get the standard SendGrid plan. That means that you are sending your mails through shared SendGrid IPs. This is probably OK for marketing emails, but if you intend to send any transactional emails like password resets, bills etc. you will eventually end up tearing your hair out, because shared SendGrid IPs are on most existing spam blacklists out there.
SendGrid app status
I was able to get into SendGrid using the following steps from Aaryaman Maheshwari in this comment:
Steps from Aaryaman's answer:
Step 1: In order to find your username for SendGrid, first go to the SendGrid resource and then click Properties. Now copy the resource ID.
Step 2: Now, in the Azure online shell, open bash and type the following command: az resource show --ids [THE COPIED RESOURCE ID]
Make sure to replace [THE COPIED RESOURCE ID] with the resource ID you copied in step 1.
Step 3: In the JSON string that the terminal outputs, look for the username property and note that down.
Step 4: After you do that you can manually go to sendgrid.com and then enter the username you just retrieved and then the password which you used to sign up with.
Thanks Aaryaman Maheshwari
In order to increase security, SendGrid has recently required enabling two-factor authentication to connect to your account (it started one or two weeks ago).
Since then, the "automatic" connection from Azure to SendGrid has stopped succeeding, and we have the same 500 error.
Also, "basic authentication" (username / password) will stop working (starting from 10 December I believe) in your API.
I'm not sure this is the reason, but it happens at the same time ;)
Just to update:
A bug was identified on the Azure Portal and our product engineering team has fixed the issue.
Provisioning a SendGrid account via https://portal.azure.com/ and managing it works as expected.
The alternate https://rc.portal.azure.com/ URL was shared during the impact and is no longer required.
We had a discussion on the Q&A thread. Once again, apologies for all the inconvenience. Much appreciate the follow-up and great collaboration.

Azure AD application preconsent not working

(Related to this question)
I have an application that should be automatically usable for all customer tenants, and therefore tried this tutorial to enable preconsent.
After running the PowerShell commands and getting the application again, I can see that it is enabled:
PS C:\Windows\system32> $graphResponse.value.recordConsentConditions
SilentConsentForPartnerManagedApp
However, when creating a new tenant (or using an existing one) and trying to access Microsoft Graph's /users call, I get a 500 error until I navigate to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&prompt=admin_consent (with {0} being the clientId of the app), sign in as an admin and accept the delegation.
Am I missing a step here?
After contacting Microsoft support, this is a bug on their side. They told me yesterday that the engineering team acknowledged it. It will be fixed.
In order to query the MS Graph, your app will need to be granted the appropriate permissions by an end user or by an administrator of the tenant. Usually the best way to acquire consent from an administrator is by using the prompt=admin_consent parameter, as you've done above.
If for some reason you must do so via powershell, you can create an oAuth2PermissionGrant object using a consentType of AllPrincipals.
Personally I wouldn't recommend using the recordConsentConditions property. It's only there for legacy reasons - I don't even know what it does.
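The PowerShell route the answer above mentions, as an added example (not code from the answer or from the tutorial the question links): creating an oAuth2PermissionGrant with consentType AllPrincipals through Microsoft Graph PowerShell, which is the tenant-wide equivalent of prompt=admin_consent for delegated permissions. It assumes the Microsoft.Graph SDK is installed, the signed-in account holds a role that may grant consent (for example Global Administrator), $AppId is the multi-tenant app's client ID, and $Scopes is the smallest delegated scope list the app needs; the scope list shown is an assumption standing in for whatever /users actually requires. The scope validation against Graph's published scopes and the idempotent update path are additions.

```powershell
# Added example: tenant-wide delegated consent via oAuth2PermissionGrant (AllPrincipals).
# Assumptions: Microsoft.Graph SDK installed; consent-granting role; $AppId and $Scopes below.
param(
    [string]$AppId = '00000000-0000-0000-0000-000000000000',   # assumption: your app's client ID
    [string[]]$Scopes = @('User.Read', 'User.ReadBasic.All')   # assumption: minimal scopes for /users
)
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All' | Out-Null

# The grant is between service principals, so the app must exist in this tenant first.
$client = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $client) {
    $client = New-MgServicePrincipal -AppId $AppId
}
# Microsoft Graph's well-known application ID.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Refuse scopes Graph does not publish; a typo would otherwise be stored silently.
$published = $graph.Oauth2PermissionScopes.Value
$unknown = $Scopes | Where-Object { $_ -notin $published }
if ($unknown) { throw "Unknown delegated scope(s): $($unknown -join ', ')" }
$scopeString = $Scopes -join ' '

# Idempotent: update an existing AllPrincipals grant rather than creating a duplicate.
$filter = "clientId eq '$($client.Id)' and consentType eq 'AllPrincipals' and resourceId eq '$($graph.Id)'"
$existing = Get-MgOauth2PermissionGrant -Filter $filter
if ($existing) {
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $scopeString
    $grant = Get-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id
} else {
    $grant = New-MgOauth2PermissionGrant -ClientId $client.Id -ConsentType 'AllPrincipals' `
        -ResourceId $graph.Id -Scope $scopeString
}
"Grant $($grant.Id) for $($client.DisplayName): $($grant.Scope)"
```

Note that this only covers delegated scopes; application permissions are appRoleAssignments on the service principal, a different object. An AllPrincipals grant is standing consent for every user in the tenant, so keep the scope string minimal and review existing grants with Get-MgOauth2PermissionGrant before adding to them.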

Azure Management URL

So, finally I decided to jump on the Azure bandwagon and create my own portal. At the moment, my apps are hosted on Google Apps and I'm considering moving them to Azure and O365, before which I wanted to trial and get a taste of MS Azure.
I signed up for a trial subscription and my management URL ended up something like https://manage.windowsazure.com/#MynameMydomainname.onmicrosoft.com. So I decided to delete this account and set up a new account altogether, trying to sign up with a new domain alias. And now it is https://manage.windowsazure.com/#MyaliasMydomainname.onmicrosoft.com. MS Support wouldn't help and would want me to sign up for O365, which I don't want to at the moment.
Why my management portal always has my complete e-mail address and how do I edit it?
Edit: Thought would add the following example to explain my problem a bit easier.
My name is Muthu and I already have an e-mail address Muthu@Contoso.com and now I attempt to set up my Azure around it. I sign up for a Microsoft account with the e-mail address Muthu@Contoso.com, provide my card details and successfully set up the account. Now, the logon URL looks like https://manage.windowsazure.com/#MuthuContoso.onmicrosoft.com and the default directory has the UPN suffix @muthucontoso.onmicrosoft.com.
I set up an account for users Eddie, George and Mark and their UPNs appear as follows:
Eddie@muthucontoso.onmicrosoft.com
George@muthucontoso.onmicrosoft.com and
Mark@muthucontoso.onmicrosoft.com.
How do I get rid of my name from the domain name here?
P.S.: I managed to get rid of my name from the Management portal URL by simply verifying my ownership of contoso.com using O365 control panel but still couldn't get around to rename the default directory. I can't force my name for the users in my organization just because I signed up for it. There should be some way around. Kindly help.
When logging in you're actually signing in to an AAD tenant, which is bound to a subscription. As you can have multiple subscriptions and tenants, they need to show you where you are.