I'm unable to add user in Azure Devops Organization - azure

I'm a user of a Azure DevOps organization with Basic access along with Project Access Administrator group membership
But when I try to add a user at organization level it gives me a error
You are a Guest in the connected Azure AD and Guests may not be able
to search users in the the Azure AD. Please contact your Azure AD
admin to make you a member of the connected Azure AD to enable
searching for users.
Could someone please help me on this?
I'm a AAD member and also the user whom I'm trying to add is also AAD Member not sure why it is telling that I'm a guest user.

Related

Adding Users to the AAD Group via MS Graph

I am trying to add users to the AD Group via MS Graph API using application permission, and can't give GroupMamber.ReadwriteAll permission as this will allow app registration to add people to any group which is a security concern. My app registration is the owner of the AAD group.
Any help is much appreciated.
Thanks.
Please note that, to add users to the Azure AD Group via MS Graph API, you must have one of the below permissions as mentioned in this MsDoc.
Without having at least one of the above permissions, you cannot add users to the Azure AD group.
I assigned the app as owner of the group like below:
I tried to add users to the Azure AD group without granting any of the above permissions and got the error like below:
After granting the required permission, I was able to add the user to Azure AD group successfully like below:

Can't create an AD account because the directory is federated (AADB2B_0001)

We're trying to invite users (including those from different ADs) to ours in order to give them access to our enterprise app. We are using the AD to manage the app's users and permissions.
We send them an email to join our AD as a guest user.
However, when they already have an Azure AD account connected to a local AD (that's federated), we don't have the permission to create an account on our side.
There are a few articles on this problem including (resending invites till it works, asking them to add our organization to trusted, and creating our own account for them)
https://techcommunity.microsoft.com/t5/Microsoft-Teams/Invitation-redemption-failed-AADB2B-0001/td-p/292175
http://answers.flyppdevportal.com/MVC/Post/Thread/d9c92fea-a554-4c7a-91af-30016aa35111?category=windowsazuread
Our objective is to use their AD sign in for our apps as well. Is there an easy way, such as copying their AD profile or sending them a link that they have to simply click "Yes" without having to do much IT work on their side? Thank you!
Here's an example from a different post:
They have a local ad and an azure ad setup, but the specific user I was trying to invite doesn't have an account in their azure ad.
We can't create an azure ad account for them
They have to give the user an azure ad account

Azure AD B2C invite as guest for administration

Recently I am starting to get an error when trying to invite a guest user to my Azure AD B2C tenant, for only user from a specific domain. The reason i'm inviting is to share the administration process with the specified user.
The error i'm getting is: User account is disabled
So far what I've tried:
Using the Users > New guest user" UI in Azure AD blade.
Using the "Organizational relationships > New guest user" UI in Azure AD blade.
Using the Users > New guest user" UI in Azure AD B2C blade.
Using graph api invitations endpoints.
Observation: Only happen for user from specific domain (External Azure D) but works for those with Microsoft account.
Just for everyone's benefit here I'm posting the answer after consulting with Microsoft support.
There are 2 possible issues that might cause you unable to invite the Guest user to the Azure AD:
Users are not properly deleted. When you search for the user email, it might not be visible in the UI, but still unable to invite. It's partly because the UI has some limited search capabilities (exact/startswith email or name only).
Solution: You can use graph api to query for the user. You should definitely try to look for the user based on the OtherMails field.
User you're trying to invite is from an Azure AD tenant that is also one of identity provider trusted in your Azure AD B2C. This is the cause of the issue with my implementation that I found.
When the user use their Azure AD credential logging in for the 1st time to my application (Azure AD B2C), a "social account" is created automatically in the Azure AD B2C. This account is created with the UserPrincipalName in the format of cpim_guid#yourtenant.onmicrosoft.com, and AccountEnabled false (disabled). Their Azure AD email will be in the OtherMails property. This is why you can't find the user by their email in the UI, and you have to know the exact name they use in their Azure AD in order to find them.
Solution: If you can find in the UI, typically their MemberType is Member Source is External Azure AD, you can just delete the user. If not, use graph api to query for their email in OtherMails property. Then immediately invite the user as guest. They should have no problem logging in to the B2C application again as the social account will be created automatically.
Note: Ensure that you don't use Azure AD B2C policies that adds additional attributes to the user logging in using social account. If yes, you'd need some other strategy for deleting the user, inviting as guest, recreating the social account, and restoring back the additional attributes.

MS Graph Guest user cannot read Azure AD data

I created an application registered in Application registration portal and granted the admin consent there. As a user from our Azure AD, I can use my web app to read e.g. groups I have been assigned to in AD.
But when I invite a MS user to our AD (he becomes a Guest user there) the user can sign in into the application but he cannot read the groups (used the same method like the internal user). I always get an error: "Authorization_RequestDenied Insufficient privileges to complete the operation."
Is there a way to get it work? I have tried to browse through the Azure portal to check permissions or whatever but nothing helped so far.
Actually, for both AAD Graph API and Microsoft graph api , you cannot use a MS account guest user to read the groups data like a member in that tenant.
Even you can set guest user permissions with no limitation, but you still cannot get the data of a group in that tenant. This is because that MS Account is not a member of that tanant. So, it cannot specify a tenant to query.
I suggest you can use/create a member in your tenant to achieve this.

Add users from another AD to my team project

I've logged in to azure portal using my work account (Azure AD) and created new vsts account and team project. I can now login to vsts using my work account and add my colleagues from the same AD to team project.
Is it possible to add users/stakeholders from another company to my team project if I don't have admin access to my company's AD?
EDIT:
please vote for multi-tenant authentication in VSTS on uservoice
Answer from Microsoft support:
Any user who wants to use VSTS will have to be in that AAD. Normally they would get added as an MSA account, or an account in another AAD.
Me: I was thinking about creating my own AAD in Azure and adding users from another AAD to it, but I’m not sure whether they will still be able to log in using their corporate login and in case their account will be disabled in their AAD, it will be disabled also in my AAD.
If it is linked to an AAD, the accounts have to be in there somehow.
If he creates his own AAD and doesn’t have admin access to the corp aad, users will be added as MSA users.
If he did add corp users as AAD users (not MSA users) in his AAD and they were deleted/disabled in the native AAD, they would not be
able to logon to his VSTS. (Same is true for MSA users, if the MSA
account is deleted/disabled they couldn’t logon to VSTS even though
they were in his AAD as #EXT)
Accoording to this doc, no.
Q: Why can't some users sign in?
A: This might happen because users must sign in with Microsoft accounts unless your Visual Studio
Team Services account controls access with Azure Active Directory
(Azure AD). If your account is connected to Azure AD, users must be
directory members to get access. How do I find out if my account uses
Azure Active Directory (Azure AD)?
If you're an Azure AD administrator, you can add users to the directory. If you're not, work with the directory administrator to add
them. Learn how to control account access with Azure AD.

Resources