Acumatica and Outlook Plugin and Azure Single Sign on Error - acumatica

Related to the Outlook add-in for Acumatica... When our users try to authenticate with their Azure login, we see the following error.
https://www.dropbox.com/s/le7t3ez5ua69qls/Screenshot%202020-04-23%2019.18.52.png?dl=0
NOTE:
We have 2-factor authentication on for our users through Office 365, but I don't think that is the issue, as I disabled it and also tried using an app password, which would bypass the 2-factor.
We have customized the Outlook plugin and it works just fine when using a regular login (direct username and password into Acumatica as opposed to using single sign-on).

We are running Acumatica 2020 R1, and have this working. I am not sure if it will work in 2019R1, but you can give it a try.
Our environment is synced with local AD through Azure AD Connect. We have seamless SSO enabled with Passthrough Authentication, and the group policy trust enabled for the workstations. This allows the users to sign into Office 365 from their domain-controlled computers.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
When we enable automatic signon through AzureAD in the web.config, it works like a charm. We had issues in previous versions of Acumatica with our ADFS deployment. To enable automatic SSO in Acumatica you can modify your web.config:
<externalAuth authUrl="Frames/AuthDock.ashx" silentLogin="Federation" externalLogout="True" selfAssociate="True" instanceKey="" claimsAuth="False">
I would give this a try during off hours to see if it works with Outlook, and maybe change your production instance to sign in this way. You can always get to the login page by visiting https://acumaticainstance/Frames/Login.aspx?SilentLogin=None
Maybe setting auto sign-in will fix Outlook and be easier for those users, and be more beneficial than for the non-Azure users?

Related

Multifactor authentication with conditional access in Azure Active Directory for custom app

We have a custom web application which is hosted on a Hetzner server. The users get redirected to Azure AD to log in when they want to access the site. Our goal is to enable MFA only for this application, but it does not work. There is only the normal login but no need for a second factor.
We have added a custom cloud app in Azure AD and configured a policy for this app with MFA activated (no matter which client, location, etc.). When MFA is activated globally it works and the users have to enable/use a second factor to get logged in by Azure AD. But with the policy it does not work.
The What-If tool says that the policy is used. The Azure AD has a P2 license and for testing one user also has a Cloud App Security license.
Does anyone know why the conditional access rule is not taken into account?
I tested on my side, and everything was fine. Here is my conditional access setting:
Select users and groups
Choose the application
Set the grant access control
Enable the policy
Finally, when I tried to sign in to the web application, I was asked to provide additional information. But for other apps (Azure portal, Office portal and so on), I can still directly sign in.
Finally we found a solution for our web application.
Our application uses response_type code and used scope user.read when redirecting to Azure AD. We have added openid to scope and now the conditional access policy is executed.
I don't know why this fixes the issue, but maybe someone also falls into this trap and at least finds a solution.
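To make the fix above concrete, here is an added example (not code from the poster's application) that builds the Azure AD v2.0 authorization-code request both ways and flags the request that lacks the openid scope. The tenant, client id, redirect URI and state value are constructed placeholders; the explanation in the comments, that a request scoped only to user.read is a token request for Microsoft Graph rather than an OpenID Connect sign-in to the app itself, is my reading of the behaviour, not something the answer states.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Azure AD v2.0 endpoint base (real endpoint); tenant is appended per request.
AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state="constructed-state"):
    """Build an Azure AD v2.0 authorization-code request URL.

    With only 'user.read' the request asks for a delegated token for Microsoft
    Graph; with 'openid' included it becomes an OpenID Connect sign-in to the
    app itself (assumption: that is why the app-scoped policy then applies).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # constructed value; a real app uses a random one
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def check_authorize_url(url):
    """Return a list of findings for an authorization request URL.

    An empty list means the request is an OIDC authorization-code sign-in;
    a missing 'openid' scope is the trap described in the answer above.
    """
    query = parse_qs(urlparse(url).query)
    scopes = query.get("scope", [""])[0].split()
    findings = []
    if query.get("response_type") != ["code"]:
        findings.append("response_type is not 'code'")
    if "openid" not in scopes:
        findings.append("scope lacks 'openid': request is not an OIDC sign-in")
    return findings


if __name__ == "__main__":
    # Constructed placeholder identifiers, not a real tenant or app.
    common = ("contoso.example", "00000000-0000-0000-0000-000000000000",
              "https://app.example/signin-oidc")
    before = build_authorize_url(*common, ["user.read"])
    after = build_authorize_url(*common, ["openid", "user.read"])
    print("before:", check_authorize_url(before))
    print("after: ", check_authorize_url(after))
```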

SAP Custom Fiori Client (iOS) integration for Intune - Blocked by CA rule because of unauthorized browser

I would like to integrate SAP custom Fiori Client into Microsoft Intune.
I generate the Cordova project with the SAP Kapsel SDK for iOS, do the needed adaptations (e.g. fioriURL) in Xcode, sign it for enterprise distribution and wrap it with the Intune wrapping tool.
CA rules, App protection policy and App configuration policy are all set correctly.
I published the internal URL of the backend system via the Azure AD Webapplication proxy and it is reachable via Intune Managed Browser / Edge without any issues.
When starting the app it leads me to ADFS authentication, which is successful, but before getting to the login page for the SAP system, the following error appears:
Cant get there from here. The current browser is not supported, please use Microsoft Edge or Internet Explorer to acccess this application.
I checked it with Chrome for iOS and got the same error. Obviously Conditional Access rules only allow certain browsers, but I could not find a way to change that.
The following link stated that a potential solution can be to change the parameter for InAppBrowser.open / window.open calls to "_system". Considering that a lot of Cordova plugins use this functionality, I do not want to change that in the plugins.
how to open a link in the Intune Managed browser.
I am searching for a solution to either change the Conditional Access rules to allow different browsers or adapt the custom Fiori client in a way that the respective browsers are used.
Thanks for all of your input :)
In the Microsoft docs https://learn.microsoft.com/en-us/intune/app-configuration-managed-browser
it says the following:
Conditional Access for protected browsers
The Managed Browser is now an approved client app for Conditional Access. This means that you can restrict mobile browser access to Azure AD-connected web apps where users can only use the Managed Browser, blocking access from any other unprotected browsers such as Safari or Chrome. This protection can be applied to Azure resources like Exchange Online and SharePoint Online, the Office portal, and even on-premises sites that you have exposed to external users via the Azure AD Application Proxy.
To restrict Azure AD-connected web apps to use the Intune Managed Browser on mobile platforms, you can create an Azure AD Conditional Access policy requiring approved client applications.
In the Azure portal, select Azure Active Directory > Enterprise applications > Conditional access > New policy.
Next, select Grant from the Access controls section of the blade.
Click Require approved client app.
Click Select on the Grant blade. This policy must be assigned to the cloud apps that you want to be accessible to only the Intune Managed Browser app.
Please check if the above feature is turned on on the Azure side.
This may be the reason that only Edge or the Intune browser are allowed to access the page.
According to the Azure doc above it seems this was turned on by someone.
Otherwise you might also want to contact Microsoft for support on this.

Unable to connect through Azure Portal

I've been connecting to Azure through the Portal for a month or two. Today I went to connect and kept getting the following error:
"User account you used to sign in is not supported for this application. Please use a different account to sign in."
I searched for this error and every post I found was related to accessing Azure through Visual Studio and a problem with Update 4. I'm not using Visual Studio just trying to connect through the browser.
One of our other developers can successfully log in using the same userid/password. I tried a few things... rebooting and logging in immediately before opening any other apps... tried logging in from a virtual machine, but the same problem occurred every time.
The other developer mentioned it could have something to do with Office 365. I think this is the first time that I have tried to log in since we installed Office 365 last week. I use a different userid for Office 365. So I tried my Office 365 userid and it successfully logged in to Azure. I then tried entering a dummy Yahoo email as the userid as a test. This resulted in me being taken to the "Login Live" webpage. The login failed as expected (unknown userid). But I then tried my Azure userid on this page and it was successful logging in to Azure.
Can anyone suggest why I can't log in through the Portal? Is there some sort of a conflict between the Office 365 user and the Azure login?
Anthony.
Your scenario will arise if your previous account uses the same domain as is now hosted on Office 365. The Azure Portal login page will do "home realm discovery" based on your email "bob#example.com" and if it finds an Azure AD instance (used for Office 365 auth) then you will be directed to the Azure AD login page. If that email doesn't exist in Azure AD then the login will fail.
You should be able to use your Office 365 login to gain access, though the username will need to be added as an Azure co-admin.
If you want to use your old account, what you'll need to do in the Azure Portal login page is type "somethingrandom#hotmail.com", which will force you to the Microsoft Account login page. On that page put your old email address and password and you should be able to log in.
I wrote a blog about this situation which may explain it better than the above.
Have you tried clearing all the saved cookies on your computer first, then trying again?

Double hop Issue In SharePoint Yammer Integration

Scenario
Our organization network in Yammer is configured with ADFS (SSO 2.0) which redirects to STS login prompt.
However, after integration in a SharePoint CEWP using Yammer Embed or the JS SDK we have to provide the credentials twice: once for logging in to the SP portal and again for Yammer, where both credentials are the same.
Please let me know a way to avoid multiple login prompts.
Steps Tried
Set the use_sso property to true as mentioned in the Yammer documentation.
Tried adding the Yammer domains to trusted sites as mentioned here.
Have you tried Windows authentication? That way, ADFS will use the use_sso property to automatically log you in.

WSS 3.0 Authentication mode

I have two questions on WSS 3.0:
How do I know what kind of authentication is currently in use?
How do I set the authentication in such a way that users on office network don't have to input user name\password? So if users are in the office they can just go straight in without using a password? Those outside the office will obviously still have to use the password.
A detailed answer would be really great.
For #2, you also need to make sure that Internet Explorer has your site listed as a trusted site or intranet site so that IE will be willing to pass the credentials to the SharePoint Server.
There are two built-in authentication types: Windows and forms.
You can configure it in central administration (as far as I remember in "Application Management" section).
Windows authentication will use the current user's Windows credentials to log in to the site. So if SharePoint is configured with Windows authentication and permissions were granted to the user, there will be no request to enter a login/password. In the other case (outside of the office, for example) the site will ask for credentials.