Can't see my Azure DevOps Organization after disconnecting it from AAD - azure

I am not able to see my DevOps organization in the left-hand side panel after logging in, now that it is detached from the AAD, though I can access it with the URL dev.azure.com/ and change the settings etc.
I only see those organizations which are attached to the AAD. I also tried to switch my account type to Microsoft Account, but the option is not there in the dropdown in the profile section.

I only see those organizations which are attached to the AAD.
According to your description, this is expected behavior. Since your organization is detached from the AAD, it will not be shown in the same list as those organizations still in AAD.
In other words, you are using an account backed by AAD to log in to Azure DevOps.
To see this organization, you need to use a personal account (even if it has exactly the same name as the work account) to log in to that Azure DevOps organization.
but the option is not there in the dropdown in the profile section. Yes, there is no such option setting. You could take a look at our official doc here:
Why can't I sign in after I select "personal Microsoft account" or "work or school account"?
Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions. Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:
Close all browsers, including browsers that aren't running Azure DevOps.
Open a private or incognito browsing session.
Go to this URL: https://aka.ms/vssignout.
You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage.
If the sign-out page takes more than a minute to sign you out, close the browser and continue.
Sign in to Azure DevOps again. Select your other identity.
I suggest you use an InPrivate-mode browser to log in, then authenticate with your Microsoft Account, and select "personal account" if you need to choose between a "work or school account" and a "personal account".

Related

How to migrate Microsoft Authenticator App with Azure AD B2C account to new phone?

With Multi-Factor Authentication enabled on the Azure portal, users are required to approve every login in their Authenticator app.
When I changed my phone, the Authenticator app had to be migrated to my new phone. I used the Backup and Recover function of the Authenticator app. I backed up and recovered the account details to the new phone. For work or school accounts, the migration process requires Additional Security Verification, which requires rescanning the QR codes of all accounts in the Authenticator app. I have rescanned all QR codes of the work or school accounts that I created.
Now my issue with this migration is the Azure AD B2C account. It was created by Azure when I created the Azure AD B2C directory. The name of the account in the Authenticator app is admin_mydomain.com#EXT#@mydomain.onmicrosoft.com. It is not a work or school account. From the name, it may relate to my Azure login account (admin@mydomain.com, a work or school account). I have spent many hours on it, but I still don't know where this special account's details are stored. So I can't get the QR code of the account for the Authenticator app, and I can't finish my Authenticator app migration.
This account's authentication is required when I switch from the Azure primary directory to the Azure AD B2C directory in the Azure portal.
Please help me with this issue. Thanks.
[UPDATE] I just realized that what worked for me is the solution Alfredo R already posted! So I can confirm that this works.
While I'm still struggling to revalidate my [username]@[custom-domain].onmicrosoft.com account, I think I found a solution for the AAD B2C problem:
Login to https://myaccount.microsoft.com/
The main menu "Security information" will show you the registered devices for your current organization.
Main menu "Organizations": you should at least see the other organization of the B2C tenant.
In the top right menu, click your avatar, choose switch organizations, and switch to the B2C tenant.
The UI should be the same, but now you're logged in through the B2C tenant.
Go back to "Security information" and add your new device.
I was lucky that my old device is still working, so I could easily switch organizations. If you can't switch because of MFA and you have no access to your old device, I think you still need to disable MFA in the B2C tenant as described in the other solution and then turn it back on?
But I think that's the way to get the QR code for a B2C tenant: log in to your account and switch to the B2C tenant by switching organizations.
admin_mydomain.com#EXT#@mydomain.onmicrosoft.com is the UPN (user principal name) for the user hosted in the Azure B2C tenant for your work account admin@mydomain.com. Scan the QR code as with the others, but switch first to the B2C tenant.
There are a few steps needed to fix this issue.
You need a global admin account of the Azure AD B2C directory, but you can't use the one that you are going to migrate. Please create one if there is no other global admin account available.
Go to Azure Active Directory of the Azure AD B2C directory. Click on Properties in the left main menu, then go to the bottom of the Properties page and click on the link Manage security defaults. Disable security defaults and save in the popup window.
Run local PowerShell as local admin. Run the following cmdlet to connect to the Azure AD B2C active directory:
PS C:\WINDOWS\system32> Connect-MsolService
MAF login will ask for user name and password. Please use the credentials of the global admin account mentioned above. If no error appears, run the following cmdlet:
PS C:\WINDOWS\system32> Set-MsolUser -UserPrincipalName admin_mydomain.com#EXT#@mydomain.onmicrosoft.com -StrongAuthenticationMethods @()
Go back to Azure Active Directory of the Azure AD B2C tenant > Properties in the left main menu > the bottom of the Properties page > click the link Manage security defaults. Enable security defaults and save.
Log in to the Azure portal with admin@mydomain.com, then switch to the Azure AD B2C directory. You will see a popup security setting wizard. That is the same wizard as when we first set up the directory. Please follow the wizard. You will see the QR code for admin_mydomain.com#EXT#@mydomain.onmicrosoft.com. You can scan the QR code to finish the MS Authenticator migration.
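As an added example (not part of Alfredo R's answer), the same MFA reset wrapped in a short script that shows which methods are registered before clearing them, keeps an audit copy, and verifies the result afterwards. It assumes the MSOnline module is installed, that you sign in as a different global admin of the B2C tenant with security defaults already disabled as in step 2, and it uses the placeholder UPN from the question.

```powershell
# Added example, not from the original answer. Assumes the MSOnline module and
# that Connect-MsolService is answered with a *different* global admin of the
# B2C tenant than the user being reset (as the answer above requires).
Import-Module MSOnline

# Placeholder UPN taken from the question; replace with the real B2C guest UPN.
$Upn = 'admin_mydomain.com#EXT#@mydomain.onmicrosoft.com'

# Prompts for the global admin credentials of the B2C tenant.
Connect-MsolService

$User = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
Write-Host "Target user: $($User.DisplayName) ($($User.UserPrincipalName))"

# Record what is registered before touching anything, so the change is reviewable.
$Before = @($User.StrongAuthenticationMethods)
if ($Before.Count -eq 0) {
    Write-Host "No strong authentication methods registered; nothing to reset."
    return
}
$Before | Select-Object MethodType, IsDefault | Format-Table -AutoSize
$Before | Export-Clixml -Path ".\mfa-methods-before.xml"   # audit copy

# Clearing the methods forces re-registration at the next portal sign-in,
# which is the wizard that displays the Authenticator QR code.
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationMethods @()

# Verify the reset actually took effect before re-enabling security defaults.
$After = @((Get-MsolUser -UserPrincipalName $Upn).StrongAuthenticationMethods)
if ($After.Count -eq 0) {
    Write-Host "Reset done: $Upn will be asked to register Authenticator on next sign-in."
} else {
    Write-Warning "$($After.Count) method(s) still registered; re-check security defaults and retry."
}
```

Re-enable security defaults (step 4 above) only after the verification line reports the reset as done; otherwise the wizard may not appear.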

How can I be global administrator of my Azure portal?

I signed up for a trial Azure portal account.
Many times, however, I see "admin consent required" in the portal and it seems I'm not an admin...
How can I be admin of my own portal that I created?
In Enterprise applications | User settings I see the "Admin consent request" grayed out and set to "no"...
It's possible to get this if you sign up with an email account that's already associated with an Enterprise Agreement. It's best to sign up for a trial account with a Live ID or similar and use InPrivate browsing to initially set it up, so the portal doesn't pick up any saved credentials.

MFA automatically enabled on Azure AD B2C tenant

I recently added an Azure AD B2C tenant to an existing subscription.
Whenever I want to manage that tenant on portal.azure.com, I have to verify my account:
After clicking Next, I can only select "Mobile app" from the dropdown to verify my account. There is no option to verify by phone.
Since this tenant is new, I first have to register it in Microsoft Authenticator by selecting Set up:
This brings up an error message without Correlation ID or timestamp:
There are no Conditional Access policies. In fact, I cannot add any since this tenant does not have Azure AD Premium. Nor does the Azure AD tenant holding the subscription from which this AD B2C tenant was created.
MFA is only required when trying to manage the AD B2C tenant through portal.azure.com, not on other applications, and not when accessing the Azure AD tenant.
Questions:
How can I disable MFA for this AD B2C tenant? And why was it enabled in the first place?
If MFA cannot be disabled, how can I register my device or phone number?
Thx,
The issue is resolved. Not sure if Azure Support took action without notifying, or because of what I did.
Anyway, here are the steps I took:
On portal.azure.com, go to Azure AD > Users > Multi-Factor Authentication (it's in the top menu).
The Multi-Factor Authentication page opens in a new browser window.
Enable MFA for the user account with the issue.
Log on with that account at account.activedirectory.windowsazure.com.
Click your account in the top-right corner to open a dropdown menu and select Profile.
Select 'Additional Security Verification'.
All verification options are available here, including call, text, or use mobile app (Microsoft Authenticator).
Complete the Additional Security Verification and make sure MFA works.
Go back to Azure AD > Users > Multi-Factor Authentication, and disable MFA again.
In our case, MFA was set to Disabled for all users but active anyway, both for local accounts in the AD B2C tenant and External Active Directory accounts.
MFA status of External Active Directory users cannot be changed on the Multi-Factor Authentication page of the AD B2C tenant. This has to be done in the Azure AD page of their respective AD tenant.
The problem is solved, but the cause is undetermined. We do not have an AD Premium subscription and should not have access to the MFA feature at all.
I think your answer @flip is part of the riddle. You're in effect pre-registering your phone number, so when forced to set up MFA you're granted the additional TEXT options. We've noticed variations in the AAD join processes where sometimes you're prompted to enter a phone number prior to this step, and sometimes not.
For example, if you log on to a device as a local user and join AAD as illustrated, you can get both scenarios. I think the same is true for a new build, as in a previous test we had to enter a mobile number, but I can't recall exactly which scenario.
However, after several more days with Azure support we've managed to isolate the root cause, if anyone is interested. Turns out MFA IS being enforced through "Security Defaults" (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). MS have actually just updated their article TODAY to clarify.
In effect, disabling Security Defaults will stop the enforcement although be wary not to confuse the prompts with Windows Hello setup as we were (we tested by disabling completely via Group Policy). I'm convinced however this wasn't the case a week ago and something's been changed behind the scenes recently.
Bottom line, you're going to have to deploy MFA in some form to join AAD unless you disable Security Defaults. Not great for endpoint migration but at least we know where it's coming from now.
I think we may have partly figured this out. In our instance, disabling the MDM User Scope allowed logon without any 'Additional Security Verification' being enforced. We don't have an Intune subscription either, but this is under AAD > Mobility (MDM and MAM). It does mean, however, that devices aren't enrolled, so where exactly MDM is picking up this configuration from is the next question. Will be putting this to Azure support when they call us again tomorrow!
An Azure AD tenant comes with security defaults settings. You will have to disable this setting in the active directory:
Active directory > Properties > Manage security defaults > toggle to No
This will disable the default MFA setup.

Sign-in to B2C using either Personal or Work or School email address

I am currently working on a B2C setup for my company.
In our Azure AD account, I have an email, say myemail@mycompany.com, which has a password.
I also have a Microsoft Live account using the same email, myemail@mycompany.com, which has a different password.
I have created a B2C setup using the following documentation.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-msa-app
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-setup-msa-app/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-app-registration/
After doing the B2C setup, I am able to obtain a link; below is an example.
https://login.microsoftonline.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signin1&client_Id=&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=form_post&scope=openid&response_type=id_token&prompt=login
In my Azure setup, I already have both emails (Azure AD and Microsoft Live) added to my list of users.
My problem is, when I use the link generated from my B2C setup, it only seems to allow me to sign in using the Microsoft Live account (which has a different password from my Azure AD account).
Is there a way, or a configuration, which will allow my B2C setup to invoke a sign-in page where I can choose either my personal (Microsoft Live) account or my work or school (Azure AD) account?
At the moment, B2C does not properly support work accounts from AAD (ironic, eh?). You're correct in that personal accounts from MSA work just fine.
In B2C, you can add "local accounts" as an IDP, which will allow users listed in your tenant to sign into the app. I can't actually recall if that local account option allows you to sign in with a work account in your B2C tenant. You could give it a try if that's what you need. Most people however need proper support for AAD tenants, where work accounts are a dedicated option on the "IDP selection" screen. B2C doesn't have that today.
I do have a scratched together sample .NET app on my GitHub that shows how you can add support for work accounts and B2C in the same app. It's not pretty, but it works.
As for the same email/different password problem. Even adding the above support won't help. We don't expect that users will really be able to decipher a "work Microsoft account" button from a "personal Microsoft account" button. So, we are doing work to eliminate these situations, by limiting the number of users who get into such a situation and by providing an account linking option for those that are.
We do plan to support AAD work accounts in the near future. Sometimes your own family members are the hardest to work with.
If you feel so inclined, you can add your feature requests to https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c

"User already registered" when signing in to Azure API Management Developer Portal with Azure Subscription Administrator

I have Azure AD and Microsoft identity configured successfully on my APIM instance.
When I try to sign in directly with either identity provider to the Developer Portal (https://myapim.portal.azure-api.net/) of my APIM with the administrator account (which owns the Azure Subscription where APIM resides), the sign-up screen is displayed, and when I hit "sign up" I get:
User already registered
It seems a user with this email is already registered in the system. If you forgot your password, please try to restore it or contact our support team.
I currently have not found a way to get around the sign-up step; even when I hit sign in again I get re-routed to sign up.
Signing in to the Azure Portal first and then navigating across to the Developer Portal just works fine - no sign-up flow is invoked.
One remark: my MSA owning the Subscription is also linked into my AAD, therefore I could sign in either way.
In the end I used a functional/group account as APIM administrator - one we would never use to actually log on - then I was able to log in regularly with my own account again.