logic app : use another account to send mail - azure

I am searching for a way to automate some email reporting.
I have built a process with a Logic App to do that. The problem is that when I want to create an API connection to Office 365 with another account than mine (for example email.reporting#xxx.com), I cannot, because I am logged in with my personal account, so it always uses my account to create the API connection.
I also cannot log in to the portal with this other account because it doesn't have any access. What is the best way to do that?
Is it possible to give this other account access to the Logic App so that I can access it and change the connection?
Or is there a trick that allows changing the API connection directly?
Thanks

In my test I could use two different accounts to send mails. Since you don't show how you add the account, maybe you could refer to my steps below.
After I set an action to send mail, I add another action to send mail, choose Change connection, then choose Add new; a page pops up where you can choose an existing account or Use another account.

Related

Azure AD: Send welcome email when user is assigned to the application

I would like to send a welcome email to the user when the Azure AD admin assigns the user to the application (enterprise or custom). It would be nice to use a custom template to define an access URL and maybe some additional info (how to use, some rules, etc.). I haven't found anything similar in the Azure portal.
Does Azure AD provide such functionality? Or should I build custom implementation (Graph API, EventGrid + Azure Functions, SCIM protocol, etc.)?
From what I understand, at the very base, you want an email to be sent whenever a user is assigned to an enterprise application (or a custom one - assuming that also falls under the same). I assume you do not need to know much about who actually assigned the permissions. Either way, with the query below you should have enough to get going.
As far as I know there's no native support for this in AD (I couldn't find anything at all that's available, but I could be wrong), but a workaround for us was to do it using Log Analytics + Azure Logic App. While our use case is slightly different (we use it to monitor and be alerted for logins to a specific account), the same logic might apply to you. I put together a few lines to query Log Analytics, but I couldn't get the alert part working - Azure could just be sleepy right now.
EDIT: Alert worked the following day. Just needed some time to warm up I guess.
Give it a try:
Make sure Azure AD has diagnostic settings configured to send logs to a Log Workspace
Query the workspace using the following:
AuditLogs
| where TimeGenerated > ago(5m) //Change as required
| where ActivityDisplayName has "Add app role assignment grant to user"
| project Time = TimeGenerated, Activity = ActivityDisplayName, Application=parse_json(TargetResources)[0].displayName, User=parse_json(TargetResources)[1].userPrincipalName
| where Application contains "myapp"
Create an alert from Log Analytics (hopefully you get it working right away - each alert costs USD 1.50/month).
(a) You will need to create an Action Group
(b) Under Action Group, configure your email in the Notifications.
(c) You will need to come back to reconfigure an Action field to the Logic App you will create below.
Create a Logic App and start with an HTTP connector as the trigger to receive the content in JSON format.
Set up a Send an Email (v2) action with all variables and such, or another connector if applicable in your case. Customise the email in HTML.
One alternative to using Log Analytics and Alerts could also be to use PowerShell to query AAD logs and then pass the information to the Logic App through the HTTP POST URL that shows up when you save the HTTP connector.
Another alternative to using the HTTP connector could be to use the O365 connector with the trigger When a new email arrives (v3).
Things to consider:
There's at least a 5-minute delay between the time the event is logged and the time the alert is triggered. This is just the way the alert query works.
You will need to log in to the Logic App using the mailbox from which you want to send that email. That's something you might want to manage separately - expiring credentials etc.
Hope this gives you some ideas.
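The PowerShell alternative mentioned above, as an added example that is not part of the original answer: it pulls the same "Add app role assignment grant to user" audit event the KQL query matches, filters on the application name, and POSTs each hit as JSON to the Logic App's HTTP trigger. It assumes the Microsoft.Graph PowerShell module, an identity holding AuditLog.Read.All and Directory.Read.All, and that the trigger URL is supplied in an environment variable named LOGIC_APP_TRIGGER_URL (all assumptions).

```powershell
# Added example (not the original answer's code). Assumes Microsoft.Graph module,
# AuditLog.Read.All + Directory.Read.All, and a Logic App with an HTTP trigger.

function Get-NewAppAssignment {
    param(
        [Parameter(Mandatory)] [string] $ApplicationName,   # same role as 'where Application contains "myapp"'
        [int] $LookbackMinutes = 5                           # same 5-minute window as the KQL query
    )
    $since = (Get-Date).ToUniversalTime().AddMinutes(-$LookbackMinutes).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Same audit event the KQL query matches on, restricted to the lookback window.
    $filter = "activityDisplayName eq 'Add app role assignment grant to user' and activityDateTime ge $since"
    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        # TargetResources[0] is the application and [1] the user, as in the KQL projection.
        $app  = $_.TargetResources[0].DisplayName
        $user = $_.TargetResources[1].UserPrincipalName
        if ($app -like "*$ApplicationName*") {
            [pscustomobject]@{
                Time        = $_.ActivityDateTime
                Activity    = $_.ActivityDisplayName
                Application = $app
                User        = $user
                InitiatedBy = $_.InitiatedBy.User.UserPrincipalName   # who made the assignment, for the audit trail
            }
        }
    }
}

function Send-ToLogicApp {
    param(
        [Parameter(Mandatory)] [string] $LogicAppUrl,
        [Parameter(Mandatory, ValueFromPipeline)] $Assignment
    )
    process {
        # The HTTP trigger receives this JSON; the Send an email (v2) action fills its template from it.
        $body = $Assignment | ConvertTo-Json -Compress
        Invoke-RestMethod -Method Post -Uri $LogicAppUrl -ContentType 'application/json' -Body $body
    }
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
Get-NewAppAssignment -ApplicationName 'myapp' | Send-ToLogicApp -LogicAppUrl $env:LOGIC_APP_TRIGGER_URL
```

The trigger URL carries a shared access signature in its query string, so keep it out of scripts and source control (here it is read from an environment variable) and rotate it from the Logic App's access keys if it leaks.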

How to disable the custom domains filtering in Azure AD

Do you know if there is a way to disable the verified-custom-domains-only restriction when creating a new Azure Active Directory user? For example, I want to create a user that is using Gmail. I have tried to add gmail as a custom domain and verify it, but noticed that the steps are related to the DNS records of the domain, so I cannot do this. I know I can use the invitation service, but I want to create the user directly, without an invitation. So has someone experienced this, and if so, I am open to advice.
Have a nice day and stay safe.
It is not possible to create a user in Azure Active Directory that is using Gmail. In order to create a user in Azure Active Directory you need to add your domain and verify in Azure Portal.
You need to get your domain name from GoDaddy etc., then you need to add it in Azure Active Directory and verify it. After that you can create a user name under that domain.
I recommend you go through these two documents to get more detailed information.

Cannot change authentication account on Logic Apps

I am trying to build a Logic App to email the results of a DevOps query on a regular basis. When I use the 'Get query results' block in Logic Apps, I am unable to authenticate with my primary email address. Instead, Logic Apps keeps picking up my alias email address when I try to change the connection. No sign-in screen is displayed, so I assume my credentials are cached somewhere.
Any ideas on how I can change the account I use to login with?
Update
Trying to add a new connector using 'Add new':
No option to sign in. Defaults to .uk account rather than using .co.uk account that I am signed into through Azure.
Under API Connections you can find any connections the Logic App is using. Click a connection to be able to edit or delete it.
EDIT:
If you would like to use another email address instead of the current one, delete the connection and create a new one from the Logic Apps designer.

consumer accounts for Cloud Identity via API

I am using Cloud Identity Basic and I am admin.
My domain and its subdomain have many consumer accounts, which we got to know about via the "Transfer tool for unmanaged users". Now the question is:
how to manage / add consumer accounts via API, as I am looking for an automated process,
but the details available at the links below are a hard stop for me.
https://cloud.google.com/solutions/migrating-consumer-accounts-to-cloud-identity-or-g-suite
https://support.google.com/cloudidentity/answer/7044710?hl=en&ref_topic=7558419
It is going to create the account, overriding the existing managed ID, which I do not want. I want to send an email to the user for account migration [which is possible via the admin UI but seems not with the API, but in my organization manual addition of many users is not ]
1) Is there a way, by Google API, to identify whether a user being added is a consumer account for my domain and subdomain or not? Some way or another, so that new users and consumer accounts can be managed separately.
2) I do not want to "Require users to rename their existing account." as it will be more difficult for my org and unmanaged.
Any direction will be welcome, and let me know if more information is needed.
Unfortunately, there is currently no public API to initiate a user transfer or to query whether a given email address is used by a consumer user account. This functionality is currently only exposed via the UI in the transfer tool for unmanaged users.
However, if you have a large number of consumer accounts that you need to transfer, then Support might be able to help you.

Azure Applications; How to create a separate authorization page for out of network users

I've been tasked with figuring out a way to make a certain set of Azure users authenticate to a web application by accepting/denying a warning message that should be presented before the users are directed to the application itself. The users that should not go through this process are in-network users: they should be able to input the URL and be presented with a sign-in page, and from there they will have access to the application. This has already been configured via Azure AD, but the previous issue for out-of-network users is what I'm having issues with.
My current thought on this is to create a simple authorization page, created by an Azure Function, that out-of-network users will be directed to because their IP addresses will be placed in a conditional access rule to do so. From the simple page the user will be directed to the application, or logged out if they choose cancel.
This is just a thought, but I am definitely open to suggestions. Thoughts?
For those who may have been interested in an answer to this question, I have figured it out. In order to do this I had to create a "Terms Of Use" within Azure Active Directory. This Terms of Use consisted of a PDF file containing the information my users needed to view before accept/deny could be clicked. Once the "Terms Of Use" was created, I then created a custom conditional access policy which required users to accept the "Terms Of Use" before being able to access our portal or applications. Hope this helps.