I'm looking for a way to extract a report of my guest users in Azure AD with details of who was the original invitee of each guest user.
You can use the Audit logs feature under the Monitoring section in Azure Active Directory. Add filters to get the data you want, and then download it if you want.
My requirements are to find all the users who have not logged in via Azure AD in the last 45 days and last 90 days and take action. That is:
A nightly job runs against Azure AD and, if it finds users who have not logged in for the last 45 days, automatically disables those users.
A nightly job runs against Azure AD and, if it finds users who have not logged in for the last 90 days, or users that were previously marked inactive, deletes those users.
This link looks similar, but it goes through a review process. My requirements are a bit simpler.
Thanks.
There are several options for identifying and removing stale/inactive users:
The access review feature you linked for identifying and removing inactive users is the most seamless, built-in way to achieve this at the moment. You can specify the "days inactive" and then remove the accounts either after the review period passes or after no reviewer has responded. To create access reviews and identify inactive users, you do need to have a Premium P2 license.
Alternatively, you could use an Azure Automation account or an Azure Logic App to achieve the same thing. For instance, you could create an Azure Automation PowerShell runbook with a daily schedule that checks the Azure AD sign-in logs and deletes the accounts based on whether they have recently signed in (i.e. where max_TimeGenerated <= ago(45d)). There is an example blog post here that implements this logic. Note that to update the accountEnabled property of admin users, you need to use delegated permissions, which need to run in the context of a user.
Another option is to query based on the lastSignInDateTime property.
The documentation for How To Manage Inactive Users has an example of how to query users who haven't signed in after a certain date using Microsoft Graph API.
Example:
https://graph.microsoft.com/beta/users?$filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z
To test the call, you can sign in to Graph Explorer using the Global Administrator account of your tenant and execute the GET call.
Permissions Required:
Directory.AccessAsUser.All
Directory.Read.All
The SignInActivity property/endpoint is documented in detail here: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-3--list-users-including-their-last-sign-in-time
If you don't want the full list of users, you can also search for a specific user by name and evaluate the lastSignInDateTime:
https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'marileet')&$select=displayName,signInActivity
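The following is an added example (not code from the thread or from Microsoft's documentation) of the 45/90-day policy described in the question, applied to records in the shape of the Graph `signInActivity` response above. The user records are constructed; thresholds, the fixed "now", and the `createdDateTime` fallback are assumptions made for the example. It also shows why a client-side pass is needed in addition to the `$filter` above: a user who has never signed in has no `signInActivity` at all, so the server-side filter silently skips them.

```python
"""Classify Azure AD users into keep / disable / delete / review from Graph sign-in data.

Added example. Input mimics
  GET /beta/users?$select=id,userPrincipalName,accountEnabled,createdDateTime,signInActivity
The records below are constructed, not real tenant data.
"""
from datetime import datetime, timedelta, timezone

DISABLE_AFTER = timedelta(days=45)   # from the question
DELETE_AFTER = timedelta(days=90)    # from the question
NOW = datetime(2024, 5, 31, tzinfo=timezone.utc)   # fixed so the example is reproducible

SAMPLE_USERS = [  # constructed sample data
    {"id": "1", "userPrincipalName": "active@contoso.com", "accountEnabled": True,
     "createdDateTime": "2023-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T08:12:00Z"}},
    {"id": "2", "userPrincipalName": "quiet@contoso.com", "accountEnabled": True,
     "createdDateTime": "2023-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-04-01T08:12:00Z"}},      # ~60 days idle
    {"id": "3", "userPrincipalName": "gone@contoso.com", "accountEnabled": False,
     "createdDateTime": "2023-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-15T08:12:00Z"}},      # already disabled, >90 days
    {"id": "4", "userPrincipalName": "new@contoso.com", "accountEnabled": True,
     "createdDateTime": "2024-05-20T00:00:00Z"},                             # never signed in, created recently
    {"id": "5", "userPrincipalName": "old-never@contoso.com", "accountEnabled": True,
     "createdDateTime": "2023-06-01T00:00:00Z"},                             # never signed in, old account
]


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cutoff_filter(now, idle):
    """Build the $filter value the answer shows, for 'idle' days before 'now'.
    Note this only matches users that HAVE a lastSignInDateTime; see last_activity()."""
    cutoff = (now - idle).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"signInActivity/lastSignInDateTime le {cutoff}"


def last_activity(user):
    """Return (timestamp, basis). Users with no signInActivity have never signed in
    interactively (or did so before the tenant's sign-in history starts), so fall back
    to createdDateTime rather than treating the missing value as 'never idle'."""
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    if last:
        return parse_graph_time(last), "lastSignInDateTime"
    return parse_graph_time(user["createdDateTime"]), "createdDateTime"


def classify(user, now=NOW):
    """Decide the action for one user. Deletions justified only by createdDateTime
    (no sign-in ever recorded) are routed to 'review' instead of being automatic;
    that routing is this example's assumption, not something the thread states."""
    ts, basis = last_activity(user)
    idle = now - ts
    if idle >= DELETE_AFTER:
        action = "delete" if basis == "lastSignInDateTime" else "review"
    elif idle >= DISABLE_AFTER:
        action = "disable" if user.get("accountEnabled", True) else "keep"  # already disabled
    else:
        action = "keep"
    return {"upn": user["userPrincipalName"], "idleDays": idle.days,
            "basis": basis, "action": action}


def plan(users, now=NOW):
    """Nightly-job view: one decision per user, ready to feed to the disable/delete calls."""
    return [classify(u, now) for u in users]


if __name__ == "__main__":
    print(cutoff_filter(NOW, DISABLE_AFTER))
    for row in plan(SAMPLE_USERS):
        print(row)
```

The `basis` field is worth keeping in whatever the runbook logs: when an account is disabled or deleted, the record of which timestamp justified it is what you will want during the inevitable "why was my account removed" ticket.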
Is there any way to see the user logs? I know there are two options given, "Sign-in logs" and "Audit logs", under "Users". However, I think that is not sufficient.
For example, some of the users complain:
they had access to an Azure subscription and now it's removed.
they had access to an access package and now it's removed, etc.
However, when I try to find those in "Sign-in logs" or "Audit logs" I don't see any such details.
My question is, is there any way I can just give the user's email ID and get all the details (what subscription was assigned and when? what access package was assigned and when? when the user logged in and what activities were performed? etc.) about the user from the Azure portal? Or, let's say, when someone got access to certain resources and when the access was removed?
they had access to an Azure subscription and now it's removed.
This could mean that their role assignment was deleted, which will show up in the Activity Log of the subscription. Activity logs are only kept for a certain time, so if you want to keep them longer and have a better way to search through them, send them to permanent storage.
Or they were removed from an AAD group which has access to the subscription, this will show up in the Audit logs of AAD.
You can send those logs to the same Log Analytics workspace and query it. For example, to see the group membership changes for a user "user@test.com", who has a User Principal Name of "user_test.com" in the tenant, you could use:
AuditLogs
| where Category == "GroupManagement"
| where TargetResources has "user_test.com"
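An added example (not from the thread) of the same search done offline over directory audit records, producing the "when did they get access, and when was it removed" timeline the question asks for. The records are constructed in the shape of Microsoft Graph `auditLogs/directoryAudits` entries (the same data the KQL above reads from the AuditLogs table); only the fields used here are included, and the group names and actors are made up. It also handles the guest-UPN wrinkle the answer mentions: a guest invited as user@test.com appears in the tenant as user_test.com#EXT#@<tenant>, so matching on the literal email alone misses them.

```python
"""Rebuild a user's group-membership timeline from Azure AD directory audit records.

Added example. Records are constructed to match the Graph directoryAudit shape
(activityDisplayName, category, initiatedBy, targetResources[].modifiedProperties).
"""
import json

SAMPLE_AUDIT = [  # constructed sample records
    {"activityDateTime": "2024-03-01T09:00:00Z", "category": "GroupManagement",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
     "targetResources": [{"type": "User",
                          "userPrincipalName": "user_test.com#EXT#@contoso.onmicrosoft.com",
                          "modifiedProperties": [{"displayName": "Group.DisplayName",
                                                  "oldValue": None,
                                                  "newValue": "\"Subscription Contributors\""}]}]},
    {"activityDateTime": "2024-05-10T17:30:00Z", "category": "GroupManagement",
     "activityDisplayName": "Remove member from group",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
     "targetResources": [{"type": "User",
                          "userPrincipalName": "user_test.com#EXT#@contoso.onmicrosoft.com",
                          "modifiedProperties": [{"displayName": "Group.DisplayName",
                                                  "oldValue": "\"Subscription Contributors\"",
                                                  "newValue": None}]}]},
    {"activityDateTime": "2024-04-02T10:00:00Z", "category": "GroupManagement",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "someone@contoso.com",
                          "modifiedProperties": [{"displayName": "Group.DisplayName",
                                                  "oldValue": None, "newValue": "\"Finance\""}]}]},
    {"activityDateTime": "2024-04-03T10:00:00Z", "category": "UserManagement",   # not a membership change
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
     "targetResources": [{"type": "User",
                          "userPrincipalName": "user_test.com#EXT#@contoso.onmicrosoft.com",
                          "modifiedProperties": []}]},
]

ACTIONS = {"Add member to group": "added", "Remove member from group": "removed"}


def guest_upn_prefix(email):
    """Guest (B2B) accounts get a UPN of user_test.com#EXT#@<tenant>: the '@' in the
    invited address becomes '_', which is why the KQL above matches on 'user_test.com'."""
    return email.replace("@", "_").lower()


def targets_user(record, email):
    """Return the target resource for this user, matching either the literal UPN
    (member account) or the #EXT# guest form."""
    email = email.lower()
    guest = guest_upn_prefix(email) + "#ext#"
    for target in record.get("targetResources", []):
        upn = (target.get("userPrincipalName") or "").lower()
        if upn == email or upn.startswith(guest):
            return target
    return None


def group_name(target):
    """Audit property values are JSON-encoded strings (e.g. '"Finance"'), so decode them.
    Removals carry the name in oldValue, additions in newValue."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "Group.DisplayName":
            raw = prop.get("newValue") or prop.get("oldValue")
            return json.loads(raw) if raw else None
    return None


def membership_timeline(records, email):
    """Chronological list of group add/remove events for one user, with who did it."""
    events = []
    for rec in records:
        if rec.get("category") != "GroupManagement":
            continue
        action = ACTIONS.get(rec.get("activityDisplayName"))
        target = targets_user(rec, email)
        if action is None or target is None:
            continue
        actor = ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        events.append({"time": rec["activityDateTime"], "action": action,
                       "group": group_name(target), "by": actor})
    return sorted(events, key=lambda e: e["time"])


if __name__ == "__main__":
    for event in membership_timeline(SAMPLE_AUDIT, "user@test.com"):
        print(event)
```

Subscription role assignments are not in this data at all; as the answer says, those live in the subscription's Activity Log, so a complete "who had access when" picture needs both sources in the same workspace.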
We have an E5 account for Office 365. We have an issue with SharePoint Online. We have created one site collection, and in that site collection one page is going to be accessed by external users. We did all the settings, and now we can send email to external users, and programmatically we add the external user to a certain SharePoint group, and this group has access to that particular page.
The external user is getting the email too. Once the external user clicks on it, it takes them to our tenant, and if the external user's email is not a Microsoft account they can log in successfully but cannot access the resources. I get the error message below:
Your sign-in was successful but does not meet the criteria to access
this resource. For example, you might be signing in from a browser,
app, or location that is restricted by your admin
How can I solve it?
You will need to edit the conditions on your policy to meet your requirement. You did not list what you currently have so it's hard to say what needs to be done to fix it. You can find your policies under Azure AD in the portal. This post outlines where those settings can be found.
https://blogs.technet.microsoft.com/skypehybridguy/2017/08/31/microsoft-teams-restrict-usage-with-azure-ad-conditional-access/
I am new to Azure, and I am getting confused very fast. My company has a project on Azure. We are looking to grant access to our external developers so they can log into our account and build a product for us (set up a VM with MySQL DBs and build an application).
The only options I see are to invite users from another Active Directory or users who are in my own Active Directory. Is there no option to simply create a sign-in credential for a user with, say, "email at gmail dot com"?
What am I missing? I have created a Resource Group but still can't invite any of our external consultants into it.
You can invite any user to manage your resources or your subscription.
There are 3 conditions for it:
You have the right to add them to your Azure AD
You are the owner of the subscription
The 'Guest user' already has an Azure account or a Microsoft Account
Then you have to go to:
Resources/Subscriptions
Access Control
Select a role (e.g. Contributor)
Type in the account/email of your external team member
Check the checkbox and send the invitation
If you want to create generic users, you can go straight to your AD and create a user, e.g. developer1@contoso.onmicrosoft.com, and add this user to the resource/subscription. Don't forget to take note of the credentials you created.
So you would use Azure RBAC for that. Just click on the Resource Group > Access Control > Add.
You could also consult this blog post for best practices.
If you just need them to develop and access SQL or a Web App, you can pass the publish profile and SQL connection string to them.
Also, you can set up continuous integration for the Web App or virtual machine, using Git or GitHub or whatever source control you are using, and pass them the URL for the project; then they will commit the source code and fire a new build.
I have created a trial account for Microsoft Azure. In Azure Active Directory, I'm trying to create a new user, but I'm not seeing an email address field. I see only username, first name, last name and display name fields. Will Azure treat the username (like testuser@mydomain.onmicrosoft.com) as an email, or am I missing something? I didn't find much information in the documentation.
No, Azure AD will not assume that the username (known as "UserPrincipalName", in the Azure AD Graph API and Azure AD PowerShell module) is actually an email address that can receive emails.
If you would simply want a place to store a given user's email address (one that actually has a mailbox behind it), you can use the "Alternate Email Address" field in the Azure Portal (under "Profile" section for a given user in your directory):
(Note: This field is known as otherMails in Azure AD Graph API, AlternateEmailAddresses in Azure AD PowerShell v1 (MSOnline), and OtherMails in Azure AD PowerShell v2 (AzureAD). In all cases, it's an array of strings, not a single value.)
You can create more user-friendly usernames by adding and verifying a custom domain name in your Azure AD directory: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-add-domain. Once you've done this, you can create users that have usernames such as user@contoso.com (assuming contoso.com is the domain you added).
At this point, it may be that user@contoso.com is also the email address of that user, but again, there is no assumption in Azure AD that this is the case.
For anyone running into issues using this with an Office 365 developer account, make sure you go through the entire registration process. I thought I had completely set up my Office 365 dev account, but I had missed a part related to setting up email.
Also, if you are using your personal Microsoft account for testing etc., be aware that it may appear as if some things work the same as in the full version or the Office 365 dev account, but they don't.