E-Mail requirement for connecting Azure DevOps to Azure AD - azure

This link explains how to connect an Azure DevOps organization to Azure AD and indicates that, in order for users to keep their access, they should have the same e-mail in both the DevOps account and the AD account.
Now, I have this doubt:
If I have a user on DevOps with a MS Account (MSA) user@mydomain.com and a user on Azure AD user@mydomain.onmicrosoft.com (with NO custom domain set up; I have my custom domain running on GoDaddy for now), does this mean that all the work items created on DevOps with user@mydomain.com will be left "orphaned"? What would be the outcome of doing this? And what would happen if I add my custom domain AFTER connecting DevOps to AAD?

If this user's MS Account is the same one that was added in AAD, you don't need to worry about the data.
Just connect the organization with this AAD and log in with the previous MS Account (you don't need to change anything). The data can still be obtained.
does this mean that all the work items created on DevOps with user@mydomain.com will be left "orphaned"?
This situation only occurs when the MS account is not the same as the account that was added in AAD. In that case, if the user wants to obtain and migrate the data from the previous account, they need to contact our engineer here, and we will help the user migrate the data from the backend.
Edit: My unclear explanation may have caused confusion.
In fact, adding an MSA into AAD is a normal operation for every user account. The only thing affected is which account must be used to log in to the Org after connecting AAD to the Org.
Say there are two accounts: a@outlook.com (personal account) and a@softcompany.com (work account).
Scenario: the account you usually use is a@outlook.com.
(1) If you add this account into AAD, you don't need to do anything like migrating data after connecting the org with AAD. Just keep logging in with this account.
(2) If you add another account (a@softcompany.com) into AAD, you need to finish the data migration and identity transfer operation after connecting the org with AAD, if you want to retain the data history.
Note: this assumes these two accounts do not belong to any AAD before you add them into the new AAD. Otherwise it will be a more complex operation. If you run into this, feel free to share it here, and I can share the detailed process for this complex situation.

Related

Why can't my User login to the azure portal?

Background: I am trying to setup my azure infrastructure to deploy my new web app. I am working with an external contractor cloud engineer and I only want her to be able to setup my cloud infrastructure.
Steps: I have 1 Subscription and 1 Resource Group. I have created a User in my organisation (so not a guest) in Azure AD - I will share these details with her.
I have put this new User inside a User Group and I have permissioned the User Group (as a Contributor) against my Resource Group. I have shared the username and password with her.
Problem: When she logs on to portal.azure.com she gets the message "Your sign-in was successful, but you don't have permission to access this resource."
Clearly I am missing something? I thought this was straightforward... alas.
TIA.
Sometimes this may happen due to an internal policy; make sure to recheck them once again.
After this, if you create a personal login separately, then it will work out.
Here is the reference for "Your sign-in was successful but you don't have permission to access this resource" for the same issue as above.
If the user happens to be a guest user, then the administrator of the guest tenant will delete your account from their tenant.
Here is the reference given by @Amanpreet Singh.
Common steps to be followed are as below:
After logging in to the Azure portal as an Admin,
go to Azure Active Directory.
Select All services, then Azure AD Conditional Access.
Here you can select the restriction policy and/or make sure to recheck the Assignments under Users & Groups for the various permissions for your given user.
VPN....
I switched off my VPN and it then worked just fine. No idea why, but it works and I can now log straight in to the portal.

Lost access to application when user was deleted

We deleted an "unused" user in our Azure AD, deleting both the MS account and removing him from the AD. Now, a few days into the 60-day deletion process (of the MS account), we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is no-where to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue but the user is a global admin again:
Additional information from the call to get a token: Extension:
Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020:
User account '{EmailHidden}' from identity provider 'live.com' does
not exist in tenant 'Default Directory' and cannot access the
application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account
needs to be added as an external user in the tenant first. Sign out
and sign in again with a different Azure Active Directory user
account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25
14:44:18Z
We've also tried logging in with multiple other global admins but no-one can access that page or find the application using the id it has. Is there something to be done maybe using Powershell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made in the Azure portal app registration:
In the new experience, if your personal Microsoft account is also in
an Azure AD tenant, you will see three tabs--all applications in the
tenant, owned applications in the tenant as well as applications from
your personal account. So, if you believe that apps registered with
your personal Microsoft account are missing, check the Applications
from your personal account tab.
When you sign in using personal Microsoft accounts(e.g. Outlook, Live,
Xbox, etc.) with an Azure AD email address, we found out that when you
go to the Azure portal from the old experience, it signs you into a
different account with the same email in your Azure AD tenant. If you
still believe your applications are missing, sign out and sign in with
the right account.
The new app list shows applications that were registered through the
legacy app registrations experience in the Azure portal (apps that
sign in Azure AD accounts only) as well as apps registered through the
Application registration portal (apps that sign in both Azure AD and
personal Microsoft accounts).
If you know the application ID you can restore it using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).

Can't create an AD account because the directory is federated (AADB2B_0001)

We're trying to invite users (including those from different ADs) to ours in order to give them access to our enterprise app. We are using the AD to manage the app's users and permissions.
We send them an email to join our AD as a guest user.
However, when they already have an Azure AD account connected to a local AD (that's federated), we don't have the permission to create an account on our side.
There are a few articles on this problem, including (resending invites till it works, asking them to add our organization as trusted, and creating our own account for them):
https://techcommunity.microsoft.com/t5/Microsoft-Teams/Invitation-redemption-failed-AADB2B-0001/td-p/292175
http://answers.flyppdevportal.com/MVC/Post/Thread/d9c92fea-a554-4c7a-91af-30016aa35111?category=windowsazuread
Our objective is to use their AD sign in for our apps as well. Is there an easy way, such as copying their AD profile or sending them a link that they have to simply click "Yes" without having to do much IT work on their side? Thank you!
Here's an example from a different post:
They have a local ad and an azure ad setup, but the specific user I was trying to invite doesn't have an account in their azure ad.
We can't create an azure ad account for them
They have to give the user an azure ad account

Azure Active Directory SSO - Account Mapping

I am currently researching how to implement Single Sign On for our WebService.
This is what I came up with so far.
If a customer of our WebService has an Azure Active Directory, they can log on with their Active Directory user account to our WebService if we provide the necessary interfaces for SAML, OAuth2, OpenID or whatever authorization protocol we choose and Azure supports.
The customers could also have their local network Active Directory synced to their Azure AD and use their domain accounts to log on to our WebApplication.
Customers need to use the myapps.microsoft.com portal to "wrap" authentication.
Once everything is set up correctly, the Identity Provider (AzureAD) would provide us with (e.g.) an authenticated User Identity.
Here is where my problem begins.
Of course I need to somehow map the identity provided by AzureAD to a certain Account for our WebService; we cannot simply use the provided identity.
As far as I understand it, you can grant AzureAD the right to create an Account on the target WebService in the name of the user who is currently signing in.
(It's called: enabling automatic user provisioning in the Azure management portal.)
However, when testing this with the Box, Canvas or Google Apps I failed. Either I got an error or, in the case of Google Apps, I was just prompted to log in with my Azure AD test account and then asked for a password and username for my Google account (I set up SSO as an Azure AD trust relation, so this should not happen).
Can someone provide some insights on how to accomplish the following?
Once the user is authenticated by SSO, I want to create an account for our WebService and then save the credentials for that user only in the Active Directory of that particular user.
So if the user logs in the second time, we can check whether there is an account already existing and log in the user with this account.
(I was told by Microsoft that this might be possible with Azure Rights Management, but I cannot really find good documentation on that.)
Storing the relationship "Microsoft AD Identity <-> our WebService Account Credentials" on our side is not desired because we cannot securely encrypt the data in a way that we DON'T know what's in there (or there is, and I don't know of it yet).
"Bonus Question":
Can I support SSO for a desktop application too? (Do I need to provide a proxy web application or can the desktop app do this directly?)
Please see my answer to a similar question here: asp.net azure active directory user profile data
However - I'm trying to understand if you need something different. Are you expecting your customers to already have a directory and Azure AD accounts (maybe through having Office 365 subscriptions), and use those to sign in to your web app, or does your app scenario require creation/provisioning of user accounts into your customer's Azure AD directory? Provisioning can be done through graph API (as per your link), as long as the admin of your customer grants consent to allow your app to write to their directory. You can find some samples on github, and I recommend you look through https://msdn.microsoft.com/en-us/library/azure/dn499820.aspx and https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx for code samples.
HTHs,
I think, without testing it, that using the Graph API enables me to save custom data for any Directory User, effectively enabling my desired functionality.
This is the documentation I found very useful.
https://msdn.microsoft.com/en-us/library/hh974476.aspx

Role Claims when Federating Azure AD

We want to create a MVC web application using claims-based authentication, expecting roles as one of the claims. We want to Federate authentication providers using the Azure Access Control Service to manage this federation. One of the authentication providers is our Azure AD.
The problem is that Azure AD doesn't seem to be able to generate role (or even group) claims. What is the appropriate method to manage group or role access in Azure AD and have role claims served by Azure Access Control Service.
Thanks.
Edit:
A previous comment asked for details: We want to provide access to our cloud application to 3rd parties using their active directory (to simplify user management for them). Our application has a few levels of access to information that the 3rd parties can configure. We were hoping they could do this in their AD (based on our instructions). Groups seemed like the obvious choice, but if there is another way that works, as long as we can provide instructions, it'll work.
We want our application to get claims for a user's level of access. If we had only one partner that was using Azure AD, we could use the graph API against that endpoint, but with multiple partners changing over time, we wanted to federate them so our application only needs to trust the federation server. We were assuming that we needed Azure ACS to manage the federation.
AAD does support roles / groups and you can administer them from the Azure Portal.
However, these are not passed in the "canned" set of claims.
You need to use the Graph API and then convert them e.g. Windows Azure Active Directory: Converting group memberships to role claims.
Update:
ACS requires something to federate with. You can't hook a customer AD up to ACS - you need something like ADFS on top of their AD.
I assume your cloud app. runs in Azure?
Then make your app. multi-tenanted. If your customers have their own Azure tenant, it will work. You just need to add the Graph API code to your app. ACS is not required.
Your customers then run DirSync. This keeps their Azure tenant in sync with their AD changes.
So two options:
Customer does not have an Azure tenant: they install ADFS and federate with AAD.
Customers who do have an Azure tenant use DirSync.
Good news: we have recently turned on the Application Roles and Groups Claim features in Azure AD.
Get a quick overview here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
Hope that helps.
Groups aren't the best choice because they are unique within each directory. Unless you get your customers to define a set of groups that have well-known names and match against the strings, that is (the object IDs of a group is different per directory even if they have the same name). I'm actually from the Azure AD team and we are seriously considering releasing a feature to allow you to define roles in your app that your customers can assign their users to. Please stay tuned on this. In the meantime, unfortunately groups are the only way to go. You would have to call "GetMemberGroups" using the Graph to retrieve the groups that the user is assigned to.
What are your timelines for releasing this application? You can contact me directly to see if we can work with your scenario.
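Added example, not code from any of the answers above: it models the advice in the two answers about converting group memberships to role claims, namely that group object IDs are unique per directory, so the app's mapping must be keyed by tenant ID plus group object ID rather than by a group's display name. The Graph response and all IDs below are constructed placeholders shaped like a getMemberGroups result (a list of group object IDs); no network call is made.

```python
"""Map Azure AD group memberships to application role claims, per tenant."""
import json
from typing import Dict, List, Tuple

# Per-customer configuration: (tenant_id, group_object_id) -> app role.
# Constructed placeholder values, not real tenants or groups.
ROLE_MAP: Dict[Tuple[str, str], str] = {
    ("11111111-aaaa-4bbb-8ccc-000000000001", "aaaaaaaa-0000-4000-8000-000000000010"): "Admin",
    ("11111111-aaaa-4bbb-8ccc-000000000001", "aaaaaaaa-0000-4000-8000-000000000011"): "Reader",
    ("22222222-aaaa-4bbb-8ccc-000000000002", "bbbbbbbb-0000-4000-8000-000000000020"): "Reader",
}

# Constructed sample of what a getMemberGroups call returns for one user:
# only group object IDs, no display names, so names cannot be matched on.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        "aaaaaaaa-0000-4000-8000-000000000010",
        "aaaaaaaa-0000-4000-8000-000000000099",  # group the app knows nothing about
    ]
})


def roles_for_user(tenant_id: str, graph_response_json: str) -> List[str]:
    """Return the sorted, de-duplicated app roles for a user's memberships.

    Groups not mapped for this tenant are ignored, and a group ID that is
    mapped for a *different* tenant never grants a role here.
    """
    member_groups = json.loads(graph_response_json).get("value", [])
    roles = {ROLE_MAP[(tenant_id, gid)]
             for gid in member_groups if (tenant_id, gid) in ROLE_MAP}
    return sorted(roles)


def role_claims(tenant_id: str, graph_response_json: str) -> List[Tuple[str, str]]:
    """Render the roles as (claim_type, value) pairs for a claims identity."""
    claim_type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    return [(claim_type, r) for r in roles_for_user(tenant_id, graph_response_json)]


if __name__ == "__main__":
    print(role_claims("11111111-aaaa-4bbb-8ccc-000000000001", SAMPLE_GRAPH_RESPONSE))
```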