Who has invited a guest user - azure

I want to build a user review application for Azure AD. But unfortunately there is no Azure AD user property that indicates the inviting user.
Is there any way to find out who has invited a guest user?

Yeah, you can find out who has invited a guest user in your tenant. There are two ways to do this:
1. Azure portal
Log in to the Azure portal
Click on Azure Active Directory
Under Monitoring, click on Audit logs
For the Azure portal operation you could refer to these docs.
2. Microsoft Graph API reference:
You can also retrieve who has invited a guest user in your tenant using the Microsoft Graph API. See the steps below:
Request URL: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
Permission required: AuditLog.Read.All
Once you add the permission, click on Grant admin consent for YourTenant.
Test on Postman:
You would see initiatedBy for your guest user in the response.
If you need more information you could refer to the official docs.
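The Graph route above, worked through as an added example (this is not code from the answer or from Microsoft): it builds the directoryAudits query filtered to the "Invite external user" activity, follows paging, and reduces each successful event to the invited guest plus the user or application recorded in initiatedBy. The access token, the tenant names and the sample payload are all assumptions constructed for the example; the token must carry AuditLog.Read.All as the answer states.

```python
"""Map guest users to the account that invited them via the Azure AD
directory audit log (Microsoft Graph). Added example, not from the original
answer. Assumes a bearer token with AuditLog.Read.All; SAMPLE_RESPONSE is a
constructed payload shaped like Graph's directoryAudits output."""
import json
import urllib.parse
import urllib.request

GRAPH_AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"
INVITE_ACTIVITY = "Invite external user"  # activityDisplayName Azure AD writes for B2B invites


def audit_query_url(since_iso=None):
    """Graph URL returning only invitation events, optionally after since_iso
    (e.g. '2024-01-01T00:00:00Z'). Filter values are percent-encoded."""
    filt = f"activityDisplayName eq '{INVITE_ACTIVITY}'"
    if since_iso:
        filt += f" and activityDateTime ge {since_iso}"
    return f"{GRAPH_AUDIT_URL}?$filter={urllib.parse.quote(filt)}"


def fetch_all_events(token, since_iso=None):
    """Collect every page of matching events by following @odata.nextLink."""
    events, url = [], audit_query_url(since_iso)
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return {"value": events}


def invitations_from_audit(payload):
    """One record per successful invite: guest UPN, who initiated it, when.
    initiatedBy carries either a user or an app; both are reported."""
    records = []
    for event in payload.get("value", []):
        if event.get("activityDisplayName") != INVITE_ACTIVITY:
            continue
        if event.get("result") != "success":
            continue  # failed attempts created no guest, so skip them
        initiator = event.get("initiatedBy") or {}
        if initiator.get("user"):
            inviter = initiator["user"].get("userPrincipalName")
        elif initiator.get("app"):
            inviter = "app:" + str(initiator["app"].get("displayName"))
        else:
            inviter = None
        for target in event.get("targetResources", []):
            if target.get("type") == "User" and target.get("userPrincipalName"):
                records.append({
                    "guest": target["userPrincipalName"],
                    "invited_by": inviter,
                    "when": event.get("activityDateTime"),
                })
    return records


# Constructed sample: an admin-initiated invite, an app-initiated invite,
# and a failed attempt that must be ignored.
SAMPLE_RESPONSE = {
    "value": [
        {"activityDisplayName": INVITE_ACTIVITY, "activityDateTime": "2024-03-01T09:15:00Z",
         "result": "success",
         "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}, "app": None},
         "targetResources": [{"type": "User",
                              "userPrincipalName": "bob_fabrikam.example#EXT#@contoso.onmicrosoft.com"}]},
        {"activityDisplayName": INVITE_ACTIVITY, "activityDateTime": "2024-03-02T11:00:00Z",
         "result": "success",
         "initiatedBy": {"user": None, "app": {"displayName": "HR Provisioning (constructed)"}},
         "targetResources": [{"type": "User",
                              "userPrincipalName": "carol_gmail.com#EXT#@contoso.onmicrosoft.com"}]},
        {"activityDisplayName": INVITE_ACTIVITY, "activityDateTime": "2024-03-03T08:30:00Z",
         "result": "failure",
         "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}, "app": None},
         "targetResources": [{"type": "User",
                              "userPrincipalName": "dave_blocked.example#EXT#@contoso.onmicrosoft.com"}]},
    ]
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_all_events(token) for a live tenant.
    for rec in invitations_from_audit(SAMPLE_RESPONSE):
        print(f"{rec['guest']:55} invited by {rec['invited_by']} at {rec['when']}")
```

Two caveats for a review application built this way: the audit log only reaches back as far as the tenant's audit retention window, so guests invited earlier will have no event to match, and invitations made by an application (for example a provisioning integration) show an app rather than a person in initiatedBy, which the record above keeps visible instead of dropping.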

How to migrate Microsoft Authenticator App with Azure AD B2C account to new phone?

With Multi-Factor Authentication enabled in the Azure portal, it requires users to approve every login in the users' Authenticator app.
When I changed my phone, the Authenticator app had to be migrated to my new phone. I used the Back up and Recover function of the Authenticator app. I backed up and recovered account details to the new phone. For work or school accounts, the migration process requires Additional Security Verification, which requires rescanning all QR codes of all accounts in the Authenticator app. I have rescanned all QR codes of the work or school accounts that I created.
Now my issue for this migration is the Azure AD B2C account. It was created by Azure when I created the Azure AD B2C directory. The name of the account in the Authenticator app is admin_mydomain.com#EXT#@mydomain.onmicrosoft.com. It is not a work or school account. From the name, it may relate to my Azure login account (admin@mydomain.com, a work or school account). I have spent many hours on it. But I still don't know where this special account's details are stored. So I can't get the QR code of the account for the Authenticator app. I can't finish my Authenticator app migration.
This account authentication is required when I switch from the Azure primary directory to the Azure AD B2C directory in the Azure portal.
Please help me with this issue. Thanks.
[UPDATE] I just realized that what worked for me is the solution Alfredo R already posted! So I can confirm that this works.
While I'm still struggling to revalidate my [username]@[custom-domain].onmicrosoft.com account, I think I found a solution for the AAD B2C problem:
Login to https://myaccount.microsoft.com/
Main menu "Security information" will show you registered devices for your current organization
Main menu "Organizations": you should at least see the other organization of the B2C tenant
In the top right menu, click your avatar, choose switch organizations, and switch to the B2C tenant
The UI should be the same, but now you're logged in through the B2C tenant
Go back to "Security information" and add your new device
I was lucky that my old device is still working, so I could easily switch organizations. If you can't switch because of MFA and no access to your old device, I think you still need to disable MFA in the B2C tenant as described in the other solution and then turn it back on?
But I think that's the way to get the QR code for a B2C tenant: login to your account and switch to the B2C tenant by switching organizations.
admin_mydomain.com#EXT#@mydomain.onmicrosoft.com is the UPN (user principal name) of the user hosted in the Azure B2C tenant for your work account admin@mydomain.com. Scan the QR code as with the others, but switch to the B2C tenant first.
There are a few steps needed to fix this issue.
You need a global admin account of the Azure AD B2C directory. But you can't use the one that you are going to migrate. Please create one if there is no other global admin account available.
Go to Azure Active Directory of the Azure AD B2C directory. Please click on Properties in the left main menu. Then go to the bottom of the Properties page. Click on the link: Manage security defaults. Disable security defaults and save in the popup window.
Run local PowerShell as local admin. Run the following cmdlet to connect to the Azure AD B2C directory:
PS C:\WINDOWS\system32> Connect-MsolService
The MFA login will ask for user name and password. Please use the credentials of the global admin account mentioned above. If no error appears, run the following cmdlet:
PS C:\WINDOWS\system32> # An empty array clears the user's registered strong authentication methods
PS C:\WINDOWS\system32> Set-MsolUser -UserPrincipalName admin_mydomain.com#EXT#@mydomain.onmicrosoft.com -StrongAuthenticationMethods @()
Go back to Azure Active Directory of the Azure AD B2C tenant > Properties in the left main menu > the bottom of the Properties page > click the link: Manage security defaults. Enable security defaults and save.
Login to the Azure portal with admin@mydomain.com, then switch to the Azure AD B2C directory. You will see a popup security setting wizard. That is the same wizard as when we first set up the directory. Please follow the wizard. You will see the QR code for admin_mydomain.com#EXT#@mydomain.onmicrosoft.com. You can scan the QR code to finish the MS Authenticator migration.

I'm unable to add user in Azure Devops Organization

I'm a user of an Azure DevOps organization with Basic access along with Project Access Administrator group membership.
But when I try to add a user at organization level it gives me an error:
You are a Guest in the connected Azure AD and Guests may not be able to search users in the the Azure AD. Please contact your Azure AD admin to make you a member of the connected Azure AD to enable searching for users.
Could someone please help me on this?
I'm an AAD member and the user whom I'm trying to add is also an AAD member; not sure why it is telling me that I'm a guest user.

Azure AD B2C invite as guest for administration

Recently I started to get an error when trying to invite a guest user to my Azure AD B2C tenant, only for users from a specific domain. The reason I'm inviting is to share the administration process with the specified user.
The error I'm getting is: User account is disabled
So far what I've tried:
Using the "Users > New guest user" UI in the Azure AD blade.
Using the "Organizational relationships > New guest user" UI in the Azure AD blade.
Using the "Users > New guest user" UI in the Azure AD B2C blade.
Using the Graph API invitations endpoint.
Observation: it only happens for users from a specific domain (external Azure AD) but works for those with a Microsoft account.
Just for everyone's benefit, I'm posting the answer here after consulting with Microsoft support.
There are 2 possible issues that might make you unable to invite the guest user to the Azure AD:
1. Users are not properly deleted. When you search for the user email, it might not be visible in the UI, but you are still unable to invite. It's partly because the UI has some limited search capabilities (exact/startswith on email or name only).
Solution: you can use the Graph API to query for the user. You should definitely try to look for the user based on the OtherMails field.
2. The user you're trying to invite is from an Azure AD tenant that is also one of the identity providers trusted in your Azure AD B2C. This is the cause of the issue with my implementation that I found.
When the user uses their Azure AD credential to log in for the 1st time to my application (Azure AD B2C), a "social account" is created automatically in the Azure AD B2C. This account is created with the UserPrincipalName in the format cpim_guid@yourtenant.onmicrosoft.com, and AccountEnabled false (disabled). Their Azure AD email will be in the OtherMails property. This is why you can't find the user by their email in the UI, and you have to know the exact name they use in their Azure AD in order to find them.
Solution: if you can find them in the UI, typically their MemberType is Member and Source is External Azure AD, you can just delete the user. If not, use the Graph API to query for their email in the OtherMails property. Then immediately invite the user as a guest. They should have no problem logging in to the B2C application again as the social account will be created automatically.
Note: ensure that you don't use Azure AD B2C policies that add additional attributes to the user logging in using a social account. If you do, you'd need some other strategy for deleting the user, inviting as guest, recreating the social account, and restoring the additional attributes.
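The lookup the answer recommends, as an added example (not code from the answer or from Microsoft): it builds the Graph users query that matches on otherMails, which is where the external address lives for the disabled cpim_ stub and why the portal search misses it, picks out the accounts that fit the answer's description (cpim_ prefix, accountEnabled false, address in otherMails), and prepares the invitation body for the follow-up POST /invitations. The token permissions (User.Read.All for the lookup, User.Invite.All for the invitation), the tenant name and the sample payload are assumptions constructed for the example.

```python
"""Find the disabled B2C "social account" stub that blocks a guest invite.
Added example, not from the original answer. Assumes a Graph bearer token
with User.Read.All (and User.Invite.All for the invitation); SAMPLE_USERS is
a constructed payload shaped like Graph's /users output."""
import urllib.parse

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"
SOCIAL_STUB_PREFIX = "cpim_"  # UPN prefix the answer reports for auto-created social accounts


def other_mails_query_url(email):
    """Graph URL matching any user whose otherMails collection contains email.
    A literal single quote inside an OData string is escaped by doubling it."""
    safe = email.replace("'", "''")
    filt = f"otherMails/any(m:m eq '{safe}')"
    select = "id,userPrincipalName,accountEnabled,userType,otherMails"
    return f"{GRAPH_USERS_URL}?$filter={urllib.parse.quote(filt)}&$select={select}"


def blocking_social_accounts(payload, email):
    """Users in a /users response that fit the stub described in the answer:
    cpim_ UPN, accountEnabled false, and the external address in otherMails.
    Comparison is case-insensitive because email addresses are."""
    wanted = email.casefold()
    hits = []
    for user in payload.get("value", []):
        mails = [m.casefold() for m in user.get("otherMails", [])]
        upn = user.get("userPrincipalName", "")
        if (wanted in mails
                and upn.startswith(SOCIAL_STUB_PREFIX)
                and not user.get("accountEnabled", True)):
            hits.append(user)
    return hits


def invitation_body(email, redirect_url):
    """Request body for POST /invitations, sent once the stub is deleted."""
    return {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": True,
    }


# Constructed sample: the disabled cpim_ stub, plus an ordinary enabled local
# account that happens to carry the same address and must not be flagged.
SAMPLE_USERS = {
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111",
         "userPrincipalName": "cpim_3f2504e0-4f89-11d3-9a0c-0305e82c3301@yourtenant.onmicrosoft.com",
         "accountEnabled": False, "userType": "Member",
         "otherMails": ["jane.doe@partner.example"]},
        {"id": "22222222-2222-2222-2222-222222222222",
         "userPrincipalName": "jane_local@yourtenant.onmicrosoft.com",
         "accountEnabled": True, "userType": "Member",
         "otherMails": ["jane.doe@partner.example"]},
    ]
}

if __name__ == "__main__":
    print("GET", other_mails_query_url("jane.doe@partner.example"))
    for user in blocking_social_accounts(SAMPLE_USERS, "jane.doe@partner.example"):
        print("stub to delete:", user["id"], user["userPrincipalName"])
    print("POST", GRAPH_INVITATIONS_URL, invitation_body("jane.doe@partner.example",
                                                         "https://myapp.example/"))
```

Deleting by object id rather than by the searched email keeps the operation precise: the second sample user shares the address but is an enabled local account, and the answer's note about custom policies that enrich the social account applies before that delete, since whatever attributes those policies added go away with the stub.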

Authorization_RequestDenied Message when creating BOTs

I am creating a bot based on the instructions at this link, but I am getting the Authorization_RequestDenied message when submitting:
Insufficient privileges to complete the operation.
Please check that your account has sufficient access to the Microsoft App
Registration Portal link below.
Open App Registration Portal
I am able to access the registration portal link.
Note that I am using a free account.
From the troubleshooting page: https://learn.microsoft.com/en-us/bot-framework/bot-service-troubleshoot-general-problems#why-do-i-get-an-authorizationrequestdenied-exception-when-creating-a-bot
Why do I get an Authorization_RequestDenied exception when creating a bot?
Permission to create Azure Bot Service bots is managed through the Azure Active Directory (AAD) portal. If permissions are not properly configured in the AAD portal, users will get the Authorization_RequestDenied exception when trying to create a bot service.
First check whether you are a "Guest" of the directory:
Sign in to the Azure portal.
Click All services and search for "active".
Select Azure Active Directory.
Click Users.
Find the user in the list and ensure that the User Type is not Guest.
[Screenshot: Azure Active Directory User type]
Once you have verified that you are not a Guest, then to ensure that users within an Active Directory can create a bot service, the directory administrator needs to configure the following settings:
Sign in to the AAD portal.
Go to Users and groups and select User settings.
Under the App registrations section, set Users can register applications to Yes. This allows users in your directory to create a bot service.
Under the External users section, set Guest users permissions are limited to No. This allows guest users in your directory to create a bot service.
[Screenshot: Azure Active Directory Admin Center]

Cannot enable MFA on Azure Microsoft accounts

I'm trying to enable Multi-Factor Authentication on my Azure account (to secure my access to the Azure portal). I am following the tutorial from here, but, unlike this picture:
I have no Enable button when I select my user:
I've tried to send a CSV bulk request with only my user (the email address), but it says the user does not exist.
I am trying to add MFA on the user william@[something].com when I'm logged in with the william@[something].com MS account (I am the only user, and I'm global administrator).
In the MFA management page, you can only manage/enable MFA for your own Microsoft Azure AD accounts, including accounts created in Azure AD or synced from your on-premises AD; not any Microsoft account or accounts from another Microsoft Azure AD. As you said you're using an MS account, you surely can't see the Enable button.
In the Azure Classic Portal, you can easily see if it's a Microsoft account or a Microsoft Azure Active Directory account:
If you want to enable this for your Microsoft account, you need to use the Microsoft service here, sign in and then click Set up two-step verification.
Follow the steps afterwards and you'll enable two-step verification for your Microsoft account.
Of course you can create a new account in your Microsoft Azure Active Directory (Type of User: New user in your organization), then you can enable MFA for this new user. If you would like a Global Admin, you can click this user and assign the user the Global Admin role. Then later you can use this admin account for your management work.