I followed these steps in an attempt to create an Azure App that allows login from multiple Azure AD Tenants:
Create a new App Service and turn on Authentication
1) In Azure Portal: I created a brand-new empty Azure App Service and dialed its URL up in my browser to be sure it was working properly.
2) I navigated to my new App Service, then the "Authentication / Authorization" blade.
3) I turned On the "App Service Authentication" switch.
4) I chose "Log in with Azure Active Directory" from the "Action to take when request is not authenticated" dropdown.
5) Under "Authentication Providers" on the same blade, I clicked on "Azure Active Directory", which navigated me down to the "Azure Active Directory Settings" blade.
6) Within this blade, I selected "Express" on the "Management Mode" radio button. Selection of Active Directory was grayed-out but it was the one I wanted to use -- the current one.
Create a new Azure AD App that's associated with my App Service
7) I clicked on "Azure AD App" and it prompted me to create an Azure AD App, which by default had the same name as my App Service name, so I kept it.
8) Still on the "Azure Active Directory Settings" blade, I clicked the "Manage Application" button under the "Manage Azure Active Directory Application" heading. I was navigated one more blade down, where the heading was the name of the Azure AD App I just created.
9) Once here, I clicked the "Settings" button, then "Properties" in the Settings blade.
10) Within "Properties" I set the "Multi-Tenanted" radio button to "Yes".
11) Also within "Properties", as is said to be required for multi-tenant to work, I also changed the "App ID URI" to something unique, and from a verified URL within my organization. In my case I used:
https://<MyTenantName>.onmicrosoft.com/login-ProofOfConcept
Test the Security Functionality
12) With everything presumably set up, I first tried logging in to my new application with a user that existed within my current B2C Tenant. I dialed the URL up for my App Service, I got prompted by microsoftonline to authenticate, I authenticated, and then I got straight into my application with no problem.
Here's The Problem
13) Then, I logged out and tried to log in again -- but this time as a user that's in another Azure AD, which is just one I spun up under my personal gmail account. I was expecting it to "just work", but after I authenticated as this other user, this error was displayed onscreen:
AADSTS50020: User account 'MyUserName@gmail.com' from identity provider 'live.com' does not exist in tenant '[MyTenantName]' and cannot access the application '[MyApplicationGUID]'([AzureADApplicationName]) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This is precisely the behavior I was hoping to avoid by enabling Multi-Tenant. I was hoping that it would just "log in" this user, who is a member of an existing Azure AD. Is there a configuration step I missed?
I think you're maybe looking at Azure AD B2B here, whereby you need to invite the non-Azure AD user first: see this learn.microsoft.com reference.
Assuming you have the default settings, which allow all users to invite non-Azure AD users to access (in this instance) an app, invite your second user @hotmail and then try to log on; see this learn.microsoft.com reference.
If you want anyone from @hotmail to be able to log into your app, consider using Azure AD B2C; see this learn.microsoft.com reference for more details.
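The B2B route the answer describes, as an added example that is not part of the answer and not Microsoft's own documentation code: invite the external account as a guest with the AzureAD PowerShell module, then confirm it now exists in the tenant as a Guest object (which is what the AADSTS50020 message is asking for). It assumes an existing Connect-AzureAD session for an account allowed to invite guests; the e-mail address and redirect URL are placeholders.

```powershell
# Added example (not from the answer above): invite an external account as a
# B2B guest and verify the resulting directory object. Assumes Connect-AzureAD
# has already been run by an account permitted to invite guests.
Import-Module AzureAD

$guestEmail  = 'seconduser@hotmail.com'                    # placeholder address
$redirectUrl = 'https://<MyAppService>.azurewebsites.net'  # placeholder app URL

# Send the invitation. The invitee accepts it from the e-mail; until then the
# invitation status is PendingAcceptance, but the guest object already exists.
$invitation = New-AzureADMSInvitation `
    -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl       $redirectUrl `
    -SendInvitationMessage   $true

"Invitation status : $($invitation.Status)"
"Invited object id : $($invitation.InvitedUser.Id)"

# Verify: the account now appears in this tenant with UserType = Guest and the
# externalised UPN form (seconduser_hotmail.com#EXT#@<tenant>.onmicrosoft.com).
$guest = Get-AzureADUser -ObjectId $invitation.InvitedUser.Id
"{0}  userType={1}  UPN={2}" -f $guest.DisplayName, $guest.UserType, $guest.UserPrincipalName
```

After the invitation is accepted, the same sign-in that produced AADSTS50020 is evaluated against a user that does exist in the tenant, which is the condition the error message names.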
Related
I have registered a new app using Power BI Developer and go to Portal Azure and do the following steps:
Azure Active Directory
App registrations
(Tab) Owned applications > Choose my app
(On the new page) > API Permissions (Choose the permissions)
Here is my problem!
In the old version of Portal Azure, at the top of the page where I choose the permissions, there was a magical, wonderful button named "Grant Permissions", like the following image. This is an example:
But now, on the new Portal Azure, I cannot give User Consent to myself (because I can't find this button), like I did on the previous version of Portal Azure. Does anyone know where I can find it?
The second image has a button named "Grant admin consent for my company". I have tried this button with my Azure admin, but it's not what I need: I need "User Consent", not "Admin Consent".
Grant permission is replaced by Grant admin consent on the new portal.
The permissions you added don't need admin consent, so when the users log in to your application for the first time, they will be asked for consent (user consent). No need to do more steps on the Azure portal.
If you don't want the users to grant user consent when they log in, you can grant admin consent for all the tenant's users on the Azure portal; the users will not be asked for consent again.
I would like to change the Azure AD B2C default sign-in picture using the steps listed in this Stack Overflow answer.
However, when I log into the Azure Portal and find my instance of Azure AD B2C, and click into it, I see the following left-hand sidebar, which doesn't include the "Users and Groups" tab under the "Manage" section, but only includes the "Users" tab (which, if clicking into it, doesn't have a "Company Branding" tab inside).
How can I find the "Company Branding" tab? Do I have to upgrade my subscription or something to have access to it?
(Also, one difference I noticed between the screenshots in the SO answer linked above and the screenshot I provided is that the link's Azure AD B2C instance name is spottedmahnb2c.onmicrosoft.com; the name of my instance is login.mydomain.com. Potentially this points to the difference.)
UPDATE
It seems that there is no "Basic" vs "Premium" subscription for Azure AD B2C. However, I am adding a bit more information.
This is the link that describes how to modify the login UI for AADB2C. However, when clicking on the "Company Branding" link, it takes me to an AAD page. Does that mean in order to customize the login UI for AADB2C, I have to visit AAD's "Company Branding" page?
In an Azure AD B2C tenant, you have access to two (2) different menus for tenant admin.
Azure AD B2C
Azure Active Directory
The second one has the access to Users and Groups and Company Branding.
In portal.azure.com, upper right, within the context of your B2C tenant, select All services, then search for "b2c" or for "Active Directory" to find and select the menu blade.
The "Company Branding" option is useful ONLY for the b2c sign-in journey/policy. All other policy types are customized following this guide: Azure Active Directory B2C: Customize the Azure AD B2C user interface (UI).
From within your B2C Tenant
Go to Azure Active Directory
Select Company Branding -> Edit
Note: The company branding link was under B2C -> All users previously. Reference.
Missing for me too. Must be an issue in Azure. Azure Support on Twitter could probably help.
When an app is registered in Azure AD, to give permission to the app, we can grant consent to an application's delegated permissions on behalf of all the users in your tenant by clicking the "Grant Permissions" button. How do I undo this permission once it is given? Or can it not be undone from the Azure portal once it is clicked? I am confused, as it is always the same color and always asks the "Do you want to grant...." dialog, and "No" doesn't undo the action.
Revoking Tenant Wide Consent can be done through the Azure Portal.
See here: Revoking Consent for Azure Active Directory Applications
Using the Azure Portal to Remove Tenant Wide Consent
If you are a tenant administrator, and you want to revoke consent for an application across your entire tenant, you can go to the Azure Portal. Whether it be for a bunch of users who individually consented or for an admin who consented on behalf of all the users, by simply deleting the application's service principal, you will remove all delegation entries (the object used to store consent) for that application. Think about removing the service principal like uninstalling the application from your tenant.
You could delete the service principal a bunch of different ways like through Azure Active Directory PowerShell or through the Microsoft Graph API, but the easiest way for the average administrator is right through the Azure Portal.
Navigate to the Enterprise Applications blade in the Azure portal:
Then click "All Applications" and search for the application you want to revoke consent for:
When you click the application, you will be brought to an "Overview" section, where a tempting button called "Delete" will be at the top. Before you click this button, you might want to take a peek at the "Permissions" section to see the types of consent that were granted to this application:
Once you feel confident that you want to delete this application, go back to "Overview" and click "Delete"!
Voilà! The app and all consent associated with that app is now gone.
There are some screenshots included in the actual blog post.
I hope this helps!
As @Shwan Tabrizi said, you can refer to the blog's way to remove the app from Enterprise Applications, because once you click the Grant Permissions button, the app will be auto-added into Enterprise applications and permissions assigned to users. You can also choose which user to remove permission from with the following steps:
1. Sign in to the Azure portal with an account that's a global admin for the directory.
2. Select More services, enter Azure Active Directory in the text box, and then select Enter.
3. On the Azure Active Directory - directoryname blade (that is, the Azure AD blade for the directory you are managing), select Enterprise applications.
4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Users & Groups.
7. On the appname - User & Group Assignment blade, select one or more users or groups and then select the Remove command. Confirm your decision at the prompt.
I've been following this guide to get a B2C AD up and running:
Create the B2C directory in the old portal (http://manage.windowsazure.com) ensuring "This is a B2C Directory" is checked.
Register an application in the new portal (http://portal.azure.com) under the B2C blade
Create the sign-in policy.
When I try to test the sign-in policy with "Run now" and try to log in with my local account (the same one which created the B2C AD -- the global administrator for this new AD), all I am met with is "We don't recognize this user ID or password".
What have I missed here?
I am able to reproduce this issue too. If you want to manage the users for the Azure B2C tenant, you can log in to the classic Azure portal from here. However, currently there are a couple of known issues with user management (the Users tab) on the Azure classic portal:
Refer here for the Azure Active Directory B2C: Limitations and restrictions.
And if you want Azure AD to allow logging in with the default global admin account, you can submit feedback from here.
I have two Office 365 tenants one for Production and one for Testing.
I can see in manage.windowsazure.com my two Active Directories.
I noticed the following behavior when creating a multi-tenant, user-consent application.
When a multi tenant Azure AD application is registered in Azure AD 'X' then, this app is not available in the "My Apps Launcher" for Office 365 users in tenant 'X'. On the other hand, the app is accessible in launcher (after pinning it from 'View all my apps') for all users and tenants except 'X'.
Is that an expected behavior?
I think only apps that the user is assigned to show up in the Office portal.
If you create the app in your tenant, admin consent is applied automatically in your tenant, meaning that all users automatically get consented to it but none of them get assigned.
On the other hand, what you've been testing with users from another tenant is user consent, which consents just that user to the app, and also assigns them to it.
If that other tenant went through admin consent (by adding prompt=admin_consent to the login.microsoftonline.com), you'd see the same behavior as your tenant where everyone gets consented but no one assigned, and therefore no one would (by default) see it in the Office portal.
To have it show up in the case of admin_consent (whether it's in your tenant or some other one) you need to:
Go to the classic Azure portal and navigate to Azure AD and your app.
Once in your app's Azure AD page, select Users & Groups.
Select "All Users" from the Show filter and click on the check mark.
Select a user and click on the button at the bottom that says "Assign".
Doing that should make your app show up for that user in the Office Portal.
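The assignment step above done with the AzureAD PowerShell module, as an added example that is not the answerer's own code: it assigns one user to the enterprise application in the tenant where the service principal lives, which is the condition the answer gives for the app appearing in the Office portal. It assumes a Connect-AzureAD session as an administrator of that tenant; the app name and user principal name are placeholders.

```powershell
# Added example (not from the answer above): assign a user to the enterprise
# application so it shows up in their app launcher. Assumes Connect-AzureAD
# has been run as an administrator of the tenant that holds the service principal.
Import-Module AzureAD

$appName = 'MyMultiTenantApp'     # placeholder enterprise app name
$userUpn = 'user@contoso.com'     # placeholder user principal name

$sp   = Get-AzureADServicePrincipal -Filter "displayName eq '$appName'"
$user = Get-AzureADUser -ObjectId $userUpn
if (-not $sp -or -not $user) { throw "App or user not found in this tenant" }

# Pick an app role that users may hold; an app that defines no roles uses the
# "default access" role, whose id is the empty GUID.
$userRole = $sp.AppRoles |
    Where-Object { $_.AllowedMemberTypes -contains 'User' } |
    Select-Object -First 1
$roleId = if ($userRole) { $userRole.Id } else { [Guid]::Empty }

# This is what the portal's "Assign" button creates.
New-AzureADUserAppRoleAssignment `
    -ObjectId    $user.ObjectId `
    -PrincipalId $user.ObjectId `
    -ResourceId  $sp.ObjectId `
    -Id          $roleId | Out-Null

# Verify: the user is now listed under the app's Users & Groups.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Where-Object { $_.PrincipalId -eq $user.ObjectId } |
    Select-Object PrincipalDisplayName, PrincipalType, Id
```

Consent and assignment remain separate records, as the answer explains: this creates only the assignment, and a user who has never consented will still be prompted (or covered by admin consent) when first signing in.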