I created a new azure B2C AD and linked it to my subscription.
Now I want another colleague to be able to access the B2C tenant, register apps and edit ones I registered.
In the portal, I can switch directory to the B2C directory, however, when I tried to add the colleague as a new member to the AD of the directory it said their email (which is a member of the original subscription) is not a verified domain name for this directory.
In the new Azure portal, this experience has changed a bit. You will need to invite your colleague using the "New guest user" link. Once invitation has been sent, you an add them as a Global Administrator.
The invited guest will get an email with the invitation link. Once they click it and redeem the invite, they will have access to the directory as an administrator.
Find the user and open it.
Related
I have enabled the feature of Multi-Tenant in my application registration in my app. This is the following scree shot:
Now I want to add user from different tenant to this tenant without changing their domain name. What should i do?
Now I want to add user from different tenant to this tenant without
changing their domain name. What should i do?
For this, you would need to invite that user as a guest user in your Azure Tenant. To do so, go to "Users" and then click on "New guest user".
On the next screen, simply select "Invite user" option and provide all details for the guest user. They will be sent an invitation email and once they accept it, they will be added as a guest user in your Azure Tenant. They should be sign in using their existing "Work/school account".
I have created a webapp on Azure and have set the authentication mode to;
"Accounts in any organizational directory (Any Azure AD directory -
Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use
your application or API. This includes Office 365 subscribers."
It works perfectly for me and my colleges, and it works also for personal Microsoft accounts.
I am now trying to login users on a different Azure AD, but these cannot login. Here is the login log of an attempt taken from their AD. A similar message was displayed to the user onscreen
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
the sole purpose of the webapp is to get an Azure/MS verified email address of the user and perform a lookup in a user database.
Preferably this should be achieved without need the "other azure AD" admins to do anything on their end. But if need be this can be asked. I just don't know what to ask.
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
This error usually occurs for many reasons. Please check if below are helpful:
Case1:
Please check if your sign-in URL is something like this:
https://login.microsoftonline.com/<tenant_id>/
If it is like that, you may get error as you selected this option: “Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)” and users from other organizations can't access the application.
To resolve that error, try to change the sign-in URL as
https://login.microsoftonline.com/common
Apply this URL value in Authority Setting in your application code.
To know how to do that in detail, go through this link.
Case2:
There is also a possibility where the user has active session already signed in using different personal account other than Microsoft. To confirm this scenario, check User Account and Identity Provider values in error message.
To resolve that error, inform the user to sign out from their active session and sign in again from different browser or private browser session. Otherwise ask them to clear the cookies and cache, sign in as new.
If still the error won’t resolve means, please go through below reference if it is helpful.
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory | Microsoft Docs
We deleted an "unused" user in our Azure AD. Deleting both the MS account as well as removing him from the AD. Now, a few days into the 60 day deletion process (of the MS account) we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess it is was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is no-where to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue but the user is a global admin again:
Additional information from the call to get a token: Extension:
Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020:
User account '{EmailHidden}' from identity provider 'live.com' does
not exist in tenant 'Default Directory' and cannot access the
application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account
needs to be added as an external user in the tenant first. Sign out
and sign in again with a different Azure Active Directory user
account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25
14:44:18Z
We've also tried logging in with multiple other global admins but no-one can access that page or find the application using the id it has. Is there something to be done maybe using Powershell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the New changes made in the Azure portal app registration
In the new experience, if your personal Microsoft account is also in
an Azure AD tenant, you will see three tabs--all applications in the
tenant, owned applications in the tenant as well as applications from
your personal account. So, if you believe that apps registered with
your personal Microsoft account are missing, check the Applications
from your personal account tab.
When you sign in using personal Microsoft accounts(e.g. Outlook, Live,
Xbox, etc.) with an Azure AD email address, we found out that when you
go to the Azure portal from the old experience, it signs you into a
different account with the same email in your Azure AD tenant. If you
still believe your applications are missing, sign out and sign in with
the right account.
The new app list shows applications that were registered through the
legacy app registrations experience in the Azure portal (apps that
sign in Azure AD accounts only) as well as apps registered though the
Application registration portal (apps that sign in both Azure AD and
personal Microsoft accounts).
If you know the application ID you can restore using Powershell
The error is due to using the v1 endpoint url. You need to use V2 endpoints in order to allow access from personal microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
I have an Azure Active Directory "ddddd" (hosted at xxxxx.onmicrosoft.com) with a Guest User that has ALREADY responded to an invitation. But he responded with his Microsoft personal account instead of his work account (both have the same email address). In the user profile, I see the source is currently "Microsoft Account".
This Active Directory "ddddd" is linked to Azure DevOps (Team Services) organization "ttttt" (i.e. the Directory setting of the "ttttt" DevOps organization is connected to my Active Directory "ddddd"). This user is already set up in "ttttt" and linked properly.
How do I re-invite or directly update the user profile so the Source is tied to "External Azure Active Directory" linked to his work place (which is an on-prem Active Directory linked through ADFS to Office 365 via yyyyy.onmicrosoft.com)?
One idea that occurs to me is to delete the user and re-create in Azure AD "ddddd" (at xxxxx.onmicrosoft.com), re-invite and ask him to accept the invitation using his work address (via adfs to yyyyy.onmicrosoft.com).
So my second question is: will recreating the user affect the user in my Azure DevOps "ttttt" ? The email address of his work and personal Microsoft account is the same.
At this point, Azure AD doesn't support changing the authentication type of an external (guest or member) user, so if the user is authenticating with MSA and you'd prefer they use their Azure AD credentials, you'll have to delete their existing guest account and re-invite them with instructions that they should use their Azure AD credentials to accept.
As for the Azure DevOps tenant, I'm less familiar with that set up but if those are really separate tenants doing this operation in ddddd shouldn't affect ttttt.
I've logged in to azure portal using my work account (Azure AD) and created new vsts account and team project. I can now login to vsts using my work account and add my colleagues from the same AD to team project.
Is it possible to add users/stakeholders from another company to my team project if I don't have admin access to my company's AD?
EDIT:
please vote for multi-tenant authentication in VSTS on uservoice
Answer from Microsoft support:
Any user who wants to use VSTS will have to be in that AAD. Normally they would get added as an MSA account, or an account in another AAD.
Me: I was thinking about creating my own AAD in Azure and adding users from another AAD to it, but I’m not sure whether they will still be able to log in using their corporate login and in case their account will be disabled in their AAD, it will be disabled also in my AAD.
If it is linked to an AAD, the accounts have to be in there somehow.
If he creates his own AAD and doesn’t have admin access to the corp aad, users will be added as MSA users.
If he did add corp users as AAD users (not MSA users) in his AAD and they were deleted/disabled in the native AAD, they would not be
able to logon to his VSTS. (Same is true for MSA users, if the MSA
account is deleted/disabled they couldn’t logon to VSTS even though
they were in his AAD as #EXT)
Accoording to this doc, no.
Q: Why can't some users sign in?
A: This might happen because users must sign in with Microsoft accounts unless your Visual Studio
Team Services account controls access with Azure Active Directory
(Azure AD). If your account is connected to Azure AD, users must be
directory members to get access. How do I find out if my account uses
Azure Active Directory (Azure AD)?
If you're an Azure AD administrator, you can add users to the directory. If you're not, work with the directory administrator to add
them. Learn how to control account access with Azure AD.