2-step authentication to Gmail from Azure App service

I have a Spring boot application run on Azure App Service, from which I want to send emails to users.
I can already do that with a Gmail account I created myself; I just needed to turn on the "allow less secure apps" feature.
However, I'm required to use another Gmail account which belongs to an organization and thus is forced to use 2-step verification as per the organization policy.
Is it possible to complete the 2-step verification process from Azure's App service? What other options do I have?

Is it possible to complete the 2-step verification process from Azure's App service?
In short, we couldn't do that from Azure's App service directly with your Gmail account.
From the Google documentation we could know that 2-Step Verification adds an extra layer of security to your users' managed Google accounts by requiring them to enter a verification code in addition to their username and password when signing in to their account.
In your case, according to your organization policy the Google account is forced to enable 2-Step Verification. Based on my understanding, we can't do that from Azure's App service directly.
What other options do I have?
Based on my experience, you could register a SendGrid account with your organization Gmail account. Then you could use SendGrid to send the email to other users. Then other users could get the email from the organization Gmail account, but maybe there are no sent mails in the organization Gmail account. For more detail, please refer to How to Send Email Using SendGrid with Azure.
Note: I didn't test it on my side.

Related

Send registration emails from Azure App Service

I have a MEAN Stack application hosted in Azure which targets users from different organizations. The Node API app is hosted as an App Service. When a user registers, I have to send a verification email to their email-id from a common email-id (like hello#contoso.com). I have an Office 365 Business custom email account for this purpose.
I googled a lot about this but most of the Microsoft documents are talking about using the logged-in user's credential to access Graph API ("me/sendMail"). I want to implement the email feature independent of the logged-in user. Please suggest a good design. Sample code will help me save time.
We can use an authenticated SMTP relay service, which is known as a Smart Host, with TLS capability to deliver emails from Azure VMs or App Services.
The most common SMTP relay service to integrate with Microsoft Azure is SendGrid.
For complete setup and more information please refer to this blog & SO thread.

Best practice for setting up email notifications from on-premises app with Azure

We have an on-premises (self-hosted) app which supports sending email notifications to users by providing SMTP mail server settings. Our users are all in Azure AD and are the only users of this on-premises app. Our users want to be able to receive email notifications from this app.
What is the recommended/best practice method for achieving this? Ideally the solution wouldn't require any additional subscriptions or added cost. It would be nice if the sending email address could be branded to match the app service it is coming from.
Here are some options that I've come up with:
1. Create a new user in Azure AD solely for sending email
   Seems wasteful, and we are billed monthly per user
2. Use an existing user (i.e. my own) to provide authorization to the SMTP server
   Rather not tie my own user credentials to this, and it will break if I ever change my password
3. Use an entirely different email account (e.g. Gmail?) for sending email
   No relation to the Azure AD tenant at all, harder for others to manage
4. Some existing method/service in Azure that is meant for this purpose, if it exists
Here's my idea on your case.
I watched this document, and I found that we can use an API Key to initialize 'new SendGridClient', and it mentioned that we can store this key in Azure Key Vault.
So if you just wanna use Azure AD to achieve the goal of protecting your local app from unauthorized users, you may try my idea. First, create an Azure Key Vault in the Azure portal, and you could create a new secret to store your SendGrid API key. Next, create an Azure AD application used to achieve authentication, such as the 'ROPC' flow (use user account and password to get an access token). Now we can set an access policy in Azure Key Vault, adding the Azure AD app and all your user accounts so that everyone could access the API key via that Azure AD app. After that, your app could send email.

Can I send auto generated email via Cloud Function and GSuite GMail API?

I have a GSuite organisation and a Google Cloud Project. I need to send auto-generated email from e.g. auto#myorg.com on Google Cloud invocation. Is it possible?
There are lots of examples of how to send email via Gmail from a Cloud Function. But how can I use my organisation email as a sender source?
You can try using a service account.
You'll need to delegate domain-wide authority to a service account that's bound to your GCP project and enable the appropriate scopes to send email via the Gmail API.
Once you have your service account properly configured you can then leverage the Google API Node.js client library with your service account credentials in your Cloud Function to send emails on behalf of any user within your organization.

Azure AD B2C - asynchronous email verification

Using Azure AD B2C with 'Email' specified for the user id.
I've tested the 'Sign up' and 'Sign up v2' user flows in Azure AD B2C. Both of these require the user to verify their email address by sending/entering a verification code. I've enabled MFA for both of these flows, so the mobile number needs to get verified as well.
The product guys have asked if it's possible for email verification to be done asynchronously, e.g. an email getting sent to the user, but they can verify this (e.g. via a hyperlink in the email) in their own time without having to enter a verification code during the registration process. Is this possible?
FYI. I think the reasoning from the product guys is that MFA via SMS to their mobile is enough. Multiple verifications (i.e. for email AND mobile) are a bit too much in terms of the UX...
One potential solution.
It's possible to disable email verification:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-disable-ev
Can then do external orchestration to send the async email. When they click on the link, we can update the verification status via the MS Graph API. Don't love this solution, but it's an option...

Can you set up Azure portal with MFA

In AWS I was able to set up MFA so that when I log into the console I have to enter an MFA code from my phone in addition to a password.
Is there a way to set MFA for https://portal.azure.com?
Per my understanding, you are looking for Azure Multi-Factor Authentication.
Add protection for Azure administrator accounts
Multi-Factor Authentication adds a layer of security to your Azure administrator account at no additional cost. When it's turned on, you need to confirm your identity to spin up a virtual machine, manage storage, or use other Azure services.
Azure Multi-Factor Authentication is Microsoft's two-step verification solution.
It helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers authentication via a range of verification methods, including phone call, text message, or mobile app verification.
Azure Multi-Factor Authentication in the cloud
Enable Azure Multi-Factor Authentication
Turn on two-step verification for users
You could get started with it in the cloud with this article.
