Continuous sync of photos from AD to AAD using AAD Connect tool - azure

Need to continuously sync (not just once) photos of users into the AD environment, and then into Azure AD. According to the article below, this attribute is only synced one time on initial sync. These photos are updated by our Security group when someone gets a new badge, and then we update the photo in AD. Can they be synced on an ongoing, continuous basis using the AD Connect tool? If so, do we have a document that can assist my customer with this type of configuration/need?
https://support.microsoft.com/en-us/help/3062745/user-photos-aren-t-synced-from-the-on-premises-environment-to-exchange

As stated in the article, for now, the only method I see available for you to use is the Set-UserPhoto cmdlet.
Br,

Related

How to automatically clean up users not logged in since 90days in Azure AD

My requirements are to find all the users who have not logged in via Azure AD in the last 45 days and the last 90 days and take action. That is,
A daily nightly job to run on Azure AD and, if it finds users who have not logged in in the last 45 days, automatically disable those users.
A daily nightly job to run on Azure AD and, if it finds users who have not logged in in the last 90 days or previously inactive users, delete those users.
This link looks similar, but it goes via a review process. However, my requirements are a bit simpler.
Thanks.
There are several options for identifying and removing stale/inactive users:
The access review feature you linked for identifying and removing inactive users is the most seamless, built-in way to achieve this at the moment. You can specify the "days inactive" and then remove the accounts either after the review period passes or after no reviewer has responded. To create access reviews and identify inactive users, you do need to have a Premium P2 license.
Alternatively, you could use an Azure Automation account or an Azure Logic App to achieve the same thing. For instance, you could create an Azure Automation PowerShell runbook with a daily schedule that checks the Azure AD sign-in logs and deletes the accounts based on the condition of whether they have recently signed in (i.e. where max_TimeGenerated <= ago(45d)). There is an example blog post here that implements this logic. Note that to update the accountEnabled property of admin users, you need to use delegated permissions, which need to run in the context of a user.
Another option is to query based on the lastSignInDateTime property.
The documentation for How To Manage Inactive Users has an example of how to query users who haven't signed in after a certain date using Microsoft Graph API.
Example:
https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z
To test the call, you can Sign in to Graph Explorer using the Global Administrator account of your tenant and execute the GET call.
Permissions Required:
Directory.AccessAsUser.All
Directory.Read.All
The SignInActivity property/endpoint is documented in detail here: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-3--list-users-including-their-last-sign-in-time
If you don't want the full list of users, you can also search for a specific user by name and evaluate the lastSignInDateTime:
https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'marileet')&$select=displayName,signInActivity
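The decision logic behind the nightly job described in this answer (disable at 45 days, delete at 90 days, using the signInActivity/lastSignInDateTime filter), as an added Python example that is not part of the original answer. It builds the Graph filter URL and classifies a constructed sample of user objects; the EXCLUDED_UPNS allowlist, the contoso.example UPNs and the handling of never-signed-in accounts via createdDateTime are my assumptions, and the real runbook would still have to call Graph with a token and apply the PATCH/DELETE.

```python
from datetime import datetime, timedelta, timezone

DISABLE_AFTER_DAYS = 45   # thresholds from the question
DELETE_AFTER_DAYS = 90
# Hypothetical allowlist: break-glass or service accounts the job must never touch.
EXCLUDED_UPNS = {"breakglass@contoso.example"}

def graph_inactive_users_url(now, days):
    """Build the beta /users call from the answer above: lastSignInDateTime le <cutoff>."""
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ("https://graph.microsoft.com/beta/users?$filter="
            f"signInActivity/lastSignInDateTime le {cutoff}"
            "&$select=id,userPrincipalName,accountEnabled,createdDateTime,signInActivity")

def classify(user, now):
    """Return 'delete', 'disable' or 'keep' for one Graph user object."""
    if user["userPrincipalName"] in EXCLUDED_UPNS:
        return "keep"
    # Never-signed-in accounts carry no signInActivity (assumption about the beta
    # endpoint); age them from createdDateTime so new accounts survive the first run.
    activity = user.get("signInActivity") or {}
    stamp = activity.get("lastSignInDateTime") or user.get("createdDateTime")
    if not stamp:
        return "keep"                       # incomplete data: take no action
    idle_days = (now - datetime.fromisoformat(stamp.replace("Z", "+00:00"))).days
    if idle_days >= DELETE_AFTER_DAYS:
        return "delete"                     # 90+ days, whether enabled or already disabled
    if idle_days >= DISABLE_AFTER_DAYS and user.get("accountEnabled", True):
        return "disable"
    return "keep"                           # active, or already disabled under 90 days

def plan(users, now):
    """Map UPN -> action; the nightly runbook would then PATCH accountEnabled or DELETE."""
    return {u["userPrincipalName"]: classify(u, now) for u in users}

NOW = datetime(2019, 7, 1, tzinfo=timezone.utc)
# Constructed sample of what the filtered /users call could return (not real tenant data).
SAMPLE_USERS = [
    {"userPrincipalName": "active@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2019-06-20T08:00:00Z"}},
    {"userPrincipalName": "idle51@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2019-05-10T08:00:00Z"}},
    {"userPrincipalName": "idle121@contoso.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2019-03-01T08:00:00Z"}},
    {"userPrincipalName": "new@contoso.example", "accountEnabled": True,
     "createdDateTime": "2019-06-28T08:00:00Z"},
    {"userPrincipalName": "breakglass@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2018-01-01T00:00:00Z"}},
]
```

Run `plan(SAMPLE_USERS, NOW)` to see the dry-run plan; logging that plan before acting on it is what makes a nightly deprovisioning job auditable.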

Azure AD Not Syncing Mail Attribute Correctly

Let me preface this by saying I'm not that familiar at all with Azure AD, and that this is basically something I've inherited.
We have Azure AD Sync set up to sync our on-premises AD to Azure.
We've recently upgraded our SSO solution, and it's now authenticating against Azure AD. We've run into a problem, as not all of our users' attributes are syncing correctly.
All these users have their on-premises mail attribute set in the form of:
jdoe@subdomain.domain.com
However, for a majority of our users, which we've tracked down to anyone created after 2018/2019, the mail attribute does not sync in this format. Instead, their mail attribute in Azure is set in the following format:
SamAccountName@domain.com
Note that for our users, SamAccountName and the mail attribute do differ in the naming schema used.
Now, for those who were created pre 2018/2019, their mail attribute in Azure is syncing properly in the format of:
jdoe@subdomain.domain.com
The only thing we can think of is that before that date we had been using one automated solution to generate our user accounts, and after that date we switched to a different provider.
That new generation process includes a once-a-day provisioning of accounts into Office365.
We need these attributes to be synced correctly in the jdoe@subdomain.domain.com format in order to work with one of our SSO integrations.
Any thoughts on what the issue is and how to resolve it?
Solution:
After some testing, it was determined that licensing for Office365 is the culprit.
When we would assign our users licensing (Specifically Office 365 A1 for students), the following two applications would cause the overwrite of that attribute:
Information Barriers
Exchange Online
As long as the user is not licensed for those applications, everything works as expected.

Cannot access Video Indexer API?

I'm trying to use the Video Indexer API (v2). But when I try to sign in to it using Azure Active Directory, I get this message:
Selected user account does not exist in tenant 'Microsoft' and cannot access the application 'da0eb6e2-d2bd-4cbd-ad65-81ddc43546e2' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
I'm not sure what the issue is?
Sign-in to the VideoIndexer developer portal has been revised.
We unified the developer portal sign-in with that of the VideoIndexer site.
The screenshot in @Mohit_Garg's comment is no longer relevant. This is our new sign-in experience.
The first option should be used in the case of Active Directory accounts. This is also the only option that will allow you to use Video Indexer paid.
In many cases users selected the Microsoft option in the old authentication method when they actually wanted the AAD option.
After the new experience they select the first option "Sign in with a corporate account" and get a message saying that an account with that e-mail already exists.
An e-mail is unique in the Video Indexer developer portal. So if you want to use your AAD but previously opened an account in the developer portal using a different authentication method, you will need to sign in using the original authentication method and close the account in your developer profile page. After the account removal you will be able to sign in with a different authentication method.
More info can be found in the official video indexer documentation
Clarification: I'm a developer in the Video Indexer team.
Follow the steps below to subscribe to the API:
Sign in.
To start developing with Video Indexer, you must first Sign In to the Video Indexer portal.
If signing in with an AAD account (for example, alice@contoso.onmicrosoft.com) you must go through two preliminary steps:
A. Contact us at visupport@microsoft.com to register your AAD organization's domain (contoso.onmicrosoft.com).
B. Your AAD organization’s admin must first sign in to grant the portal permissions to your org. To do this, the organization's admin must navigate to https://videobreakdown.portal.azure-api.net/signin-callback?provider=Aad, sign in and give consent.
Subscribe.
Select the Products tab. Then, select Production and subscribe.
Once you subscribe, you will be able to see your subscription and your primary and secondary keys. The keys should be protected. The keys should only be used by your server code. They should not be available on the client side (.js, .html, etc.).
Start developing.
You are ready to start integrating with the API. Find the detailed description of each Video Indexer REST API.

Control Access to Microsoft Azure Account

Our company has a Microsoft Azure account (Pay-As-You-Go).
We had a programmer that developed our web app. We gave him full access to our Azure account. So, he had access to everything.
We intend to hire another developer to make modifications to the web app, so he'll need access to the App Services and SQL Databases. Our intention is to just allow him access to those features.
We did our research and came across the documentation, Resources, roles, and access control in Application Insights. We followed it step by step, but there's an issue. Doc LINK
We tested the procedure by adding one of our IT staff's Microsoft account (personal Outlook.com account) and assigning him the Contributor role, and sent him an invite. He's not seeing the invite. We did the same for another staff, but it's the same problem.
Can we get some assistance please?
It was not working earlier. I tried with one Gmail ID. Now it is working perfectly fine and I am able to receive the invitation email.
To send an invitation, you need to go to Active Directory. Add the user's email as a guest under the add user option (Add guest user).

How to connect Azure AD with PowerApps forms

I am creating a Leave Request form in PowerApps and I want to connect it with the Azure AD of my organization.
The scenario is:
1. User fills up the form of Leave Request
2. The "Employee Name" and "Department" fields should be called by itself in the text box. I want to call these identities from Azure AD.
How can I perform this?
As far as I know, it is not possible to connect to Azure AD to get the data in PowerApps.
However, it is possible to get the user information using the User().FullName function to get the current username. If you also want it to support retrieving the department of the current user, you may submit feedback from here.
There is a system called Microsoft Flows where you can interface between Azure AD and your PowerApps application. I've been using it, and although it's new and a little buggy, it's a possible solution for your problem.
