Not able Add the B2B invitation in Azure new portal - azure

Currently we are working on Azure SSO migration project and doing most of the task using old azure site. we have received a mail from the Microsoft via Client to use the new azure portal.
To provide the access for B2B, in old portal we straight uploaded the files with application id and the group id and that worked well.
But, in new portal when the did the same, the ids' are getting created in azure AD portal but they are not mapped in the groups that we have created for B2B invitation for the application.
Is there any approach is there. please help.
Regards,
Avisekh

The feature in the Azure Portal allows you to add individual requests by adding guest accounts, but if you need to invite multiple people or have any type of automation, you should:
Use PowerShell New-AzureADMSInvitation cmdlet
[or]
Use the Microsoft Graph API invitations
If you need to add users to groups, then you can also use the Dynamic Groups feature in Azure B2B (perhaps this is more similar to what you used to have), as well as Graph API Groups API or via PowerShell.

Related

Azure AD "Description" field missing when sync'd using Azure AD Connect

We're using Azure AD Connect to sync our on-premises Active Directory to Azure AD. We have the free version that comes with the Office 365 business plans.
Azure AD Connect shows the Description field as being synchronized to Azure AD, yet, the field does not appear anywhere.
We're using a third-party service to read data from our user profiles to generate email signatures, but the service cannot read the data as it doesn't "exist" in Azure.
I even tried going into our Azure AD Connect configuration, enabled Directory extension attribute sync and added the Description field for user accounts...but it created a new "description" field with a weird name instead.
Is there something I'm missing ? Do we perhaps need to have Azure AD Premium ?
Thanks for your help people!
Based on the official documentation, the attribute for Description has been synced to Azure AD. You can verify it by open Synchronization Service Manager, and check the properties for the specific user by Metaverse Search.
However, if you need to retrieve the attribute values for specific user, you must use Azure AD Graph API. For your scenario, the third-party service may leverage Azure AD Graph API for retrieving user properties.
Then, if you check the Graph API reference, you can find that Description is not included in the list, which means you can't retrieve the Description attribute from Azure AD.
As a workaround, you can use Directory extension, but the attributes are prefixed with extension_{AppClientId}_. The AppClientId has the same value for all attributes in your Azure AD tenant.
Also, you can submit your requirements to the following website, which collects feedbacks for Azure AD from users.
https://feedback.azure.com/forums/169401-azure-active-directory?query=attribute

Unable to enable Organizational Authorization for custom domain in O365 Azure AD

I want to publish a web application to a Azure Web App and enable Organizational Authentication during the process. The wizard offers the following options:
I've added two custom domains to our Office 365 subscription that also show up in the corresponding Azure AD tenant.
Instead of using the default domain mycompany.onmicrosoft.com I want to use one of those custom domains so that this domain is shown to the user on various web pages that handle authentication and consent. I was able to use the custom domain without any problem when configuring Azure AD authentication for the web project.
When using the custom domain in the wizard (field domain in the screenshot), I first need to enter my O365 credentials. Shortly after, the following error is displayed:
Provisioning the destination end point failed with the error:
'The user account 'x#y.z' doesn't have the required permissions to access the domain 'y.z'.'
If you don't intend to enable Orgnizational Authentication during
publish, please turn that option off in the publish dialog.
The Directory Role of the account is Global Administrator and I've already registered multiple apps using this account. So I don't think that this has anything to do with permissions.
Do I have to use the *.onmicrosoft.com domain or can I solve this in a different way?
As a sidenote (just if this is makes a difference): the web app resides in a Azure subscription that belongs to my Microsoft account whereas the O365 Azure AD is administered by my work account and does not belong to a subscription. Of course, not the most straightforward way, but I guess pretty common for Microsoft partners as the Azure benefits can only be actived on a Microsoft account even if the partner already has a O365 subscription.
To use the custom domain for the organization authentication we need to enable it as the primary domain.
You can check it from the old Azure portal here like figure below:
Update( change the primary domain in new Azure portal)
locate Azure Active Directory->Domain names->select the domain which want to set as primary domain like figure below:

Using Google Apps for Work account to sign in to access Azure portal

In our organization, we are using Google Apps for Work for emails, calendar, document repository.
We also have some other services that we are using our google account to authenticate with SSO support. Simply google account is our SSO account that we want to use in all services we are using.
There are few exceptional services that we were not able to setup Google as identity provider. One of them is Azure Services. In azure, you can provision Azure Active Directory and create accounts in it and use that accounts to access many other Azure Services, such as Azure SQL Databases. If you are using Visual Studio Team Service, you can also configure VSTS to backed by AAD, then you can access to VSTS using AAD Account.
My question is, is there a way to configure AAD to delegate authentication on google side ?
If we can do this, then we would be able to use our Google Account to access all azure services
No, Microsoft services pretty much don't support any accounts other than Azure AD & Microsoft Account at this time.
You could set up Azure AD as the Identity Provider for your Google Apps account. I'm sure there would be some tedious steps in the process to get your users moved over but it should work. When your users attempt to login to Google Apps they would get redirected to an Azure AD sign in page and then redirected back to Google.
Some marketing material can be found here:
https://azure.microsoft.com/en-us/marketplace/partners/google/googleapps/

Azure Active Directory B2C deployment via resource manager (or code)

Our company is considering using AAD B2C as the backing store for our SaaS user accounts. Our plan is use Resource Manager templates to deploy the Azure infrastructure (web, storage, sql, etc) for each client. AAD B2C will be part of that if this works out, but as of now there doesn't appear to be a way to include AAD B2C in resource manager templates.
My view of the intent of the B2C product is that it serves as a replacement for the auth and user store components of an app, and should therefore be considered infrastructure. Right now the hierarchy between AAD and resource groups in the new azure portal doesn't reflect that - resource groups (and their resources) appear 'under' an identity in an AAD account. But why is that? Is an AAD a parent to a resource group? I'm trying to understand how the two fit together.
If AAD B2C is really intended to serve this purpose when it leaves preview, it will need to support automation. After a quick search I can't even find code samples to provision a new directory, let alone do so using Resource Manager templates.
Am I looking at this all wrong?
Currently there is no way to automate the creation of an AAD B2C tenant like there is also no way to automate the creation of an AAD tenant.
After you created a tenant you can access it programmatically via the Graph API. You can read more about this in the documentation: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/.
The first paragraph of this documentation mentions the following:
Azure Active Directory (Azure AD) B2C tenants tend to be very large. This means that many common tenant management tasks need to be performed programmatically. A primary example is user management. You might need to migrate an existing user store to a B2C tenant. You may want to host user registration on your own page and create user accounts in Azure AD behind the scenes. These types of tasks require the ability to create, read, update, and delete user accounts. You can do these tasks by using the Azure AD Graph API.
Caution: at the point of writing this is still in preview so the API can change any time and you have no SLA.
For the latest status about which Azure services support ARM you can read this page: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-supported-services/

Enable Azure Active Directory Access Control with Office 365 Azure Active Directory tenant

I currently have an Office 365 tenant with around 1,400 users all licensed. We have enabled the Azure AD tenant with the same account and are now using Azure AD Dirsync to have same sign-on to Office 365.
We are now having an external Sharepoint site developed and have been offered either ADFS or Azure AD ACS as an authentication method. As we've already got an Azure AD subscription (through Office 365) I thought this would be the easiest method. However, when in my tenant on https://manage.windowsazure.com, I have access to Active Directory, can add a new directory but cannot add a new Access Control service. It's greyed out and says "not available" underneath.
I've tried talking to Office 365 support, who referred me to Azure support, who then said we don't have support so can't help. I've spoken to Azure sales and they've referred me to Azure support, who then guess what, said we don't have support.
Has anyone else managed to implement an Azure Access Control service from an Office 365 tenancy using the free Azure Active Directory subscription? I get the feeling I just need to buy a cheap Azure subscription and the option would become available, but without knowing for sure I'm a bit hesitant about taking the plunge.
Thanks.
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any creditcard. When you have e.g. a pay-as-you-go subscription you should be able to create a ACS namespace. I just tried in one of my pay-as-you-go subscriptions.
You are (still) able to create a namespace but I suggest you to also take a look into the identity possibilities Azure AD itself has. Azure AD has currently only support for SAML 2.0 (and a lot of other protocols but they are not directly relevant for SharePoint). I know SharePoint (on-premises) only talks SAML 1.1 so that's where ACS comes in. You can read more about this topic here. Azure AD itself is going to support SAML 1.1. The only question is when. (see one of the comments from the source mentioned below this answer)
I also would make one remark about Azure AD ACS because this is going to be replaced by Azure AD. The only question left is when.
ACS Capabilities in Azure AD
As we've mentioned previously, we are adding ACS-like capabilities into Azure AD. In the coming months, as part of a feature preview Azure AD administrators will be able to add federation with social identity providers, and later custom identity providers to Azure AD. This will allow app developers to use Azure AD to simplify the identity implementation in their apps, similar to how developers use ACS today. We look forward to getting your feedback on the preview to improve these experiences.
Migrating ACS Customers to Azure AD
Once these new ACS capabilities of Azure AD are out of preview and generally available, we will start migrating ACS namespaces to use the new Azure AD capabilities.
Source: The future of Azure ACS is Azure Active Directory
Quick solution:
Create an Azure paid account. Add the administrator user of the paid account in the Office 365 directory, and set it as global administrator of this later directory (you can add users from other directories).
Then switch back to the paid account. The new global administrator will be able to manage the Office 365 directory and add a namespace.

Resources