Add users from another AD to my team project - azure

I've logged in to the Azure portal using my work account (Azure AD) and created a new VSTS account and team project. I can now log in to VSTS using my work account and add my colleagues from the same AD to the team project.
Is it possible to add users/stakeholders from another company to my team project if I don't have admin access to my company's AD?
EDIT:
Please vote for multi-tenant authentication in VSTS on UserVoice.
Answer from Microsoft support:
Any user who wants to use VSTS will have to be in that AAD. Normally they would get added as an MSA account, or an account in another AAD.
Me: I was thinking about creating my own AAD in Azure and adding users from another AAD to it, but I’m not sure whether they will still be able to log in using their corporate login and in case their account will be disabled in their AAD, it will be disabled also in my AAD.
If it is linked to an AAD, the accounts have to be in there somehow.
If he creates his own AAD and doesn’t have admin access to the corp aad, users will be added as MSA users.
If he did add corp users as AAD users (not MSA users) in his AAD and they were deleted/disabled in the native AAD, they would not be able to logon to his VSTS. (Same is true for MSA users, if the MSA account is deleted/disabled they couldn’t logon to VSTS even though they were in his AAD as #EXT)

According to this doc, no.
Q: Why can't some users sign in?
A: This might happen because users must sign in with Microsoft accounts unless your Visual Studio Team Services account controls access with Azure Active Directory (Azure AD). If your account is connected to Azure AD, users must be directory members to get access. How do I find out if my account uses Azure Active Directory (Azure AD)?
If you're an Azure AD administrator, you can add users to the directory. If you're not, work with the directory administrator to add them. Learn how to control account access with Azure AD.
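The step the doc leaves to the directory administrator is a B2B guest invitation. Here is what that looks like from the administrator's side, as an added example that is not part of the original question or the support reply. It assumes the Microsoft Graph PowerShell SDK and a caller who is allowed to invite guests (User Administrator or similar); the invitee address and redirect URL are placeholders.

```powershell
# Added example: invite an external user as a B2B guest and confirm how the directory
# records them. Requires the Microsoft.Graph PowerShell SDK and a caller holding a role
# that may invite guests (e.g. User Administrator); this is the step the doc says only
# the directory administrator can perform. Address and redirect URL are placeholders.

Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All" -NoWelcome

$inviteeMail = "partner.dev@contoso-partner.example"   # placeholder: the external user's e-mail
$redirectUrl = "https://dev.azure.com/my-org"           # placeholder: where the guest lands after redemption

$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $inviteeMail `
    -InviteRedirectUrl $redirectUrl `
    -SendInvitationMessage

# The guest object exists immediately, before the invitee redeems the mail.
$guest = Get-MgUser -UserId $invitation.InvitedUser.Id `
    -Property id,userPrincipalName,userType,creationType,externalUserState

[pscustomobject]@{
    UserPrincipalName = $guest.UserPrincipalName   # contains #EXT#, e.g. partner.dev_contoso-partner.example#EXT#@yourtenant.onmicrosoft.com
    UserType          = $guest.UserType            # Guest, not Member
    CreationType      = $guest.CreationType        # Invitation
    RedemptionState   = $guest.ExternalUserState   # PendingAcceptance until the user clicks the link
} | Format-List

# Sanity check: a guest is a directory member for sign-in purposes but is not a
# Member object, so anything scoped to members only will not apply to it.
if ($guest.UserType -ne 'Guest' -or $guest.UserPrincipalName -notmatch '#EXT#') {
    throw "Unexpected directory object for $inviteeMail"
}
```

The guest keeps signing in with their own corporate (or Microsoft) account; the `#EXT#` object in your directory only links to it, which is why the support reply says a disabled home account also stops them signing in to your VSTS account.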

Related

Azure SSO login for external users

I'm developing system where any user can login through Microsoft Azure SSO.
I have done the following:
Create B2C tenant (initially tried B2B)
Create enterprise application
Set "AzureADandPersonalMicrosoftAccount" for "signInAudience"
Set up SSO with SAML using "https://simplesamlphp.org/"
Now everything is working fine for my account. But if I try with another personal user (whom I haven't added as a guest user in my tenant), then it returns this error:
User account 'user@domain.com' from identity provider 'live.com' does not exist in tenant 'xxxx' and cannot access the application in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
I want any personal Microsoft user to be able to log in through SSO (without adding them as a guest user in the tenant).
Thanks in advance!
I tried to reproduce the same in my environment and got the below results:
Please note that if you are creating an Enterprise Application in an Azure AD B2C tenant, it will be authenticated via Azure Active Directory only, not Azure AD B2C.
When I tried to log in through a personal account, I got the same error as below:
As Enterprise Applications authenticate via Azure AD, it is not possible to authenticate users with personal Microsoft accounts without adding them as guest users.
The only approach is to add them as guest users and log in to SAML SSO without an invitation.
Go to Azure Portal -> External Identities -> External collaboration settings -> Enable guest self-service sign up via user flows.
On the left blade, click on User flows -> New User Flow.
Once the user flow has been created successfully, click on the user flow, select applications and add your application like below:
Then try signing in to your application with a Microsoft personal account.

Azure B2C: Enable other devs to access B2C Tenant via their Microsoft Accounts

I have set up an Azure B2C tenant using this tutorial.
This creates a new AD for B2C that is separate from our company AAD (if I try to add B2C on the company's main Azure AD, it states it is 'not a B2C tenancy', so I went with the tutorial and created a new B2C tenancy).
When I (the creator of the B2C tenant) log in, I can access the company AAD and the B2C Tenant (details obfuscated). My standard Office365 shows both.
However, other developers in the team can't see the B2C Tenant.
I want them to be able to access it via their Office365 credentials.
Looking online, I found this and this, but they both seem to be about logging people from your company AAD into your app, rather than inviting other devs as administrators. I tried the former to get a developers records in the User table, but after giving them rights, they still cannot see the B2C Tenant.
I then tried to Add a Connected Organisation, but I still can't access people from the main tenant to give them access.
'Invite users' from the portal doesn't seem to offer the choice of a Microsoft login. If I try 'Create User', the domain doesn't show, and 'Invite User' seems to make them guests with non-work logins.
I don't want to set the devs up with 'non-work' logins, as that seems a bit messy.
How do I add other developers from the company AAD to my B2C Tenant using their work credentials (Office365/Azure AD) so they too can also administer the application?
You need to choose Guest User, choose Invite User, and after providing the user information assign the role of Application Administrator or Global Administrator. Once you invite them, the user will receive an invitation to access the B2C tenant. They can access the B2C tenant with their own credentials.
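The role assignment the answer describes can also be done from PowerShell once the colleague's guest object exists in the B2C tenant. The following is an added example, not code from the original answer; it assumes the Microsoft Graph PowerShell SDK, a Global Administrator (or Privileged Role Administrator) in the B2C tenant, and placeholder values for the tenant ID and the colleague's work address.

```powershell
# Added example: after inviting a colleague from the company AAD as a guest of the
# B2C tenant (as the answer above describes), give them the Application Administrator
# directory role so they can manage app registrations there. Requires the
# Microsoft.Graph SDK and a Global Administrator / Privileged Role Administrator in
# the B2C tenant. Tenant ID and address are placeholders.

$b2cTenantId   = "00000000-0000-0000-0000-000000000000"   # placeholder: the B2C tenant, not the company AAD
$colleagueMail = "dev.two@company.example"                # placeholder: their work address

Connect-MgGraph -TenantId $b2cTenantId `
    -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

# Find the object the invitation created. Filtering on mail avoids spelling out the
# mangled #EXT# user principal name; the userType check is done client-side.
$guest = Get-MgUser -Filter "mail eq '$colleagueMail'" -Property id,userPrincipalName,userType |
    Where-Object { $_.UserType -eq 'Guest' } | Select-Object -First 1
if (-not $guest) { throw "No guest with mail $colleagueMail in tenant $b2cTenantId; invite them first" }

# Resolve the role by display name instead of hard-coding its template id.
# Use 'Global Administrator' here if that is the role you want, as the answer allows.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Administrator'"
if (-not $role) { throw "Role definition not found" }

# "/" is the tenant-wide directory scope.
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $guest.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/" | Out-Null

# Read back what the tenant now holds for this principal.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($guest.Id)'" -ExpandProperty roleDefinition |
    Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId
```

Application Administrator is enough to administer app registrations and enterprise apps; hand out Global Administrator in the B2C tenant only if the developers also need to change tenant-wide settings such as identity providers or user flows.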

Lost access to application when user was deleted

We deleted an "unused" user in our Azure AD, deleting both the MS account and removing him from the AD. Now, a few days into the 60-day deletion process (of the MS account), we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is nowhere to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue, but the user is a global admin again:
Additional information from the call to get a token: Extension: Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25 14:44:18Z
We've also tried logging in with multiple other global admins, but no one can access that page or find the application using the ID it has. Is there something to be done, maybe using PowerShell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made in the Azure portal app registration:
In the new experience, if your personal Microsoft account is also in an Azure AD tenant, you will see three tabs: all applications in the tenant, owned applications in the tenant, as well as applications from your personal account. So, if you believe that apps registered with your personal Microsoft account are missing, check the Applications from your personal account tab.
When you sign in using personal Microsoft accounts (e.g. Outlook, Live, Xbox, etc.) with an Azure AD email address, we found out that when you go to the Azure portal from the old experience, it signs you into a different account with the same email in your Azure AD tenant. If you still believe your applications are missing, sign out and sign in with the right account.
The new app list shows applications that were registered through the legacy app registrations experience in the Azure portal (apps that sign in Azure AD accounts only) as well as apps registered through the Application registration portal (apps that sign in both Azure AD and personal Microsoft accounts).
If you know the application ID you can restore it using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document.
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
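The fix that worked in this thread, restoring the soft-deleted user rather than re-creating it, can be scripted. The following is an added example and not code from the original thread; it assumes the Microsoft Graph PowerShell SDK, a caller with User.ReadWrite.All (or the User Administrator role), and a placeholder UPN. It uses the documented `/directory/deletedItems` endpoints through `Invoke-MgGraphRequest`.

```powershell
# Added example: find a soft-deleted user and restore it within the 30-day retention
# window. A re-created user with the same name is a new object with a new object id,
# which is why the re-created account in the thread above could not see the old app;
# a restore keeps the original id, group memberships and ownerships.
# Requires the Microsoft.Graph SDK; caller needs User.ReadWrite.All. The UPN is a placeholder.

Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$wantedUpn = "former.dev@company.example"   # placeholder: the UPN as it was before deletion

# Soft-deleted objects live under /directory/deletedItems with an OData type cast.
# A deleted user's UPN is rewritten with its object id prepended (so the original UPN
# is free for reuse), hence the suffix match below instead of an exact comparison.
$listUri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user?$select=id,displayName,userPrincipalName,deletedDateTime'
$deleted = Invoke-MgGraphRequest -Method GET -Uri $listUri

$candidate = $deleted.value |
    Where-Object { $_.userPrincipalName -like "*$wantedUpn" } |
    Select-Object -First 1
if (-not $candidate) {
    throw "No soft-deleted user matching $wantedUpn; after 30 days the object is permanently deleted and cannot be restored"
}

$deletedAt = ([datetime]$candidate.deletedDateTime).ToUniversalTime()
$daysLeft  = 30 - [int]((Get-Date).ToUniversalTime() - $deletedAt).TotalDays
Write-Host "Found $($candidate.displayName) ($($candidate.id)), deleted $deletedAt UTC, about $daysLeft day(s) left to restore"

# Restore in place; the response is the restored directory object.
$restored = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/directory/deletedItems/$($candidate.id)/restore"
Write-Host "Restored $($restored.userPrincipalName) with id $($restored.id)"

# The same two endpoints work for app registrations the tenant itself owns:
#   GET  /directory/deletedItems/microsoft.graph.application
#   POST /directory/deletedItems/{id}/restore
# They do not cover an app registered under a personal Microsoft account, which is
# why restoring the user, not the app, was the fix in this thread.
```

Check `$daysLeft` before anything else: once the retention window has passed the object is gone and the only option is to re-create the app and have users re-consent, as the last reply notes.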

Can't create an AD account because the directory is federated (AADB2B_0001)

We're trying to invite users (including those from different ADs) to ours in order to give them access to our enterprise app. We are using the AD to manage the app's users and permissions.
We send them an email to join our AD as a guest user.
However, when they already have an Azure AD account connected to a local AD (that's federated), we don't have the permission to create an account on our side.
There are a few articles on this problem, including suggestions such as resending invites till it works, asking them to add our organization as trusted, and creating our own account for them:
https://techcommunity.microsoft.com/t5/Microsoft-Teams/Invitation-redemption-failed-AADB2B-0001/td-p/292175
http://answers.flyppdevportal.com/MVC/Post/Thread/d9c92fea-a554-4c7a-91af-30016aa35111?category=windowsazuread
Our objective is to use their AD sign in for our apps as well. Is there an easy way, such as copying their AD profile or sending them a link that they have to simply click "Yes" without having to do much IT work on their side? Thank you!
Here's an example from a different post:
They have a local AD and an Azure AD set up, but the specific user I was trying to invite doesn't have an account in their Azure AD.
We can't create an Azure AD account for them.
They have to give the user an Azure AD account.
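When redemption fails on the partner's side there is nothing to fix in your own directory, but you can see which invitations are still pending and re-send them once the partner has given the user an account. The following is an added example, not code from the original question; it assumes the Microsoft Graph PowerShell SDK with User.Read.All to list guests and User.Invite.All to re-send, and uses placeholder addresses. Filtering on userType needs the advanced-query headers, hence `-ConsistencyLevel eventual`.

```powershell
# Added example: list guest invitations that were never redeemed, with their age and
# the home domain that must hold the user's account, then re-send one invitation.
# Requires the Microsoft.Graph SDK; User.Read.All to list, User.Invite.All to re-send.

Connect-MgGraph -Scopes "User.Read.All", "User.Invite.All" -NoWelcome

# externalUserState is PendingAcceptance until the invitee completes redemption;
# the userType filter requires advanced-query mode (ConsistencyLevel + $count).
$pending = Get-MgUser -All `
    -Filter "userType eq 'Guest' and externalUserState eq 'PendingAcceptance'" `
    -ConsistencyLevel eventual -CountVariable pendingCount `
    -Property id,displayName,mail,userPrincipalName,createdDateTime,externalUserState

$pending | ForEach-Object {
    [pscustomobject]@{
        Mail       = $_.Mail
        InvitedOn  = $_.CreatedDateTime
        AgeDays    = [int]((Get-Date).ToUniversalTime() - $_.CreatedDateTime).TotalDays
        HomeDomain = ($_.Mail -split '@')[-1]   # the directory that must contain the user's account
    }
} | Sort-Object AgeDays -Descending | Format-Table -AutoSize

Write-Host "$pendingCount pending guest(s)"

# Re-send to one invitee. Submitting the invitation again for an address that already
# has a pending guest object re-sends the mail for that object instead of creating a
# second user (behaviour of the Graph invitation API, not something this script enforces).
function Resend-GuestInvitation {
    param(
        [Parameter(Mandatory)][string]$Mail,
        [string]$RedirectUrl = "https://myapps.microsoft.com"   # placeholder landing page
    )
    New-MgInvitation -InvitedUserEmailAddress $Mail -InviteRedirectUrl $RedirectUrl -SendInvitationMessage |
        Select-Object Status, InviteRedeemUrl
}

# Resend-GuestInvitation -Mail "someone@partner.example"   # placeholder address
```

Guests stuck behind AADB2B_0001 for a long time usually show a home domain that is federated on the partner side; there the first line of the example output is the list you send to the partner's IT, since, as the answer says, only they can create the account the invitation will attach to.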

Cannot enable MFA on Azure Microsoft accounts

I'm trying to enable Multi-Factor Authentication on my Azure account (to secure my access to the Azure portal). I am following the tutorial from here, but, unlike this picture:
I have no Enable button when I select my user:
I've tried to send a CSV bulk request with only my user (the email address), but it says the user does not exist.
I am trying to add MFA on the user william@[something].com when I'm logged in with the william@[something].com MS account (I am the only user, and I'm global administrator).
In the MFA management page, you can only manage/enable MFA for your own Microsoft Azure AD accounts, including accounts created in Azure AD or synced from your on-premises AD; not any Microsoft account or accounts from other Microsoft Azure ADs. As you said you're using an MS account, you surely can't see the Enable button.
In the Azure Classic Portal, you can easily see if it's a Microsoft account or a Microsoft Azure Active Directory account:
If you want to enable this for your Microsoft account, you need to use the Microsoft service here, sign in and then click Set up two-step verification.
Follow the steps afterwards and you'll enable two-step verification for your Microsoft account.
Of course you can create a new account in your Microsoft Azure Active Directory (type of user: New user in your organization), then you can enable MFA for this new user. If you would like a Global Admin, you can click this user and assign the user the Global Admin role. Then later you can use this admin account for your management work.
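The distinction the answer draws (a Microsoft account that was given access to the tenant versus a real directory account) is what decides whether the Enable button, or its PowerShell equivalent, applies. The following is an added example and not code from the original answer. It assumes the Microsoft Graph PowerShell SDK for the lookup and the legacy MSOnline module (`Connect-MsolService` / `Set-MsolUser`) for the per-user MFA switch, which is the setting behind the Enable button in the page's screenshot; the UPN is a placeholder.

```powershell
# Added example: decide whether per-user MFA can be set for a given sign-in name.
# A Microsoft account that was given access to the tenant shows up as a Guest with a
# #EXT# user principal name, and per-user MFA only applies to directory members; for
# the MSA the fix is two-step verification on the Microsoft account itself. Uses the
# Microsoft.Graph SDK for the lookup and the legacy MSOnline module for the MFA switch.

function Get-MfaTarget {
    param([Parameter(Mandatory)][string]$SignInName)

    # Try the name as a UPN first, then as the mail of an invited guest (an MSA
    # guest's UPN is the mangled #EXT# form, not the address the person types).
    $u = Get-MgUser -Filter "userPrincipalName eq '$SignInName'" -Property id,userPrincipalName,userType
    if (-not $u) { $u = Get-MgUser -Filter "mail eq '$SignInName'" -Property id,userPrincipalName,userType }
    if (-not $u) {
        return [pscustomobject]@{ User = $SignInName; Kind = 'Not in directory'; Action = 'Create a directory user first; bulk MFA CSV will reject it' }
    }

    if ($u.UserType -eq 'Guest' -or $u.UserPrincipalName -match '#EXT#') {
        return [pscustomobject]@{
            User   = $u.UserPrincipalName
            Kind   = 'External (Microsoft account or another tenant)'
            Action = 'Not manageable here; enable two-step verification on the Microsoft account, or create a member admin account'
        }
    }
    [pscustomobject]@{ User = $u.UserPrincipalName; Kind = 'Member'; Action = 'Enable per-user MFA' }
}

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Legacy MSOnline module; Connect-MsolService must have been called.
    # RelyingParty "*" applies the requirement to every application.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = "Enabled"   # user is asked to register at next sign-in; becomes Enforced once registered
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
    (Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationRequirements
}

Connect-MgGraph -Scopes "User.Read.All" -NoWelcome
Connect-MsolService

$target = Get-MfaTarget -SignInName "william@something.example"   # placeholder
$target | Format-List
if ($target.Kind -eq 'Member') { Enable-PerUserMfa -UserPrincipalName $target.User }
```

For the original poster the script would stop at the 'External' branch, which is the same conclusion the answer reaches: create a member account, make it Global Admin, and put MFA on that.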
