Access Tokens for External users in Office 365 - azure

If one of our SharePoint Online sites has been shared with an external user using his LiveID (Microsoft account, like Hotmail):
Can this external user be authenticated by our Azure AD so that he is able to call applications using OAuth? Does this user get a valid access token from our Azure AD?

Yes, guest users are able to consent to applications, granting them the same access that members have in your directory.
For more detail about guest user management and limitations, you can refer here.

Related

Fetching groups/users from Azure application

I'm developing a system where a user can give access for fetching users/groups from his/her Azure account.
I did the following:
Create B2C tenant (Initially tried B2B)
Create enterprise application
Set "AzureADandPersonalMicrosoftAccount" for "signInAudience"
Provide group.readAll, user.readAll, offline_access etc permissions
Then ask for adminconsent using
https://login.microsoftonline.com/common/adminconsent?client_id=xxxx&state=state&redirect_uri=url
After response in redirect_uri, I'm accessing "client_credentials" using client secret, which returns token.
Using that token, I'm fetching groups & users for that account using graph API.
Doc:
https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0
Everything is working fine for my account. But if I try with another personal user (whom I haven't added as a guest user in my tenant), then it returns an error:
User account is a personal Microsoft account.
Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization
Try signing out and signing back in with an organizational account.
I have tried through another account, which is also in Azure and has a few users in its account.
So Azure doesn't allow fetching users/groups from any account which has users in its Azure account?
Help me find out if I missed something.
Thanks in advance!
As mentioned in the documents for both Users and Groups, fetching the list of them is not supported for personal Microsoft accounts.
Hope this helps.

Use claims principal to access previously authenticated users in ASP.NET Core web app

I am using Azure AD to authenticate users and then use the user to access their claims, access MS Graph, and insert data into their calendar.
Now what I want is to save this user so an admin in my ASP.NET Core web app can insert data for this user that exists in the database. Is that possible?
An AAD admin can insert data into other users' calendars only when the admin has access to those users' mailboxes.
To achieve this, you need to configure the other user to grant the "Full Access" mailbox permission to the admin account, and add the delegated permission Calendars.ReadWrite.Shared to the Azure AD app.
See details from my previous answer.

Guest users to sign in to my application using Azure AD

I am not entirely sure about what guest users in Azure can do.
As I understand it, guest users gain access to my Azure portal if I allow them. But is there any possibility to authenticate guest users in my application using the ADAL library? Or is the ADAL library looking for a created Microsoft Azure user? I would like the authentication to take place in my .NET based server. I looked at this guide:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp
and it says:
"At the end of this guide, your application will be able to accept sign-ins of personal accounts (including outlook.com, live.com, and others) as well as work and school accounts from any company or organization that has integrated with Azure Active Directory."
How can I enable my guest users to access it as well?
Thanks!
How can I enable my guest users to access it as well?
The first step is to have these external users added to your Azure AD. An arbitrary user will not be able to sign in to your application.
Next, in your requests for authentication/authorization, you will need to use your tenant endpoint, i.e. yourazureadname.onmicrosoft.com, instead of the common endpoint.
In step 9 of the link you shared, you would need to change the value of the tenant configuration setting:
<add key="Tenant" value="yourazureadname.onmicrosoft.com" />
<add key="Authority" value="https://login.microsoftonline.com/{0}/v2.0" />
There are two main questions regarding the architecture of your application and your audience or users,
as described here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison
If your application is targeting people with personal emails (outlook, gmail), you should think of B2C authentication.
If you're targeting companies that have Azure AD, then you have a B2B scenario.
You can find a comparison here:
https://learn.microsoft.com/en-us/azure/active-directory/b2b/compare-with-b2c
If you are using the AAD v2 endpoint you have to use the Microsoft Authentication Library (MSAL), which is designed to work with the Azure AD v2.0 endpoint.
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries
Azure guest users are external users to your AAD subscription. Guest users from other tenants can be invited by administrators or by other users. This capability also applies to social identities such as Microsoft accounts, which can be more of a security issue or hard to manage for some organizations.
https://learn.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews
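An added example (not code from any of the answers above) for the two points made in this thread: build the tenant-specific authority the answer recommends in place of the common endpoint, and sort the caller behind an incoming v2.0 access token into member, guest or personal Microsoft account from its claims. The claim names used (tid, idp, acct) are Azure AD's documented token claims; the sample tokens are constructed here and carry no real signature.

```python
"""Added example: tenant-specific authority plus member/guest/personal-account
classification of a v2.0 access token by its claims. Sample tokens are constructed."""
import base64
import json

AUTHORITY = "https://login.microsoftonline.com/{0}/v2.0"  # same template as the config above
MULTI_TENANT_ALIASES = ("common", "organizations", "consumers")


def authority_for(tenant: str) -> str:
    """Return the authority for one tenant; refuse the aliases that admit any user."""
    if tenant.lower() in MULTI_TENANT_ALIASES:
        raise ValueError("use a tenant id or yourtenant.onmicrosoft.com, not a multi-tenant alias")
    return AUTHORITY.format(tenant)


def b64url_decode(part: str) -> bytes:
    """Base64url decode with the padding JWT segments omit."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def payload_of(token: str) -> dict:
    """Decode the JWT payload only. Signature and expiry are NOT checked here;
    a real API must validate both against the tenant's signing keys first."""
    return json.loads(b64url_decode(token.split(".")[1]))


def classify_caller(claims: dict, home_tenant: str) -> str:
    """'member', 'guest', 'personal', or 'foreign' (token issued for another tenant)."""
    if claims.get("tid") != home_tenant:
        return "foreign"                 # not issued for our tenant: reject
    idp = claims.get("idp")              # present when the user authenticated elsewhere
    if idp == "live.com":
        return "personal"                # Microsoft account invited as a guest
    if idp or claims.get("acct") == 1:   # acct is an optional claim: 1 = guest
        return "guest"
    return "member"


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned test token in JWT layout (header.payload.signature)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    home = "11111111-2222-3333-4444-555555555555"  # constructed tenant id
    print(authority_for("yourazureadname.onmicrosoft.com"))
    tok = make_sample_token({"tid": home, "idp": "live.com", "preferred_username": "x@live.com"})
    print(classify_caller(payload_of(tok), home))
```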

AAD multi-tenant app support login for all Microsoft accounts

I am trying to create a multi-tenant application in Azure AD which can log in all users, like Microsoft live/hotmail accounts, and also get the access permissions to access their management resource APIs. I can get work accounts from other domains to log in, but not live accounts. I get this error:
User account 'mitesh_***#live.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '382dfccb-33af-4567-90cd********' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I have heard of the MSAL v2 endpoint to log in both types of accounts, but I heard that this endpoint doesn't support permissions to access resource management libraries yet.
Is there any way to achieve this with ADAL or any other way?
Thanks,
Mitesh
The Azure AD v2.0 endpoint supports both personal Microsoft accounts and work accounts from Azure Active Directory. But the v2.0 endpoint issues access tokens only for:
-The app that requested the token. An app can acquire an access token for itself, if the logical app is composed of several different components or tiers.
-The Outlook Mail, Calendar, and Contacts REST APIs, all of which are located at https://outlook.office.com.
-Microsoft Graph APIs. You can learn more about Microsoft Graph and the data that is available to you.
The v2.0 endpoint doesn't support management APIs. And the Azure AD v1.0 endpoint supports work accounts, unless Microsoft accounts are added as external users in the tenant first. In my opinion, currently there is no other way or workaround to achieve your requirement.

SharePoint 365 - How to provide access to a service account?

My organisation has recently upgraded their SharePoint to 365. Previous versions of SharePoint had the facility to grant access to a service account (EMEA\xxx...), however it appears 365 can only grant access to users via an email address. Is this correct? If not, please can you let me know how I can provide access to the service account?
Thanks very much in advance for any help you can offer
Regards,
David
I think you mix up a couple of things here. Office365 distinguishes between the tenant's internal accounts and external accounts.
External accounts:
External accounts get created when one invites an external user to a shared resource. An external user can only be invited based on their e-mail address.
Read more: https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-c8a462eb-0723-4b0b-8d0a-70feafe4be85
Internal accounts: in a cloud-only out-of-the-box setup, internal accounts only live in the Azure Active Directory associated with your Office365 tenant. You can extend the setup by using a synchronized or federated setup using a Directory Synchronization tool.
Identities in Azure Active Directory are identified by either the User Principal Name (UPN) or the user's e-mail address. The classic DOMAIN\USER representation is not supported.
With both setups, accounts from your on-premise Active Directory get copied to your Azure Active Directory (AAD). In the synchronized setup the password gets (securely) copied, so that users can log in with the login and password they know from their on-premise experience.
In the federated setup a user gets redirected to an on-premise ADFS endpoint for authentication. At this endpoint one can still use the DOMAIN\USER format for authentication.
Read more:
https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
In short: you should sync your service accounts to Office365 and start using their UPN or "virtual" e-mail address. After having synced your service accounts you can then perfectly well assign global Office365 admin rights to the AAD identity, if that is what you would like to establish.