I'm using Azure's SSO service, and every time a user wants to login in to their Office 365 portal, they have to enter their whole username and their domain?
Is it possible to create a website so that Azure knows what domain we are so the users don't have to type in their domain? This is an issue for us because their actual email and Active Directory usernames are two different things.
You van specify a domain hint, which sends users to the correct azure login page: https://blogs.technet.microsoft.com/enterprisemobility/2015/02/11/using-azure-ad-to-land-users-on-their-custom-login-page-from-within-your-app/
Related
I am creating user with gmail, Facebook and any business account with azure ad. It will not create a new account with this domain. It uses a its custom domain for create account that we created in azure costum domain .
The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.
My login feature is independent of domain, so how can this be resolved?
The domain portion of the userPrincipalName property is invalid. You
must use one of the verified domain names in your organization.
You might get this type of error when you added your custom domain in Azure AD tenant, but you haven’t verified that domain yet. Would suggest you to please verified that custom domain in Azure AD by adding TXT records of your domain.
Please refer this Microsoft Document to know how to verified domain.
Coming to your next problem you can add your Gmail or Facebook users in Azure AD by sending them Invitation as well as a guest user.
I've got an MVC 5 app that first logs in business users with their SQL Standard credentials, and then redirects them to the Azure AD login page. (We can't use any sort of SSO solution. The tool that the app exposes makes extensive use of SQL logins. We need the Azure AD to do MFA with the Microsoft Authenticator app. This isn't a publicly available application, it's for known vetted users only).
What I'd really like to do is populate the email address field on that login page with the email address we've got stored for the user in our database. I've looked around quite a bit and this doesn't seem easily possible. Any ideas? What am I missing?
In the sign in request, you can append &login_hint=username#company.com
The documentation for this is here: (CTRL+F login_hint) https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-the-sign-in-request
I have a web app that is using an Azure AD to hold user accounts and allow authentication. The app has some internal users that are able to authenticate, but I also want to allow external users into the app (customers external to the company).
I am able to do this, but only by creating users that have "#mydomain.onmicrosoft.com" in the username. That is fine I guess.. but can I at configure the sign-on page somehow to not require the username to type this in??
Ex: if a username is "joe.bob#mydomain.onmicrosoft.com" I want them to be able to login with a username of "joe.bob" and that's it!
Full disclosure there is another question like this: Logging into Azure Active Directory without a Domain Name and I've posted a comment asking if anything has change since the question was active (2014). So if this is a duplicate question, then so be it, but I am wanting to know if there are any new developments (pun intended) regarding this.
Based on the description, you want to collaborate to work with external users. However you were create a account in the tenant directly. There are some difference between the Azure AD user and external user, more detail refer this link.
And AFAIK, Azure Active Directory still doesn't support to login with the username without domain name at present.
However the Azure AD B2C also provides the feature to work with external users and it allows Local Accounts login-in with (email address and password, or username and password).(refer here). You may consider to use Azure AD B2C if you want to login without the domain name.
And below link also helpful about to learn the difference between B2B collaboration and B2C:
Compare B2B collaboration and B2C in Azure Active Directory
In-addition, if you have any idea or feedback about Azure AD, you can submit them from here.
I've developed a feature on my web-site that allow to log-in using Azure.
So users in my web-site can sign-in using:
Azure (OAuth2). We're using a multi-tenant app. We're just using the application to log in users. So we don't really use the Access-Token to make requests. We just use the access-token to obtain the user email (decoding it with JWT).
Their own email-password they can set on my site.
This creates a problem:
Imagine an person that starts working in a company. The IT team give him an email that belongs to their azure account (with their account domain). This team also have an account on my site (configured with the same domains they use on Azure). So this user will try to log in my site using his credentials. We'll create his profile on their company account (due to the email domain). He sets his password. Sometimes he use Azure to log-in and sometimes he use his email-password to log-in.
The next month and, this person get fired. The IT team delete him from Azure. Although, the IT team forget about deleting him also on my site. So this user has permissions to sign-in with his email-password credentials and still be able to see private information (he can even delete private files).
I would like to know if there is a way to sync my app with every Directory that is using it. So I would be able to receive user action notifications (like user deletions). It would be great to receive a call to an endpoint with information about users important actions. This way we'll be able to delete the user also from our platform. So the company can forget about deleting an user on my site without having the stolen-information problem.
PS: I've seen you have a logout sync using SAML, but I wonder if we would be able to receive other kind of notifications, because we don't want to log-out the user when this logs-out from Azure.
If you have permission from the ex-user tenant administrator to access their directory, you can check if the user is listed or not by using Microsoft Graph API
I've been talking with microsoft support and there is no way of having microsoft calling our endpoint to receive some notifications.
So the only solution is ask for admin permission or, having the refresh_token from Oauth2, check the user still appears on Graph (https://graph.microsoft.com/v1.0/me).
I want to set up a website on Azure according to the following requirements and are wondering if it is even possible?
As a internal team member, I must be able to login to the site with Windows Authentication
As a external customer, I must be able to login to the site with user name and password
As a external customer, I must not be able to access a subset of the site
As a unauthorized user, I must not be able to access anything on the site
I guess I have to set up a VPN connection between Azure and the Active Directory in my company. How do I do that?
Is it at all possible to meet my requirements?
Background Information
We are a small project with about 10 team members.
We have four large customers who need access to the site, and there are a few people in each customer who needs to have access to the site.
Customers will just have read only access to static, non-sensitive information.
The team members will have write access, and will also handle some sensitive information.
** Edit **
I have now managed to create efficient synchronization of our projects local AD to Azure, thanks user18044. Unfortunately, the accounts for the team members is located in the company's AD (corp.mycompany.com), and out AD has one-way trust with it.
We have groups in the project-AD pointing to our accounts in the company's AD, but the members in the groups is not synchronizing over to Azure.
Can this be solved?
Yes, I think what you are describing is doable.
Your first two bullet points are about authentication. As Azure Active Directory does not directly support Windows Authentication, federation is the way to go here.
When you as an internal team member log on, you land on what is called a home-realm discovery page, where you pick the realm you want to authenticate in. Picking the realm of your company, you get redirected to the STS (for example ADFS) your company has set up to authenticate you. If you are in the same Windows Active Directory network as the STS is authenticating against, you should be able to use Kerberos to be issued a token.
An external customer would be redirected to another STS that would use forms authentication against a credential store to issue security tokens.
Both security tokens are then posted back to Azure Active Directory which is configured to trust both STS's and issues a token of its own. See here for an example.
As for the second two bullets, the authorization part you can do based on roles you assign to your users. Depending on which STS authenticated your user, you assign them a certain role. Based on that role you can give access to certain parts of your website or not. How to implement this depends on what stack you are using for your web application, but a Google search should give you some leads.