I'm seeking a method of automatically provisioning an ‘active’ Yammer user account for a new O365 user account (and existing ones, as a once off), without requiring the user to ‘click the Yammer tile’ or otherwise login to Yammer.
The default process (as articulated in this post) is:
1. The Office 365 admin creates a user in Office 365 (or Azure AD).
2. The user logs on to Office 365 using the identity provider that is configured for the tenant.
3. The user clicks the Yammer tile in the app launcher to go to Yammer.
4. A new Yammer user is created for the Office 365 user.
5. The user's profile properties from Azure Active Directory are automatically populated in the user's Yammer profile.
We're building an employee app, which currently displays company news. We wish to add social functionality, leveraging the Yammer platform, via the REST API. We have developed a solution to impersonate existing users and like/comment on their behalf.
However, most employees are ‘unsophisticated’ blue-collar workers, and it is anticipated that they will not complete steps 2, 3 & 4 above to ‘create/activate’ their Yammer user account (the activation steps).
Methods considered or explored so far:
1. Using the REST API to create a new user: this creates a user in the ‘pending’ state, which remains pending until the activation steps are completed.
2. Using the Bulk Update Users feature to create new users from a CSV:
a) If a password is set, then a new ‘active’ user is successfully created (great!). However, that user account appears to be entirely disconnected from the corresponding O365 user account (meaning changes to user profile properties will not sync to/from Azure AD, passwords may be different, and users who are deleted/suspended in AAD will not sync to Yammer). These accounts are only linked if/when the activation steps are completed.
b) If a password is not set, then the new user is created in a ‘pending’ state, much the same as using the REST API.
Questions:
Is there any other way to create an 'active' user in Yammer, which is linked to the user’s O365 account?
Could a provider hosted app be used to impersonate a user and complete the activation steps on their behalf?
Not that it solves the problem, but does the REST API allow you to update a user’s state from 'pending' to 'active' (or create an 'active' user in the first place)?
Your steps about the default process are pretty accurate, but I would add that once a user is created in AD, users can simply go to Yammer.com (either on web or on iPhone/Android) and sign in through there. iPhone and Android use an Azure Authentication library that will find the user's Office account.
Is there any other way to create an 'active' user in Yammer, which is linked to the user’s O365 account?
There isn't at this time.
Could a provider hosted app be used to impersonate a user and complete the activation steps on their behalf?
This isn't supported at this time.
Not that it solves the problem, but does the REST API allow you to update a user’s state from 'pending' to 'active' (or create an 'active' user in the first place)?
There is not an API for this.
My requirements are to find all the users not logged in via Azure AD in the last 45 days and the last 90 days and take action. That is,
A daily nightly job to run on Azure AD and, if it finds users not logged in for the last 45 days, automatically disable the users.
A daily nightly job to run on Azure AD and, if it finds users not logged in for the last 90 days or previously inactive users, delete the users.
This link looks similar, where it goes via a review process. However, my requirements are a bit simpler.
Thanks.
There are several options for identifying and removing stale/inactive users:
The access review feature you linked for identifying and removing inactive users is the most seamless, built-in way to achieve this at the moment. You can specify the "days inactive" and then remove the accounts either after the review period passes or after no reviewer has responded. To create access reviews and identify inactive users, you do need to have a Premium P2 license.
Alternatively though, you could use an Azure Automation account or Azure Logic App to achieve the same thing. For instance, you could create an Azure Automation PowerShell runbook with a daily schedule that checks the Azure AD sign-in logs and deletes the accounts based on the condition of whether they have recently signed in (i.e. where max_TimeGenerated <= ago(45d)). There is an example blog post here that implements this logic. Note that to update the accountEnabled property of admin users, you need to use delegate permissions which need to run in the context of a user.
Another option is to query based on the lastSignInDateTime property.
The documentation for How To Manage Inactive Users has an example of how to query users who haven't signed in after a certain date using Microsoft Graph API.
Example:
https://graph.microsoft.com/beta/users?$filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z
To test the call, you can sign in to Graph Explorer using the Global Administrator account of your tenant and execute the GET call.
Permissions Required:
Directory.AccessAsUser.All
Directory.Read.All
The SignInActivity property/endpoint is documented in detail here: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-3--list-users-including-their-last-sign-in-time
If you don't want the full list of users, you can also search for a specific user by name and evaluate the lastSignInDateTime:
https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'marileet')&$select=displayName,signInActivity
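The following is an added example (not code from the original question or answers) showing the nightly sweep the question asks for, driven by the signInActivity/lastSignInDateTime property the answer describes: users are classified locally as active, to be disabled (45 days) or to be deleted (90 days), and the Graph calls are isolated behind small functions that default to a dry run. The sample users and the fixed "now" are constructed; the bearer token, and the permissions it carries, are assumed to come from the caller.

```python
"""Nightly inactive-user sweep over Microsoft Graph signInActivity data.

Added example, not from the original answer. Assumes the beta
signInActivity/lastSignInDateTime property, a caller-supplied bearer token
with the permissions the answer lists, and constructed sample users.
"""
from datetime import datetime, timezone
import json
import urllib.request

DISABLE_AFTER_DAYS = 45
DELETE_AFTER_DAYS = 90
GRAPH = "https://graph.microsoft.com/beta"

# Constructed sample of what GET /beta/users?$select=... returns (not real accounts).
SAMPLE_NOW = datetime(2019, 10, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "createdDateTime": "2019-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2019-08-20T00:00:00Z"}},  # 42 days
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "createdDateTime": "2019-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2019-07-01T00:00:00Z"}},  # 92 days
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": True,
     "createdDateTime": "2019-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2019-08-10T00:00:00Z"}},  # 52 days
    {"id": "u4", "userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "createdDateTime": "2019-09-20T00:00:00Z"},  # never signed in, created 11 days ago
    {"id": "u5", "userPrincipalName": "erin@contoso.example", "accountEnabled": True,
     "createdDateTime": "2019-05-01T00:00:00Z"},  # never signed in, created 153 days ago
    {"id": "u6", "userPrincipalName": "frank@contoso.example", "accountEnabled": False,
     "createdDateTime": "2019-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2019-08-01T00:00:00Z"}},  # already disabled
]


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC timestamps ending in 'Z', sometimes with fractions."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def days_inactive(user, now):
    """Days since the last sign-in. Users without signInActivity (never signed in)
    fall back to createdDateTime so a brand-new account is not deleted on day one."""
    activity = user.get("signInActivity") or {}
    stamp = activity.get("lastSignInDateTime") or user.get("createdDateTime")
    if stamp is None:
        return None
    return (now - parse_graph_time(stamp)).days


def classify(user, now):
    """Return 'active', 'disable', 'delete' or 'skip' for one user object."""
    days = days_inactive(user, now)
    if days is None:
        return "skip"  # nothing to reason about; leave it for a human
    if days >= DELETE_AFTER_DAYS:
        return "delete"
    if days >= DISABLE_AFTER_DAYS:
        # Already-disabled accounts below the delete threshold need no action yet.
        return "disable" if user.get("accountEnabled", True) else "skip"
    return "active"


def plan_actions(users, now=None):
    now = now or datetime.now(timezone.utc)
    plan = {"active": [], "disable": [], "delete": [], "skip": []}
    for user in users:
        plan[classify(user, now)].append(user["userPrincipalName"])
    return plan


def graph_request(token, url, method="GET", body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def fetch_users(token):
    """Page through /beta/users, following @odata.nextLink until exhausted."""
    url = (f"{GRAPH}/users?$select=id,userPrincipalName,accountEnabled,"
           "createdDateTime,signInActivity")
    users = []
    while url:
        page = graph_request(token, url)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


def apply_action(token, user, action, dry_run=True):
    """Disable = PATCH accountEnabled:false; delete = DELETE. Dry run by default."""
    url = f"{GRAPH}/users/{user['id']}"
    if action == "disable":
        method, body = "PATCH", {"accountEnabled": False}
    elif action == "delete":
        method, body = "DELETE", None
    else:
        return None
    if dry_run:
        return f"{method} {url}"
    return graph_request(token, url, method, body)


def demo_plan():
    """Classify the constructed sample as of the constructed SAMPLE_NOW."""
    return plan_actions(SAMPLE_USERS, SAMPLE_NOW)


if __name__ == "__main__":
    for action, names in demo_plan().items():
        print(action, names)
```

The classification runs over the full user list rather than a $filter on signInActivity, so the never-signed-in case (no signInActivity at all, which a date filter silently drops) is handled explicitly via createdDateTime; flip dry_run to False only after reviewing the printed plan.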
I have a to-do app, where users can log in, I assign certain tickets to them, they can see only the tickets assigned to them, and they can mark them as done (this is a simplified version of a real app with about 300 users).
My current authentication set-up is a simple email/hashed password saved on the database. I have a list of users, in my tickets table I have assigned_to_id where I save user_id.
Now, if I want to migrate to Azure AD B2C (I can't use basic Azure AD Connect because my users are using their personal email; if I understand correctly, I need to use Azure AD B2C), how will I know the id of the user to which I should assign a ticket? How do I know which tickets I should show to the authenticated user?
I find it a bit confusing when I don't get to manage this on my own db.
Do I need to change the assigned_to_email and compare the assigned email and authenticated email? When there is a new user, do I have to create it on Azure and on my db?
I am new to powerapps, and I need to create an app with AzureAD authentication. But I am confused by this authentication. Do I understand correctly that I don't have to implement user sign-up and login screens, because every user which will be added to AzureAD would be able to login to microsoft account and will have an access to my powerapp?
So, I don't have to write any code for user signup/login/forgot password?
But in the Internet I saw that some people use AzureAD.getUser() and Office365.User. When do I need it?
PowerApps is for building enterprise apps for your organization's staff. The app has to be developed, published and shared with AD users, and users can sign in using Active Directory single sign-on.
You can invite/share with AD individuals, security groups or O365 groups, but not distribution groups. You can share the app with all users by sharing with “Everyone”.
Even PowerApps can be shared with external users (guests) but they must be guest users of an Azure Active Directory tenant.
How to share a PowerApp?
Yes, no signup or login other than Microsoft AD login/challenge screen.
Those snippets will be used to get the currently logged-in user's details.
Everything #ArunVinoth said and to add a little more info about:
But in the Internet I saw that some people use AzureAD.getUser() and Office365.User. When do I need it?:
These are PowerApps connectors (API wrappers) that allow you to surface AD/O365 data within the app for your users.
Example:
You may have a way for users to look up contact information for people within the org.
You would add the Office365Users connector to your application,
then execute the .SearchUser method from that connector to display contact info based on user input.
These connectors are not for authenticating to the app, but rather providing lookup capabilities for your users. Or automating these lookups for your app logic.
I am using Azure Graph API Explorer. I want to query the apps list in a tenant. I am a user in tenant_x (where my user was originally created) as well as an admin in tenant_y (created later with my user). I understand that when I log in I go directly to the origin tenant (so tenant_x), therefore Graph Explorer does not allow me to query tenant_y. So as admin of tenant_y I have added a new user in tenant_y. I log in now with that user but still I am not able to query the applications that are in tenant_y. So how can I query apps in tenant_y? Is there a way? Thanks.
The API I am calling (with new user log-in) to first retrieve all applications:
https://graph.microsoft.com/beta/applications
Response is:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
Of course I have apps in that tenant.
Based on our communication, you have used a personal account as guest of tenant_y to query the apps list in tenant_y.
Unfortunately, Microsoft Graph Explorer will not recognize your personal account as a guest user. It will still treat it as a personal account.
So it will query the apps list for the personal account rather than tenant_y.
So now you have two choices:
1. Create a new user in tenant_y by following add a new user and then use this new user to log into Microsoft Graph Explorer to query the apps list.
2. Implement Get access on behalf of a user and make sure that you call the {your tenant} endpoint rather than the common endpoint while requesting the access token. And you should use another tool (for example Postman) instead of Microsoft Graph Explorer.
Update:
You can modify the permissions in Microsoft Graph Explorer like this:
Click on the "modify permissions" under your username in Microsoft Graph Explorer and check the Directory.Read.All permission.
Today that's possible if you pass the tenant query string parameter like this:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com
Note that you need to logout before going to this URL with the tenant query string. It'll ask you to login again. After login you can issue queries against the other tenant you have access to (not your home tenant where your account was originally created on).
If you get a 401 while running the specific query, make sure you grant the required permissions on "Modify permissions" tab and click the Consent button in each required permission. After that your query should return a 200 success result.
Graph Explorer today does not support signing in to the tenanted endpoint. A tenanted endpoint is used in the following format
https://login.microsoftonline.com/{tenantId}/V2.0
Once your user account from tenant_x is made a guest user in tenant_y, to effectively query tenant_y using your guest user account, an app (like Graph explorer) has to sign you in the other tenant. Instead Graph Explorer uses the /Common endpoint, which will always sign you in your home tenant (tenant_x).
The only available workaround is to develop an application quickly, sign in to a tenant of your choice and run APIs in it.
Graph Explorer is a tool to help developers discover and learn about the Graph API and thus might shy away from introducing too much complexity. But it does not hurt to ask for this feature at their GitHub repo.
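Both answers above come down to the same point: request the token from the tenant-specific endpoint instead of /common, then confirm which tenant actually issued it. As an added example (not code from the original answers or from Graph Explorer), the block below builds the tenant-scoped v2.0 authorize and token URLs for your own app and decodes the tid claim of a token so you can see whether you landed in tenant_y or were bounced to your home tenant_x. The tenant ids are constructed placeholders and the sample token is unsigned and constructed; the endpoint paths are the standard Microsoft identity platform v2.0 ones.

```python
"""Tenant-scoped sign-in URLs and a 'which tenant issued this token?' check.

Added example, not from the original answers. Assumes the Microsoft identity
platform v2.0 endpoint layout and the standard tid claim; the tenant ids and
the token below are constructed placeholders.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN = "https://login.microsoftonline.com"
TENANT_X = "11111111-1111-1111-1111-111111111111"  # constructed: home tenant
TENANT_Y = "22222222-2222-2222-2222-222222222222"  # constructed: guest tenant

# Multi-tenant aliases; none of them pins a tenant, so a guest gets their home tenant.
_MULTI_TENANT_ALIASES = ("common", "organizations", "consumers")


def authorize_url(tenant, client_id, redirect_uri, scopes):
    """Authorization-code request scoped to a tenant id or verified domain."""
    if tenant.lower() in _MULTI_TENANT_ALIASES:
        raise ValueError("use the tenant id or domain, not a multi-tenant alias")
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(scopes)}
    return f"{LOGIN}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_url(tenant):
    """Token endpoint for the same tenant; use this, not /common, to redeem the code."""
    if tenant.lower() in _MULTI_TENANT_ALIASES:
        raise ValueError("use the tenant id or domain, not a multi-tenant alias")
    return f"{LOGIN}/{tenant}/oauth2/v2.0/token"


def authorize_params(url):
    """Query parameters of an authorize URL, for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode the payload only. This is NOT signature validation: use it to inspect
    a token you obtained yourself, never to trust a token presented by a client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def issued_for_tenant(token, expected_tenant_id):
    """True when the token's tid claim is the tenant you meant to sign in to."""
    return jwt_claims(token).get("tid") == expected_tenant_id


def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo (the signature is bogus)."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}.constructed-no-signature"


def demo():
    """What /common hands a guest (home tid) versus a tenant-scoped sign-in."""
    home_token = make_sample_token({"tid": TENANT_X, "iss": f"{LOGIN}/{TENANT_X}/v2.0"})
    tenant_token = make_sample_token({"tid": TENANT_Y, "iss": f"{LOGIN}/{TENANT_Y}/v2.0"})
    return issued_for_tenant(home_token, TENANT_Y), issued_for_tenant(tenant_token, TENANT_Y)


if __name__ == "__main__":
    print(authorize_url(TENANT_Y, "your-app-id", "https://localhost/callback",
                        ["https://graph.microsoft.com/Directory.Read.All"]))
    print(demo())
```

If issued_for_tenant returns False for the tenant you wanted, the sign-in went through a multi-tenant alias and the /beta/applications call will list your home tenant's apps (or an empty list), which is the symptom described in the question.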
Our company has a Microsoft Azure account (Pay-As-You-Go).
We had a programmer that developed our web app. We gave him full access to our Azure account. So, he had access to everything.
We intend to hire another developer to make modifications to the web app, so he'll need access to the App Services and SQL Databases. Our intention is to just allow him access to those features.
We did our research and came across the documentation, Resources, roles, and access control in Application Insights. We followed it step by step, but there's an issue. Doc LINK
We tested the procedure by adding one of our IT staff's Microsoft account (personal Outlook.com account) and assigning him the Contributor role, and sent him an invite. He's not seeing the invite. We did the same for another staff, but it's the same problem.
Can we get some assistance please?
It was not working earlier. I tried with one Gmail ID. Now it is working perfectly fine and I am able to receive the invitation email.
To send an invitation, you need to go to Active Directory. Add the user's email as a guest under the add user option (Add guest user).