My organisation has recently upgraded its SharePoint to 365. Previous versions of SharePoint had the facility to grant access to a service account (EMEA\xxx...), however it appears 365 can only grant access to users via an email address. Is this correct? If not, please can you let me know how I can provide access to the service account?
Thanks very much in advance for any help you can offer.
Regards,
David
I think you are mixing up a couple of things here. Office 365 distinguishes between the tenant's internal accounts and external accounts.
External accounts:
External accounts get created when one invites an external user to a shared resource. An external user can only be invited based on their e-mail address.
Read more: https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-c8a462eb-0723-4b0b-8d0a-70feafe4be85
Internal accounts: in a cloud-only out-of-the-box setup, internal accounts only live in the Azure Active Directory associated with your Office 365 tenant. You can extend the setup to a synchronized or federated setup using a directory synchronization tool.
Identities in Azure Active Directory are identified by either the User Principal Name (UPN) or the user's e-mail address. The classic DOMAIN\USER representation is not supported.
With both setups, accounts from your on-premise Active Directory get copied to your Azure Active Directory (AAD). In the synchronized setup the password gets (securely) copied, so that users can log in with the login and password they know from their on-premise experience.
In the federated setup a user gets redirected to an on-premise ADFS end-point for authentication. At this end-point one can still use the DOMAIN\USER format for authentication.
Read more:
https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
In short: you should sync your service accounts to Office 365 and start using their UPN or "virtual" e-mail address. After having synced your service accounts you can then assign global Office 365 admin rights to the AAD identity, if that is what you would like to get established.
Related
I have created a web app on Azure and have set the authentication mode to:
"Accounts in any organizational directory (Any Azure AD directory -
Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use
your application or API. This includes Office 365 subscribers."
It works perfectly for me and my colleagues, and it also works for personal Microsoft accounts.
I am now trying to log in users from a different Azure AD, but these cannot log in. Here is the login log of an attempt, taken from their AD. A similar message was displayed to the user on screen:
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
The sole purpose of the web app is to get an Azure/MS verified email address of the user and perform a lookup in a user database.
Preferably this should be achieved without needing the "other Azure AD" admins to do anything on their end. But if need be this can be asked. I just don't know what to ask.
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
This error can occur for many reasons. Please check whether the cases below are helpful:
Case 1:
Please check if your sign-in URL is something like this:
https://login.microsoftonline.com/<tenant_id>/
If it is like that, you may get this error because you selected the option "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)" and users from other organizations can't access the application.
To resolve that error, try to change the sign-in URL to
https://login.microsoftonline.com/common
Apply this URL value in the Authority setting in your application code.
For details on how to do that, go through this link.
Case 2:
There is also the possibility that the user already has an active session signed in with a different personal account other than a Microsoft one. To confirm this scenario, check the User Account and Identity Provider values in the error message.
To resolve that error, inform the user to sign out from their active session and sign in again from a different browser or a private browser session. Otherwise ask them to clear the cookies and cache and sign in afresh.
If the error still isn't resolved, please go through the reference below.
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory | Microsoft Docs
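Added example (not code from the question or the answer above): `build_authority` maps the app-registration "supported account types" choice to the sign-in authority discussed in Case 1, and `tenant_allowed` shows the check an app still has to do itself once it moves to /common, because that endpoint no longer restricts which home tenant a user comes from. Both function names are hypothetical; the claims are assumed to be from a v2.0 token whose signature and audience were already verified by the app's JWT library.

```python
"""Choose the Azure AD sign-in authority for an app registration and validate
the home tenant of a v2.0 token obtained through the /common endpoint."""
from typing import Optional, Set

LOGIN_HOST = "https://login.microsoftonline.com"
# Well-known tenant id that personal Microsoft accounts carry in `tid`.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def build_authority(account_types: str, tenant_id: Optional[str] = None) -> str:
    """Map the 'supported account types' choice to an authority URL.
    A tenant-specific authority (Case 1 above) only lets that tenant's users
    in, whatever the app registration says."""
    if account_types == "single":
        if not tenant_id:
            raise ValueError("single-tenant authority needs a tenant id")
        return f"{LOGIN_HOST}/{tenant_id}"
    if account_types == "multitenant":        # any work or school account
        return f"{LOGIN_HOST}/organizations"
    if account_types == "multitenant+msa":    # work/school plus personal accounts
        return f"{LOGIN_HOST}/common"
    raise ValueError(f"unknown account type selection: {account_types!r}")


def tenant_allowed(claims: dict, allowed_tenants: Optional[Set[str]],
                   allow_personal: bool) -> bool:
    """/common makes the login endpoint accept any tenant, so the app itself
    decides which home tenants may use it. `claims` are assumed to come from a
    JWT whose signature and audience were already verified.
    allowed_tenants=None means any Azure AD tenant is accepted (true multi-tenant)."""
    tid = claims.get("tid")
    if not tid:
        return False
    # A v2.0 token's issuer names the user's home tenant; it must agree with `tid`.
    if claims.get("iss") != f"{LOGIN_HOST}/{tid}/v2.0":
        return False
    if tid == MSA_TENANT_ID:
        return allow_personal
    return allowed_tenants is None or tid in allowed_tenants
```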
When I try to verify my domain on Azure AD (after creating the TXT record at my DNS provider) I get the following message (in red at the bottom of the image):
This may have been done in error by Azure when I tried to make use of the early access feature of EOTP (Email one-time passcode); other than that I don't see how my domain could have gotten into a different tenant I never had anything to do with.
I obviously don't have access to cqearlyaccess.onmicrosoft.com and so I am stuck!
Ideas?
You can take over an unmanaged directory as an administrator in Azure Active Directory, remove your domain, and then add it to your Azure AD tenant.
For internal admin takeover:
1. Create a Power BI user account that uses the domain name for the organization.
2. Verify the confirmation mail from Power BI.
3. Sign in to the Microsoft 365 Admin Center with the Power BI user account.
4. You will receive a message that instructs you to Become the Admin of the domain name that was already verified in the unmanaged organization. Select Yes, I want to be the admin.
5. Add the TXT record to prove that you own the domain name at your domain name registrar.
6. After verification is completed, you will be the global administrator of the organization in Microsoft 365.
7. You can now remove your domain from Microsoft 365 and add it to your Azure AD tenant.
Reference: Admin takeover of an unmanaged directory - Azure AD | Microsoft Docs
I've got an application hosted by a 3rd party, and the goal is to grant access to this app from sources other than our Azure tenant. I added my personal account into Azure AD for a test and the MS login works fine, but the application shows an authentication issue. In a discussion with the vendor we figured out that the name (myprivateaccount#mydomain.ie) is different from the nameid matched in Azure (myprivateaccount_mydomain.ie#myazuretennant.onmicrosoft.com).
Is there any easy way to fix it on the Azure side? One which works even if the user name or the user's domain has _ in the name/domain as well?
Regards,
Tamas
If you add your personal account into Azure AD, this account will be recognized as a guest user (external user). This personal account will be able to log in to your application under your tenant.
And, as #juunas said, you shouldn't use the user principal name for authorization.
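Added example (not code from the question or the answer): it shows why the guest UPN the vendor matched on is not a usable lookup key, and what to store instead. `candidates_from_guest_upn` reverses the guest UPN into the original address and returns every possible split, which is exactly the ambiguity the question raises about underscores; `user_key` builds the stable (tid, oid) key the answer's advice points to. Function and class names are hypothetical, and the guest UPN is assumed to use the `#EXT#@` form Azure AD generates for invited accounts.

```python
"""Why a guest's UPN is a poor lookup key: the value Azure AD shows for an
invited external account is derived from the e-mail, and the derivation is
lossy. Store (tid, oid) from the token instead."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class UserKey:
    tenant_id: str   # `tid` claim: the tenant the user signed in to
    object_id: str   # `oid` claim: immutable id of the user object in that tenant


def user_key(claims: dict) -> UserKey:
    """Authorization key for a signed-in user. `upn`, `preferred_username` and
    `email` are mutable display values (and are rewritten for guests), so they
    are deliberately not used here."""
    try:
        return UserKey(claims["tid"], claims["oid"])
    except KeyError as exc:
        raise ValueError(f"token lacks required claim {exc}") from exc


def candidates_from_guest_upn(upn: str) -> List[str]:
    """Attempt the reverse mapping from a guest UPN to the original address.
    Azure AD builds the guest UPN as local_domain#EXT#@tenant.onmicrosoft.com,
    replacing the '@' with '_'. Every '_' in the prefix is therefore a possible
    split point, so the result is ambiguous whenever the name or the domain
    itself contains an underscore (the case the question asks about)."""
    prefix, marker, _tenant = upn.partition("#EXT#@")
    if not marker or not prefix:
        return []            # not a guest UPN at all
    return [f"{prefix[:i]}@{prefix[i + 1:]}"
            for i, ch in enumerate(prefix) if ch == "_"]
```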
I have an Azure Active Directory "ddddd" (hosted at xxxxx.onmicrosoft.com) with a Guest User that has ALREADY responded to an invitation. But he responded with his Microsoft personal account instead of his work account (both have the same email address). In the user profile, I see the source is currently "Microsoft Account".
This Active Directory "ddddd" is linked to Azure DevOps (Team Services) organization "ttttt" (i.e. the Directory setting of the "ttttt" DevOps organization is connected to my Active Directory "ddddd"). This user is already set up in "ttttt" and linked properly.
How do I re-invite or directly update the user profile so the Source is tied to "External Azure Active Directory" linked to his workplace (which is an on-prem Active Directory linked through ADFS to Office 365 via yyyyy.onmicrosoft.com)?
One idea that occurs to me is to delete the user and re-create him in Azure AD "ddddd" (at xxxxx.onmicrosoft.com), re-invite him and ask him to accept the invitation using his work address (via ADFS to yyyyy.onmicrosoft.com).
So my second question is: will recreating the user affect the user in my Azure DevOps "ttttt"? The email address of his work and personal Microsoft account is the same.
At this point, Azure AD doesn't support changing the authentication type of an external (guest or member) user, so if the user is authenticating with MSA and you'd prefer they use their Azure AD credentials, you'll have to delete their existing guest account and re-invite them with instructions that they should use their Azure AD credentials to accept.
As for the Azure DevOps tenant, I'm less familiar with that setup, but if those are really separate tenants, doing this operation in ddddd shouldn't affect ttttt.
Suppose one of our SharePoint Online sites has been shared with an external user using his LiveID (Microsoft Account, like Hotmail).
Can this external user be authenticated by our Azure AD so that he is able to call applications using OAuth? Does this user get a valid access token from our Azure AD?
Yes, guest users are able to consent to applications, granting them the same access that members have in your directory.
For more detail about guest user management and limitations you can refer here.