SharePoint does integrate active directory accounts, of course, but how about security groups? Have a few sites where I'm fairly confident access is going through an existing Active Directory (AD) security groups (i.e. only an AD security group has been granted permissions through the 'People and Groups') In another situation, where I created the AD group and granted it permissions to a site, the customers were not able to access immediately. Eventually had to fast-track it and add the individuals to the People and Groups to keep the project going, but hoping not to have to maintain it that way.
Any specific requirements of the security group in AD? Universal, Global, or domain local? Is there any time delay between modifying group members in AD and having that take effect in SharePoint?
Any AD group type is usable by SharePoint so long as that group is usable by the server SharePoint is running on. Said another way, if you were using the OS level tools on the server and the OS recognizes your group, then you can use it in SharePoint.
As for when group memberships changes become effective, it has always been near real time for me but I can't say that I can speak to all possible AD topology deployments.
Related
I have this dilemma where i need to grant a non-admin domain user permissions to start/stop multiple services that start with a specific ID. Originally I could have used service control or mmc to create a template to give one user non-admin rights to start/stop a service and it works just fine but they have many different services that they need access to. Many of the services start with two letter ex. MX-service-name. I was thinking maybe i can create a group and give it permissions to start/stop services, but there are multiple services and this also needs to be done on multiple servers as well. Is there a way i can create a security template that applies my security group to any service that specifically starts with MX. Maybe there is a way to make each server apply a security rule to a a group that enables the users in said group to have non-admin privs to the services they need. Sorry if its confusing :)
After delete Azure Active directory user and resync. I lost access to multyple places, company environment in AzureDevOps
If you mean you can not access some resources in Azure DevOps, you need to check the access level and permission of your account and the group you belong to.
First, check the access level of your account or group. If you have Stakeholder access level, change to Basic level:
The Basic access level and higher supports full access to all
Azure Boards features. Stakeholder access level provides partial
support to select features, allowing users to view and modify work
items, but not use all features. Stakeholder access is available
to support free access to a limited set of features by an unlimited
set of stakeholders.
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions-access?view=azure-devops
If the access level is already Basic level, check the permission of your account or group. You need to check the following link to grant your account or group appropriate permission for the resources:
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&tabs=preview-page
I need to build a solution that utilizes Azure B2B Collaboration to on-board customers from different organizations to use my system.
Each customer may have 100's or 1000's of users, where some may have Azure AD and other don't.
The application will have different user roles/groups structure that controls access to my API's.
What is the best way to design this and can you provide references?
Option 1: Create a separate Azure AD for each customer
Each customer will have their own Azure AD and I can use Azure Groups to control access.
What is the limit of Azure AD's per subscription? (can't find a
definitive answer in MS docs) https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-service-limits-restrictions
Is this a good "Azure" practice? can you provide references?
Any info about structuring/organizing this for easy maintinance.
Any complications that I need to be aware of?
Option 2: Create a single Azure AD for all customers/users
All users for all customers will be added to a single Azure AD and for users segregation, each customer's users belong to a separate Azure Security Group.
In this scenario, I will probably need to maintain each customer groups in a local database since they may have different groups.
Any concerns from having all customer's users in the same directory?
Options 3:???
In my opinion single tenant is better. Creating a tenant for each customer makes management much harder (also login becomes harder to implement). Limit of Azure AD per subscription probably does not exist since directories are above subscriptions in the hierarchy. Yes, you can setup a group for each customer and keep the id of the group in your database.
The users will be added as Guests to your directory, make sure that the setting Guest user permissions are limited is enabled in the external collaboration settings.
That will make it so that they cannot access the user or group list at all in your tenant.
My organization has On Premises Active Directory and many AD Security groups and also has Azure presence (AD Sync up). Is it possible for me to write a code and run in Azure that can check if a specific user/logged in user is part of AD Security Group (On Prem)?
Thanks
It can be achieved by setting up Azure AD connect service. Once this is successfully done the synchronization component makes sure that the identity information for your on-premises users and groups is matching the cloud.
Once the sync is done you can query and get the user information one of which is the user's group information.
https://azure.microsoft.com/en-in/documentation/articles/active-directory-aadconnect/
I have a business requirement where Azure Subscription owner will Provision User Groups like Infrastructure Admin, Billing Admin, Enterprise Users. Ifra Admin people should login to this Portal & can only see options related to Infra provisioning. Billing Admin people should have access to Azure usage Enterprise wide - And they should be able to generate bills for respective teams(which are part of the organization). Enterprise Users are those who want to procure azure storage, VMs etc. and they want estimate cost for required infra.
I am looking out for a solution/approach for this requirement. If Azure Portal is already providing this feature then please provide me reference material. If i should build new custom Web application which internally use Azure APIs then let me know about that option as well.
If there are any products which already doing this even am open for that.
Deeply appreciating your help. Thanks a lot :)
Vishal.
Let me answer by breaking your question in 2 parts:
Managing Users - This is something you can do today in Azure. Some time ago, Azure announced Role-based access control (RBAC) and that fits the bill nicely for you as far as managing users and granting them permissions to do things. So in your scenario, the owner will create users and groups in Azure Active Directory and then put these users and groups in appropriate roles. When a user or a group member tries to manage the resources (either by logging into the portal or using other tools like Azure PowerShell Cmdlets), they will only be able to do things the role they are in allows.
Managing Billing - Though Azure Portal exposes the billing functionality (and there's a billing/usage REST API), it does not have the capability you're looking for. What you would need to do is look for ITFM (IT Financial Management) Systems that has support for Azure. Off the top of my head, two tools come to my mind - Cloudyn & Cloud Cruiser. You can learn more about it here: https://azure.microsoft.com/en-in/documentation/articles/billing-usage-rate-card-overview/. You could always consume the Billing/Usage REST API to create a solution of your own. If you're writing your own solution, you may want to check out Billing Samples on GitHub.