How do i get access to ITSM 7 / GIM (Global Incident Management System)? - itsm

If you are a Beluni User -
Step 1 :- Contact your local IT helpdesk to log an incident on your behalf.
Step 2 :- Provide the PID of someone else from your team so that the account can be activated and the access provided.
If you are an OMNI User -
Step 1 :- Please raise a MyAccess request via the link below -
http://myaccess.app.csfb.net/MyAccess/Pages/Request/CreateRequest.aspx
Step 2 :- From Application, select "Remedy Global Incident Management (ITSM 7 - GIM)".
Step 3 :- In the form that pops up, ensure the clone ID is populated. A clone ID is the Windows ID / NT ID of someone from the same team, or possibly your manager (other than your own ID), whose account is active in the ITSM 7 system, so that you can be added to the same group as your clone.
Once the MyAccess request is approved, the account will be created.

Inviting a guest User to a SharePoint Site using PowerAutomate

We are developing a PowerAutomate Flow to automate the process of inviting external users to a SharePoint Site.
Below are the steps being followed so far:
1. Created an MS Form for an external user to register
2. Passing the response (Email) from the form to the flow
3. Adding the user to a SharePoint Group using the email parameter and sending an email invite to the External User (Requirement)
I have been able to get to point no 2, however I have been experiencing challenges achieving point no 3.
Came across different articles online for adding guest users, however most of them talk about adding the guest to Azure AD as shown below:
https://medium.com/southworks/adding-a-guest-to-an-office-365-sharepoint-site-with-javascript-fa7604ad8678
https://laurakokkarinen.com/how-to-build-a-guest-user-self-service-registration-for-office-365-with-azure/
https://www.timlinenterprises.com/how-to-invite-external-users-using-microsoft-flow-and-microsoft-graph-api/
Also checked a few articles for running PowerShell commands from Flow, however this approach doesn't look straightforward either.
The below article works only for internal users:
https://www.c-sharpcorner.com/article/add-the-users-to-the-sharepoint-groups-using-microsoft-flow/
The end goal here is to invite an external user to a SharePoint Site once the user registers through a registration form (MS Form).
Would appreciate it if anyone could help me out in achieving this.
Thanks in advance
Before inviting the user to SharePoint you must add him to Azure AD. So you will need to configure an HTTP action to invite the user first.
If you are using SharePoint Modern Sites (those that have Microsoft 365 groups associated), you need to create an HTTP action to add the guest to the group:
[screenshot: HTTP action configuration]
NOTE: HTTP will not accept the "@" sign directly, so you need to put it into a "Compose" or "Variable" and add it as per my screenshot.
In the URI you have the Group ID from Azure AD.
In the Body it's the guest user ID.
You will need to register an Azure AD App to use for the HTTP action and give it the following permissions:
Graph -> Application -> GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All
https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http#permissions
Use the App ID and Secret to connect the HTTP action.
This is my solution to add Guest Users to Private Channels in MS Teams with PowerAutomate.
Step0 - Register the domain of the Guest Users in your AD account as a valid Guest Domain
Step1 - Use a registration form (MS Forms)
Step2 - Create a Trigger Process in MS PowerAutomate to receive the Form Data. I like to create small/short flows to only capture and validate form data, and then call a separate Flow / RestService. This makes your solution a little bit more decoupled and reusable. (Imagine replacing the Form with a web app form or mobile app form in the future.)
Create a second HTTP request trigger flow receiving the Form data (optional way to set up a multi-flow solution)
Step3 - Create a Private Channel in Teams via GraphAPI
GraphAPI - POST https://graph.microsoft.com/v1.0/teams/<teams_id>/channels
POST BODY:
{
  "membershipType": "private",
  "displayName": "<e.g. channel name from form data>",
  "description": "<e.g. description from form data>",
  "members": [
    {
      "@odata.type": "#microsoft.graph.aadUserConversationMember",
      "user@odata.bind": "https://graph.microsoft.com/v1.0/users('owner.user@mydomain.com')",
      "roles": [
        "owner"
      ]
    }
  ],
  "@odata.type": "#Microsoft.Graph.channel"
}
Step4 - Call GraphAPI to retrieve the Guest User Details
GraphAPI: GET https://graph.microsoft.com/v1.0/users?$filter=mail eq 'guest.user@email.com'
I have added this in a loop - since I had many members who had to be added - and I also included a condition check to check if the domain is indeed valid.
Now you can assign the output (or portions of the output) to some variables.
Step5 - Retrieve the ID value from the step above (Step4). This is the value that must be used to add the new guest member.
Retrieve the ID from the Step4 output
Also set a variable to the account type - which should (MUST BE) be "guest"
Now - Add guest users to the private Teams channel
Step6 - Call GraphAPI to add guest members
GraphAPI: POST https://graph.microsoft.com/v1.0/teams/<team_id>/channels/<channel_id>/members
Post Body:
The role must be "guest" for a guest account.
But valid options for other types of access can be:
owner
member
guest
The Microsoft documentation states roles must be owner or empty.
This did not work so well for me.
Use guest:
{
  "@odata.type": "#microsoft.graph.aadUserConversationMember",
  "roles": [
    "@{variables('membership_type')}"
  ],
  "user@odata.bind": "https://graph.microsoft.com/v1.0/users('@{variables('principal_user')}')"
}
Bonus Step
Now you can catch all responses from the previous steps and respond back with an HTTP Request/Response connector.
A 200 response on successful executions
A non-200 response on failed executions (or however you desire)
To configure exception handling or failure handling responses do this below
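As an added Python example (not the answerer's Power Automate flow), this builds the Graph request bodies and the two checks from Steps 0 to 6 above, the guest-domain allow-list and the "MUST BE guest" account-type check, so they can be reviewed offline; the allow-list, ids and lookup response are constructed values, and every function name is this example's own.

```python
# Added example: Graph payloads and checks for the guest-member flow above.
# No network calls; domains, ids and the lookup response are constructed.
import re

GRAPH = "https://graph.microsoft.com/v1.0"

# Step0: the guest domains registered as valid (constructed allow-list).
ALLOWED_GUEST_DOMAINS = {"partner.example"}

# Step4: a constructed /users?$filter=... response for one guest account.
SAMPLE_LOOKUP_RESPONSE = {"value": [
    {"id": "11111111-2222-3333-4444-555555555555",  # constructed object id
     "mail": "guest.user@partner.example", "userType": "Guest"},
]}

def guest_domain_allowed(email: str) -> bool:
    """Condition check before the lookup: only invite registered guest domains."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", email)
    return bool(m) and m.group(1).lower() in ALLOWED_GUEST_DOMAINS

def private_channel_body(name: str, description: str, owner_upn: str) -> dict:
    """Step3: body for POST /teams/<team_id>/channels creating a private channel."""
    return {
        "@odata.type": "#Microsoft.Graph.channel",
        "membershipType": "private",
        "displayName": name,
        "description": description,
        "members": [{
            "@odata.type": "#microsoft.graph.aadUserConversationMember",
            "user@odata.bind": f"{GRAPH}/users('{owner_upn}')",
            "roles": ["owner"],
        }],
    }

def lookup_url(email: str) -> str:
    """Step4: GET /users?$filter=mail eq '<email>' (OData doubles embedded quotes)."""
    safe = email.replace("'", "''")
    return f"{GRAPH}/users?$filter=mail eq '{safe}'"

def principal_from_lookup(resp: dict) -> tuple:
    """Step5: take the id from the lookup and require the account type to be Guest."""
    users = resp.get("value", [])
    if len(users) != 1:
        raise LookupError(f"expected exactly one user, got {len(users)}")
    if users[0].get("userType") != "Guest":
        raise ValueError("not a guest account; refusing to add it with the guest role")
    return users[0]["id"], "guest"

def add_member_body(principal_id: str, role: str) -> dict:
    """Step6: body for POST /teams/<team_id>/channels/<channel_id>/members."""
    return {
        "@odata.type": "#microsoft.graph.aadUserConversationMember",
        "roles": [role],
        "user@odata.bind": f"{GRAPH}/users('{principal_id}')",
    }
```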

Unable to access the LUIS portal

We are unable to access LUIS.ai portal. A prompt appears stating error validating credentials with Active directory although I have an Azure account with the same credentials and resources created. Please find the attached screenshot and log.
{
"Error": "interaction_required",
"ErrorDescription": "AADSTS50105: The signed in user '{EmailHidden}' is not assigned to a role for the application '65920ba3-ab61-4a9b-9b10-505e5ce61b58'(luis.ai.live). - Trace ID: 2bbd72d5-4251-4e20-b018-5dcb6a5a2d00 - Correlation ID: 9e5d2000-7ff1-40ed-b358-797c6ef2b45c - Timestamp: 2020-01-02 05:28:01Z"
}
Navigate to Azure Active Directory in the Azure portal -> Enterprise applications -> select Application Type: All applications -> search for luis.ai.live -> click the app -> Users and groups -> add your user account with a role (you need to be at least an Owner of the app to add a user).
Or you can navigate to the Properties of the app and set "User assignment required" to No; that can also solve the problem.
Also note, both ways need Properties -> "Enabled for users to sign-in" set to Yes.

Active Directory(AD) Authentication in Azure Sql not working

I am trying to get Azure AD Authentication working against my Azure SQL Database.
I created a PaaS database and it's associated PaaS Sql Server.
I assigned MY Azure AD account as "Active Directory admin" of the "PaaS Sql Server".
Next, I logged in to SSMS using MY domain account to create the user:
CREATE USER [xxx@yyy.com] FROM EXTERNAL PROVIDER;
GO
sp_addrolemember db_datareader, [xxx@yyy.com];
GO
sp_addrolemember db_datawriter, [xxx@yyy.com];
GO
When I attempt to login with the xxxxx@yyy.com account, I get back:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (.Net SqlClient Data Provider)
Server Name: zzzzz.database.windows.net
Error Number: 18456
Severity: 14
State: 1
Line Number: 65536
What am I missing?
Weird observation: if I intentionally use the wrong password I get back this error:
AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password
That tells me the AD is somehow working, but something is broken in the overall process.
Another weird observation:
If I add a valid AD account, it succeeds:
CREATE USER [xxx@yyy.com] FROM EXTERNAL PROVIDER;
If I generate a bad AD account:
CREATE USER [xxxABC@yyy.com] FROM EXTERNAL PROVIDER;
I get back:
Principal 'xxxABC@yyy.com' could not be found or this principal type is not supported.
From a "similar post":
The Anonymous Logon error occurs when you haven't specified the database you want to connect to. Simply select "options" on the SSMS login screen and type in the database name you want to connect to. This is because your user is a contained user on the database it was created in. It does not exist on Master. – Greg Grater Mar 7 '17 at 1:23
This fixed my issue -- hours wasted!!!
Note: for ODBC connections the user must also be created in master

Microsoft graph API access issues across app service slots in azure

I'm using Azure Active Directory to control access to my web app using group membership. I have 2 groups (user & admin). In my app I've set up application permissions for Microsoft Graph to read users' profiles and read all groups.
I'm then using the Graph API in my app to get a list of all groups available. This works OK in my local dev environment, and when I deploy to the app up in Azure the process works OK there too. The problem arises when I upload and test in my 2 'slots' in the App Service environment. I have two that I'm using, a dev version and a QA version. As soon as I try to access the Graph API from either of those I get this error:
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
I was getting this when I initially started developing, but setting up and granting app permissions solved it. So why am I getting this in my other 2 'apps'? I need these to test (me as the developer and our testing team in QA).
Are there any other steps I need to take for my dev & QA slots to work in the same way?
** This is how I access the Graph API; it works OK in my main app, but not in the slots:
GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
Group group = await graphClient.Groups[admin].Request().GetAsync();
**Update
The issue is with the apps running in my slots. Both my Dev & QA slots don't have any group information in the ClaimsIdentity object after a user logs in. I've checked this by logging the info in the ClaimsIdentity object: when I run it locally and in the main app up in Azure, the group info is present; when I run it in the Azure QA & dev environments, the groups aren't present in the ClaimsIdentity object. Why would this be? Do the slots inherit the Active Directory settings or should they be set up separately? I'm pretty new to Azure and the security model so any help would be greatly appreciated.
I have redirect URLs set up in Azure and also in my web.config; I use different transforms for each environment using the appropriate redirect for each environment.
I'm using OpenID
**Update 2
When I created the slots, I based them (copied) on my main app. Should each slot have its own ClientID and secret in its web.config file? Also do I need to register each slot as an application in Active Directory? At the moment just my main app is registered.
Here are the claims from each of my apps; you can see the QA app has no groups.
my QA slot in azure
Claim type - ver
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Claim type - http://schemas.microsoft.com/identity/claims/tenantid
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Claim type - onprem_sid
Claim type - nonce
Claim type - http://schemas.microsoft.com/identity/claims/objectidentifier
Claim type - name
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Claim type - ipaddr
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Claim type - http://schemas.microsoft.com/claims/authnmethodsreferences
Claim type - c_hash
Claim type - aio
Claim type - exp
Claim type - nbf
Claim type - iss
Claim type - iat
Claim type - aud
authentication type ; Cookies
My Main App in Azure
Claim type - ver
Claim type - http://schemas.microsoft.com/identity/claims/tenantid
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Claim type - http://schemas.microsoft.com/identity/claims/objectidentifier
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Claim type - nonce
Claim type - name
Claim type - ipaddr
Claim type - http://schemas.microsoft.com/identity/claims/identityprovider
Claim type - groups
Claim type - groups
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Claim type - c_hash
Claim type - http://schemas.microsoft.com/claims/authnmethodsreferences
Claim type - exp
Claim type - aio
Claim type - nbf
Claim type - iss
Claim type - iat
Claim type - aud
authentication type ; Cookies
** OK, I've tried adding the QA app to Azure Active Directory as a registered app. I've got a ClientID and a secret, and I've given it the same permissions for Azure Active Directory and Microsoft Graph as my main app. I've included the ClientID & secret in my web.config transform, so basically it's set up in the same way as my main app, and STILL no group info in the ClaimsIdentity. How on earth is this meant to work?
***Another update
Permissions granted:
Windows Azure Active Directory
- delegated permissions : read all groups, read all users' full profiles
Microsoft Graph
- application permissions : read all users' full profiles, read all groups
- delegated permissions : read all groups, read all users' full profiles, sign in and read user profile
Just as a test, I've also granted every permission for Active Directory and Microsoft Graph and it made no difference.
This is becoming a serious problem for me now. I can't see that there's anything else I can do; it works perfectly well in my main app, but not in the 'slots'. Is there a major flaw/bug with Azure, or am I doing something fundamentally wrong here?
Can anyone help me out?
To read groups via Microsoft Graph, Group.Read.All, Group.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All is required.
What's the permission you have granted to the app which has this issue? Also please check the scp claim in the token to ensure that the correct permission has already been granted. You can decode the access token with a JWT decoder such as jwt.ms.
For more detail about permissions for the Microsoft Graph REST API, please refer to the link below:
Microsoft Graph permissions reference
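To check the scp/roles and groups claims the answer points at, here is an added Python inspector (not from the thread). It decodes the payload of a compact JWT without verifying the signature, so it is for inspection only, never for authorization; the token it decodes is a constructed, unverifiable sample, and the permission set comes from the answer above.

```python
# Added example: inspect an Azure AD access token for the claims that matter
# when reading groups via Microsoft Graph. Signature is NOT verified.
import base64
import json

# Permissions the answer above lists as sufficient to read groups.
GROUP_READ_PERMISSIONS = {"Group.Read.All", "Group.ReadWrite.All",
                          "Directory.Read.All", "Directory.ReadWrite.All"}

def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def check_token(claims: dict) -> dict:
    """Summarise what a Graph call needs to read groups.

    scp    - delegated permissions (space separated) on a user token
    roles  - application permissions on an app-only token
    groups - group object ids; absent when the registration emits no groups
             claim, or replaced by _claim_names/_claim_sources when the user
             is in more groups than the token can carry (the overage case)
    """
    delegated = set(claims.get("scp", "").split())
    app_roles = set(claims.get("roles", []))
    granted = (delegated | app_roles) & GROUP_READ_PERMISSIONS
    return {
        "audience": claims.get("aud"),
        "can_read_groups": bool(granted),
        "granted": sorted(granted),
        "groups": list(claims.get("groups", [])),
        "groups_overage": "groups" in claims.get("_claim_names", {}),
    }

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unverifiable token for offline inspection only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-not-checked"
```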

Using MIT Kerberos as account domain for Windows AD Domain

We have mostly Linux users who login via Kerberos. But we also have a few (<50) users who use both Linux and Windows. This is supposed to grow in the future.
We would like to keep our User database on the Unix/Kerberos side.
But for some reason that eludes me I can not get it to work yet.
I did the following after reading some guides (domains anonymized):
1) Add the ADDC to /etc/krb5.conf on the Linux KDC and Linux hosts
AD.DOMAIN = {
    kdc = PDC.AD.DOMAIN
    admin_server = PDC.AD.DOMAIN
    default_domain = ad.domain
}
2) Add cross-realm principals on the Linux side
addprinc -pw <longPW> -requires_preauth krbtgt@AD.DOMAIN
addprinc -pw <longPW> -requires_preauth krbtgt/LINUX.REALM@AD.DOMAIN
addprinc -pw <longPW> -requires_preauth krbtgt/AD.DOMAIN@LINUX.REALM
3) Add realm info via ksetup to the Windows ADDC and other Windows machines
ksetup
default realm = ad.domain (NT Domain)
LINUX.REALM:
    kdc = kdc.linux.realm
    kpasswd = kdc.linux.realm
    Realm Flags = 0x0No Realm Flags
Mapping all users (*) to a local account by the same name (*).
4) Add a two-way trust on the Windows side via
netdom trust /d:LINUX.REALM ad /add /PT:longPW /realm /twoway
Check returns
nltest /TRUSTED_DOMAINS
List of domain trusts:
    0: LINUX.REALM (MIT) (Direct Outbound) (Direct Inbound) ( Attr: non-trans )
    1: AD ad.domain (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
But also
netdom trust lst /d:LINUX.REALM /verify /KERBEROS /twoway
The command failed to complete successfully.
5) Add mapping to users
altSecurityIdentities for user ad\test shows kerberos: test@LINUX.REALM
I can login with ad\test (which is not what I want) but I can not log in as test@LINUX.REALM, which is what I wanted.
On the other hand:
kinit test@AD.DOMAIN
Password for test@AD.DOMAIN:
root@kdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@AD.DOMAIN
Valid starting       Expires              Service principal
21/07/2017 13:24     21/07/2017 23:24     krbtgt/AD.DOMAIN@AD.DOMAIN
    renew until 22/07/2017 13:24
My problem:
I cannot login on the Windows side with principals test@LINUX.REALM. As written in the topic, we want the Linux realm to be the account domain, not the AD, which should be possible as well, shouldn't it? We only want to have to handle account creation, deletion etc. in the Linux realm, having the Windows users log in with their Linux account/password.
What am I missing?
Doing
ksetup /addhosttorealmmap .dns.domain LINUX.REALM
on each Windows client mostly fixed this problem.
I can now login with user@LINUX.REALM to the Windows client with correct mapping.
