Hide data in Azure Active Directory
Azure AD SCIM Provisioning - How to sync passwords?
I am trying to implement SCIM protocol in a custom app (python) and sync users from Azure AD to my app.
I reached out to Azure support and got a confirmation that all attributes are synced. I can get the user creation request from Azure with name, username, email and preferred language attributes; however, the password is not sent.
I updated mapping for the app to include "passwordProfile.password" attribute but the POST request that comes to my app for user create action does not include the password.
Is it even possible to get user password synced? Am I missing something?
Many thanks.
Managing SaaS Users & Groups via Azure AD SCIM
Using Azure AD Premium, Enterprise App & SCIM 2.0 Provisioning Scope - Only assigned Users & Groups
I'm trying to work through the use case below:
- SCIM provisioning of users that are assigned to a given AD Group
- When a user is added it correctly fires off a POST /Users to Create the User
- When a user is removed it skips the user and reports - "Details : User details: Skip reason = NotEffectivelyEntitled, Active = True, Assigned = False, Passed scope filter: True;" but does not send a PATCH or a DELETE to inform the SaaS app that the user is no longer valid.
So the question is: what is the correct mechanism for using SCIM provisioning to manage only a subset of users in the AD as active users of the system?
e.g. only one department in the company uses the SaaS app, so the user list for assigning tickets etc. should only be those users, and if a user changes departments and no longer has access to the SaaS app they shouldn't be seen as a valid user of the SaaS app directory. The SaaS licensing will count all registered users, so syncing 20,000 users for no reason is not an option.
Seems like SCIM supports this use case with PATCH & DELETE, but Azure AD isn't propagating changes from the users & groups in the enterprise app as expected.
Any suggestions appreciated.
Thanks
Azure AD Provisioning Group sync does not send objectId as GET/objectId or PATCH/objectId in request
Hello everyone,
I am using Azure AD to provision Users/Groups with my SCIM enabled application using non-gallery app. I am able to configure application properly and receiving required requests which Azure AD sends for Users and Groups.
But the problem is with Group requests. For Group requests, Azure AD always sends GET/<displayName> (same case for PATCH). However, I need GET/PATCH/DELETE requests with <objectId> instead of <displayName>. Consider the example below:
For example, if I have the following group info in my Azure AD account:
Group name : Group1
Object Id : abc-123-def-456
Current GET request for groups is : GET/Group1
Required request : GET/abc-123-def-456
(same case for PATCH/DELETE)
I am new to Azure AD so I might be missing something. Can anyone suggest what configuration changes are required to achieve the above scenario?
Thanks & Regards
Mohit Shah
Azure B2C - SAML Implementation
Hi All,
We have applications using the SAML 2.0 open standard for authentication.
We want to integrate those applications with Azure AD B2C.
Can you please help me with how to do the implementation?
Selvakumar Rathinam
Invalid grant error while retrieving access token via Postman
Hi,
I am not able to get the access token via Postman.
I followed all the steps mentioned in the microsoft article for "Authorize access to blobs and queues with Azure Active Directory from a client application"
but I am getting the following error while retrieving access token:
error : invalid_grant, error_description : AADSTS65001
Please help!!
Can SSPR be used for synchronized guest users?
I want to sync users from our local directory to the cloud as guests.
These users do not get any license assigned. I wonder if those users can use SSPR? Can password writeback also be used?
In SSPR it is stated that only users of the "organization" can use SSPR.
Not Getting Custom Field in SCIM Post Request
We have created one custom field called "tags" in the SCIM mapping. But when we create a user, the POST request doesn't contain the "tags" field. The same field gets updated when the next PATCH call happens during an update. Here is the mapping for the "tags" field:
Join(":", [jobTitle], [department]) tags
Apply this mapping : Always
Also pasting the request body for reference. Please check & let us know why the "tags" field is not coming as part of the POST request. "tags" is part of the schema "urn:ietf:params:scim:schemas:core:2.0:User".
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "externalId": "new.scim.user5",
  "userName": "new.scim.user5",
  "active": true,
  "displayName": "new.scim.user5 DN",
  "emails": [
    {
      "primary": true,
      "type": "work",
      "value": "new.scim.user5@BlueJeansNetwork.onmicrosoft.com"
    }
  ],
  "meta": {
    "resourceType": "User"
  },
  "name": {
    "formatted": "new.scim.user5 FN new.scim.user5 LN",
    "familyName": "new.scim.user5 LN",
    "givenName": "new.scim.user5 FN"
  },
  "roles": [],
  "title": "QA Lead",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Q&A Engineering"
  }
}
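An added example, not code from any of the posters or from Microsoft, of the server side that four of the SCIM threads above touch: the password question (no password ever arrives over SCIM, so the account is created without a local credential and any stray "password" attribute is dropped), the group lookup question (Azure AD's provisioning documentation describes looking resources up with a filter such as GET /Users?filter=userName eq "..." or displayName for groups, and the "id" the endpoint returns is what it uses on later PATCH/DELETE calls), the de-provisioning question (the documented soft delete is a PATCH setting active to false, which has been sent both as a JSON boolean and as the string "False", with DELETE as a separate hard delete), and the custom "tags" attribute, which the PATCH handler accepts as a plain top-level attribute. The in-memory store, the shortened copy of the posted create payload and the absence of an HTTP layer are assumptions of the example; host it behind real routes and a bearer-token check against the provisioning "Secret Token".

```python
"""Minimal SCIM 2.0 /Users handlers of the kind an Azure AD provisioning target needs (added example)."""
import copy
import re
import uuid
from typing import Any, Dict, List, Optional, Tuple

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENT_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_RESP = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

Store = Dict[str, Dict[str, Any]]          # id -> SCIM User resource (in-memory, assumption)
FILTER_RE = re.compile(r'^\s*([\w.:]+)\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)

# Constructed sample: the create request from the post above, shortened.
SAMPLE_CREATE = {
    "schemas": [CORE_USER, ENT_USER],
    "externalId": "new.scim.user5",
    "userName": "new.scim.user5",
    "active": True,
    "name": {"familyName": "new.scim.user5 LN", "givenName": "new.scim.user5 FN"},
    "title": "QA Lead",
    ENT_USER: {"department": "Q&A Engineering"},
}


def _to_bool(value: Any) -> bool:
    """'active' has arrived as a JSON boolean and as the strings "True"/"False"; accept both."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


def _set_path(res: Dict[str, Any], path: str, value: Any) -> None:
    """Apply a simple PATCH path: 'active', 'name.givenName', 'tags' or '<enterprise urn>:department'."""
    if path.startswith(ENT_USER + ":"):
        res.setdefault(ENT_USER, {})[path[len(ENT_USER) + 1:]] = value
    elif "." in path:
        parent, child = path.split(".", 1)
        res.setdefault(parent, {})[child] = value
    elif path == "active":
        res["active"] = _to_bool(value)
    else:
        res[path] = value


def create_user(store: Store, body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """POST /Users. No password arrives, so the record has no local credential:
    sign-in must go through the IdP, and a stray 'password' is dropped, not stored."""
    if CORE_USER not in body.get("schemas", []) or not body.get("userName"):
        return 400, {"detail": "core User schema and userName are required"}
    if any(u["userName"].lower() == body["userName"].lower() for u in store.values()):
        return 409, {"detail": "userName already exists", "scimType": "uniqueness"}
    res = copy.deepcopy(body)
    res.pop("password", None)
    res["id"] = str(uuid.uuid4())
    res["active"] = _to_bool(res.get("active", True))
    res["meta"] = {"resourceType": "User", "location": f"/Users/{res['id']}"}
    store[res["id"]] = res
    return 201, res


def find_users(store: Store, filter_expr: Optional[str]) -> Tuple[int, Dict[str, Any]]:
    """GET /Users?filter=userName eq "x". The 'id' returned here is what later PATCH/DELETE calls use."""
    matches: List[Dict[str, Any]] = list(store.values())
    if filter_expr:
        m = FILTER_RE.match(filter_expr)
        if not m:
            return 400, {"detail": "unsupported filter", "scimType": "invalidFilter"}
        attr, wanted = m.group(1), m.group(2).lower()
        matches = [u for u in matches if str(u.get(attr, "")).lower() == wanted]
    return 200, {"schemas": [LIST_RESP], "totalResults": len(matches), "startIndex": 1,
                 "itemsPerPage": len(matches), "Resources": matches}


def patch_user(store: Store, user_id: str, body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """PATCH /Users/{id}: attribute updates and the active=false soft delete."""
    res = store.get(user_id)
    if res is None:
        return 404, {"detail": f"User {user_id} not found"}
    if PATCH_OP not in body.get("schemas", []):
        return 400, {"detail": "PatchOp schema required"}
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            return 400, {"detail": f"unsupported op {op.get('op')!r}"}
        if "path" in op:        # {"op": "Replace", "path": "active", "value": "False"}
            _set_path(res, op["path"], op["value"])
        else:                   # {"op": "replace", "value": {"active": false, ...}}
            for attr, value in op["value"].items():
                _set_path(res, attr, value)
    return 200, res


def delete_user(store: Store, user_id: str) -> int:
    """DELETE /Users/{id}: hard delete, 204 on success, 404 if unknown."""
    return 204 if store.pop(user_id, None) is not None else 404
```

The lookup-by-filter path is the answer to the objectId question: the endpoint is never addressed by displayName, it is queried with a filter and then addressed by whatever "id" it handed back, so the server is free to return its own identifier there.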
Simple API help
Is it possible for someone to walk me through getting Microsoft Azure API to work?
I want a complete beginner's walkthrough. I am not a programmer. Two days ago I did not know what an API really even was, and it took me 5 mins to set up the Google API and get it working from a web browser and an app. Microsoft Graph seems impossible to get to work outside Graph Explorer, and even then it won't actually work for the query I want.
All I want to do is get a OneDrive personal file embed link through an API call. That's it.
1. Is that possible to do with an Office365 Personal subscription and a free Azure Trial account?
2. How?
Changed hosting of wordpress site
Hi,
I have a wordpress website that is running the Power BI Embedded plugin. I have just changed hosting, and now these elements don't work at all.
I get an error message under Azure Authorization that says:
Oauth StatusAADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000009-0000-0000-c000-000000000000'. Trace ID: 29374611-18d3-40b2-9cca-fd0103901d00 Correlation ID: 5217f8fd-e686-4434-9ea9-0cffeb6a8023 Timestamp: 2019-09-19 13:57:38Z
Can someone please help me to change something in Azure AD to fix this problem?
Thanks,
Dean
Dynamically populate Azure/Office 365 Groups from existing Distribution Groups - NO conversion
So I have a dilemma here. I need to create about 862 Office 365 groups, but I do not want to convert the existing distribution groups. Dynamic groups are only achievable inside Azure Active Directory or PowerShell. I would like to replicate all groups as Office 365 groups for the purpose of Teams. The trick here is I do not want to have to edit two sets of groups.
So is there a way to query a Distribution Group's list of members into an Office 365 Group?
Can't connect to Azure SQL with MF using Microsoft Access and OLEDB and/or ODBC
Our client has asked us to develop a Microsoft Access solution with Azure SQL that has MF and Azure Directory integration. We can log in just fine using SSMS, but when we try to connect with Microsoft Access using OLE DB driver 18.2.2 and ODBC for SQL Server 17.4 it will not work.
Do the latest OLE DB or ODBC drivers support Azure Active Directory with Multi-Factor Authentication? If they do, that would point us towards a solution; otherwise we would need to figure out another way of doing it.
Founder AccessExperts.net Blog: AccessExperts.net/blog
Azure App registration
Hi Team,
I am running into many issues with the app I registered. If you have any thoughts please do share!
1. I am trying to redirect users to the login screen after logout and clear all MS cache using the below, but it is accepting it on Azure; though I remove the part from post_logout it does take it, but it does not help?
https://login.microsoftonline.com/tenantID/oauth2/v2.0/logout?post_logout_redirect_uri=https://dev.domain.net/login_callback
2. We are checking users' group membership (group ID) using the Graph API below; only for one user are we not able to fetch the group ID and assign the application role. He has many groups assigned, so I was wondering if there is any limitation?
https://graph.microsoft.com/beta/users/UPN/transitiveMemberOf
3. Is there a way to see user login details like how many times he logged in or when he last logged in? We do not see the details in the JWT token.
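An added example, not the poster's code, for item 2: a Microsoft Graph collection such as /users/{upn}/transitiveMemberOf is paged, so a caller that reads only the first response's "value" array silently misses memberships for a user with many groups, and the collection also mixes groups with directory roles and administrative units, which share the directoryObject shape. The function below follows @odata.nextLink to the end and keeps only group ids; it uses the v1.0 endpoint rather than beta. The "fetch" callable and the two-page canned response used to run it offline are constructed for the example; against the live API you would pass a function that GETs the URL with the bearer token and returns the decoded JSON body.

```python
"""Walk a paged Microsoft Graph collection and keep only the group ids (added example)."""
from typing import Any, Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str], Dict[str, Any]]   # url -> decoded JSON body of a GET on that url


def iter_collection(url: str, fetch: Fetch, max_pages: int = 1000) -> Iterator[Dict[str, Any]]:
    """Yield every item across all pages; stop when @odata.nextLink is absent."""
    next_url = url
    for _ in range(max_pages):
        body = fetch(next_url)
        if "error" in body:            # Graph errors look like {"error": {"code": ..., "message": ...}}
            err = body["error"]
            raise RuntimeError(f"Graph error {err.get('code')}: {err.get('message')}")
        yield from body.get("value", [])
        next_url = body.get("@odata.nextLink")
        if not next_url:
            return
    raise RuntimeError(f"gave up after {max_pages} pages")


def group_ids_for(user: str, fetch: Fetch, graph: str = GRAPH) -> List[str]:
    """transitiveMemberOf returns groups, directory roles and administrative units;
    filter on @odata.type so a role id is never treated as a group id."""
    url = f"{graph}/users/{user}/transitiveMemberOf"
    return [obj["id"] for obj in iter_collection(url, fetch)
            if obj.get("@odata.type") == "#microsoft.graph.group"]


# Constructed two-page responder standing in for the live API (assumption, not real data).
_USER = "alice@example.com"
_PAGE1 = f"{GRAPH}/users/{_USER}/transitiveMemberOf"
_PAGE2 = _PAGE1 + "?$skiptoken=constructed-token"
FAKE_RESPONSES: Dict[str, Dict[str, Any]] = {
    _PAGE1: {"value": [{"@odata.type": "#microsoft.graph.group", "id": "g1"},
                       {"@odata.type": "#microsoft.graph.directoryRole", "id": "r1"}],
             "@odata.nextLink": _PAGE2},
    _PAGE2: {"value": [{"@odata.type": "#microsoft.graph.group", "id": "g2"},
                       {"@odata.type": "#microsoft.graph.group", "id": "g3"}]},
}


def fake_fetch(url: str) -> Dict[str, Any]:
    """Stand-in for a real GET; unknown URLs get a Graph-shaped error body."""
    return FAKE_RESPONSES.get(url, {"error": {"code": "Request_ResourceNotFound",
                                               "message": f"no canned response for {url}"}})


if __name__ == "__main__":
    print(group_ids_for(_USER, fake_fetch))   # ['g1', 'g2', 'g3']
```

With requests, the live fetch would be a one-liner around session.get(url, headers={"Authorization": f"Bearer {token}"}).json(); keep the page cap, since a nextLink loop against a misbehaving proxy should fail loudly rather than spin.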
Azure AD SAML integration
Hello Team,
We have a few questions to answer; could you please help?
For a SAML 2.0 based solution, does the SP support encrypted assertions?
Does the SP support the SHA1 algorithm for signing? Where do we check this in the enterprise application, if supported?
Does the SP support the AES128 algorithm for encryption? Where do we check this in the enterprise application, if supported?
Does your third party SAML compliant product or custom solution support deep-linking into your application?
Thanks Team in Advance
Can't save Provisioning configuration
Hi :-)
I am running into a problem while trying to setup Provisioning to an external SCIM application.
To reproduce:
From portal.azure.com -> "Enterprise Applications" -> "New Application" -> "Non-gallery application" -> Enter a name -> "Add"
Then "Manage: Provisioning" -> Select 'Automatic'
I entered a "Tenant URL" which points to our SCIM endpoint and entered a "Secret Token".
Click "Test Connection": says it is ok.
Click "Save" and I get an error:
Testing connection to APP NAME We encountered an error while updating provisioning configuration for APP_NAME
I think this is a related correlation id: a68bc4c7-122c-4ab8-b703-286c99e960ad (but I am not sure)
I can privately share Tenant URL and a secret if that helps with debugging (It is a test system that will be destroyed again after testing).
Something that is unusual and I imagine could cause problems is that the Secret Token is pretty long (861 Characters).
Cheers
Stefan
Azure active directory unable to verify domain
Hello,
I followed the steps exactly as specified in the Azure documentation to add a new custom domain, gas-ad.com. Even though I added the @ TXT entry in DNS (managed at Amazon DNS/Route 53) and waited for many hours, the domain is not verifying.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
I am able to verify the @ gas-ad.com TXT record with third-party DNS lookup tools online, and it seems to be fine.
https://dnslookup.online/txt.html
Thanks in advance for your help!
Biju
Joining a co-located server with AAD DS
Reading through all the different documentation and various forums, I am getting confusing/conflicting answers as to whether or not I can have a VM running in an external datacenter (i.e. HostWay) but have my VMs in that data center join Azure Active Directory Domain Services without installing an AD controller within the datacenter.
To be more specific:
I have put physical hardware in an off-site location.
I have 3 VMs on that physical server that I want to join to our AAD DS. (Using Windows 2019 or 2016)
Can I do this without creating a 4th VM that serves as an on-prem Active Directory DC?
I just want users to be able to log into the VMs and use the services using their Azure credentials, and if I can avoid creating a DC, that would be ideal.
If it is possible, can someone point me to a step by step process for configuring Azure and the VMs to make this happen?
Azure AD Single Sign-on: Passing parameters from client to Azure for lookup or transformation within a claim / response
Background:
I'm assessing functionality between PingFederate and Azure AD. We currently use PingFederate. As a need, some of our clients use a 'Reference ID Adapter' (https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html)
as a means to provide PingFederate with information that it can then use to customize claims. The customization could be as simple as a transformation, or a lookup against Active Directory for additional information.
Example: imagine an application that's used to grant users access to file containers. How this is determined is based on a claim that's returned within a SAML response. A user is a member of a group in AD which corresponds to this location (a very easy lookup). Let's say this user is a member of many groups, which in turn correspond to many containers on the site. You can easily filter the groups and submit a claim for each, but the user only wants to be granted access to a single one of the containers of their choosing. Without the user being able to pre-select what gets sent in the claim, there's no way to limit this access to a single container.
How we accomplished this was to perform a first mile/last mile approach. The user would be authenticated, and a claim sent to a 3rd party, trusted site that displayed all the user's pertinent groups (or possible containers). The user would then select a single container, which initiates another SSO, but also sends this group name to PingFederate to include within a claim. The result is that the final claim to the application will only contain 1 group, instead of all that meet the filter criteria. For those familiar with AWS, how would you authenticate to a single app?
Question:
Does Azure AD provide similar functionality where a client can send parameters during the SSO process that can then be acted on for claim creation? This can be either within the initiation URL, or behind the scenes with a possible Graph call. Links to documentation detailing this would be much appreciated (I'm not having luck on my own).
Thanks!
Trying to add users to an Enterprise application
Whenever we add someone - either via the GUI or in Powershell, we get the same response. Removing and adding them back doesn't fix it. Has anyone seen this?
User details: Skip reason = NotEffectivelyEntitled, Active = True, Assigned = True, Passed scope filter: True
unable to create sql registry resource
I keep getting an error that the name is in use when trying to create a SQL registry resource. It doesn't matter what I put for the name.
Sam
SB