New Salesforce custom profile not available in user provisioning via Azure AD - azure-active-directory

We use Azure AD user provisioning to create and manage users in Salesforce. In itself this is working correctly. But... we have created a new (custom) profile in Salesforce (which Azure AD refers to as a role) and this new profile is not being loaded into Azure AD. When creating a new user, we see our old custom profiles, but not the new one.
We started looking in the provisioning logs and saw a lot of "failed" entries. The first part of these logs reads like this:
The name, id, and claim properties of an app role in Azure AD must be
unique. We are unable to update an app role as one or more properties
are not unique. This is most commonly caused by having non-unique role
names in the directory from which roles are being imported.
And then a bunch of non-unique profiles/roles are listed. These are all standard profiles, such as Standard User and System Administrator. They appear twice in the list.
Going back to the screen where we add users, sure enough, these double entries are there as well. Each duplicate is an inactive choice. And: some old custom profiles are shown, also inactive. But not the new one.
This has worked before, as we see the old custom profiles listed. But somewhere/somehow double entries have been added and now we are stuck.
What is the solution? I have no idea on how to remove those duplicate entries from Azure AD. In Salesforce, there are no duplicate profiles. And even if I could remove the duplicate entries from Azure AD, maybe they would be added again on the first provisioning run.
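The provisioning error above is about uniqueness of the app roles on the Salesforce service principal. One check a practitioner would run before touching anything is to export that service principal's appRoles array (Microsoft Graph GET /servicePrincipals/{id}, or `az ad sp show --id <id>`, both return it as `appRoles`) and find which entries collide on displayName, value or id, and which of the colliding entries are disabled. The script below is an added example, not part of the original question or of Azure AD tooling; the appRoles sample is constructed to mirror the situation described (standard profiles appearing twice, the second copy inactive) and the GUIDs are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the appRoles array of an Azure AD service principal
# (as returned by Microsoft Graph or `az ad sp show`). Ids are placeholder GUIDs.
SAMPLE_APP_ROLES = json.loads("""
[
  {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Standard User",
   "value": "Standard User", "isEnabled": true},
  {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Standard User",
   "value": "Standard User", "isEnabled": false},
  {"id": "00000000-0000-0000-0000-000000000003", "displayName": "System Administrator",
   "value": "System Administrator", "isEnabled": true},
  {"id": "00000000-0000-0000-0000-000000000004", "displayName": "System Administrator",
   "value": "System Administrator", "isEnabled": false},
  {"id": "00000000-0000-0000-0000-000000000005", "displayName": "Old Custom Profile",
   "value": "Old Custom Profile", "isEnabled": false},
  {"id": "00000000-0000-0000-0000-000000000006", "displayName": "Sales Rep",
   "value": "Sales Rep", "isEnabled": true}
]
""")

# Azure AD requires each of these three properties to be unique across the app roles.
UNIQUE_KEYS = ("displayName", "value", "id")


def find_duplicate_app_roles(app_roles, keys=UNIQUE_KEYS):
    """Return {key: {normalised value: [role ids]}} for every key whose value is
    shared by more than one role. String comparison is case-insensitive so that
    near-duplicates differing only in case are reported too."""
    duplicates = {}
    for key in keys:
        seen = defaultdict(list)
        for role in app_roles:
            value = role.get(key)
            if value is None:
                continue
            norm = value.lower() if isinstance(value, str) else value
            seen[norm].append(role["id"])
        conflicts = {v: ids for v, ids in seen.items() if len(ids) > 1}
        if conflicts:
            duplicates[key] = conflicts
    return duplicates


def disabled_role_ids_in_conflicts(app_roles, duplicates):
    """Among the roles that take part in a displayName conflict, return the ids of
    those that are disabled (isEnabled false). These are the inactive choices the
    question describes; reporting them separately makes the review easier."""
    by_id = {role["id"]: role for role in app_roles}
    conflicting_ids = {
        rid for ids in duplicates.get("displayName", {}).values() for rid in ids
    }
    return sorted(rid for rid in conflicting_ids if not by_id[rid].get("isEnabled", True))


def report(app_roles):
    """Build a human-readable summary of the uniqueness problems found."""
    duplicates = find_duplicate_app_roles(app_roles)
    lines = []
    for key, conflicts in duplicates.items():
        for value, ids in conflicts.items():
            lines.append(f"{key} {value!r} is used by {len(ids)} roles: {', '.join(ids)}")
    disabled = disabled_role_ids_in_conflicts(app_roles, duplicates)
    if disabled:
        lines.append("Disabled entries among the conflicts: " + ", ".join(disabled))
    return "\n".join(lines) if lines else "No duplicate app roles found."


if __name__ == "__main__":
    print(report(SAMPLE_APP_ROLES))
```

Run it against the real export by replacing `SAMPLE_APP_ROLES` with `json.load(open("sp.json"))["appRoles"]`; the output tells you exactly which entries the provisioning engine is refusing to update, so the conversation with whoever manages the app registration starts from concrete ids rather than from the generic error text.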

Related

How to map Azure User Groups to Salesforce Permissions Sets (or PS Groups) & Public Groups

We have Azure AD syncing user accounts to Salesforce - this is working fine. In Salesforce we have a few custom 'Profiles'. And in Azure AD > Enterprise Apps > Salesforce > Users & Groups, we have AD Groups mapped to these profiles https://i.imgur.com/TjjdT7H.png
Due to additional development in Salesforce, we are now making use of a few Permission Sets (and Permission Set Groups), as well as Public Groups.
Rather than manually managing assignments to these various groups when new users are provisioned, I would like to automate it, based on Azure AD group membership.
I have read a bunch of threads on this topic. One suggests the way to do this is to create a new App Role (link - see comment by Mike-S122). This is done via App Registrations > Salesforce > App Roles. So I created an App Role, which shows up in Enterprise Apps > Salesforce > Users & Groups - I can click 'Add user/group', select the new Role in the list, and assign an AD Group, but if I try to provision-on-demand a user, I get an error that the user cannot belong to two groups. That makes sense.
Perhaps I need to edit the provisioning mappings instead? My current mapping looks like this.

New domain controller for Azure AD

I've been forcefully (replaced old IT) tasked to create new AD with new domain name.
Current setup is something.local with connector to AAD where users are logging in as user#domain.tld.
I've been tasked to create completely new domain with domain name "domain.tld" and they want me to sync this new domain to current AAD (where users will still log in as user#domain.tld) (to keep data in groups for teams etc.)
I don't care about personal OneDrives since users never really used them, and I can reassign users to groups manually.
Edit
Is it even possible to sync this new AD without breaking everything apart? Or do I have to delete everything and start all over again?

Can I rename a Microsoft Teams free site's subdomain.onmicrosoft.com?

I have a Microsoft Teams free account that I created under an earlier organization name that I now wish to change. This is because my second Teams site undesirably reveals that it exists under the original organization name of my first Teams site.
Now, inviting users to my second Teams site inadvertently discloses to them that I also run the first Teams site. It comes up during certain Microsoft authentication screens. I don't want them to see that; it's distracting. Although both are non-profits, one organization has nothing to do with the other. A new user entering my second Teams site by invitation may feel confused when, upon initial entry, they're presented with my first organization's name.
I've since learned that I can indeed change my original organization name. Creating my first MS Teams site implicitly created the organization by that name within a personal Azure account that uses my credentials. It's at https://portal.azure.com, and my first Teams site shows up in there. It appears as a group within Azure Active Directory (AAD). My personal directory itself bears that initial name of my organization. The same name was automatically applied to the group representing my first Teams site.
Now, the directory itself is identified both by
the organization name, and
a corresponding subdomain name.
Both were the same, except the subdomain had no spaces embedded in it, obviously.
While I can change the directory's organization name, I don't see how to change the URL subdomain name (e.g., MySite.onmicrosoft.com) for my Teams site.
I know Microsoft Teams users aren't ever exposed to that technical subdomain information in normal everyday use anyway. However, that original name does become revealed when a new user is invited to the new Teams site. On the Android app, for example, upon initial login and setup, the new Teams user is asked to tap on the organization name. And there was my first disappointment, because it was the name of the other unrelated organization! After tapping it, users are then led to the correct Teams site that I did intend to make available to them.
That's what prompted me to want to change my organization name.
I was successful with that by changing the organization name under Properties for my directory. This resolved the issue for the newly authenticated Android Microsoft Teams user.
However, I cannot see how to rename the subdomain itself. And that's important, because PC users at least (or those trying to enter my Teams site from a web browser) are in fact presented with a permissions prompt where that undesired subdomain name appears!
Is there a way to rename the subdomain?
POSTSCRIPT - Guess what? I can create new directories in AAD alongside my original one! What if I move my Teams group from the unrelated directory to a new one I create? Would that be safe? Will my Teams site still be functional?
To answer your edit: a Teams organization is associated with a specific Azure Active Directory. Even if you have a second directory, I don't believe there is any way to "move" things across; you would have to create everything from scratch.
To answer your general question, you would probably have to create a new directory as you described, then create a new Teams, replicate the information, remove all the users from the old Teams and remove them from the original directory, then invite them to the newly created one.
The reason for this is that if you invite someone, you are essentially adding their email / login to your Azure tenant. If they have been invited to multiple Teams tenants, then when they log into Teams there is functionality for them to switch between all the directories that they are a guest of, so they will be able to see it. The only way to remove that is to delete the guest users from Azure AD.

Not able to add new user in VSTS

I am added to project collection administrator group in VSTS. Still not able to add a new user. I am added using my official email ID i.e. Microsoft work account.
It says
Guest users are not allowed to perform this action.
I saw the reason on this link
I believe the primary reason for this error is because when a co-admin
with Microsoft account is added to a subscription, it gets added into
the subscription AD as Guest user type.
but since it is a very old thread I would like to know if there is an easy way to get the ability to add new users, or basically to manage VSTS on behalf of the client. I hate requesting the client to add a new user to the team. Also he is not tech savvy, so I would like to suggest a simple solution to him (running PowerShell might be annoying for him).
You are inviting users from outside the directory. The user will be able to access the account and its resources, so you need enough permission to add a new user to the AD, but you are a Guest user, so it throws "Guest users are not allowed to perform this action."
You need to contact the corresponding user (e.g. the AD admin) to add users to AD, or to grant you enough role and permission to add users to AD.
There is no easy way to do this, because it is related to security.

Change User Name In Azure Active Directory

I have an Azure Active Directory (AAD) set up in my Azure subscription associated with an email address of mine, which we'll call A.
Some time later, I updated my Microsoft Account to use a new email address B as the primary email address, with A being associated with it still so it can still be used and the two email addresses treated as being one.
In AAD there is one user, whose user Id is A which appears not to be able to be changed as it is greyed-out. Attempting to add B fails with the error: You cannot add yourself.
Is there a way I can force the user name of the AAD user to be B instead of A?
The reason I ask is that I am trying to set up an Azure Key Vault in my subscription, and it appears to be failing because whether I sign in as A or B in Azure PowerShell, I am always signed in as B. This then causes this error message, which I appear to be unable to work around:
New-AzureKeyVault : Cannot find the Active Directory object 'B' in tenant
'{Tenant Id}'. Please make sure that the user or application service principal you are
authorizing is registered in the current subscription's Azure Active directory. The TenantID displayed by the cmdlet
'get-AzureSubscription -current' is the current subscription's Azure Active directory.
Can you check that you are using the latest bits for Key Vault PowerShell?
I talked with some folks internally and we believe that an experience like this may be expected if you are using an older version of the PowerShell cmdlets, but the latest version should be up to date and not run into the issue you are having.
If you find that you still hit this issue after upgrading, we may have a bug on our side that we should fix.
In that case, my suggestion is for you to create a new Admin User. Then delete the old Admin Account (you may need to transfer ownership of your AAD subscription to the new Admin), and then recreate your account, which will pull the latest information from that user.
However, I only recommend trying this after having updated the PowerShell bits.
Please let us know if either of these methods resolves your issues.
Thanks,
Shawn Tabrizi