Strapi V4 Modify user data saved after login with Microsoft Provider - azure-active-directory

I'm using Strapi V4 and have configured Microsoft Azure Active Directory as the provider to log in. By default, this extracts basic information like the user's email and saves it to the Strapi User. Active Directory provides additional fields, like user groups and roles, and I'd like those values to be saved on the Strapi User too. Each time the user logs in I'd like it to update the Strapi user record in case the user's Active Directory values change.
How do you modify the core user record information that is saved when using a custom provider?

You can set up a webhook that will periodically sync the group membership from Azure AD to Strapi.
To set up a webhook that will periodically sync the group membership from Azure AD to Strapi, you will need to follow the steps which include installing and configuring the Azure AD integration plugin for Strapi, creating a subscription using the Azure AD Graph API, and creating a server-side script to handle the incoming webhook request and update the user roles in Strapi.
You would like to connect with Strapi for the script and webhook setup.
Thanks
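One way to do what the question asks, as an added example that is neither the question's nor Strapi's own code: normalise the Azure AD login payload into the fields to keep on the local user record and upsert it on every login, mapping only groups and roles the application knows about. The sample profile, the group and role allowlists, and the Strapi hook point that would call syncUserOnLogin are assumptions.

```javascript
// Added example (not from the question or Strapi): normalise the Azure AD login
// payload into the fields to persist on the local user record and upsert it on
// every login, so group/role changes in AAD are reflected (and revoked) locally.
// The Strapi hook point that would call syncUserOnLogin is assumed, not shown.

// Constructed sample of an AAD id_token / Graph profile received after login.
const sampleProfile = {
  oid: '11111111-2222-3333-4444-555555555555', // immutable object id: the safe key
  preferred_username: 'Alice@contoso.example',
  name: 'Alice Example',
  groups: ['g-admins', 'g-unknown'], // group object ids from the token
  roles: ['Reader'], // app roles assigned in AAD
};

// Only groups/roles the application knows are mapped; anything else is dropped.
const KNOWN_GROUPS = { 'g-admins': 'admin', 'g-editors': 'editor' };
const KNOWN_ROLES = new Set(['Reader', 'Writer']);

function buildUserFields(profile) {
  if (typeof profile.oid !== 'string' || !profile.oid) throw new Error('missing oid');
  const email = String(profile.preferred_username || '').toLowerCase();
  if (!email.includes('@')) throw new Error('missing email');
  return {
    providerId: profile.oid,
    email,
    username: email,
    displayName: profile.name || email,
    // replace, never merge: a membership removed in AAD must disappear here too
    aadGroups: (profile.groups || [])
      .filter((g) => Object.prototype.hasOwnProperty.call(KNOWN_GROUPS, g))
      .map((g) => KNOWN_GROUPS[g]),
    aadRoles: (profile.roles || []).filter((r) => KNOWN_ROLES.has(r)),
    lastLoginAt: new Date().toISOString(),
  };
}

// store is a Map keyed by providerId standing in for the users table; keying on
// the oid rather than the e-mail keeps the record stable if the e-mail changes.
function syncUserOnLogin(store, profile) {
  const fields = buildUserFields(profile);
  const existing = store.get(fields.providerId);
  const record = existing ? { ...existing, ...fields } : { id: store.size + 1, ...fields };
  store.set(fields.providerId, record);
  return record;
}
```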

Related

Add user properties to Azure Active Directory for SCIM provisioning (HiBob)

I'm trying to set up a user lifecycle flow that will allow me to create an Azure Active Directory user (Member, not Guest) when an employee is created in our HRIS tool (HiBob). There is a pre-existing integration which is enabled and allows us to get basic information (name, location, etc.).
In the HRIS system we also store some more unique data that I would like to be added to the user's AAD profile (maybe an emergency contact, for example) that we can then use to provision other applications (like Slack).
My issue is trying to create these custom property fields. I have read about Azure B2C as well as directory schema, custom security extensions and using MS Graph. None of these seem to be totally relevant to my situation.
FYI we are fully cloud, so Azure AD Connect is also not an option.
To store custom data in Azure AD objects such as users you can leverage Azure AD Directory Extensions in tandem with Azure AD Provisioning through SCIM.

I'm trying to create a SCIM integration. In Azure Databricks the email attribute is missing

I would like to test my scim integration with Azure Active Directory.
I created provisioning in Databricks, but the list of attributes is missing email.
How do I add it?
Update after the answer was accepted: I was trying to use Databricks in order to test my SCIM implementation for Azure. The right way is to create an app, edit mappings according to the needs and submit the app to the Azure AD.
Your question is unclear. How are you trying to provision from Azure AD to Databricks? You should be adding the Databricks Enterprise App from the gallery (see documentation for exact steps). The gallery app has the mappings preconfigured in a way tailored to Databricks - specifically, it's set to not attempt updates on userName or email attributes as both are immutable in the Databricks system.

Is it possible to avoid deleting a user via SCIM provisioning when AccountEnabled=false in an Azure AD Enterprise Application?

My Azure AD admin has created an Enterprise App for me and I'm Configuration Owner for it.
The app Provisioning is set up to:
Provision Azure Active Directory Groups
Provision Azure Active Directory Users
to my SCIM server.
The setup is working fine: users are created and groups are updated as well.
My problem is that in my company workflow when a consultant contract is renewed the user's AccountEnabled property is set to false and then later re-enabled with AccountEnabled=true, this is translating right now into a Delete / Create via SCIM in my app.
My impression was that AccountEnabled=false would translate to an isSoftDeleted=true (as mentioned in Customizing user provisioning attribute-mappings for SaaS application in Azure Active Directory) and that in turn would translate to a SCIM Disable User request, because the app's attribute mapping settings map the Azure Active Directory attribute Not([IsSoftDeleted]) to the active attribute in the app.
But it's not disabling the user, it's deleting it.
The user resides in an on-premises Active Directory and is then synced to Azure AD.
All the information that I could find (like this) suggests that a SCIM Delete should only happen after 30 days when a user is hard deleted and not when AccountEnabled=false, so I guess there may be another factor at play.
So, how do I stop Azure AD from issuing Delete user for disabled users in my app?
EDIT: I tested with a local user in Azure AD (not synced from the on-premises AD) and with that user, when the user is disabled it triggers an update user, not a delete. So it must be related to synced users only (I'm still troubleshooting).
Certain applications don't support soft deletes so the Azure AD provisioning service sends a delete in place of an update. What app are you using?
The attribute mapping blade allows you to de-select delete as an option, do the deletes stop when you do that?
I recommend keeping the attribute mappings as close to the default as possible.
Try removing the "not" function and using the default attribute mappings. The default mapping uses a switch statement to map false to true and true to false. It sends the request as a string rather than a boolean.
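To show the receiving side of the mapping discussed in this answer, here is an added example (not code from the question, the answer, or Azure AD): a minimal SCIM PATCH/DELETE handler that accepts "active" both as a boolean and as the string Azure AD sends, treats active=false as a soft disable, and only removes a record on an explicit DELETE. The in-memory user table, the attribute allowlist and the request bodies are constructed for this example.

```javascript
// Added example (not from the question or Azure AD docs): the SCIM server side of
// the exchange above. Azure AD's default mapping sends "active" as a string
// ("True"/"False"), so the PATCH handler accepts both forms and turns
// active=false into a soft disable; only an explicit DELETE removes a record.
// The in-memory user table and request bodies are constructed for this example.

const users = new Map([
  ['u-100', { id: 'u-100', userName: 'alice@contoso.example', active: true }],
]);
const WRITABLE = new Set(['active', 'displayName', 'emails', 'name']);

// Accept true/false and "True"/"False" (any case); reject anything else.
function parseActive(value) {
  if (typeof value === 'boolean') return value;
  if (typeof value === 'string') {
    const v = value.trim().toLowerCase();
    if (v === 'true') return true;
    if (v === 'false') return false;
  }
  throw new Error(`invalid value for active: ${JSON.stringify(value)}`);
}

// Handle a SCIM PatchOp body (RFC 7644 3.5.2): { Operations: [{ op, path, value }] }.
function handlePatch(userId, body) {
  const user = users.get(userId);
  if (!user) return { status: 404 };
  try {
    for (const op of body.Operations || []) {
      const name = String(op.op || '').toLowerCase();
      if (name !== 'replace' && name !== 'add') throw new Error(`unsupported op ${op.op}`);
      // Azure may send { path: "active", value: "False" } or { value: { active: "False" } }
      const changes = op.path ? { [op.path]: op.value } : op.value || {};
      for (const [attr, raw] of Object.entries(changes)) {
        if (!WRITABLE.has(attr)) throw new Error(`attribute ${attr} is not writable`);
        user[attr] = attr === 'active' ? parseActive(raw) : raw; // disable keeps the row
      }
    }
  } catch (e) {
    return { status: 400, detail: e.message };
  }
  return { status: 200, user };
}

// DELETE is the only path that removes a record; a disable must never route here.
function handleDelete(userId) {
  if (!users.has(userId)) return { status: 404 };
  users.delete(userId);
  return { status: 204 };
}
```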

How to get Azure account by app name or client id and secret id?

How to find out which account was used to register an Outlook app in Azure?
I have the app name, creation date, API client id and API secret id but cannot find the account which was used to register the app in order to be able to manage it.
It's a production app with thousands of users connected, so disconnecting all users and creating a new one is the last option...
You can log in to the Azure portal by using any user account which belongs to your AD.
Go to Azure Active Directory->App registrations->find your application by using app name or client id->click Owners under Manage part->you will find the owner of the application.
Update:

On-Premises User Profile Update Using Microsoft Graph API

We have a screen in our application that is used to update Azure AD users through Graph API. If users are created using the Azure Portal or Graph API, I'm able to update the user profile using this screen.
But if the user is created/synced using AD Connect (e.g. in the case of O365 users), Microsoft Graph returns the following error when updating these users:
Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration
I have the following queries:
Is it possible to update a user through Graph API that is created from on-premises to Azure AD?
Are there any settings in the Azure portal or AD Connect that allow a user to be updated through Graph API?
Also, how to tell the difference between whether a user is created on-premises or in Azure AD through Microsoft Graph API? Any attribute in the Microsoft.Graph.User class?
To answer your questions:
No this isn't possible because of the way they are synced. If Microsoft would allow changes on both sides, it would have to implement some kind of duplicate change resolution system. So they just blocked changing properties except for some cloud only properties like licenses.
No there isn't, because of the above reason.
Yes there is, but it's kinda hacky.
To see if a Graph user is created through the sync you should request the User.Read.All scope for your application and then do a request to the Get user endpoint with the select all properties querystring ?$select=*.
The synced users should have the OnPremisesSamAccountName property among others that don't appear on a non-synced user.
Once you have found out the user is an on-premises user, your application could do an update straight to your AD with the System.DirectoryServices.AccountManagement API.