Identify AZURE AD users without OATH MFA configured - azure-active-directory

I have a need to identify AD users that have not set up MFA via the Microsoft Authenticator (or equivalent). How do I identify these users?
Presumably, the MFA OATH key is stored somewhere on the user account.
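One way to approach this, as an added example that is not part of the original question or its thread: the registered methods per user are exposed by Microsoft Graph (`GET /users/{id}/authentication/methods`, each method tagged with an `@odata.type`), so an audit is a matter of classifying those types. The script below works offline over a constructed sample of such responses; the per-user fetch with a Graph client holding `UserAuthenticationMethod.Read.All` is assumed, not shown.

```python
"""Flag users whose registered authentication methods contain no MFA-capable type.

Added example, not from the original post. It assumes the JSON shape returned by
Microsoft Graph's GET /users/{id}/authentication/methods, where every method
object carries an "@odata.type". The sample responses below are constructed so
the script runs offline; a real audit would fetch them per user with a Graph
client that holds UserAuthenticationMethod.Read.All.
"""
from typing import Dict, Iterable, List

# Method types that satisfy a second factor for sign-in. The password method
# alone is not MFA, and the email method is used for self-service password reset.
MFA_METHOD_TYPES = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",  # Authenticator app
    "#microsoft.graph.softwareOathAuthenticationMethod",            # third-party TOTP (OATH)
    "#microsoft.graph.phoneAuthenticationMethod",                   # SMS / voice call
    "#microsoft.graph.fido2AuthenticationMethod",                   # FIDO2 security keys
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}


def has_mfa_method(methods: Iterable[Dict]) -> bool:
    """True if at least one registered method is an MFA-capable type."""
    return any(m.get("@odata.type") in MFA_METHOD_TYPES for m in methods)


def users_without_mfa(registrations: Dict[str, List[Dict]]) -> List[str]:
    """Return the UPNs (sorted) whose method list contains no MFA-capable type."""
    return sorted(upn for upn, methods in registrations.items() if not has_mfa_method(methods))


# Constructed sample: what the endpoint might return for three users (ids are placeholders).
SAMPLE_REGISTRATIONS = {
    "alice@contoso.example": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "constructed-1"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "id": "constructed-2"},
    ],
    "bob@contoso.example": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "constructed-3"},
    ],
    "carol@contoso.example": [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "constructed-4"},
        {"@odata.type": "#microsoft.graph.emailAuthenticationMethod", "id": "constructed-5"},  # SSPR only
    ],
}

if __name__ == "__main__":
    for upn in users_without_mfa(SAMPLE_REGISTRATIONS):
        print(f"no MFA-capable method registered: {upn}")
```

Users that only hold a password plus an SSPR email show up in the report, which is the case an "any method registered" check would miss.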

Related

Is a connection between Azure AD & Azure AD B2C user accounts possible?

We use Azure AD for our organisation's AD to manage our users. We are also setting up an Azure AD B2C environment for our external websites. As part of this we are allowing our staff to log into these sites using their windows accounts.
Is it possible to manage the staff's B2C user account from Azure AD? For example, in B2C we have setup groups. We would ideally like to be able to create new user accounts in B2C from our Azure AD, and assign users to groups. Is this possible? Or can we only manage these users from only within B2C or through using the Microsoft Graph API?
Finally, when a user is disabled in our Azure AD, would this then prevent their account being used to sign into one of our websites as that user is no longer active in the identity provider?
It is possible if your Azure AD B2C tenant federates with the Azure AD tenant. If the user account is disabled, it won't be able to sign in to any application.

Adding external users to Azure AD B2C without sign-in

I added to my Azure AD B2C an option to log in via an external provider, Azure AD. Later on, I added my account from that tenant to Azure AD B2C as an external user.
Unfortunately, when I log in, I get "User does not exist. Please sign up before you can sign in.".
When I use a different policy that allows me to sign in, my account is duplicated as Federated Azure Active Directory.
How can we prepopulate Azure AD B2C with external users to avoid signing in new accounts? I would like to move existing data from the tenant and avoid filling in unnecessary data. Moreover, I would like to allow only particular users to log in to our application.
The problem here is that users added via the portal are essentially B2B or portal admin users.
These are not local accounts and hence cannot log in to B2C.
If you have users in another AAD tenant that is federated with B2C, you do not have to manually add these users to B2C. A "linked account" (using the #EXT# format) is created when those users authenticate via their Azure AD.
I guess what you are saying is "avoid registering new users."
Azure B2C is for consumers, not for an Azure AD tenant. You should use the Azure B2B feature to add a guest user to your Azure AD B2C tenant and assign the necessary roles/permissions to the guest user.
You could simply use the + New guest user option in the Azure portal, or the Microsoft Graph API, to add external users.

Why doesn't Azure AD support a default domain for signin

In single-tenant scenarios, why does Azure AD sign in require that the user provide the domain?
Because you can have multiple domains registered in AAD, and most organizations have users with more than one domain name.
When you log in, you must specify your user principal name.
Same as when logging in to on-prem AD, you'd use e.g. CONTOSO\username or username@contoso.com.
Setting a default is not possible, and is usually not desired.
It looks like what I should be looking at is Azure AD B2C.
From this MSFT FAQ:
What are local accounts in Azure AD B2C? How are they different from work or school accounts in Azure AD? In an Azure AD tenant, users that belong to the tenant sign in with an email address of the form <user>@<domain>. The <domain> is one of the verified domains in the tenant or the initial <...>.onmicrosoft.com domain. This type of account is a work or school account.
In an Azure AD B2C tenant, most apps want the user to sign in with any arbitrary email address (for example, joe@comcast.net, bob@gmail.com, sarah@contoso.com, or jim@live.com). This type of account is a local account. We also support arbitrary user names as local accounts (for example, joe, bob, sarah, or jim). You can choose one of these two local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, click Identity providers and then select Username under Local accounts.

AAD Claims UPN vs On-Premise AD UPN

I thought the UserPrincipalName (UPN) was single-valued per user in the directory, but when I run an LDAP query for a specific user, I get the UPN AO0S0020@mydomain.local,
and when running an OAuth (OpenID Connect) authorization against Azure AD (which is synced using AD Connect), I see that the UPN claim for the same user is nati@mydomain.com.
What am I missing here?
You are missing the concept of Alternate login ID.
It seems your Azure AD Connect is configured with an alternate login ID. Thus the difference.

Azure B2C. User account does not exist in tenant 'xxx' and cannot access application

We get the following error when trying to access an AAD application, which is connected to Azure B2C.
User account 'xxxxx@gmail.com' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The live account shows up in both the B2C and AAD tenants as a live.com user. Manually created accounts can log in. Yet when logging in from a B2C account, I get the above error.
How can I solve this problem?
If your requirement is to accept personal accounts in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and uses the so-called Azure AD 'v1' endpoint.
Here are your options:
AppSource only requires corporate account sign-ins. If you only need AppSource certification, you can keep using adal.js to sign in corporate accounts. Then what you need to do is to set your application to be multi-tenant in the Azure Portal, so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.
If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js, and then register your application in the new portal https://apps.dev.microsoft.com. This new application is known as a converged application and uses the Azure AD v2 endpoint. To get started, use this guide as a starting point to sign in users using msal.js.