We have multiple Active Directories in our company, such as :
finance-dc1.company.com
finance-dc2.company.com
sale-dc1.company.com
sale-dc2.company.com
development-dc1.company.com
development-dc2.company.com
...
Our development team want to authenticate (bind) and search users against one AD and not multiple ADs, so is there any solution to have a replica of all ADs into one AD (e.g: proxy-dc.company.com)?
Related
We use Azure AD user provisioning, to create and manage users in Salesforce. In itself this is working correctly. But... we have created a new (custom) profile in Salesforce (which Azure AD refers to as role) and this new profile is not being loaded into Azure AD. When creating a new user, we see our old custom profiles, but not the new one.
We started looking in the provisioning logs and saw a lot of "failed" entries. The first part of these logs reads like this:
The name, id, and claim properties of an app role in Azure AD must be
unique. We are unable to update an app role as one or more properties
are not unique. This is most commonly caused by having non-unique role
names in the directory from which roles are being imported.
And then a bunch of non-unique profiles/roles are listed. These are all standard profiles, such as Standard User and System Administrator. They appear twice in the list.
Going back to the screen where we add users, sure enough, these double entries are there as well. Each duplicate being an inactive choice. And: some old custom profiles are shown, also inactive. But not the new one.
This has worked before, as we see the old custom profiles listed. But somewhere/somehow double entries have been added and now we are stuck.
What is the solution? I have no idea on how to remove those duplicate entries from Azure AD. In Salesforce, there are no duplicate profiles. And even if I could remove the duplicate entries from Azure AD, maybe they would be added again on the first provisioning run.
We have Azure AD sync'ing user accounts to Salesforce - this is working fine. In Salesforce we have a few custom 'Profiles'. And in Azure AD > Enterprise Apps > Salesforce > Users & Groups, we have AD Groups mapped to these profiles https://i.imgur.com/TjjdT7H.png
Due to additional development in Salesforce, we are now making use of a few Permission Sets (and Permission Set Groups), as well as Public Groups.
Rather than manually managing assignments to these various groups when new users are provisioned, I would like to automate it, based on Azure AD group membership.
I have read a bunch of threads on this topic. One suggesting the way to do this is to create an new App Role (link - see comment by Mike-S122). This is done via App Registrations > Salesforce > App Roles. So I created an App Role, which shows up when in Enterprise Apps > Salesforce > Users & Groups - I can click 'Add user/group', select the new Role in the list, and assign an AD Group, but if I try to provision-on-demand a user, I get an error that the user cannot belong to two groups. That makes sense.
Perhaps I need to edit the provisioning mappings instead? My current mapping looks like this.
I have a Microsoft Teams free account that I created under an earlier organization name that I now wish to change. This is because my second Teams site undesirably reveals that it exists under the original organization name of my first Teams site.
Now, inviting users to my second Teams site inadvertently discloses to them that I also run the first Teams site. It comes up during certain Microsoft authentication screens. I don't want them to see that; it's distracting. Although both are non-profits, one organization has nothing to do with the other. A new user entering my second Teams site by invitation may feel confused when, upon initial entry, they're presented with my first organization's name.
I've since learned that I can indeed change my original organization name. Creating my first MS Teams site implicitly created the organization by that name within a personal Azure account that uses my credentials. It's at https://portal.azure.com, and my first Teams site shows up in there. It appears as a group within Azure Active Directory (AAD). My personal directory itself bears that initial name of my organization. The same name was automatically applied to the group representing my first Teams site.
Now, the directory itself is identified both by
the organization name, and
a corresponding subdomain name.
Both were the same, except the subdomain had no spaces embedded in it, obviously.
While I can change the directory's organization name, I don't see how to change the URL subdomain name (e.g., MySite.onmicrosoft.com) for my Teams site.
I know Microsoft Teams users aren't ever exposed to that technical subdomain information in normal everyday use anyway. However, that original name does become revealed when a new user is invited to the new Teams site. On the Android app, for example, upon initial login and setup, the new Teams user is asked to tap on the organization name. And there was my first disappointment, because it was the name of the other unrelated organization! After tapping it, users are then led to the correct Teams site that I did intend to make available to them.
That's what prompted me to want to change my organization name.
I was successful with that by changing the organization name under Properties for my directory. THis resolved the issue for the newly authenticated Android Microsoft Teams user.
However, I cannot see how to rename the subdomain itself. And that's important, because PC users at least (or those trying to enter my Teams site from a web browser) are in fact presented with a permissions prompt where that undesired subdomain name appears!
Is there a way to rename the subdomain?
POSTSCRIPT - Guess what? I can create new directories in AAD alongside my original one! What if I move my Teams group from the unrelated directory to a new one I create? Would that be safe? Will my Teams site still be functional?
To answer your edit. a teams organization is associated with a specific azure active directory, even if you have a second directory, i don't believe there is any way to "move" things across. you would have to create everything from scratch.
to answer your general question, you would probably have to create a new directory as you described, then create a new teams, replicate the information, remove all the users from the old teams. and remove them from the original directory. then invite them to the newly created one.
The reason for this is, if you invite someone, you are essentially adding their email / login to your azure tenant. of they have been invited to multiple teams tenants. then when they log into teams there is functionality for them to switch between all the directories that they are a guest of. so they will be able to see it. the only way to remove that is to delete the guest users from azure ad.
I am going to use Rundeck in production.
While reading docs, I found that users management is based on local ACL files.
And AD authentication is available.
My question is: Is it possible to manage users access to Jobs and Nodes by AD groups?
Fox example:
AD groups: rundeck_restrat_svcName1, rundeck_restrat_svcName2, ect..
Thanks for any information.
Yes.. You can do that.
1, Create a jaas configuration file for AD, say jaas-AD.conf at /etc/rundeck folder like this
2, Modify the profile file's two lines.
export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-AD.conf
-Dloginmodule.name=activedirectory
3,In AD create a new group, say rundeck_users and create an .aclpolicy file to set the ACL. There you have to use group as rundeck_users. You can create .aclpolicy file yml frame by rd-acl binary
I use Exchange 2003 and I have been searching a lot and found related queries like
(&(UserAccountControl:1.2.840.113556.1.4.803:=2)(msExchHomeServerName=*)(objectClass=User))
Which enumerates disabled user accounts with mailboxes, but what I want is quite the opposite, user accounts (enabled or disabled) with CLOSED mailboxes. Thanks beforehand for any help!
Exchange and Active Directory are separate, if user is created on AD doesn’t mean that it will have mailbox account too but usually both are used together.
You can use any LDAP browser like JXplorer or LDAPadmin to check the settings for your users on Active Directory. You will find disabled users on AD moved to different OU or there should be some attribute which will differentiate it from active users.
You can export LDIF file (by LDAP browser like LDAPadmin) for one active user and one disabled user and compare both to find relevant attribute for disabled entity and use it for your query filter. You can consult your IT team also who is managing Active directory for more details. HTH :)