I am trying to set up MaaS360 device compliance through Azure AD Conditional Access and am having an issue with the Azure Integration menu in MaaS360.
Basically, one of the steps requires setting up "Device compliance status sync for Android and iOS", which requires the Azure tenant ID and Client ID to be established.
I am not able to see this checkbox when I go to the Setup->Azure Integration menu in MaaS360.
I only have 2 checkboxes that I am allowed to configure:
User Authentication
User Visibility
I have been given full admin roles on my account and I am not sure why else I cannot see this menu.
Here is the IBM article that I am following; if you look at step 7, it shows the menu option.
https://www.ibm.com/docs/en/maas360?topic=iaam-integrating-maas360-microsoft-enforce-device-compliance-through-azure-ad-conditional-access
Any help is appreciated.
Thanks
I was able to solve this; I needed to open a case with IBM to get Azure conditional access enabled.
Related
I have a React Application that uses Microsoft AD to authenticate users.
As a first step, and according to Microsoft Documentation, we need to register the application with the Microsoft identity platform.
This is in line with the Microsoft Identity Platform documentation; in this diagram we can see that for ALL types of applications (SPA, Web App, etc.), we always need to configure an application in Azure AD:
This process is "cumbersome", and I'm trying to remove it by having the application installed automatically.
Several third-parties do this, such as Zapier, SpecFlow, etc.
Basically, they have a process where:
User logs in on Zapier
User is redirected to Azure AD sign-in page
User is authenticated and authorized
AzureAD shows the Consent Page
User consents
Application is installed on user's AzureAD
I've been reading and searching in Microsoft's documentation, and I cannot find a single document that shows or even mentions this type of flow.
BUT, I know that this is possible, as there are several third parties that are doing exactly this, such as Zapier, for example.
Can anyone point me in the right direction? There must exist some Microsoft document that explains how this process is done!
Apologies if this should be a comment, not an answer. I do not have enough SO reputation to write comments.
Zapier is published to the Azure Active Directory application gallery (1c76d9b0-0826-4b19-8706-29572657af1e). You can do this as well:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing
If an application already exists in the gallery, it does not need to be "registered" in the user's tenant, as the registration definition is defined in the gallery.
Once an app is in the gallery, users can use it only if their tenant's administrators allow this, per the settings on this page:
Enterprise applications | User settings
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/UserSettings
From the user's end, there are other governance controls that may impact the user's ability to use your app, but I think "register your app in the gallery" is probably what you're asking for.
I have a web app that uses the Azure Active Directory (AD) login (Microsoft login), where I have a development environment, staging, and production environment.
The AD login works for my development environment, but I am getting an error when I try to use the same login for my staging environment.
The error I am getting is
Your sign-in was successful but did not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location your admin restricts
I am attaching the screenshot for more details. Any help is highly appreciated.
Best Regards,
Janak Darji
I have tried to enter my public IP under the network tab as an allowed IP but that didn't work.
You can follow the steps below to find which policy causes the issue.
Sign in to your Azure portal, and click Azure Active Directory.
Find the user, and click it.
Find the sign-in logs.
Then you can find the login record, and click it to check the Conditional Access tab. You can find which policy blocked it.
You can disable all the policies for a test.
You are being blocked by a conditional access policy
In your Azure AD you can use the What If tool to troubleshoot Conditional Access policies
The Conditional Access What If policy tool allows you to understand the impact of Conditional Access policies in your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
You can find the What If tool in the Azure portal under Azure Active Directory > Security > Conditional Access > What If.
Before you can run the What If tool, you must provide the conditions you want to evaluate.
The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions
Hope this helps!
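Both answers above come down to the same check: open the sign-in record and read which policy reported a failure. As an added example (not from either answer), this script does that over sign-in log entries in the Microsoft Graph `signIn` JSON shape; the records, user names and policy ids are constructed sample data.

```python
"""Locate the Conditional Access policy that blocked a sign-in by reading
sign-in log entries in the Microsoft Graph 'signIn' shape (the same records
the portal shows under the user's Sign-in logs). The records below are
constructed sample data, not a real tenant export."""
import json

SAMPLE_SIGNINS = json.loads("""[
 {"id": "sign-in-1", "userPrincipalName": "alice@contoso.example",
  "appDisplayName": "Staging Web App", "conditionalAccessStatus": "failure",
  "status": {"errorCode": 53003,
             "failureReason": "Access has been blocked by Conditional Access policies."},
  "appliedConditionalAccessPolicies": [
   {"id": "p-1", "displayName": "Require compliant device", "result": "failure",
    "enforcedGrantControls": ["RequireCompliantDevice"]},
   {"id": "p-2", "displayName": "MFA for all users", "result": "success",
    "enforcedGrantControls": ["Mfa"]},
   {"id": "p-3", "displayName": "Block legacy auth", "result": "notApplied",
    "enforcedGrantControls": []}]},
 {"id": "sign-in-2", "userPrincipalName": "alice@contoso.example",
  "appDisplayName": "Dev Web App", "conditionalAccessStatus": "success",
  "status": {"errorCode": 0, "failureReason": "Other."},
  "appliedConditionalAccessPolicies": [
   {"id": "p-2", "displayName": "MFA for all users", "result": "success",
    "enforcedGrantControls": ["Mfa"]}]}
]""")

def blocking_policies(signin: dict) -> list:
    """Policies whose evaluation failed for this sign-in, i.e. the ones behind
    the 'did not meet the criteria to access this resource' message."""
    return [
        {"id": p["id"], "name": p["displayName"],
         "controls": p.get("enforcedGrantControls", [])}
        for p in signin.get("appliedConditionalAccessPolicies", [])
        if p.get("result") == "failure"
    ]

def triage(signins: list) -> dict:
    """Map each CA-blocked sign-in id to the policies that blocked it.
    Sign-ins where CA succeeded or was not applied are skipped."""
    return {
        s["id"]: blocking_policies(s)
        for s in signins
        if s.get("conditionalAccessStatus") == "failure"
    }

if __name__ == "__main__":
    for sid, policies in triage(SAMPLE_SIGNINS).items():
        for p in policies:
            print(f"{sid}: blocked by '{p['name']}' (requires {p['controls']})")
```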
We moved most people in our company to the Outlook mobile app on their phones; however, some have not yet moved. We want to block Exchange ActiveSync via CA policies. I'm most positive I set it up correctly; however, a few users that I placed in the include policy are still able to use it. Please see the policy below, and if anyone has any ideas that would be great, thanks.
Note: We do not have Intune and have no plans on purchasing it. Also, we have all users under an Azure AD P1 plan.
Policy
Users and Workloads
-Include
--Users in question
Cloud Apps or actions
-All Cloud Apps (include)
Conditions
-Client Apps
--Exchange Active Sync
Access Controls
-Grant
--Block Access
Thanks.
To block Exchange ActiveSync via CA policies, please check this official document. Make sure, before using a Conditional Access policy, that you try setting Enable security defaults to Yes.
In the Conditional Access policy, follow the steps below:
In Users and groups select all users
Cloud apps or actions click Select Apps and import Office 365 Exchange Online
In Conditions, under Device platforms select Any device, and under Client apps select Mobile apps and desktop clients and Exchange ActiveSync clients.
Under Grant, select Block access and enable the policy.
For more information in detail, please refer to the links below:
Blocking ActiveSync with Conditional Access, credit to Adam Fowler
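The What If tool mentioned in the earlier thread is the right way to check why the poster's policy does not catch those users. As an added example (not from the thread or from Microsoft), here is a small offline evaluator for policies written in the Microsoft Graph `conditionalAccessPolicy` JSON shape, with the poster's policy encoded as constructed data; it assumes placeholder user and app ids and a simplified model (no group expansion, locations, platforms or device state, and none of the service-side restrictions on the Exchange ActiveSync condition).

```python
"""Offline 'What If'-style evaluator for Conditional Access policies in the
Microsoft Graph conditionalAccessPolicy JSON shape. Simplified model: users and
apps match by id or the literal "All"; groups, locations, platforms, device
state and service-side ActiveSync restrictions are not evaluated. Ids are constructed."""
from dataclasses import dataclass

EXCHANGE_ONLINE = "app-exchange-online"   # placeholder id, not the real app id

# The poster's policy: only the users in question, all cloud apps,
# client app type Exchange ActiveSync, grant control = block.
BLOCK_EAS = {
    "displayName": "Block Exchange ActiveSync",
    "state": "enabled",   # or "disabled" / "enabledForReportingButNotEnforced"
    "conditions": {
        "users": {"includeUsers": ["user-1", "user-2"], "excludeUsers": ["user-2"]},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
        "clientAppTypes": ["exchangeActiveSync"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

@dataclass
class SignIn:
    user_id: str
    app_id: str
    client_app_type: str   # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other

def _hit(scope: list, value: str) -> bool:
    return "All" in scope or "all" in scope or value in scope

def applies(policy: dict, s: SignIn) -> bool:
    """True when every configured condition matches and no exclusion fires."""
    c = policy["conditions"]
    if s.user_id in c["users"].get("excludeUsers", []):
        return False   # exclusions always win over inclusions
    if s.app_id in c["applications"].get("excludeApplications", []):
        return False
    return (_hit(c["users"]["includeUsers"], s.user_id)
            and _hit(c["applications"]["includeApplications"], s.app_id)
            and _hit(c["clientAppTypes"], s.client_app_type))

def what_if(policies: list, s: SignIn) -> dict:
    """Simulated verdict: enforced policies that apply, report-only ones, and whether access is blocked."""
    enforced = [p for p in policies if p["state"] == "enabled" and applies(p, s)]
    report = [p["displayName"] for p in policies
              if p["state"] == "enabledForReportingButNotEnforced" and applies(p, s)]
    blocked = any("block" in p["grantControls"].get("builtInControls", []) for p in enforced)
    return {"applied": [p["displayName"] for p in enforced],
            "report_only": report, "blocked": blocked}
```

A user who is in the include list but also in the exclude list, or who syncs with a client app type other than `exchangeActiveSync`, is never blocked by this policy, which is the first thing to check for the users who still get through.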
I'd appreciate if anyone could provide a clear description on SSRS user access configuration.
I've installed the latest SSRS and its database on a single server and set up the web portal, and everything works fine, except that I cannot grant access to a specific user group for a specific folder. Until now, all the users have access to everything.
I've been struggling with this for several weeks and still couldn't find any tutorial.
Based on the documentation, Reporting Services provides an authentication subsystem and a role-based authorization model. Authentication and authorization models vary depending on whether the report server runs in native mode or SharePoint mode. Here is a detailed explanation called Secure Reports and Resources related to native mode, and this one talks about Set Permissions for Report Server Operations in a SharePoint Web Application. Also, this YouTube tutorial and this one were helpful to get me started.
You have probably added the user group to a role using the Site Settings / Security page, or added them to the Home folder / Manage / Security page. A typical user group should not appear in either list.
Instead, navigate to the "specific folder" / Manage / Security page, click Customize security (if required) and then assign the user group to a role (typically Browser).
Here's the full documentation on those tasks:
https://learn.microsoft.com/en-us/sql/reporting-services/security/grant-user-access-to-a-report-server?view=sql-server-2017
We are planning to create two sharepoint web applications using SharePoint 2010 Enterprise Edition.
All Users that have access to web app 1, should also be able to access web app 2.
This authentication shall be powered by server 2003 active directory.
--> do I need to use claims based authentication?
If so --> can I use Windows Based Authentication with NTLM for that?
The only thing I really want is that users navigating from web app 1 to web app 2 (and vice versa) do not have to authenticate twice.
I do NOT want to configure Kerberos if it is not absolutely necessary though...
Can you give me any hints?
Thanks!
EDIT:
ok - I'll try to be more precise:
In our SharePoint 2010 environment, we've got two web applications running
http(s)://humanresources.domain.com
http(s)://sales.domain.com
Both are running on the same IIS and have host headers configured (with wildcard domain certificate for HTTPS).
Both apps provide a link to the other web application (sales -> humanresources and humanresources -> sales)
Now, whenever someone logged in to sales navigates to humanresources, I do not want that person to need to log in again. Therefore I thought I would need claims-based authentication???...
Please enlighten my brain! :D
EDIT 2:
Thank you for your answers!
@Panagiotis Kanavos - yes, we have users accessing the site from outside our environment: 1) Users who have an AD account and are working on their laptops outside of our building (e.g.: they have been all day at a customer and are working at home for the remaining hours) 2) We plan to have users without an AD account --> Forms Based Authentication (e.g.: customers accessing our TFS 2010 project portals to get an overview of the project). As far as I know, if you want FBA and WIN-Auth, you need to configure Claims Based Authentication...
However, configuring a Web Application with Claims Based Authentication did not work. I chose "Enable Windows Authentication" together with "Integrated Windows authentication -> NTLM", as we do not have Kerberos configured (and I'd love to leave it like that ;-)).
However, the users could not log in to that application sometimes, and five minutes afterwards it worked. Additionally, when I added permissions for an AD user, SharePoint seemed to save the token instead of the group/account ID:
e.g.: instead of MyDomain\user1 it saved something like "0|=MyDomain\user1", and for groups it even only saved weird character strings like "022-12.3".
Could it be the case that my Windows 2003 AD does not support that?
If you are using Active Directory and running both sites within your domain, you should not be challenged when users go to either site. It just becomes an implementation issue about who has access to what, either via AD groups or SharePoint groups.
Claims-based authentication is a bit of a different animal. You need to have a security token which contains a number of "claims" about the user, for example UserA is a member of HR and UserB is a member of Sales. Based on these claims you can then have your site/application respond correspondingly. Claims-based auth is relatively new for SharePoint and Microsoft and is a bit of a steeper learning curve. It may make more sense if you have a mixed-mode environment, with both AD and Forms Based users getting access. However, with your described heterogeneous environment it doesn't seem like it's needed.
More info on SharePoint 2010 Authentication is available here.
John
The easiest solution is to create an AD group with the users of both sites and add the group as a user to the Members SharePoint group of each site. This way users will not have to log in at all, since SharePoint will detect the identity of the logged-in user automatically.
Why are you asking about login and claims, and why are you using certificates? None of this is necessary in an intranet scenario where the farm and users are in the same domain, or if the farm's domain trusts the user's domain. Do you have users accessing the site from outside your domain?