We moved most in our company to outlook for mobile app on there phones, however some have not yet moved. We want to block exchange active sync via CA policies. I'm most positive I set it up correctly however a few users that I placed in the include policy are still able to use it. Please see policy below and if anyone has any ideas that would be great thanks.
Note : We do not have Intune and have no plans on purchasing. Also we have all users under an azure p1 plan.
Policy
Users and Workloads
-Include
--Users in question
Cloud Apps or actions
-All Cloud Apps (include)
Conditions
-Client Apps
--Exchange Active Sync
Access Controls
-Grant
--Block Access
Thanks.
To block exchange active sync via CA policies please check this official document make sure before using conditional policy try to Enable security defaults as yes
In Conditional Access Policy follow the below steps;
In Users and groups select all users
Cloud apps or actions click Select Apps and import Office 365 Exchange Online
In condition at device platform select any device and in client apps select Mobile apps and desktop clients and Exchange
Grant block access and enable policy
For more information in detail, please refer below links:
Blocking ActiveSync with Conditional Access credits by Adam Fowler
Related
I have a React Application that uses Microsoft AD to authenticate users.
As a first step, and according to Microsoft Documentation, we need to register the application with the Microsoft identity platform.
This is inline with Microsoft Identity Platform Documentation, in this diagram we can see that for ALL types of applications (SPA, Web App, etc), we always need to configure an application in AzureAD:
This process is "cumbersome", and i'm trying to remove it by having the application installed automatically.
Several third-parties do this, such as Zapier, SpecFlow, etc.
Basically, they have a process where:
User logs in on Zapier
User is redirected to Azure AD sign-in page
User is authenticated and authorized
AzureAD shows the Consent Page
User consents
Application is installed on user's AzureAD
I've been reading and searching in Microsoft's Documentation, and i cannot find a single document that shows or even mentions this type of flow.
BUT, i know that this is possible, as there are several third parties that are doing exactly this, as Zapier, for example.
Can anyone point me in the right direction, there must exist some Microsoft document that explains how this process is done!
Apologies if this should be a comment, not an answer. I do not have enough SO reputation to write comments.
Zapier is published to the Azure Active Directory application gallery (1c76d9b0-0826-4b19-8706-29572657af1e). You can do this as well:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing
If an application already exists in the gallery, it does not need to be "registered" in the user's tenant, as the registration definition is defined in the gallery.
Once an app is in the gallery, users can use it only if their tenant's administrators allow this, per the settings on this page:
Enterprise applications | User settings
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/UserSettings
From the user's end, there are other governance controls that may impact the user's ability to use your app, but I think "register your app in the gallery" is probably what you're asking for.
I have a web app that uses the Azure Active Directory (AD) login (Microsoft login), where I have a development environment, staging, and production environment.
The AD login works for my development environment, but I am getting an error when I try to use the same login for my staging environment.
The error I am getting is
Your sign-in was successful but did not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location your admin restricts
I am attaching the screenshot for more details. Any help is highly appreciable.
Best Regards,
Janak Darji
I have tried to enter my public IP under the network tab as an allowed IP but that didn't work.
You can follow steps below to find which policy cause the issue.
Sign-in your azure portal, and click Azure Active Directory.
Find the user, and click it.
Find the sign-in logs.
Then you can find the login record. And Click it to check the Conditional Access. You can find which policy block it.
You can disable all the policy for test.
You are being blocked by a conditional access policy
In your Azure AD you can use the What If tool to troubleshoot Conditional Access policies
The Conditional Access What If policy tool allows you to understand the impact of Conditional Access policies in your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
You can find the What If tool in the Azure portal under Azure Active Directory > Security > Conditional Access > What If.
Before you can run the What If tool, you must provide the conditions you want to evaluate.
The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions
Hope this helps!
We are trying to integrate Onedrive with a WebApplication. Intent is to get the content from Onedrive into WebApplication on any event.
We are able to integrate and using the "APP Register" in Azure Active Directory and configuring with Graph API for delegation and then using the client id, client secret and tenant id from WebApplication.
Here, I would like to understand, Is it possible for us to create an app on our azure subscription and have a way for others (other companies/clients) to install it on their azure system using OAuth process in order to avoid any creation of app and sharing other details.
Please let me know if the query is clear or not. If not, I will explain more in detail.
Thanks
Sakti
Yes, you can share your application with other organizations, you only need to change your application to a multi-tenant application, because changing the application to multi-tenant application allows any tenant to log in.
Next, you need to request the consent of the administrators of other organization tenants. You can send the login request URL: https://login.microsoftonline.com/{Other company tenant_id}/adminconsent?client_id={client-id}. After the administrator consent, it will be added to other organization tenants as an enterprise application in.
However, you need to note that after sharing your application, the permissions granted to it in the original tenant will not exist. If you need the application to access the resources of other company tenants, you must request the other company's IT to grant similar access permissions.
We are looking to set up a solution to monitor primarily the Global Admin role in Azure AD, so if a user is added to or removed from the role an e-mail is sent to a specific mailbox.
On our local AD we have a working solution for this, but I can't seem to find a similar solution for AAD.
In the Office 365 Security & Compliance Center > Alerts > Alert Policies there is a policy called "Elevation of Exchange admin privilege" which basically does what I want, except it only targets the Exchange Admin role.
I've tried creating a new policy from scratch, but as far as I can tell there is no way to choose to target a specific role. There is only the "Granted Exchange admin permission" and nothing really comes up when I search for "role" or "admin" in the "Activity is" drop down.
I've also looked at the MCAS (MS Cloud App Security) policies but nothing there seems to be what I need either.
I found this article: Monitor Office 365 admin role changes in all customer tenants but it seems to be geared more towards multitenant environments and requires quite a bit och additional setup. I was hoping there was a simpler solution for a single tenant environment.
Kind regards
If you have MCAS, I think it's possible that you have PIM as well (privileged identity Management. it requires aad P2 skus. But assuming you do, then it's very simple to do this. You would just go into the PIM in azure, click azure ad roles, click manage roles, choose the global admin role, Click role settings, and you will see options like this
If you don't have PIM, then it becomes quite a bit more complicated but could probably be less complicated than your example, you could set up log analytics to ingest azure ad data, and using a query pull out that information (role assignment event for example), then you could set up an alert in monitor referencing a log analytics workspace. https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics
I am using Office 365 to manage my calendars. I would just like to publish one of my calendars to my blog. Also, I would like to fully control the style of the calendar. I can enter API URLs into the browser and basic authentication to access my own calendars. So, I could do that from the server to build my calendar page using a server side http client. In this case, I don't really need the full power of OAuth2, which is mainly for letting multiple visitors manage their own content on a third-party site.
It would be nice if Microsoft's Office365 libraries would handle this scenario. It could also include a step where I register for a keys similar to the way Google Maps does. Or do they offer this already?
Does anyone know what steps to take so my scenario would work? Also, would I run up against any usage limits for a popular blog?
While the API is supporting Basic at the moment, that will eventually go away. You can definitely make your scenario work using the authorization code grant flow that's in place today, but it sounds like you may be more interested in the client credential flow which we are going to be releasing support for soon. That would allow you as the administrator of your Office 365 organization to authorize an app to access calendars in your organization without requiring user sign-in.
You register for client IDs and client secrets via Azure AD.
Azure AD is included with Office 365, and registering apps doesn't include any additional paid Azure services.
The client IDs and secrets obtained with the Visual Studio tool are permanent, and not just for debugging. Can you point me at the documentation that said otherwise so I can get it corrected? :)