Hopefully someone can help me get my head around this one.
As an example, I have a single AzureAD tenant with 4 users, 4 enterprise applications and 4 locations connect via Oauth2.
User1 may need access to App1 at Location1.
User1 may also need access to App2 and App3 at Location2.
It is possible for all apps to be available a location.
I am looking for the best possible way to organize this in AzureAD. My app will query for data /grant access using Graph API.
Any help would be great
Cheers
Yes this can be possible you just need to create a conditional access policies under tenant->Secuirity->Conditional Access.
User1 may need access to App1 at Location1. User1 may also need access
to App2 and App3 at Location2. It is possible for all apps to be
available a location
for this scenario you need to create two conditions access policy for same user one for App1 at Location1 and second for App2 and App3 at Location2
You can refer this Document to create a plocies for a Named Location
Related
You've got this great new feature in Azure AD under Entitlement management: Access Packages.
Packages including groups and what more for specific users and roles.
https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create
The issue I'm struggling with, is how can I add users by dynamic group without them having to request access first?
I feel like I'm overseeing something, but as it looks now you can only add a Dynamic Group & the users in the group can request access to the AccessPackages.
Has anyone else dealt with this already?
Please check the references and if below can be worked around in your case.
According to Create a new access package in entitlement management - Azure AD | Microsoft Docs.
If you want to bypass access requests and allow administrators to directly assign specific users to this access package. click None (administrator direct assignments only) in request section to create a policy where users need not request for access. For this group selection is not there.Users won't have to request the access package.
But if you need to select specific dynamic group for policy .
You can create a access package with dynamic groups selected .
You can create a policy separately for the users for dynamic group with require approval disabled and requests disabled.
Then while assignment requests are bypassed and approved even if the policy has request approval.
Even if require approval and requests are enabled in first step, you can set a separate policy by setting the by pass approval to yes.
Note :Dynamic group is to be given the owner role for access packages.
Reference: active-directory-entitlement-management-request-policy | (github)
Can anyone tell me what is the difference between a MS AD user created inside the Users Container and the ones that i can create, directly at the root of my domain?
I am kind of running into some issues with the authentication with the users that i created at the root
The won't be any difference between users you create yourself in both places. However, the Users container is where the built-in user objects are, and there are differences between the built-in user objects and users you create yourself.
If you tell us what issues you're having, I might be able to help more.
Usually, your user accounts should go in an Organizational Unit (OU), since policies can be applied to those (policies cannot be applied to containers).
I was wondering how would I go about provisioning a team that will have hundreds of guest users?
I looked at PowerShell and School Data Sync, but it's only possible to add members within the organization. Is there a way to add about 13.000 guests (in an organisation that has 250 employees), without having to add them individually?
It's an EDU tenant.
We would split 13.000 users to multiple teams, so 10k limit will not be reached per team.
Thanks
Well there are two ways to do this. One which you already mentioned - PowerShell - You can add people outside your organization(Guests). Adding guests is a two step process. 1st you need to invite user, 2nd add him to the team. Check this documentation for how to add the guest and how to add bulk users using PowerShell script.
And second option is to use api.
As per my knowledge, you have to add guest users in azure active directory. If you need some special features like MFA then for guest users you can add up to 5 guest users for 1 license otherwise there are no restrictions. In the past I created 132 guest users for my azure account.
Yes, it is possible to add guest users in your Teams organization.
Add guest users as mail contacts in your exchange organization
Add the contacts in to Teams
You can find a short video tutorial prepared in my blog explaining this in the link shown below:
If you are looking for the solution which I explain in my blog, I can help out further in preparing PowerShell script to add all users by PowerShell cmdlet
Add External Contacts in Microsoft Teams
Thanks,
Manu
I have two applications in my workspace, APP 1 and APP 2.
In my case, user will log in to APP 1. from there, i put a menu(or a link) to APP 2. however APP 2 requires authentication. So it will take me to a login page. i would like to eliminate that and get the current user's credentials on APP 1 and login to APP 2.
i'm looking for a simple straightforward method (but need to consider security) to login to APP 2.
what i could think of is apex_collection..i could store credentials n use it to create a login process for APP 2. however apex_collection is session based. eventhough i've set session for APP 2, it still wont read values from my apex_collection.
Does anyone have a suggestion or a solution?
All you need to do is use the same authentication scheme in both applications and set the cookie name attribute to the same value in both authentication schemes like this:
APEX will then use the same session across the two applications and the user will not have to log in again when they navigate from one to the other, provided of course that you pass the SESSION_ID in the URL.
A Few Comments on Default APEX Workspace Authentication Security
It may also be helpful to expand on an explanation of why the solution posted by #TonyAndrews works.
For any Apex Apps within the same workspace, if they use the default "APEX Application Authentication" method, they will consult the same authentication user list... so USER1 and its password is a valid login for any of the "neighboring" applications...
This may be a concern if you are hosting different clients or users that should not be intermingling with the other applications. You can also define user GROUPS in the same place as you set up each workspace user. Each application can have its own security filter that permits access by membership of BOTH user/password authentication AND membership in the appropriate access group.
Sharing workspaces may also be a problem because of the unique user name restriction of a single workspace. You can get around that by:
Defining different name-spaces for each application:
Email addresses are good: "someuser#sampledomain.com"
An app id prefix such as: SHOP_EDNA, SHOP_GARRETT, TC_KAREN, TC_MARLOWE, MY_BORIS etc.
Different name styles: first name only, first name + last initial, etc.
To keep things simple, you can always just spin up a brand new workspace: a warning however is that common user names like `ADMIN` are NOT the same between separate workspaces. There shouldn't be much concern however because apps or workspace users may have the same or different schema access privileges to the database back end.
A Word of Caution to Administrators and Developers:
When you go live with an application or multiple applications on a user-facing system, keep in mind the deployment destination (i.e., the workspace) and what else is sharing that workspace. There are some real situations where apps are not intended to be shared or accessed by other "inside" users. Be sure to read up and understand the security constraints and methods of using Default Apex Authentication security so that it's more than luck that protects your own production/live deployed applications.
I do have the similar requirement, linking from one application page to another.
Tried the above mentioned solution, but still asking to login to second application. My Apex ver is 5.0.3 and trying in same workspace.
Created new authentication schemes for each app with same cookie name and set them as current authentication. Scheme type are Application express accounts.
Setting the link as below from first app page to second.
href="http://servername:port/apex/f?p=224:2:&APP_SESSION"
Could anyone provide a solution, please?
Just an update on this.
I am currently using v21.2 and this is how I do it:
In both applications, go to Shared Components > Authentication Schemes > (Select your Auth Scheme);
Scroll down to Session Sharing and select 'Workspace Sharing';
In one of the applications (source), create a link (as a Navigation Bar List entry, for example) like f?p=173:1:&SESSION., where 173 is the target application ID and 1 is the target page.
After some research, I've found out that this feature (Session Sharing Type) is available since v18 of APEX.
I'm building four websites. They all should have the same login-datas (user can registrate on website 1 and also can use website 2 and 3 by using the same Login-Name).
My idea was to use the MS SQL Membershipprovider (good idea?).
Now I don't know where to place the SQL-Mebershipprovider (in an extra databse? or together with the websites? -> sound like getting chaos^^)
A other idea I've read was to create a webservice to the authentification?
But I think I'm getting problems with the data consitency, because I think there is no way to point from one database to an other (linking for example the usertable in database one to the texttable in databse 2).
I want to use MVC3 and a MS SQL-database.
Any experiences or ideas?
Thanks a lot!
You can use a separate membership database to do this and just point the providers of each site at this database.
If you wanted to use the role provider you would have to have the same roles in all four websites which may not be what you want. You could use a central database to just handle authentication and then create a local user record in each website that links back to your central user database (you will have to do this linking manually i.e. no relationship). This will then let you role your own role provider for each site.