How to make sure an Azure account doesn't sign in through the same previous account again even if the previous account is not signed out? - azure-active-directory

I have a web app which implements Azure AD sign-in for authentication. After authenticating the user, with the help of Microsoft Graph I grab a few details like the email of the user and then look for the user in my database.
The problem is, let's say the user gets authenticated with the Azure AD account but the email is not present in the database. In that case I want, when the user tries to authenticate again, the Azure sign-in page to be shown again.
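One way to get the behaviour asked for, as an added example that is not part of the original post: after the token is redeemed and /me has been fetched, an email that is not in the app's database is answered with a fresh redirect to the authorize endpoint carrying `prompt=login`, the OpenID Connect parameter the Microsoft identity platform honours to force the sign-in page even when an Azure AD session cookie exists (`prompt=select_account` shows the account picker instead). The tenant, client id, redirect URI and the `KNOWN_EMAILS` set standing in for the database are assumptions.

```python
"""Force the Azure AD sign-in page to reappear when the authenticated user is unknown to the app.

Added example, not code from the original post. TENANT, CLIENT_ID, REDIRECT_URI
and KNOWN_EMAILS are placeholders (KNOWN_EMAILS stands in for the app's user
table). The authorize endpoint and the `prompt` parameter are the real
Microsoft identity platform v2.0 ones.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "contoso.onmicrosoft.com"                      # assumption: fictitious tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # assumption: placeholder app id
REDIRECT_URI = "https://app.example.com/auth/callback"  # assumption

# Constructed stand-in for the application's user database.
KNOWN_EMAILS = {"alice@contoso.com", "bob@contoso.com"}


def build_authorize_url(force_login: bool, state: str) -> str:
    """v2.0 authorize URL. force_login=True adds prompt=login, so Azure AD shows
    its credential page instead of silently reusing the existing session."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile email User.Read",
        "state": state,
    }
    if force_login:
        params["prompt"] = "login"
    return f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize?" + urlencode(params)


def handle_signed_in_user(graph_me: dict) -> dict:
    """Decide what to do once the code has been redeemed and /me fetched.

    graph_me mirrors the Microsoft Graph /v1.0/me object; `mail` can be null,
    so the userPrincipalName is used as a fallback. Returns a description of
    the action instead of rendering a response.
    """
    email = (graph_me.get("mail") or graph_me.get("userPrincipalName") or "").lower()
    if email in KNOWN_EMAILS:
        return {"action": "login", "email": email}
    # Unknown to the app: create no local session, mint a fresh state value so
    # the retry cannot be replayed with the old one, and force re-authentication.
    state = secrets.token_urlsafe(16)
    return {
        "action": "reauthenticate",
        "email": email,
        "state": state,
        "redirect": build_authorize_url(force_login=True, state=state),
    }


def has_forced_login(url: str) -> bool:
    """True when the authorize URL carries prompt=login."""
    return parse_qs(urlparse(url).query).get("prompt") == ["login"]


if __name__ == "__main__":
    # Constructed /me payload for a user who authenticated but is not in the database.
    unknown = {"mail": "mallory@contoso.com", "userPrincipalName": "mallory@contoso.com"}
    print(handle_signed_in_user(unknown))
```

Without `prompt`, the Azure AD session cookie set during the first attempt makes every later authorize request succeed silently, which is the loop the question describes. The app's own session must also not be created for the unknown user, or the redirect is moot.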

Related

Login with OTP is not getting captured in Azure AD Sign-In Log

We are not able to capture user sign-in details when the user tries to use "Login with OTP" in AAD > Sign-In Logs.
According to the [!NOTE] in azure-docs/view-audit-logs.md at master · MicrosoftDocs/azure-docs (github.com):
You won't be able to see user sign-ins for individual Azure AD B2C applications under the Users section of the Azure Active Directory or Azure AD B2C pages in the Azure portal. The sign-in activity over there shows user activity, but can't be correlated back to the B2C application that the user signed in to. You must use the audit logs to see the sign-in activity for that.
Sign-in logs: (screenshot)
Audit logs: (screenshot)
And we need to note that Audit log events are retained only for seven days.
Reference:
signup-signin-with-phone-number - azure-ad-b2c/samples (github.com)
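An added example (not code from the thread) of reading B2C sign-in activity from the audit log rather than the Sign-in log, as the answer recommends: it builds the Graph `directoryAudits` request filtered on `loggedByService eq 'B2C'`, then reduces a constructed response page to one row per authentication event and reports how many hours remain before each row leaves the seven-day retention window. Field names follow the Graph `directoryAudit` resource; which target resource the B2C service uses to carry the application name is an assumption, so compare the mapping against one real event in your tenant. The HTTP call itself (an app token with `AuditLog.Read.All`) is left to the caller.

```python
"""Query B2C sign-in activity from the audit log, not the Sign-in log.

Added example, not from the original thread. Builds the Graph request and
reduces a CONSTRUCTED directoryAudits page to one row per authentication
event, flagging how long each row has before the seven-day retention purges
it. Which targetResources entry carries the application is an assumption.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
RETENTION = timedelta(days=7)  # B2C audit events are kept for seven days


def b2c_audit_url(since: datetime) -> str:
    """Graph request for B2C audit events at or after `since` (aware datetime)."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = f"loggedByService eq 'B2C' and activityDateTime ge {stamp}"
    query = urlencode({"$filter": flt, "$orderby": "activityDateTime desc"})
    return f"{GRAPH}/auditLogs/directoryAudits?{query}"


def sign_in_events(payload: dict, now: datetime) -> list:
    """One row per B2C authentication event, with hours left before purge."""
    rows = []
    for ev in payload.get("value", []):
        # Core-directory events share the collection; keep only B2C auth events.
        if ev.get("loggedByService") != "B2C" or ev.get("category") != "Authentication":
            continue
        when = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        by_type = {t.get("type"): t for t in ev.get("targetResources", [])}
        user = by_type.get("User", {})
        app = by_type.get("Application", {})  # assumption: app carried as a target resource
        rows.append({
            "time": when.isoformat(),
            "activity": ev.get("activityDisplayName"),
            "result": ev.get("result"),
            "user": user.get("userPrincipalName") or user.get("displayName"),
            "application": app.get("displayName"),
            "hours_until_purge": round((when + RETENTION - now).total_seconds() / 3600, 1),
        })
    return rows


NOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample page: one B2C sign-in plus one unrelated core-directory event.
SAMPLE = {"value": [
    {"id": "e1", "category": "Authentication", "loggedByService": "B2C",
     "activityDisplayName": "Issue an id_token to the application", "result": "success",
     "activityDateTime": "2024-03-01T10:00:00Z",
     "targetResources": [
         {"type": "User", "userPrincipalName": "b2cuser@contosob2c.onmicrosoft.com"},
         {"type": "Application", "displayName": "ContosoMobile"}]},
    {"id": "e2", "category": "UserManagement", "loggedByService": "Core Directory",
     "activityDisplayName": "Update user", "result": "success",
     "activityDateTime": "2024-03-04T09:30:00Z", "targetResources": []},
]}

if __name__ == "__main__":
    print(b2c_audit_url(NOW - RETENTION))
    for row in sign_in_events(SAMPLE, NOW):
        print(row)
```

Because of the seven-day retention, run this on a schedule and write the rows somewhere durable (a SIEM or storage account); the audit log is a buffer, not an archive.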

Azure AD SSO Guest user can't login

On guest user login, on the redirect URI I got an error:
AADSTS1000031: Application {App name} cannot be accessed at this time. Contact your administrator.
I'm using a multi-tenant approach. The authorization URL looks good, and it redirects me with such an error.
But I can't find any description of the error or configuration in Azure related to this error.
Also, "normal" users can log in without any issues.
I have such configuration in my Azure App: (screenshot)
Could you please advise how I can enable guest account support here?
This error can occur if you have not granted admin consent.
Go to Azure Active Directory within the Azure portal.
Go to Application registrations.
Select the Application based on the App-Id.
Go to API Permissions.
Click Grant Admin consent.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
Has this SSO been setup as an Enterprise application?
Or are you just trying to get a guest user logged in to your tenancy as a guest?
If it is the latter, just create a new Guest user within your tenancy; make sure you have the rights to do this first.
Then have the guest user accept the email invitation they receive.
Confirm within Azure they have accepted the invite.
Also make sure they are using the same email address as the invite was sent to and not an alias, which can cause confusion.

Offboarding an Azure AD synchronized user

I have a question. Does anybody know what the exact off-boarding process would look like for an Azure AD user that is synchronized from an on-premises AD (Windows Server AD, see picture below)?
I know what it's like for a normal Azure AD user (I got the information from here: https://www.agileit.com/news/offboarding-office-365/), but I would need to know if there are any differences (for example: differences in completely deleting a user, differences in saving OneDrive content, ...).
Here is the process of offboarding a normal Azure AD user (summarized in my own words):
Sign the user out of OneDrive (initiate sign-out in the Microsoft 365 admin center)
Log the user out of all current sessions:
- Reset the user's password in the Microsoft 365 admin center: create or generate a new password
Save mailbox content, either:
- Migrate the mailbox to another user
- Place the mailbox on Litigation Hold (In-Place Hold, via the Exchange Admin Center)
- Convert it to a shared mailbox
(If the offboarding employee has a company-owned mobile device) block and wipe the employee's mobile device:
- Wipe data & block under Mobile devices (via the Exchange Admin Center)
Block access to Office 365 data (after logging the user out of their current sessions) via the Microsoft 365 admin center
Remove the Office 365 license from the user (via the Microsoft 365 admin center)
Remove the license so the payment for it stops (via the Microsoft 365 admin center)
Delete the user account (via the Microsoft 365 admin center)
If any of you guys know any differences, please help me out. Thank you!
Most of your points about Azure AD users apply to a synced AD user as well.
Some of the differences would be: after logging the user out of all current sessions, they wouldn't be logged off on-prem sessions that are logged in via on-prem AD.
I believe the main difference comes in when/how you delete the user. If you disable the user on-prem and it no longer syncs that user to AAD, that user will be deleted from AAD, along with all the ramifications of deleting the user in AAD: mailbox deleted, etc. Basically, treat an on-prem AD unsync as a delete operation on Azure AD. That's the biggest difference.
One of the caveats with both AAD and AD deletion is: if you turn the mailbox into a shared mailbox, it still has to be anchored to a user. So if you delete the user that it's anchored to, the mailbox will be in an orphaned state. So be careful with that.
As for OneDrive, when the user is deleted from AAD, their "manager" will automatically get access to their OneDrive content for some period of time, usually 30 days, because the content is deleted.
Again, if you stop syncing a user to Azure AD from on-prem, Azure AD treats it as a delete operation.
All this to say: all the other steps in that article are Azure/O365 related, so follow all those steps, and for the last step of delete, don't delete it from Azure AD. Just unsync it or delete from on-prem.
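An added example (not code from either post) that turns the steps above into an ordered plan of Microsoft Graph requests and branches on the `onPremisesSyncEnabled` property, so the final step is a Graph `DELETE` only for a cloud-only account and an on-prem instruction for a synced one; it also refuses to delete when the mailbox has been converted to a shared mailbox, which the answer warns must stay anchored to a user. The plan is returned for review instead of being sent. The endpoints are real; the user records and the license `skuId` are constructed placeholders.

```python
"""Offboarding plan that branches on whether the user is synced from on-prem AD.

Added example, not from the thread. Expresses the steps above as an ordered
list of Microsoft Graph requests and returns them for review instead of
sending them. The Graph endpoints are real; the user records and the license
SKU id are constructed placeholders.
"""
GRAPH = "https://graph.microsoft.com/v1.0"


def offboarding_plan(user: dict, license_skus: list, keep_shared_mailbox: bool = False) -> list:
    uid = user["id"]
    synced = bool(user.get("onPremisesSyncEnabled"))
    plan = [
        # 1. Revoke refresh/session tokens: signs the user out of cloud sessions only;
        #    on-prem (Kerberos/NTLM) sessions are untouched, as the answer notes.
        {"step": "revoke sessions", "method": "POST",
         "url": f"{GRAPH}/users/{uid}/revokeSignInSessions", "body": None, "note": None},
        # 2. Block sign-in. For a synced user on-prem AD is the source of authority,
        #    so the account must also be disabled there.
        {"step": "block sign-in", "method": "PATCH",
         "url": f"{GRAPH}/users/{uid}", "body": {"accountEnabled": False},
         "note": "also disable the on-prem AD account" if synced else None},
    ]
    if license_skus:
        plan.append({"step": "remove licenses", "method": "POST",
                     "url": f"{GRAPH}/users/{uid}/assignLicense",
                     "body": {"addLicenses": [], "removeLicenses": license_skus}, "note": None})
    # 3. Final disposition: three cases, none of which should delete silently.
    if keep_shared_mailbox:
        plan.append({"step": "retain account", "method": None, "url": None, "body": None,
                     "note": "shared mailbox stays anchored to this user object; do not delete it"})
    elif synced:
        plan.append({"step": "delete", "method": None, "url": None, "body": None,
                     "note": "disable, move out of sync scope or delete the on-prem object; "
                             "Azure AD treats the dropped sync as a delete"})
    else:
        plan.append({"step": "delete", "method": "DELETE",
                     "url": f"{GRAPH}/users/{uid}", "body": None, "note": None})
    return plan


# Constructed records, as GET /users/{id}?$select=id,onPremisesSyncEnabled returns them.
SYNCED_USER = {"id": "11111111-1111-1111-1111-111111111111", "onPremisesSyncEnabled": True}
CLOUD_USER = {"id": "22222222-2222-2222-2222-222222222222", "onPremisesSyncEnabled": None}
E3_SKU = "00000000-0000-0000-0000-00000000e3e3"  # placeholder skuId, not a real one

if __name__ == "__main__":
    for u in (SYNCED_USER, CLOUD_USER):
        for step in offboarding_plan(u, [E3_SKU]):
            print(step["step"], step["method"], step["url"], step["note"])
```

Mailbox retention choices (litigation hold, migration, shared mailbox) are deliberately outside the plan: they are Exchange decisions that must be made before the delete step, and the `keep_shared_mailbox` flag only stops the plan from undoing one of them.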

MS Graph : Get user roles and mobile phone

Where does MS Graph get the user information from when I run "https://graph.microsoft.com/v1.0/me/"? I have entered a mobile phone in my profile in both Azure AD and Office 365, but it still won't show up when I run /me.
How do I get the Azure AD user's role after a successful Azure AD login? Must I have a Premium paid account to get it?
I can use https://graph.microsoft.com/v1.0/me?$select=mobilePhone to get the mobile phone.
Please give it a try.
For how to get the Azure AD user's role, please refer to List memberOf.
You will get a response like this (screenshot):
"Company Administrator" means the role of the user is Global Admin.

Microsoft Graph Azure AD User Out Of Sync

When I log on to the Microsoft Graph Explorer with my Microsoft account and run the following query, https://graph.microsoft.com/v1.0/users/, I get the correct user returned.
On Azure AD (using the same login) I created an application with a key, and when I sign in through C# using Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredentials with a token for resource https://graph.microsoft.com and run the same query, I get a completely different user. They are out of sync and I'm baffled.
Any ideas? Should I create a new Azure account as I've had the Azure account from day 1 and I'm only doing this now to test for a client request.
Don't create a new Azure account. When you are using Graph Explorer, are you signed in with a user from your Azure AD tenant? If not, Graph Explorer will default to use a demo tenant for your queries.
Also (if you have more than one tenant) you need to make sure that you select the correct tenant as part of the token acquisition (from https://login.microsoftonline.com/{tenantId | tenantDomain}). If you want the results to match between Graph Explorer and your app, the tenant the signed-in user belongs to (for the Graph Explorer case) and the tenant used by your app need to be the same.
UPDATE based on comment below:
I think I know what's going on here. In graph explorer, you are signing in with your personal account - and it's showing you profile data of that personal account, including the unique ID for this account in the Microsoft Account system. In this case you aren't signing into an Azure AD tenant at all. Microsoft Graph supports access from both personal and commercial accounts.
Now, additionally, I'm guessing when you signed up for an Azure subscription, you used this personal account. When you do that, it creates an Azure AD tenant, and creates a guest user in that tenant that is (linked to) your personal account - this account is also configured as an admin account. This mechanism allows you to sign in with your personal account (authenticated by the Microsoft Account system) into an Azure AD tenant, because the personal account maps to this guest user in your tenant. In your application, you are getting an app token to your Azure AD tenant. When you query the tenant for users, you don't see any user with the same id or email address as you did with graph explorer. However if you actually look at the userPrincipalName, you'll see it should be a mangled form of the original email address of your personal account. This indicates that this Azure AD user account in your tenant is a guest/external user (similar to a foreign principal).
Hope this helps,
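An added example serving both the guest-login answer earlier on the page (confirm the invitation was accepted and that the same address as the invite was used) and this answer (the personal account appears in the tenant as a guest whose `userPrincipalName` is the mangled `user_domain#EXT#@tenant` form). It is not code from either thread. It recovers the original address from the mangled UPN, classifies each record as member or guest with its invitation state, matches the address a person signs in with to the tenant object, and builds a tenant-scoped authority so the app cannot silently resolve to a different tenant than Graph Explorer. The user records are constructed; `userType`, `externalUserState`, `userPrincipalName` and `mail` are the Graph user properties.

```python
"""Tell guest (external) users from members, recover the invited address from the
mangled UPN, and check whether the invitation was accepted.

Added example, not code from either thread. The USERS listing is constructed;
the property names are those of the Graph user resource.
"""
import re
from typing import Optional

# jane_gmail.com#EXT#@contoso.onmicrosoft.com  ->  local="jane", domain="gmail.com"
EXT_UPN = re.compile(r"^(?P<local>.+)_(?P<domain>[^_]+)#EXT#@(?P<tenant>.+)$", re.IGNORECASE)


def authority(tenant: str) -> str:
    """Tenant-scoped authority. The multi-tenant aliases are refused so the app
    and Graph Explorer cannot end up querying different tenants."""
    if tenant.lower() in {"common", "organizations", "consumers"}:
        raise ValueError("use the tenant id or a verified domain, not a multi-tenant alias")
    return f"https://login.microsoftonline.com/{tenant}"


def original_email(upn: str) -> Optional[str]:
    """Undo the #EXT# mangling; None for a normal member UPN."""
    m = EXT_UPN.match(upn)
    return f"{m['local']}@{m['domain']}" if m else None


def classify(user: dict) -> dict:
    upn = user.get("userPrincipalName", "")
    guest = user.get("userType") == "Guest" or "#EXT#" in upn.upper()
    state = user.get("externalUserState")  # PendingAcceptance | Accepted | None for members
    return {
        "upn": upn,
        "guest": guest,
        "invite_accepted": (state == "Accepted") if guest else None,
        "email": (user.get("mail") or original_email(upn) or upn).lower(),
    }


def find_by_email(users: list, email: str) -> Optional[dict]:
    """Match the address a person signs in with (e.g. in Graph Explorer) to the
    tenant object, which may carry it only inside the mangled UPN."""
    wanted = email.lower()
    return next((classify(u) for u in users if classify(u)["email"] == wanted), None)


# Constructed listing, as GET /users?$select=userPrincipalName,mail,userType,externalUserState
# might return it: one member, one pending guest, one accepted guest (the subscription owner).
USERS = [
    {"userPrincipalName": "bob@contoso.onmicrosoft.com", "mail": "bob@contoso.com", "userType": "Member"},
    {"userPrincipalName": "jane_gmail.com#EXT#@contoso.onmicrosoft.com", "mail": None,
     "userType": "Guest", "externalUserState": "PendingAcceptance"},
    {"userPrincipalName": "owner_outlook.com#EXT#@contoso.onmicrosoft.com", "mail": "owner@outlook.com",
     "userType": "Guest", "externalUserState": "Accepted"},
]

if __name__ == "__main__":
    print(authority("contoso.onmicrosoft.com"))
    for u in USERS:
        print(classify(u))
    print(find_by_email(USERS, "Jane@Gmail.com"))
```

A guest still in `PendingAcceptance` has never redeemed the invitation, which is the "confirm within Azure they have accepted the invite" check from the guest-login answer; a lookup that returns no match for the address the person typed usually means an alias was used rather than the invited address.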
