Changing UPN to a Mail Id - azure-active-directory

By default, the User Principal Name and mail for O365 are the same, but how do I change the User Principal Name, and how can I create a user with a different User Principal Name and a different mail?

To change the User Principal Name, execute the following command:
Set-MsolUserPrincipalName -UserPrincipalName "davidc@contoso.com" -NewUserPrincipalName "davidchew@contoso.com"
The Set-MsolUserPrincipalName cmdlet changes the User Principal Name, or user ID, of a user.
It is not recommended to use a different UPN and mail ID, for the following reasons:
User confusion
Skype for Business Online
Office ProPlus
Mobile Applications
ActiveSync
For more detail, refer to these links: Ref1, Ref2.
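The one-line Set-MsolUserPrincipalName call in the answer does no checking at all. The script below is an added example, not part of the original answer or of Microsoft's documentation: it wraps the rename in the checks an administrator usually wants before changing a sign-in name (the account is not synced from on-premises AD, the new suffix is a verified domain, the target UPN is free) and then reads the object back. The UPNs and domain are placeholders; the MSOnline module and an existing Connect-MsolService session are assumed.

```powershell
# Added example; not part of the original answer. The UPNs and domain below
# are placeholders. Requires the MSOnline module and a prior Connect-MsolService.
function Rename-MsolUpn {
    param(
        [Parameter(Mandatory)][string]$OldUpn,
        [Parameter(Mandatory)][string]$NewUpn
    )

    # 1. Refuse to touch accounts synchronised from on-premises AD: the next
    #    sync cycle would overwrite the change, so it belongs in on-prem AD.
    $user = Get-MsolUser -UserPrincipalName $OldUpn
    if ($user.LastDirSyncTime) {
        throw "$OldUpn is directory-synced; change the UPN in on-premises AD instead."
    }

    # 2. The new suffix must be a domain this tenant has verified.
    $suffix = $NewUpn.Split('@')[-1]
    $domain = Get-MsolDomain -DomainName $suffix -ErrorAction SilentlyContinue
    if (-not $domain -or $domain.Status -ne 'Verified') {
        throw "'$suffix' is not a verified domain in this tenant."
    }

    # 3. The target UPN must be free; a collision fails or misroutes sign-ins.
    if (Get-MsolUser -UserPrincipalName $NewUpn -ErrorAction SilentlyContinue) {
        throw "'$NewUpn' is already assigned to another account."
    }

    # 4. Make the change and read the object back to confirm it took effect.
    #    The primary SMTP address is shown beside the UPN so a mismatch between
    #    the two (the situation the answer warns about) is visible immediately.
    Set-MsolUserPrincipalName -UserPrincipalName $OldUpn -NewUserPrincipalName $NewUpn
    $after = Get-MsolUser -UserPrincipalName $NewUpn
    [pscustomobject]@{
        DisplayName = $after.DisplayName
        OldUpn      = $OldUpn
        NewUpn      = $after.UserPrincipalName
        PrimarySmtp = ($after.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:'
    }
}

# Placeholder values for the call.
Rename-MsolUpn -OldUpn 'davidc@contoso.com' -NewUpn 'davidchew@contoso.com'
```

The MSOnline module is deprecated; on Microsoft Graph PowerShell the equivalent of step 4 is Update-MgUser -UserId $OldUpn -UserPrincipalName $NewUpn, and the same three checks still apply.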

On the Snowflake Users page, what does "Create New User for Service Account" mean? Why does this link show up for two of my snowflake users?

For two of my snowflake user accounts, an icon is showing up on the right that has a popup when I hover over it:
Why is this link showing up for two of my users?
Obviously I'm now confused about what these two "users" are and how they were created:
Are these users really service accounts?
If so, what is a snowflake service account and how does that differ from a user?
How do I designate some user accounts as service accounts and what are the pros/cons of doing so?
I've tried clicking the button and it just takes me to the user account details page and I don't see any "create user" type of language on the account details page.
I've tried to find anything in Snowflake's documentation that indicates a difference between service accounts and user accounts, but I only find blog posts about how you need to treat your service accounts with care (and implement password rotation policies, etc.).
I can't find anything definitive (yet) about designating users as "service accounts". (The closest thing is this Stack Overflow question about how service accounts are the same as normal user accounts.)
Obviously there is something special about these two user accounts, though, since the snowflake UI is indicating these two users are actually service accounts.
The icon appears when a comment is set for the user. You can set this comment yourself on a user to describe what it is for.
You may set or unset it using these statements:
alter user user1 set comment='Create New User for Service Account';
alter user user1 unset comment;
More details: https://docs.snowflake.com/en/sql-reference/sql/alter-user.html#alter-user

Is it possible to check if a user belongs to an AD group without user password?

Is it just me who finds AD groups very complex? ;-(
I have a web service that only allows a certain number of role groups to have access. Say we allow people within role group 'rGroupA' to have access.
At some point, a user logs on to our web server, and we have the user name. However, we would not like to ask the user to type in the password.
Is it possible for us to know if this user belongs to 'rGroupA' somehow?
Currently, I can log on to our LDAP server with my username and password and see the list of groups I am in. However, I cannot search for the groups of my colleagues.
I have searched Google for a while but haven't found the answer. It could be that I don't understand the LDAP mechanism very well.
Many thanks!

Where to accept invitations in Azure for static web apps?

I'm building a static website in Azure and want to use this function:
https://learn.microsoft.com/de-de/azure/static-web-apps/authentication-authorization
When I try to invite a user, it explains that an administrator has to accept this invitation, but where does he have to do this? I cannot see an option for this in portal.azure.com.
It also seems not to be possible to "preload" the role assignments for the users, because on the "access management" page for this website in portal.azure.com it grants access to the complete resource in portal.azure.com, but I just want the user to use the website.
Any ideas?
Thanks,
kind regards
If you are following the invitation instructions in that document, you need to copy the link from the "Invite" link box and actually send it to the person.
Navigate to a Static Web Apps resource in the Azure portal.
Under Settings, click on Role Management.
Click on the Invite button.
Select an Authorization provider from the list of options.
Add either the username or email address of the recipient in the Invitee details box. For GitHub and Twitter, you enter the username. For all others, enter the recipient's email address.
Select the domain of your static site from the Domain drop-down.
The domain you select is the domain that appears in the invitation. If you have a custom domain associated with your site, you probably want to choose the custom domain.
Add a comma-separated list of role names in the Role box.
Enter the maximum number of hours you want the invitation to remain valid.
The maximum possible limit is 168 hours, which is 7 days.
Click the Generate button.
Copy the link from the Invite link box.
Email the invitation link to the person you're granting access to your app.

Why email address and domain address for developers in AD?

Every developer in my company has one email address, e.g. Name@country.domain.com.
But they also have a domain address/name, Name@country.domain.net (hereafter referred to as DN).
This is causing a lot of confusion
One is used as email (.com) while the other is not, even though they both look like emails.
Some applications use the DN to provide access; some applications use the email address to provide access.
Some developers' country changed, and they decided not to change the email, which was okay for the network admin. But the DN had to be changed to the correct country they are in. Why is it mandatory for the domain address to change the country while the email can remain as it is?
Due to the last problem (#3), we had to find the applications that use the DN and update them all.
Here are some more questions:
Why is there an email address and then a DN; why can't there be only one?
What exactly is the purpose of the DN?
Does every user need to have this (or just developers)?
The abbreviation "DN" refers to the distinguishedName attribute in AD. It also uniquely identifies the account, but it is not what you're talking about here.
What you're talking about is the userPrincipalName attribute (or UPN). It is usually the "username" (sAMAccountName attribute) followed by @ and the DNS domain name of the AD domain. It sounds like that is how your organization is set up. Since the accounts moved domains, the domain portion of the UPN needs to change.
However, technically, the UPN suffix (the domain portion) can be anything, especially any domain that your organization controls. It could even be set the same as the email address, it just doesn't have to be.
So if the UPN in your organization does not match the email address, then either your admins just haven't put the effort into making that happen, or they have a reason for not doing so.
You cannot authenticate to AD directly with an email address. If an application just asks for an email and password and uses that to authenticate against AD, then it has to look up that email address in the domain to find the username, and then use the username (either sAMAccountName or userPrincipalName) to authenticate.
There is some more reading here that might help: User Naming Attributes
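Two of the questions on this page come down to the same directory operations: the earlier one asks how a web server can tell whether a logged-on user is in 'rGroupA' without asking for the user's password, and the answer above explains that an email address first has to be resolved to a sAMAccountName or UPN before AD can authenticate anything. The script below is an added example, not code from either question or answer. It binds with a low-privilege service account (the user's own password is never needed for a membership lookup), resolves an email address to the account names AD actually uses, and then does a transitive group check in a single query using the LDAP_MATCHING_RULE_IN_CHAIN matching rule, so nested groups are covered. The LDAP path, service account, user and group DN are all placeholders.

```powershell
# Added example (not from the questions or answers on this page). The LDAP path,
# service account, user and group below are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$LdapPath = 'LDAP://dc01.corp.example.com/DC=corp,DC=example,DC=com'
$SvcUser  = 'CORP\svc-webapp'   # read-only service account; never the end user's credentials
$SvcPass  = 'replace-me'        # in real use, load from a secret store, not source code

# Escape caller-supplied text before it goes into an LDAP filter (RFC 4515).
# Without this, a username such as "*)(objectClass=*" would widen the search.
function ConvertTo-LdapFilterLiteral([string]$Value) {
    $escaped = $Value -replace '\\', '\5c'   # backslash first so later escapes stay intact
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function Get-AdSearcher {
    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $SvcUser, $SvcPass)
    return New-Object System.DirectoryServices.DirectorySearcher($root)
}

# Resolve an e-mail address to the names AD authenticates with (sAMAccountName / UPN).
function Find-AdUserByMail([string]$Mail) {
    $s = Get-AdSearcher
    $s.Filter = "(&(objectCategory=person)(objectClass=user)(mail=$(ConvertTo-LdapFilterLiteral $Mail)))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName', 'distinguishedName'))
    $r = $s.FindOne()
    if (-not $r) { return $null }
    [pscustomobject]@{
        SamAccountName    = [string]$r.Properties['samaccountname'][0]
        UserPrincipalName = [string]$r.Properties['userprincipalname'][0]
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
    }
}

# Transitive membership check: the matching rule OID 1.2.840.113556.1.4.1941
# (LDAP_MATCHING_RULE_IN_CHAIN) makes AD walk nested groups server-side, so one
# query answers "is this user in rGroupA, directly or through another group?".
function Test-AdGroupMember([string]$SamAccountName, [string]$GroupDn) {
    $s = Get-AdSearcher
    $u = ConvertTo-LdapFilterLiteral $SamAccountName
    $g = ConvertTo-LdapFilterLiteral $GroupDn
    $s.Filter = "(&(objectClass=user)(sAMAccountName=$u)(memberOf:1.2.840.113556.1.4.1941:=$g))"
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    return ($null -ne $s.FindOne())
}

# Usage: the web server knows who logged on (here by e-mail) but not their password.
$user = Find-AdUserByMail 'alice@corp.example.com'
if ($user -and (Test-AdGroupMember $user.SamAccountName 'CN=rGroupA,OU=Groups,DC=corp,DC=example,DC=com')) {
    "allow: $($user.UserPrincipalName)"
} else {
    'deny'
}
```

Two caveats for production use: a user's primary group (normally Domain Users) is not listed in memberOf and so is not found by this filter, and the service account should be a plain domain account with read access only, since anything that can read the directory broadly is worth protecting on its own.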

Is Azure Active Directory extension property searchable

User story: an anonymous user should be able to create a survey and paste in survey participants' emails from their Outlook; these participants will become valid users in AD, with their emails as the primary search key, stored as an extension property in AD. Users will get mail notifying them that a survey is ready for them, etc.
Since the Azure Email property is only readable, I can only add the user mail as an extension property. When an extension property such as "SkypeID" or "Email" is added, is it also searchable?
ex. DirectoryService.users.Where(it => it.myproperty != null && it.myproperty.Equals("test@gmail.com")).SingleOrDefault();
Let's assume that I want to give access to anonymous user creating user in Active directory, (Sorry, did not try this one myself before asking), does it work without using a user identity as company administrator?
Yes, extension attributes are searchable. Use a query like the one referenced at the GitHub README for my OrgChart extensions sample application. The link should look something like this:
GET https://graph.windows.net/contoso.com/users/joe@contoso.com?api-version=1.21-preview&$filter=extension_d8dde29f1095422e91537a6cb22a2f74_skypeId+eq+'joe.smith'
To allow an anonymous user to create a user in ActiveDirectory you could create an application with write permissions to your directory and have that application allow anonymous access. My OrgChart extensions sample application allows you to create and delete users, but you need to provide it application credentials and a tenant where that app has write consent.
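The filter URL in the answer is the whole technique; what it leaves implicit is how the extension attribute name is formed and how the value has to be quoted. The script below is an added example, not code from the answer or from the OrgChart sample it mentions. It builds the extension_<appId>_<name> attribute name, quotes the search value as an OData string literal (doubling embedded single quotes, so a value containing a quote cannot rewrite the filter), URL-encodes the filter and runs it against the users collection on the same Azure AD Graph endpoint and api-version the answer shows. The tenant, application id, attribute name and the way the bearer token is obtained are placeholders.

```powershell
# Added example; not from the answer or the OrgChart sample. Tenant, app id,
# attribute name and token acquisition are placeholders.
$Tenant      = 'contoso.com'
$AppIdNoDash = 'd8dde29f1095422e91537a6cb22a2f74'   # registering app's id, dashes removed
$AccessToken = $env:AAD_GRAPH_TOKEN                 # acquired out of band by the application

# Directory extension attributes are named extension_<appId-without-dashes>_<name>.
function Get-ExtensionAttributeName([string]$AppId, [string]$Name) {
    'extension_{0}_{1}' -f $AppId, $Name
}

# OData string literals escape an embedded single quote by doubling it. Without
# this, a value such as O'Brien breaks the filter, and crafted input can alter it.
function ConvertTo-ODataStringLiteral([string]$Value) {
    "'" + ($Value -replace "'", "''") + "'"
}

# Build the $filter expression, encode it and query the users collection.
function Find-UserByExtension([string]$Name, [string]$Value) {
    $attr   = Get-ExtensionAttributeName $AppIdNoDash $Name
    $filter = '{0} eq {1}' -f $attr, (ConvertTo-ODataStringLiteral $Value)
    $uri    = 'https://graph.windows.net/{0}/users?api-version=1.21-preview&$filter={1}' -f `
              $Tenant, [uri]::EscapeDataString($filter)
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    $resp.value | Select-Object userPrincipalName, displayName, $attr
}

# Placeholder lookup: which user carries skypeId 'joe.smith'?
Find-UserByExtension -Name 'skypeId' -Value 'joe.smith'
```

Azure AD Graph has since been retired; on Microsoft Graph the equivalent request is GET https://graph.microsoft.com/v1.0/users?$filter=extension_<appId>_skypeId eq 'joe.smith', with the same attribute naming and quoting rules. Whatever anonymous front end the survey has should call code like this on the server with a token scoped to the read permission the query needs, rather than holding directory credentials itself.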
