Azure Active Directory PIM with guest users - azure-active-directory

We have a company giving us managed support for our Azure subscription.
Can we enable MFA for them as well, i.e. for guest accounts?
Does Azure AD PIM work for external users, i.e. guest accounts?

Yes. It's best practice to enforce MFA for guest users.
Yes, you can assign PIM roles for guest users and use PIM for assigning access to Azure resources.
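The two "yes" answers above can be put into practice with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original post: it creates a Conditional Access policy that requires MFA for every guest or external user (starting in report-only mode so sign-in logs can be reviewed before enforcement), then makes one guest account eligible for a directory role through PIM instead of giving it a standing assignment. It assumes the Microsoft.Graph module is installed, the signed-in administrator holds the listed scopes, and the guest address, role name and break-glass object ID are placeholders; PIM for Azure resource roles uses a separate ARM API and is not shown.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK
# and an administrator allowed to write Conditional Access policies and PIM requests.
# All object IDs, addresses and names below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# --- 1. Require MFA for all guest / external users, report-only first ---
$breakGlassId = "<object-id-of-emergency-access-account>"   # placeholder: always exclude it

$policy = @{
    displayName = "Require MFA for guest and external users"
    state       = "enabledForReportingButNotEnforced"        # switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                # every external user type Conditional Access knows about, from any home tenant
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser"
                externalTenants          = @{ membershipKind = "all" }
            }
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Policy $($created.Id) created in state $($created.State)"

# --- 2. Make the support vendor's guest account *eligible* for a role via PIM ---
$guest = Get-MgUser -Filter "userType eq 'Guest' and mail eq 'support.engineer@partner.example'"   # placeholder address
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

$request = @{
    action           = "adminAssign"
    justification    = "Managed support vendor: eligible only, activation is subject to the MFA policy above"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $guest.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P180D" }   # forces a review before renewal
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# --- 3. Verify: which eligible directory-role assignments are held by guests? ---
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty principal |
    Where-Object { $_.Principal.AdditionalProperties.userType -eq 'Guest' } |
    Select-Object Id, RoleDefinitionId, @{ n = 'Guest'; e = { $_.Principal.AdditionalProperties.userPrincipalName } }
```

The eligibility request rather than an active assignment is the point: the vendor's account holds nothing until it activates the role, and activation happens as an interactive sign-in that the guest MFA policy covers. Step 3 is the check to repeat periodically, since guest accounts are often forgotten when a support contract ends.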

Related

Users from on-prem AD aren't synced to Azure AD as Guest

I have a setup where I have installed the Azure AD on-prem cloud provisioning agent on a domain-joined server. The setup was successful. I followed the documentation here:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-provisioning/how-to-prerequisites
After configuring the agent in Azure AD, users can only be synced as Members.
Is there a way to sync users as Guests using the provisioning agent?
Also, is there a Microsoft Graph API to validate the agent and do the configuration?
On-prem AD users aren't synced to Azure AD as Guests; synced users cannot be Guest users, and that is by design.
You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD) with a user type of Guest. The guest user must then redeem their invitation to access resources. Any user synced via AD Connect will not be a guest user.
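To make the distinction in the answer concrete, here is an added example (not part of the original answer) that invites one guest through the Microsoft Graph invitation API and then compares the resulting object with the synced population. It assumes the Microsoft.Graph PowerShell SDK, the User.Invite.All and User.Read.All scopes, and a constructed partner address.

```powershell
# Added example, not from the original answer. Assumes the Microsoft.Graph SDK is installed.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

# 1. Invite an external identity; this is the only supported path to userType = Guest
$result = New-MgInvitation `
    -InvitedUserEmailAddress "partner.user@contoso-partner.example" `   # constructed address
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -InvitedUserType "Guest" `                                           # the default; "Member" creates an external member
    -SendInvitationMessage

# 2. The user object exists immediately, already typed as Guest, before the invitation is redeemed
Get-MgUser -UserId $result.InvitedUser.Id `
    -Property "id,userPrincipalName,userType,externalUserState,onPremisesSyncEnabled" |
    Select-Object UserPrincipalName, UserType, ExternalUserState, OnPremisesSyncEnabled
# externalUserState stays "PendingAcceptance" until the guest redeems the invitation

# 3. Contrast: everything that arrived through Azure AD Connect or cloud sync is a Member
Get-MgUser -Filter "onPremisesSyncEnabled eq true" -Property "userPrincipalName,userType" -All |
    Group-Object UserType |
    Select-Object Name, Count

# 4. Hygiene check worth scheduling: guests that never redeemed their invitation
Get-MgUser -Filter "userType eq 'Guest' and externalUserState eq 'PendingAcceptance'" `
    -Property "userPrincipalName,createdDateTime" -All |
    Select-Object UserPrincipalName, CreatedDateTime
```

Step 3 will only ever return Member, which is the behaviour the answer describes. Step 4 is the check that usually matters afterwards: unredeemed invitations are accounts that exist in the directory but have never been authenticated, and they tend to accumulate.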

WVD Mixed AD Environment AAD and Local AD

Most of my customers have a split AD environment: they log in to their machines via their local AD, e.g. user1@domain1.net, and access O365 with user1@fire.domain2.gov, so the UPNs do not match. The Azure tenant and Azure AD exist on the O365 UPN.
The only workaround we have found is to add the UPN fire.domain2.gov to the local AD object or add the O365 account to the local domain. Are there any other workarounds that might work, and has anyone else run into this?
I'm told Alternate Login ID will not work. No, Alt ID is used with ADFS, and there is no ADFS in LA County anymore (Dan Jorenby).
We are trying to set up a deployment for a government entity in LA County where they already have a local AD and AAD accounts for Office 365, but no sync is set up between them. Do you have any suggestion on how he can bind them together to be able to use them in WVD?
In order to access your on-premises and Azure resources with a single identity, you need to sync your user objects from on-premises Active Directory to Azure Active Directory via Azure AD Connect.
You need to create a custom domain in Azure in order to sync your user objects from on-premises to Azure.
Example: you can configure a custom domain for fire.domain2.gov in Azure. You can add the same domain name on-premises by adding an additional UPN suffix in Active Directory Domains and Trusts.
For detailed information, check the article.
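The three steps in the answer (verified custom domain in Azure, matching UPN suffix on the forest, then sync) can be scripted. The following is an added example, not code from the original answer or from Microsoft's documentation: it checks the custom domain in Azure AD, registers the suffix on the forest exactly as the Domains and Trusts dialog would, rewrites the UPNs of the affected users, and triggers a delta sync. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, the Microsoft.Graph SDK, the ADSync module on the Azure AD Connect server, and that fire.domain2.gov and the OU path are the names from the question (constructed for the example).

```powershell
# Added example, not from the original answer. Domain names, OU path and account names are constructed.
$upnSuffix = "fire.domain2.gov"

# 1. Refuse to change anything on-prem until the custom domain is verified in Azure AD
Connect-MgGraph -Scopes "Domain.Read.All"
$domain = Get-MgDomain -DomainId $upnSuffix
if (-not $domain.IsVerified) {
    throw "$upnSuffix is not verified in Azure AD; verify it (DNS TXT record) before changing UPNs."
}

# 2. Register the suffix on the forest (same effect as Active Directory Domains and Trusts > UPN Suffixes)
Import-Module ActiveDirectory
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $upnSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $upnSuffix }
}

# 3. Rewrite the UPN of the affected users so it equals the O365 sign-in name.
#    -WhatIf on the first run prints the changes without applying them.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@domain1.net'" -SearchBase "OU=Fire,DC=domain1,DC=net"
foreach ($u in $users) {
    $newUpn = "$($u.SamAccountName)@$upnSuffix"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}

# 4. On the Azure AD Connect server, run a delta cycle so the objects sync with the new UPN
Start-ADSyncSyncCycle -PolicyType Delta
```

Do step 3 before the first sync cycle, not after: Azure AD Connect soft-matches an incoming on-prem object to an existing cloud-only user on its UPN or primary SMTP address, so a user whose on-prem UPN still reads user1@domain1.net would not be joined to the existing user1@fire.domain2.gov account and a duplicate would be created instead.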

Azure AD custom administrator that can manage guest accounts

In the AAD there is no predefined administrator role that gives a user the right to manage only guest users. There is the "user administrator", but it can manage all users and not only guest users. Then there is the "guest inviter", which only has the right to invite guest users, but not to manage all aspects of them.
Is there a way to create a custom administrator role that has these rights?
The reason for this is that we have implemented a partner portal in SharePoint in my company. Our partners access the corresponding SharePoint pages via guest accounts. Therefore our partner managers should be able to manage only these partner/ guest users. They could do this via the AAD admin center, if there would be a suitable administrator role for it.
Is there a way to create a custom administrator role that has these rights?
Currently, the answer is no.
Now only permissions for Application registrations are supported in custom roles. More permissions are coming soon.

Why doesn't Azure AD support a default domain for signin

In single-tenant scenarios, why does Azure AD sign in require that the user provide the domain?
Because you can have multiple domains registered in AAD, and most organizations have users with more than one domain name.
When you log in, you must specify your user principal name.
This is the same as when logging in to on-prem AD, where you'd use e.g. CONTOSO\username or username@contoso.com.
Setting a default is not possible, and is usually not desired.
It looks like what I should be looking at is Azure AD B2C.
From this MSFT FAQ:
What are local accounts in Azure AD B2C? How are they different from work or school accounts in Azure AD? In an Azure AD tenant, users that belong to the tenant sign in with an email address of the form <username>@<domain>. The <domain> is one of the verified domains in the tenant or the initial <...>.onmicrosoft.com domain. This type of account is a work or school account.
In an Azure AD B2C tenant, most apps want the user to sign in with any arbitrary email address (for example, joe@comcast.net, bob@gmail.com, sarah@contoso.com, or jim@live.com). This type of account is a local account. We also support arbitrary user names as local accounts (for example, joe, bob, sarah, or jim). You can choose one of these two local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, click Identity providers and then select Username under Local accounts.

What is the difference between domain user and guest user in Azure AD B2C?

I've just started to use Azure AD B2C and found that we could create both domain accounts ({tenant}.onmicrosoft.com) and local accounts (any email address), which are called "guest user". What is the difference between the two? Is there any use case in which we should use domain accounts?
Is there any use case in which we should use domain accounts?
Yes, when you need to connect over PowerShell. Please see this documentation about 'Configuring delete permissions for your application'.
Note: there could be more scenarios, that is just one that I know of.
