Azure AD SCIM - How to Enable the Provisioning Section - azure-active-directory

I need Azure AD users to be synced into my application, so I've been researching how to implement SCIM and configure Azure AD to work with it. My end goal is to have my application listed as the ones here: https://learn.microsoft.com/en-gb/azure/active-directory/saas-apps/tutorial-list, and to do this, it should support SSO + User provisioning.
The implementation is kind of straightforward as SCIM is a standard and I just need to implement a bunch of APIs complying with a specific contract, so this should work.
The problem I'm having, though, is I cannot find how to enable the "Provisioning" feature for my application. I've been reading the articles and watching the videos Microsoft provided (https://learn.microsoft.com/en-gb/azure/active-directory/app-provisioning/configure-automatic-user-provisioning-portal for instance) and it seems that when I click the Provisioning section in my app, I should be able to configure it. Unfortunately, I don't see the UI shown in the tutorials, so I suppose I've been missing some step that is not explained in the docs. Also, I'd expect to have somewhere to configure the base URL that should contain all endpoints required for the SCIM standard. I don't see this either, which confirms my feeling I'm missing something essential.
Here are the steps I've been taking:
Open the Azure portal
Create an enterprise app - Click on Enterprise applications, Create your own application, and Integrate any other application you don't find in the gallery (Non-gallery)
Once the application gets created, I can't see anything in the "Provisioning" settings

I found a solution to the problem I've described above. Unfortunately, I somehow missed the big blue "Get Started" button in the middle of the screen. When you click this button, the configuration I've been looking for appears and it is all good.
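As an added illustration (not code from the question or from Microsoft's documentation), the following minimal in-memory handler covers the first two requests Azure AD provisioning makes against a SCIM endpoint once "Get Started" has been configured: a GET on /Users with a userName filter to check whether the user exists, and a POST to /Users to create it. It is framework-agnostic (the HTTP server that calls handle() is assumed), validates the Secret Token from the Provisioning blade as a bearer token, and returns SCIM 2.0 ListResponse and Error payloads.

```python
import hmac, re, uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
USERNAME_FILTER = re.compile(r'userName eq "([^"]*)"')  # the lookup filter Azure AD sends first

def scim_error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}

class ScimUsers:
    def __init__(self, secret_token):
        self._token = secret_token  # the Secret Token pasted into the Provisioning blade
        self._users = {}            # id -> SCIM user resource (in-memory for the example)

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        # constant-time comparison so the secret cannot be recovered byte by byte
        return auth.startswith("Bearer ") and hmac.compare_digest(auth[7:], self._token)

    def handle(self, method, path, headers, query=None, body=None):
        if not self._authorized(headers):
            return scim_error(401, "invalid or missing bearer token")
        if method == "GET" and path == "/Users":
            return self._list(query or {})
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        return scim_error(404, "resource not found")

    def _list(self, query):
        matches = list(self._users.values())
        if "filter" in query:
            m = USERNAME_FILTER.fullmatch(query["filter"])
            if not m: return scim_error(400, "unsupported filter")
            # userName is not caseExact in the core schema, so compare case-insensitively
            matches = [u for u in matches if u["userName"].lower() == m.group(1).lower()]
        # HTTP 200 with totalResults 0 is how Azure AD learns the user does not exist yet
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(matches), "startIndex": 1,
                     "itemsPerPage": len(matches), "Resources": matches}

    def _create(self, body):
        name = body.get("userName")
        if not name: return scim_error(400, "userName is required")
        if any(u["userName"].lower() == name.lower() for u in self._users.values()):
            return scim_error(409, "userName already exists")
        uid = str(uuid.uuid4())
        user = {"schemas": [SCIM_USER], "id": uid, "userName": name,
                "externalId": body.get("externalId"), "active": bool(body.get("active", True)),
                "meta": {"resourceType": "User", "location": f"/Users/{uid}"}}
        self._users[uid] = user
        return 201, user
```

The base URL Azure AD asks for in the Provisioning blade is whatever prefix your server mounts this handler under; the tenant URL plus "/Users" is what the provisioning service actually calls.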

Can I use a Sharepoint view in an iFrame on an external website/app that has users authenticated with Azure AD SSO

We have a new intranet site that uses our AzureAD credentials with SSO (via SAML2.0). There's a widget that can display personal or specific Sharepoint Document folders but I've found that this is lacking in detail - particularly some of the document metadata.
Is there a way to use a curated Sharepoint View in an iFrame on this cross-domain website?
At present when I try, it comes up with an error
Refused to display "sharepoint-site-page" in a frame because it is set
'X-Frame-Options' to 'sameorigin'
I'd be grateful for any assistance if possible. Thanks!
Not sure if this applies to your particular view; however, this is a pretty well known thing that Microsoft locks down SP to not allow cross-site iframing by default. You could try this solution:
https://www.sharepointpals.com/post/how-to-bypass-cross-domain-issues-to-display-sharepoint-online-pages-within-iframe-from-an-external-domain/
It makes use of the AllowFraming tag, which Microsoft allows to do exactly that, as per: https://learn.microsoft.com/en-us/archive/blogs/officeapps/iframing-sharepoint-hosted-pages-in-apps
Hope this helps you a bit.

Azure Logic App - Am Unable to "create a SugarCRM Connector API" - not found in my view of the marketplace

I am just getting started with Azure Logic Apps and want to try connecting to SugarCRM.
I was pleased to see this guidance suggesting I should be able to find the SugarCRM connector in the Azure marketplace
https://github.com/Huachao/azure-content/blob/master/articles/app-service-logic/app-service-logic-connector-sugarcrm.md
However, when I try to find it by going to the marketplace on portal.azure.com and searching for SugarCRM, I do not see the connector in the results as described in the above link.
Either it is no longer published or I am doing something wrong. Do I need to do anything special to be able to access this?
I checked this on the portal and I could find it, then I consulted Azure officially. The response is:
SugarCRM was on the product plan and later was removed. So it was never formally released.
So this feature is not available; if you insist on using this you could go to feedback and vote up this feature. When enough people vote for it, there is more chance for it to be added. Here is the feedback link: https://feedback.azure.com/forums/287593-logic-apps/suggestions/20565706-add-sugarcrm

User authentication through Office365

We are about to build a new intranet system for our company, leaving SharePoint behind. The system will be built using Ruby on Rails. Since we're using Office365 for mail, calendar etc., we would like to authenticate our intranet users through Office365.
I'm aware of Microsoft Graph API, but I have a hard time figuring out if there is a possibility to authenticate users from a third-party application. Moreover, we would like to retrieve general information about the user, like profile picture and calendar information.
Is anybody knowledgeable about Microsoft Graph API and know if it's possible to achieve our goals using the API?
You're on the right track. You would authenticate with Azure AD, which is in the 365 ecosystem.
I wrote (and answered) a detailed guide here:
How to get the JWT (using OpenIdConnect) from HttpContext, and pass to Azure AD Graph API
Note that this is the OpenIdConnect flow. I think the Saml2 flow is somewhat different.
Don't take my advice on storing the authentication codes or try to acquire the token silently - it ended up causing issues in production that weren't seen in test. Rather, just use the user object id as your key attribute.
The Microsoft documentation on the topic is a little cerebral and abstract, so it'll take a little head scratching, but have a look at the samples mentioned in the post I linked above; they'll get you started.
Yes, using Microsoft Graph is the right way to go about achieving the stated goals here.
There are quite a few samples and tutorials provided on the Microsoft identity platform code samples page that will teach you how to build an app that calls Microsoft Graph.

Desktop client flow for MicrosoftAccount access to Azure Mobile Service API

I have followed Adrian Hall's book to create a cross-platform app with a Mobile Service API backend. I have successfully got unsecured access to the backend working from Android, iOS and Desktop (WPF) clients. I am moving on to adding security to the API using the Authorise attribute. I would like to add social authentication using MicrosoftAccount (formerly Passport/Live ID).
Since Adrian wrote his book the Microsoft.Azure.Mobile.Client and the authentication and authorisation landscape seem to have moved on. The samples given in the book no longer build and Microsoft's social authentication and AAD authentication seem to have been rolled into one API.
I have spent days searching for up to date and relevant information but there seems to be lots of stuff on the internet that is either out of date or only shows examples of authenticating using Facebook or Google from Xamarin clients or authenticating against Azure AD.
I am using .NET 4.7 and WPF for the desktop app. I am also using Microsoft.Azure.Mobile.Client V4.0.1. and my questions are:
Should I be using the Microsoft.Identity.Client to authenticate users from my desktop client; and,
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
According to your requirement, you want to use client-flow authentication with MSA. As I know, MSA authentication uses the Live SDK for signing users in.
Since Live SDK is deprecated, you could leverage the OneDrive SDK for CSharp for logging in with MSA, and you could follow the detailed steps for achieving this purpose:
Install the client libraries via NuGet:
Microsoft.OneDriveSDK
Microsoft.OneDriveSdk.Authentication
Log into Microsoft Account Developer Center and create your app, add the native application platform, then Register your app with Microsoft Account.
Then you could follow the code below and add it to your WPF application as follows:
For more details about OneDrive SDK for CSharp, you could refer to here and Authentication Adapter for the OneDrive SDK.
UPDATE:
It's my fault. I did not mention that the above code would automatically open a web browser. Per my test, you could configure the parameter returnUrl to https://login.microsoftonline.com/common/oauth2/nativeclient when constructing your MsaAuthenticationProvider instance.
I was in a similar boat, and here is a summary from the top of my head. There are two security libraries currently in play for authorization: ADAL and MSAL.
ADAL
This is the first library that came out, and services like B2C must each be handled separately using this library.
MSAL
One security framework to rule them all!
https://github.com/Azure-Samples/active-directory-xamarin-native-v2
This library has a go live license, but technically it's still in Beta.
Head to Mobile.azure.com for the latest info on creating a mobile application, and this article on a V2 endpoint.
When you register an application for Authorization, there are two categories: a "Converged" application and a "Live SDK application" (see https://apps.dev.microsoft.com/#/appList). Why they would choose these names is beyond me to understand. IMPORTANT Translation: Converged applications ONLY work with MSAL, the other ONLY works with ADAL. THAT will go a long way for you to get the authentication working, as the Application / Client ID must match the correct SDK, and hence endpoint.
In the end, we chose to stay with ADAL for now as we were having problems with MSAL. MSAL is the future however, as all services will be incorporated, and it should be an easier SDK to use.
Here are some links that I kept, all of which refer to ADAL or MSAL:
http://aka.ms/aadv2
https://azure.microsoft.com/develop/identity
https://learn.microsoft.com/en-ca/azure/active-directory/develop/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/AzureAD
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
These links are about a month old. HTH

How do you use Active Directory in a "hosted solution"?

Yesterday I got a call from a Microsoft representative asking if we supply "hosted solutions", presumably as part of the big Windows Azure push. As soon as I got off that call, our marketing director came into my office and said the majority of our customers are demanding Active Directory integration in the next version. Then it occurred to me: how does one use Active Directory in a "hosted solution" if the application does not live on the customer's network?
As a more general question about Active Directory integration, what kind of functional changes does that usually imply for an app? Does it mean a user is signed into the app just by authenticating to Active Directory or does it mean the app gets its list of users from Active Directory or does the creation of new users or groups in the app create new users or groups in Active Directory?
Am I just caught in the crossfire of a war of buzzwords?
You're not. Active Directory can be run across the public Internet, though this complicates the security and setup of the network rather considerably.
Generally, authenticating an app against Active Directory means that your membership provider (for example) would call into Active Directory to do the authentication and, after that, the user is simply logged in; you don't keep active credentials, etc, in your own database. However I would consider it smart to cache that information as well, and be prepared to authenticate against that cache in addition to the directory, in case the domain controller is unavailable for authentication (an especially large risk if you're running the directory across the Internet).
You can use Active Directory Federated Services to enable authentication using AD over the internet between two organizations. See: http://technet.microsoft.com/en-us/library/cc786469.aspx
I've never used it, only read about it. Hope it helps.
The accepted answer explains the role of Active Directory and I agree that caching basic user information may be useful in many instances.
Active Directory can be expanded outside of a corporate network, to the internet and connected web services. As another user mentioned, this is achieved through ADFS (Active Directory Federation Services) which allows "trusted" connections to be set up between separate authentication services. There were a number of scenarios explained as part of the "Office 365 Jump Start" webinars:
http://technet.microsoft.com/en-us/edge/office-365-jump-start-04-microsoft-office-365-identity-and-access-solutions
After viewing these, I immediately thought that a "hosted" AD and ADFS service would be useful, where a customer doesn't want to maintain the AD servers internally (Microsoft don't recommend running less than 5 separate servers if you're doing this!). Recently, Microsoft have also launched their Azure cloud platform. One of the services they provide is labelled "Identity", which you can see here:
http://www.windowsazure.com/en-us/services/identity/
This is Microsoft's own solution to hosted AD services. In fact, they even mention using their "Identity" hosted service as a solution for SSO (Single Sign-On) for Office 365 and even Google web apps.
I am still learning about AD and Microsoft's cloud offerings, but I hope this points you in the right direction.
There's an article here: http://www.developerfusion.com/article/121561/integrating-active-directory-into-azure/ which describes in-depth how to integrate Active Directory with Azure - hope that helps.
Active Directory can be run across the public internet, but you will experience lag times which may cause your app to time out or crash depending on your bandwidth. In the past, I have set up accounts with another company called ultradns.com, who specialize in these types of scenarios. Hope that helps.
You'd be best off going with a true hosting framework if you would like any support from MS.
I'm sure you'd like some links so:
HMC (Hosted Messaging and Collaboration)
The ONLY true blog I know about on the framework is from Kip Ng
The ASP.NET forums are a good resource for questions on the Framework as well.
An example of the work that goes into configuring AD for Exchange multitenancy is here; though it is based on an older version of the framework, a lot of the same principles apply.
Also, try searching on the keyword multitenancy for some articles.