Is it possible to allow all users in a specific AAD tenant to access an app? - azure-active-directory

Is it possible to allow all users in a specific AAD tenant to access an app?
Something like a tenant trust. Tenant 1 trusts Tenant 2 and I can add 'tenant2\AllUsers' to a permission.
I want to allow all users of a partner tenant (current and future) to be able to access a SharePoint site and a few other apps.
I've looked at B2B, but it requires invitations, which are hard to manage at scale.
Entitlement management looks nice but requires P2 licenses and has lots of capabilities we just don't need.
Does anyone have a simple way to do a 'tenant trust'? Am I missing something?

Firstly, you have a misunderstanding of "tenant trust".
When we say tenant trust, it means the tenant trusts an app and then the app can access the data of that tenant. There is not a way to make a tenant trust another tenant.
Anyway, using the official admin consent URL you can grant admin consent for a whole tenant to an app.
See Construct the URL for granting tenant-wide admin consent.
https://login.microsoftonline.com/{tenant-id of partner tenant}/adminconsent?client_id={client-id}
Sign in with an admin account from the partner tenant and do the admin consent. Then all users from the partner tenant can sign in to this app.
For the SharePoint use case, you can take advantage of the self-enroll service. Please refer to Use SharePoint as a business-to-business (B2B) extranet solution and Create a B2B extranet with managed guests.

Related

How to allow external users to sign in to an app that is secure by Microsoft identity using Azure AD

I have an app (ASP.NET Classic) that is using Azure AD authentication. Now, we want to allow users outside of the organization to sign in. I read a few documents on B2C and B2B, but I am unable to see which one is good for me.
I am looking for members of the organization to be able to sign in without having to create a new account. One of the options B2B suggested was to add the user to AD as a guest user, but this is a manual process; it would be good if it could be automated. Also, that doesn't describe how the user would send the request for login info.
It depends on your use case.
Imagine a large company. They have Azure AD for their employees. Now they want some suppliers to have access to their billing system. Those suppliers are guest users. That's B2B.
For guest users, an admin can send an invitation email that contains a redemption link.
B2C is for the customers of the company. They use the company's e-commerce system. They do not need access to the billing system.
B2C is self-service i.e. these users self-register and can change their profile or reset their password.

Azure AD / Graph API - Determine User Source & Tenant

In our organization, we have been inviting guest users to our AAD Tenant to successfully share resources with our B2B partners. However, we have a fear that there may be some business users that have been oversharing with individuals (e.g. xxx#gmail.com accounts or Business accounts we don't approve of).
We would like to better monitor these scenarios, and I've been able to determine a user's source via the Azure Portal:
Here, we can easily see that this particular user is coming from an External Azure Active Directory.
Is there a Microsoft Graph API or Azure AD API where I can get this information, so we can write some automation around this? Also, is there a way to determine which tenant this user is homed in? I have played around with the Users endpoint a bit, but don't see this information...maybe there is a different endpoint or permissions scope that I need?
Thanks for any assistance!
You cannot get tenant information for a guest user, but you can handle users by the domain the user belongs to. You can allow or block invitations to B2B users from specific organizations. Please refer to this document.
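As an added example (not part of the answer above), the domain-based check the answer suggests can be automated over a Microsoft Graph user listing: Azure AD stores B2B guests with a userPrincipalName of the form alias_homedomain#EXT#@tenant, so the guest's home domain can be recovered from it and compared against an approved list. The Graph response below is constructed sample data in the shape of GET /users?$filter=userType eq 'Guest'; the domains and tenant name are placeholders.

```python
import json
from typing import Optional, List, Tuple

# Constructed sample page in the shape of a Microsoft Graph /users response
SAMPLE_GRAPH_PAGE = json.loads("""{
  "value": [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
     "mail": "alice@partner.example", "userType": "Guest"},
    {"userPrincipalName": "bob_gmail.com#EXT#@contoso.onmicrosoft.com",
     "mail": "bob@gmail.com", "userType": "Guest"},
    {"userPrincipalName": "carol@contoso.onmicrosoft.com",
     "mail": null, "userType": "Member"}
  ]
}""")

APPROVED_DOMAINS = {"partner.example"}  # constructed allow-list of partner tenants' domains


def external_domain(user: dict) -> Optional[str]:
    """Return the home domain of a guest user, or None for members.

    Guests carry the #EXT# form "alias_domain#EXT#@tenant"; the domain is the
    part of the alias after the last underscore (domains contain no underscores).
    Falls back to the mail attribute when the UPN is not in that form.
    """
    if user.get("userType") != "Guest":
        return None
    upn = user.get("userPrincipalName", "")
    if "#EXT#" in upn:
        alias = upn.split("#EXT#", 1)[0]  # e.g. "bob_gmail.com"
        return alias.rsplit("_", 1)[1].lower() if "_" in alias else None
    mail = user.get("mail") or ""
    return mail.rsplit("@", 1)[1].lower() if "@" in mail else None


def unapproved_guests(page: dict, approved: set) -> List[Tuple[str, str]]:
    """List (UPN, home domain) for every guest whose domain is not approved."""
    flagged = []
    for u in page.get("value", []):
        dom = external_domain(u)
        if dom is not None and dom not in approved:
            flagged.append((u["userPrincipalName"], dom))
    return flagged


if __name__ == "__main__":
    for upn, dom in unapproved_guests(SAMPLE_GRAPH_PAGE, APPROVED_DOMAINS):
        print(f"REVIEW: {upn} is homed in unapproved domain {dom}")
```

In a real run the page comes from Graph with the User.Read.All permission and you iterate over @odata.nextLink pages; the domain logic is unchanged.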

Does Azure B2C have an end user portal "app endpoint" dashboard?

Is there any Azure B2C end-user queryable endpoint that will allow that owner to identify which tenants they have authenticated to?
A dashboard for B2C users that is an aggregate of all tenants they have federated with? Is there some extension of the /common endpoint I could make an OAuth query to? (ideally including AAD B2B guest accounts)
https://account.live.com/Activity
https://account.activedirectory.windowsazure.com/r#/applications
myapps.microsoft.com
4/24/20 Edit:
I found this in the portal that implies a portal is available.
I'm looking for the API in which to programmatically add applications to it before a migration.
I need to have the applications already 'signed in' or linked to applications I own in the B2C directory (OIDC/SAML2 apps)
Your question is the equivalent of asking, "Can I find out if I registered at StackOverflow and Facebook with this/my email?". You cannot do this; AAD B2C is isolated tenancies representing a single organisation's identities. There is no equivalent of the /common endpoint for AAD B2C. In AAD and AAD B2B accounts, there is a mapping created from the original account to identify which tenants they are in. This is to maintain a single identity across the Microsoft ecosystem.
In AAD B2C, this doesn't exist, goes back to my first sentence for 'why', they are separate applications, and inherently have no relationship, nor do the identities.

Adding new static scopes to existing Azure AD app registration

My AD tenant has user consent disabled, i.e., all permissions added to AD app registration need an admin consent.
For an application using static permissions/scopes (v1.0 OAuth/OpenId endpoint), is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Microsoft docs say: "The app needs to know all of the resources it would ever access ahead of time. It was difficult to create apps that could access an arbitrary number of resources." Does it mean that for my scenario, all users need to wait for admin consent before they can access the app?
I receive the below error when a user tries logging in to the app using the Open ID Connect flow. For reference, my login URL is similar to https://login.microsoftonline.com/{tenant}/oauth2/authorize?response_type=id_token&client_id=b8ad6a99-cd23-40a6-a1b4-1184af990aa2&redirect_uri=https%3A%2F%2Flocalhost%2F&state=13ccfb84-cfd1-4cb0-bfe3-bb2c227e19f7&client-request-id=4d76947a-0000-48af-aeff-7bc2d5e40000&x-client-SKU=Js&x-client-Ver=1.0.17&nonce=ef1caa16-d3fe-4523-a9c9-000000000000
is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Yes, you can.
When the admin consents to the API permissions of an AD App (App registration), the permissions are essentially given to the service principal (Enterprise application) in your AAD tenant. Actually, if you use the AD App in your tenant, the permissions essentially come from the service principal.
You could refer to the screenshot below: there are four permissions, and two of them have been granted.
Navigate to the Overview and click the option Manage application in local directory.
Then, under Permissions, you will find the two permissions which have been consented.
When you add the new scopes, the app will keep working, but it will only be able to access the old scopes until the admin consents to the new scopes.
Thanks!
Alex Simons

Azure AD V1 endpoint registered native app: Graph API consent given but user can't get through

When registering a native application on the Azure AD 1.0 endpoint, and assigning Graph API permissions, it seems like consented permissions are 'cached' somewhere and can't be managed properly.
Example scenario:
1. Application registered and permission scopes (incl. ones requiring admin consent) assigned.
2. Administrator consents to the permission scopes.
3. Simple user can use the app with consented permissions.
4. Permission scopes change (adding a new one, for example).
5. Same admin doesn't get the consent form anymore.
6. Simple user is stuck with "consent required, have an admin account?"
7. Another global admin must use the app for the first time to trigger the consent page.
Note that #7 doesn't always work; even if the other admin provides consent, simple users can't get through sometimes.
This is a multi-tenant application, yet when I start using it in another tenant, I cannot see its consented permissions in the AAD portal under enterprise applications.
Shouldn't permissions that have been consented to be listed in other tenants so that the admin can at least see what has been consented to?
Also, when I register an app on the V1.0 endpoint in my own tenant, I have an option to 'grant permissions' centrally, from the Azure AD portal for my tenant.
This option isn't available if I'm looking at an application that was registered in another tenant.
Am I overlooking something? Any help much appreciated.
When you change permissions, it does not automatically re-consent (for user or admin). You can find a detailed overview of this at Understanding user and admin consent.
You'll first need to kick off the Admin Consent workflow. For a multi-tenant app this is done by adding prompt=admin_consent to your OAuth URL and having an Admin authenticate.
Once that is done you can also force existing users to re-consent by adding prompt=consent to your Auth URL.
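As an added example (not code from either answerer), the following builds the two URLs discussed on this page, the tenant-wide /adminconsent URL from the first answer and the v1 /oauth2/authorize URL with prompt=admin_consent or prompt=consent from this answer, and validates the redirect the adminconsent endpoint sends back (tenant, state and admin_consent=True on success, error and error_description otherwise). The state check matters because the callback is an unauthenticated GET to your redirect URI; the tenant and client ids used are placeholders.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN = "https://login.microsoftonline.com"


def admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Tenant-wide admin consent URL: {LOGIN}/{tenant}/adminconsent?client_id=..."""
    q = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"{LOGIN}/{tenant_id}/adminconsent?{q}"


def authorize_url(tenant: str, client_id: str, redirect_uri: str, state: str,
                  nonce: str, prompt: Optional[str] = None) -> str:
    """v1 OpenID Connect authorize URL; prompt may be 'admin_consent' or 'consent'."""
    params = {"response_type": "id_token", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    if prompt:
        params["prompt"] = prompt
    return f"{LOGIN}/{tenant}/oauth2/authorize?{urlencode(params)}"


def check_admin_consent_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the adminconsent redirect before trusting it.

    Rejects a state that does not match the one we issued (a forged or replayed
    callback), surfaces the error the endpoint returns when the admin cancels,
    and otherwise reports whether consent was granted and for which tenant.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not originate from our request")
    if "error" in qs:
        return {"ok": False, "error": qs["error"][0],
                "description": qs.get("error_description", [""])[0]}
    granted = qs.get("admin_consent", [""])[0].lower() == "true"
    return {"ok": granted, "tenant": qs.get("tenant", [None])[0]}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # one fresh value per consent request, stored server-side
    print(admin_consent_url("{partner-tenant-id}", "{client-id}", "https://localhost/", state))
    print(authorize_url("common", "{client-id}", "https://localhost/", state,
                        secrets.token_urlsafe(16), prompt="admin_consent"))
```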
