Delete AAD Tenant, orphaned Managed Identity - azure-active-directory

I'm attempting to delete an AAD tenant. It fails because there are two Managed Identities still configured. But I can't delete them due to insufficient rights. There is no Azure Subscription attached to the AAD tenant and the Managed Identities don't list an Azure resource ID. Also, there are no applications registered in the AAD tenant.

Please ask your Global administrator who will have sufficient rights to remove the managed identities. More details here https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal

Related

Identify AZURE AD users without OATH MFA configured

I have a need to identify AD users that have not set up MFA via the Microsoft Authenticator (or equivalent). How do I identify these users?
Presumably, the MFA OATH key is stored somewhere on the user account.
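
One way to answer the question above, as an added example that is not part of the original thread: Microsoft Graph's authentication-methods registration report (`GET /reports/authenticationMethods/userRegistrationDetails`) lists each user's registered methods in `methodsRegistered`, and the Python below filters a saved response for users with no authenticator-app or OATH method. The sample response, the `contoso.example` accounts and the function name are constructed for illustration.

```python
import json

# Values Graph reports in `methodsRegistered` for an authenticator app
# or an OATH one-time-passcode token (software or hardware).
APP_OR_OATH_METHODS = {
    "microsoftAuthenticatorPush",
    "microsoftAuthenticatorPasswordless",
    "softwareOneTimePasscode",
    "hardwareOneTimePasscode",
}

# Constructed sample shaped like one page of the
# userRegistrationDetails report; not output from a real tenant.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example", "userType": "member",
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "userType": "member",
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "userType": "member",
     "methodsRegistered": []},
    {"userPrincipalName": "dave@partner.example", "userType": "guest",
     "methodsRegistered": []},
    {"userPrincipalName": "erin@contoso.example", "userType": "member",
     "methodsRegistered": ["softwareOneTimePasscode", "email"]},
]})


def users_without_app_or_oath(response_text, include_guests=False):
    """Return (upn, reason) pairs for users lacking an app/OATH method."""
    findings = []
    for entry in json.loads(response_text).get("value", []):
        # Guests usually register MFA in their home tenant, so skip by default.
        if entry.get("userType") == "guest" and not include_guests:
            continue
        methods = set(entry.get("methodsRegistered") or [])
        if methods & APP_OR_OATH_METHODS:
            continue
        if methods:
            reason = "only other methods: " + ", ".join(sorted(methods))
        else:
            reason = "no method registered"
        findings.append((entry["userPrincipalName"], reason))
    return findings


if __name__ == "__main__":
    for upn, reason in users_without_app_or_oath(SAMPLE_RESPONSE):
        print(f"{upn}: {reason}")
```

A real report is paged, so each page has to be fetched and passed through the same filter.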

Why should I use a service principal for machine authentication and not an AAD user?

I know that I have to create a service principal when I need an identity for an app that connects to Azure resources. But if someone asked me "Why not just create an AAD user and authenticate as that user?" I honestly couldn't answer besides "That's not how you do it."
Can someone give me a proper explanation on why using an AAD service user instead of an app registration would be a bad idea?
A service principal is an application whose tokens can be used to authenticate and grant access to specific Azure resources from a user-app, service, or automation tool, when an organization is using Azure Active Directory.
By using a Service Principal, we can avoid creating "fake users" (similar to a service account in on-premises Active Directory) in Azure AD to manage authentication when you need to access Azure resources.
The Service Principals' access can be restricted by assigning Azure RBAC roles so that they can access only the specific set of Azure resources.
So, for better security, we can use a service principal instead of an Azure AD user to authenticate and access Azure resources.

WVD Mixed AD Environment AAD and Local AD

Most of my customers have a split AD environment: they are logging into their machine via their local AD, e.g. user1@domain1.net, and accessing O365 with user1@fire.domain2.gov, so the UPNs do not match. The Azure tenant and Azure AD exist on the O365 UPN.
The only workaround we have found is to add the UPN fire.domain2.gov to the local AD object or add the O365 account to the local domain. Are there any other workarounds that might work, and has anyone else run into this?
I'm told Alternate login ID will not work. No, AltID is used with ADFS. There is no ADFS in LA County anymore (Dan Jorenby)
We are trying to set up a deployment for a government entity in LA County where they already have local AD and AAD accounts for Office 365, but no sync is set between them. Do you have any suggestion on how he can bind them together to be able to use them in WVD?
In order to access your on-premises and Azure resources with a single identity, you need to sync your user objects from on-premises Active Directory to Azure Active Directory via Azure AD Connect.
You need to create a custom domain in Azure in order to sync your user objects from on-premises to Azure.
Ex: you can configure a custom domain for fire.domain2.gov in Azure. You can add the same domain name on-premises by adding an additional UPN suffix in Active Directory Domains and Trusts.
In order to get the detailed information check Article

Adding external users to Azure AD B2C without sign-in

I added to my Azure AD B2C the option to log in with an external provider - Azure AD. Later on, I added my account from that tenant to Azure AD B2C as an external user.
Unfortunately, when I log in, I get "User does not exist. Please sign up before you can sign in.".
When I use a different policy that allows me to sign in, my account is duplicated as Federated Azure Active Directory.
How can we prepopulate Azure AD B2C with external users to avoid signing in new accounts? I would like to move existing data from the tenant and avoid filling in unnecessary data. Moreover, I would like to allow particular users only to be able to log in to our application.
The problem here is that users added via the portal are essentially B2B or portal admin users.
These are not local accounts and hence cannot login to B2C.
If you have users in another AAD tenant that is federated with B2C, you do not have to manually add these users to B2C. A "linked account" (using the #EXT# format) is created when those users authenticate via their Azure AD.
I guess what you are saying is "avoid registering new users."
Azure B2C is for Consumer, not for Azure AD tenant. You should use the Azure B2B feature to add a guest user to your Azure AD B2C tenant and assign the necessary role/permissions to the guest user.
You could simply choose to use + New guest user in the Azure portal or the Microsoft Graph API to add external users.

Azure B2C. User account does not exist in tenant 'xxx' and cannot access application

We get the following error when trying to access an AAD application, which is connected to Azure B2C.
User account 'xxxxx@gmail.com' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The live account shows up in both the B2C and AAD as a live.com user. Manually created accounts can log in. Yet when logging in from a B2C account, I get the above error.
How can I solve this problem?
If your requirement is to accept both personal accounts in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and use the so-called Azure AD 'v1' endpoint.
Here are your options:
AppSource only requires corporate account sign-ins. If you only need AppSource certification, you can keep using adal.js to sign in corporate accounts. Then what you need to do is to set your application to be multi-tenant in the Azure Portal, so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.
If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js - and then register your application in the new portal https://apps.dev.microsoft.com . This new application is known as a converged application and uses the Azure AD v2 endpoint. To get started use this guide as a starting point to sign in users using msal.js.
