I am looking for an Office365 API which enables me to edit the "multi factor authentication" flag for a particular user.
Currently I can do this via logging in to the Azure portal (see attached image).
Currently this is not available via API. I found a vote in Azure feedback: https://feedback.azure.com/forums/34192--general-feedback/suggestions/32683693-add-mfa-status-to-user-entity-info-returned-by-gra
If MFA authentication needs to be enforced, maybe an alternative would be to have a conditional access policy requiring MFA for a group of users (e.g. the baseline MFA for admins) and check that the user is a member of that group using Graph API.
I've got a single page application that currently uses Azure AD B2C authentication to allow users to sign in, and then use the auth cookies to talk directly to internal services. There is now a requirement that we use two factor auth on top of the existing AD auth. We've already rolled our own 'second factor' auth, and we need to be able to integrate with that (I'd much rather use the built in MFA that Azure provides, but for this question assume that isn't an option).
Our issue is that we don't want to call our MFA service until the user has authenticated successfully with AD - but of course, once they have, they are already authenticated, and it's too late.
When Azure AD hands back to us via the call back (we are using CookieAuthenticationEvents), is there any way to defer the access token being available until our own second factor auth step succeeds?
Just as juunas suggested, try to use custom policies, which are designed primarily to address complex scenarios.
Reference:
Custom policies in Azure Active Directory B2C
How can one explicitly trigger an MFA prompt, e.g. from a web service, for Azure Active Directory or ADFS users?
An example scenario could be that after a user authenticates and starts a session with the web app, certain actions would be gated by a MFA verification.
I see there are workarounds that could establish similar behavior by using MFA for login and then having the software prompt for login, but SSO would prevent these prompts from always reaching the user:
Phone Sign-In (Microsoft accounts)
MFA as Primary Auth (ADFS)
The intent here is to trigger a MFA verification that is separate from auth.
The actions that require gating would need to be a resource that requires MFA. If the resource requires MFA and the user did not sign in with MFA, they will be prompted. This article appears to cover this use case:
Quickstart: Require MFA for specific apps with Azure Active Directory conditional access
To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud apps using a user name and a password. However, many environments have at least a few apps for which it is advisable to require a stronger form of account verification, such as multi-factor authentication (MFA). This might be, for example true, for access to your organization's email system or your HR apps. In Azure Active Directory (Azure AD), you can accomplish this goal with a conditional access policy.
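The two answers above (the group-membership check against a conditional access policy, and requiring MFA per app) both come down to the same evaluation, shown here as an added example that is not from either answer. The field names follow Microsoft Graph's conditionalAccessPolicy resource; the policy, group id, app id and user records are constructed placeholders.

```python
"""Decide whether a conditional access policy forces MFA for a user on an
app, using constructed Graph-shaped payloads. All IDs are placeholders."""

ADMIN_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"   # placeholder group id
HR_APP_ID = "00000000-0000-0000-0000-0000000000bb"         # placeholder app id

# Constructed policy: "require MFA for the HR app, for members of the admin group"
MFA_FOR_HR = {
    "displayName": "Require MFA for HR app",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": [ADMIN_GROUP_ID],
                  "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": [HR_APP_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def _targets(ids, scope_list):
    # Graph uses the literal "All" for "every user" / "every app"
    return "All" in scope_list or any(i in scope_list for i in ids)

def policy_requires_mfa(policy, user_id, group_ids, app_id):
    """True if `policy` is enabled, includes the user (directly or via a group)
    without excluding them, includes the app, and grants only with MFA."""
    if policy.get("state") != "enabled":
        return False          # report-only / disabled policies enforce nothing
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    included = _targets([user_id], users.get("includeUsers", [])) or \
        _targets(group_ids, users.get("includeGroups", []))
    excluded = user_id in users.get("excludeUsers", []) or \
        any(g in users.get("excludeGroups", []) for g in group_ids)
    app_in_scope = _targets([app_id], apps.get("includeApplications", []))
    mfa = "mfa" in policy.get("grantControls", {}).get("builtInControls", [])
    return included and not excluded and app_in_scope and mfa

def users_without_mfa_on_app(policies, users, app_id):
    """Coverage check: ids of users that no enabled policy forces to MFA on
    `app_id`. `users` items are {'id': ..., 'groupIds': [...]} as you would
    assemble them from a Graph memberOf / checkMemberGroups response."""
    return [u["id"] for u in users
            if not any(policy_requires_mfa(p, u["id"], u["groupIds"], app_id)
                       for p in policies)]

# Constructed directory snapshot
USERS = [
    {"id": "alice", "groupIds": [ADMIN_GROUP_ID]},
    {"id": "bob", "groupIds": []},
]
```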
I'm building a service where each user has a calendar, I want to sync users 365 calendar events into their calendar, the tricky part seems to be, that this should be done repeatable by background job on the server, to keep them in sync.
I feel like I've read a bible of documentation from Microsoft, but still gotten nowhere. I eventually stumbled upon this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds which allows a server to query the graph api, on behalf of users. This is exactly what I want.
Having created an Azure account and Active Directory service, I found that only users within the tenant can use this, which makes it rather useless, requiring users to be added manually from the Azure panel.
AADSTS50020: User account 'm#****.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'c0193dea-5145-430a-9c90-325f1229a1fc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
So I'm back at square one, how can I achieve what I described?
I'm not looking for a code implementation, merely a description of how to navigate the monstrosity of Microsoft.
Thank you
Update: According to Marc's link, I tried to flick the multi-tenant option and change the endpoint to use common instead of the tenant id. Sadly I'm still getting the same error.
You cannot sign-in to AAD with a non-AAD account using the v1 Endpoint. If you want to use a consumer Microsoft Account (#outlook.com, #hotmail.com, #live.com) then you need to use the Converged Auth model provided by the v2 Endpoint.
I have a walkthrough for the v2 Endpoint that you might find helpful: Microsoft v2 Endpoint Primer. It is similar to the v1 Endpoint but you'll need to register via https://apps.dev.microsoft.com rather than the Azure Portal. Also, v2 apps use Scopes instead of Resources and are multi-tenant out of the box.
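The request shapes behind the v2 endpoint the answer points to, as an added example (not the answer's or Microsoft's code): scopes instead of a resource, `offline_access` for the refresh token a server-side sync job needs, and a helper that reads the AADSTS code out of an error body like the one in the question. client_id, redirect_uri and the error text are constructed placeholders.

```python
"""v2 ('converged') endpoint request builders and AADSTS error decoding."""
import re
from urllib.parse import urlencode

V2_AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"

def v2_authorize_url(client_id, redirect_uri, scopes, state):
    """Interactive sign-in URL. v2 asks for *scopes*, not a single resource;
    'offline_access' is what yields the refresh token a background job
    redeems later without the user present. `state` ties the callback to the
    session that started it and must be checked when the user comes back."""
    params = {
        "client_id": client_id,            # placeholder app id in the tests
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{V2_AUTHORITY}/authorize?{urlencode(params)}"

def v2_refresh_request(client_id, client_secret, refresh_token, scopes):
    """Form body the server-side job POSTs to /token for a fresh Graph access
    token; no user interaction, which is the sync requirement."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }

def aadsts_code(error_body):
    """Return the numeric AADSTS code from a token-endpoint error, or None."""
    m = re.search(r"AADSTS(\d+)", error_body.get("error_description", ""))
    return int(m.group(1)) if m else None

# Calendars.Read is the Graph delegated scope for reading a user's calendar
GRAPH_SCOPES = ["offline_access", "https://graph.microsoft.com/Calendars.Read"]
```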
This is too broad a question for Stack Overflow. That said, you're incorrect about Azure AD. It is absolutely not limited to a single tenant. You do however need to register it as a multi-tenant application:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern
How could I use AAD Graph API to determine whether guest invitations are allowed for a tenant? Specifically I'm looking for information about how to attain the settings listed here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations#control-who-can-invite.
AFAIK, both Azure AD Graph and Microsoft Graph don't support this feature at present. If you want this feature in the future, you can submit feedback via Feedback for Azure Active Directory or Feedback for Microsoft Graph.
I got Azure AD B2C up and running in my ASP.NET Core web app. But I wonder what's the best way to actually approve new users when they sign up? Is there anything built-in?
Now, anyone can click on Sign-Up link and there you go, you provide your data and click a button. And you're in my tenant Azure AD B2C directory! Now, I'd like to have some control over this.
Did I mention every user costs $1/month when you want to customize the Azure AD UI??? (as far as I understand it, correct me if I'm wrong). So if someone goes and signs up 1000 users I'll have to pay $1000 for it??
At this time there is no built-in support for user sign-up approval workflows.
You can achieve this by:
Having a custom attribute to determine whether a user has been "approved" or not. You would let users sign up by themselves and you would create an experience or flow that queries the Azure AD Graph for users that haven't been "approved" and then either approve them or delete them.
Building an invitation flow. When you invite a user, you'd create the user through the Azure AD Graph. You would then direct your users to the Password Reset policy as their "account verification" flow.
As for your pricing question, if you customize the UI via the newer unified sign-up/sign-in policies, you'll only pay the regular Azure AD B2C pricing model: between $0.0011 and $0.00063 per user depending on how many you have.
Customizing the UI in the older sign-up policy is not really available. As a workaround, you can use Azure AD Premium's company branding feature which is the one that costs $1 per user. If this is the route you are pursuing, I'd recommend voting for this ask: Fully Customizable Sign-In Page.
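The first approach in the answer above (a custom "approved" attribute, then a job that queries Azure AD Graph for unapproved users), as an added example that is not the answer's code. Azure AD Graph exposes B2C custom attributes as `extension_<extensions-app-id-without-dashes>_<Name>`; the app id, the user records and the use of `createdDateTime` on the user object are constructed assumptions.

```python
"""Triage self-service B2C sign-ups by an 'Approved' custom attribute."""
from datetime import datetime, timedelta, timezone

EXT_APP_ID = "11111111222233334444555555555555"   # placeholder, not a real app id
APPROVED_ATTR = f"extension_{EXT_APP_ID}_Approved"

def is_approved(user):
    # A missing attribute means the user signed up but nobody has approved them.
    return user.get(APPROVED_ATTR) is True

def triage_signups(users, now, grace=timedelta(days=7)):
    """Sort Graph user objects into approved / pending / stale buckets.
    Stale = unapproved and older than `grace`; the answer suggests deleting
    those so unvetted self-service accounts do not accumulate in the tenant."""
    out = {"approved": [], "pending": [], "stale": []}
    for u in users:
        if is_approved(u):
            out["approved"].append(u["objectId"])
            continue
        created = datetime.fromisoformat(u["createdDateTime"].replace("Z", "+00:00"))
        bucket = "stale" if now - created > grace else "pending"
        out[bucket].append(u["objectId"])
    return out

def approval_patch():
    """Body for the PATCH on the user that flips the flag (the only field sent)."""
    return {APPROVED_ATTR: True}

SIGNUPS = [  # constructed records in Azure AD Graph's user shape
    {"objectId": "u1", "createdDateTime": "2019-01-01T00:00:00Z", APPROVED_ATTR: True},
    {"objectId": "u2", "createdDateTime": "2019-01-20T00:00:00Z"},
    {"objectId": "u3", "createdDateTime": "2018-12-01T00:00:00Z", APPROVED_ATTR: False},
]
NOW = datetime(2019, 1, 22, tzinfo=timezone.utc)
```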