Is there a way to exclude an access package site from requiring MFA for external users?
No we can't exclude a particular page from Conditional Access MFA.
Please raise user voice on this in Azure feedback portal
Related
I have a web app that uses the Azure Active Directory (AD) login (Microsoft login), where I have a development environment, staging, and production environment.
The AD login works for my development environment, but I am getting an error when I try to use the same login for my staging environment.
The error I am getting is
Your sign-in was successful but did not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location your admin restricts
I am attaching the screenshot for more details. Any help is highly appreciable.
Best Regards,
Janak Darji
I have tried to enter my public IP under the network tab as an allowed IP but that didn't work.
You can follow steps below to find which policy cause the issue.
Sign-in your azure portal, and click Azure Active Directory.
Find the user, and click it.
Find the sign-in logs.
Then you can find the login record. And Click it to check the Conditional Access. You can find which policy block it.
You can disable all the policy for test.
You are being blocked by a conditional access policy
In your Azure AD you can use the What If tool to troubleshoot Conditional Access policies
The Conditional Access What If policy tool allows you to understand the impact of Conditional Access policies in your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
You can find the What If tool in the Azure portal under Azure Active Directory > Security > Conditional Access > What If.
Before you can run the What If tool, you must provide the conditions you want to evaluate.
The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions
Hope this helps!
I have a dotnet 5 Blazor Server-Side website deployed to Azure App Service. I've followed the tutorial at https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service to provide Authentication. Now, any attempt to reach my site requires a login from a user of the Azure AD.
Unfortunately, I haven't been able to find any guidance on how to manage Authorization though. For example, I'd like to restrict access to pages to members of specific groups within the Azure AD. I seem to remember years ago, there was some kind of membership provider database that the site would check.
The kind of thing I'm looking for is to be able to decorate the razor page with the name of an Azure AD group of which anyone attempting to load the page must be a member. Does anyone know of a link that describes the "official" way to achieve this?
Role-based access control (RBAC) a way to authorize applications based on the role permissions granted by the administrator to individual users/groups. Please refer this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
Please refer this link for more details on how you can access the razor pages base on the roles assigned to the users/groups.
I am looking for an Office365 API which enables me to edit the "multi factor authentication" flag for a particular user.
Currently I can do this via logging in to the azure portal (see attached)Check the image for what I am looking for
Currently this is not available via api. I found a vote in azure feedback https://feedback.azure.com/forums/34192--general-feedback/suggestions/32683693-add-mfa-status-to-user-entity-info-returned-by-gra
If MFA authentication needs to be enforced, maybe an alternative would be to have a conditional access policy requiring MFA for a group of users (e.g. the baseline MFA for admins) and check that the user is a member of that group using Graph API.
Today I was trying to add an external user to VSTS and got below error message.
You are trying to invite a user from outside your directory, but
something went wrong. Please try again later. If the issue persists,
please contact support.
I have followed the step mentioned in below link and "External guest access" is enabled.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/add-external-user?view=azure-devops&viewFallbackFrom=vsts&tabs=new-nav
Not sure where I am going wrong with this and looking for a solution.
After signing-out and sign-in again it works.
It seems this happened after password reset for my AAD account.
The reason was a missing refresh of the user AAD token. After
completely signing out from Azue DevOps (deleting all browser caches)
it was working.
Source: https://developercommunity.visualstudio.com/t/you-are-trying-to-invite-a-user-from-outside-your/395999
Before this will work, you need to have the external domain added as an approved domain for collaboration. Then you will be able to invite them to your Office 365/Azure tenant. I had to have this approved through Global Security and then the work was done for our organization.
For future reference, I had a similar issue and discover that Project Collection Administrators/Owners manage the policy: Allow team and project administrators to invite new users.
Source Azure DevOps Documentation
We have a multi-tenant Saas application providing sign in using our username/pwd authentication system and using Azure AD (OAuth 2.0 flows). When a user signs in using Azure AD, we can get the user's profile using https://graph.windows.net/{tenantid}/me. We want however to get more information using the memberOf or getMemberGroups operations to retrieve the user's groups in the tenants directory, to map specific groups from the tenant to an organizational structure in our application. However these operations always fail with a Forbidden statuscode. Are we missing required permissions or is it just not possible to query for the groups and roles of another tenant.
Thanks in advance
This is totally possible, but today requires that you request the "Read Directory" permission. This permission does require and admin of the tenant to consent. We are looking at adding some additional fine grained permissions for Graph API that will allow users to consent (to get group membership information).
Another option for you is to configure your application to request group membership claims (which should appear in any user or JWT token). You can do this by going to the azure management portal and getting to your app's config page. From there download the application manifest file and update the groupMembershipClaims property. You can see most of the properties in the application manifest described here: https://msdn.microsoft.com/en-us/library/azure/dn151677.aspx. Once updated, you can upload this app manifest file, and this will configure your application accordingly. Once done, AAD will issue group membership claims in the token. Dushyant has written a nice blog about authorizing access to a web app, using group membership claims or app roles. You can find it via Alex Simons blog post here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
HTHs