How to get azure account by app name or client id and secret id? - azure-active-directory

How to find out which account was used to register outlook app in azure?
I have the app name, creation date, API client ID and API secret ID but cannot find the account which was used to register the app to be able to manage it.
It's production app with thousands of users connected so disconnecting all users and creating new one is the last option...

You can log in to the Azure portal using any user account which belongs to your AD.
Go to Azure Active Directory -> App registrations -> find your application by using the app name or client ID -> click Owners under the Manage section -> you will find the owner of the application.
Update:

Related

Strapi V4 Modify user data saved after login with Microsoft Provider

I'm using Strapi V4 and have configured Microsoft Azure Active Directory as the provider to log in. By default, this extracts basic information like the user's email and saves it to the Strapi User. Active Directory provides additional fields, like user groups and roles, and I'd like those values to be saved on the Strapi User too. Each time the user logs in I'd like it to update the Strapi user record in case the user's Active Directory values change.
How do you modify the core user record information that is saved when using a custom provider?
You can set up a webhook that will periodically sync the group membership from Azure AD to Strapi.
To set up a webhook that will periodically sync the group membership from Azure AD to Strapi, you will need to follow the steps which include installing and configuring the Azure AD integration plugin for Strapi, creating a subscription using the Azure AD Graph API, and creating a server-side script to handle the incoming webhook request and update the user roles in Strapi.
You would like to connect with Strapi for the script and webhook setup.
Thanks

Azure AD OpenId Connect for users of SaaS Application

I am migrating an "On-Premise WinForms App" to a "Multi-tenant SaaS App" written in ASP.NET CORE. The SaaS application will be used by multiple tenants and the tenants don't see each other's data. In our legacy product, user profiles and credentials were stored in each customer's database and the CUSTOMER could add/remove users from the system, as they saw fit.
In a web environment, it looks like an Identity Provider is the suggested route, by separating the user profiles and credentials from the application data itself. However, much of our data is tied to a UserId, so it's important to know which USER created a record.
Now, in Azure AD, the setup would put ALL users from ALL CUSTOMERS into one Azure AD. I don't particularly have an issue with that, but HOW do I know what CUSTOMER the USER account belongs to?
For example, customer ACME has 2 users: Bob and Bill. My other customer FOOBAR has 2 users: Jean and Jack. If Jean authenticates against Azure AD, I need to know a unique ID for FOOBAR, so I can filter data in the web application. When Azure AD sends back an IDToken from OpenId Connect, the TenantId in the claims is the TenantId of my company, NOT a tenant identifier for the CUSTOMER.
What is the recommended setup if we are going to deploy a multi-tenant SaaS application and use Azure AD for Authentication and still control which users can access the application? Azure Active Directory B2B?
You group users using security groups (one per customer) and configure group claims so that you get them in the tokens.
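One way to act on that answer in the application, as an added example that is not part of the original thread: after the OIDC library has validated the id_token, map the `groups` claim to exactly one customer and fail closed otherwise. The group object IDs and the customer table are constructed placeholders; the `_claim_names` handling covers the group-overage case, where Azure AD omits `groups` from the token because the user is in too many groups and the caller has to resolve them through Microsoft Graph instead.

```python
"""Resolve a SaaS customer from the Azure AD group claim in a validated id_token.

Added example, not code from the original answer. Assumes the token has already
been signature-validated and decoded into a dict of claims by your OIDC library.
"""

# Constructed mapping: one Azure AD security group object id per customer.
GROUP_TO_CUSTOMER = {
    "11111111-1111-1111-1111-111111111111": "ACME",
    "22222222-2222-2222-2222-222222222222": "FOOBAR",
}


class CustomerResolutionError(Exception):
    """Raised when the claims do not identify exactly one customer."""


def resolve_customer(claims: dict) -> str:
    """Return the customer id for a validated set of id_token claims.

    Fails closed: a user in no customer group, or in more than one, is rejected
    rather than silently assigned. When the user is in too many groups to fit in
    the token, Azure AD replaces `groups` with `_claim_names`/`_claim_sources`
    (group overage); that must be resolved via Microsoft Graph, so it is surfaced
    as an error here instead of being treated as "no groups".
    """
    if "groups" in claims.get("_claim_names", {}):
        raise CustomerResolutionError(
            "group overage: fetch the user's groups from Microsoft Graph")
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        raise CustomerResolutionError("groups claim is not a list")
    customers = {GROUP_TO_CUSTOMER[g] for g in groups if g in GROUP_TO_CUSTOMER}
    if len(customers) != 1:
        raise CustomerResolutionError(
            f"expected exactly one customer group, found {sorted(customers)}")
    return customers.pop()


if __name__ == "__main__":
    # Constructed claims for Jean: member of FOOBAR's group plus an unrelated
    # group that is not mapped to any customer.
    jean = {
        "oid": "00000000-0000-0000-0000-000000000001",
        "groups": [
            "22222222-2222-2222-2222-222222222222",
            "99999999-9999-9999-9999-999999999999",
        ],
    }
    print(resolve_customer(jean))  # FOOBAR
```

Every data query in the application should then be scoped by the returned customer id, and the groups themselves should be managed in Azure AD, never by trusting a customer identifier sent by the client.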

Refer applicationID of Azure AD Service principal

When an application is registered to Azure AD via consent, a service principal is created. The application object resides in another tenant.
From my understanding, the applicationID refers back to the application object.
When the application object resides in another tenant, is it possible to find out in which tenant based on the applicationID? Or maybe there is another value on a service principal which is an indicator of where the application object resides (if it's not an app registration).
BR
Thomas
Yes, you can. But you need to make sure the service principal is in your tenant.
Navigate to the Azure Active Directory-> Enterprise applications in the portal. Search for the APPLICATION ID (select the Application Type with All Applications option), then you will find the service principal, copy the OBJECT ID.
Then navigate to the MS Graph Explorer and call the MS Graph API Get servicePrincipal as below; in the result you will find "appOwnerOrganizationId": "xxxxxxxx", "publisherName": "Organization name", which are the tenant ID and name you are looking for.
GET https://graph.microsoft.com/beta/servicePrincipals/{OBJECT ID}
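The two portal procedures on this page (finding the owners of an app registration by client ID, and finding which tenant owns the application object behind a service principal) can both be done against Microsoft Graph by filtering on `appId`. The following is an added example, not code from either answer: it builds the Graph queries with the standard library, reads `appOwnerOrganizationId` from the service principal and compares it with your own tenant ID, and takes a `fetch` callable so the parsing can be exercised on constructed responses without a token. The tenant IDs and app IDs used are constructed placeholders.

```python
"""Look up an app registration's owners and a service principal's home tenant
by appId via Microsoft Graph. Added example, not from the original answers.
Assumes a bearer token with Application.Read.All (or equivalent) when used live.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def odata_quote(value: str) -> str:
    # OData string literals are single-quoted; an embedded quote is doubled.
    return "'" + value.replace("'", "''") + "'"


def by_app_id_url(resource: str, app_id: str, select=None) -> str:
    """URL that finds an `applications` or `servicePrincipals` object by appId."""
    params = {"$filter": f"appId eq {odata_quote(app_id)}"}
    if select:
        params["$select"] = ",".join(select)
    return f"{GRAPH}/{resource}?" + urllib.parse.urlencode(params)


def graph_get(url: str, token: str) -> dict:
    """Live fetcher: one authenticated GET returning the decoded JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def single_result(page: dict) -> dict:
    """A filter on appId must match exactly one object; anything else is an error."""
    values = page.get("value", [])
    if len(values) != 1:
        raise LookupError(f"expected exactly one object, got {len(values)}")
    return values[0]


def classify_service_principal(sp: dict, my_tenant_id: str) -> str:
    """'home' if the application object lives in my tenant, 'foreign' if it
    lives in another tenant, 'unknown' if Graph reports no owner organization."""
    owner = sp.get("appOwnerOrganizationId")
    if not owner:
        return "unknown"
    return "home" if owner == my_tenant_id else "foreign"


def find_app_owners(app_id: str, fetch) -> list:
    """Owners of the app registration (application object) with this client id."""
    app = single_result(fetch(by_app_id_url("applications", app_id, ["id", "displayName"])))
    owners = fetch(f"{GRAPH}/applications/{app['id']}/owners")
    # Owners are directoryObjects; users carry userPrincipalName, others only id.
    return [o.get("userPrincipalName") or o.get("id") for o in owners.get("value", [])]


def service_principal_origin(app_id: str, my_tenant_id: str, fetch) -> dict:
    """Where the application object behind this service principal resides."""
    sp = single_result(fetch(by_app_id_url(
        "servicePrincipals", app_id,
        ["id", "displayName", "appOwnerOrganizationId", "publisherName"])))
    return {
        "displayName": sp.get("displayName"),
        "publisherName": sp.get("publisherName"),
        "appOwnerOrganizationId": sp.get("appOwnerOrganizationId"),
        "origin": classify_service_principal(sp, my_tenant_id),
    }


if __name__ == "__main__":
    import os
    token = os.environ.get("GRAPH_TOKEN", "")       # assumption: token supplied by caller
    my_tenant = os.environ.get("MY_TENANT_ID", "")  # assumption: your tenant id
    live = lambda url: graph_get(url, token)
    print(find_app_owners("00000000-0000-0000-0000-00000000abcd", live))
    print(service_principal_origin("00000000-0000-0000-0000-00000000abcd", my_tenant, live))
```

A service principal whose `appOwnerOrganizationId` differs from your tenant is a multi-tenant app consented into your directory; its owners and secrets are managed in that other tenant, so the app-owner lookup only applies to registrations whose origin is `home`.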

Microsoft Graph Azure AD User Out Of Sync

When I log onto the Microsoft Graph Explorer with my Microsoft account and run the following query https://graph.microsoft.com/v1.0/users/ I get the correct user returned.
On Azure AD (using the same login) I created an application with a key and when I sign in through C# using Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredentials with a token for resource https://graph.microsoft.com and run the same query I get a completely different user. They are out of sync and I'm baffled.
Any ideas? Should I create a new Azure account as I've had the Azure account from day 1 and I'm only doing this now to test for a client request.
Don't create a new Azure account. When you are using Graph Explorer, are you signed in with a user from your Azure AD tenant? If not, Graph Explorer will default to use a demo tenant for your queries.
Also (if you have more than one tenant) you need to make sure that you select the correct tenant as part of the token acquisition (from https://login.microsoftonline.com/{tenantId | tenantDomain}). If you want the results to match between Graph Explorer and your app, the tenant the signed-in user belongs to (for the Graph Explorer case) and the tenant used by your app need to be the same.
UPDATE based on comment below:
I think I know what's going on here. In graph explorer, you are signing in with your personal account - and it's showing you profile data of that personal account, including the unique ID for this account in the Microsoft Account system. In this case you aren't signing into an Azure AD tenant at all. Microsoft Graph supports access from both personal and commercial accounts.
Now, additionally, I'm guessing when you signed up for an Azure subscription, you used this personal account. When you do that, it creates an Azure AD tenant, and creates a guest user in that tenant that is (linked to) your personal account - this account is also configured as an admin account. This mechanism allows you to sign in with your personal account (authenticated by the Microsoft Account system) into an Azure AD tenant, because the personal account maps to this guest user in your tenant. In your application, you are getting an app token to your Azure AD tenant. When you query the tenant for users, you don't see any user with the same id or email address as you did with graph explorer. However if you actually look at the userPrincipalName, you'll see it should be a mangled form of the original email address of your personal account. This indicates that this Azure AD user account in your tenant is a guest/external user (similar to a foreign principal).
Hope this helps,
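The mangled userPrincipalName the answer describes has a fixed shape for B2B guests: the `@` of the original email is replaced by `_` and the suffix `#EXT#@<tenant default domain>` is appended. The following is an added example, not code from the original answer: it classifies users returned by the Graph `users` query as members or guests, preferring the `userType` property where present and falling back to the UPN pattern, and recovers the original external address. The user records are constructed sample data.

```python
"""Tell Azure AD guest (external) users apart from members in a Graph /users
response. Added example, not from the original answer; sample users are constructed.
"""
from typing import Optional, Tuple

EXT_MARKER = "#EXT#@"


def parse_external_upn(upn: str) -> Optional[Tuple[str, str]]:
    """For a guest UPN such as 'jean_foobar.com#EXT#@contoso.onmicrosoft.com'
    return (original_email, host_tenant_domain); None for a normal member UPN.

    The original local part may itself contain '_', but a DNS domain cannot, so
    the last '_' before the marker is the one that replaced the original '@'.
    """
    if EXT_MARKER not in upn:
        return None
    mangled, host_domain = upn.split(EXT_MARKER, 1)
    if "_" not in mangled:
        return None
    local, domain = mangled.rsplit("_", 1)
    return f"{local}@{domain}", host_domain


def is_guest(user: dict) -> bool:
    """Graph's userType ('Member'/'Guest') is authoritative when the token was
    allowed to read it; otherwise fall back to the UPN shape."""
    user_type = user.get("userType")
    if user_type:
        return user_type.lower() == "guest"
    return parse_external_upn(user.get("userPrincipalName", "")) is not None


def partition_users(users: list) -> Tuple[list, list]:
    """Split a /users 'value' list into (members, guests) by userPrincipalName."""
    members, guests = [], []
    for u in users:
        (guests if is_guest(u) else members).append(u["userPrincipalName"])
    return members, guests


if __name__ == "__main__":
    # Constructed sample of what the tenant query in the question might return.
    sample = [
        {"userPrincipalName": "alice@contoso.onmicrosoft.com", "userType": "Member"},
        {"userPrincipalName": "jean_smith_foobar.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest"},
        {"userPrincipalName": "bob_outlook.com#EXT#@contoso.onmicrosoft.com"},
    ]
    print(partition_users(sample))
    print(parse_external_upn(sample[1]["userPrincipalName"]))
```

In the situation described in the answer, the personal account used with Graph Explorer would show up in the tenant listing only as the guest entry with the `#EXT#` suffix, which is why the object IDs never match.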

No subscriptions found in the old Azure portal

I am using a Visual Studio account in Azure. I have created a new user and given admin access to the Active Directory to this user. I also added this user as the owner to the subscriptions I had.
I now log in as this user into the new portal. I can see the subscription that I have. However I do not see the icon for Azure Active Directory. Therefore I try to log in to the old portal. This time I get stopped by a "No subscriptions found" prompt which does not let me go any further.
What is going on? Why is there such a discrepancy between the two sites?
The classic (i.e. old) site only works with the old access model (service admin and co-admin), and requires at least one subscription to get into the site. The new site uses the fine-grained RBAC model (owner, contributor, etc...), and does not require any subscription just to get in to the site.
Adding a user as an 'Owner' in the new Azure portal does not make them a co-administrator, and thus, does not give them access to the classic portal:
The owners you added through the Azure portal cannot manage services in the Azure classic portal.
In order for your new user to get into the classic Azure portal, they need to have service admin or co-admin access to an Azure subscription. You can do one of the following:
Add the new user as a co-admin to your existing subscription (you would do this in the classic portal)
Make the new user the service admin for the subscription
Transfer the entire subscription to the new user (which also makes the new user the account admin)