I'm new to managing a small company using Intune and Azure Active Directory. I need to create an email alias (info#, webmaster#, etc) and have those emails go to a specific user. I created a group with the email alias I want to use but this appears to be more of a shared email box that has to be logged into.
Can someone help me or point me to the correct MS docs to accomplish this?
I've tried googling for the answer to this question but maybe I'm not using the correct search terms.
You could add email alias in Microsoft 365 admin center.
Please refer to the detailed steps: Add email aliases to a user。
Note the step 2:
On the Active Users page, select the user > Manage email aliases.
You won't see this option if the person doesn't have a license assigned to them.
So you need to make sure the user has Exchange Online license.
Related
Is it just me who's finding AD group is very complex? ;-(
I have a web service that only allows a certain number of role groups to have access. Say we allow people within role group 'rGroupA' to have access.
At some point, a user logs on to our web server, and we have the user name. However, we would not like to ask the user to type in the password.
Is it possible for us to know if this user belongs to 'rGroupA' somehow?
Currently, I could logon our LDAP server with my username and password and see the list of groups I am in. However, I could not search for the groups for my colleagues.
I have searched google for a while but haven't found the answer. It could be that I don't understand LDAP mechanism very well.
Many thanks!
So... this question is maybe not solely a programming question but I hope one of you can shed some light on my issue:
The base need we have in our software is to query the groups a user is associated too with
LDAP. For this task we actually use parts of LDAP Admin to query the user. Actually we want to query for the UserPrincipalName which at least to my knowledge is the most common way right?
So.. our problem is that the AD is setup such that the user has an UPN like foo#HUS
but the user actually is bound to the domain HUS.adomain.com (aka LDAP base: dc=HUS,dc=adomain,dc=com) and searching using an UPN like foo#HUS.adomain.com does not work - only foo#HUS works. So... the question is:
Is this common?
And is there a name/resource for that?
(sorry I'm quite new to that all...)
The goal would be to use as less parameters in the administration tool as possible
aka only the base (and form from the base the UPN username).
Update: I found at least one resource (in German) that states that this is possible but not recommended by Microsoft for Azure AD. (aka having a different mail address than UPN )
When you initiate a LDAP search using a UPN like foo#HUS.adomain.com it wont work because this value is not present in the userPrincipalName value. When you search for a user by building its UPN using all the domain suffix available in the forest, then you would not consider searching the userPrincipalName attribute.
It is very difficult to build every constructed attribute from base for querying because every Active directory environment would be different. As you have mentioned that you would like to build the attribute from base, it may work if this is the only AD infra that you are targeting. Every AD infra would have its own ways in which it will be setup.
However if you would want your tool to work in any AD environment you would have to consider some other parameters.
UPN is a editable attribute . An organization can set it up or can create a user without a UPN value. Below is example of user created programmatically by using old ADSI libraries. You can repro the same by removing any users userprincipalName attribute value and the user logon account name as shown in the pictures below.
UPN is an optional attribute and a user account can be present in AD without it as well. Coming back to your specific environment in this environment only foo#HUS works because "HUS" might be setup as a valid domain suffix within the Active directory. You can check this by opening the domain.msc console on any domain controller or a machine with Remote Server Administration Tools installed. You would find the UPN suffix as shown below . I changed it in my environment as shown below.
The value you will add will now show up in the . If you remove HUS from here for example any existing user who have user#HUS userPrincipalName populated will get removed because this is a optional constructed attribute in AD. And you will have to setup this for all the users in the environment . For example check below after I changed the username to dh # HUS .
The userprincipalName value also got populated with the same.
Hope this helps clarify your query and understand more on how to use the native Active directory tools to understand more while you develop your custom LDAP search functionality/tool.
I'm setting up SAML SSO for an application. I have it working except that I'm unable to return a suitable value for the NameID claim. Existing userid's in the application are firstname + last initial so they don't match display names, email addresses, or any of the typical stuff found in Azure AD. I could use a transform to generate that but the available functions don't appear to do what I need.
I could also manually enter the userid in Azure AD and then map the claim to that but I hate to "misuse" an existing field (e.g. putting the userid in user.jobtitle or some such).
I also don't want to have to change everyone's userid in the app to match something that already exists in Azure.
I feel like I'm missing something obvious here since there have to be a lot of apps that don't use a common Azure property as their userid.
Thanks in advance for any help here!
Tom
You can map the attributes & claims present in the active directory to your app fields. For example if user.givenname is present in the active directory and in your app, the field name is firstName, you can achieve this by doing the mapping in manage claim section of User attributes & claims. Same could be done for others fields.
You go into the Enterprise applications > Your App > SAML-based Sign-on > click on edit
I'm building a static website in Azure and want to use this function:
https://learn.microsoft.com/de-de/azure/static-web-apps/authentication-authorization
When I try to invite a user, it explains that an administrator as to accept this invitation, but where does he have to do this? I cannot see an option for this in portal.azure.com
it also seems not to be possible to "preload" the roleassignments to the users. because on the "acccessmanagement" site for this website in portal.azure.com it grants the access to the complete resource in portal.azure.com, but I just want the user to use the website.
Any ideas?
Thanks,
kind regards
If you are following the invitation instructions in that document, you need to copy the link from the "Invite" link box and actually send it to the person.
Navigate to a Static Web Apps resource in the Azure portal.
Under Settings, click on Role Management.
Click on the Invite button.
Select an Authorization provider from the list of options.
Add either the username or email address of the recipient in the Invitee details box. For GitHub and Twitter, you enter the username. For all others, enter the recipient's email address.
Select the domain of your static site from the Domain drop-down.
The domain you select is the domain that appears in the invitation. If you have a custom domain associated with your site, you probably want to choose the custom domain.
Add a comma-separated list of role names in the Role box.
Enter the maximum number of hours you want the invitation to remain valid.
The maximum possible limit is 168 hours, which is 7 days.
Click the Generate button.
Copy the link from the Invite link box.
Email the invitation link to the person you're granting access to your app.
I was wondering how would I go about provisioning a team that will have hundreds of guest users?
I looked at PowerShell and School Data Sync, but it's only possible to add members within the organization. Is there a way to add about 13.000 guests (in an organisation that has 250 employees), without having to add them individually?
It's an EDU tenant.
We would split 13.000 users to multiple teams, so 10k limit will not be reached per team.
Thanks
Well there are two ways to do this. One which you already mentioned - PowerShell - You can add people outside your organization(Guests). Adding guests is a two step process. 1st you need to invite user, 2nd add him to the team. Check this documentation for how to add the guest and how to add bulk users using PowerShell script.
And second option is to use api.
As per my knowledge, you have to add guest users in azure active directory. If you need some special features like MFA then for guest users you can add up to 5 guest users for 1 license otherwise there are no restrictions. In the past I created 132 guest users for my azure account.
Yes, it is possible to add guest users in your Teams organization.
Add guest users as mail contacts in your exchange organization
Add the contacts in to Teams
You can find a short video tutorial prepared in my blog explaining this in the link shown below:
If you are looking for the solution which I explain in my blog, I can help out further in preparing PowerShell script to add all users by PowerShell cmdlet
Add External Contacts in Microsoft Teams
Thanks,
Manu