I have a Microsoft Teams free account that I created under an earlier organization name that I now wish to change. This is because my second Teams site undesirably reveals that it exists under the original organization name of my first Teams site.
Now, inviting users to my second Teams site inadvertently discloses to them that I also run the first Teams site. It comes up during certain Microsoft authentication screens. I don't want them to see that; it's distracting. Although both are non-profits, one organization has nothing to do with the other. A new user entering my second Teams site by invitation may feel confused when, upon initial entry, they're presented with my first organization's name.
I've since learned that I can indeed change my original organization name. Creating my first MS Teams site implicitly created the organization by that name within a personal Azure account that uses my credentials. It's at https://portal.azure.com, and my first Teams site shows up in there. It appears as a group within Azure Active Directory (AAD). My personal directory itself bears that initial name of my organization. The same name was automatically applied to the group representing my first Teams site.
Now, the directory itself is identified both by
the organization name, and
a corresponding subdomain name.
Both were the same, except the subdomain had no spaces embedded in it, obviously.
While I can change the directory's organization name, I don't see how to change the URL subdomain name (e.g., MySite.onmicrosoft.com) for my Teams site.
I know Microsoft Teams users aren't ever exposed to that technical subdomain information in normal everyday use anyway. However, that original name does become revealed when a new user is invited to the new Teams site. On the Android app, for example, upon initial login and setup, the new Teams user is asked to tap on the organization name. And there was my first disappointment, because it was the name of the other unrelated organization! After tapping it, users are then led to the correct Teams site that I did intend to make available to them.
That's what prompted me to want to change my organization name.
I was successful with that by changing the organization name under Properties for my directory. THis resolved the issue for the newly authenticated Android Microsoft Teams user.
However, I cannot see how to rename the subdomain itself. And that's important, because PC users at least (or those trying to enter my Teams site from a web browser) are in fact presented with a permissions prompt where that undesired subdomain name appears!
Is there a way to rename the subdomain?
POSTSCRIPT - Guess what? I can create new directories in AAD alongside my original one! What if I move my Teams group from the unrelated directory to a new one I create? Would that be safe? Will my Teams site still be functional?
To answer your edit. a teams organization is associated with a specific azure active directory, even if you have a second directory, i don't believe there is any way to "move" things across. you would have to create everything from scratch.
to answer your general question, you would probably have to create a new directory as you described, then create a new teams, replicate the information, remove all the users from the old teams. and remove them from the original directory. then invite them to the newly created one.
The reason for this is, if you invite someone, you are essentially adding their email / login to your azure tenant. of they have been invited to multiple teams tenants. then when they log into teams there is functionality for them to switch between all the directories that they are a guest of. so they will be able to see it. the only way to remove that is to delete the guest users from azure ad.
Related
We use Azure AD user provisioning, to create and manage users in Salesforce. In itself this is working correctly. But... we have created a new (custom) profile in Salesforce (which Azure AD refers to as role) and this new profile is not being loaded into Azure AD. When creating a new user, we see our old custom profiles, but not the new one.
We started looking in the provisioning logs and saw a lot of "failed" entries. The first part of these logs reads like this:
The name, id, and claim properties of an app role in Azure AD must be
unique. We are unable to update an app role as one or more properties
are not unique. This is most commonly caused by having non-unique role
names in the directory from which roles are being imported.
And then a bunch of non-unique profiles/roles are listed. These are all standard profiles, such as Standard User and System Administrator. They appear twice in the list.
Going back to the screen where we add users, sure enough, these double entries are there as well. Each duplicate being an inactive choice. And: some old custom profiles are shown, also inactive. But not the new one.
This has worked before, as we see the old custom profiles listed. But somewhere/somehow double entries have been added and now we are stuck.
What is the solution? I have no idea on how to remove those duplicate entries from Azure AD. In Salesforce, there are no duplicate profiles. And even if I could remove the duplicate entries from Azure AD, maybe they would be added again on the first provisioning run.
I have a websites agriculture related with info's.
The script is very limited and do not allow me to create a classified section to my website, so, i need to create another one.
For the new website (created on subdomain, but with the same script), if i use the same database, user accounts will be kept?
In fact, that's what interests me. My users from the info's site automatically keep their accounts on the classified site, without the need for another account.
I just want to keep user accounts and nothing else.
enter image description here
The database should keep all of the data in it regardless of how many sites its connected to, however all of said sites can now see and edit it.
We have an application where we store users login name in the format domain\username. We authenticate via windows and then get additional info from our database by matching the domain\username we get from the user to our database.
Now they want to move to the cloud. We authenticate users via apps in Azure AD. However, the user identifier we get back is first.last#domain.com.
I have fiddled around with https://graph.microsoft.com/v1.0/users/email and the select command to try and get the 'old' name. Howev,er I have not yet found out how to get it.
The reason they move to the cloud is that they are merging two ADs. So some users will be DomainA and some DomainB, but in the same tenant. So my first thought was to try and convert the mail to the other format. However, the two different ADs have different naming standards. One has DOMAINA\fila (two first letters from the first name and two first letters from the last name) and the other one has DOMAINB\firlas. Also it feels really ugly to try and solve it that way.
Is it possible to fetch the users loginname formatted as domain\username via Microsoft Graph?
Using the beta edition of Graph, you can obtain the user's domain and username from the onPremisesDomainName and onPremisesSamAccountName properties:
/beta/users?$select=userPrincipalName,onPremisesDomainName,onPremisesSamAccountName
The domain is stored as a FQDN so you'll need to do some translation. For example, domainName.ad.contoso.com might translate to domainName\).
This will give you a workaround so you can match up users with your internal databases. It is however only a temporary solution. Long-term, you really want to migrate to using the userPrincipalName. This is the primary user identifier and guaranteed to be unique within a given tenant.
Azure AD is a little different than the legacy Active Directory. Certain concepts from legacy AD such as Organizational Units (OUs), Group Policy Objects (GPOs), Kerberos Authentication, Lightweight Directory Access Protocol (LDAP), Domain trusts between multiple domains, and several others simply do not exist in the cloud.
Microsoft Docs has substantive info on adding users to VSTS via Active Directory, but I'm not finding specific info on what happens when you delete a VSTS user from AD, or what ripple effects take place when you delete them from VSTS itself. MSFT says removing them from AD may make them still appear in VSTS, but they won't be able to log in, yet also says it may take up to 24 hours for a change in AD to show up in VSTS.
When VSTS is linked to AD, does removing a VSTS user from AD ever remove them from VSTS, or does the user always need to be removed from VSTS manually?
Does removing a user directly from within VSTS remove them from any other place in VSTS like "Assigned To" fields, project teams, security groups... anything?
Are users deleted from AAD when they are deleted from VSTS
No, they are not. AAD is the master list and only when a user is deleted from AAD, are they deleted from other applications, not the other way around. That same user may be present in Office 365 and a long list of other applications or may have been assigned one or more azure resources. As such only from AAD can you completely remove a user.
When deleting does the user stay visible
The user will remain visible in Work Items, Changesets, Git Commits, Build history, Release history. These records are kept for historical purposes and auditability and they remain.
The active configuration such as security group access, license assignments etc will be dropped in 24h.
Regarding the second question, the user will be removed from project teams and security groups, but the Assigned to fields won’t be changed even through assigned to this user.
I have an Azure Active Directory (AAD) set up in my Azure subscription associated with an email address of mine, which we'll call A.
Some time later, I updated my Microsoft Account to use a new email address B as the primary email address, with A being associated with it still so it can still be used and the two email addresses treated as being one.
In AAD there is one user, whose user Id is A which appears not to be able to be changed as it is greyed-out. Attempting to add B fails with the error: You cannot add yourself.
Is there a way I can force the user name of the AAD user to be B instead of A?
The reason I ask is because I am trying to setup an Azure Key Vault in my subscription as it appears to be failing because whether or not I sign in as A or B in Azure Powershell, I am always signed in as B. This then causes this error message, which I appear to be unable to work around:
New-AzureKeyVault : Cannot find the Active Directory object 'B' in tenant
'{Tenant Id}'. Please make sure that the user or application service principal you are
authorizing is registered in the current subscription's Azure Active directory. The TenantID displayed by the cmdlet
'get-AzureSubscription -current' is the current subscription's Azure Active directory.
Can you check that you are using the latest bits for Key Vault PowerShell?
I talked with some folks internally and we believe that an experience like this may be expected if you are using an older version of the PowerShell CMDLETs, but the lastest version should be update to date and not run into the issue you are having.
If you find that you still hit this issue after upgrading, we may have a bug on our side that we should fix.
In that case, my suggestion is for you to create a new Admin User. Then delete the old Admin Account (you may need to Transfer Onwership of your AAD Subscription to the new Admin), and then recreate your account, which will pull the lastest information from that user.
However, I only reccommend trying this after having updated the PowerShell bits.
Please let us know if either of these methods resolves your issues.
Thanks,
Shawn Tabrizi