Are there any differences between logs for sign-in to access one’s own tenant resources and resources of a tenant where the one is invited as guest?
A customer would like to know if they can check their employees activity on different tenant where their employees are invited as guest users by analyzing AAD sign-in logs on Azure Sentinel.
The following is the summary of what I would like to ask.
Activities of the user1#contoso.com that belong to Company1.com will only be logged in company1.com logs.
So, an admin from contoso.com will not be able to track them directly.
However, through Azure Sentinel, you can collect logs from multiple tenants and if someone from company1.com authorizes Sentinel then your admin can see the logs in a single portal.
Related
I've been evaluating Azure Active Directory B2C as a solution for an identity provider I need for an upcoming project.
During my evaluation I noticed the following behavior that I am not sure should be possible:
I am in my B2C tenant and I invite a new guest user. In this case it is for a different email address that I control. This email address has no association to this B2C instance nor the parent AD instance, the Azure account or anything related. It is a throw away account I am using for testing.
I get the invitation sent to that address and log in through a different browser in incognito mode. I create my account and complete that flow.
Now here is where I am slightly concerned with security:
Logged in as this user I am able to do the following:
Log into the B2C instance and see some top level info such as the TenantId, etc...
I do not see other users BUT I can click on the "New Guest User" button ("New User" is greyed out) and can attempt to create/invite users. I am blocked from all the operations I tried but it seems strange to surface this UI.
Even though it said the operation was blocked my invitation to another email address I control actually went through. I was able to go through the invitation flow. There were some errors and it even said the invitation code was not valid... but despite this the invitation completed and I was able to log into the tenant management UI with this new user.
This user was also able to create invitations.
I also see this new user that was invited by the guest in my user list logged in as the account admin.
So my questions are:
Is this by design? Why?
Is this a possible bug?
Can this be blocked?
Why can B2C guest users invite other users and initiate the flow?
Why can B2C guest users even log into the tenant management site?
I can't imagine why a default scenario would allow new users that have not been given any privileges to view your tenant and invite other guests. In my scenario this should not be possible.
The idea of guest users in B2C is to invite other people who can be admins.
These people are not local users.
If you want to invite people to be local users, use a magic link.
I have an app (ASP.Net Classic) that is using Azure AD authentication. Now, we want to allow user outside of the organization to sign in. I read few document B2C and B2B, but I am unable to see which one to good for me.
I am looking that members in the organization should sign in and doesn't have to create new account. One of the option B2B suggested that to add user to in AD as a guest user but this is the manual process, it would be good if it can be automated. Also that doesn't describe how user would send the request to for login info.
It depends on your use case.
Imagine a large company. They have Azure AD for their employees. Now they want some suppliers to have access to their billing system. Those suppliers are guest users. That's B2B.
For guest users, an admin can send an invitation email that contains a redemption link.
B2C is for the customers of the company. They use the company's e-commerce system. They do not need access to the billing system.
B2C is self-service i.e. these users self-register and can change their profile or reset their password.
In our organization, we have been inviting guest users to our AAD Tenant to successfully share resources with our B2B partners. However, we have a fear that there may be some business users that have been oversharing with individuals (e.g. xxx#gmail.com accounts or Business accounts we don't approve of).
We would like to better monitor these scenarios, and I've been able to determine a user's source via the Azure Portal:
Here, we can easily see that this particular user is coming from an External Azure Active Directory.
Is there a Microsoft Graph API or Azure AD API where I can get this information, so we can write some automation around this? Also, is there a way to determine which tenant this user is homed in? I have played around with the Users endpoint a bit, but don't see this information...maybe there is a different endpoint or permissions scope that I need?
Thanks for any assistance!
You cannot get tenant information of a guest user, but we can handle users by domain the user belongs to. you can allow or block invitations to B2B users from specific organizations .Please refer to this document.
We have an application which uses AAD B2B collaboration to invite users. These users are created as guest users in our AAD. This all works great:
Users that have an AAD/Office 365 can use their normal credentials to sign in.
Users that don't have an AAD/Office 365 create their account in the invite redeem process, and can use it to sign in. Microsoft stores these acounts in an external, for us hidden AAD.
Situation:
An organization uses our application. This organization doesn't have an own AAD/Office 365 yet. We invite some employees of this organization in our AAD using their email addresses. They get guest accounts in our AAD.
After a while this organization gets its own AAD/Office 365, for their existing domainname. This domainname was previously used in the email addresses in the invite redeem process.
The AAD admin of the organization creates the AAD, and immediately sees existing user accounts: all the accounts that have been invited are shown in the AAD. He didn't expected this when creating a new AAD, and he doesn't know where they come from.
It appears the external, for us hidden AAD, has become visible to the AAD admin.
The AAD admin might decide to delete these accounts, to start with an empty AAD. As a result the employees aren't able to sign in anymore in our application.
Our application uses the Microsoft Graph API to invite the users.
Is there a way to mark the users in the external hidden AAD in some way to make clear where the accounts are coming from? Like mentioning our organization/application in an existing field?
So to be clear: We don't want to set properties on the guest account. We want to set properties on the user account that an AAD admin sees when he has created the AAD. We want to make clear he must not delete this user, because it's created by/for application X.
No, this is a feature of Azure AD.
A domain owner can choose to take over the hidden Azure AD if they choose to create one later.
They control the domain, and thus control the users so it is up to them.
Now of course if you create an AAD Guest user with a Gmail account, they don't actually get added to a huge hidden Google Azure AD.
If AAD thinks the account is a social account, currently they create a personal Microsoft account transparently for that user (so the user always is in control of their account).
So if you invite users using their work emails, you must expect their domain owner to have control over their users' accounts.
AFAIK, there is no property that you could set.
I have 2 tenants:
One for my organization, where I manage users (A)
One that I manage the applications and permissions (B)
My webapp is on tenant A and I configured authentication on the portal using Azure AD on tenant B.
On tenant B I registered the application with only one permission which does not require admin consent: Windows Azure Active Directory > Sign in and read user profile.
When the user logs in he gets the following error:
AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I believe that this error should not be raised, since the only permission required by the application doesn't required admin.
EDIT
This is the URL that I am redirected to when I try to access the application when I'm not logged in
https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1&scope=openid+profile+email&response_mode=form_post&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654&state=redir%3D%252F
EDIT 2
I found out a solution here:
As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. This will prevent the consent dialog from appearing for every user in the tenant. You can do this from the Azure portal from your application page. From the Settings blade for your application, click Required Permissions and click on the Grant Permissions button.
I don't know why had to do that since I'm only using permissions that don't require admin consent.
There are several potential problems with your setup:
Your authorization request is set to a specific tenant, the one with tenantId d6ac45af-3289-4f79-a826-27824e1c467d. Only users from that tenant will be able to log in. If this tenantId corresponds to the one for your organization, where you manage users (A), then disregard this point. Otherwise you should either replace this with the tenantId of that tenant or with common which will allow users from any tenant to sign in.
Your application is not multi-tenant. For testing purposes, I replaced the tenantId with common and wasn't able to use this with my test tenant due to the following error: AADSTS70001: Application with identifier 'd340f0ed-5eb3-43e8-9a50-c449649f3ee1' was not found in the directory <MY_TEST_TENANT>. This indicates that the application isn't configured as a multi-tenant application. This is something you must explicitly turn on.
Your organization's tenant (A) might have disabled the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be set up in the tenant. To test to see if this is the case, address points #1 (use /common/) and #2 above and try with any other tenant. If you are able to consent with that other tenant but not your organization's tenant, then you'll know that admin consent is required for your organization.
You should check out the How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern article as it explains all of the points above in more detail.
I think that error appears when you are passing "&prompt=admin_consent" in the Login URL.
Even though you are not requesting Admin permissions, if you pass that query string, it will try to show you a consent dialogue so that you can consent on behalf of the whole tenant, which is an operation that only an admin can do.