Can I use Azure services RBAC with on-premise authentication without syncing users to AAD? - azure-active-directory

Can one use ADFS/pass-through authentication to authenticate to an Azure service (the Portal) with on-premise AD without synchronizing user accounts? Can one assign RBAC for an on-premise user to Azure services?
For example, granting the VM Contributor role to an on-premise user without syncing all user information between on-premise AD and AAD.

You need to sync users to Azure AD. Password hashes do not need to be synced, you can use ADFS for login. But you do need to sync users so Azure AD knows what users exist.

Related

Multi-tenant Azure AD User Sync

I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.
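The answer above describes a SCIM endpoint that Azure AD's provisioning service calls, which then translates each request into Microsoft Graph calls against the B2C tenant. The following is an added example, not part of the answer or of Microsoft's sample, showing the translation layer such a service needs: a SCIM core User resource becomes a Graph user with a B2C local-account identity, a SCIM PatchOp (including the `"False"`-as-string booleans Azure AD's client sends) becomes a Graph PATCH body, and the `userName eq "..."` filter Azure AD uses to check for existing users becomes a Graph `$filter` with the value escaped rather than spliced in. The tenant name `contosob2c.onmicrosoft.com`, the sample payloads, and the choice to store the source tenant's `externalId` outside Graph are all assumptions of the example.

```python
"""Translate SCIM 2.0 requests (as sent by Azure AD provisioning) into Microsoft Graph
user operations for an Azure AD B2C tenant. Added example; assumptions are marked."""
import re
import secrets

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed B2C tenant name: local-account identities are issued by the B2C tenant itself.
B2C_ISSUER = "contosob2c.onmicrosoft.com"

# Conservative e-mail check; also rejects quote characters so they never reach an OData filter.
EMAIL_RE = re.compile(r"^[^@\s'\"]+@[^@\s'\"]+\.[^@\s'\"]+$")
# Azure AD checks for an existing user with exactly this filter shape.
FILTER_RE = re.compile(r'^\s*userName\s+eq\s+"([^"\\]*)"\s*$', re.IGNORECASE)

# SCIM attribute path -> (Graph property, converter)
ATTRIBUTE_MAP = {
    "active": ("accountEnabled", lambda v: _as_bool(v)),
    "displayName": ("displayName", str),
    "name.givenName": ("givenName", str),
    "name.familyName": ("surname", str),
}


def _as_bool(value):
    """Azure AD's provisioning client sometimes sends booleans as strings ("True"/"False")."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"unexpected boolean value: {value!r}")


def _flatten(value, prefix=""):
    """Turn {"name": {"givenName": "A"}} into {"name.givenName": "A"} for path-less PatchOps."""
    out = {}
    for key, item in value.items():
        if isinstance(item, dict):
            out.update(_flatten(item, prefix + key + "."))
        else:
            out[prefix + key] = item
    return out


def _primary_email(scim_user):
    emails = scim_user.get("emails") or []
    for entry in emails:
        if entry.get("primary") and entry.get("value"):
            return entry["value"]
    if emails and emails[0].get("value"):
        return emails[0]["value"]
    return scim_user.get("userName")


def scim_user_to_graph_user(scim_user, b2c_issuer=B2C_ISSUER):
    """Body for POST /users in the B2C tenant. The source tenant's externalId is not a Graph
    property; the service keeps it in its own correlation table (assumption of this example)."""
    if SCIM_USER_SCHEMA not in scim_user.get("schemas", []):
        raise ValueError("not a SCIM core User resource")
    email = _primary_email(scim_user)
    if not email or not EMAIL_RE.match(email):
        raise ValueError("a valid e-mail address is required for a B2C local account")
    name = scim_user.get("name") or {}
    return {
        "accountEnabled": _as_bool(scim_user.get("active", True)),
        "displayName": scim_user.get("displayName") or email,
        "givenName": name.get("givenName"),
        "surname": name.get("familyName"),
        "identities": [{"signInType": "emailAddress", "issuer": b2c_issuer,
                        "issuerAssignedId": email}],
        # Random password nobody knows: the account exists for group membership and admin
        # visibility; sign-in happens through federation or a reset flow.
        "passwordProfile": {"forceChangePasswordNextSignIn": False,
                            "password": secrets.token_urlsafe(32)},
        "passwordPolicies": "DisablePasswordExpiration",
    }


def scim_patch_to_graph_update(patch_op):
    """Body for PATCH /users/{id}; unmapped attributes fail loudly instead of being dropped."""
    if SCIM_PATCH_SCHEMA not in patch_op.get("schemas", []):
        raise ValueError("not a SCIM PatchOp")
    update = {}
    for op in patch_op.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("replace", "add"):
            raise ValueError(f"unsupported op: {op.get('op')!r}")
        path = op.get("path")
        changes = {path: op.get("value")} if path else _flatten(op.get("value") or {})
        for attr, value in changes.items():
            if attr not in ATTRIBUTE_MAP:
                raise ValueError(f"attribute not mapped: {attr}")
            graph_prop, convert = ATTRIBUTE_MAP[attr]
            update[graph_prop] = convert(value)
    return update


def scim_filter_to_graph_filter(scim_filter, b2c_issuer=B2C_ISSUER):
    """Only the exact userName-equality filter is accepted; single quotes are OData-escaped."""
    match = FILTER_RE.match(scim_filter)
    if not match:
        raise ValueError("unsupported SCIM filter")
    value = match.group(1).replace("'", "''")
    return (f"identities/any(c:c/issuer eq '{b2c_issuer}' "
            f"and c/issuerAssignedId eq '{value}')")


# Constructed sample payloads, shaped like what Azure AD's provisioning service sends.
SAMPLE_SCIM_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "alice@contoso.com",
    "name": {"givenName": "Alice", "familyName": "Liddell"},
    "displayName": "Alice Liddell",
    "emails": [{"primary": True, "type": "work", "value": "alice@contoso.com"}],
    "active": True,
}
SAMPLE_DISABLE_PATCH = {
    "schemas": [SCIM_PATCH_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}

if __name__ == "__main__":
    print(scim_user_to_graph_user(SAMPLE_SCIM_USER))
    print(scim_patch_to_graph_update(SAMPLE_DISABLE_PATCH))
    print(scim_filter_to_graph_filter('userName eq "alice@contoso.com"'))
```

The existence check is the part worth getting right: Azure AD's SCIM client hands the service an attacker-influenceable string (the userName), and forwarding it into a Graph `$filter` by concatenation is an injection into your own tenant queries; accepting one filter grammar and escaping the value is the cheap fix.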

Why should I use a service principal for machine authentication and not an AAD user?

I know that I have to create a service principal when I need an identity for an app that connects to Azure resources. But if someone asked me "Why not just create an AAD user and authenticate as that user?" I honestly couldn't answer besides "That's not how you do it.".
Can someone give me a proper explanation on why using an AAD service user instead of an app registration would be a bad idea?
A service principal is an application whose tokens can be used to authenticate and grant access to specific Azure resources from a user app, service, or automation tool, when an organization is using Azure Active Directory.
By using a service principal, we can avoid creating "fake users" (similar to service accounts in on-premises Active Directory) in Azure AD to manage authentication when you need to access Azure resources.
The service principal's access can be restricted by assigning Azure RBAC roles so that it can access only a specific set of Azure resources.
So, for better security, we can use a service principal instead of an Azure AD user to authenticate to and access Azure resources.
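The answer's point is that a workload identity should be a service principal whose RBAC assignment is scoped to the resources it actually needs. The following added example (not from the answer or from Microsoft) audits a list of role assignments shaped like `az role assignment list -o json` output and flags two things: privileged built-in roles (Owner, Contributor, User Access Administrator) granted at subscription scope or wider, and ordinary user accounts that look like service accounts by name. The sample assignments, the subscription id, and the `svc-`/`automation-`/`pipeline-` naming convention are constructed assumptions.

```python
"""Audit Azure RBAC role assignments for over-broad scope and users-as-service-accounts.
Added example; sample data and naming convention are assumptions."""
import re

# Scope grammar of Azure RBAC assignments: "/" (root), management group, subscription,
# resource group, or an individual resource under a provider path.
SUB_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"(?:/resourceGroups/(?P<rg>[^/]+))?"
    r"(?:/providers/(?P<res>.+))?$",
    re.IGNORECASE,
)
MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE)

BROAD_LEVELS = ("root", "managementGroup", "subscription")
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Assumed naming convention for non-human accounts that were created as plain users.
SERVICE_USER_PATTERN = re.compile(r"^(svc|automation|pipeline)[-_.]", re.IGNORECASE)


def scope_level(scope):
    """Classify an Azure RBAC scope string; unknown shapes raise rather than pass silently."""
    if scope == "/":
        return "root"
    if MG_RE.match(scope):
        return "managementGroup"
    match = SUB_RE.match(scope)
    if not match:
        raise ValueError(f"unrecognised scope: {scope}")
    if match.group("res"):
        return "resource"
    if match.group("rg"):
        return "resourceGroup"
    return "subscription"


def audit_role_assignments(assignments):
    """Return (principalName, reason) findings for assignments worth reviewing."""
    findings = []
    for a in assignments:
        name, ptype, role = a["principalName"], a["principalType"], a["roleDefinitionName"]
        level = scope_level(a["scope"])
        if role in PRIVILEGED_ROLES and level in BROAD_LEVELS:
            findings.append((name, f"{role} at {level} scope; narrow it to the resource group "
                                   "or resource the workload needs"))
        if ptype == "User" and SERVICE_USER_PATTERN.match(name):
            findings.append((name, "user account used as a workload identity; replace it with "
                                   "a service principal or managed identity"))
    return findings


# Constructed sample, shaped like `az role assignment list -o json` output (subscription id is fake).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "vm-ops-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01"},
    {"principalName": "build-agent", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "svc-deploy@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-prod"},
]

if __name__ == "__main__":
    for principal, reason in audit_role_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: {reason}")
```

In the sample, only `vm-ops-pipeline` (a service principal holding Virtual Machine Contributor on a single VM) passes cleanly, which is the shape the answer recommends; the user-account service identity is flagged twice, once for its Owner-at-subscription grant and once for being a user rather than a service principal.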

Is a connection between Azure AD & Azure AD B2C user accounts possible?

We use Azure AD for our organisation's AD to manage our users. We are also setting up an Azure AD B2C environment for our external websites. As part of this we are allowing our staff to log into these sites using their windows accounts.
Is it possible to manage the staff's B2C user account from Azure AD? For example, in B2C we have setup groups. We would ideally like to be able to create new user accounts in B2C from our Azure AD, and assign users to groups. Is this possible? Or can we only manage these users from only within B2C or through using the Microsoft Graph API?
Finally, when a user is disabled in our Azure AD, would this then prevent their account being used to sign into one of our websites as that user is no longer active in the identity provider?
It is possible if your Azure AD B2C tenant federates with the Azure AD tenant. If the user account is disabled, it won't be able to sign in to any application.

Users from on-prem AD aren't synced to Azure AD as Guest

I have a setup where I have installed the Azure AD on-prem cloud provisioning agent on a Domain joined server. The setup was successful. I followed the documentation here:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-provisioning/how-to-prerequisites
After configuring the agent in Azure AD, Users can only be synced as Member.
Is there a way to sync users as Guest using the provisioning agent?
Also, is there a Microsoft Graph API to validate the agent and do the configuration?
On-prem AD users aren't synced to Azure AD as Guest, and those synced users cannot be Guest users; this is as per design.
You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. Any user sync via AD connect will not be a guest user.

On prem Active directory synced to Azure AD to allow on prem credentials to login to the portal

We have synced our on prem active directory to our Azure instance active directory using Azure AD connect (Express install). We can see the users in Azure from our on prem AD. The sync shows as successful.
Now we would like to use the domain name that we have synced to Azure for user authentication into the Azure portal. The documentation that we have read says this is possible, but we cannot get it to work.
When we try to use an existing AD user we get the message that “We don’t recognize this users ID or password” but if we create a new user in Azure and assign it to our synced AD we can use it to login to the azure portal.
We have searched for a detailed document on using on-prem AD synced to Azure AD for portal login and found some documents that we followed, but they did not help.
Can we use our on prem AD user name and password to allow users to login to the Azure portal?
Thanks for your help
John
Yes, you can use users in Azure AD with the tag "Sourced from: Local Active Directory" to log in to the Azure portal.
The custom domain should be verified.
Password Synchronization should be enabled.
Also, assign coadmin right for at least one subscription to login to Management Portal.