Give storage account access to guest user (External Azure Active Directory) - azure-active-directory

I am using Redgate Data Platform Studio to transfer data from on-premise SQL Server to Azure-hosted SQL Server. This web-based application has the ability to use an Azure Storage account (for data transfer purpose) simply by logging into my company's ADFS. The web application can successfully see storage accounts inside a subscription (let's call it Subscription A) owned by my ADFS user, when I log in to my company's active directory (via ADFS). Let's call my company's AD Directory A.
I also have subscription B owned by a Microsoft account NOT related to my company's Active Directory. This subscription B is managed by another Azure AD Tenant B, with that Microsoft account as the Service Administrator & Owner. To link the two directories, I used B2B State 3 configuration described here. So in Directory B, my Directory A user shows up as Guest User with the Source=External Azure Active Directory.
For the storage accounts in Directory B, I grant the built-in role "Storage Blob Data Contributor" and "Storage Account Contributor" to the Guest User (source=external AAD Directory A). Therefore, in both Microsoft Azure Storage Explorer as well as in portal.azure.com I can see storage accounts inside Subscription B.
BUT if I log in to the Redgate application using Directory A credential (via my company's ADFS), only storage account inside Subscription A shows up in the Redgate application. I already tried giving the guest user in Directory B the following roles to the user, even at the highest Subscription B level, but no luck:
As Co-Administrator
As Contributor
As Storage Account Contributor
As Storage Blob Data Owner
My question: is this the application's limitation of not being able to access subscription in another directory (B), or is there some configuration either in directory A/B and/or subscription A/B that I need to set?

Is this the application's limitation of not being able to access subscription in another directory?
As per the official document and my understanding, you cannot assign your subscription to multiple directories. As said in the official document: "Multiple subscriptions can trust the same Azure AD directory, but each subscription can only trust a single directory". See the screenshot below and refer here.
Note: When you associate a subscription to a different directory, users that have roles assigned using role-based access control (RBAC) will lose their access. Classic subscription administrators (Service Administrator and Co-Administrators) will also lose access. Please check the Important Note here.
If you want to know more details, please refer to these docs.

Related

Not able to access any tabs in AAD

I'm not able to access any tabs in AAD. What could be the issue?
Please check if the points below can be worked around in your case.
Buttons or options being greyed out may be because you may not have had Global Administrator/User Administrator rights on the Azure AD tenant. There are a few roles which can create users within the directory. You may not have any roles within the directory which permit the operations.
Reference: GitHub issue.
Even in Azure AD free edition, one should be able to create users if you have the proper roles.
On completion of the first 30 days of Microsoft Azure's free trial, your 'Free Trial' Azure Subscription will be disabled. To fix this, the subscription needs to be changed to the 'Pay-As-You-Go' plan instead of the 'Free Trial' plan which it is currently on.
For example: for applications under Enterprise applications, one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
You can check Azure AD built-in roles and, by checking the description of each role, assign the required one to manage identity. You can assign Azure AD roles to users to manage identities if you have Global or Role Administrator rights. Approach the admin to assign the roles. Also see custom roles in Azure AD if needed.
Please check if this issue in Microsoft Q&A can relate.
If the issue still remains, you can raise a support request in the Troubleshoot + Support blade.

Restored on premises Domain Controller after hack: How to handle existing AAD accounts that are lost on premises?

We have an on-premises Active Directory. The environment got hacked and the domain controllers were restored to a backup that is clean according to the forensic people.
For better explanation, let's assume the hack occurred on October 1st and the backup it got restored to was from September 1st.
All local accounts that were created and synchronized before September 1st are fine. All local accounts that were created and synchronized between September 1st and October 1st are lost on premises.
A new AADC instance has been installed, configured and is synchronizing happily. For some reason, the accounts created after September 1st and before October 1st were not deleted in the cloud when AADC started synchronizing again. We do not know why. They do not exist on premises any more, though.
These local accounts are supposed to be created again so they can access on-premises resources.
I looked at Microsoft documentation about soft/hard matching in AADC: Azure AD Connect: When you already have Azure AD | Microsoft Docs
It states that objects newly imported to AADC will be hard matched or soft matched if possible, and afterwards AAD will mark them as "Directory synced". It also states:
The match is only evaluated for new objects coming from Connect. If you change an existing object so it is matching any of these attributes, then you see an error instead.
My question is: if we have those accounts in the cloud that are marked as "Directory synced" and create them on premises, will this be considered a "new object" by AADC and hard matched or soft matched? Or will this cause duplicate accounts in the cloud, or the error mentioned above?
If we stop the AADC sync service locally, create the accounts on premises, assign those newly created on-premises accounts the same "sourceAnchor/immutableID" value as the cloud object and restart synchronization, will this work or will it cause an error?
Thanks!!!
• First, reverse synchronization, i.e., synchronization of user identities from Azure AD to on-premises AD, is not possible as of today, even using Azure AD Connect. There are only a few attributes that can be written back, and that's mostly for hybrid configurations, and passwords if you have the corresponding feature (and licenses) enabled. So, in your case, only if you have enabled 'password writeback' and 'password hash synchronization' in Azure AD Connect can you edit these properties of the on-premises users through Azure AD. Also, if that's what you want, you can simply export the list of users via PowerShell (Get-MsolUser/Get-AzureADUser) or the Graph API, along with any relevant attributes, then use the exported data to recreate them in AD (again, PowerShell helps). You cannot export passwords. Once the export/import is done, you can "match" the on-premises users with the cloud ones and give them the SSO experience. This process is known as soft match. The other type of syncing between the two environments is called hard match. You can find more details in the link below:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant#sync-with-existing-users-in-azure-ad
• But there is a way you can try, as given in the links below: create those users who were created during the month for which no backup is available, and ensure their domain suffix, email and alias attributes are identical to those synced to Azure AD during that month. Thus, when you create identical users (primary SMTP, email, alias and domain suffix), you may be able to sync these users' identities once again to the same identities synced (created) in Azure AD earlier. Please refer to the links below for the detailed steps to follow:
https://support.microsoft.com/en-us/topic/how-to-use-smtp-matching-to-match-on-premises-user-accounts-to-office-365-user-accounts-for-directory-synchronization-75673b94-e1b8-8a9e-c413-ee5a2a1a6a78
https://www.slashadmin.co.uk/how-to-sync-an-existing-office365-tenant-into-a-new-active-directory-domain/
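To make the two matching modes the answer names concrete, here is an added example (not code from the answer or from Microsoft) that predicts, from an exported cloud user and a recreated on-prem user, whether Azure AD Connect would hard match, soft match, or refuse. It assumes sourceAnchor is objectGUID, in which case the cloud ImmutableId is the base64 of the GUID's 16 bytes in AD's storage order (what .NET `Guid.ToByteArray()` and Python's `bytes_le` give); the matching rules it encodes are a simplified model, and the sample users are constructed.

```python
import base64
import uuid

# Added example, not code from the answer above. It models the two Azure AD
# Connect matching modes the answer names (hard match on sourceAnchor, soft
# match on UPN / primary SMTP) so you can predict, from an exported cloud user
# and a recreated on-prem user, which one will apply before re-enabling sync.
# Assumption: sourceAnchor is objectGUID (Azure AD Connect's classic default);
# the cloud ImmutableId is then the base64 of the GUID's 16 bytes in the order
# AD stores them, which is what .NET Guid.ToByteArray() and Python's bytes_le
# give. Tenants using ms-DS-ConsistencyGuid hold that same value there.


def immutable_id_from_object_guid(object_guid: str) -> str:
    """ImmutableId a synced cloud user carries for this on-prem objectGUID."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse mapping: the on-prem objectGUID a cloud ImmutableId points at."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))


def predict_match(cloud_user: dict, onprem_user: dict) -> str:
    """Simplified model of how Azure AD Connect treats a *new* on-prem object.

    "hard"     cloud ImmutableId equals base64(objectGUID) of the on-prem user
    "soft"     cloud user has no ImmutableId and UPN or primary SMTP matches
    "conflict" cloud user already carries a different ImmutableId although the
               UPN / SMTP matches; the recreated user will not be joined to it
    "none"     nothing to match on
    The attribute set is an illustration; the authoritative rules are in the
    Microsoft docs the answer links.
    """
    expected = immutable_id_from_object_guid(onprem_user["objectGUID"])
    cloud_anchor = cloud_user.get("immutableId")
    if cloud_anchor == expected:
        return "hard"
    upn_match = cloud_user["userPrincipalName"].lower() == onprem_user["userPrincipalName"].lower()
    onprem_smtp = onprem_user.get("primarySmtp", "").lower()
    smtp_match = bool(onprem_smtp) and cloud_user.get("primarySmtp", "").lower() == onprem_smtp
    if not (upn_match or smtp_match):
        return "none"
    return "conflict" if cloud_anchor else "soft"


# Constructed sample data (no real accounts): a cloud user as exported with
# Get-AzureADUser, and the same person recreated on-prem after the restore.
CLOUD_USER = {
    "userPrincipalName": "jdoe@contoso.example",
    "primarySmtp": "jdoe@contoso.example",
    "immutableId": None,  # cleared, so a soft match is the only option
}
RECREATED_USER = {
    "userPrincipalName": "jdoe@contoso.example",
    "primarySmtp": "jdoe@contoso.example",
    "objectGUID": "c3e9a1b2-5d4f-4a6b-9c8d-0123456789ab",  # fresh GUID after recreation
}

if __name__ == "__main__":
    anchor = immutable_id_from_object_guid(RECREATED_USER["objectGUID"])
    print("ImmutableId for recreated user:", anchor)
    print("match mode:", predict_match(CLOUD_USER, RECREATED_USER))
```

The "conflict" branch is the case the question is worried about: a cloud object still marked "Directory synced" carries the ImmutableId of the old, lost on-prem object, so a freshly created on-prem user with a new objectGUID cannot hard match it and will not soft match either until that stale anchor is cleared or the on-prem anchor is set to the same value.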

Can I restrict access to a particular group of MS Teams during app registration in the Azure portal under my tenant?

I have registered an app in AAD and, as an admin, I want to grant users permission to read or access the data of a particular list of groups, not all groups available in my MS Teams account. How can this be achieved? Any idea?
No. Azure AD app registration doesn't provide such a feature that scopes Microsoft Graph application permissions to specific Microsoft Teams/Groups.
The client credentials flow is used as an authorization grant typically when the client is acting on its own behalf. When you grant Group.Read.All or Files.Read.All or other similar application permissions, it means the client has access to all the files/groups across the entire tenant.
You can achieve this by implementing the business logic in your code. For example, provide a configuration file which includes the particular groups'/teams' object IDs, and then restrict users' access to only these groups/teams by checking whether the object IDs (which users are trying to access) are in the configuration file.
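An added example (not the questioner's app or anything Microsoft ships) of the allow-list pattern the answer describes. Because the app's token carries tenant-wide application permissions such as Group.Read.All, the configuration file is the only thing scoping which groups it touches, so the check runs before any Graph request is built and denies by default; the config format, helper names and group object IDs are all constructed for the example.

```python
import json
import uuid

# Added example, not the code of the question's app. Shows the pattern the
# answer describes: the app holds tenant-wide application permissions
# (e.g. Group.Read.All), so the allow-list in its own configuration is the
# only thing scoping which groups/teams it will touch. The config format and
# the helper names are assumptions for illustration.

# Constructed configuration file contents (object ids made up for the example).
CONFIG_TEXT = """
{
  "allowed_group_ids": [
    "3f2b9c1e-7a4d-4e8f-9b21-0a1b2c3d4e5f",
    "8d7c6b5a-4f3e-4d2c-8b1a-9f8e7d6c5b4a"
  ]
}
"""


def load_allowed_groups(config_text: str) -> frozenset:
    """Parse the allow-list; every entry must be a well-formed GUID, and
    entries are normalised to lowercase so comparisons are exact."""
    data = json.loads(config_text)
    allowed = set()
    for raw in data.get("allowed_group_ids", []):
        allowed.add(str(uuid.UUID(raw)))  # raises ValueError on a malformed id
    return frozenset(allowed)


def is_group_allowed(group_id, allowed: frozenset) -> bool:
    """Deny-by-default check to run *before* any Graph call is issued with the
    app's token. Malformed or missing ids are denied rather than passed through."""
    try:
        normalised = str(uuid.UUID(group_id))
    except (ValueError, AttributeError, TypeError):
        return False
    return normalised in allowed


def graph_group_url(group_id: str, allowed: frozenset) -> str:
    """Build the Graph request URL only after the allow-list check passes."""
    if not is_group_allowed(group_id, allowed):
        raise PermissionError(f"group {group_id!r} is not on the allow-list")
    return f"https://graph.microsoft.com/v1.0/groups/{uuid.UUID(group_id)}"


def filter_groups_response(payload: dict, allowed: frozenset) -> list:
    """Reduce a Graph /groups listing (which Group.Read.All returns tenant-wide)
    to the groups the app is configured to expose."""
    return [g for g in payload.get("value", []) if is_group_allowed(g.get("id"), allowed)]


if __name__ == "__main__":
    allowed = load_allowed_groups(CONFIG_TEXT)
    print(graph_group_url("3F2B9C1E-7A4D-4E8F-9B21-0A1B2C3D4E5F", allowed))
    print(is_group_allowed("11111111-2222-3333-4444-555555555555", allowed))
```

Keep the allow-list in configuration that only administrators can change, not in anything derived from the request, otherwise the check is decorative; the `filter_groups_response` helper matters for listing endpoints, where the tenant-wide permission returns every group and the app has to drop the ones it is not meant to expose.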

Change owner of Azure AD

How do you change the owner of an Azure AD directory? I have two accounts and see the tenant/directory I want listed as a directory. I want to transfer the ownership to the other account.
UPDATE
Ok. More information. I had one subscription and created 3 B2C directories. Each time I linked to the subscription, which is part of the process. Apparently you cannot have more than 1 B2C tenant linked to a subscription, so the other two were left "stranded" outside of a subscription. So I had to create a new subscription and associate the B2C directory with it, so it was a resource of the subscription. Then I used IAM to add the 2nd Azure account as a co-administrator of the subscription. I transferred the subscription to the 2nd Azure account.
The biggest authority in Azure AD is Global administrator. If you want to transfer ownership to another user, you only need to give that user Global administrator.

Azure AD Differential query - Detect change in Directory role assignment for a user

I am using the differential query (Azure AD Graph API) to detect changes in Azure AD since the last sync. I am getting all users, group memberships and manager changes. The only missing information is directory role assignment (e.g. Billing administrator, SharePoint administrator, etc.).
How can I detect a change in roles of any user?
API - https://graph.windows.net/{org}/directoryObjects?api-version=1.5&deltaLink=xxxxxttttxxxxxxxx
First, if you have enabled those Directory Roles, you can use AAD Graph API operations on directory roles to list members of those roles.
GET https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version=1.6
But this API can also list service principals which are assigned this role.
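Since the differential query does not report role membership, the practical approach is to poll the role member listing the answer points to and diff successive snapshots, dropping the service principals the answer warns about. Below is an added example (not from the answer) that does this. The two snapshots are constructed in the shape of the non-`$links` `/directoryRoles/{id}/members` response (objects carrying `objectType` and `objectId`) rather than the `$links` form quoted above; that shape, the tenant name and the object ids are assumptions made for the example.

```python
# Added example, not part of the answer above. The differential query in the
# question does not surface directory role membership, so this polls the
# member listing the answer points to and diffs successive snapshots. The two
# payloads below are constructed in the shape of the non-$links
# /directoryRoles/{id}/members response (objects carrying objectType and
# objectId); that shape and the ids are assumptions made for the example.

AAD_GRAPH = "https://graph.windows.net"


def role_members_url(tenant: str, role_object_id: str) -> str:
    """Request URL for the members of one activated directory role."""
    return f"{AAD_GRAPH}/{tenant}/directoryRoles/{role_object_id}/members?api-version=1.6"


def user_members(payload: dict) -> dict:
    """objectId -> UPN for User members only. Service principals that hold the
    role are dropped here because this report tracks people; see sp_members."""
    return {
        m["objectId"]: m.get("userPrincipalName", "")
        for m in payload.get("value", [])
        if m.get("objectType") == "User"
    }


def sp_members(payload: dict) -> dict:
    """objectId -> displayName for the service principals holding the role,
    kept separately so privileged app identities are still visible."""
    return {
        m["objectId"]: m.get("displayName", "")
        for m in payload.get("value", [])
        if m.get("objectType") == "ServicePrincipal"
    }


def diff_role_members(previous: dict, current: dict) -> dict:
    """Per role name, which user objectIds were added or removed between two
    snapshots (dicts of role name -> members payload). A role present in only
    one snapshot counts as fully added or fully removed."""
    changes = {}
    for role in sorted(set(previous) | set(current)):
        before = user_members(previous.get(role, {}))
        after = user_members(current.get(role, {}))
        added = sorted(set(after) - set(before))
        removed = sorted(set(before) - set(after))
        if added or removed:
            changes[role] = {"added": added, "removed": removed}
    return changes


# Constructed snapshots: ids like "u-2" are placeholders for object GUIDs.
PREVIOUS = {
    "Billing Administrator": {"value": [
        {"objectType": "User", "objectId": "u-1", "userPrincipalName": "alice@contoso.example"},
        {"objectType": "User", "objectId": "u-2", "userPrincipalName": "bob@contoso.example"},
        {"objectType": "ServicePrincipal", "objectId": "sp-1", "displayName": "billing-automation"},
    ]},
    "SharePoint Administrator": {"value": [
        {"objectType": "User", "objectId": "u-3", "userPrincipalName": "carol@contoso.example"},
    ]},
}
CURRENT = {
    "Billing Administrator": {"value": [
        {"objectType": "User", "objectId": "u-1", "userPrincipalName": "alice@contoso.example"},
        {"objectType": "ServicePrincipal", "objectId": "sp-1", "displayName": "billing-automation"},
    ]},
    "SharePoint Administrator": {"value": [
        {"objectType": "User", "objectId": "u-3", "userPrincipalName": "carol@contoso.example"},
        {"objectType": "User", "objectId": "u-4", "userPrincipalName": "dave@contoso.example"},
    ]},
}

if __name__ == "__main__":
    for role, change in diff_role_members(PREVIOUS, CURRENT).items():
        print(role, "added:", change["added"], "removed:", change["removed"])
```

Run the diff on every sync cycle and alert on additions to administrative roles; keeping service principals in a separate view rather than silently filtering them out matters because an app identity added to a directory role is exactly the kind of change that is easy to miss.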