O365 - Unable to get Guest user email in SPPagecontextinfo - azure-active-directory

We have leveraged B2B to add 8 domains into one domain. Upon completion of adding other domain users as guest users, they are able to access the SharePoint site successfully. But the user logged in information like login name, Email address & user ID information is empty in SP page context info.
I have tried with a scenario like adding my organization account to the client tenant and verified. I'm able to get the context info about login name, email address & User ID.
Let me know if anyone has faced a similar issue, and whether any configuration needs to be made on the source Azure AD or the new Azure AD.

Related

User assigned Exchange Admin role via Role Enabled Security Group unable to access EAC, but able to use management shell

As the title says, I have a user "User1" in a group "Techs", and "Techs" is a role-enabled Azure AD, cloud-only security group that is assigned the Exchange Administrator, Helpdesk Administrator and Exchange Recipients Administrator roles.
User1 is able to powershell and use most cmdlets for mailbox management, but is unable to access the EAC. Attempting to access EAC sends User1 to a mailbox management page for their own mailbox, and attempting to Edit Mailbox Properties for a user in the Microsoft 365 Portal greets User1 with a 403 forbidden page.
Direct assignment of exchange admin role works, but defeats the purpose of using a group. Anyone else experience this or know how I can fix it?
Currently, it is possible to switch back to the existing EAC (often called the "classic" EAC), but at a future date, the classic EAC will be retired.
But I suggest not using the "classic" EAC for work, because according to my test the methods listed here do not allow the Exchange admin to manage the mailboxes in the tenant.
It's recommended to access the new EAC using these 2 methods:
1. Sign in to Microsoft 365 or Office 365 using your work or school account. In the left navigation pane, navigate to Admin centers > Exchange.
2. You can also get to the new Exchange admin center directly by using the URL https://admin.exchange.microsoft.com and signing in using your credentials.
As the document suggests, be sure to use a private browsing session (not a regular session) to access the Exchange admin center using the direct URL. This will prevent the credential that you are currently logged on with from being used.
In this way, your user which is assigned the Exchange Admin role via group inheritance should be able to access the EAC successfully.

Where to accept invitations in Azure for static web apps?

I'm building a static website in Azure and want to use this function:
https://learn.microsoft.com/de-de/azure/static-web-apps/authentication-authorization
When I try to invite a user, it explains that an administrator has to accept this invitation, but where does he have to do this? I cannot see an option for this in portal.azure.com.
It also seems not to be possible to "preload" the role assignments for the users, because the "Access management" page for this website in portal.azure.com grants access to the complete resource in portal.azure.com, but I just want the user to use the website.
Any ideas?
Thanks,
kind regards
If you are following the invitation instructions in that document, you need to copy the link from the "Invite" link box and actually send it to the person.
Navigate to a Static Web Apps resource in the Azure portal.
Under Settings, click on Role Management.
Click on the Invite button.
Select an Authorization provider from the list of options.
Add either the username or email address of the recipient in the Invitee details box. For GitHub and Twitter, you enter the username. For all others, enter the recipient's email address.
Select the domain of your static site from the Domain drop-down.
The domain you select is the domain that appears in the invitation. If you have a custom domain associated with your site, you probably want to choose the custom domain.
Add a comma-separated list of role names in the Role box.
Enter the maximum number of hours you want the invitation to remain valid.
The maximum possible limit is 168 hours, which is 7 days.
Click the Generate button.
Copy the link from the Invite link box.
Email the invitation link to the person you're granting access to your app.

Azure AD account had option to send password to another email address - where is this address in user's Azure AD?

I was just recently created as a new user in Microsoft 365 Admin Center (https://admin.microsoft.com/) and during account creation, when setting up password, there was a field to send the password /setup details to me through another email address (my previous email address, outside O365).
I received my new account notification at this other email address, and now this email address gets notifications etc. but when we look at my Azure AD membership, I can't find where this email address is configured in the settings. Where is this forwarding address being stored?
We checked Azure Admin portal (portal.azure.com) Authentication contact info for my entry and it's not filled in.
It's not in Manage User Name or contact information in the https://admin.microsoft.com/Adminportal/Home#/users page
It's not in my account profile anywhere in https://portal.office.com/account/#personalinfo
Totally stumped! Apologies if the answer is obvious.
Mystery solved: The forwarding was happening through billing notifications setup:
https://admin.microsoft.com/AdminPortal/Home#/BillingNotifications
Did you check in the account profile under Security and privacy? There is an email field there as well: https://portal.office.com/account/#security
If it is not there, then there is a different spot:
Make sure you're logged into portal.office.com, then go to https://myaccount.microsoft.com/ and click Security info. Enter your password again, and there is an authentication email there as well.
Hope this is what you're looking for.

IdentityServer4 Add Tenant Claim after Authentication

I have a multi-tenant scenario in which one email can be associated with multiple tenants.
I've thus configured a custom AccountChooserResponseGenerator that inherits from the built-in AuthorizeInteractionResponseGenerator class.
After the user authenticates, the UI correctly diverts the user to an Account Chooser view, which lists the tenants the email address is associated with. The idea being that the user must now select the Tenant he/she wants to log in to, and then get redirected to that Tenant's URI.
My problem though is that I can't figure out how, after selecting a Tenant, I can add that Tenant Id as a Claim to the token that gets passed to the app from IdentityServer (multiple tenants could share the same URL so I need something in the token to know which Tenant has context).
So in the AccountChooserController.TenantSelected(long tenantId) method, I'm expecting to be able to add this tenantId to the User Claims, but it does not seem like this is supported.
Please advise if this is possible, and how?
Put the tenant information into the cookie when calling SignInAsync - you can then retrieve it from your profile service.

Unable to login to Office 365 with AD FS alternative login

I configured an AD FS 3.0 server and proxy and federated this with Office 365.
The Active Directory domain name is domain.local; the users' email address is domain-plus.be. It's not an option to change the users' UPN, so I chose to configure the alternative login ID for Office 365. I also changed the Microsoft Office 365 Identity Platform claim following this post.
That way users would be able to log in to AD FS with their email address user@domain-plus.be without changing the UPN.
Now I'm experiencing the following situation:
When I log in to a domain-joined computer and add the AD FS sign-in page URL to the user's internet sites, the user navigates to https://portal.office.com, enters his email address and is redirected and automatically logged on to the Office 365 portal. No password is requested, as it should be.
When I use the same domain-joined computer and use Chrome instead of IE, I'm redirected to the AD FS sign-in page after entering the email address on https://portal.office.com. But when I enter the password there I get the following error in the AD FS logs:
Protocol Name:
wsfed
Relying Party:
urn:federation:MicrosoftOnline
Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8013: CanonicalName:'' of the user:'CN=Testmailmigration,OU=Users,OU=Bio,DC=BIO,DC=local' is in bad format.
The user is still the same user that was logged on to the Office 365 portal minutes ago. These users are working internally, so the AD FS proxy is not used.
When I try to log in externally I experience the same issues as in the 2nd scenario.
The username and password are correct; that we can conclude from scenario 1.
Has someone else also experienced this error when configuring a similar setup?
Thanks in advance,
Gijs.
We were able to resolve the issue with Chrome by expanding the SupportedUserAgents on AD FS with the following command:
Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","Mozilla/5.0","Edge/12")
Regarding the authentication issues, we noticed that there were special read permissions on the OU where the users existed. These permissions were changed on purpose or because of a software installation (like a CPSM portal).
Authenticated users were not able to do a full read on the OU anymore, so an LDAP query wasn't possible.
We gave our service accounts full read rights on the necessary OUs, which solved the issue.
So in our case the following error wasn't about receiving data in a bad format; we couldn't read the data at all.
Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8013: CanonicalName:'' of the user:'CN=Testmailmigration,OU=Users,OU=Bio,DC=BIO,DC=local' is in bad format
Regards,
Gijs