We have an Azure Web App published that includes pages with Excel Add In integration using the Office.JS library. We've secured the Web App using Azure AD authorization and it is working well as long as the user it logged into Office/Excel with the same domain credentials. How can we allow our customers who are logged into Office with their companies credentials get access to our Add In site using credentials within our domain? Federating the 2 domains would work but isn't an option in most cases.
You could use Azure B2B to invite your customers as guest users in your AAD.
You could invite the user by using the Azure portal as an Azure AD administrator.
Azure Active Directory > Users > All users > add New guest user
For the details, you could read here.
Or you could use the powershell:
New-AzureADMSInvitation -InvitedUserDisplayName "Sanda" -InvitedUserEmailAddress sanda#fabrikam.com -InviteRedirectURL https://myapps.azure.com -SendInvitationMessage $true
For the details, please refer to this docs.
If you want to bulk invite users, you could create a CSV file, and then use the powershell to import it. For the details, you could read bulk invite B2B.
Related
I have a php application that I want active directory users to be able to login to using azure sso. Getting this working with simplesamlphp was really easy.
Now I am trying to allow non organization users to be able to login as guests.
I updated azure AD to allow external entities, and then created a workflow allowing AD users, microsoft.com accounts and one time password. I have enabled "guest self-service signup" and I have associated this user flow with my azure application however the authentication flow hasn't changed at all. There isn't any option for guests to login. Am I missing something? I am using the azure ad federation metadata document xml in the simplesaml metadata converter and using the output of that for my metadata provider in simplesaml.
Here is the screen a user gets when trying to sign in to azure:
I am following a tutorial Build Java apps with Microsoft Graph
and after using my personal account for Azure AD to register the application. I am not able to sign in using my personal account but I set the support account as 'Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts. Any help?
Screenshot
You need to change the /tenant id endpoint to the /common endpoint.
The /tenant id endpoint only allows users with work/school accounts
of a specific Azure AD tenant to log in to the application. It does
not support personal accounts.
Only the /common endpoints will allow personal Microsoft accounts to
log in to the application.
As per below link, we can assign Global Administrator or Security Administrator role in Azure AD to an user and that provides full access to Microsoft Cloud App Security portal.
https://learn.microsoft.com/en-us/cloud-app-security/manage-admins#office-365-and-azure-ad-roles-with-access-to-cloud-app-security
However, with these roles users get privileged admin access to other features of Azure AD as well. We want restrict the role to provide full access in Microsoft Cloud App Security portal only. Is it possible to create a custom role with permissions only for Microsoft Cloud App Security?
Unfortunately it's not supported to create a custom AAD role with the full access permission of Microsoft Cloud App Security portal.
Currently, permissions for Application registrations and Enterprise applications are supported in custom roles. See the details here.
The full access permission of Microsoft Cloud App Security portal should be microsoft.directory/cloudAppSecurity/allProperties/allTasks. You can see that it's not listed in the page when I try to look for it in Azure portal.
You can query microsoft.directory/cloudAppSecurity/allProperties/allTasks in this page and choose the one with the least permissions to assign to users who need to be assigned the Cloud App Security portal administrator role.
Recently Microsoft has came up with a new role named "Cloud App Security Administrator". This role provides full admin access to MCAS without providing any privileged access other Azure AD configurations. Didn't find any documentation, but it is visible in Azure AD portal.
Is it possible to access sharepoint online from desktop app with azure ad token, but as a currently logged user?
I already registered client app in the azure ad and i'm able to connect to share point when the api permissions are set to "Application permissions", but when i set the permissions to "Delegated permissions" I can't access sharepoint site.
What i need is a way to create sp ClientContext based on the token i get from the azure. I know it's possible to try with SharePointOnlineCredentials, but i don't want to mess with users credentials.
To get the Access Token for Azure, pls use the below article.
active-directory-dotnet-native-headless
Below are the steps you have to follow:
Followed the steps mentioned in the article
Added Office 365 Sharepoint Online API access permissions for the App.
Selected necessary permissions for the App.
We get the following error when trying to access an AAD application, which is connected to Azure B2C.
User account 'xxxxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The live account shows up in both the B2C and AAD as a live.com user. Manually created accounts can log in. Yet when logging in from a B2C account, I get the above error.
How can I solve this problem?
If your requirement is to accept both personal accounts in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and use the so called Azure AD 'v1' endpoint.
Here are your options:
AppSource only requires corporate accounts sign-ins. If you only need AppSource certification, you can keep using adal.js to sign-in corporate accounts. Then what you need to do is to set your application to be multi-tenant in Azure Portal, so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.
If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js - and then register your application in the new portal https://apps.dev.microsoft.com . This new application is known as converged application and uses the Azure AD v2 endpoint. To get started use this guide as a starting point to sign-in users using msal.js.