#Azure AD and Microsoft Account Overlap
Has there been any movement on this? I currently pay for O365 Business for my email, I would like to consolidate my personal Live account (used only for Xbox account) into my primary email (O365) but seems I cannot. Is there a future state that will allow this or shall I take my domain and move to a different paid email platform? Thought? Thanks.
As I know, you cannot consolidate the personal live account into the O365 email for the time being, but you could use them side by side.
For the details, please read here.
Related
I’ve been asked by a customer to find a way to collect all permissions for all app registrations in the customer’s AzureAD tenant. The customer has 1500+ App Registrations, so checking each manually isn’t an option. Most of these are redundant but the customer wants to review all of them to look for Graph API permissions that they’ve deemed sensitive. The problem is, there isn’t a way to export this info in the portal and Get-AzADApplication doesn’t give me actual permissions, just friendly descriptions of them. The customer would like the ACTUAL Graph API, such as Mail.Read.
I’ve attempted to script this with the assistance of a few more senior PFEs, but we’ve been unable to make any progress passing various properties between Get-AzAdApplication, Get-AzADServicePrincipal and Get-AzureADOAuth2PermissionGrant. We reached the point where we were able to get the Graph API permissions from the Service Principals, but the resultant permissions were in an unusable format.
If anyone has any suggestions on how to get this information into a concise format with (preferably) the Graph API permissions as mentioned above, I’d greatly appreciate it. I’d rather not go back to the customer and say it isn’t possible, as this is a new customer and I’d rather not say ‘No’ to my first task. 😊
Use Microsoft Cloud App Security for that purpose. This is tool designed, beside other features, especially for that purpose.
You open https://security.microsoft.com/ as a Global or Security Administrator, then you have quick overview on central place:
This will bring you to the MCAS portal, where you have solicit view on all applications with a rating, according to Microsoft standards for "Highly priviledged" access:
A direct view to applications, which users are using these applications, what permissions are granted. It even has filtering capabilities allowing you filter apps based on access level sevirity or even some Graph permissions - like Access e-mail on behalf of the user.
Your customer should really be using the Microsoft Security Center and monitor their security score: https://learn.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center
Then looking at MCAS: https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/cloud-app-security
You can use this script to list all delegated permissions and application permissions in Azure AD.
The key of the script is Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId.
Based on my test, the permissions in the result is in this format: email offline_access openid profile User.Read.
I think it's what you need.
We have an application which reads and verifies the group memberships from the PAC info. There is a customer situation where the PAC contains group memberships from another domain(in forest trust with primary domain). And this other domain is offline so our app can't validate these groups and failing.
I can't seem to understand which groups might these be. I tried adding my primary domain users to trusted domain's "domain local groups" but those groups don't show up in the PAC.
Can't ask the customer since they are not cooperating. I wish to recreate the issue locally.
Any suggestions which groups might these be ?
I had a detailed discussion with Microsoft support folks on this.
For anyone interested, they may check this MS forum link
I am required to write an Excel Macro to get order and inventory details for my client (using Amazon MWS).
But my client needs my developer ID to grant me access to his account.
I searched a lot but didn't find any link where I can register as a developer and get my Amazon Developer Identifier.
From where I can register as developer and get my developer ID?
Reference: https://developer.amazonservices.ca/gp/mws/faq.html#developForSeller
You can find your developer ID using the "Sign up for MWS" wizard located here: https://sellercentral.amazon.com/gp/mws/registration/register.html
You will need to have a seller account on the "Professional" plan or higher. If you don't already have one, you can sign up here:
http://www.amazon.com/gp/seller-account/mm-summary-page.html
Note that this will only work for vendors on the American version of Amazon - if your client is selling on one of the localized Amazon sites like Amazon.ca, then you will need a developer ID and seller account from the localized sites. In the case of Europe, a European account can authorize any other European account (e.g. a UK seller can authorize a French Amazon account.)
Apparently, you must have an eligible Amazon Seller account in order to obtain a Developer Account Identifier, and those accounts start at $39.99 per month.
There are multiple discussions on the amazon sellers forum about this. This is probably the most on-topic:
https://sellercentral.amazon.com/forums/message.jspa?messageID=2958433
It appears there truly is no free nor less expensive option, and that Amazon simply does double-dip and charge both the actual seller and the developer just to use MWS at all.
Once logged in to your paid seller account... in the upper right corner of the screen, Settings > User Permissions, then under the text "Amazon MWS Developer Access Keys" press the button "Visit Developer Credentials".
If you already have a Developer ID but it is no longer working, you have to apply again here: https://sellercentral.amazon.com/mws/register/warning
Before applying, I suggest you study hard the information in these links. I think if you answer even one of the questions wrong while applying for the developer ID, you will be denied. Also, if you get denied, they don't tell you the reason
http://docs.developer.amazonservices.com/en_US/dev_guide/DG_DataProtectionPolicy.html
http://docs.developer.amazonservices.com/en_US/dev_guide/DG_AcceptableUsePolicy.html
In addition, FYI:
It used to be that anyone with a paid seller account could get developer credentials just by clicking some buttons. However, Amazon is now vetting developers with a more through process which could take up to 30 days.
From Amazon:
I am a developer and I want to develop software using MWS for another Amazon seller. What should I do?
Only the owner of the Amazon seller account can authorize a third-party to access their seller account. You as the third-party developer must first sign up to use MWS for your own Amazon seller account and keep a record of the MWS developer account identifier that is displayed on the final registration page. Then, give that number to the Amazon seller who wants to use your services as a developer. When the Amazon seller registers, they will use this MWS developer account identifier to grant MWS access to you. Also, they must send their seller account identifiers to you so you can make MWS requests on their behalf. You can give your Amazon sellers the following instructions to guide them through the MWS registration process.
https://docs.developer.amazonservices.com/en_US/faq.html#faq__developForSeller
Anyone who wants to develop could of course ask their client to request credentials and use those.
However, I am unclear if this would breach Amazon Policies and your client would need to trust your capabilities as any breaches of the Amazon Policies would most likely result in your client being suspended from selling on Amazon.
First off, I'm a newbie at AD; I know how to setup a basic domain, but that's it.
I'm running a hosting service for some Windows Applications. User permissions is based on Active Directory security groups.
Let's say I have Contoso.local as my Forest - the NetBIOS name is CONTOSO. I want to provide a SaaS where clients can sync their Active Directory users and/or groups to my AD while keeping their own NetBIOS name. For example, if I had a client who somewhere on the globe was named Acme and their forest domain was Acme.local and their NetBIOS name was ACME, then I would want John Doe to have the ability of logging into my SaaS as ACME\John.Doe instead of me having to manage all users for my clients and requiring John to login as CONTOSO\John.Doe. The idea here is white labeling.
Immediately, you're probably thinking AD FS, but my SaaS doesn't support Federated Services.
I could set up another domain controller on my network to replicate against my client, but that seems overkill. And, I don't know how to accomplish this.
Is there no way for my AD to simply sync and/or authenticate against another domain's users and groups? (I need groups too, because depending on the security role, a user has access to specific info.) Can I setup a Trust or LDS to accomplish this?
If so, or if not, please provide suggestions. Some how-to's would also be much appreciated!
Thanks,
Joshua
I'm not sure I completely understood exactly what it is you are trying to do, but yes, Federation might have been an answer. Apart from federation, I suppose using forest trusts might be one way to accomplish the objective of letting users log in with their native domain\account names. Just an idea.
We are trying to build one simple website using force.com sites.Here User logged into website and need to perform different actions by moving to different VF pages.
We are facing a Problem to maintaine Session of particular user. We need help regarding how to maintaine session for particular user.
Kindly give your help. Please provide any sample code.
Thanks.
You can't ;)
Think about it, you can store usernames/passwords in your data objects and if they allow you to login and maintain a session for that user and use it to walk around apex pages and builtin forms why would you buy a salesforce license? You could operate a 1000 employees rig with just one administrative license and a site URL. For that reason salesforce does not allow you session control, it grants you one when you buy and expense a license.
For sites, you have to purchase either Customer Portal license or volume-based High Volume Customer Portal set and then use those to "promote" a contact into a login user with the above license. Then, when that user logs into site it has its own session.
This document http://wiki.developerforce.com/index.php/Authenticating_Users_on_Force.com_Sites might be of great help.
This tutorial shows you how to authenticate users on Force.com Sites. It provides a description of Customer Portal, which is needed for the authentication, and shows you how to set up such a site and process to allow site visitors to become authenticated users.
The points on customer portal are correct, and you have to pay for these licences. If you build your own auth on Force.com Sites and salesforce.com finds out they'll be very unhappy. That said you can still do it using cookies (http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_sites_cookie.htm) but it's not perfect because it's client-side.
I highly recommend that you steer clear of this approach though. You're better off building your UI layer on another platform (Google App Engine or Heroku) and using web services created on the Force.com platform through that UI.