We have an application which uses AAD B2B collaboration to invite users. These users are created as guest users in our AAD. This all works great:
Users that have an AAD/Office 365 can use their normal credentials to sign in.
Users that don't have an AAD/Office 365 create their account in the invite redeem process, and can use it to sign in. Microsoft stores these acounts in an external, for us hidden AAD.
Situation:
An organization uses our application. This organization doesn't have an own AAD/Office 365 yet. We invite some employees of this organization in our AAD using their email addresses. They get guest accounts in our AAD.
After a while this organization gets its own AAD/Office 365, for their existing domainname. This domainname was previously used in the email addresses in the invite redeem process.
The AAD admin of the organization creates the AAD, and immediately sees existing user accounts: all the accounts that have been invited are shown in the AAD. He didn't expected this when creating a new AAD, and he doesn't know where they come from.
It appears the external, for us hidden AAD, has become visible to the AAD admin.
The AAD admin might decide to delete these accounts, to start with an empty AAD. As a result the employees aren't able to sign in anymore in our application.
Our application uses the Microsoft Graph API to invite the users.
Is there a way to mark the users in the external hidden AAD in some way to make clear where the accounts are coming from? Like mentioning our organization/application in an existing field?
So to be clear: We don't want to set properties on the guest account. We want to set properties on the user account that an AAD admin sees when he has created the AAD. We want to make clear he must not delete this user, because it's created by/for application X.
No, this is a feature of Azure AD.
A domain owner can choose to take over the hidden Azure AD if they choose to create one later.
They control the domain, and thus control the users so it is up to them.
Now of course if you create an AAD Guest user with a Gmail account, they don't actually get added to a huge hidden Google Azure AD.
If AAD thinks the account is a social account, currently they create a personal Microsoft account transparently for that user (so the user always is in control of their account).
So if you invite users using their work emails, you must expect their domain owner to have control over their users' accounts.
AFAIK, there is no property that you could set.
Related
I have an app (ASP.Net Classic) that is using Azure AD authentication. Now, we want to allow user outside of the organization to sign in. I read few document B2C and B2B, but I am unable to see which one to good for me.
I am looking that members in the organization should sign in and doesn't have to create new account. One of the option B2B suggested that to add user to in AD as a guest user but this is the manual process, it would be good if it can be automated. Also that doesn't describe how user would send the request to for login info.
It depends on your use case.
Imagine a large company. They have Azure AD for their employees. Now they want some suppliers to have access to their billing system. Those suppliers are guest users. That's B2B.
For guest users, an admin can send an invitation email that contains a redemption link.
B2C is for the customers of the company. They use the company's e-commerce system. They do not need access to the billing system.
B2C is self-service i.e. these users self-register and can change their profile or reset their password.
Are Azure Active Directory app roles only supported for accounts in the same tenancy?
I am trying to use Azure Active Directory to authenticate users both on my tenancy, others, and social accounts, and be able to manually assign different app-level roles.
What I would like:
Users would sign up using any of these methods, and I would see them in the 'Users and groups' blade of the Enterprise Application in Azure portal (or I could invite them). I would assign app roles (roles specific to my app, eg engineer/technician/residential user) via the 'Add user/group' button.
When logging in to my app, I retrieve the app roles via idTokenClaims.roles[]
What happens instead:
This works fine for user accounts already in my Azure tenancy. But for other Microsoft accounts (eg theirname#outlook.com or MS accounts created with any email address), the user doesn't appear in Azure portal after logging in unless I manually invite them. After inviting them (and accepting the invite), I see a user like theirname_outlook.com#EXT##mytenancy.onmicrosoft.com. I can assign app roles to this user, but their idTokenClaims.roles[] is not returned.
Other social accounts (eg Twitter, facebook) seem to not be supported at all
What else I tried
I also investigated AD B2C, which gives the developer more control over the login flow, and supports other social accounts other than MS (which looks good), but it seems that doesn't support app roles at all.
Am I trying to use the wrong tool for the job?
All I want to do is support any user to sign up to my app, and for an admin to set what their app-specific roles should be.
Update
I am using the MSAL auth library, following the instructions
https://login.microsoftonline.com/Enter_the_Tenant_Id_here should be one of the following:
If your application supports accounts in this organizational directory, replace this value with the Tenant ID or Tenant name. For example, contoso.microsoft.com.
If your application supports accounts in any organizational directory, replace this value with organizations.
If your application supports accounts in any organizational directory and personal Microsoft accounts, replace this value with common.
To restrict support to personal Microsoft accounts only, replace this value with consumers.
Because I wanted this to work with any social account, I chose https://login.microsoftonline.com/common. This shows a UI that allows you to use any organisation or personal MS account, or sign up for a personal MS account with any email address. But I noticed the objectId returned for personal accounts is different to the id when I manually invite the account in azure portal. I changed to use my TenantID instead, and that worked. Personal accounts that have been previously invited via portal can log in. Other personal accounts get an error and cant log in. App roles are now returned for these personal accounts. This now partially solves my original problem, but I still have some unsolved issues:
this method shows a slightly different UI that doesn't allow the user to sign up for a new MS account in this flow
I still can't use other oauth accounts eg Twitter/Facebook. Do these not support app roles at all?
the instructions quoted above seem incorrect, clearly it is possible to log in using "accounts in any organizational directory and personal Microsoft accounts" via TenentID, not common, once they've been invited to the app
App roles absolutely support guest accounts. But as you can see, the id token of the guest account does not seem to contain the roles claim, and it is not clear whether this is by design. But the roles claim will appear in the access token.
I think an access token you can be used, and the access token also contains user information.
In our organization, we have been inviting guest users to our AAD Tenant to successfully share resources with our B2B partners. However, we have a fear that there may be some business users that have been oversharing with individuals (e.g. xxx#gmail.com accounts or Business accounts we don't approve of).
We would like to better monitor these scenarios, and I've been able to determine a user's source via the Azure Portal:
Here, we can easily see that this particular user is coming from an External Azure Active Directory.
Is there a Microsoft Graph API or Azure AD API where I can get this information, so we can write some automation around this? Also, is there a way to determine which tenant this user is homed in? I have played around with the Users endpoint a bit, but don't see this information...maybe there is a different endpoint or permissions scope that I need?
Thanks for any assistance!
You cannot get tenant information of a guest user, but we can handle users by domain the user belongs to. you can allow or block invitations to B2B users from specific organizations .Please refer to this document.
Our application is mainly used by internal users, who authenticate through AAD. Some pages need to be accessible to third-parties. Right now we are using custom tokens, but would like to switch to Azure AD B2B Invite API.
We just did some manual test runs and it seems to work exactly as expected, except for one thing: when inviting my standalone email address, I was asked to create a Microsoft account, which is fine. However, to do so, I had to first verify my email address (code sent to email) and then my phone (code sent via sms).
Is there any way to disable ideally both or at least the phone verification?
The only resource I found so far states that it's possible in B2C, which is not what we want.
The standalone email addresses has to undergo the invitation redemption process. In order to be able to invite people without redemption in Azure AD B2B you need an account with directory read permission of the partners tenant. Then you can add that user to your tenant with "Guest Inviter" role. Then that user can add the users to your tenant without invitation redemption process. Refer: Azure AD B2B: How to bulk add guest users without invitation redemption.
Hi we are looking into using a AAD as identity provider for a B2B SaaS application.
As not all future users of the application will have a Office 365/AAD account and tenant, we are looking into creating it as a SingleTeant application and provision users in a internal directory for this purpose (user1#ourappdir.onmicrosoft.com and so on).
However as far as i can figure this will allow any user to get a list of all other users, using the graph api for example.
Can i lock this down in any way, so a user will only be able to see info about him/her self and not anything else, no matter how they try. (Portal, graphApi, powershell...)
By default, if you use a user account in the Directory role as User to generate the access token, and request the resource in graph, then this token only has the permission for the user himself.
There are two possible cases, allowing you to see all user profiles from graph.
You called Microsoft Graph in a service or daemon app
The user account you used to generate the token is in the role of administrator in your tenant.
You can try to use a user account in User role to continue the test. You can refer to https://learn.microsoft.com/en-us/azure/active-directory/active-directory-users-assign-role-azure-portal for how to assign a user role.