Is there any programmatic way to enable user MFA settings in Azure AD?
I know there is a powershell module MSONLINE. Unfortunately, my client is a pure linux environment.
Is there any approach, e.g. python sdk or java?
The Azure MFA SDK lets you build two step verifications to sign-in process of applications in you Azure AD tenant. Refer: GitHub Link.
Related
We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow
I am trying to integrate Office365 as an Identity Provider for Cognito.
Following instructions from AWS (https://aws.amazon.com/blogs/security/how-to-set-up-amazon-cognito-for-federated-authentication-using-azure-ad/) and a few other sources all have the same instructions.
Those instructions work, but they only allow users that are already in my Azure AD to use SSO. I need this to work just like social accounts (Google, Facebook).
Any advice on how to modify the above-linked instructions to work with any valid Office365 credentials, even if the account is not in my Azure AD?
try adding app registration instead of enterprise app
Is someone already configure Google Workspace working with Snowflake and has user automatically created (as Okta can purpose)
Thanks for the help
If GSuite support SCIM, Then One thing that you may try is Custom SCIM integration as suggested here- https://docs.snowflake.com/en/user-guide/scim-custom.html
Currently, Custom SCIM integrations are supported for identity providers that are neither Okta nor Microsoft Azure AD.
Although I've not tested this with Gsuite, you may give it a try provided Gsuite has support for SCIM.
Google Workspace supports SCIM autoprovisioning on SAML apps that are already part of their Pre-integrated SAML apps catalog, although this is not explicitly mentioned in their documentation, Automated user provisioning is available only for Supported apps:
See About automated user provisioning
Snowflake would need to work with Google Workspace to see if their solution could be added to the catalog.
Lets say, an organization uses Azure AD B2C for their IAM needs and their APIs are protected by AD B2C. Any client application that needs to obtain tokens from Azure AD B2C can utilize the client library [MSAL] to interact with IAM.
This mandates the organisation to suggest using MSAL to their partner or independent client App developers. In this case if the organisation do not want their developers/partners to know that they are using azure AD B2C, what will be the right approach? Should they build their own custom client libraries? Or are there any other suggestions?
Could you not just instruct them that you use OpenId Connect or OAuth and point them to your metadata URL? Let them then decide on the library they would like to use.
In this case if the organisation do not want their developers/partners to know that they are using azure AD B2C
I don't think you can fully hide that. Even w/ custom domains, your fully qualified tenant name is in the URL your-tenant.onmicrosoft.com.
OIDC Well known configuration URL example:
https://login.microsoftonline.com/spottedmahnb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SO-Herbener
That said, OAuth 2 and SAML so any library that supports that those technologies support B2C 😊. For example, here's a SPA sample that uses Hello.JS.
Azure AD B2C now supports SPAs. But is this supported by Angular? While implementing Azure AD (not B2C) I found a file adal-angular.js. I can inject its services, call its extended end points and get my way done.
Is there any file for Azure AD B2C? Or adal-angular.js works for Azure AD B2C too? Please correct me if anything I wrote above is wrong.
adal-angular.js will only work for non-converged AzureAD apps (apps that are registered in the Azure Portal AzureAD Blade). AzureAD B2C apps are converged so this library will not help you.
AzureAD B2C does in fact support SPA's using the open source library hello.js. Here is a SPA code sample. There is not currently any Angular code samples for AzureAD B2C, but as an oAuth 2.0 service you should be able to hook up almost any open source Angular oAuth2.0 library that supports implicit flow.
We just released our solution to integrate Angular with AAD B2C: https://github.com/3DSemantix/angular-asp.net-core-aad-b2c
The "SPA code sample" from MS is a bit weird when I looked at it (refreshing the token feels hacky).