Office 365: Organization Unit - active-directory

I need to know how I can
Retrieve all organization units for my tenant (Azure AD)
Fetch users belonging to a certain Organization Unit.
Is there any REST API documentation for this purpose? Let's say if I need to access the data for my tenant users belonging to a certain OU, where do I start?

Is there any REST API documentation for this purpose?
Organization Unit is a concept in on-premises Windows Active Directory. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units.
Azure AD is a cloud-based identity service; unlike the Windows domain service, it has no concept named "Organization Unit". I'm afraid there is no such REST API to query which Organization Units a user belongs to.
For new feature requests about Azure Active Directory, you can submit your feedback here.

Related

Azure AD multi-tenant app: who should be responsible for creating a tenant when a new customer subscribes to the service?

I am reading these docs, which talk about security for a multi-tenant application: https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/.
Let's say that my application is Tailspin. At least 2 companies, Contoso and Fabrikam, decide to use my application.
Those are my questions
Do I need to create a tenant for each customer that decides to start using my service?
Let's say Fabrikam already uses a provider other than Azure Active Directory. If Fabrikam wants to use Tailspin, am I going to force them to create a tenant?
EDIT
This short video shows how to start using Slack.
The first person to join Slack will enter all the information to create the space.
After that, that person will enter emails, inviting people to join the organization in Slack.
What I have noticed is that the invitees don't need to belong to an organization [tenant], as they can have gmail, yahoo, etc. Yet, when a user is logged in to a space, he/she only sees what's in that user's space.
I don't know how slack works, but if you have to implement something similar using Azure Active Directory as Identity provider:
Are you going to create a tenant for each customer [you said I shouldn't do that]
Should I create a security group for each customer that joins, so that its members can be part of that group?
Thanks for helping
You shouldn't create a separate tenant for these companies. If those companies are hosted on a different identity provider, you can federate those companies' identity provider with your application's IdP, and they will access the application with their own company identity.
Note: Your application should have the capability to federate with other IdPs.
You can refer to this document on how Microsoft federates with other IdPs.
Note: In a multi-tenant architecture, tenants share physical resources (such as VMs or storage), but each tenant gets its own logical instance of the app.
In a single-tenant architecture, each tenant has a dedicated physical instance.

How to organize or group app registrations in Azure Active Directory?

My company uses a single-tenant Azure Active Directory. How do I keep app registrations organized, such that I can classify app registrations per business unit, or as prod and non-prod, etc.?
In my experience, AAD doesn't provide such a feature that allows you to classify app registrations.
You can manually set their names to the same format to distinguish them. Or add the same type of apps to the same security group.
If you want to restrict different users from using different apps, you need to Configure an application to require user assignment and Assign or unassign users and groups for an app using the Azure portal.

Azure AD / Graph API - Determine User Source & Tenant

In our organization, we have been inviting guest users to our AAD Tenant to successfully share resources with our B2B partners. However, we have a fear that there may be some business users that have been oversharing with individuals (e.g. xxx#gmail.com accounts or Business accounts we don't approve of).
We would like to better monitor these scenarios, and I've been able to determine a user's source via the Azure Portal:
Here, we can easily see that this particular user is coming from an External Azure Active Directory.
Is there a Microsoft Graph API or Azure AD API where I can get this information, so we can write some automation around this? Also, is there a way to determine which tenant this user is homed in? I have played around with the Users endpoint a bit, but don't see this information... maybe there is a different endpoint or permissions scope that I need?
Thanks for any assistance!
You cannot get tenant information of a guest user, but we can handle users by the domain the user belongs to. You can allow or block invitations to B2B users from specific organizations. Please refer to this document.
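As an added example (not code from the original post), the following script applies the domain-based approach from the answer to a constructed imitation of a Graph `/users` response filtered on `userType eq 'Guest'`: it recovers each guest's home domain from `mail`, falling back to the `#EXT#` form of the guest UPN when `mail` is empty, and flags guests whose domain is not on an assumed allow list.

```python
import json
import re

# Constructed sample in the shape of a Graph users collection; all values are invented.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"displayName": "Partner One", "userType": "Guest",
         "mail": "p.one@fabrikam.com",
         "userPrincipalName": "p.one_fabrikam.com#EXT#@tailspin.onmicrosoft.com"},
        {"displayName": "Personal Acct", "userType": "Guest",
         "mail": "someone@gmail.com",
         "userPrincipalName": "someone_gmail.com#EXT#@tailspin.onmicrosoft.com"},
        {"displayName": "No Mail Set", "userType": "Guest",
         "mail": None,
         "userPrincipalName": "noreply_unknowncorp.net#EXT#@tailspin.onmicrosoft.com"},
        {"displayName": "Staff Member", "userType": "Member",
         "mail": "staff@tailspin.com",
         "userPrincipalName": "staff@tailspin.com"},
    ]
})

# Assumption: the B2B partner domains your organization has approved.
APPROVED_DOMAINS = {"fabrikam.com", "contoso.com"}

# Invited guests get a UPN of the form <local>_<home domain>#EXT#@<your tenant>,
# so the home domain is recoverable even when the 'mail' attribute is empty.
# The greedy <local> group absorbs underscores that belong to the local part.
_EXT_UPN = re.compile(r"^(?P<local>.+)_(?P<domain>[^_#]+)#EXT#@", re.IGNORECASE)


def guest_home_domain(user):
    """Home domain from 'mail', falling back to the #EXT# UPN; None if neither parses."""
    mail = user.get("mail")
    if mail and "@" in mail:
        return mail.rsplit("@", 1)[1].lower()
    m = _EXT_UPN.match(user.get("userPrincipalName", ""))
    return m.group("domain").lower() if m else None


def flag_unapproved_guests(graph_json, approved=APPROVED_DOMAINS):
    """Return [(displayName, domain)] for guests whose home domain is not approved."""
    flagged = []
    for user in json.loads(graph_json).get("value", []):
        if user.get("userType") != "Guest":  # members are homed in your own tenant
            continue
        domain = guest_home_domain(user)
        if domain not in approved:
            flagged.append((user["displayName"], domain))
    return flagged


if __name__ == "__main__":
    for name, domain in flag_unapproved_guests(SAMPLE_GRAPH_RESPONSE):
        print(f"review guest {name!r} from {domain or 'unknown'}")
```

In production, replace the constructed payload with the paged output of the real Graph call and feed the flagged list into whatever review or alerting process you use.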

Understanding the single-tenant term in Azure

I am reading "What is Azure Active Directory?". Here there is a glossary showing some basic terms to better understand Azure AD and its documentation. One of these is "Single tenant". According to that glossary, the definition of this term is "Azure tenants that access other services in a dedicated environment are considered single tenant." Could you help me to understand this definition with an example, please? Specifically, I would like to understand what are examples of "other services in a dedicated environment" in the Azure Active Directory context.
You need to learn more about Tenancy in Azure Active Directory.
For "other services", we can think of it as your application or API.
Single-tenant is the counterpart of multi-tenant.
Single tenant means that only accounts in this directory can use your application or API. Use this option if your target audience is internal to your organization.
If you want accounts in any Azure AD directory (for example, your customers from their own tenant) to be able to use your application or API, you should choose multi-tenant.

How can I link OpenLDAP with multiple ADs?

I am working on a solution in which we are securing the Hadoop ecosystem and its components.
My use case is that I want to authenticate the user against its AD, and these ADs can be multiple. In short, this is a multi-tenant solution and each tenant or customer has their own AD, so how can I link OpenLDAP with multiple ADs?
NOTE: No trust relationship is needed between the ADs, meaning a user must authenticate against its own AD and not any other.
Assuming you've considered the possible security implications of doing this (i.e. ensure CustomerA cannot adversely impact CustomerB) as well as potential customer unease (I've had to maintain completely separate servers to house different customer directories because clients were uneasy about having the service running their partition on the same machine running some other customer's directory service) ... Referrals should be able to do this -- different OUs in OpenLDAP would refer out to the various AD environments. You may need to configure an option within your application to follow referrals.