Currently we are creating users in Azure AD through the Azure AD Graph API. Our users, among other things, use SharePoint Online and Skype for Business Online. All of our users have their mailboxes in an Exchange 2010 (on-premise), so they don't have the Exchange Online plan. For Skype for Business integration with Outlook, the mail attribute on the Azure AD object needs to be the same as the mail address in Outlook. The problem is that this attribute is read-only through the REST API, and is only populated when you assign an Exchange Online plan to the user. Also, in SharePoint Online, we can't send notifications to these users because their SharePoint profile doesn't have an email address.
How should I set the email address for an Azure AD user using the REST API?
Regards
Related
I have Auth0 configured with Social Connections > Microsoft Account.
This is linked through Client ID/secret to a Microsoft Azure Active Directory tenant in my Microsoft organisation, with an App Registration set to allow:
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
When I log in through my app, I can authenticate successfully using my personal account, e.g. blah.blah@gmail.com
However, when I try to authenticate with my work account blah.blah@myawesomecompany.ai, which is managed with an Azure Active Directory, it fails with
"That Microsoft account doesn't exist. Enter a different account or get a new one."
I thought, given the Microsoft settings, it would allow it to connect.
How can I make Auth0 allow Microsoft authentication with another company's existing Azure Active Directory?
Also - can I configure it to limit that feature to specific companies' AAD, e.g. those I have specifically nominated?
Is there a way to configure this without having to upgrade to Auth0 Enterprise?
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application:
Note: make sure to use the common endpoint for multi-tenant and Microsoft accounts.
As a sample, I used the endpoint below to authorize the users:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I tried to sign in with the personal account, the user logged in successfully, like below:
Then I tried to log in with a user from another tenant, like below:
By using the common endpoint, I am able to sign in with personal accounts and other tenants' accounts successfully.
To limit the feature to specific companies' AAD, check this blog.
Auth0 Enterprise is required to authorize tenants to the Azure AD application.
For more detail, refer to the MS Docs below:
Use tenant restrictions to manage access to SaaS apps - Microsoft Entra
Multi-tenant application with a whitelist on tenants authorized by Marshaljs
Suppose you want to use a multi-tenant app to allow users from different companies to sign in to your application with their work accounts, and that you create an Azure AD application in your tenant (tenantA).
Then in your app, you may set the TenantId to your tenant id, so that even though you created a multi-tenant app, you will only allow users in your tenant to sign in. The sign-in request may look like https://login.microsoftonline.com/{tenantA_tenant_id}/oauth2/v2.0/authorize?; with this link, you will be able to sign in with an account like user@tenantA.onmicrosoft.com, and you can also use a personal account that has been invited to tenantA as a guest to sign in to your app.
If you want users in tenantB to sign in to your app with an account like user@tenantB.onmicrosoft.com, then you must set the TenantId in your app to common, which will make the auth request look like https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
Then, when signing in to the application created by tenantA with an account in tenantB, you may see the screenshot below. After consenting, user@tenantB.onmicrosoft.com can sign in to this application.
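The two answers above describe choosing between a tenant-specific authority and the common endpoint, and the question asks how to limit sign-in to nominated tenants. The following is an added example (not code from either answer, Auth0 or Microsoft): it builds the v2.0 authorize request shown above and then, on the returned id_token, enforces a tenant allowlist by checking the tid, iss and aud claims together. The client id, redirect URI and tenant ids are constructed placeholders, and the claims are assumed to have already been signature-validated by a JWT library.

```python
"""Added example: common-endpoint authorize URL plus tenant allowlist check.

Client id, redirect URI and tenant ids below are constructed placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
# Fixed tenant id that v2.0 tokens for personal Microsoft accounts (MSA) carry.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def build_authorize_url(tenant, client_id, redirect_uri, state=None,
                        scope="https://graph.microsoft.com/.default"):
    """Return the v2.0 authorize URL.

    `tenant` is "common" to accept any work/school or personal account, or a
    specific tenant id to restrict sign-in to that one directory (the two
    choices described in the answers above).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        # state binds the callback to this request; use a random value
        # rather than a constant such as the "12345" in the sample URL.
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def check_callback_state(callback_url, expected_state):
    """True if the redirect carries an auth code and the state we issued."""
    query = parse_qs(urlparse(callback_url).query)
    return query.get("state", [None])[0] == expected_state and "code" in query


def tenant_allowed(claims, allowed_tenants, client_id, allow_personal=False):
    """Decide whether a signed-in user may proceed.

    `claims` is the id_token payload AFTER signature validation by a JWT
    library (assumed to happen elsewhere). With the common endpoint the
    issuer differs per tenant, so tid, iss and aud are checked together:
    an allowlisted tid with a mismatching issuer is rejected.
    """
    tid = claims.get("tid")
    if not tid:
        return False
    if claims.get("aud") != client_id:
        return False
    if claims.get("iss") != f"{AUTHORITY}/{tid}/v2.0":
        return False
    if tid == MSA_TENANT_ID:
        # Personal accounts all share one tenant id; gate them explicitly.
        return allow_personal
    return tid in allowed_tenants


if __name__ == "__main__":
    # Constructed placeholder values for a stand-alone run.
    client_id = "00000000-0000-0000-0000-00000000cafe"
    allowed = {"tenant-a-placeholder-id", "tenant-b-placeholder-id"}
    url = build_authorize_url("common", client_id, "https://app.example/cb")
    print("authorize:", url)
    sample_claims = {
        "tid": "tenant-b-placeholder-id",
        "iss": f"{AUTHORITY}/tenant-b-placeholder-id/v2.0",
        "aud": client_id,
    }
    print("tenantB user allowed:", tenant_allowed(sample_claims, allowed, client_id))
```

The allowlist lives in the application, not in the authority URL: the common endpoint still lets any tenant's user authenticate and consent, so the post-token check is what actually restricts access to nominated directories.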
I have a client email that ends with .gserviceaccount.com. I was told I have to share this email with my Google Sheets. I can't, however. It says that it cannot share sheets to emails outside of the organization. Is there another way to connect to my Google Sheets besides sharing with the client email?
You could change your sheet's sharing settings and share it with anyone who has the link. Then give the link to the user with a service account that's not in your organization.
However, your organization's admin might have restricted your sharing settings to only users within your org.
Note: a service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
Further reading:
What are service accounts?
Differences between a service account and a user account
The integration between OIM and Microsoft Exchange is in place. Now we want to provision Lync or Skype for Business to this user. What are the possible ways to do it? Also, is it necessary to have an O365 email id for every user to whom we want to grant Skype for Business access?
My research says:
Create a custom O365 connector and use Graph APIs to perform user life cycle operations like provisioning and deprovisioning.
Use the Exchange connector and create a process task that will call some API to create the Skype account.
The approach we chose to solve this problem was to create a Skype Enabled user group in AD and assign users to this AD group if they have the skype enabled flag set to true in their user profile.
On the Active Directory side, the admins manage the provisioning of Skype for Business accounts.
Can I integrate Outlook with Yammer in such a way that people in my contacts (Outlook) can be directly added to a group on Yammer?
Or can I forward a mail directly to a user on Yammer as a message?
Is it possible to create an application that allows me to exchange data between Yammer and Outlook?
What you are looking at seems totally possible to me. I believe the best approach would be to register your app with Azure AD. Both the Yammer and Outlook REST APIs can be discovered with Azure AD; see this link for example.
So now you know that you will target Azure AD with an OAuth flow. You have to ask yourself whether you want your app to make the requests or your web server to do it (see OAuth flow "implicit" vs "code authorization").
So SharePoint 2010 has this handy new calendar overlays feature which allows you to render up to 10 other calendars inside of one master SharePoint calendar. There is an option to pull from an Exchange calendar as well. The only parameters it provides are the OWA URL and the OWA web service URL.
We use Exchange Online and it isn't working whatsoever. I don't see any fields that store the credential information to connect to Exchange anywhere, and we get back a message saying that there is no email address configured in the profile (there really is). Documentation on the web is sparse for this. My questions are:
Is there a place where I can set credentials for this connection (if so where)?
Can I have it link to shared group calendars in Exchange, not just an individual's calendar?
Will this work with MS-hosted Exchange Online?
I eliminated the "no email address configured" message by adding my Exchange email to my SharePoint user profile.
It should pass the current user's credentials (used to connect to SharePoint) through the source services.
So far, I've been unable to connect to shared calendars in Exchange successfully.