User Profile
Unnie
Iron Contributor
Joined 10 years ago
User Widgets
Recent Discussions
Azure AD App with wild card reply urls
Hi all, I have an Angular 5 app which is authenticated using Azure AD using AdalJs. The whole app is protected by azure ad and user needs to be logged in to be able to access any page. Now in my Azure Ad app I have added reply url as "https://app.domain.com". Scenario 1: In a fresh session User hits https://app.domain.com and gets authenticated by azure ad and returns to the web site. Scenario 2: In a fresh session User hits https://app.domain.com/page1 and gets authenticated by Azure AD and Azure AD does not return the user back to my website with an error "https://app.domain.com/page1 " is not registered as a reply url in the Azure AD app. Now if I go to my Azure AD app and make the reply URL as a wildcard URL like "https://app.domain.com/*" then the redirection flow after authentication works perfectly for all pages inside my website. I see this is one http://paulryan.com.au/2016/azure-ad-app-wildcard-reply-url/ So is the wildcard URL approach in reply URL safe to be used? The blog above says there is some security concerns but I cannot find out what those concerns are? Also, is the wildcard URL approach the correct approach here? ThanksAzure Proxy Prerequisites
Hi, I am exploring usage of Azure AD Proxy to protect my on-premise web application. The prerequisites says : " A https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/active-directory-whatis and an Azure AD directory for which you are a global administrator." https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy So if my tenant is Azure AD P1 and I have lot of guest accounts who do not have basic or premium licenses, will this Azure AD proxy work for them? AFAIK, the proxy should be per app rather than per user. Could someone guide me here?Azure AD - Prevent guest access on an Azure website
I have an Azure Website built on Angular5 protected by Azure AD for authentication. The API layer is developed as Azure function app, also authenticated by Azure AD. Now , I want this website to be available to all users in my organisation and not allow any guest users registered in the tenant to access the web site & API. What are my options here? Currently the app & API can be accessed by even the guest accounts.MS Teams Invitation redemption & Self service account sign up is disabled
Hi there, I am invited to join a MS Teams group from another organization. when I try to redeem the invitation , it asks me create a password and display name rather than allowing me to Sign in using my Microsoft Account (Since my organisation does not have a Azure AD yet). But when I try to go through by creating a password, then I get an error that: "We cannot create a self-service Azure AD account for you because has <orga name> disabled self-service account sign-up by email validation. Ask admin to enable EmailVerified users or create an account for you." My organisation does not have any Azure AD and I have a Microsoft Account created using my official email id. What is going on here? Any help is much appreciated 🙂Exchange online retention policy affecting SharePoint & OneDrive
We have an exchange online retention policy applied to retain content forever. Strangely, this policy also affects SharePoint sites even though they are not part of the target locations in retention policy. Retention policy PowerShell outputs: I check the status of the policy via PowerShell and output shows that SharePointLocation field is blank. But when I try to delete a folder in SharePoint, it throws the error that all items inside folder should be deleted before you can delete the folder, which is common when there is a retention policy applied to that site. I contacted MS support and this is the reply I received: This answer does not make much sense to me and am not able to find any documentation on this side effect anywhere. Anyone has any tips or guidance on this?SharePoint Events webpart error "There may be too many sites selected or too many filters added."
Hello, In our Intranet (Hub site), we started getting below error in events webpart (view all page): "There may be too many sites selected or too many filters added. Try Selecting fewer sites or remove some filters to continue." The events webpart is configured to show events from all sites in the Hub. There are around 51 site collections associated to this hub. Anyone experienced same problem and have some tips on this?Labeling of physical archive
Hi there, We have a set of business process which generates few documents inside SharePoint. These documents are arranged inside a SharePoint Document Set, and all shared properties are kept in the document set metadata. We also have a physical archive, where we label and store all these documents. The physical archive currently uses a software called ColorBar Gold 3.5 which can create archive labels to help find theses physical documents easily. The software enables to print labels with some color coding based on the document metadata and archivist then later paste this label in to the physical folder. See sample below of how this physical paper label looks like. This software currently reads data from a database & has no support to read from SharePoint list/library. Has anyone done the same but using SharePoint libraries to fetch the metadata?Re: Azure AD Sign in issue: “The account might not exist or it might not be synchronized"
Okta authentication is working for the 2 users, but post authentication hen the users are returned to Azure AD page, they get this error. Also, for all other users who did not have any Azure AD Connect sync error during setup, federated authentication via Okta is working properly.Azure AD Sign in issue: “The account might not exist or it might not be synchronized"
Scenario: We have Azure AD tenant set up with user provisioning and federated authentication done via Okta. So, Okta was synchronizing users to Azure AD. Now, we installed Azure AD Connect and switched off Okta based user provisioning (Still keeping Okta for federated authentication). We have successfully matched existing users in Azure AD to their AD objects using hard matching based on ObjectGuid. The Azure AD connect based sync was run on all users and it worked for all except 2 users. These users had a mismatch between Azure AD immutableId and ObjectGuid in AD. Then we got sync errors for these 2 users and Azure AD created duplicate account for them with email format as : username-<somenumber>@<tenant>.onmicrosoft.com We have corrected those user's immutableId by running PowerShell commands to change the immutableId. Once, the immmutableId of those users were corrected the sync was run again and Azure AD connect now properly matches the Azure AD user with their correct AD object (we tested by changing some irrelevant Ad attributes and they are properly propagated). But, when the user tries to login they are first redirected to Okta for login and after Okta login, the tokens are forwarded to Azure AD and user get below error from Azure AD login page: “The account might not exist or it might not be synchronized. Contact your administrator to add or synchronize the account" We do not have any major services provisioned in M 365 yet, so can live with user's Azure AD account being recreated. Some additional things tested out, but all leads to same sign in behavior: Change the immutable ID of the Azure AD account to match AD object and run sync = All props are synced but login failure. Delete the existing Azure AD account and run sync to create new account = New Azure AD account created but login fails as before. Create a cloud account, changed the immutable Id to match the AD objectGuid, changed the UPN to match the AD object email, run sync = The cloud account gets synced to AD object and properties are updated, but login fails The issue is only for the 2 user account which had this sync error in the beginning, for all other users login is working properly. Any ideas or pointers to check. What are we missing here?Re: Adding external users (hotmail , gmail ) users to teams convesation
ripsy85If you do not have Google set up as federated identity provider to your tenant, then users cannot login directly with their gmail account. The user will need to create a Microsoft account with the invited gmail.com account and use that for logging in to teams.Re: MS Teams Invitation redemption & Self service account sign up is disabled
a-yates True, but the problem is my org do not have Azure AD , so naturally I must be asked to create a Microsoft account for my email or use my existing Microsoft account attached to that email. But strangely, this does not happen, am suspicious that maybe some IT PRO in our org created a dummy Azure Ad with my org name and probably added it with our org domain.Re: Having internal AD users as unlicensed, shared customer accounts
Martype If I understand correctly, you want to create the "user" in your Organisation AD/AAD & grant them access to SharePoint without providing any license. This will technically work but I suppose you might run into compliance issue as the user is created in your Organisation directory, so will be treated as "internal user". You need to check external sharing capabilities of SharePoint, where you invite the external user into your tenant. This user will not be treated as an internal user. https://sharegate.com/blog/ultimate-guide-deal-with-office-365-external-sharing https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview
