How to differentiate between users created via GCDS sync from Ldap server and user created in Google workspace by Admin console or using APIs.
I have created some users in Google Workspace using Admin Console and I used GCDS and synced some users from LDAP Server. Is there any way to find which users are created by GCDS.
Checked if there is any user attribute in Google workspace to differentiate on-prem synced user or Admin console created user, but no luck.
Related
I have been working with the Android Management API to try and manage the policy of my company's existing enterprise. My company account has the Owner role within the organization and the roles Owner and Service Account Admin for the service account mentioned later.
I followed the Quickstart Guide to get familiar with the API and made some modifications for a more permanent solution along the way such as creating a service account with the Android Management User role via the Google Cloud Platform and generating a JSON key to acquire credentials rather than going through the OAuth2 flow like in the guide. This allowed me to authenticate properly, but when it comes time to patch the policy as such,
androidmanagement.enterprises().policies().patch(
name=policy_name,
body=policy_json
).execute()
I get the following error:
<HttpError 403 when requesting https://androidmanagement.googleapis.com/v1/enterprises/XXXXXXXXX/policies/<policy_name>?alt=json returned "Caller is not authorized to manage enterprise.". Details: "Caller is not authorized to manage enterprise.">
I have verified that the service account I am authenticating with has the Android Management User role, and thus has the androidmanagement.enterprises.manage permission.
I have also attempted to make this call with an elevated admin role in the organization.
Is there a chance that I need to have created the enterprise with my own account to manage the enterprise? The guide suggests that an organization can create multiple enterprises. In which case, would I need to create a new Google account not associated with my organization's enterprise and create a new enterprise that way?
It is advisable to use your own google account to call Android Management API since your organization account may not be compatible with the quickstart.
To access the Android Management API your service account requires the androidmanagement.enterprises.manage permission, which can be granted by the Android Management User role (or roles/androidmanagement.user). Kindly check this link for details regarding creating a service account.
Please keep in mind that the enterprise you created as part of the colab instructions can only be managed using the colab itself. To allow your cloud project to manage an organization, you will need to create one using the client configuration from your cloud project.
I am using Microsoft Graph API to send messages to private users in Microsoft Teams. I registered an App in Azure Active Directory, gave proper permissions and called the API and was able to successfully send the message.
My question is what would be the most efficient way to deliver this integration to different clients? Do we have to register an App in every azure directory of the client individually, or is there a way I can publish the app that I have created with all the API permissions required and the administrators can install the app in their azure directory
You would have to publish your application in your home tenant as a Multi-tenant application.
When a user from the client's tenant access your app, they will be prompted for login and post that either the user or an admin will have to consent to the app and the required permissions. This will create a service principal in the corresponding user's directory where the consent objects are stored. This way you don't have to register application in each directory.
You can follow the steps listed here for more detailed instructions to convert your application into a multi-tenant app.
I have set up Azure AD authentication on my SonarQube server as well as the corresponding app registration listed in Azure AD. The problem I am facing is that when I try to authenticate to the SonarQube portal using my Azure login, it logs me into the portal but doesn't place my account in the correct group!
My account is placed in the "sonar-users" default group when it should be fed into the other group which is named exactly the same as the group listed in Azure AD (as per the SQ documentation).
Has any one experienced any issues similar to this? If so, did you manage to resolve it?
Have you checked, that your APP-registration has the corresponding permissions to the AAD?
Sign in and read user profile
Read all users' basic profiles
Read directory data
https://github.com/hkamel/sonar-auth-aad Point 7
Using a server application with C#, how is it supposed to work when accessing users in the same domain if the authentication is only possible using:
OAuth2Authenticator interface?
I'm able to access the admin of the domain's Drive, but I'm missing the 3 legged OAuth in 2.0.
Looking at this description found at this link: https://developers.google.com/drive/delegation
Since this is not executed as a Service, and is not using Google Apps and cannot then
access: https://www.google.com/a/cpanel/mydomain
Also the IP is not known from where the machine running the server-application.
Currently I'm using: "Client ID for installed applications", and it works. But what I need is to also store files in other users in the same domain.
A other solution that works temporarily is to first store them at the admin domain account and then move them to the user domain account. But this removes the possibility to direct it to a parent/folder at the end user's drive. It will always be stored in root for that end user.
Basically what I want is following:
A Server application is running on a local machine (admin domain account can be used)
The application upload files to different users that are in the same domain, but with their own email address and also then have their own Drive.
Yes, you can do that through 2 legged oauth, which can provide domain-wide authorization.
Here are some links for your reference:
https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth
http://support.google.com/a/bin/answer.py?hl=en&answer=2538798
Our developers have recently built a new internal 'image viewer' application for our staff to use. The image viewer runs as a website and uses Active Directory to authenticate the user and control what type of images that user is allowed to view.
I have this setup and working fine by running the website as an impersonated domain user. The problem I now face is that all the images are held on a non-domain share. How can I access this share using the domain user? The share is on a Novell Netware 6.5 server.
Alternatively I can run the website as a non-domain user and connect to the Netware server to retrieve the images, but then I am unable to query Active Directory.
Can I allow a non-domain user access to query AD? I don't wish to allow anonymous queries on my domain controllers.
No, a non-domain user cannot query Active Directory unless you configure your domain to allow anonymous queries.
Depending on how everything is setup in the web application, you may be able to insert some code to switch security contexts and impersonate a domain user at the point where the query happens.