Create a Enterprise using a service account - android-management-api

Here in my company we use G-suite, and it's not possible to create enterprises using our accounts. So, it's possible to create enterprises using services accounts?
Thanks.

You can’t use a service account to create enterprises. Service accounts are used to authorize API access when you build a server-based EMM solution.
To create an enterprise you need a Gmail account that's not already associated with an enterprise. I suggest checking this documentation for more information.

Related

Azure B2C Custom Domain has been Previously Configured Using an existing Azure AD or Office 365

I am planning to move some of my applications from AzureAD authentication to Azure B2C. I have an existing Azure AD Tenant that has a custom domain assigned and verified and I use this for all of my internal Office 365 and AzureAD authenticated applications. I do not want to change any of this as it is working well.
I then created an Azure B2C tenant using the instructions provided here https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant. That also worked and I have been able to register applications and create sample Flows.
However, I now want to assign a custom domain to the Azure B2C tenant and I would like to use the same domain that I am using for my existing applications in the AzureAD tenant. I use subdomains on my web server to separate the various applications.
I used the instructions here to create the custom domain in my Azure B2C tenant and add the TXT record to my domain registrar. https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow.
However, when I try to verify my domain, I get a message stating that
This domain has been previously configured on
[Azure Domain Prefix].onmicrosoft.com using an existing Azure AD or Office 365.
To verify this domain name, you will first need to remove the domain
name from the existing directory.
I tried adding the subdomain to the Azure B2C tennant, but understandably this "domain" was not able to be found in the verification step.
Does anyone know how I can get around this? My understanding is that I can't add the B2C functionality to an existing AzureAD tenant and I really don't want to move everything from my existing AzureAD tenant, nor create a new domain.
I have now worked out why I had this problem and will post an answer to help anyone else.
The issue was that I was trying to add my top-level domain to the Azure B2C instance. However, if I followed the instructions more closely, I would have seen that I should be registering login.[my-doimain].com.au. I found the following graphic from https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow useful to understand B2C a bit better.

Android Management API: Failed to patch policy - Caller is not authorized to manage enterprise

I have been working with the Android Management API to try and manage the policy of my company's existing enterprise. My company account has the Owner role within the organization and the roles Owner and Service Account Admin for the service account mentioned later.
I followed the Quickstart Guide to get familiar with the API and made some modifications for a more permanent solution along the way such as creating a service account with the Android Management User role via the Google Cloud Platform and generating a JSON key to acquire credentials rather than going through the OAuth2 flow like in the guide. This allowed me to authenticate properly, but when it comes time to patch the policy as such,
androidmanagement.enterprises().policies().patch(
name=policy_name,
body=policy_json
).execute()
I get the following error:
<HttpError 403 when requesting https://androidmanagement.googleapis.com/v1/enterprises/XXXXXXXXX/policies/<policy_name>?alt=json returned "Caller is not authorized to manage enterprise.". Details: "Caller is not authorized to manage enterprise.">
I have verified that the service account I am authenticating with has the Android Management User role, and thus has the androidmanagement.enterprises.manage permission.
I have also attempted to make this call with an elevated admin role in the organization.
Is there a chance that I need to have created the enterprise with my own account to manage the enterprise? The guide suggests that an organization can create multiple enterprises. In which case, would I need to create a new Google account not associated with my organization's enterprise and create a new enterprise that way?
It is advisable to use your own google account to call Android Management API since your organization account may not be compatible with the quickstart.
To access the Android Management API your service account requires the androidmanagement.enterprises.manage permission, which can be granted by the Android Management User role (or roles/androidmanagement.user). Kindly check this link for details regarding creating a service account.
Please keep in mind that the enterprise you created as part of the colab instructions can only be managed using the colab itself. To allow your cloud project to manage an organization, you will need to create one using the client configuration from your cloud project.

How can I restrict particular users in my organization to access Azure DevOps from outside of our office IP

We have almost 16 users in our Azure DevOps Organisation. I am having the admin privilege for the azure account. I saw a few blogs regarding Active Directory Enabling method and all. But it was not clear.
How can we manage this restriction in Azure DevOps.
NB:-Our users are accessing Azure DevOps through their outlook account.For ex:-sample.orgnization#outlook.com
Depending on your setup, there are a couple of options:
Azure DevOps configured as MSA backed with AAD guests in Azure DevOps
When your Azure DevOps account is configured to be backed by Microsoft Accounts (formerly Live IDs, or Outlook.com or Hotmail.com), it can add Azure Active Directory users as guests into the account. This feature was added last autumn.
In this configuration, you can invite AAd and MSA users directly from Azure DevOps and the MSA users don't get any access to the Azure account.
Azure DevOps configured as AAD backed with MSA guests in Azure Active Directory
When your Azure DevOps account is configured to be backed by Azure Active Directory, it can only add users who are known in Azure Active Directory. However, you can invite Microsoft Accounts into your AAD as guests. You can even invite users from other AADs as federated guests.
In this configuration you can only invite users who are known by AAD into you Azure DevOps account. If they're not in AAD, you'll have to invite them into AAD first.
Switching
You can switch the account between the different association modes. To migrate existing users from one type to another (AAD->MSA, MSA->AAD) you currently need to open a support request to get all of the users mapped over. In this scenario you get an excel export from your account and you provide a mapping between the old and the new uesr account. Support will mapthem for you.
Manual process
You can also take a manual approach. This model isn't well documented. And when manually mappign you'll have to re-apply the security permissions manually as well. As such, thsi approach isn't recommended.
Once in AAD
Once your users are all in Azure Active directory, you can set policies on their access patterns, restrict IP addresses, require 2FA tokens and such. The value is questionable for external users as it won't work for all guest types. It will be valuable for your own users. You can enforce policy on users in your AAD. It's recommended to work with your federation partners to ensure that they're also using the right policies for their own users.
I think this will help you, I also faced the same problem which I mentioned, this article explained in details very clearly that how we can apply 'Conditional Access Policies' to avoid unauthorized access on Azure repositories(Code). after apply the policies on Azure portal, We need to enable the option on dev.portal Enable Conditional Access for Azure DevOps, Hope this will helps you.

Google IAM api to add GSuite domain wide delegation

I am working on a application that is using google service account with domain wide delegation.
I don't want client to do setting of domain wide delegation and download private key. I could create private key using IAM api.
is there a way to achieve domain wide delegation also via API ?
Thanks
Google's IAM API is part of their Google Cloud API's. As far as I'm aware, there is no equivalent API for standard Google developer project IAM, which is where you would do anything around projects targeting G Suite API's (and the only place where there is a Domain Wide Delegation setting for a service account, AFAIK).
You can grant a service account permission at the Organization level in Google Cloud, but I'm not sure whether that has any effect on the GSuite access controls, as nferrell mentions.

Why is it mandatory to use Azure Active Directory for accessing CRM online instance through Web API from outside CRM?

I am curious to know why we always need to register our CRM online instance on an Azure Active Directory in order to authenticate the Web API while accessing from outside CRM domain.
That is, for example, if I need to access CRM online instance through another website using CRM's Web API endpoint, then I must register my CRM instance to Azure Active Directory.
Though I am aware that, its a very nominal charge to create an Azure Active Directory, still I would need to subscribe to Azure even if I just want to perform some general research for CRM connectivity through Web API.
Why this is must? Are there any security considerations behind this?
Why can't we use the same authentication mechanism as we used to do with Organization service?
Any details on this will be much appreciated.
The CRM WebAPI uses OAuth2 and Azure AD is the only currently supported authentication platform to provide this (Windows Server 2016 will support OAuth2 for on-premise).
The Organisation service is a WCF service and as such uses SOAP for authentication and authorization. This is an entirely different technology stack that brings it's own set of problems, many of which the OAuth2 protocol tries to solve in this scenario.
Although you manage your CRM Online users through the Office 365 portal the underlying technology for these accounts is also Azure AD. Check if you can use this existing AD tenant created as part of your subscription rather than having to create another.
If you are using CRM online you already have aan Azure Active Directory. If you haven't already done so, you can signup for an Azure subscription and import the underlying AAD into your Azure subscription. You will need a credit card, but as far is I know using the Azure AD is free.

Resources