SonarQube Azure AD login does not place users in correct groups - sonarqube

I have set up Azure AD authentication on my SonarQube server as well as the corresponding app registration listed in Azure AD. The problem I am facing is that when I try to authenticate to the SonarQube portal using my Azure login, it logs me into the portal but doesn't place my account in the correct group!
My account is placed in the "sonar-users" default group when it should be fed into the other group which is named exactly the same as the group listed in Azure AD (as per the SQ documentation).
Has anyone experienced any issues similar to this? If so, did you manage to resolve it?

Have you checked that your app registration has the corresponding permissions to AAD?
Sign in and read user profile
Read all users' basic profiles
Read directory data
See point 7 of https://github.com/hkamel/sonar-auth-aad

Azure B2C Custom Domain has been Previously Configured Using an existing Azure AD or Office 365

I am planning to move some of my applications from AzureAD authentication to Azure B2C. I have an existing Azure AD Tenant that has a custom domain assigned and verified and I use this for all of my internal Office 365 and AzureAD authenticated applications. I do not want to change any of this as it is working well.
I then created an Azure B2C tenant using the instructions provided here https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant. That also worked and I have been able to register applications and create sample Flows.
However, I now want to assign a custom domain to the Azure B2C tenant and I would like to use the same domain that I am using for my existing applications in the AzureAD tenant. I use subdomains on my web server to separate the various applications.
I used the instructions here to create the custom domain in my Azure B2C tenant and add the TXT record to my domain registrar. https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow.
However, when I try to verify my domain, I get a message stating that
This domain has been previously configured on
[Azure Domain Prefix].onmicrosoft.com using an existing Azure AD or Office 365.
To verify this domain name, you will first need to remove the domain
name from the existing directory.
I tried adding the subdomain to the Azure B2C tenant, but understandably this "domain" was not able to be found in the verification step.
Does anyone know how I can get around this? My understanding is that I can't add the B2C functionality to an existing AzureAD tenant and I really don't want to move everything from my existing AzureAD tenant, nor create a new domain.
I have now worked out why I had this problem and will post an answer to help anyone else.
The issue was that I was trying to add my top-level domain to the Azure B2C instance. However, if I had followed the instructions more closely, I would have seen that I should be registering login.[my-domain].com.au. I found the following graphic from https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow useful to understand B2C a bit better.

Android Management API: Failed to patch policy - Caller is not authorized to manage enterprise

I have been working with the Android Management API to try and manage the policy of my company's existing enterprise. My company account has the Owner role within the organization and the roles Owner and Service Account Admin for the service account mentioned later.
I followed the Quickstart Guide to get familiar with the API and made some modifications for a more permanent solution along the way such as creating a service account with the Android Management User role via the Google Cloud Platform and generating a JSON key to acquire credentials rather than going through the OAuth2 flow like in the guide. This allowed me to authenticate properly, but when it comes time to patch the policy as such,
androidmanagement.enterprises().policies().patch(
name=policy_name,
body=policy_json
).execute()
I get the following error:
<HttpError 403 when requesting https://androidmanagement.googleapis.com/v1/enterprises/XXXXXXXXX/policies/<policy_name>?alt=json returned "Caller is not authorized to manage enterprise.". Details: "Caller is not authorized to manage enterprise.">
I have verified that the service account I am authenticating with has the Android Management User role, and thus has the androidmanagement.enterprises.manage permission.
I have also attempted to make this call with an elevated admin role in the organization.
Is there a chance that I need to have created the enterprise with my own account to manage the enterprise? The guide suggests that an organization can create multiple enterprises. In which case, would I need to create a new Google account not associated with my organization's enterprise and create a new enterprise that way?
It is advisable to use your own Google account to call the Android Management API, since your organization account may not be compatible with the quickstart.
To access the Android Management API your service account requires the androidmanagement.enterprises.manage permission, which can be granted by the Android Management User role (or roles/androidmanagement.user). Kindly check this link for details regarding creating a service account.
Please keep in mind that the enterprise you created as part of the colab instructions can only be managed using the colab itself. To allow your cloud project to manage an organization, you will need to create one using the client configuration from your cloud project.
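To make the answer concrete, here is an added example (not from the question or the answers above) that authenticates with a service-account key, checks that the target enterprise is actually listed under the cloud project before patching, and only then calls policies().patch(); the key path, project id and enterprise id are placeholders.

```python
"""Patch an Android Management API policy with a service-account key, after
confirming the enterprise is bound to the project whose key we hold.

An enterprise created elsewhere (e.g. in the quickstart colab) is not listed
for this project, and any patch against it fails with
403 'Caller is not authorized to manage enterprise'.
"""
from __future__ import annotations

SCOPES = ["https://www.googleapis.com/auth/androidmanagement"]


def policy_name(enterprise_id: str, policy_id: str) -> str:
    """Resource name expected by policies().patch(name=...)."""
    return f"enterprises/{enterprise_id}/policies/{policy_id}"


def enterprise_is_bound(enterprise_id: str, listed: list[dict]) -> bool:
    """True if enterprise_id appears in the enterprises().list() result for
    the project whose credentials we hold."""
    names = {e.get("name", "") for e in listed}
    return f"enterprises/{enterprise_id}" in names


def build_service(key_file: str):
    # Imports kept local so the pure helpers above run without the Google libs.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=SCOPES)
    return build("androidmanagement", "v1", credentials=creds)


def patch_policy(service, project_id: str, enterprise_id: str,
                 policy_id: str, body: dict) -> dict:
    listed = service.enterprises().list(
        projectId=project_id).execute().get("enterprises", [])
    if not enterprise_is_bound(enterprise_id, listed):
        raise RuntimeError(
            f"enterprises/{enterprise_id} is not bound to project {project_id}; "
            "create the enterprise with this project's client configuration first")
    return service.enterprises().policies().patch(
        name=policy_name(enterprise_id, policy_id), body=body).execute()


if __name__ == "__main__":
    # Placeholder values: key file, project id and enterprise id.
    svc = build_service("service-account-key.json")
    print(patch_policy(svc, "my-gcp-project", "LC0123456789", "policy1",
                       {"screenCaptureDisabled": True}))
```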

How can I restrict particular users in my organization to access Azure DevOps from outside of our office IP

We have almost 16 users in our Azure DevOps organisation. I have admin privileges for the Azure account. I saw a few blogs regarding the Active Directory enabling method and so on, but it was not clear.
How can we manage this restriction in Azure DevOps?
NB: Our users are accessing Azure DevOps through their Outlook account. For example: sample.organization#outlook.com
Depending on your setup, there are a couple of options:
Azure DevOps configured as MSA backed with AAD guests in Azure DevOps
When your Azure DevOps account is configured to be backed by Microsoft Accounts (formerly Live IDs, or Outlook.com or Hotmail.com), it can add Azure Active Directory users as guests into the account. This feature was added last autumn.
In this configuration, you can invite AAD and MSA users directly from Azure DevOps and the MSA users don't get any access to the Azure account.
Azure DevOps configured as AAD backed with MSA guests in Azure Active Directory
When your Azure DevOps account is configured to be backed by Azure Active Directory, it can only add users who are known in Azure Active Directory. However, you can invite Microsoft Accounts into your AAD as guests. You can even invite users from other AADs as federated guests.
In this configuration you can only invite users who are known by AAD into your Azure DevOps account. If they're not in AAD, you'll have to invite them into AAD first.
Switching
You can switch the account between the different association modes. To migrate existing users from one type to another (AAD->MSA, MSA->AAD) you currently need to open a support request to get all of the users mapped over. In this scenario you get an Excel export from your account and you provide a mapping between the old and the new user account. Support will map them for you.
Manual process
You can also take a manual approach. This model isn't well documented, and when manually mapping you'll have to re-apply the security permissions manually as well. As such, this approach isn't recommended.
Once in AAD
Once your users are all in Azure Active Directory, you can set policies on their access patterns, restrict IP addresses, require 2FA tokens and such. The value is questionable for external users as it won't work for all guest types. It will be valuable for your own users. You can enforce policy on users in your AAD. It's recommended to work with your federation partners to ensure that they're also using the right policies for their own users.
I think this will help you. I also faced the same problem I mentioned, and this article explains in detail how we can apply 'Conditional Access Policies' to avoid unauthorized access to Azure repositories (code). After applying the policies in the Azure portal, we need to enable the option in the dev portal: Enable Conditional Access for Azure DevOps. Hope this helps you.
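As an added illustration of the Conditional Access approach from the answers above (example code, not from the thread), the block below builds the Microsoft Graph request bodies for an office named location and a policy that blocks one group from Azure DevOps outside that location, and evaluates a sign-in against them locally. The group id, CIDR and location id are constructed placeholders; the Azure DevOps application id is the first-party id as seen in Entra ID sign-in logs, which you should verify in your own tenant.

```python
"""Conditional Access: block a group's access to Azure DevOps except from
the office IP range, expressed as Graph request bodies plus a local check."""
from ipaddress import ip_address, ip_network

# Azure DevOps first-party application id in Entra ID (verify in your tenant).
AZURE_DEVOPS_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"


def office_named_location(cidr: str, location_id: str = "loc-office") -> dict:
    """Body for POST /identity/conditionalAccess/namedLocations. Graph assigns
    the real id on creation; it is set here only for the local evaluation."""
    return {
        "id": location_id,
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": "Office egress",
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                      "cidrAddress": cidr}],
    }


def devops_office_only_policy(group_id: str, location_id: str) -> dict:
    """Body for POST /identity/conditionalAccess/policies: block the group
    from every location except the office one. Starts in report-only mode."""
    return {
        "displayName": "Azure DevOps: office network only",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [AZURE_DEVOPS_APP_ID]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def is_blocked(policy: dict, locations: list, user_groups: set,
               app_id: str, source_ip: str) -> bool:
    """Local approximation of policy scoping: the block applies only when the
    user, the application and the location condition all match."""
    cond = policy["conditions"]
    if not user_groups & set(cond["users"]["includeGroups"]):
        return False
    if app_id not in cond["applications"]["includeApplications"]:
        return False
    for loc in locations:
        if loc["id"] in cond["locations"]["excludeLocations"] and any(
                ip_address(source_ip) in ip_network(r["cidrAddress"])
                for r in loc["ipRanges"]):
            return False  # sign-in comes from the excluded (office) location
    return True
```

Create the policy in report-only state first and review the sign-in log for a few days before switching it to "enabled".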

Azure and IIS Windows Auth

I would appreciate any help that can be offered. I would like to achieve the following in Azure and having tried various tutorials using lots of different configurations I am still unable to achieve what seems quite simple.
I would like to set the default IIS homepage on an Azure VM to use Windows Authentication. I would like to Add a user or group from my local on-premise Active Directory, which is linked to an Azure Active Directory using 'Azure AD Connect'. Finally I would like to login to a client machine on my local on-premise Active Directory, and be able to browse to the Azure VM IIS default homepage without having to enter a username and password, as I am already authenticated having logged into the local Active Directory.
I am happy to try various setups and scenarios, so if you can help please shout up.
Thanks
Andy

Visual Studio, add connected service does not register app in azure AD

I followed the steps as per
https://github.com/OfficeDev/O365-WebApp-MultiTenant and added the connected service. However this does not register the app under Windows Azure Active Directory Applications. I have properly linked my office 365 account into Azure. However when I add the connected service it is still empty. Is this a known issue and what is the work around?
No, this isn't a known issue. The "Add Connected Service" wizard is not generating a client ID and secret in your web.config?
As a workaround you could login to the Azure Management Portal and register the app manually, then put the client ID and secret into your web.config.
I just had the same issue and spent some hours on it. Finally it turned out that I had used a user account to log in to Visual Studio that was assigned to a different MS Azure account.
In my case I was using the user of production environment instead of my own developer account to log in.