I have a question about user definition in TFS. Should I create a new user account for everyone that wants to work in my team in TFS Server?
In SourceSafe or Subversion, it was not necessary to create a user on its server.
Yes, you should create an account either on a server itself or in a domain this server belongs to. "By design security for Team Foundation is integrated with Windows authentication and based on users and groups," - from this MSDN reference.
By the way, it is recommended not to give permissions for a particular user, but rather assign permissions to groups and then just add users to those groups.
Related
Is there any possibility to create sub-users under a user account using one license, but taking into account they need to have full access to the main functionalities of the CRM?
No. Even by sharing a user between multiple people you would likely be breaching your licence terms.
Without understanding why you would want to do this, if the reason is cost, I would suggest investigating Power Apps and Team Member licences. They are a cheap way to access Dynamics data, although can be restrictive.
Apologies for the basic question; we're having a spring clean of the office Active Directory and plan to remove a large number of legacy users. Saying good-bye to their email is not a problem, but we have an on-premise Dynamics CRM we occasionally refer to. My question is, will there be any implications for that if I delete a user who might have entered a case?
There is no direct link between CRM on-premise 2011 & Active Directory to pull all users overnight & sync. When you create a new user in CRM by giving domain name, it will verify in AD & pull the details to store in CRM. This will happen on tab out.
So when you delete/disable an AD user it won't flow down in Dynamics. But you have to disable them manually (no delete option available). Before doing that make sure to read these best practices.
Best Practices
Make sure to Re-assign any associated records/activities to another User or Team before disabling User. If you don’t Re-assign the records they will still be available, but they will still be assigned to the disabled user.
It is very important to ensure that there are no Workflows owned by the User to be disabled. All Published Workflows need to be owned by an administrative account, not an employee’s account.
There are situations where a User’s account only needs to be disabled for a short period of time, so records don’t necessarily need to be Re-assigned. (Example: the User went on vacation for a month). Take into consideration the User’s privileges for those records. If only the User can modify that record, then no one will be able to modify the record, if the owner is disabled.
Read this community thread as well.
I am using LUIS to extract intent for the user utterances. I have done it through my own free Microsoft account. Now how can I get an organization subscription? Is it free like the normal Microsoft account, or is billing different for the organization or enterprise accounts?
The documentation was not clear about the billing. Also I am new to Azure.
If this is something you are doing for your own business, then you can convert your free account to a Pay-As-You-Go account. Instructions are available here.
If you are doing this for your employer then they would need to provide the subscription information to you and grant you contributor access.
The image in your question isn't really related to subscriptions or billing. Did you intend to include it? What the image is talking about is the Active Directory consent. Basically, your LUIS app needs certain AD permissions to do stuff, and only someone logged in with the correct privileges can 'consent' to grant them. The consent framework is a pretty large and important topic. Here is a great place to get started.
I hope this helps.
I'm struggling with moving our VSTS subscription (and all projects within it) to a new MS work Azure account.
The original VSTS subscription was created on a personal account (call it a#a.com) and I want to move it to a#a.onmicrosoft.com.
When I am in the azure portal I can see the Team Service as a resource. I've unlinked it from any active directory.
Now, while it has a subscription key, I cannot seem to access the subscription. There is no link and there are zero subscriptions listed on the subscriptions list in Azure portal. It seems to be orphaned or something.
I have tried adding a#a.onmicrosoft.com as a user to the VSTS account within VSTS but it seems to add it as a personal account, so I cannot log in to it using my work account.
I have managed to change the owner in VSTS to a Gmail account, but it's still showing as a resource in my a#a.com personal Azure account.
I have tried to find up-to-date information on this, but several pages mention adding a co-administrator, and either this is no longer possible or I cannot do it because there appears to be no subscription association with the VSTS resource.
I'm desperate, please help!
In the end I had to raise a support ticket with VSTS support who performed some kind of migration that I would have been unable to do myself.
We are trying to migrate a legacy intranet ASP .NET web app from "Forms" based authentication into a "Windows" based one so that the user doesn't have to enter the credentials again after logging into the PC, we just want to read the current logged-in identity and use that for authenticating and authorizing the user in the application.
Doing Windows authentication in ASP .NET is pretty straightforward; what I wanted to check though was how the users and their groups should be managed within AD or ADAM.
The same user can have rights on multiple environments of the same application like Dev, UAT, LT, Prod etc. so the same domain account needs to be authenticated in multiple environments (different URL). Also, once authenticated into an environment the user might belong to multiple roles which decide what actions are available for the user to perform.
I was looking for some recommendations here in terms of how we set this structure up in AD, we are thinking of creating groups in AD for the different environments like App_Dev, App_UAT, App_Prod etc. and have nested groups within each of them for the different roles in the application like App_Dev\Role1, App_Dev\Role2, App_UAT\Role1 etc. for each of the environments and add the users inside it.
What do you guys think?
You have to remember that Authentication and Authorization are two different things. You have combined them in your logic.
For example, your authentication mechanism is AD. So yes, use AD for authentication of credentials and group membership to ensure they can authenticate with a specific instance.
However, you can still use the classic RolesProvider and use a SQL backend to store roles and user to roles assignments per instance within the database. This is easy and uses the built-in feature of ASP.NET without having to go overboard with creating groups in AD. You can do various searches on the web about ASP.NET AD Authentication and SQL Roles Provider. I think ScottGu even has an old article about how to do it.
Lastly, what you have described here is not SSO or Single Sign-On, I'll update your question to reflect this. SSO refers to creating a token that is trusted and shared amongst many applications. It doesn't seem like you need that with the example provided, but if you do, you would be investigating ADFS and the Windows Identity Foundation (WIF). Just because you use AD does NOT mean you have SSO, it simply means you have a single Authentication Provider, but you still don't have a token based system that actually only requires an initial Authentication and Authorization request to a central authentication service, usually ADFS.
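The split described in the answer above, as an added example that is not part of the original answer or any project's code: one AD group per environment decides who may use an instance, and a role provider (for example SqlRoleProvider) holds that instance's application roles. The class name, the group CONTOSO\App_UAT and the role name "Approver" are hypothetical, and the sketch assumes Windows authentication and roleManager are enabled in web.config.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example. Group and role names are hypothetical placeholders.
public static class AppAccess
{
    // One AD group per environment (Dev, UAT, Prod ...). Hard-coded here for
    // brevity; each deployed instance would read its own value from config.
    private const string EnvironmentGroup = @"CONTOSO\App_UAT";

    // Gate 1: is the Windows-authenticated caller allowed into this instance?
    public static bool MayEnterEnvironment(IPrincipal user)
    {
        if (user == null) return false;
        WindowsIdentity identity = user.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;

        // Ask the Windows token directly. When the role manager is enabled,
        // HttpContext.User is a RolePrincipal and user.IsInRole() is answered
        // by the role provider, not by AD group membership.
        return new WindowsPrincipal(identity).IsInRole(EnvironmentGroup);
    }

    // Gate 2: application role, stored per instance by the role provider and
    // keyed by the full account name (DOMAIN\user).
    public static bool HasAppRole(IPrincipal user, string appRole)
    {
        // Deny by default: no environment access means no role checks at all.
        if (!MayEnterEnvironment(user)) return false;
        return Roles.IsUserInRole(user.Identity.Name, appRole);
    }

    // Typical call site inside a page or handler.
    public static void DemandRole(HttpContext context, string appRole)
    {
        if (!HasAppRole(context.User, appRole))
        {
            // 403: the caller is authenticated but not authorized here.
            throw new HttpException(403, "Access denied.");
        }
    }
}
```

A handler would call `AppAccess.DemandRole(HttpContext.Current, "Approver")` before performing the protected action.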