azure-docs | Open source documentation of Microsoft Azure | Azure library
kandi X-RAY | azure-docs Summary
kandi X-RAY | azure-docs Summary
Open source documentation of Microsoft Azure
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of azure-docs
azure-docs Key Features
azure-docs Examples and Code Snippets
Community Discussions
Trending Discussions on azure-docs
QUESTION
I'm looking for a way to ensure that the unique_name claim value is always the user email for a specific app in AAD which is accessed via SSO. I've noticed that for users which have an AAD account, the unique_name claim value is the email address, but for external users (invited to the directory) it is prefixed by "live.com#" (e.g. live.com#email@domain.com). The application uses the OIDC protocol. I've been trying different things from Microsoft docs:
- Setting a different source for the unique_name claim https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization (I'm not sure if this applies, given the app uses OIDC, not SAML)
(By the way, that documentation is a bit out of date because I found that the "User Attributes & Claims" section is now in SSO https://docs.microsoft.com/en-us/answers/questions/248748/cant39-find-the-34user-attributes-amp-claims34-sec.html)
- Building a claim-mapping policy https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
None of these worked.
I know this would be trivial in AAD B2C with custom policies. Is it possible to override the unique_name claim with the email claim in AAD?
Update 07/01/2022
After further investigation I found that the unique_name claim is only supported in v1 tokens https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens, https://github.com/MicrosoftDocs/azure-docs/issues/62971 (the current version is v2) and it's transformed into "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" by the ADAL client. This customization I'm after is for a legacy .NET app which uses ADAL on the v1 AAD endpoint. The only way I can think of how to achieve this is via a claim-mapping policy, however I haven't been able to do make it work. Any ideas would be appreciated.
...ANSWER
Answered 2022-Jan-08 at 14:24I believe I've found an answer to my question and the conclusion is that it's not possible to override the unique_name claim, because it's a restricted claim. The closest I got was to map the mail claim to a custom claim (e.g. unique_name2). This is what I did:
https://docs.microsoft.com/en-gb/azure/active-directory/develop/active-directory-claims-mapping
I installed the Azure AD PowerShell Module public preview (I had to uninstall the AD Powershell module first because I already had a later version)
I followed the instructions on the document above to connect to AAD and view any existing claim mapping policies
Connect-AzureAD -Confirm
Get-AzureADPolicy
- I followed the instructions on https://docs.microsoft.com/en-us/answers/questions/80295/claim-transformation-in-azure-id-token-upn-data-to.html to build a claim mapping policy, although I had to adapt it because it wasn't working. I ran the following commands:
3.1 I used the search command to search for my app (called "test").
GET-AzureADServicePrincipal -SearchString Test
This outputs a table like the following:
ObjectId AppId DisplayName
3.2 I ran the following command to create a new mapping policy which maps the "mail" claim to the "unique_name2" claim. (When I tried mapping to "unique_name" it works, but the "unique_name" claim doesn't get overridden, because it's a restricted claim)
$Policy=New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"mail"},{"Source":"transformation","ID":"DataJoin","TransformationId":"JoinTheData","JwtClaimType":"unique_name2"}],"ClaimsTransformations":[{"ID":"JoinTheData","TransformationMethod":"Join","InputClaims":[{"ClaimTypeReferenceId":"mail","TransformationClaimType":"string1"}], "InputParameters": [{"ID":"string2","Value":""},{"ID":"separator","Value":""}],"OutputClaims":[{"ClaimTypeReferenceId":"DataJoin","TransformationClaimType":"outputClaim"}]}]}}') -DisplayName "MapMailToUniqueName2" -Type "ClaimsMappingPolicy"
3.3 I ran the following command to add the custom policy to my app service principal (copying the id from step 3.1). This means the policy will be applied only to that specific app.
Add-AzureADServicePrincipalPolicy -Id {my app service principal id} -RefObjectId $Policy.Id
That's all. When I tested SSO on my app, I had an additional claim "unique_name2" which contains the value of the "mail" claim. There probably is a more efficient way of creating the mapping policy in step 3.2 but the way described in the step 3 link wasn't working for me so I came up with a concatenation to a blank string.
It doesn't seem possible to override the unique_naim claim because it's a restricted claim. I later found that this is actually documented here https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/reference-claims-mapping-policy-type.md. I wish I had found this earlier.
QUESTION
I have an Azure Function (tried both Windows and Linux Consumption) using Azure App Service Authentication (Easy Auth) with a custom OpenId Connect provider to authenticate my Azure Function with an http trigger.
I configured a client in my Identity Provider (based on Duende Identity Server), acquired a token and then sent a request to the Azure Function (contains just the code that is initially created by Visual Studio when creating a Function App project).
This is the configuration I made in the Azure Portal:
When I now send the request to the Azure function endpoint I always get the following error:
...ANSWER
Answered 2021-Dec-19 at 18:10You should try using the Client ID as the scope while generating the token.
In some cases appending /.default to the scope helps. Example eda25bbe-a724-43ba-8fa3-8977aba6fb36/.default.
QUESTION
We recently deployed azure event-hub java receiver/listener client by following azure-docs.
I truly believe arrays starts with 0, but that has nothing to do with this question. So anyways, I observed the following error raised from processError & also processPartitionClose
ANSWER
Answered 2021-Nov-30 at 09:03Do azure-sdk-for-java-sdk-eventhubs reconnect on such partition lost automatically ?
Yes, the EventProcessorClient in azure-messaging-eventhubs library will reconnect on such partitions. You don't need to change anything manually.
If there are multiple instances of EventProcessorClients running and they all process events from the same Event Hub and use the same consumer group, then you see this LOST_PARTITION_OWNERSHIP error on one processor because the ownership of a partition might have been claimed by the other processor. The checkpoints are read from the checkpoint store (Storage Blob in your code sample above) and the processing resumes from the next sequence number.
Please refer to partition ownership and checkpointing for more details.
QUESTION
fellow engineers!
There is a need to transfer group owner from attribute "managedBy" (CN=%username%; part) of on-prem AD to Azure AD's "Owner" field of the same group (groups are synchronized, so it has same naming both in on-prem and Azure AD).
Issue is, that the process need to be automated, but there is not much options:
Module for AAD group management for PowerShell (but it doesn't work PowerShell ver7, because of .Net's core issue: https://github.com/MicrosoftDocs/azure-docs/issues/49896): https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-settings-v2-cmdlets
Answer from another question on StackOverflow, but it doesn't seem to be my thing (because the need to deal with Extensions): How to add a Group Owner in Azure AD for the Group synced from on-premises active directory
Some kind of work-around with Graph API, but it isn't my choice too, since process need to be automated: https://social.msdn.microsoft.com/Forums/azure/en-US/4a293240-5ffc-45be-bd73-43f8868e5fab/graph-api-getting-quotmanaged-byquot-attribute-for-a-group-synced-with-azure-ad-connect?forum=WindowsAzureAD
So, maybe somebody stuck with same need or maybe could suggest a workaround with the PowerShell module, since there is not much of pleasure to go through more than 100 groups adding owners
...ANSWER
Answered 2021-Oct-21 at 09:14• Since, all the on-premises Active Directory groups are synced to Azure AD and all the groups have the same naming in Azure AD as that of on-premises active directory, then you can change the group owners of all the groups that are synced from on-premises AD to AAD by executing the below commands: -
QUESTION
Per an Azure Support response in an Azure Docs github issue (https://github.com/MicrosoftDocs/azure-docs/issues/75652), Consumption-tier Azure Functions on Linux don't support the General Settings tab
[I]t is by design that "General Setting" tab is not available for Linux Consumption function app.
Additionally, they don't support FTP or FTPS connections at all
When using the Consumption hosting plan, your function code and binding configuration files are stored in Azure File storage in the main storage account, not persistent file server. Actually it is not even possible to FTP to it. You will see /home folder is empty.
Finally, an Azure Advisor "High Impact" Security recommendation states
FTPS should be required in your function app
Given that there's no way to change it in the portal, how can you mitigate the recommendation?
...ANSWER
Answered 2021-Aug-27 at 13:35Disabling FTP/FTPS can be done through the Azure CLI:
az functionapp config set --ids "YOUR APP ID HERE" --ftps-state Disabled
Given that FTP/FTPS isn't useful on Azure Functions Consumption plans (per the noted support response), you can also run the following to disable FTP/FTPS on all Azure Functions:
az functionapp list | ConvertFrom-Json | ForEach-Object -Process {az functionapp config set --ids $_.id --ftps-state Disabled}
Alternatively, you can mark the Azure Advisor recommendation as Mitigated through the Azure Portal. This can be done by clicking into the recommendation, checking all the affected resources listed under "Unhealthy resources", then clicking "Exempt".
QUESTION
I have a React SPA which uses msal. I have configured Azure AD as Identity Provider for my AADB2C. I can signIn/signOut and other operations.
If my user signs out off my application, I want to also sign out of my Identity Provider. I looked a bit into this matter 1, 2, 3, 4, 5.
At this moment, I use msal's logoutRedirect method.
ANSWER
Answered 2021-Sep-17 at 19:51You are doing an RP Initiated Logout in OpenID Connect terms, meaning you need to also send the id_token_hint query parameter.
I can also confirm that sending both query string parameters logs out successfully for my Azure developer account:
QUESTION
We want to copy files from Google Storage to Azure Storage. We used following this guide: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-google-cloud
We run this command:
...ANSWER
Answered 2021-Jul-27 at 12:45The reason you're running into this issue is because the URL storage.cloud.google.com is hardcoded in the application source code for Google Cloud Storage. From this link:
QUESTION
I've followed the steps from https://docs.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
While testing receiving the error "Application registered corresponding to IssuerUri "">xyz.com/suite" in AuthRequest does not have assertion consumer service URL "">xyz.com/suite/saml/AssertionConsumer" specified in its metadata."
Using SAML tracer, I can see both my SAML Request and Response contains same AssertionConsumerServiceURL. MS document says: If you choose to configure the reply URL and logout URL in the application manifest without populating the application's metadata endpoint via the samlMetadataUrl property, Azure AD B2C will not validate the SAML request signature, nor will it encrypt the SAML response.
I can some workaround of specifying the PartnerEntity in the SP metadata URL for the Relying Party in the B2C_1A_signup_signin_saml custom policy. https://github.com/MicrosoftDocs/azure-docs/issues/61603
Unfortunately my web application security compliance does not allow to provide SP metadata endpoints. Do I need to host the SP / Appian SAML metadata file on Azure Storage account OR Is this mandatory to provide SP meta data endpoint to refer from Idp application registration manifest?
Second question, just want to make sure on the below. From MS Ref. doc: You can change the value of the IssuerUri metadata item in the SAML token issuer technical profile. This change will be reflected in the issuerUri attribute returned in the SAML response from Azure AD B2C. Your application should be configured to accept the same issuerUri during SAML response validation.
My question on the above paragraph, IssueUri example can be .onmicrosoft.com/c3bcfc1c-1234-4a3b-96e6-db0933071234 (application / client id) Is this correct?
Thanks.
...ANSWER
Answered 2021-Jul-24 at 15:27"The username or password provided in the request are invalid" - This issue has been resolved by granting "IdentityExperienceFramework" (User_impersonation - Delegated Type) API permission. I could not see this solution on MS documents guidance, however this has resolved my issue. thanks.
QUESTION
An Azure Static Web App has a notion of auth that can be used to whitelist individual users, or individual identity providers (as in this question).
Is it possible to require authentication through the particular tenant/organizational directory used to set up the resource, through Azure configuration alone, as is currently possible with the ordinary Azure Web App Service; that is, require authentication through AAD as in the above linked question, but furthermore restrict access to members of the relevant tenant? If so, what might the corresponding routes.json look like?
See also this GitHub issue.
...ANSWER
Answered 2021-Apr-23 at 09:41Functionality defined in the routes.json file is now deprecated and better implemented in the Azure Static Web Apps configuration file.
https://docs.microsoft.com/en-us/azure/static-web-apps/routes#example-route-file
Example of Azure Static Web Apps configuration file.
https://docs.microsoft.com/en-us/azure/static-web-apps/configuration#example-configuration-file
To limit access to Azure Static Web App within single Tenant, add route into configuration-file
QUESTION
I've been trying to follow the direction here and applying it to nodejs.
I'm getting the following error:
...ANSWER
Answered 2021-May-13 at 01:19Try this :
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install azure-docs
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
