Comments (8)
Hello, thank you for your feedback, and sorry, but I think I don't understand what you propose.
I didn't know the AAD invitation API so I found and read this.
Can you make your point more explicit?
Do you propose that AzureCP replaces the site invitation process of SharePoint (and not only the people picker lookup)?
We are trying out AzureCP for our solution.
Basically, we want to use Azure AD for SharePoint on-premises and leverage B2B as well as MSA (i.e. Hotmail).
We spotted a few points that we would like to be able to handle:
1/ Invitation
Authorization does work correctly for the different kinds of users, but every user needs an account in Azure AD, right? In B2B a guest would have a shadow account.
So users need to be invited into Azure AD first before rights can be set for them in SharePoint. We are debating the use of an invitation portal that would allow inviting external people. An example page does exist for that (https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web if I am right).
We can't help feeling that there should be a more SharePoint-integrated solution to that.
2/ Groups
We wouldn't want to recreate groups from B2B tenants to provide access, so we want to use claims enrichment to collect groups from the original tenant of B2B users (provided they are in an Azure AD).
To allow management from SharePoint we decided to configure an extra Azure AD in AzureCP, thus allowing picking of extra groups.
3/ People Picker
So we end up with a "main" Azure AD which handles user authentication as well as B2B and MSA. But in the people picker both the shadow account and the real account show up. As discussed in another issue, B2B does work with a claims modification at the ADFS level (from #ext to normal UPN). But this modification might not be welcome for MSA accounts.
In the end we thought it possible to filter out "shadow" accounts of B2B users and only use the information from their native tenant if provided by an Azure AD (i.e. main tenant email address matches another known tenant UPN).
So:
- invitation process: we may have to look in another direction
- shadow accounts: we'd like to correlate shadow accounts with accounts from other known tenants to detect shadows and hide them.
hello,
thank you for the detailed description, it makes much more sense now.
Technically speaking, what you describe sounds possible, but it's a big piece of work.
To be honest, I have other priorities and I don't think I'm going to invest time to implement this. The most important change I'd like to make is to rely on Microsoft Graph instead of the old Azure Active Directory Graph Client Library (as described here), but even that I don't know if/when I'll have time to do.
With that said, if you have the resources and the time, you could try to implement this on your own. I think it is possible by just inheriting AzureCP, if I create an overridable method (in AzureCP class) that is called after all AAD users/groups were found, so you can add/remove the ones you want.
What do you think?
Could a simple patch doing the following be sufficient?
- when listing users
  - if user is of type guest
    - if signinname is in a registered tenant domain
      - do not add to people picker
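The filter sketched in the patch proposal above, plugged into the kind of overridable post-lookup hook the maintainer suggested two comments earlier, as an added C# example that is not AzureCP's own code: the `DirectoryEntity` type, the `ClaimsProviderBase.FilterEntities` hook, the `Search` method and the registered domain list are all assumptions made for illustration, and the directory results are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in for an entity returned by the directory lookup. This is an assumption for
// the example, not AzureCP's real entity type.
public class DirectoryEntity
{
    public string DisplayName { get; set; }
    public string SignInName { get; set; }   // UPN or sign-in name, e.g. "alice@fabrikam.com"
    public string UserType { get; set; }     // "Member" or "Guest", as Azure AD reports it

    public override string ToString()
    {
        return DisplayName + " <" + SignInName + "> (" + UserType + ")";
    }
}

// Stand-in for the provider: after the directory results are collected it calls a
// virtual hook that a subclass can use to add or remove entries. The hook name
// FilterEntities is hypothetical; AzureCP does not expose it under that name.
public class ClaimsProviderBase
{
    protected virtual List<DirectoryEntity> FilterEntities(List<DirectoryEntity> found)
    {
        return found;
    }

    public List<DirectoryEntity> Search(IEnumerable<DirectoryEntity> directoryResults)
    {
        List<DirectoryEntity> found = directoryResults.ToList();
        return FilterEntities(found);
    }
}

// Subclass implementing the proposed rule: a guest whose sign-in name belongs to a
// domain of a tenant that is itself registered in the provider is a B2B "shadow"
// of a user already resolvable from that tenant, so it is dropped. MSA guests
// (e.g. hotmail.com) are not in a registered tenant domain and are kept.
public class GuestFilteringProvider : ClaimsProviderBase
{
    // Domains of the additional tenants configured in the provider (constructed sample).
    private readonly HashSet<string> registeredTenantDomains =
        new HashSet<string>(new[] { "fabrikam.com", "contoso.com" }, StringComparer.OrdinalIgnoreCase);

    protected override List<DirectoryEntity> FilterEntities(List<DirectoryEntity> found)
    {
        return found.Where(e => !IsShadowGuest(e)).ToList();
    }

    private bool IsShadowGuest(DirectoryEntity e)
    {
        if (!string.Equals(e.UserType, "Guest", StringComparison.OrdinalIgnoreCase))
            return false;
        string domain = DomainOf(e.SignInName);
        return domain != null && registeredTenantDomains.Contains(domain);
    }

    // Domain part of a sign-in name. For the "#EXT#" UPN form that Azure AD gives
    // B2B guests (alice_fabrikam.com#EXT#@main.onmicrosoft.com) the home domain is
    // the part after the last '_' before "#EXT#"; otherwise it is the part after '@'.
    internal static string DomainOf(string signInName)
    {
        if (string.IsNullOrEmpty(signInName)) return null;
        int ext = signInName.IndexOf("#EXT#", StringComparison.OrdinalIgnoreCase);
        if (ext > 0)
        {
            string local = signInName.Substring(0, ext);
            int underscore = local.LastIndexOf('_');
            return underscore > 0 ? local.Substring(underscore + 1) : null;
        }
        int at = signInName.LastIndexOf('@');
        return (at > 0 && at < signInName.Length - 1) ? signInName.Substring(at + 1) : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed directory results: a Fabrikam member, the B2B shadow of the same
        // person in the main tenant, and an MSA guest.
        var results = new List<DirectoryEntity>
        {
            new DirectoryEntity { DisplayName = "Alice", SignInName = "alice@fabrikam.com", UserType = "Member" },
            new DirectoryEntity { DisplayName = "Alice (guest)", SignInName = "alice_fabrikam.com#EXT#@main.onmicrosoft.com", UserType = "Guest" },
            new DirectoryEntity { DisplayName = "Bob (MSA)", SignInName = "bob@hotmail.com", UserType = "Guest" }
        };
        foreach (DirectoryEntity e in new GuestFilteringProvider().Search(results))
            Console.WriteLine(e);
    }
}
```

Two caveats a deployment would need to settle: parsing the home domain out of the "#EXT#" local part is a heuristic (an underscore in the original local part still works because the last one is used, but the guest's mail or sign-in attribute is the more reliable source when the lookup returns it), and hiding a shadow account from the people picker does nothing for permissions already granted to it, so existing ACLs on the shadow identity still have to be migrated to the resolvable one.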
Hello,
We installed a test SharePoint and dev tools (VS2013) to look further at customisation.
On compilation we get these errors and warning:
C:\Users\<user>\Documents\AzureCP\AzureCP\AzureCP.cs(911,37): error CS1985: Cannot await in the body of a catch clause
C:\Users\<user>\Documents\AzureCP\AzureCP\AuthenticationHelper.cs(17,42): warning CS1998: This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.
I can get rid of the error by moving the "tryAgain" flag in the begin of the method and the "if (firstAttempt && tryAgain)" to the end of the method.
For the warning, I didn't really get the explanation (yet).
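The restructuring described in the comment above (move the retry decision out of the catch, await again afterwards) and the meaning of the CS1998 warning, as an added C# example that is not AzureCP's own code: `QueryWithOneRetryAsync`, `IsTransient` and `GetCachedTokenAsync` are hypothetical names, and the failing-then-succeeding query in `Main` is constructed.

```csharp
using System;
using System.Threading.Tasks;

public static class RetryExample
{
    // Under a C# 5 compiler (VS2013) this shape is rejected with CS1985 because the
    // retry awaits inside the catch body. Shown as a comment since it does not compile there:
    //
    //   try { return await query(); }
    //   catch (Exception) { return await query(); }   // CS1985: Cannot await in the body of a catch clause
    //
    // C# 6 (VS2015 and later) accepts await in catch and finally blocks.

    // Restructured for C# 5: the catch only records whether to retry; the await
    // for the second attempt happens after the try/catch.
    public static async Task<string> QueryWithOneRetryAsync(Func<Task<string>> query)
    {
        bool tryAgain = false;
        string result = null;
        try
        {
            result = await query();
        }
        catch (Exception ex)
        {
            if (!IsTransient(ex)) throw;
            tryAgain = true;             // decide here, await later
        }
        if (tryAgain)
        {
            result = await query();      // second attempt; a failure here propagates
        }
        return result;
    }

    private static bool IsTransient(Exception ex)
    {
        return ex is TimeoutException;
    }

    // CS1998 is a warning, not an error: an "async" method containing no "await" runs
    // synchronously and merely wraps its result in a completed Task. Dropping "async"
    // and returning Task.FromResult removes the warning without changing behaviour.
    public static Task<string> GetCachedTokenAsync(string cachedToken)
    {
        return Task.FromResult(cachedToken);
    }

    public static void Main()
    {
        int attempts = 0;
        // Constructed query: fails once with a transient error, then succeeds.
        Func<Task<string>> flakyQuery = () =>
        {
            attempts++;
            if (attempts == 1) throw new TimeoutException("simulated transient failure");
            return Task.FromResult("ok after " + attempts + " attempts");
        };
        Console.WriteLine(QueryWithOneRetryAsync(flakyQuery).GetAwaiter().GetResult());
    }
}
```

The retry is deliberately limited to exceptions classified as transient; re-running a directory query on an authentication or authorization failure only doubles the failing traffic and can mask a misconfigured credential.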
Hello, can you try to sync the latest commit in dev branch and start from it?
I pushed an update this afternoon and, apart from a lot of optimizations, code is also easier to understand.
With that said, I can't explain the errors you mention, compilation should succeed...
Compiles correctly from dev branch without signature.
If signature is enabled (with self cert), visual studio complains that Nito.AsyncEx is not strong named.