Azure AD and Elevated Access

Today one of my colleagues contacted me for help with authenticating his LCS project against our Azure AD. He had created his own subscription since he had no access to our top-level tenant. When I went into the Azure Portal to look for the subscription I was not able to find it, which was a bit strange since I have the Global Admin role.

Doing some research I found that there is something called Azure elevated access, which is sort of UAC for Azure AD. Global Admin is a directory role in Azure AD; Azure subscriptions and management groups are governed by Azure RBAC, which is a separate permission model. So even as Global Admin you only see the subscriptions you hold an Azure role on. Elevating access adds the User Access Administrator role for your account at the root scope ("/"), above every management group and subscription, which lets you see all of them and assign Azure roles on any of them.

This is very useful for getting access to subscriptions in your Azure AD tenant that were created by someone else, maybe even someone who has left your organization.

In the Azure Portal, go to Azure AD and select Properties in the left-side menu. At the bottom of the page there is a toggle switch called Access management for Azure resources. Set it to Yes and you hold User Access Administrator at the root scope, so you can open the subscription and assign yourself (or a replacement owner) the Owner role on it.

Remember to set it back to No when you are done… The root-scope assignment does not expire on its own, and an account that can change permissions on every subscription in the tenant is exactly what an attacker hopes to find behind a compromised admin login. Do the role assignment you needed, then remove the elevation.
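The same procedure with the Az PowerShell module, as an added example that is not part of the original post: elevate, grant yourself Owner on the one subscription you actually need, then remove the root-scope role and check that nobody else still holds it. The account name and subscription name are placeholders, and it assumes you are already signed in with Connect-AzAccount as a Global Administrator.

```powershell
# Added example, not from the original post. Assumes the Az module and an existing
# Connect-AzAccount session as a Global Administrator; names below are placeholders.
$me      = 'admin@contoso.onmicrosoft.com'   # placeholder: your Global Admin account
$subName = 'Colleague-LCS-Subscription'      # placeholder: the subscription you cannot see

# 1. Elevate. Same effect as the Properties toggle: adds User Access Administrator at scope "/".
$resp = Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($resp.StatusCode -ne 200) {
    throw "Elevate failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# 2. The subscription is now visible. If it is not, the cached token predates the
#    elevation: Disconnect-AzAccount, Connect-AzAccount, and run from here again.
$sub = Get-AzSubscription | Where-Object Name -eq $subName
if (-not $sub) { throw "Subscription '$subName' is still not visible" }

# 3. Grant a standing role on that subscription only, never on "/".
New-AzRoleAssignment -SignInName $me -RoleDefinitionName 'Owner' `
    -Scope "/subscriptions/$($sub.Id)" | Out-Null

# 4. Remove the root-scope role again (this is what the toggle set to No does);
#    it does not expire by itself.
Remove-AzRoleAssignment -SignInName $me -RoleDefinitionName 'User Access Administrator' -Scope '/'

# 5. Audit: list everyone who still holds User Access Administrator at "/".
Get-AzRoleAssignment |
    Where-Object { $_.RoleDefinitionName -eq 'User Access Administrator' -and $_.Scope -eq '/' } |
    Select-Object DisplayName, SignInName, ObjectType
```

Step 5 should come back empty in a tenant at rest; any account it lists is a standing root-scope administrator and should be reviewed.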

Links
Elevate access to manage all Azure subscriptions and management groups | Microsoft Docs

Adding External Users as Guest Users to Azure AD

One of my colleagues had a question today… His customer has split their company into two tenants, and their Dynamics 365 for Operations is still in one of them (Tenant A). The users in the new tenant (Tenant B) need access, and he wondered how to do this.

The first step is to create an Azure AD guest user invitation in the Azure Portal (in Tenant A). Go to Azure Active Directory – Users – New guest user.

The user receives an email where they can accept the invite…


When the user in Tenant B accepts the invite, a guest (“placeholder”) account is created in Tenant A and linked to the user's home account in Tenant B. The guest object holds no credentials of its own: the user still signs in with the Tenant B account, and is then treated as a guest user in Tenant A, so Tenant A's policies (for example MFA through Conditional Access) apply. Once the user has accepted the invite we need to import the user into Dynamics. Go to System administration – Users and select Import users. Search for the user and import it.

Finally we add user roles as usual.
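The invitation step scripted with the Microsoft Graph PowerShell SDK, as an added example that is not from the original post: it sends the invite from Tenant A and then shows what the placeholder object in Tenant A looks like before and after acceptance. The module choice, the address and the redirect URL are assumptions; any account that is allowed to invite guests in Tenant A can run it.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module and an
# account in Tenant A that may invite guests; address and redirect URL are placeholders.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

$external = 'kalle.kula@innoworks.com'     # placeholder: the user's address in Tenant B
$landing  = 'https://myapps.microsoft.com'  # where the link in the invitation mail sends them

$inv = New-MgInvitation -InvitedUserEmailAddress $external `
    -InviteRedirectUrl $landing -SendInvitationMessage

# The guest object exists from this moment; it only flips to Accepted when the user
# clicks the link and signs in with the Tenant B account. No password lives in Tenant A.
$guest = Get-MgUser -UserId $inv.InvitedUser.Id `
    -Property 'userPrincipalName', 'userType', 'externalUserState', 'mail'
[pscustomobject]@{
    UserPrincipalName = $guest.UserPrincipalName  # kalle.kula_innoworks.com#EXT#@<tenantA>.onmicrosoft.com
    UserType          = $guest.UserType           # Guest
    ExternalUserState = $guest.ExternalUserState  # PendingAcceptance, later Accepted
    Mail              = $guest.Mail               # kalle.kula@innoworks.com
}

# Housekeeping check: invitations that were never accepted should be cleaned up.
Get-MgUser -All -Filter "userType eq 'Guest' and externalUserState eq 'PendingAcceptance'" `
    -Property 'userPrincipalName', 'createdDateTime' |
    Select-Object UserPrincipalName, CreatedDateTime
```

The UserPrincipalName with the #EXT# marker is the one you will see when importing the user in Dynamics; the Mail value is what the user actually types at sign-in.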

Creating an App Password for a Azure AD Account using the Office 365 Portal

Most organizations today use Azure AD, and the absolute recommendation is to use MFA in as many scenarios as possible… in some it is not possible, typically a legacy client that only speaks basic authentication. For those there is the option of an app password: a long, randomly generated password that is accepted in place of the real password and bypasses the MFA prompt. Because it bypasses MFA it should only be used in special cases, and you should never create one on an admin account. To create an app password you do the following:

  • Log in to https://portal.office.com
  • In the upper right corner click your profile picture and select “My Account”
  • Go to “Security and Privacy” and click “Create and manage app passwords”

Note: If you do not see the Additional security verification page, you can go directly to https://account.activedirectory.windowsazure.com/AppPasswords.aspx and create the app password there.

  • To create a new app password, click Create. The password is shown only once, so paste it into the client right away. It stays valid until it is deleted, so remove it from the same page as soon as the legacy client no longer needs it.

Links:
https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords
https://community.spiceworks.com/topic/2034065-issues-with-o365-app-passwords

PowerBI breaks Workflow Editor and Report Editor

I am so sorry about the clickbait title… I could not resist.

Today's adventure consists of troubleshooting why Report Editor and Workflow Editor stopped working in our Dynamics 365 for Operations environment. First some history:

This all started in one of our environments where we noticed that Report Designer for Management Reporter (Financial Reports) was not working. After some troubleshooting we called MS Support, and after two days of troubleshooting I got the suggestion to try this in another environment (I am a little annoyed that I did not do this before), and of course it worked there. Well, that did not really provide a lead to the root cause. One day later I got a request to configure Power BI in the environment where it worked, and later that day I tested once again in the “working” environment and lo and behold… it did not work! What the_____? This got me thinking about what could have caused this. I had installed Power BI… could it be… Yes it could.

I remembered that I had read, in the description of the Power BI configuration, that there was a caveat about the Azure AD application registration:

“App ID URI: This value is mandatory, but isn’t required for the workspace integration. Make sure that this App ID URI is a mock URI like https://contosoAX, since using the URL of your deployment can cause sign-in issues in other AAD applications such as the Excel Add-in.”

So I went back to Azure AD and, unfortunately, I had not done this…


I changed this in both environments and… voilà… it worked. The App ID URI is the identifier Azure AD uses to match a requested resource to an application registration, so a registration that claims your deployment's own URL can be matched instead of the intended one when another application, such as the Excel Add-in, requests a token for that URL.
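An added check, not from the original post, that finds the registration behind this: it lists every app registration in the tenant whose App ID URI is your deployment URL and rewrites it to the mock URI the docs recommend. It uses the Microsoft Graph PowerShell SDK; the deployment URL and mock URI are placeholders.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module and
# consent for Application.ReadWrite.All; both URLs below are placeholders.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$deploymentUrl = 'https://contoso-ax.cloudax.dynamics.com'   # placeholder: your D365 URL
$mockUri       = 'https://contosoAX'                          # the form the docs recommend

# Compare without a trailing slash so "https://host/" and "https://host" both count.
$wanted = $deploymentUrl.TrimEnd('/')
$hits = Get-MgApplication -All -Property 'id', 'displayName', 'identifierUris' |
    Where-Object { $_.IdentifierUris | Where-Object { $_.TrimEnd('/') -eq $wanted } }

if (-not $hits) {
    Write-Host "No app registration claims $deploymentUrl as its App ID URI"
}
foreach ($app in $hits) {
    Write-Host "'$($app.DisplayName)' ($($app.Id)) claims $deploymentUrl; replacing with $mockUri"
    # Keep any other identifier URIs the registration has, drop the offending one.
    $fixed = @($app.IdentifierUris | Where-Object { $_.TrimEnd('/') -ne $wanted }) + $mockUri
    Update-MgApplication -ApplicationId $app.Id -IdentifierUris $fixed
}
```

If your tenant rejects a mock host that is not one of its verified domains, the api://<application-id> form is accepted and serves the same purpose: an identifier that no other application will ever request a token for.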

Note: This has been corrected in my original post on Power BI.

Links:
http://blog.johanpersson.nu/?p=2351
https://ax.help.dynamics.com/en/wiki/configuring-powerbi-integration/

Adding users from another AAD tenant to AX7

In AX 2012 and earlier it was a little tricky to add external users. You basically could not, so you had to create an Active Directory account in your own AD and import it as an AX user. You might not want external users in your AD.

This is much easier in AX7 (it should be Dynamics AX, but that is much harder to search for on the internet)… much, much easier. You see, AX 7 does not handle identity at all; it trusts Azure Active Directory for this. The requirement is that the external company uses Azure Active Directory.

Note (added later): If you have set up the AX installation in Azure using LCS, the “default” Azure Active Directory is the one connected to your Azure tenant. Users from that directory are not treated as external users and do not need the modification below.

So, to add an external user to AX you go to System administration – Users and click New to add a new user. The user we want to add in our example is Kalle Kula, who has the email address kalle.kula@innoworks.com.


The only thing missing is the Domain field, where we specify the external Azure AD tenant as https://sts.windows.net/innoworks.com


Save the user, add roles, and we are all set!
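Before typing the issuer into the Domain field, it is worth confirming that the external company's domain really is backed by an Azure AD tenant, which is the requirement stated above. The following added example (not from the original post; Get-AadIssuer is a helper written here) asks the public OpenID configuration endpoint, which answers for a verified domain of any Azure AD tenant and fails for a domain that is not one. The domain is a placeholder.

```powershell
# Added example, not from the original post. The endpoint is public and needs no sign-in;
# the domain passed in is a placeholder.
function Get-AadIssuer {
    param([Parameter(Mandatory)][string]$Domain)
    $url = "https://login.microsoftonline.com/$Domain/.well-known/openid-configuration"
    try {
        $cfg = Invoke-RestMethod -Uri $url -Method Get
    } catch {
        # HTTP 400 (invalid_tenant): no Azure AD tenant has verified this domain,
        # so the company cannot be added as an external AX user this way.
        return $null
    }
    [pscustomobject]@{
        Domain     = $Domain
        Issuer     = $cfg.issuer   # https://sts.windows.net/<tenant-id>/ (v1 issuer)
        TenantId   = ($cfg.issuer -replace '^https://sts\.windows\.net/', '').TrimEnd('/')
        DomainForm = "https://sts.windows.net/$Domain"   # value for the AX user's Domain field
    }
}

$check = Get-AadIssuer -Domain 'innoworks.com'
if ($null -eq $check) {
    Write-Host 'innoworks.com is not an Azure AD tenant domain; cannot add as external user'
} else {
    $check
}
```

The Issuer value is what the tokens AX receives will carry in their iss claim; the DomainForm value is the domain-name spelling the user form expects.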

/Johan