Microsoft Single Sign On - Block access from outside network - single-sign-on

Assuming some web sites allow users to log in via Microsoft Login. Can we enforce that these users will only be able to use this setting from within the Organization network in Intune? If yes, how? (Reference link)
Example: User is logging in to Bitbucket via Microsoft Login. He is unable to access Microsoft Login on his personal laptop. However, if he is using the Organization computer he should be able to access.
I believe this setting can be applied via IP Address? Or maybe there is another option.

Related

Access to AmazonWorkspaces

I am setting up an Amazon Workspace instance, and need to provide the user with a password to log in. The invite email only contains the registration code.
How do I set up a user password to enable the user to log in to Amazon WorkSpaces only (no console access)?
I am creating an AmazonWorkspace from a custom bundle, and adding a user to Simple AD.
Individual workspaces created in Amazon WorkSpaces are assigned to, and used by, individuals who are defined in a Directory.
From Manage Directories for Amazon WorkSpaces:
Amazon WorkSpaces uses a directory to store and manage information for your WorkSpaces and users. You can use one of the following options:
AD Connector — Use your existing on-premises Microsoft Active Directory. Users can sign into their WorkSpaces using their on-premises credentials and access on-premises resources from their WorkSpaces.
Microsoft AD — Create a Microsoft Active Directory hosted on AWS.
Simple AD — Create a directory that is compatible with Microsoft Active Directory, powered by Samba 4, and hosted on AWS.
Cross trust — Create a trust relationship between your Microsoft AD directory and your on-premises domain.
If you have your own Active Directory, then use it. If you do not have Active Directory, the simplest option is to choose Simple AD, which is an Active Directory-compatible Samba service. (Charges apply)
The user is selected when the WorkSpace is created. Amazon WorkSpaces will send a registration code to the end user. The end user then uses an Amazon WorkSpaces client to connect with the service. They provide the Registration Code to configure the client (once only), then log in with their AD credentials.
To set the user password for Amazon WorkSpaces, set the user's password in the WorkMail application for that user. Directory Service manages users for both Amazon WorkSpaces and WorkMail, and the password is shared across both.
The user must exist, but can be disabled. Email address can be anything, in my case users do not use AWS email.
Users defined in IAM are not visible from Amazon WorkSpaces and WorkMail. If a user has console, S3, EC2, etc. access in addition to WorkSpaces, they would need to be defined separately in IAM and in the Directory.

IdentityServer.IdentityManager requires no login

I am using the AspNetIdentity sample from the IdentityServer3 Samples file. When I start up the application the first page shows links for the Identity Server Welcome page and the Identity Manager User admin. When I click on the Identity manager admin link it automatically logs into the server and you can create, update etc any users, roles etc. How can this be modified to require a login? It seems obvious to me that this should not automatically log in and allow this access - am I missing something?
Identity Manager's default security is "Local Host" security. This means the caller/user is considered trusted if that caller is browsing from the same machine that is hosting Identity Manager. This is just the default, other security modes are available. Brock has a good video that explains the other modes.

Access/use roles and custom info from OpenId Connect profile within Dynamics 365 Portal?

I am starting to work with Dynamics 365 Portal add-on (Online, not on-prem), which I've configured to use an external authentication provider in the form of Identity Server with OpenId Connect. The problem with this is that I don't have access to the under-the-hood portal authentication process, there's just a few basic config settings and users can authenticate using the external IdP. I can't access roles, claims, or any custom info that might come back as part of the OpenId Connect user's profile (userinfo object response). I need to get at that data to customize the portal user experience. I've looked through whatever documentation I could find on the portal but can't find anything. Am I missing something or is it just not possible to access that info and customize the portal login process? Since it doesn't seem possible to do anything server-side within the portal because it's Online, can I do anything client-side within the portal to get the OpenID access token and call the UserInfo endpoint with that?
I had a case open with Microsoft and finally got an answer from them: In Dynamics CRM Online with the Online Portal add-on, there is currently no way to access anything coming back from an external identity provider. So for example, if you've configured the portal to use an external identity provider such as Google, Facebook, etc., or like in my case an Identity Server instance with OpenId Connect, you can't access the claims or any other info coming back from the provider.
UPDATE:
I got another response from Microsoft support: they have confirmed their dev teams are working on making this available but don't have an ETA yet. At least it's on their radar.

How to check if Remote API is enabled in your Confluence installation without admin rights

Is there a way to find out if the Remote API is enabled on our Confluence installation if I do not have admin rights to our Confluence?
I can see the WSDL, but while testing with this downloaded client I keep timing out on login. I cannot contact my administrators without going through god knows how many channels, so I'm hoping there's another way to know if the Remote API is enabled.
To check if the Confluence Remote API is enabled without admin access:
Try accessing http://<your-confluence-server>/rpc/xmlrpc
If the API is enabled, you will simply get a blank page.
If the API is disabled, you will get an error "HTTP Status 403 - Remote API is not enabled on this server. Ask a site administrator to enable it."
This is at least applicable in my Confluence 3.2 environment.
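The check described above, as an added PowerShell example that is not part of the original answer: it fetches `/rpc/xmlrpc` and classifies the reply by the same rule (blank 200 means enabled, 403 with the "Remote API is not enabled" text means disabled), and reports timeouts and connection failures separately instead of confusing them with a disabled API. The base URL `https://confluence.example.org` is a placeholder.

```powershell
# Added example (not from the original post): probe a Confluence server's
# Remote API state without admin rights. Assumes the Confluence 3.x behaviour
# described in the answer above.
function Test-ConfluenceRemoteApi {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,   # e.g. https://confluence.example.org (placeholder)
        [int]$TimeoutMs = 10000
    )
    $url = $BaseUrl.TrimEnd('/') + '/rpc/xmlrpc'
    # System.Net.WebRequest is used (rather than Invoke-WebRequest) because it
    # raises a WebException with the 403 response attached on both Windows
    # PowerShell 5.1 and PowerShell 7, so the error body can be inspected.
    $req = [System.Net.WebRequest]::Create($url)
    $req.Method  = 'GET'
    $req.Timeout = $TimeoutMs
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx replies still carry a response; timeouts and refused
        # connections do not, and must not be reported as "disabled".
        $resp = $_.Exception.Response
        if (-not $resp) {
            return [pscustomobject]@{ Url = $url; State = 'unreachable'; Status = $null; Detail = $_.Exception.Message }
        }
    }
    $status = [int]$resp.StatusCode
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body   = $reader.ReadToEnd()
    $reader.Close(); $resp.Close()

    if ($status -eq 403 -and $body -match 'Remote API is not enabled') {
        $state = 'disabled'
    } elseif ($status -eq 200 -and [string]::IsNullOrWhiteSpace($body)) {
        $state = 'enabled'
    } else {
        # Anything else (login page, 404, proxy error) is not covered by the
        # rule above, so do not guess.
        $state = 'unknown'
    }
    [pscustomobject]@{ Url = $url; State = $state; Status = $status; Detail = $body.Trim() }
}

# Usage (placeholder host):
Test-ConfluenceRemoteApi -BaseUrl 'https://confluence.example.org' | Format-List
```

A non-blank 200 (for example a login page returned by an SSO proxy in front of Confluence) is deliberately reported as `unknown`, since the original rule only covers a blank page or the 403 message.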

Is it possible to restrict windows authenticated users in an ASPNet app to specific domains?

I'm in the process of pulling a classic ASP app into Mvc2. I'll be deploying to an intranet and have been asked to enable support for Windows Authentication. The network I'll be deploying to has a few AD Domains and I'll only need to integrate with one in particular. Is it possible to use Windows Authentication and only allow authentication within a particular domain?
Along those same lines, it's not uncommon for a user to have an account in multiple domains (the account names themselves are typically different) - in the event a user logs in with an "unsupported" domain I'd like to kick them to a login form. Is this possible simply using Windows Auth or am I better off looking for an alternative?
Pro Tip:
Whatever you do don't implement Windows Authentication via IIS. Have a Forms Authentication page in your MVC app but use the LDAP authentication provider. This way you avoid the differences between how browsers implement Windows Authentication (only works well in IE and that's not a great reason).
The question "Is it possible to use Windows Authentication and only allow authentication within a particular domain?" has always had one and only one answer in my consulting experience: the answer is the permissions that you set for authenticated resources.
I've rarely found a deployment where there isn't some file, folder, server, COM+ object, SQL Role or database table that can't be "locked down" to only allow access by the subset of users you're targeting (e.g. "DOMAIN\Domain Users"):
Set permissions on the ASPX files (or the folder containing them, along with inheriting to the files) that are the "front door" (and optionally, all the others) so that they're only accessible to users in the "Domain Users" group for the allowed domain
restrict logon rights on the server that hosts the web site, so that only the Domain Users group have the appropriate rights - depending on the authentication provider used, this could be "allow logon locally" or "access this computer from the network"
set permissions at some layer of Component Services
restrict the SQL Server roles so that only "Domain Users" have the ability to read & execute the necessary database objects
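The first item in the list above (NTFS permissions on the site's "front door" files) as an added PowerShell example that is not part of the original answer. It breaks inheritance on the web application folder and leaves read access only to the allowed domain's "Domain Users" group plus the identities the server itself needs; the path `C:\inetpub\wwwroot\MyMvcApp`, the domain name `ALLOWED` and the application pool identity `IIS AppPool\MyMvcApp` are assumed placeholders.

```powershell
# Added example (not from the original answer): restrict a web app folder so
# only ALLOWED\Domain Users can read it. Placeholders: $SitePath, $AllowedDomain,
# $AppPoolId. Run as an administrator on the web server.
param(
    [string]$SitePath      = 'C:\inetpub\wwwroot\MyMvcApp',
    [string]$AllowedDomain = 'ALLOWED',
    [string]$AppPoolId     = 'IIS AppPool\MyMvcApp'
)

$acl = Get-Acl -Path $SitePath
# Stop inheriting from the parent (e.g. BUILTIN\Users read rights coming down
# from wwwroot) and discard the inherited entries rather than copying them.
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit entries that remain so the folder ends up with only the
# rules added below.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
function New-AllowRule([string]$Identity, [string]$Rights) {
    # Rule applies to the folder and everything created beneath it.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $none, 'Allow'
}

# Administrators and SYSTEM keep full control so the server stays manageable.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
# The application pool identity must still read the content or IIS cannot
# serve the site at all.
$acl.AddAccessRule((New-AllowRule $AppPoolId 'ReadAndExecute'))
# Only the allowed domain's users; authenticated accounts from any other
# domain are denied by the file authorization check.
$acl.AddAccessRule((New-AllowRule "$AllowedDomain\Domain Users" 'ReadAndExecute'))

Set-Acl -Path $SitePath -AclObject $acl

# Verify: every remaining entry should be one of the four identities above.
(Get-Acl -Path $SitePath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The group name only resolves if the web server is a member of, or trusts, the allowed domain; if `Set-Acl` reports an unresolved identity, that trust is the first thing to check.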