Retrieving Azure AD Invitation Redemption URL after-the-fact - powershell

We have a PowerShell script that creates some guest users using the New-AzureADMSInvitation cmdlet, and its return value has a handy-dandy InviteRedeemUrl property that we include in a nice welcome email to the user to get them started with setting their account up and using our application. This works fine when inviting individual or small numbers of users.
However, we'll need to do this for many users, and carefully control when the emails go out, and I can't see any other way of retrieving this URL after-the-fact... the only option seems to be the "Resend invitation" button on the guest user in AD, which sends a Microsoft-branded email from "Microsoft Invitations" with the redeem URL, which is kind of a problem... For marketing reasons we need to put the invite redeem URL in our own welcome email, so we don't want Microsoft sending out those emails.
Is there any way to retrieve or calculate that invitation URL after the guest user has already been invited? I know I could delete and recreate the invitation itself, but that's still a manual process and I'd like to be able to create guest users in bulk first, and then retrieve those URLs in bulk once we're ready to send out emails. Especially since Azure AD itself seems to be able to fetch the redeem URLs later on via the "Resend invitation" button.

Alternatively, you can think of adding your company branding to the verification and invitation mails in Azure AD.
Here is something similar you can find:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs#how-do-i-customize-verification-emails-the-content-and-the-from-field-sent-by-azure-ad-b2c
Basically you need to change the company branding in Azure Active Directory to have your custom logo and text.
Hope it helps.

We ended up modifying the AD invitation script to store the InviteRedeemUrl value in our CRM as a field on the customer record. Then later on when our Marketing team wants to start their email campaigns, they could include a reference to this field in the email template just like they would any other field. This way, we got all our analytics on click/open rates and retained complete control over the emails, including where each batch was being sent from (so customers could reply to the correct support staff member for their segment).
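The bulk approach described above, as an added example that is not the poster's script: invite guests in a loop with New-AzureADMSInvitation, suppress the Microsoft-branded email, and keep each InviteRedeemUrl in a CSV that the CRM import (or any later mail-merge) can pick up. It assumes Connect-AzureAD has already been run and that the input CSV has Email and DisplayName columns; file names and the redirect URL are placeholders.

```powershell
# Added example (not the question's original script): bulk-invite guests and
# keep each InviteRedeemUrl for a later, self-branded welcome email.
# Assumes: Connect-AzureAD already run; constructed input CSV with columns
# Email,DisplayName. File names and the redirect URL are placeholders.

param(
    [string]$InputCsv    = '.\guests-to-invite.csv',
    [string]$OutputCsv   = '.\guest-redeem-urls.csv',
    [string]$RedirectUrl = 'https://app.example.com/welcome'   # placeholder
)

$results = foreach ($row in Import-Csv -Path $InputCsv) {
    try {
        # SendInvitationMessage $false is what stops the "Microsoft Invitations"
        # email; the redeem URL is still returned on the result object.
        $inv = New-AzureADMSInvitation `
            -InvitedUserEmailAddress $row.Email `
            -InvitedUserDisplayName  $row.DisplayName `
            -InviteRedirectUrl       $RedirectUrl `
            -SendInvitationMessage   $false

        [pscustomobject]@{
            Email           = $row.Email
            ObjectId        = $inv.InvitedUser.Id
            InviteRedeemUrl = $inv.InviteRedeemUrl
            Status          = $inv.Status
            Error           = ''
        }
    }
    catch {
        # Record the failure rather than aborting, so the rest of the batch still runs.
        [pscustomobject]@{
            Email = $row.Email; ObjectId = ''; InviteRedeemUrl = ''; Status = 'Failed'
            Error = $_.Exception.Message
        }
    }
}

# Whoever holds a redeem URL can claim that guest account, so treat this file
# like a credential store: restrict who can read it and delete it once the
# values are in the CRM field.
$results | Export-Csv -Path $OutputCsv -NoTypeInformation
$results | Format-Table Email, Status, Error -AutoSize
```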

Related

Sending email via MSGraph and ApplicationAccessPolicy

I need to create an application that sends emails by MS Graph, but I also need to somehow restrict it to a few mailboxes that will be sending email (e.g. avoid sending mail as the CEO). Before, I used just System.Net.Mail, and because basic authentication is now deprecated I must find a new way of sending mails.
So I registered a new application in AAD and added the API permission for MS Graph Mail.Send (application type). Now I want to add a restriction for that Graph API (I want to limit who can send a message from this API).
I found that I must use New-ApplicationAccessPolicy cmdlet, but before that I created Mail-enabled security group.
Then via PowerShell I added a new policy:
New-ApplicationAccessPolicy -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7" -PolicyScopeGroupId "SMTPOAuth2SecurityGroup#consto.onmicrosoft.com" -AccessRight RestrictAccess -Description "SMTP OAuth2 Connector"
Then I added two accounts, AlexW and DiegoS - both are from the Microsoft 365 Developer Program, so neither was modified by me in any way:
Test-ApplicationAccessPolicy -Identity "AlexW#consto.onmicrosoft.com" -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7"
AppId : 9e48a326-a952-42ca-882f-ff1eec699ba7
Mailbox : AlexW
AccessCheckResult : Granted
Test-ApplicationAccessPolicy -Identity "DiegoS#consto.onmicrosoft.com" -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7"
AppId : 9e48a326-a952-42ca-882f-ff1eec699ba7
Mailbox : DiegoS
AccessCheckResult : Granted
But now I test my application. AlexW can send mail, but for DiegoS (or a random person) I get an error:
DiegoS#consto.onmicrosoft.com:Code: ErrorAccessDenied Message: Access to OData is disabled. ClientRequestId: 909c72f7-02b7-4697-afd5-3d65a58d47a5
I tried removing and adding it again, waited some time, and still have the same problem.
According to your description, I captured these key words: use Graph API to send email, allow specific users to send email, API permission with application type. Then let's see the necessary parameters to send an email: sender, content, receiver.
Per my understanding, since you used application type permission, you want to use the client credential flow to generate an access token and call the Graph API to send the email, so you have to create an Azure AD application (done), then you need to specify the sender (set a restriction so that only AlexW and DiegoS can do it). Receivers and content are based on the requirement so we don't need to take them into consideration.
Here's a code snippet to send email via MS Graph API. The only point we need to consider is how to set the sender user principal now.
Then here are 2 scenarios. Do you need to ask users to sign in first before they can send email? Or is what you created just an API, so that you only need to receive a parameter (e.g. the parameter is the user principal used to send email) and then use it to send email?
If you want to integrate the authentication, then you can restrict users from accessing your app; Azure AD already provides the feature to allow specific users to sign in, and the ones who are allowed to sign in can send email. Since they already signed in, we can certainly get the user principal.
If you just want to provide a web API, then you may store the users who are allowed to access your API in the database so that you can check if the incoming request is legal...
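The client-credential sendMail flow discussed above, as an added PowerShell example (not the answer's own snippet). It takes the sender mailbox as a parameter, checks the application access policy for that mailbox first, then calls Graph; a mailbox outside the RestrictAccess group is what surfaces as ErrorAccessDenied. It assumes Exchange Online PowerShell is connected (for Test-ApplicationAccessPolicy) and that the client secret is supplied at runtime; the recipient address is a placeholder and the tenant and app id are the ones quoted in the question.

```powershell
# Added example (not from the answer): send mail via Microsoft Graph with the
# client-credentials flow and the Mail.Send (application) permission, with a
# policy pre-check so a denied mailbox is reported before the Graph call.
# Assumes: Exchange Online PowerShell connected; secret passed at runtime.
# Tenant and app id are the values from the question; addresses are placeholders.

param(
    [string]$TenantId  = 'consto.onmicrosoft.com',
    [string]$AppId     = '9e48a326-a952-42ca-882f-ff1eec699ba7',
    [string]$Sender    = 'AlexW@consto.onmicrosoft.com',
    [string]$Recipient = 'someone@example.com',
    [Parameter(Mandatory)][string]$ClientSecret
)

# 1. Policy pre-check: mirrors what Exchange enforces when Graph sends as $Sender.
$check = Test-ApplicationAccessPolicy -Identity $Sender -AppId $AppId
if ($check.AccessCheckResult -ne 'Granted') {
    throw "Policy denies $AppId for mailbox $Sender ($($check.AccessCheckResult))"
}

# 2. Client-credentials token; .default means "the app permissions already granted".
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $AppId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }).access_token

# 3. Send as the chosen mailbox; the access policy decides whether this is allowed.
$body = @{
    message = @{
        subject      = 'Connector test'
        body         = @{ contentType = 'Text'; content = 'Sent via Graph sendMail.' }
        toRecipients = @(@{ emailAddress = @{ address = $Recipient } })
    }
    saveToSentItems = $false
} | ConvertTo-Json -Depth 6

try {
    Invoke-RestMethod -Method Post `
        -Uri "https://graph.microsoft.com/v1.0/users/$Sender/sendMail" `
        -Headers @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' } `
        -Body $body
    "Sent as $Sender"
}
catch {
    # ErrorAccessDenied here means the mailbox is blocked by the application access
    # policy (or a change to it has not propagated yet), not that the token is bad.
    throw "sendMail as $Sender failed: $($_.ErrorDetails.Message)"
}
```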

Automating SharePoint Online access for External Users through Flow/Azure

I'm quite new to SharePoint/Azure/PowerShell, so apologies if what I'm asking is a stupid question!
We currently have client SharePoint sites hosted on our O365 tenant, with access to each site to be rolled out to each of our respective clients shortly. Initially, only the senior management of each client will have access to the sites; however, as time goes on it's likely we'll be adding everyone else too. To streamline the new user process and save us from having to add each individual staff member, we've been considering using a Flow to automate user access instead, with the goal of adding authenticated external users without much real input from administrators other than a simple approval/rejection process.
The overall plan is as follows:
Visio Outline
1. Each Client site has a SharePoint Custom List, titled "Employee Access List". Said list will have the following columns: Request ID (Text), First Name (Text), Last Name (Text), Job Title (Text), Company (Text), Contact Number (Text), E-Mail (Text), SharePoint Access (Yes/No Boolean).
2. If a member of staff requires access to the SharePoint site, then their respective manager will add the staff member to the list and fill in all the above fields, setting the "SharePoint Access" item value to "Yes".
3. This will trigger the flow and an approval email to be sent to myself and another administrator, with said email detailing the user to be created, and who has submitted the request.
4. Script insertion somehow - This would then run if the request was approved, and set the user up with access.
5. Email notification is automatically then sent to the creator of the SharePoint list item, notifying them that the user now has access.
Step 4 is where I'm a little stuck in regards to what to do if the request is approved - I've written a little PowerShell script below which nearly achieves what I'm going for, in that it creates an external user PnP Group and PnP Role Definition (If there isn't one already), pulls what's in the "E-mail" fields on the "Employee Access" list and runs Add-PnPUsertoGroup to pull the users to the PnP group, which then sends the users an email with a link to the SharePoint site, allowing them to access it. However:
The script I've written targets everyone on the SharePoint List, whereas ideally I would just want the script to target the sole user that's been newly added to the list/is listed in the approval email, and only them. I'm assuming that I'd have to pipe information from the Flow into a script, which I'm not even sure is possible, and if it is, I haven't got a clue how to do it.
I know that Azure Functions and Azure Automation can be used to insert scripts into Flows, but I don't have experience of either so I'm not sure which is the more suitable option. Is there any guidance on how to insert PowerShell scripts with them, and how to pipe what's in a flow into said scripts?
PowerShell Script as follows:
Hope this all makes sense - Any guidance would be appreciated.
Thank you!
EDIT:
Just as a bit of extra information, here is the Flow as it currently is:
Flow Part 1
Flow Part 2
Flow Part 3
Have since found an answer to the above - whilst Azure Functions/Automation are an option, you don't necessarily need them or PowerShell scripts running from Flow; in this case my goal scenario was achieved using the MS Graph Invitation API, App Permissions and an HTTP SharePoint call instead.
See attached screenshots:
Flow Answer 1
Flow Answer 2
Flow Answer 3
Step 1: Set up an App with permissions to make calls to MS Graph - use this guide for help on how to do so - http://blogopaxio.azurewebsites.net/accessing-graph-api-from-microsoft-flow-using-application-permissions-2/
Step 2: Add HTTP to MS Graph and set parameters as in screenshot 1 of this post - this action will create guest user and invitation URL the user would need to sign in to the site.
Step 3: At this point, run the flow so that we can get the 'inviteRedeemURL' from the body of the Output for the HTTP step - you will need this particular URL to send separately in your email to the end user.
Step 4: Throw in a pause for a minute or 2 just to make sure that the information from the previous actions 'sticks' - provided it all works, at this point, the user will actually have their guest account created and you'll be able to see them under Users in your O365 admin centre, however they won't be aware of their account access yet (We'll notify them of this in our email at the end).
Step 5: Add the user to SharePoint security group with a "Send HTTP Request to SharePoint" action. Please note that the "sitegroups(19)" in the URI of this action refers to the ID number of the PnP group you're putting them in, so in my case the group ID was 19. If you're unsure of the ID of your group, connect to your SharePoint Site through PowerShell with PnP commands, then run Get-PnPGroup.
Step 6: Send the email to the invited user with the Outlook Send Email action - FYI -the "SharePoint Site" variable in my screenshot is actually the "inviteRedeemURL".
Hope this helps anyone else that's unsure of how to do this. If anyone has a better solution that achieves this by all means post it!
Thanks!
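Steps 2 to 5 of the answer above, done from PowerShell as an added example (not the poster's Flow), so the same sequence can be tested without Flow: create the guest through the Graph invitations API with the Microsoft email suppressed, read inviteRedeemUrl, resolve the guest's UPN, and add them to the site group the Flow addresses as sitegroups(19). It assumes $GraphToken is an app-only Graph token with User.Invite.All and User.Read.All, that Connect-PnPOnline to the client site has been run, and that the PnP module provides Add-PnPUserToGroup (the cmdlet the question already uses); addresses, site URL and group id are placeholders.

```powershell
# Added example (not the poster's Flow): steps 2-5 of the answer from PowerShell.
# Assumes: $GraphToken is app-only with User.Invite.All + User.Read.All;
# Connect-PnPOnline already run against the client site. Values are placeholders.

param(
    [Parameter(Mandatory)][string]$GraphToken,
    [string]$GuestEmail  = 'new.employee@client.example.com',
    [string]$GuestName   = 'New Employee',
    [string]$SiteUrl     = 'https://contoso.sharepoint.com/sites/ClientA',
    [int]$SiteGroupId    = 19
)
$headers = @{ Authorization = "Bearer $GraphToken"; 'Content-Type' = 'application/json' }

# Step 2: POST /invitations. sendInvitationMessage=false keeps the Microsoft
# email from going out; inviteRedirectUrl is where the redeem link lands.
$invite = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/invitations' `
    -Body (@{
        invitedUserEmailAddress = $GuestEmail
        invitedUserDisplayName  = $GuestName
        inviteRedirectUrl       = $SiteUrl
        sendInvitationMessage   = $false
    } | ConvertTo-Json)

# Step 3: this is the value the Flow reads from the HTTP action's output body.
$redeemUrl = $invite.inviteRedeemUrl

# Step 4: give the directory a moment so the new guest object is visible.
Start-Sleep -Seconds 90

# Resolve the guest's UPN (the #EXT# form) to build the SharePoint login name.
$guest = Invoke-RestMethod -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/users/$($invite.invitedUser.id)?`$select=userPrincipalName"
$loginName = "i:0#.f|membership|$($guest.userPrincipalName)"

# Step 5: same effect as POST .../sitegroups(19)/users in the Flow, via PnP.
Add-PnPUserToGroup -LoginName $loginName -Identity $SiteGroupId

# Step 6 is your own email; only the redeem URL needs to reach the user, and it
# is the only thing that lets someone claim the account, so send it to them alone.
[pscustomobject]@{ Guest = $GuestEmail; LoginName = $loginName; InviteRedeemUrl = $redeemUrl }
```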

Sending Emails from different accounts with Google App Script

I have generated the code with Apps Script in order to send emails automatically if users change some values in a Google spreadsheet, which is working fine.
Now I am sharing my Google spreadsheet with the Apps Script with two more people (e.g. PersonA, PersonB). Thus, I want whoever changes anything on the Google spreadsheet to send an email under his/her own account. E.g. [all of us need to edit within the Google spreadsheet itself, without going to the "current web app url" (thanks Cameron Roberts for the clarification)]: if PersonA changes anything, then an email will be sent out under PersonA's account, and an email will be sent out under PersonB's account if PersonB changes anything.
I did something based on the advice from user2970721 and Cameron Roberts. I adjusted "Deploy web App" as "User accessing the web app". e.g:
I also asked PersonA & PersonB to do the same under their accounts and made sure they have triggered the script at least once. e.g:
My issue is that after I have done all these mentioned above, no matter who changes anything on google spreadsheet, emails were always sent out from PersonB's account (my best guess is that I messed up something and PersonB was the last one who triggered the script).
Does the "Project version" need to be different for me, PersonA, and PersonB, or anything else I need to change? Any help would be greatly appreciated!
First, your project versions do not need to be different for each user.
I'm assuming you are using the On Change event, rather than a web-app. If that's the case, you should disable the WebApp entirely, as it's not needed.
When PersonA creates an On Change trigger, that will be triggered any time any user (e.g. PersonA or PersonB) edits the spreadsheet. When it is triggered the code will execute as PersonA, because PersonA created the trigger. As a result, the email will be sent from PersonA's account.
For the scenario you describe, where both PersonA and PersonB have created OnChange triggers and authorised the script, I would expect emails to be sent from both accounts that have created triggers.
To send only one email, from the account that did the edit, I think you would need to do a check to determine if the user who did the edit matches the user under whose authority the script is running. I've never done this before and the docs don't really make it clear if it's possible.
Try checking the User object (Eg e.user) included with the Change event, and see if that email address is reflecting the different users making the edits.
If it is, you can compare it with the effective user and send the email if they match.
https://developers.google.com/apps-script/reference/base/user
https://developers.google.com/apps-script/reference/base/session#getEffectiveUser()
Finally, it might be simpler to just include the address of the person making the edit in your email subject, and just have all the emails send from one account. That way you know who made the edit, but don't need to have every user create a trigger and do all the extra checking.

Facebook test users and auth

I have a project where I am using Selenium to test the Facebook auth. I created a Facebook app, created a test user inside this app and created some tests using Facebook login. Until now, it was working. But during the last two weeks something changed in Facebook and my tests are failing. It is due to interface changes in the permissions dialog (I am targeting the button by its id). The second problem is that I don't get the email address from the Facebook test user but a proxy email which is longer than 75 characters (my db field length is hardcoded in the framework I am using).
If I log in as a regular user, it is working correctly and I get this permission box:
But when I log in as the test user I created (via 'switch to' in app's developer roles), I get this box:
I tested it ~2 weeks ago and it was still working then. Today it has changed. So my questions:
How to get back the old permissions box for test users?
How can I get the real email address and not the proxy?
Thanks!
I experienced the same problem with the Auth Dialog. I tried it with some old and new apps with various settings including March/Apr. 2013 Breaking Changes enabled/disabled, but it didn't help.
However, I guess I can help you with the email problem. When you log in as a test user and go to the account settings page, you will see the test user's primary email address. By default this should be a really long one like the image I attached.
Facebook Platform returns this primary email address. If you pass the Auth Dialog with your test user account and see the privacy settings page, you will find the default primary email address is shared with the app. You have to provide a new email address for the test user and set the new one as the primary email address via the account settings page.
Why is the Login Dialog different with a test user?
With your test user, you can see the future of login dialogs. In fact, this isn't "not working" but an update which was unveiled in December 2012. Let me quote:
Our Login dialogs have undergone a redesign to make it easier to understand permissions that apps request. We've simplified presentation and have also updated our language for greater clarity. "Basic info" has been renamed to "public profile and friend list," to reflect what is being shared. Apps accessing your public profile get your name, profile picture, age range, gender, language, country and other public information.
Source: Providing People Greater Clarity and Control, developers.facebook.com/blog
The reason why you don't see this update with a regular user is that Facebook doesn't update everyone at the same time. They partially launch updates depending on the country, the type of account or some other parameters I'm not aware of.
Example of a partial update (unified_message FQL table) dedicated to developer accounts:
We are providing early access to this API for registered developer accounts only until the new messaging system is broadly available. You should use the message table for production applications at the current time.
In our case, we now know that test users can access to the update, but it is also said:
We have already launched many of these improvements as part of our iOS6 integration and are now rolling them out more broadly.
About proxy emails
In fact, proxy emails are a way for any user to keep their real email anonymous. You have to consider proxy emails.
When joining an app, the user can choose between a real email and a proxy email:
Another thing you need to expect is users who didn't validate their account when connecting to your app, a case which is possible as described here and here.
Then, why do test users give back a proxy email? Because test users (being bots and having fake emails) didn't validate their emails.
You see that in at least 3 cases (and finally, test users are a good example), you need to handle these proxy emails. They are incidentally or accidentally met by developers and they can't be neglected. For your case, you can still try to disallow test users who have a proxy email from accessing your app. But you should accept them and shouldn't force them to share their original e-mail addresses. A better solution is that you validate the test users' emails:
Connect to the test user account that gives a proxy email
Add an email address (password needed here),
Go to the email mailbox and click on the validation link,
Set the new email address as primary,
The test user should now give his original email and not a proxy anymore!

Facebook-Like without users logged in?

In my physical store, I have a few tablets available which I use to obtain shoppers' email addresses. I'll leave them up on a simple web page where they just enter their email address to join my company's email mailing list.
I would like to add the ability for these individuals to also 'Like' my company on Facebook without actually logging into Facebook. My thoughts are that they will not want to log into Facebook via a shared machine due to security concerns and also the added time to log on will deter them from even adding their email address to begin with.
Here is what I am thinking... I was hoping to send the 'Like' update to their account based on the email address that they provided without actually logging on. Can this be achieved?
Thanks for your time.
No, the user must be logged in to send requests to Facebook on their behalf.