I'm trying to find a way to import Azure AD users to Dynamics 365 Finance & Operations (D365FO).
It is possible to get all system users using this endpoint (like using Postman):
/data/SystemUsers
However, not sure how the new user could be imported from Azure AD. If I go to D365FO UI I can do this using System administration -> Users -> Import users and there is an option to add users from AAD. Is there a way to do the same using API? Looking through the web was not very helpful so far.
So here is the answer if someone is looking for the same - it is not possible.
If you work with SystemUsers using API - you can only select D365FO users.
At the same time there is 'AccountType' attribute which tells D365 F&O what account type is it.
It can be Claims User, Claims Group, AD User or AD Group. Types starting with 'Claims' are pointing to Azure objects while AD are pointing to AD.
So when you create a new user and selecr 'ClaimsUser' as account type - D365F&O would know that this is Azure user and would do mapping.
That sounds a bit 'magical', however this is how it works.
Related
I want to give GSAs direct access to modify Google users. I can't find current docs on this so assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
create an admin a G Suite user
create a GSA with domain wide auth with these scopes
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
Impersonate the G Suite user with the GSA and modify user attributes like this:
service = create_directory_service("G SUITE USER")
service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turning on the Admin SDK API (which allows the service account to provision/manage the users), and authorizing it.
The Service Account created can be used then to provision/manage the G-Suite users, here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes it is possible to manage users too, by using Service Accounts, not just groups.
I am creating a flask app to be used internally in my company. I would like to restrict what a user can do it based on its login ID. I read a lot about using LDAP3 but I don't think I can do what want which send the login ID to the server. There I would have a table which will register which part of the system has the permition to edit. If it try to change somenthing not permited the app will retrieve a warning message.
I won't to do that to avoid having to create a separate login functionality just for this app. I read that I should use AD authentication but I am not very familiarized with that and I would also like to avoid having to ask our IT department to create user groups there for each part of my system.
I know that I can do that using ASP .NET (at least I did once).
Any guidance will be apreciated.
I think you are looking for Role-based Authorization.
In order to use this functionality you will need to implement roles on your model file per the Data-models documentation.
This will allow you to assign users a role when they are created, and you can use a decorator on your routes to 'require' the user to have the role you want them to have before they access the endpoint.
I'm trying to create an App which has a log in page where user should be authenticated using azure AD. Basically the App has a log in form where user puts his id and password from ad and django should check with ad and allow him in or not. Later on ofc would like to add permission depending on AD group.
So far I searched a lot on the internet and found nothing. Could you guys help with some example or link to documentation what I could use.
First of all, I'd like to suggest that you don't do that.
What you are asking for is ROPC flow: https://joonasw.net/view/ropc-grant-flow-in-azure-ad.
Usage of this flow is not recommended unless this is for migrating a legacy application (which is the original purpose of ROPC).
It also won't work if the user has MFA, an expired password etc.
There is usually no reason why you'd want to handle user passwords when using a federated identity provider.
We're trying to embed a GDS private report in our customer portal and we hope to filter the data using the email of the person connected to our customer portal . some of our users are no google users (they dont have an account gmail) and they're connected to this portal with an email and password form of authentification.
Our data is stored in Google Storage and we use Bigquery for querying and we use BQ connector to connect BQ and Google Data Studio.
There is any solution to do this ? parameters in GDS report URL ? Through API?
Any help will be appreciated.
Taoufiq.
The documentation states that the only sharing options are: a) Making the report public, or b) Have the user authenticate with a google account. Unfortunately, it neither has an API, nor support for parameters through URL yet.
This is possible to do using Community Connectors and some minor development work in your portal. You will need to pass a short lived unique token as a parameter for the embedded report and then have an API or some other way to tie that token to a user identity. This solution guide has instructions for this specific use case.
As described in the marketing API, I have registered an app got my app key and and id, generated a token with ads permissions, list pages permission as well. The app is not yet submitted for approval.
When I try to get the list of ad accountsz linked to 'me' it returns the array of all ad accounts.
But when I select any of the business accounts (other than my personal Facebook account) and try to retrieve the ads insights API throws exception saying:
but when I try to get the insights, using the python SDK, I get the same error, ex: (#273) This Ads API call requires the user to be admin of the ad account. User is not admin on ad account .
What is surprising is when I use the similar sample page from Facebook-Developers to get insights, it is able to retrieve the ads data for the same account, with my own login itself.
Why would my app be unable to do so?
Is there any such limitation for apps not reviewed?
Update: I seem to have admin access to the ad account as well. Here are some screenshots. (Unless its my dumb day I think something else is going on, but its my fist time with an API like this, so I cant be sure!;) )
Screenshots: GraphAPI Explrer with API call, App Settings, AdAccount Settings
Based on the discussion on question and experience I now have:
API user needs to be an admin of the ad account and of the app if you
wish to use the API.
The ad account needs to be specifically added to the app, in app settings. In developer access an app can only have access to a maximum of 5 ad accounts.
Error messages in Facebook API are misleading more often than not. Fix anything marked in yellow or red anywhere in the portal, to be
sure.
Do read about limits of every API before you use it, all API have different limits and your application design needs to take those into account.
As for the question, yes the issue was the text in red, as pointed out by #CBroe, although the error message was off by a mile and issue occurred only when using our own app.