How to get Azure QR Code?

If you want to re-register for Azure multi-factor authentication and use the Authenticator app on a new or existing phone, follow these steps:

Log in to the Azure Portal -> Active Directory -> Your user account -> Profile

Click on Authentication methods link.

Click on Access Panel Profile link. This will take you to your profile page.

Click on Additional security verification link.

Select this option to view the QR code:

You are ready to restore your credentials.

Resources:

https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-setup-auth-app

Connect your organization to Azure Active Directory

If your organization was created with a Microsoft account, connect your organization to your Azure AD. Sign in to Azure DevOps Services with the same username and password that you use with your Microsoft services. Enforce policies for accessing your team's critical resources and key assets.

There's no downtime during this change, but users are affected. Let them know before you begin.

Sign in to your organization at https://dev.azure.com/{yourorganization}

Select Organization settings -> Users.

Compare the Azure DevOps email list with your Azure AD email list. Create an Azure AD email address entry for every user who is in the Azure DevOps organization but not in Azure AD.

Connect organization to Azure AD by selecting Azure Active Directory.

Click on Connect directory:

2 out of 6 members do not exist in Azure AD. They are guest developers using their Hotmail/Gmail accounts. If we want to allow them to use Azure DevOps, we need to create their accounts as Guests in Azure AD.

Sign out of Azure DevOps.

Sign in with your Azure AD account. If you click on Organization Settings -> Azure Active Directory, you will see this page:

Clicking on Download will download your organization info, Azure DevOps info, the owner of the Azure DevOps environment, and any errors in the connection. This confirms that Azure DevOps is connected with Azure AD.

Make adam@{yourorganization}.onmicrosoft.com a member of "Project Collection Administrators". This role can perform all kinds of operations.

Test your access on Azure DevOps and Visual Studio. You will be asked to enter your credentials and to approve the sign-in in Microsoft Authenticator.
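The comparison in the step above (every Azure DevOps member must either exist in Azure AD or be created as a Guest) is easy to get wrong by hand when the lists are long or differ only in letter case. The script below is an added example, not part of the original post or of Azure DevOps itself: it reconciles a constructed Azure DevOps member list against a constructed Azure AD user list and reports who is present, who needs a normal member account in the tenant, and who is an external developer needing a Guest account. The tenant domains fooinc.onmicrosoft.com and fooinc.com and all e-mail addresses are assumptions.

```python
# Added example (not from the original post): reconcile the member list of an
# Azure DevOps organization against the user list of the Azure AD tenant before
# connecting the organization, so every member either exists in the tenant or is
# flagged for a Guest account. All addresses below are constructed sample data;
# the tenant domains are an assumption.
from dataclasses import dataclass, field

# Assumption: the verified domains of the Azure AD tenant you are connecting to.
TENANT_DOMAINS = {"fooinc.onmicrosoft.com", "fooinc.com"}

# Constructed sample: what "Organization settings -> Users" lists in Azure DevOps.
DEVOPS_MEMBERS = [
    "adam@fooinc.onmicrosoft.com",
    "Brenda@fooinc.com",                 # different letter case than in Azure AD
    "carl@fooinc.com",
    "dana@fooinc.onmicrosoft.com",
    "guest.dev1@hotmail.com",            # external developer
    "guest.dev2@gmail.com",              # external developer
]

# Constructed sample: user principal names exported from Azure AD.
AAD_USERS = [
    "adam@fooinc.onmicrosoft.com",
    "brenda@fooinc.com",
    "carl@fooinc.com",
    "dana@fooinc.onmicrosoft.com",
    "erin@fooinc.com",                   # in the tenant but not a DevOps member
]


@dataclass
class Reconciliation:
    present: list = field(default_factory=list)          # already in Azure AD
    missing_members: list = field(default_factory=list)  # tenant domain: create a member user
    missing_guests: list = field(default_factory=list)   # external domain: create a Guest user
    invalid: list = field(default_factory=list)          # not an e-mail address at all


def normalize(address):
    """Lower-case and trim so 'Brenda@fooinc.com' matches 'brenda@fooinc.com'."""
    return address.strip().lower()


def reconcile(devops_members, aad_users, tenant_domains):
    """Classify each Azure DevOps member by what is needed before the tenant connection."""
    known = {normalize(u) for u in aad_users}
    tenant = {d.lower() for d in tenant_domains}
    result = Reconciliation()
    for raw in devops_members:
        addr = normalize(raw)
        if addr.count("@") != 1 or not addr.split("@")[1]:
            result.invalid.append(raw)
            continue
        if addr in known:
            result.present.append(addr)
        elif addr.split("@")[1] in tenant:
            result.missing_members.append(addr)
        else:
            result.missing_guests.append(addr)
    return result


def summary(rec, total):
    """One-line status in the same shape as the portal's 'N out of M members' message."""
    missing = len(rec.missing_members) + len(rec.missing_guests)
    return f"{missing} out of {total} members do not exist in Azure AD"


if __name__ == "__main__":
    rec = reconcile(DEVOPS_MEMBERS, AAD_USERS, TENANT_DOMAINS)
    print(summary(rec, len(DEVOPS_MEMBERS)))
    for g in rec.missing_guests:
        print("create Guest user in Azure AD:", g)
    for m in rec.missing_members:
        print("create member user in Azure AD:", m)
    for bad in rec.invalid:
        print("not an e-mail address, check the DevOps entry:", bad)
```

Run it as-is to see the two external developers flagged for Guest accounts; replace the two lists with exports from Organization settings -> Users and from Azure AD -> Users to use it for a real organization. Matching is case-insensitive because Azure AD user principal names are not case-sensitive, while a copied list may preserve whatever case the user typed.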

Resource:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops

Incoming Client certificate in Azure App Service?

When we enable client certificates on an Azure web app, this is the window that pops up in the browser when a user tries to connect to the app:

When the user clicks on Certificate information, they get the following window:

Where does this certificate come from? How did I get this? Our environment is not AD joined. The certificate seems to be issued by the AD domain server "MS-Organization-Access".

The problem started when one of my developers told me that he was not able to connect to the app. The browser doesn't show any certificate prompt and he keeps getting this error:

Error 403: Forbidden: Client Certificate Required

Apple clients are getting the same error.

We are not using any code to manipulate or validate certificates. It's purely a setting in Azure.

Eventually, I switched the mode of incoming client certificates to Allow so that my team can connect to the apps in Azure.

What are the differences between "Allow" and "Require" for the client certificate modes in the App Service general settings?

Not every path should require a client certificate; only the /secure path should require one.

• Ignore: This setting does not accept client certificates even if one is presented.
• Accept: Select this setting if you want to accept client certificates when presented, but also continue with connections where the client doesn't present one.
• Require: Select this option to require that certificates verify client identity.

For the exclusion path, the documentation says: "To allow certain paths to remain open for anonymous access." If we add /public to the exclusion paths, anything under the /public path of the application would not request a client certificate.

Compliance

There are 6 standards that are applicable to this policy:

  • APRA (CPS 234) Information Security
  • Multi-Level Protection Scheme (MLPS) v2.0
  • NIST 800-53 Rev 5
  • NIST 800-53 Rev 4
  • CIS v1.1 (Azure)
  • CIS v1.2.0 (Azure)

Self-Signed Certificate in Certificate Chain Error

There are a few reasons you may be seeing this error; the two most common ones are:

  1. You are behind a "transparent proxy", which means someone (such as your IT department) is intercepting HTTPS traffic, decrypting it, and then re-encrypting it using a self-signed certificate
  2. You are running software, such as anti-virus software, which is injecting a self-signed SSL certificate into the HTTPS messages you receive

When Storage Explorer encounters one of these "self-signed certificates", it can no longer know whether the HTTPS message it is receiving has been tampered with. If you have a copy of the self-signed certificate, though, you can tell Storage Explorer to trust it. If you are unsure of who is injecting the certificate, you can try to find it yourself by doing the following:

  1. Install OpenSSL
    • Windows (any of the light versions should suffice)
    • Mac and Linux: should be included with your operating system
  2. Run OpenSSL
    • Windows: go to the install directory, then /bin/, then double-click on openssl.exe
    • Mac and Linux: execute "openssl" from a terminal
  3. Execute s_client -showcerts -connect microsoft.com:443
  4. Look for self-signed certificates. If you're unsure which are self-signed, look for any where the subject ("s:") and issuer ("i:") are the same.
  5. Once you have found any self-signed certificates, then for each one, copy and paste everything from and including -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a new .cer file.

Open Notepad. Make sure you copy the whole block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including those two lines. For example, if there are two certificates, the file would be:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Save File as .cer on your computer.

  6. Open Storage Explorer and then go to Edit -> SSL Certificates -> Import Certificates. Using the file picker, find, select, and open the .cer files you created.
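Steps 3 to 5 above are manual: read the "Certificate chain" block of the openssl s_client output, spot the entries whose "s:" and "i:" lines match, and copy each PEM block into a .cer file. The script below is an added example, not part of the troubleshooting guide or of Storage Explorer: it parses a constructed sample of s_client -showcerts output (the certificate bodies are placeholder text, not real certificates; the proxy CA name is made up) with the same subject-equals-issuer rule as step 4, and bundles the matches into the .cer text of step 5. One caveat worth keeping in mind when you review the output: a genuine public root CA is also self-signed, so check the names before importing anything, and import only the certificate you did not expect to see in the chain.

```python
# Added example (not from the original guide): parse the output of
# "openssl s_client -showcerts -connect host:443", pick out the certificates whose
# subject ("s:") equals their issuer ("i:") as step 4 describes, and bundle them
# into a .cer file for import into Storage Explorer (step 5). The output below is
# a constructed sample of an interception proxy; the PEM bodies are placeholder
# text, not real certificates.
import re

SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 CN = Corporate Proxy Inspection CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
---
Certificate chain
 0 s:CN = microsoft.com
   i:CN = Corporate Proxy Inspection CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRi1OT1QtQS1SRUFMLUNFUlRJRklDQVRF
-----END CERTIFICATE-----
 1 s:CN = Corporate Proxy Inspection CA
   i:CN = Corporate Proxy Inspection CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUk9PVC1OT1QtQS1SRUFMLUNFUlRJRklDQVRF
-----END CERTIFICATE-----
---
Server certificate
subject=CN = microsoft.com
issuer=CN = Corporate Proxy Inspection CA
"""

# " 0 s:CN = ..." lines open a chain entry; "   i:CN = ..." lines give its issuer.
SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_chain(output):
    """Return [(subject, issuer, pem), ...] for every entry in the 'Certificate chain' block."""
    certs = []
    subject = issuer = None
    pem_lines = None          # None outside a PEM block, a list while inside one
    for line in output.splitlines():
        m = SUBJECT_RE.match(line)
        if m and pem_lines is None:
            subject, issuer = m.group(1).strip(), None
            continue
        m = ISSUER_RE.match(line)
        if m and pem_lines is None:
            issuer = m.group(1).strip()
            continue
        if line.strip() == BEGIN:
            pem_lines = [BEGIN]
        elif line.strip() == END and pem_lines is not None:
            pem_lines.append(END)
            certs.append((subject, issuer, "\n".join(pem_lines)))
            pem_lines = None
            subject = issuer = None
        elif pem_lines is not None:
            pem_lines.append(line.strip())
    return certs


def self_signed(certs):
    """Step 4 of the guide: a certificate is self-signed when its subject equals its issuer."""
    return [c for c in certs if c[0] is not None and c[0] == c[1]]


def pem_bundle(certs):
    """Concatenate the PEM blocks into the text that goes into the .cer file (step 5)."""
    return "\n".join(pem for _, _, pem in certs) + "\n"


def save_cer(certs, path):
    """Write the bundle with LF line endings, which the import dialog accepts."""
    with open(path, "w", newline="\n") as fh:
        fh.write(pem_bundle(certs))


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_S_CLIENT_OUTPUT)
    for subj, iss, _ in chain:
        flag = "SELF-SIGNED" if subj == iss else "           "
        print(f"{flag}  s:{subj}  i:{iss}")
    save_cer(self_signed(chain), "proxy-root.cer")   # assumed output file name
```

To use it on real output, run the openssl command from step 3, save what it prints to a file, and feed that text to parse_chain instead of the sample string. The printed table lets you compare the self-signed entry against the roots you would expect for the site before you import proxy-root.cer in step 6.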

Resource:

https://github.com/CawaMS/StorageExplorerTroubleshootingGuide/blob/master/se-troubleshooting-guide.md#self-signed-certificate-in-certificate-chain

Adding a separate email account as a subscription owner

My friend created the Azure subscription using this email address: foo.inc@outlook.com. Azure created the domain fooincoutlook.onmicrosoft.com in Azure Active Directory.

My friend and I share the same subscription, with the same foo.inc@outlook.com email address, to provision services in Azure. There are occasional disruptions in my sign-in and I see a login pop-up window. It asks me to type in our shared email address to get a code and authenticate in Azure. I then contact my friend to solve the login issue. This is a waste of time.

To solve this issue, navigate to Active Directory -> Manage -> Users and create a new user:

adam@fooincoutlook.onmicrosoft.com

Navigate to Azure subscription -> Access control (IAM) -> Add -> Add role assignment:

By using adam@fooincoutlook.onmicrosoft.com, we can share a single subscription but use our own email accounts to provision resources.

There are other ways to manage identities, but I have found this an easier and quicker fix.