Plus addressing (also called subaddressing) is available in Exchange Online. Plus addressing lets a mailbox use unique, dynamically created receive-only email addresses.
Basic syntax of an SMTP email address: LocalPart@Domain. Example: JohnD@domain.com
Plus addressing syntax: LocalPart+Tag@Domain. Example: JohnD+statements@domain.com
The original email address must be a valid one. The +tag value is arbitrary, although the regular character restrictions for SMTP email addresses apply.
Here is a scenario. Let’s say the user’s email address is JohnD@domain.com. The user can hand out plus addresses as unique addresses for services they sign up for, by appending a plus sign and a string of their choice right after the local part (JohnD). So, for instance, to receive all bank statements at a dedicated address, the user can end up with something like JohnD+statements@domain.com
Plus addressing Limitations
When using plus addressing, there are a few things to keep in mind:
Plus addresses aren’t aliases in Exchange Online
Hence, they can be used only to receive messages, not to send them
A plus address does not resolve to the user’s display name in Outlook clients, so it is easily identifiable in the To and Cc fields
In a hybrid environment, plus addressing won’t work for on-premises mailboxes that do not resolve in Exchange Online
Web developers are aware of plus addresses, and some online forms/services won’t accept a plus sign in the email field
Some subscription services require the user to use the original email address that they subscribed with
Select Turn on plus addressing for your organization, and then select Save
Note: After plus addressing is turned on by default in April 2022, you will see the option Turn off plus addressing for your organization when you follow the above steps. That checkbox is unchecked by default, meaning plus addressing is turned on, so placing a checkmark will turn plus addressing off. See the screenshot below.
Enable using Exchange Online PowerShell
Before proceeding further make sure you are connected to Exchange Online,
This setting takes effect only after plus addressing is turned on by default in all organizations, starting in late April 2022. Before that happens, plus addressing can be disabled in the O365 tenant by using the AllowPlusAddressInRecipients parameter described earlier with the value $false. This can also be set proactively; you don’t have to wait for it to be turned on by default.
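The same switch from Exchange Online PowerShell, as an added example that is not from the original post: it assumes an already-connected Exchange Online session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) and uses Get-OrganizationConfig and Set-OrganizationConfig with the AllowPlusAddressInRecipients parameter. The Split-PlusAddress helper and the sample address are my own additions, for working out which +tag a received message was addressed to (which is how you find out which service a tagged address was handed to).

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# PowerShell session (Connect-ExchangeOnline has already run).

# Show the current tenant-wide plus addressing setting.
Get-OrganizationConfig | Select-Object AllowPlusAddressInRecipients

# Turn plus addressing on for the tenant (the parameter the post refers to).
Set-OrganizationConfig -AllowPlusAddressInRecipients $true

# Turn it off again, e.g. if a downstream mail system cannot handle the plus sign.
# Set-OrganizationConfig -AllowPlusAddressInRecipients $false

# Once plus addressing is on by default (late April 2022) the tenant-wide switch is
# the DisablePlusAddressInRecipients parameter instead (not mentioned in the post):
# Set-OrganizationConfig -DisablePlusAddressInRecipients $true

# Helper (my addition): split an address into the base mailbox address and the +tag,
# so you can tell which tag a message was sent to. The address below is a constructed
# sample value.
function Split-PlusAddress {
    param([Parameter(Mandatory)][string]$Address)
    $localPart, $domain = $Address -split '@', 2
    $base, $tag = $localPart -split '\+', 2   # $tag stays $null when there is no plus sign
    [pscustomobject]@{
        Address = $Address
        Base    = "$base@$domain"
        Tag     = $tag
    }
}

Split-PlusAddress -Address 'JohnD+statements@domain.com'
```

Because plus addresses are receive-only and are not aliases, nothing in the mailbox configuration lists the tags in use; the helper is the only practical way to recover the tag from a message that has already arrived.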
In Azure AD you can create dynamic groups based on user or device properties. Users or devices can be automatically added or removed based on the group’s definition, so you don’t have to maintain the list of users in this group manually.
Whenever any property of a user or device changes, all dynamic group rules in your Azure AD tenant are re-evaluated to determine whether the user or device should still remain in the group. If a user or device satisfies a rule on a group, they are added as a member, and if they no longer satisfy the rule, they are removed.
Manually adding or removing users from dynamic groups is not allowed.
Why use Dynamic Groups?
Simply put, dynamic groups have query-based memberships. This helps in maintaining group membership and application access based on the query defined. For example, a dynamic group can be defined for all Marketing department users based on the value of the ‘department’ attribute. Conditions can also be combined: following the same example, a dynamic group of all Marketing department users from New York, or a dynamic group of users who report to a specific manager and need access to an application.
This comes in handy in a scenario where you maintain user access to applications based on department or location.
Note: You need Azure AD P1 and above to be able to create dynamic groups.
Dynamic Groups in Azure AD
Azure AD admin center provides a rule builder to create and/or update the dynamic group rules.
In the below steps I’ll create a dynamic group in my tenant with users who are in the Marketing department,
Select Azure Active Directory –> Click on the Groups tab –> New group
In New Group:
Select Security as the group type
Enter ‘Marketing Department Users’ as the name and description for the group
Change Membership type to Dynamic User
Select Owners and in the Add Owners blade search for any desired owners. Click on the desired owners to add to the selection
Click Select to close the Add Owners blade
Click Add dynamic query in the Dynamic user members
Creating new group
On the Dynamic membership rules blade:
In the Property field, click on the existing value and select department
Set the Operator field to Equals
Select the Value field and type ‘Marketing Department Users’
membership rules
Azure AD now provides an option to validate dynamic group rules. On the Validate rules tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. This feature is now in public preview.
validate rules
The rule builder supports the construction of up to 5 expressions. You also need to use the text editor for setting operator precedence, and for writing more complex rules. The rule builder can’t be used to reproduce every rule.
‘Add Expression’ disabled after 5 expressions defined
If the rule builder doesn’t support the rule you want to create, the text box can be used. Below are some of the scenarios that need the text box:
Rule with more than 5 expressions
Direct reports rule
For the rule to work, make sure the Manager property is set correctly for users. If you are syncing from your on-premises AD, make sure the Manager attribute is populated there
When the manager’s direct reports change in the future, the group’s membership is adjusted automatically
This rule can’t be combined with any other membership rules
Setting operator precedence
All operators are listed below in order of precedence from highest to lowest. Operators on same line are of equal precedence:
Operators can be used with or without the hyphen (-) prefix. The Contains operator does partial string matches, not item-in-a-collection matches. The following are the supported operators and their syntax for a single expression:
Syntax           Operator
-ne              Not Equals
-eq              Equals
-notStartsWith   Not Starts With
-startsWith      Starts With
-notContains     Not Contains
-contains        Contains
-notMatch        Not Match
-match           Match
-in              In
-notIn           Not In
Supported values
Values used in an expression can consist of several types, including:
Strings
Boolean = true or false
Numbers
Arrays = number array, string array
To specify a null value in a rule, use the literal null. The -not operator can’t be used as a comparative operator for null.
Common rules in a typical environment
Below, I will go over some of the rules that are typically used in production environments
“Direct reports” rule
This rule supports only the manager’s direct reports. A group consisting of the manager’s direct reports and their reports in turn can’t be created.
Use the syntax below. The object ID can be found in the Azure AD profile of the user who is the manager.
Direct Reports for "{objectID_of_manager}"
Direct reports rule
“All users” rule
Include only members of your organization and exclude guest users.
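To show the text-editor rule syntax from this section end to end (operator precedence, the -in and -contains operators, the null check, the “all users” rule and the direct reports rule), here is an added example that is not from the original post. It creates the groups with the AzureAD module’s New-AzureADMSGroup cmdlet and assumes Connect-AzureAD has already run; the group names, attribute values and the manager object ID are placeholders.

```powershell
# Added example, not from the original post. Requires the AzureAD module and an
# existing Connect-AzureAD session. Names, attribute values and the manager's
# object ID are constructed placeholders.

# Small wrapper so every group below is created the same way: a security group
# whose membership is evaluated from a rule, with rule processing switched on.
function New-DynamicUserGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    New-AzureADMSGroup -DisplayName $DisplayName `
        -MailEnabled $false -SecurityEnabled $true `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

# 1. Single expression: the same rule the builder produced in the steps above.
New-DynamicUserGroup -DisplayName 'Marketing Department Users' `
    -MembershipRule '(user.department -eq "Marketing")'

# 2. Combined conditions. Parentheses make the precedence explicit instead of
#    relying on the default operator precedence, which is why such rules are
#    written in the text editor rather than the builder.
New-DynamicUserGroup -DisplayName 'Marketing Users in NY or Boston' `
    -MembershipRule '(user.department -eq "Marketing") -and ((user.city -eq "New York") -or (user.city -eq "Boston"))'

# 3. "All users" rule limited to members of the organization: the null check
#    matches every user object, the userType check excludes guests.
New-DynamicUserGroup -DisplayName 'All Member Users' `
    -MembershipRule '(user.objectId -ne null) -and (user.userType -eq "Member")'

# 4. Direct reports rule. It cannot be combined with other expressions, so it is
#    the whole rule. The GUID is a placeholder for the manager's object ID.
New-DynamicUserGroup -DisplayName 'Direct Reports of Manager X' `
    -MembershipRule 'Direct Reports for "00000000-0000-0000-0000-000000000000"'

# 5. -in tests membership in a list of values; -contains is a partial string
#    match on one attribute, not an item-in-collection test.
New-DynamicUserGroup -DisplayName 'EU Sales or Marketing' `
    -MembershipRule '(user.country -in ["DE","FR","NL"]) -and ((user.department -contains "Market") -or (user.department -eq "Sales"))'
```

Rule 3 is the one to reach for when a rule must never match a guest: combining it with an application assignment is what keeps externally created accounts out of the app, and because the rule is re-evaluated on every attribute change, a user whose userType changes leaves the group on its own.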
Another interesting part I came across when I was exploring dynamic groups is, I was trying to create a dynamic group of administrators to whom I can assign an Azure AD role. And it turns out, the membership type for role-assignable groups must be Assigned and can’t be an dynamic group. This makes sense as automated population of groups could lead to unwanted access being granted.
It is important to know the current state of your Teams rollout, and this is one of those things which can easily get out of control in the blink of an eye. I wanted to understand and determine the current Teams state in a tenant I manage, and I had to create reports to present.
The portal does give a few options to export the data, but I decided to take a look at what the Teams PowerShell module offers. I spent some time creating a script that will output these five reports:
All Teams data with Channel type, Channel count, Channel count with types, Teams member count and owners count
Teams users data with role information
Channel information for each Teams with Channel types
Channel user information with user information and role
Permissions on each Teams
This report can also be scheduled to run if you already have a mechanism to store your credentials securely and pass them to your PowerShell scripts.
I use the ImportExcel PowerShell module for this script,
Install-Module -Name ImportExcel
Before proceeding further, make sure you have the Teams PowerShell module installed. You’ll need to run this script with the Teams Administrator role.
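As an added example (the author’s script itself is not reproduced on this page), here is a PowerShell skeleton that builds the first two of the five reports listed above (the per-team summary with channel, member and owner counts, and the per-user role list) with the MicrosoftTeams and ImportExcel modules. The workbook path is an assumption, and the owner/guest checks at the end are my own addition.

```powershell
# Added example, not the author's script. Requires the MicrosoftTeams and ImportExcel
# modules and a Teams Administrator account. The workbook path is an assumption.
Connect-MicrosoftTeams

$workbook    = Join-Path $PWD 'TeamsReport.xlsx'
$teamsReport = [System.Collections.Generic.List[object]]::new()
$usersReport = [System.Collections.Generic.List[object]]::new()

foreach ($team in Get-Team) {
    # Channel inventory: MembershipType is Standard, Private or Shared.
    $channels = @(Get-TeamChannel -GroupId $team.GroupId)
    # Team membership: Role is owner, member or guest (-eq is case-insensitive).
    $users    = @(Get-TeamUser -GroupId $team.GroupId)

    $teamsReport.Add([pscustomobject]@{
        TeamName         = $team.DisplayName
        GroupId          = $team.GroupId
        Visibility       = $team.Visibility
        Archived         = $team.Archived
        ChannelCount     = $channels.Count
        StandardChannels = @($channels | Where-Object MembershipType -eq 'Standard').Count
        PrivateChannels  = @($channels | Where-Object MembershipType -eq 'Private').Count
        MemberCount      = @($users | Where-Object Role -eq 'Member').Count
        OwnerCount       = @($users | Where-Object Role -eq 'Owner').Count
        GuestCount       = @($users | Where-Object Role -eq 'Guest').Count
        Owners           = (@($users | Where-Object Role -eq 'Owner').User) -join '; '
    })

    # Report 2: one row per user per team, with the role held in that team.
    foreach ($u in $users) {
        $usersReport.Add([pscustomobject]@{
            TeamName = $team.DisplayName
            User     = $u.User
            Name     = $u.Name
            Role     = $u.Role
        })
    }
}

# One workbook, one worksheet per report; -TableName turns each sheet into an Excel table.
$teamsReport | Export-Excel -Path $workbook -WorksheetName 'Teams'     -AutoSize -TableName 'Teams'
$usersReport | Export-Excel -Path $workbook -WorksheetName 'TeamUsers' -AutoSize -TableName 'TeamUsers'

# Hygiene checks worth surfacing alongside the reports: ownerless teams cannot be
# administered by anyone but a tenant admin, and teams with guests are the ones
# whose membership most needs review.
$teamsReport | Where-Object OwnerCount -eq 0 | Select-Object TeamName, GroupId
$teamsReport | Where-Object GuestCount -gt 0 | Select-Object TeamName, GuestCount
```

The remaining three reports follow the same loop: Get-TeamChannel already returns the channel type per team, and Get-TeamChannelUser lists the members of a private channel, so each is another worksheet appended to the same workbook.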
In this post I will go over the steps required to implement Azure AD SSO integration with ServiceNow. With this in place, it is easier to control access to your ServiceNow implementation and also allow your users to login with their domain credentials.
ServiceNow also supports user account provisioning which I will cover in a later post.
I’ve updated this post for the ServiceNow San Diego version. Earlier versions may have different UI options, but the steps behind the integration mostly remain the same.
High level implementation steps
In Azure AD add ServiceNow to Enterprise Applications
To configure this integration, the first step is to add ServiceNow from the gallery to your list of managed SaaS apps. Below are the steps:
Log in to the Azure AD Admin Center and click on the Enterprise applications tab
To add a new application, click New application
In the Browse Azure AD gallery section, enter ServiceNow in the search box
Select ServiceNow. You can give the name a prefix to differentiate the development instance from the production instance, but in this scenario I’ll leave the default name as in the screenshot below. Click Create
It takes a few seconds for the app to be added
Search ‘ServiceNow’
add ServiceNow by clicking ‘Create’
Configure Azure AD SSO
The steps below detail how to enable SSO in the Azure AD portal for the ServiceNow application:
On the ServiceNow application page, select SAML-based Sign-on under the Manage section. Select SAML
Select the edit icon in the Basic SAML configuration section
Basic SAML config
Your ServiceNow administrator should know this information, and if not, you can contact ServiceNow support. But in general, this information is easy to figure out. I’ve mentioned the format of these URLs below, and I have used my own instance’s URL in the screenshot.
Please follow along; there is a step below on how to determine the sys_id value from ServiceNow for the Sign on URL. Refer to step 16 under the ‘Configure ServiceNow’ section below.
The screenshots below show values from my environment. I constructed the Sign on URL from the sys_id information I got from ServiceNow, as mentioned above
In the SAML Signing Certificate section, find Certificate (Base64). Click Download to download Certificate(Base64), and then save the certificate file to your computer.
Download Certificate(Base64)
Create ServiceNow test user
In ServiceNow portal, go to User Administration > Users
Click New, complete the properties for your new user, and click Submit
Most organizations use ‘Automated user provisioning’, so you won’t have to create all the users in your Azure AD domain in ServiceNow by hand. But to make the SSO part easier, coordinate with your ServiceNow administrator and create a user account in ServiceNow with the email ID of a user in your Azure AD.
Configure ServiceNow
Login on to your ServiceNow application portal as an administrator
In the left pane, search for the System Definition section from the search box, and then select Plugins
ServiceNow plugins
Search for Integration – Multiple Provider single sign-on Installer
Right-click, and select Activate/Repair
search plug-in and activate
Select Activate
Click Activate
wait till activation complete
Click Close & Refresh List
In the left pane, search for the Multi-Provider SSO, and then select Properties
The Enable multiple provider SSO option is not active, as in the screenshot below, because Account Recovery is not set up. Account recovery comes in handy if something goes wrong with the SSO configuration, since it prevents admins from being locked out.
Enable multiple provider SSO not active
Place a checkmark next to Enable account recovery to enable it
Account recovery properties
Now back on the Customization Properties for Multiple Provider SSO page, place check mark next to below options,
Enable multiple provider SSO
Enable Auto Importing of users from all identity providers into the user table
Enable debug logging for the multiple provider SSO integration
The field on the user table that…,
email
Customization Properties for Multiple Provider SSO options
Click Save to save configuration
In the left pane, search for the Multi-Provider SSO, and then select Identity Providers
Click New
select SAML
In the Import Identity Provider Metadata, select URL
The Metadata Url can be found in the Azure AD ServiceNow application SAML Signing Certificate section
Copy the App Federation Metadata Url value
Azure AD App Federation Metadata Url
Paste the App Federation Metadata Url from Azure AD under Enter the URL and click Import
Paste the App Federation Metadata Url value
Right-click on the grey bar at the top of the screen, click Copy sys_id, and save this value in Notepad to construct your Sign on URL in Azure AD
Importing the metadata URL reads the metadata and populates all the necessary information
Enter a name for your configuration. I’ve named it ‘Azure AD’
Confirm the NameID Policy is set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Select Advanced. In User Field, enter email
SSO config
Scroll down to the Encryption And Signing tab and X.509 Certificate section, and select New
Open the .cer file that was downloaded from Azure AD and saved to your PC in Notepad
Copy the entire content and leave it in the clipboard
Azure AD certificate open using notepad
Paste the contents in PEM certificate section
Provide a Name
Select Format as PEM
Click Submit
x.509 certificate
Click Update
Click Test Connection at the upper-right corner of the page
Sign-in using the test user account created earlier in the ‘Create ServiceNow test user’ section
Click Close
Click Activate
Ensure Default and Active are checked like in screenshot below
Active enabled
To ensure ServiceNow auto-redirects the users to Azure AD SSO, click on the Set as Auto Redirect IdP in the Related Links section
Set as Auto Redirect IdP
Auto Redirect IdP is enabled
Click Update to save the configuration
Test SSO
Open ServiceNow portal
Use Incognito or InPrivate mode to avoid previously saved cookies
The portal should auto-redirect to login.microsoftonline.com and prompt a sign-in
Issues you may encounter and how to fix them
Error: Ensure that the user you are trying the test connection with is present in the system. Ensure that ‘User Field’ property value corresponds to the value set in the IDP returned through ‘Subject NameID’ in the response.
Fix: I tried the SSO with a user ID that only existed in Azure AD and not in ServiceNow. The system didn’t know what to do, hence the error... duh!
Error: SAML2ValidationError: Signature cryptographic validation not successful
Fix: I imported the PEM certificate from Azure AD into ServiceNow but forgot to save it by clicking Update.
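One way to check the second error without clicking through both portals, as an added example that is not part of the original post: a PowerShell function that downloads the App Federation Metadata Url ServiceNow imported earlier, pulls the IdP signing certificate(s) from the SAML metadata and compares their thumbprints with the Certificate (Base64) .cer downloaded from Azure AD. If the thumbprint of the .cer is not among the advertised ones, ServiceNow is holding a stale or unsaved certificate and signature validation will fail. The metadata URL and file path in the call at the end are placeholders for your own tenant.

```powershell
# Added example, not from the original post. $MetadataUrl and $CerPath are placeholders.
function Test-FederationMetadataCertificate {
    param(
        [Parameter(Mandatory)][string]$MetadataUrl,
        [Parameter(Mandatory)][string]$CerPath
    )
    # Azure AD publishes the metadata as a SAML 2.0 EntityDescriptor XML document.
    [xml]$metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # entityID is the value ServiceNow will expect as the issuer of the SAML response.
    $entityId = $metadata.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')

    # Every signing certificate the IdP advertises. Azure AD lists a new certificate
    # here before the old one is retired, which is when ServiceNow needs updating.
    $advertised = $metadata.SelectNodes(
        '/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]//ds:X509Certificate', $ns) |
        ForEach-Object {
            $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        }

    # The downloaded .cer is PEM: strip the header/footer and whitespace, then decode.
    $pem   = Get-Content -Path $CerPath -Raw
    $body  = $pem -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '' -replace '\s', ''
    $local = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($body))

    [pscustomobject]@{
        EntityId              = $entityId
        LocalThumbprint       = $local.Thumbprint
        LocalNotAfter         = $local.NotAfter
        AdvertisedThumbprints = ($advertised.Thumbprint -join ', ')
        CertificateMatches    = [bool]($advertised.Thumbprint -contains $local.Thumbprint)
    }
}

# Placeholders: use your own App Federation Metadata Url and the path of the saved .cer file.
Test-FederationMetadataCertificate `
    -MetadataUrl 'https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>' `
    -CerPath 'C:\Users\me\Downloads\ServiceNow.cer'
```

CertificateMatches being false with an otherwise healthy metadata download is exactly the symptom behind the SAML2ValidationError above; LocalNotAfter is also worth watching, since the same error comes back when the Azure AD signing certificate is rotated and ServiceNow still holds the old one.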
This should help you with the Azure Active Directory single sign-on (SSO) integration with ServiceNow. I believe I’ve covered everything in this process.
A self-service user flow defines the steps a user follows while signing up for an application in your tenant. These applications can be custom-built or SaaS applications. This allows users to sign up for an app and creates a guest account for them in the Azure AD tenant.
These user flows cannot be used for Microsoft apps like Teams or SharePoint.
Enable self-service sign-up
Before creating and adding self-service sign-up user flow to your applications, the feature has to be enabled. Once enabled, the necessary options become available.
In the left menu, click External Identities and then External collaboration settings
External collaboration settings
Toggle Yes to Enable guest self-service sign up via user flows
Click Save
Create user flow for self-service sign-up
Now we’re ready to create user flow for self-service sign-up and add it to an application.
Under the same External identities section in the above steps, click User flows in the left menu
Select New user flow
Enter a Name for the user flow. The name is automatically prefixed with B2X_1_
Select the Identity providers
Azure AD is the default identity provider, which means that users are able to sign up by default with an Azure AD account
Google and Facebook, Microsoft Account, and Email OTP are also options
Under User attributes, choose the attributes you want to collect from the user
For additional attributes, click on Show more
Click Create
New user flow
Select the Page Layout
We can customize the order in which the attributes are displayed on the sign-up page
Click on the user flow created
Click on Page Layouts under Customize in the left menu
For my scenario, I’ve reordered the fields and set Optional to No for the fields I consider mandatory
Click Save
Page Layout
Add Application(s) to the user flow
Now we are ready to associate an application with the user flow:
In the left menu, under Use, select Applications
Select Add application
For my scenario, I’m adding the Salesforce application to enable users to do a self-signup
Search for the application and click Select
Add application
This concludes the steps in the Azure AD admin portal
Guest User experience
We can simply provide the application URL to the guest user for them to sign-up.
In my scenario, I’m using the Salesforce application in my environment,
Salesforce login page
When the user tries to log in with their own credentials, they get the error ‘This account does not exist in this organization..‘. This means that the user, who belongs to a different Azure AD tenant, doesn’t exist in the home tenant the Salesforce application is part of.
Login error
User clicks on Create a new one or Create one!
Select Sign up with email. Enter Email address and password
Review and click Accept in the Permissions requested by: screen
Note: See in screenshot below, Permissions requested by: is the tenant where the application lives
Fill the necessary information and click Continue
Note: This next screen is a result of how we configured the page layout earlier.
And it redirects the user to the Salesforce landing page. I don’t have anything configured within Salesforce for this specific user
Salesforce landing page
So, there are a few things to note here:
When the user goes through the self-signup process, a guest account is automatically created for the user in the home tenant
As in my example, since I don’t have user provisioning enabled with Salesforce, the user still has to be created within Salesforce
I only know the basics of Salesforce’s inner workings, but I do have the authentication part configured with Azure AD
If you are following this guide and also allowing guest users to log in to Salesforce, have your Salesforce administrator set up this guest user with the user’s home tenant email account
Guest user’s profile
Hope this post helped you in setting up the Azure AD self-service sign-up user flow to an app.