Cloud only user unable to manage other cloud only user?

Question

I've created new Adaxes instance (23.2) in my test environment. I've added managed domain of "cloud domain" type and connected this tenant via Microsoft 365 cloud services option in Adaxes console too. I've used app registration to authenticate and granted all requested permission/roles to it.

In my Azure tenant I have two users AADDS Test User which is set as a manager of the AADDS_TestUserinek.

But when I log using AADDS Test User credentials I am unable to change any properties of the AADDS_TestUserinek. I don't even see him under "My managed objects" section, I only see him under "My team" section.

I've modified Forms and views according the tutorial too

What am I missing?

Answer 1

Hello,

The behavior is expected as the My managed objects pain only displays the objects that have the logged on user as their owner. Owners are set via the Managed By property which users do not have.

Also, Microsoft Entra users cannot log in into Adaxes at all. You are still logged in as the on-premises AD user.

Comments

OK, so is it somehow doable to let our cloud only users to manage other cloud only resources (users, groups,..)?

I forgot to add that currently we are a hybrid environment (accounts hosted on-premises and synced to Azure), but we are planning to migrate to cloud-only scenario. But what we like to retain is Adaxes for letting our users to manage Azure groups etc.

Because Adaxes requires Active Directory domain we thought we will host it using Azure "Microsoft Entra Domain Services" (aka AD hosted in the Azure). This basically means that our cloud only users/groups/... will be synchronized to this Azure hosted AD, where also Adaxes will be installed. This way users would be able to log in to Adaxes service.

So the question is, is it possible to somehow let our future cloud only users connect to the Adaxes via their synchronized Azure-AD accounts, but manage cloud only assets at the same time?

I can imagine some sort of linkage between synced account and the original Azure-AD account that gives the user permissions over the cloud only assets where such Azure-AD account is manager?

Or what is the supported scenario for cloud-only environments that want to leverage Adaxes?

Thanks!

---

Hello,

As we mentioned in the previous post, currently, cloud accounts cannot log in into Adaxes. As such, they cannot manage anything or use any Adaxes functionality at all. The feature is in our todo list, but there is no ETA yet.

---

Thats why I've asked whether there is some other way around. For example by using local AD user that will be somehow linked to its cloud counterpart.

So I assume there isn't :(

---

Hello,

Such a link is possible, but not for cloud-only users. If you have both the on-premises user and the cloud user that are synchronized managed in Adaxes, it will work fine. Still, users would not be present in the My managed objects pane. They only have the Manager property, not the Managed By one. As an option, you can use a built-in report, Subordinates of user. By default, the report is located in container Reports\All Reports\Users\Managers and Subordinates.

---

Not sure I follow. Now you are talking about classic hybrid scenario where users are synced from AD to Entra ID. But that doesn't apply for our imaginery "cloud-only" scenario where we have Azure hosted AD only to be able to log in into the Adaxes, but the source of the users is in Azure?

So long story short, for our scenario we have to create custom commands for every action we want our users to have. Plus make some logic in our custom commands to specify who is allowed to do such action on specified object.

---

Hello,

That is not quite what we meant. Here is an example:

• You have both on-premises AD and Microsoft Entra ID domain registered in Adaxes
• There is user John Smith that is synchronized and has accounts in both on-premises AD and in Microsoft Entra ID.
• There is user Jane Doe that only exists in Microsoft Entra ID and has John Smith set as manager.
• If John signs in to Adaxes with their on-premises AD account, the Subordinates of the user report will include Jane Doe.
• John can click Jane’s account, view it and manage according to the permissions granted by Adaxes security roles.

If you face some issues, please, provide the steps you perform with screenshots and describe the desired behavior in all the possible details with live examples.

---

As I said, you are talking about classic hybrid scenario, but situation where Azure "Microsoft Entra Domain Services" (aka special kind of AD hosted in the Azure) is used, instead of on-premises AD, is a little bit different. And that is the environment I am talking about, where users are synced from Azure to Azure-hosted-AD, and such users are unfortunately unable to modify cloud only users as per my testing. Because these synced accounts used for logging to the Adaxes aren't linked to the parent (Azure) ones or something like it. Therefore don't have permissions over the cloud accounts even though manager is correctly set (to the cloud-account-version).

---

Hello,

That was just an example. Synchronization is actually not required for Adaxes to make that thing work. All it needs is to be able to match the on-premises AD account with the Microsoft Entra one. It is an Adaxes internal process not related to the synchronization. After that you only need to be able to see the corresponding accounts in Adaxes. As such, the described behavior should work just fine with Microsoft Entra Domain Services. If you do not have it working. Please, describe the configuration you have in all the possible details with screenshots. Also, please, provide screenshots of the security roles you created. You can post the screenshots here or send them to us at support@adaxes.com.

Any additional detail will be much appreciated.