Closed SB-o-matic closed 3 years ago
@SB-o-matic Thanks for your feedback! We will investigate and update as appropriate.
Any feedback?
"Now, we get an error that says you can not sign in with a personal account."
Is this the only error message you're getting? Can you provide the exact error message or screenshot that the user is seeing?
"Now that ability has been removed leaving us to have to send links to the resource to users. "
This feature is still present and it hasn't been removed, though if a resource doesn't have a URL then the user won't be able to click on it to go to that individual resource. If we can get some details about the access package or the resource that users are facing problems with, it will help us investigate this issue further.
"Is this the only error message you're getting? Can you provide the exact error message or screenshot that the user is seeing?"
Yes, it is.
"This feature is still present and it hasn't been removed"
Yes, it has.
This screenshot shows the error I get when I try to log in at myaccess.microsoft.com with my outlook.com account. Now I am limited to copying the link of the access package and sending it to the user directly. One used to be able to just log in to myaccess.microsoft.com with a guest account.
These next 2 screenshots show that on expanding resources in an access package, there is no longer a link that takes you straight to the resource. The first is for a SharePoint site. The second is for an Azure AD enterprise application. There used to be a link like "Open" under the resource. It is no longer there.
Any feedback?
Please assist with this issue. It is not intuitive the way it works at the moment.
(social accounts) We don't support social accounts right now
"One used to able to just login to myaccess.microsoft.com with a guest account." - a guest account is different from a social account; not all guest accounts are from social networks
From the limited information, it's hard to tell what you were doing before when it worked; you could have used a different kind of guest account or a different URL (with a tenant hint in the URL -- possibly even auto-populated (guessed by us)).
(resource links) That feature wasn't removed; the Open links only show up from the Active tab so you might be looking in the All tab.
Thank you for your response. I will note, however, that I understand that not all guest accounts are from social networks. I maintain what I stated earlier that I used to be able to sign in to the MyAccess portal with a guest account created with a social identity. As it relates to a tenant hint, if that were the case, it still boils down to signing into the MyAccess portal with a guest account using a social identity.
Moving on. If you say you don't support social identity guest accounts accessing the MyAccess Portal, why do you support adding social domains as a Connected Organization in Identity Governance Entitlement Management? Or why do you allow Access Packages to be assignable to "All Guest Users" or groups that contain guest accounts? How is that supposed to work normally?
Thank you for answering the question around the "Open" links. Never noticed it was only on the Active tab.
Any help around this? We are working towards moving to prod and this is a major blocker.
PG response: We don't support social account sign-in in My Access today, but it is something that we are actively thinking about from the product side. I have a couple of follow-ups: 1/ Which social domains do you expect to sign in to My Access in your organization? 2/ Would you expect someone who signs in using a Gmail account, for example, to be part of a connected org 'Gmail'? For instance, if you allow an access package to be requested by a connected org 'Gmail', then all users with Gmail accounts will be able to request that package. It would be great to know your scenario for using social accounts in My Access. Thank you!
Hi @SB-o-matic, I'm a Program Manager on the Entitlement Management team and would like to clarify what's going on here a bit more. The MyAccess portal does support users with social email addresses (like outlook.com or live.com) but only on a tenanted URL (ex: https://myaccess.microsoft.com/@{YourTenantDomain}#/access-packages). If a social user tries to go to the root URL (https://myaccess.microsoft.com) they'll get the error message you shared because we don't know what tenant they're trying to request access to and they don't have a "home" tenant they belong to.
This is good feedback for us that this isn't necessarily an intuitive solution for customers and something we can work to improve in the future.
First of all, I appreciate you all taking the time to respond. The responses are very helpful.
My Questions
Some Suggestions for EM in General
@SB-o-matic, thank you for the additional information and feedback! Can you give us more details on the steps you're taking when you see errors using Gmail accounts on a tenanted URL? There are some factors that can change the behavior for Gmail accounts, such as whether Google federation or email one-time passcodes are enabled for the tenant you're trying to access.
Thank you for your response and apologies for the delay. We don't have Google federation enabled. We do, however, have OTP turned on. No special steps are taken. I construct the tenanted URL as above, enter it into a browser and hit ENTER. I get redirected to login.microsoftonline.com/xxxxxxxxxx, which doesn't take a social account.
I think at this point it would be best to jump on a call and watch you go through the flow, because the steps you're describing should work. If you're interested in doing so, could you please email me at elisol@microsoft.com with some times that would work for you so we can set something up?
That works brilliantly, thank you.
I submitted these questions before but it was closed before I got a response.
We used to be able to have social accounts request access packages by signing in at myaccess.microsoft.com. Now, we get an error that says you cannot sign in with a personal account. Why is this the case, since it remains possible to create a domain like gmail.com or outlook.com as a connected organization in Entitlement Management? Also, after landing on the myaccess portal and expanding an access package that a user has been approved for to view its resources, it used to be possible, for example, to open a SharePoint site or an application directly from this view by simply clicking on the resource or clicking an open Now that ability has been removed, leaving us to have to send links to the resource to users. This degrades the experience substantially. Can we have this ability returned?