I'm using Azure API Management and I have a user who tried to sign up but never got the "validation" email. Let's just assume the email is not recoverable. Unfortunately, I have no way to reset that user's email address. The API Management framework knows that the email already exists but I have no visibility to that user's profile until they validate the account. At that point I can manage their account but, until then, they are in limbo.
If the user tries to re-sign up or even if I send an invite, we get an error that says "Email already exist".
Any pointers?
The confirmation request will expire in 2 days, so if the user tries again after 2 days, the "email already exist" error should go away.
Meanwhile, we are currently working on a feature to allow Admins to delete unconfirmed users from the Management Console.
In addition to allowing admins to remove unconfirmed users, we added the ability for users to re-send the confirmation email.
For years, I've been using the email addresses MyEmail#mydomain.com and myemail#mydomain.com as if they are identical. And most of the time this is true. However, now the OAuth verification process for the project seems to be failing because Google treats these as two separate identities.
The GCP project owner is MyEmail#mydomain.com. In the OAuth consent screen, I've set mydomain.com as the sole authorized domain for my app. And I use myemail#mydomain.com as my identity in Google Search Console when verifying that I am the owner of mydomain.com.
I got an email from "The Google Cloud Trust & Safety Team", saying that the owner of the GCP project and the identity of the owner of the authorized domain do not match! The only reason for this seems to be the case of the email names, because everything else appears set up properly.
MY QUESTION: How can I change the GCP project owner from MyEmail#mydomain.com to myemail#mydomain.com?
It seems that I need to change one or the other. I would rather change the GCP owner to myemail#mydomain.com. But I cannot get that to happen. I followed the instructions in Grant or Revoke Role.
I go to IAM -> Permissions - Add. I enter the email without the caps & ignore their suggestion to use the one with caps. But in the "Select a role" dropdown, it shows "Owner" as a role "Currently used". I select it anyway and click Save. But IAM -> Permissions never get changed.
I've thought of changing the owner first to someone completely different and then to the lower case email. But that might involve billing emails changing, etc.
EDIT - As a result of trying to add myemail#mydomain.com to the project, I received an email at that address from GCP, asking me to join the project. I accepted the request, but IAM is still only showing MyEmail#mydomain.com as being on the project.
Is this really the case that myemail#mydomain.com and MyEmail#mydomain.com are separate GCP identities? Might there be a different reason for Trust & Safety to think they're not the same?
If I respond to the T&S email, describing my issue, will a real person actually read it, or will the same automated test be run again to check the issue?
Resolution: I responded to the T&S email, explaining what was going on with the upper/lower case letters in my email address.
Today I got a reply: "Request Granted. Your project is now verified for ....". That's great! But I wonder if I will forever be first rejected for the same reason on all new projects that I create. It appears that the final solution is likely finding a way to change my logon email on GCP to one without capital letters.
Since you mention that you are never asked to select a different profile when logging into your account, then it should be the exact same account using the actual same GAIA ID as mentioned by DazWilkin, so there should be no difference within the GCP console between MyEmail#mydomain.com and myemail#mydomain.com.
Google usually recognizes an email address in both forms as the same account, although there are some exceptions across their products (I have had a similar experience with email addresses from Google Groups). I think this is one of those particular exceptions.
I would strongly recommend transferring the project ownership to a totally different account within your domain, then waiting a couple of hours due to Google's "propagation time" across services, and transferring the ownership back to the account using the format myemail#mydomain.com.
Now answering to:
If I respond to the T&S email, describing my issue, will a real person actually read it, or will the same automated test be run again to check the issue?
They are actually a team of people, but they tend to use a lot of canned responses, so I would definitely recommend being very specific with your choice of words when responding to their emails; otherwise, you may not get a relevant response. You may also try to explain this to them via email to see if there is an actual problem with the email address or if it is just them or the system being extremely picky when checking the email address.
I think you basically have it covered. But it is important that on the new Owner's account, you will need to go to "Billing" in the "hamburger" menu and either link the project to an existing billing account or set up a new Billing account to link the project.
You may also need to delete the old project owner to avoid confusion.
I'm writing a Playwright test that starts with a Google Auth0 login. After I fill my test user and password in the UI (google login), in Firefox and Webkit the authentication passes successfully, while, on Chromium, I'm getting the Verify it's you message (with a "send sms" message).
The account does not have 2 steps authentication.
When it happened locally, I opened the browser in headful mode, and after a few clicks (which I assume "told" the browser that I'm a real user) the problem disappeared (I can now run my tests in headless mode locally). But it still happens on CI (GitHub).
I run the test with chromium flags: --disable-dev-shm-usage and --disable-web-security.
I couldn't find any data about it anywhere...
When Google determines that a user is logging in from an unknown device or a new location, they may prompt the user with an additional login challenge.
The login challenge that the user receives depends on the information that is associated with the account.
Does the prompt say "Enter a phone number to get a text message" or something else like "This device isn't recognized..."?
If the former, I believe you can circumvent this extra prompt by having a phone number linked to the Google account in question. If the latter, I believe the prompt is once per user per device.
My understanding is that it is basically Google trying to get a valid phone number for the account (to prevent spam etc).
-- Edit
The only other thing I can think of is that you can temporarily turn off the verify-it's-you challenge, for 10 mins, but only if the account is a member of a Google Workspace or Cloud Identity service. I am not sure this is possible for an unmanaged account - or how useful it would be. The other issue is that for "free services" Google doesn't really offer any kind of support.
Anyhow, you might try "Temporarily turn off login challenges for a user" -
https://support.google.com/a/answer/12077697
There is also some good information on this verify-it's-you challenge here.
https://workspaceupdates.googleblog.com/2018/04/more-secure-sign-in-chrome.html
It has some notes on disabling the challenge per organization via response headers, but again this is for an organization and managed accounts.
If you wish to disable the new screen for your organization, you can
use the X-GoogApps-AllowedDomains HTTP header to identify specific
domains whose users can access Google services. Users in those domains
won’t see this additional screen, as we assume those accounts are
trusted by your users. This header can be set in Chrome via the
AllowedDomainsForApps group policy.
We will occasionally get this error message:
User needs to accept terms of service
when making API calls. Replaying the calls will work later on. What does this error message mean exactly and is there a way we can avoid it?
I encountered this when a user was created (by an admin or via the API), an email was sent to the user and the user needs to confirm their email and agree to the ToS, and then I tried to impersonate that user via the API before the user agreed to the ToS.
Is there a way to create an external user account under an enterprise account silently, where there is no accept/email invite needed?
Use Case:
User becomes a member of our web site, we call API and provision grant them silently which creates an external user under our enterprise account.
Any code example? Silently and without invite is the key thing here. Thanks!
There isn't a way to do this. The user doesn't have a password at creation time and needs to set one by going to the website via the email confirmation link.
Could you perhaps explain why you don't want the email to be sent, and what your user workflow looks like?
We're opening a US office shortly and I've added the new domain (domainus.com) to our Exchange 2007 environment as an "accepted domain" and added some addresses as SMTP addresses to a few members who can receive properly - yey :).
We want to send from these addresses too but I can't figure out how to make this work, I get the error:
"You are not allowed to send this message because you are trying to send on behalf of another sender without permission to do so. Please verify that you are sending on behalf of the correct sender, or ask your system administrator to help you get the required permission. "
I'm not well versed in Exchange so I'm not sure what to search for to try and figure it out. I've tried:
Adding themselves to send to "Delivery options > send on behalf" and I edited the default email address policy for the organisation (which wasn't being applied before.... so I don't think it would make any difference).
Any suggestions welcomed.
Thanks in advance.
I know it isn't much help, but I was having the same issue, and getting the same error. I ran across this page that lists 4 ways to do it. None of them are what you would expect, except for the application that you have to purchase.
I do think if you have a Gmail account that you could send as the alternate email address, and all replies etc would come back to the Exchange account.
On the user account, in Active Directory, under Security, under the SELF account, select the Manage Send As Permission option.