Channel: Azure Active Directory forum

Azure AD Connect password sync issue

Hi,

We have created mailbox user accounts in Office 365 manually previously; recently we plan to set up AAD Connect for password synchronization with AD.

After successfully installing AD Connect, I planned to do a pilot test by trying to sync a group of users (creating a new group and adding a few users to the group) under AD Connect "Filter users and devices". The synchronization process is successful and from Office 365 I can see the user status change from "In Cloud" to "Synced with Active Directory". But the problem is that the AD password is not synced over to Office 365. Users still log in to their email with the original password, not their AD login password. I tried to run the force sync command (DirectorySyncClientCmd.exe initial); the result is also the same.

Regards,

Leong


ADMA credential change to default every time re-enable password sync.

Good day everyone,

Just want to ask whether this is correct behavior: every time I run the full password sync PowerShell as below:

$adConnector  = "xxx.net"
$aadConnector = "xxxxx.onmicrosoft.com - AAD"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

and then my ADMA credential goes back to my default forest credentials when I check in miisclient.

Thanks in advance.

Azure Active Directory instance missing from list

When I browse the Azure portal the navigation shows "ACTIVE DIRECTORY 2" but when I open the list of directories only one directory is shown.

The account that I log on with is the administrator of the Azure subscription. Is it possible that the Active Directory is not found because I don't have access to it?

Create Certificate Request for Windows Azure to Enable SSL on Project

How can I create a Service Certificate for a Windows Azure project? I have a reserved account but don't have access to a virtual machine at Windows Azure. Can I use local IIS to create the Certificate Request?

Microsoft.Azure.ActiveDirectory.GraphClient 2.1.0 no longer works with API 1.6

About an hour ago, our calls to the Graph API started throwing errors. There was no change to our code-base, so I'm assuming something on the API side has changed. **This is critical**, as all of our environments, including production, are affected by this. Info:

Microsoft.Azure.ActiveDirectory.GraphClient.2.1.0

Stack trace:

System.InvalidOperationException: The response payload is a not a valid response payload. Please make sure that the top level element is a valid Atom or JSON element or belongs to 'http://schemas.microsoft.com/ado/2007/08/dataservices' namespace.
   at System.Data.Services.Client.Materialization.ODataMaterializer.CreateODataMessageReader(IODataResponseMessage responseMessage, ResponseInfo responseInfo, ODataPayloadKind& payloadKind)
   at System.Data.Services.Client.Materialization.ODataMaterializer.CreateMaterializerForMessage(IODataResponseMessage responseMessage, ResponseInfo responseInfo, Type materializerType, QueryComponents queryComponents, ProjectionPlan plan, ODataPayloadKind payloadKind)
   at System.Data.Services.Client.MaterializeAtom..ctor(ResponseInfo responseInfo, QueryComponents queryComponents, ProjectionPlan plan, IODataResponseMessage responseMessage, ODataPayloadKind payloadKind)
   at System.Data.Services.Client.QueryResult.CreateMaterializer(ProjectionPlan plan, ODataPayloadKind payloadKind)
   at System.Data.Services.Client.QueryResult.ProcessResult[TElement](ProjectionPlan plan)
   at System.Data.Services.Client.DataServiceRequest.EndExecute[TElement](Object source, DataServiceContext context, String method, IAsyncResult asyncResult)
   at System.Data.Services.Client.DataServiceQuery`1.EndExecute(IAsyncResult asyncResult)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<>c__DisplayClass26`2.<ExecuteSingleAsync>b__24(IAsyncResult i)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteSingleAsync>d__28`2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.ReadOnlyQueryableSet`2.<<ExecuteSingleAsync>b__5>d__7.MoveNext()

Replicate an extra Active Directory attribute to Azure AD

Hi all,

My question is simple.

I have seen that there are default attributes which are replicated to Azure with ADSync or AD Connect

https://msdn.microsoft.com/en-us/library/azure/dn764938.aspx

We are using a lot of Azure applications and we use a lot of Azure AD SSO.

One of the applications uses the 'EmployeeID' as a user identifier: the claim to identify the user.

Because the EmployeeID is not replicated to Azure AD, we are unable to integrate this app with Azure AD SSO.

My question is: how can we replicate a non-default Active Directory attribute to Azure?

We are actually using ADSync but we plan to upgrade to AD Connect if needed.


Regards, Samir Farhat || Datacenter Consultant || The way to share my knowledge with the community || Visit my blog: buildwindows.wordpress.com

Azure Active Directory Connect Both Hybrid and Password Sync

I have an Exchange Hybrid deployment set up via Azure Active Directory Connect. I would like to also have password sync set up, so I can fail over to it in the case of my ADFS box going down.

I would try a failover as documented here: http://ithinkthereforeiehlo.com/password-sync-adfs-federation-disaster-recovery/

The issue is that the option for Password Sync is gray.  I found a similar issue here: https://social.msdn.microsoft.com/Forums/azure/en-US/ce224551-d5f8-48f3-ac61-a43fc9b59b6a/azure-ad-connect-password-sync-option-greyed-out?forum=WindowsAzureAD but the difference is I am not actually trying to eliminate ADFS, I just want Password Sync as a backup.

Going off of Jen_Field_MSFT's answer from there, would it work to run

PS c:\> $adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
PS c:\> $aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"
PS c:\> Set-ADSyncAADPasswordSyncState -ConnectorName $aadConnector -Enable $true
PS c:\> Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

without running Convert-MSOLDomainToStandard first?  Would that accomplish having both ADFS and Password Sync?

Thank you, Randy.

DirSync Password sync troubleshooting

Hi, we have set up DirSync with our AD to give our students an Office 365 license. All the sync seems fine but a lot of students can't connect to the Office 365 portal. We need to reset the student's AD password with the same password, and after a couple of minutes he gets access. Some others don't need to be updated like that. I don't know why some AD accounts seem not to sync the password the first time, but if we reset it, they can.

How can I troubleshoot it, or how can I force a password sync for all users?

I tried set-fullsyncpassword and after that restarted the FIMsync service; I tried the full sync with set-onlinecoexistencesync -fullsync, and without the fullsync parameter too, but nothing changed. The only way to force a password sync again is per user, if we reset it in the AD tool, or by the user himself if he changes his password on the computer where he is logged in.

Thanks


Is it possible to have both a "Microsoft Account" and "Organisational Account" with the same email address to co-exist in the same AAD

Hi,

I am having a brain meltdown today, mainly because I am sure I've done this in the past but I am starting to think I might have dreamt it all!

Is it possible to have both a "Microsoft Account" and "Organisational Account" with the same email address to co-exist in the same AAD? As mentioned, I am sure I've had this working before but I can't get it to work now; maybe something in MS land has changed or maybe I've lost more brain cells than I first thought.

Thanks

Rob

MIM microsoft identity manager 2016 setup for multiple tenants sync

I am going to build out a hybrid 2013 deployment and they want multiple tenants in O365 and to use MIM to sync them filtered by OU like FIM did. Does anyone have any drawings or details on how this is accomplished for multiple tenants?

MIM 2016 does not have much out there yet to review.

What are the requirements for MIM? I know SQL, SharePoint, but what AD levels are supported?

RBAC with Azure Active Directory

I'm trying to setup Role-based access control in the Azure Preview Portal using Azure AD accounts.  In the full (non-preview) Azure Portal I have added an existing Azure AD (an Office 365 account).  I can now view the users and groups in that Azure AD from that Portal.

My understanding is that I should be able to go to the Azure Preview Portal and assign access control to resources and subscriptions using the users and groups in that Azure AD. When I try to do this, it does not find those users. I can only assign users with Microsoft Accounts.

I've looked here: http://weblogs.asp.net/scottgu/azure-sql-databases-api-management-media-services-websites-role-based-access-control-and-more
and here: https://azure.microsoft.com/en-in/documentation/articles/role-based-access-control-configure/
But I don't see any additional steps that I'm missing.

Am I missing something? Should this work?

Thank you,
Tony Bianucci

AD FS 2.0 and Azure AD Connect Compatibility

Hi,

We are in the process of designing a solution around Microsoft Intune and would like to utilise Single Sign-On. In order to do this we need to use Azure AD Connect and we would like to use the SSO federated option. The on-premise infrastructure consists of an existing AD FS 2.0 farm that is running on Windows Server 2008 R2.

I've logged a case with Microsoft Support but they are unable to categorically tell me that this configuration will not work.

Is anyone able to assist with my query?

Thanks

Cormac

AD sync not removing unwanted users and groups

I set up an Azure AD sync.

I made the mistake of following the wizard and syncing my whole AD. When I try to filter to sync only the OU I want in Azure, the erroneously synced groups and users don't go away in Azure when I try to apply a filter.

I found this locked thread https://social.technet.microsoft.com/Forums/en-US/e9cafccd-cea2-44af-b36c-13eaa0454c3c/dirsync-not-removing-nonsyncd-users?forum=windowsazureaditpro but it does not help me.

There are hundreds of unwanted users; I don't want to remove them manually. Someone help, or just tell me how to remove it all and start again.


CarolChi

AAD and On-Premise AD writeback sync Password reset

Good day,

I am having an issue with Azure AD writeback and the self-service password reset. Everything is set up correctly according to MS documentation etc. (Azure writeback + password reset service, AAD Premium etc.). If I create a user in AAD everything is fine (I can reset the password without problem). As soon as I try to change the password for a user created by our local AD, I get to email verification (and the code is delivered to the alternate email address). But after I click Submit new password I end up with an error page that says "And unsolvable issue appeared in your account configuration." And I can't get past this. In local AD I delegated the control for changing passwords by users. I even tried to install the KB 2386717 update for our server but without any success. Any ideas how to make this work?

Servicenow(calgary) Integration with Azure AD

Hi,

I am trying to implement SSO on ServiceNow (Calgary) with Azure AD. The tutorial has steps listed to configure some things in a ServiceNow page which isn't there in ServiceNow.

https://msdn.microsoft.com/library/azure/dn510971.aspx

Did anyone integrate with the ServiceNow Calgary version?

When I try user provisioning it shows the error below, but the instance name and admin creds are all entered right!!

"Your ServiceNow instance name appears to be invalid. Please provide a current ServiceNow administrative user name and password along with the name of a valid ServiceNow instance."


Graph API - ActiveDirectoryClient error

Hi,

I have to query the Graph API of Azure Active Directory and get the current user's photo. I have the following code, but I am facing a problem with it. I am able to acquire the token, but after the token is returned from the AcquireTokenAndInvoke() method, the code just hangs. No exception is thrown, nor does it continue with the execution. The control doesn't return to the GetActiveDirectoryClient() function. Can anybody help with this?

public static async Task<string> AcquireTokenAndInvoke()
{
    string token = null;
    try
    {
        AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/tenant.com", false);
        ClientCredential clientCred = new ClientCredential("clientcred", "appkey");
        AuthenticationResult res = await authContext.AcquireTokenAsync("https://graph.windows.net/", clientCred);
        if (res != null)
        {
            token = res.AccessToken;
        }
        else
        {
            id = "temp";
        }
    }
    catch (Exception e)
    {
    }
    return token;
}

public void GetActiveDirectoryClient()
{
    try
    {
        Uri baseServiceUri = new Uri("https://graph.windows.net/tenant.com/");
        ActiveDirectoryClient activeDirectoryClient =
            new ActiveDirectoryClient(baseServiceUri, async () => await AcquireTokenAndInvoke());
    }
    catch (Exception e)
    {
    }
}

Unable to remove Azure AD Premium trial plan from AAD instance

Hi all, I've been digging around for a while now and haven't seen anything that could help, so I figured I would ask. I set up a test Azure AD instance in our Azure portal and was trying out some Azure AD Premium features with a trial license plan that you can assign to that instance. The trial expired and now I'm trying to remove the Azure AD instance, but it doesn't seem to let me, giving the error:

  • Directory has one or more subscriptions to Microsoft Online Services.

I suspect the trial for AAD Premium is the subscription it is complaining about, but wasn't sure if there was a way to delete that license plan? Is the only way a support ticket, or is there something I can do to delete it through AAD PowerShell?

Thanks in advance...

Deleted AD Users not Deleted from AAD following Delta Sync?

Currently, when AD users are deleted on-prem and we run our delta sync, we're noticing that users are not being deleted from AAD. However, if we run a full sync, the users get deleted. Any thoughts on why this could be? We have not made any modifications based on attribute filtering from the default. We are doing this using AAD Sync.

Grant Admin Consent for an Application in AAD using Graph API

We are developing an application which will go ahead and register applications in AAD. We are successfully able to achieve that using the Graph API. But whenever a user tries to access the application, he/she is shown a consent form. So we searched about it and figured out that it's due to the non-availability of Admin Consent. So, every time we register an application with AAD using our portal, a global admin user has to manually log in and edit the display name of the application, in order to facilitate Admin Consent, so that users are not shown the consent form. As per the article mentioned below, the facility of adding Admin Consent through the Graph API has been deliberately removed, if I understand it correctly.

http://blogs.msdn.com/b/aadgraphteam/archive/2015/03/19/update-to-graph-api-consent-permissions.aspx

If I am wrong can somebody guide me to any resource which shows, how we can do it using Graph API.

If the article is correct, is there any way by which we can programmatically grant admin consent to the registered application, without the admin physically logging in and trying to do so? We can also go the PowerShell route if required.

Windows 10 Enterprise setup using sign in Office 365 log in credentials

Two clean installs, Windows 10 Enterprise desktops. Both use Office 365 domain sign-in credentials. At time of setup Azure security policy applied.

Issue: both desktops, having completed setup, state under (This PC, Properties window) that the desktops are members of a workgroup. Desktops use the same Office 365 sign-in (same person) yet cannot share documents. Although apply everyone full rights share and it is possible to share documents.

Where is this Azure security policy stored in the Azure portal, and how can I allow specific users or groups to share folders, drives etc.? For example, on both desktops I sign in using an account with global administrator rights.

Can I assume Microsoft Channel 9 Microsoft Azure Fundamentals: (09) How Do I: Manager Users, Subscriptions Roles, and Directory Roles explains how to overcome this? I've looked at Microsoft Virtual Academy as well but cannot find the right course covering this issue.

Thank you.


Christopher Bird
