Channel: Azure Active Directory forum

Graph API throws 404 Error when updating, after Powershell New-MsolUser (Create User)


Hello,

I am using PowerShell to create Azure AD (onmicrosoft.com) users profiles.

I also have to use a Graph API service because Azure AD does not have a field for employee number, so I am using an extended attribute.

Anyways, I am using [https://graph.windows.net/ ... -ContentType "application/json" ...] to invoke this rest service

My script will cruise along just fine adding users, and then all of a sudden I will get a 400 error, out of the blue. I can really cut this down by adding a 30 second delay, but that really makes the script drag along.

When you use New-MsolUser create user, are you really just adding an entry to a queue, to eventually create the user?

I am going to try sitting in a loop and querying the user profile, utilizing Graph API, and then break out of the loop as soon as I get a filled response. That's just extra network traffic and noise, so I would rather not go down that path.

Is there a recommended way that I should handle waiting for the user to be ready, before invoking a Graph API service?

Notes:

Library: Microsoft.IdentityModel.Clients.ActiveDirectory.2.19.208020213\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll

API Version: [?api-version=1.6]

Thank You,

Jeff P
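One way to handle the readiness problem described in this post is to poll the Graph API for the new object with a capped exponential backoff and only then send the update. This is an added example, not code from the original post; the tenant, UPN, access token and extension attribute name are placeholders.

```powershell
# Added example: wait for a user created with New-MsolUser to become readable through
# the Graph API before patching it. Tenant, UPN, token and attribute name are placeholders.
$tenant  = "contoso.onmicrosoft.com"           # placeholder tenant
$upn     = "jdoe@contoso.onmicrosoft.com"      # placeholder user
$token   = "<access token acquired with ADAL>" # placeholder; obtain via AuthenticationContext
$extName = "extension_<appId>_employeeNumber"  # placeholder extension attribute name
$headers = @{ Authorization = "Bearer $token" }
$userUri = "https://graph.windows.net/$tenant/users/$upn?api-version=1.6"

New-MsolUser -UserPrincipalName $upn -DisplayName "Jane Doe" -FirstName "Jane" -LastName "Doe" | Out-Null

# Directory writes are eventually consistent, so a freshly created object can return
# 404 (or 400) for a short while. Retry only those responses; anything else is a real error.
function Wait-ForGraphUser {
    [CmdletBinding()]
    param([string]$Uri, [hashtable]$Headers, [int]$MaxAttempts = 8)
    $delay = 1
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        try {
            return Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
        } catch {
            $status = [int]$_.Exception.Response.StatusCode   # 0 when there is no HTTP response
            if ($status -ne 404 -and $status -ne 400) { throw }
            Write-Verbose "Attempt ${i}: HTTP $status, retrying in $delay s"
            Start-Sleep -Seconds $delay
            $delay = [Math]::Min($delay * 2, 16)              # exponential backoff, capped at 16 s
        }
    }
    throw "User $Uri not visible after $MaxAttempts attempts"
}

$null = Wait-ForGraphUser -Uri $userUri -Headers $headers -Verbose

# The object is now readable, so the PATCH with the extension attribute should succeed
$body = @{ $extName = "E12345" } | ConvertTo-Json
Invoke-RestMethod -Uri $userUri -Headers $headers -Method Patch -Body $body -ContentType "application/json"
```

The total wait is bounded (1+2+4+8+16+16+16+16 seconds at most), so a user that never appears surfaces as an error instead of a silent hang.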




Azure AD Connect Health Alert : Unknown cause


Hi the AD Connect Health Community,

We implemented AD Connect Health Preview one week ago, I really like the interface and the simplicity.

I know that this Service is actually in Preview version, so I expect issues, bugs or misbehavior. So I am asking about this only to see if we can fix it or if I can ignore it and wait for the GA.

The alert says that an agent is not reporting information. The fix is to restart the agents. No luck.

Any idea ?


Regards, Samir Farhat Infrastructure and Virtualization Consultant || Virtualization, Cloud, Azure ? Follow and Ask here https://buildwindows.wordpress.com

Azure AD Connect Installation - Verify Custom Domain - SSO


I get the following error when attempting to run the AAD Connect install.

"An error occurred executing Create AAD Trust task: Exception of type
'Microsoft.Online.Deployment.Types.AzureDomainNotVerifiedException' was thrown."

The log file seems to indicate that it can't find the TXT and MX records for the custom domain. I have verified from an external system (using nslookup) that the DNS records exist and are correct. We are using split DNS where the ADFS service name resolves internally to the on-premise ADFS server and externally to our WAP via a public-facing IP.  My main question is: From what perspective is the install trying to resolve the custom domain (Azure or ADFS or the Azure AD Connect (installation) machine)?  Any other insight would also be welcome.  Thanks

Assign users to custom app in Azure AD


I'm trying to enable SSO using SAML and Azure AD for DeskPro. I've correctly configured SSO, but now I need to assign users to be able to use the app. I have an Azure AD Free or Basic subscription (I'm not sure which, I just know it isn't premium).

Is it possible to assign all users to the app somehow? The Management Portal only allows me to do it one user at a time, which is going to take AGES if I have to assign every user individually.

Thanks!

Configuring AADirectory Connect (PROBLEM during integration)


Our current setup : FIM, ADFS, users in child domain internally. Two separate domains in cloud that are synced. Staff domain and student subdomain.

At the end of the wizard:

We encountered a problem and couldn't complete the integration.

Create AAD Trust

An error occurred executing Create AAD Trust task: An error occurred while executing the 'Update-MsolFederatedDomain' command. The switch parameter SupportMultipleDomain is required here.

"NO SPECIFIC  INFORMATION FOR THIS FAILURE IS AVAILABLE!!!!!"

Emphasis mine.

Well, yeah. No duh, we have multiple domains on our tenant. Why is this not built in? How do I fix this? Nothing on the forums, nothing on the documentation (that I can find anyway).

Get this updated or help me fix it Microsoft.

Help - Azure AD Authorization by Groups - Backend Controller


Unless I'm not seeing this correctly - I'm hoping someone can correct me here, this has been a 3 year frustration in trying to apply Azure Active Directory to Mobile Services / Mobile Apps - just about at a melting-down point... every project I try to implement and fail and I just don't think it can be done as advertised...

I'm having real trouble finding help, how to use Active Directory to Authorize ( not Authenticate ) User Groups to a Mobile Services ( or ideally Mobile Apps ) .Net Backend Controller.

I just want to add users to an Azure Active Directory Group and then on the Mobile Apps Backend put the attribute
[Authorize Group = "SomeGroupName"] at top of controller and that's that.

But no, we are going to have to create our own database tables of UserGroups and then assign Active Directory UserID's to groups, and then write functions to check If the authenticated User is in the Group ON EACH AND EVERY Method call... really bad in my opinion.  Makes the User Groups part of Azure Active Directory really useless for Authorization and frustrating.

Otherwise, regarding authorization, there is no point in using AD over Gmail or Facebook since the usefulness of AD really is exactly the same as Gmail ... getting a userID and that's it.  Someone please correct me, I know someone somewhere is using AD to Authenticate AND Authorize backend method calls...


Web App Page Restriction By AAD Group?


I have the basic default MVC4 web app deployed to Azure from Visual Studio 2015, and login successfully authenticates against Azure Active Directory easily enough. I can't find a guide on how to restrict page access to specific groups though - i.e. Group1 denies access to certain pages, Group2 denies access to different pages, and Group3 with access to all (admin).

The varying articles I've found all illustrate using either the Graph API, Roles or Claims but methods change as Azure has evolved so I'm not sure how to go about this.

Any ideas on page restriction by group in AAD?

Thanks
Adam

Azure Active Directory Connect manual sync?


We have just got our DirSync moved over from FIM to AAD Connect.

In FIM with DirSync you would open a PowerShell and run Start-OnlineCoexistenceSync to do a manual sync if you didn't want to wait for the scheduled sync.

How do you do this in AAD connect?

Thanks!


Will Azure Active Directory B2B collaboration allow us to create Calendar Shares across Clients/Customers/Tenants?

AAD SSO Access Panel Extension for Windows 10 / MS Edge ... When?

Why are we waiting so long for AAD SSO Access Panel Extension for Windows 10 / Microsoft Edge (Project Spartan) browser? Any ETA on this??

Luke Latham, CEO GuardRex Corporation

Reading members of a security group randomly throws IndexOutOfRangeException


Hi,

We are trying to read the set of members from a security group using the following code:

// Look up the group by display name (case-insensitive) and take the first page of results
var foundGroupPages = await _activeDirectoryClient.Groups
    .Where(member => member.DisplayName.Equals(groupName, StringComparison.CurrentCultureIgnoreCase))
    .ExecuteAsync();

var foundGroups = foundGroupPages.CurrentPage.ToList();

// Group implements IGroupFetcher; this is null when no group matched the name
IGroupFetcher retrievedGroup = foundGroups.FirstOrDefault() as Group;
if (retrievedGroup == null)
    throw new InvalidOperationException($"Group '{groupName}' was not found.");

// Fetch the first page of the group's members
var groupMembers = await retrievedGroup.Members.ExecuteAsync();


The final line above seems to randomly throw the following exception (it works more often than not):

   at System.Array.Clear(Array array, Int32 index, Int32 length)
   at System.Collections.Generic.List`1.Clear()
   at System.Data.Services.Client.AtomMaterializerLog.MergeEntityDescriptorInfo(EntityDescriptor trackedEntityDescriptor, EntityDescriptor entityDescriptorFromMaterializer, Boolean mergeInfo, MergeOption mergeOption)
   at System.Data.Services.Client.AtomMaterializerLog.ApplyToContext()
   at System.Data.Services.Client.Materialization.ODataEntityMaterializer.ApplyLogToContext()
   at System.Data.Services.Client.MaterializeAtom.MoveNextInternal()
   at System.Data.Services.Client.MaterializeAtom.MoveNext()
   at System.Linq.Enumerable.<CastIterator>d__1`1.MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.PagedCollection`2..ctor(DataServiceContextWrapper context, QueryOperationResponse`1 qor)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<>c__DisplayClass4b`2.<ExecuteAsync>b__49(IAsyncResult r)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteAsync>d__4d`2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ActiveDirectory.GraphClient.DirectoryObjectCollection.<<ExecuteAsync>b__2>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---

We are using:

Assembly: Microsoft.Azure.ActiveDirectory.GraphClient, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Microsoft.Azure.ActiveDirectory.GraphClient.2.0.6\lib\portable-net40+wp8+win8+MonoAndroid10+MonoTouch10+WindowsPhoneApp81\Microsoft.Azure.ActiveDirectory.GraphClient.dll 

Any ideas?

Application client key limit

We need to generate a number of client keys for an Azure AD application (for the same client id). Is there an upper limit on how many client keys you can generate? Couldn't find this information anywhere.

When will Cortana be supported?

Is there any news as to when Azure AD will provide support for enabling Cortana when a computer is AD joined?

Authorize an AAD Service Principal for Service Management API


Hi,

I am trying to create a service principal that can access Azure Resource Manager APIs and Azure Service Management REST APIs using OAuth. I followed the guide at https://github.com/Azure/azure-content/blob/master/articles/resource-group-authenticate-service-principal.md to create such a service principal. However, the created service principal can only access Azure Resource Manager APIs but not the old Service Management API.

How do I grant the Service Management delegated permission as in

Federated Services/365 Aborted what went wrong?


So we decided we wanted to try using single sign-on/federated services with Office 365. We'd already been using password sync for some time, which seemed to be working pretty well with a filtered test group.

We uninstalled Azure AD connect which was configured for just password sync. Then using a new install of Azure AD Connect we went through all the steps, including selecting our test group. Wizard completed successfully and with the test group accounts we were able to sign-in and single sign on worked. The scheduled sync task on the server was running, however the portal reported that it was not syncing. We had no idea why, so working in IT I thought switch it off and switch it on again! So disabled sync from the portal, message came up about it taking 72 hours, etc, ok.

Over the next few hours users Outlooks/phones started signing out and prompting for password, current passwords were not being accepted. Users in the sync group could still sign-in to OWA, which correctly forwarded to the FS sign-in page. However users who were not in the test group were also being forwarded to the FS page, but their details were not being accepted.

In the end we had to convert the domain back to standard authentication using powershell and completely abort the federated services test.

So now what I'm trying to understand is what went wrong? My conclusions so far,

- When Azure AD Connect converts a domain from Managed to Federated, all users on that domain have to sign in with federated services, regardless of a filtered group.

- The filtered group is only really there for password sync.

- Maybe deactivating the sync stopped users' Outlooks/phones from signing in and started the trouble?

So am I correct? Is it possible to test federated services on a live domain with only a selected test group? Would just appreciate some thoughts and advice before we make the next attempt.

So


Does Azure AD Support Service Provider Initiated SAML Flows?


I've searched these forums and the internet and cannot seem to find a definitive answer.  I have the opportunity to test some SAML SSO integration with an Oracle cloud product, but I am being asked:

"Oracle will only work in this project for Service Provider initiated SSO to be tried out with Azure. Oracle will not work on any other type of SSO support. If you are not sure whether Azure AD supports "Service Provider initiated SAML flows" you may contact Azure support to find it out."

Can someone on here confirm either way if that is supported?

When I look at this link (from Sept 2014):

http://blogs.technet.com/b/ad/archive/2014/09/03/50-saas-apps-now-support-federation-with-azure-ad.aspx

It specifically says: 

"In addition to all these new apps we are also now providing support for service provider (SP) initiated authentication, which allows users to do things like visit an app's web site to sign in directly, or sign in using downloadable client apps. We support service-provider initiated authentication for all of the pre-integrated SAML-based apps that support it in our gallery. This includes the recently integrated apps, as well as existing integrations like Salesforce, Dropbox for Business, Google Apps, ServiceNow, and Box."

This link, (as of June 2015) says it is now in preview! (Is there something special I need to do to turn on preview?):

http://blogs.technet.com/b/ad/archive/2015/06/17/bring-your-own-app-with-azure-ad-self-service-saml-configuration-gt-now-in-preview.aspx

"So today, I am happy to announce that we have turned on the preview of Self-Service SAML 2.0 configuration for Azure Active Directory. Now customers can configure Azure AD to work with any application that supports service provider initiated SAML 2.0 signin!"


Jamie

OpenIdConnectDiscoveryEndpoint - Set-MsolDomainAuthentication


Hi

Does anyone have experience with using the OpenIdConnectDiscoveryEndpoint parameter in Set-MsolDomainAuthentication?

https://msdn.microsoft.com/en-us/library/azure/dn194112.aspx

Can this parameter be used to implement logon with OpenID Connect from a federated identity provider?

If so, does any example exist on how to set this up?

Br. Rune Myrhaug

Active Directory reports that it can't find an "A" record in DNS


From Ronald Carter 

@Ronald_Carter via Twitter

"I am able to successfully verify office 365 sso but it reports the user isn't in 365 which is expected. Unfortunately the Active Directory Connect is still reporting that it can't find a A record in DNS for the site http://fs.phps.vic.edu.au"

Over DM


Thanks,

@AzureSupport


Getting unauthorized message from REST Web API secured by Azure AD


Hello,

I am working on accessing a custom REST API secured by Azure AD from a native client application (Console Application). Below is the process I followed; please suggest if I am missing any step/configuration:

1. Created ASP.NET WEB API project(Default Visual Studio WEB API template with Authentication as School or Work Account) and published it to Azure under Web Apps.

2. Created native application (Console Application) and implemented code to get Access Token using Azure Active Directory Library for .NET.

3. I am able to get an Access token from Azure AD, however after passing the same token to the REST WEB API in the Request Header, I am getting response status code as Unauthorized and message as 'Authorization is access denied for this request'

Can someone please help me to resolve this.

Thanks in advance.


Regards, Sagar Acharya acharya.sagar@hotmail.com

ADMA credential change to default every time re-enable password sync.


Good day everyone,

Just want to ask if this is correct behavior: every time I run the full password sync PowerShell as below:

$adConnector  = "xxx.net"                       # on-premises AD connector name
$aadConnector = "xxxxx.onmicrosoft.com - AAD"   # Azure AD connector name
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
# Global connector parameter that forces a full password sync on the next cycle
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
# Replace any existing value of the parameter and save the connector back
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
# Toggle password sync off and on so the full sync is triggered
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

and then my ADMA credential goes back to my default forest credentials when I check in miisclient.

Thanks in advance.
