User stuck when site logs him in with hotmail account instead of his AD account

I have a site with single sign-on through an Azure AD on the same Azure platform. It works fine when logging in as a user from AD, but if I'm logged in to my Hotmail with my Windows account and try to log in to my site, then my site will try to log me in with my Windows account, and it gives the following error:

Correlation ID: 8b6b1487-6acf-45bb-90e3-2b790f4edf40

Timestamp: 2015-09-16 20:48:43Z

AADSTS50020: User account 'xxx@phmetropol.dk' from external identity provider 'https://sts.windows.net/a522aa78-7419-49dc-ab5b-d757f96c8883/' is not supported for application 'https://bygdrift.onmicrosoft.com/'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

 

My issue is that I can't help a user who gets stuck on this error page. There are no buttons the user can click to get back to my site, and no automatic redirect.

The site that I am testing with is a pure example from GitHub: github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet

 

Can I do anything to redirect the user away from the error page?


Federation Metadata for Azure Single Sign out

I'm having trouble getting Azure Single Sign out (SAML) to work as stated on http://msdn.microsoft.com/en-us/library/dn195588.aspx.

Single Sign on works just fine, but Sign out gives me the following error:
"ACS75015: Saml relying party's logout endpoint Url is required to process the LogoutRequest."

I sent the following logout request:

<samlp:LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                     ID="idaa6ebe6839094fe4abc4ebd5281ec780"
                     Version="2.0"
                     IssueInstant="2014-01-31T07:10:49.6004822Z"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[Issuer matches APP ID URI in Azure Active Directory]</Issuer>
  <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[Valid user email]</NameID>
</samlp:LogoutRequest>

Like so:

https://login.windows.net/[valid id]/saml2?SAMLRequest=[SAML-Redirect encoded request]&RelayState=3b48f8f2-ae1b-49fa-bed5-7dbbc69d6d7b

I have a Federation Metadata document (hosted using a self-signed SSL cert, if that makes a difference) that looks something like this:

<?xml version="1.0" ?>
<md:EntityDescriptor ID="_25ab87e1-5861-4051-aebb-2ac72b8d1f5e"
                     entityID="[ID matches the APP URI ID in Azure Active Directory]"
                     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_25ab87e1-5861-4051-aebb-2ac72b8d1f5e">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>[digest]</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>[signature value]</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>[modulus]</ds:Modulus>
          <ds:Exponent>[exponent]</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus>[modulus]</ds:Modulus>
            <ds:Exponent>[exponent]</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="[logout url]"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="[login url]"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Can anyone offer advice as to what ACS75015 means and how to fix it? Searching Google and Bing for info returns very little useful information.
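An added check, not part of the post above: in SAML 2.0 metadata a service provider (relying party) publishes its endpoints under md:SPSSODescriptor, while md:IDPSSODescriptor describes an identity provider. The script below parses two constructed metadata samples, one shaped like the posted document and one with the logout endpoint under SPSSODescriptor, and reports whether a relying-party SingleLogoutService is present; that this is what the ACS75015 message refers to is an assumption, not something the thread confirms.

```python
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace

# Constructed sample mirroring the posted document: SingleLogoutService sits
# under md:IDPSSODescriptor (placeholders and example.invalid hosts are made up).
POSTED_STYLE = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="https://example.invalid/app">
  <md:IDPSSODescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://example.invalid/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://example.invalid/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample with the same endpoint published the way a service
# provider does it, under md:SPSSODescriptor.
SP_STYLE = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="https://example.invalid/app">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://example.invalid/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://example.invalid/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_logout_endpoints(metadata_xml):
    """Return [(binding, location)] for every SingleLogoutService that sits
    under an md:SPSSODescriptor, i.e. the ones describing a relying party."""
    root = ET.fromstring(metadata_xml)
    found = []
    for sp in root.iter(f"{{{NS_MD}}}SPSSODescriptor"):
        for slo in sp.findall(f"{{{NS_MD}}}SingleLogoutService"):
            found.append((slo.get("Binding"), slo.get("Location")))
    return found


def diagnose(metadata_xml):
    """Short verdict on where (if anywhere) the logout endpoint is declared."""
    if sp_logout_endpoints(metadata_xml):
        return "ok"
    root = ET.fromstring(metadata_xml)
    idp_slo = root.find(f"{{{NS_MD}}}IDPSSODescriptor/{{{NS_MD}}}SingleLogoutService")
    if idp_slo is not None:
        return "logout endpoint is under IDPSSODescriptor; relying-party metadata belongs in SPSSODescriptor"
    return "no SingleLogoutService found"


if __name__ == "__main__":
    print(diagnose(POSTED_STYLE))
    print(diagnose(SP_STYLE), sp_logout_endpoints(SP_STYLE))
```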

Azure AD Premium

This seems to be the logical place to ask the question.

Can you use on-premises security groups for delegated groups and self-service in AD Premium, or is it just cloud-based groups that can work in this fashion?

If a user wishes to give another user access to a file share which is based on on-premises security groups, is that possible?

I would appreciate a link to any article which may clarify this. I had seen something which states that you cannot, but I needed to confirm.

Need to get a list of particular users from Azure AD using Graph API

Hi Team,

I am working on a requirement where I need to get a list of particular users using the Graph API. Can you please help if there is any filter support to get a particular list of users from Azure AD using the Graph API? I see a filter search where I can get a particular user using mail, userPrincipalName, etc. But what I need to know is if there is any filter support where I can pass some 4 or 5 mails, userPrincipalNames, etc. to get all those matching users from Azure AD.
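An added example, not from the post or from Microsoft's SDKs, assuming the Azure AD Graph endpoint and api-version 1.6 used elsewhere in this thread: it builds a single $filter that matches several userPrincipalName (or mail) values with an or-chain of eq comparisons, escapes single quotes the OData way so a stray quote cannot break the query, and reports which requested accounts were absent from a constructed sample response.

```python
from urllib.parse import urlencode

GRAPH_BASE = "https://graph.windows.net"  # Azure AD Graph endpoint used in this thread


def odata_literal(value):
    """Quote a string literal for an OData $filter: a single quote inside the
    value is escaped by doubling it."""
    return "'" + value.replace("'", "''") + "'"


def build_filter(prop, values):
    """Match any of several values on one property (userPrincipalName, mail)
    as an 'or' chain of eq comparisons, which Azure AD Graph $filter supports."""
    if not values:
        raise ValueError("at least one value is required")
    return " or ".join(f"{prop} eq {odata_literal(v)}" for v in values)


def build_users_url(tenant, prop, values, api_version="1.6"):
    """Full GET URL for /users with the multi-value filter, URL-encoded."""
    query = urlencode({"api-version": api_version, "$filter": build_filter(prop, values)})
    return f"{GRAPH_BASE}/{tenant}/users?{query}"


def unmatched(prop, requested, response_json):
    """Requested values that did not come back (case-insensitive; an absent
    or null property, e.g. mail = null, simply never matches)."""
    found = {(u.get(prop) or "").lower() for u in response_json.get("value", [])}
    return [v for v in requested if v.lower() not in found]


# Constructed sample in the shape Graph returns for GET /users (values made up).
SAMPLE_RESPONSE = {
    "odata.metadata": "https://graph.windows.net/contoso.invalid/$metadata#directoryObjects",
    "value": [
        {"objectId": "[objectId placeholder]", "userPrincipalName": "alice@contoso.invalid",
         "mail": "alice@contoso.invalid"},
        {"objectId": "[objectId placeholder]", "userPrincipalName": "Bob@contoso.invalid",
         "mail": None},
    ],
}

if __name__ == "__main__":
    wanted = ["alice@contoso.invalid", "bob@contoso.invalid", "carol@contoso.invalid"]
    print(build_users_url("contoso.invalid", "userPrincipalName", wanted))
    print(unmatched("userPrincipalName", wanted, SAMPLE_RESPONSE))
```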

Is Azure AD the right product for the company I am working for?

Hello,

I work for a small company of about 50 users. We currently have an Office 365 package in place where we assign E3 licenses to users. We also have a Dropbox for Business license for file storage and sharing. We deploy laptops to full-time staff and temporary consultants to use when in the field. As we are a small business, we have been purchasing laptops with Windows 8 Home and Home Premium, with a few on Professional. Can Azure AD be applied to these versions of Windows (I assume Professional would be able to)?

After a few incidents with laptops which are deployed into the field, I want to try and secure laptops by assigning user rights to make sure users are not allowed to install applications apart from the ones that are installed pre-deployment. I did try and set this up via a simple admin and standard account, where the user would use the standard account. However, I have found this has not worked. Can Azure help with this by managing user rights via the email account they have from Office 365? (So when they log into a computer they log in via their Office 365 details.)

Thanks

What does Azure Google provisioning do with existing accounts or accounts created in Google that are not matched?

I am trying to activate Azure provisioning on an existing production Google Apps installation. I am adding a single user in Azure and want to enable the provisioning. I am concerned about how this will affect the other accounts - the ones not related to the Azure provisioning.

So my questions are as follows:

  1. Can the target SaaS platform (e.g. Google) have users that are unaffected by Azure AD?
  2. If I configure Azure provisioning with Google, what happens to existing Google (SaaS) accounts that do not have matching accounts in AD, or accounts created in the Google space that are intended to be Google-only?
  3. I assume the accounts are matched by user name?
  4. Do they remain independent?

Appreciate your time.

Brian.

What IPs and Ports do we need to open in the firewall to allow connections to Azure AD?

We have an application sitting behind a firewall, and we need to open up the ports and destination IPs that are required to connect to Azure AD.  Does anybody have this information?

Azure AD Connect and ADFS

Hi,

I have read the following from Microsoft

If ADFS is configured on-premises, I can use Directory Sync with Single Sign-On. Using this approach, on-prem AD password hashes wouldn't sync to Azure AD because users authenticate in on-prem environment.

Two questions:

1) Will the user be able to use Azure's self-service password reset feature to reset their on-prem AD password?

2) Can the above approach also be set up using the latest Azure AD Connect tool? (I am assuming that by Directory Sync, Microsoft means the DirSync tool.)

Unable to use Microsoft Account for authentication with native Azure AD Application

I am trying to use my Microsoft account (which I also use to sign in to the Azure portal) to sign in to my native Azure AD application. I successfully get an authorization code, but I cannot redeem it for an OAuth2 access token, due to the following error. It does work with my test Azure AD account.

{
  "error": "invalid_grant",
  "error_description": "AADSTS65001: No permission to access user information is configured for '33818de2-01b3-4731-b032-9dd2b41da30a' application, or it is expired or revoked.\r\nTrace ID: 3424d13f-dff8-435f-8447-5ab3a1a05ad6\r\nCorrelation ID: c70241f5-bf88-434a-81e9-4fe276ff8cb2\r\nTimestamp: 2015-09-30 09:13:58Z",
  "error_codes": [
    65001
  ],
  "timestamp": "2015-09-30 09:13:58Z",
  "trace_id": "3424d13f-dff8-435f-8447-5ab3a1a05ad6",
  "correlation_id": "c70241f5-bf88-434a-81e9-4fe276ff8cb2"
}

Getting Authorization Code:

https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=33818de2-01b3-4731-b032-9dd2b41da30a&resource=https%3A%2F%2Fmanagement.core.windows.net&redirect_uri=urn:ietf:wg:oauth:2.0:oob

Requesting Access Code:

POST https://login.windows.net/Common/oauth2/token

resource: https://management.core.windows.net/
client_id: 33818de2-01b3-4731-b032-9dd2b41da30a
grant_type: authorization_code
code: AUTHORIZATION CODE HERE
redirect_uri: urn:ietf:wg:oauth:2.0:oob

Graph API throws 404 Error when updating, after Powershell New-MsolUser (Create User)

Hello,

I am using PowerShell to create Azure AD (onmicrosoft.com) user profiles.

I also have to use a Graph API service because Azure AD does not have a field for employee number, so I am using an extended attribute.

Anyways, I am using [https://graph.windows.net/ ... -ContentType "application/json" ...] to invoke this rest service

My script will cruise along just fine adding users, and then all of a sudden I will get a 400 error, out of the blue. I can really cut this down by adding a 30 second delay, but that really makes the script drag along.

When you use New-MsolUser to create a user, are you really just adding an entry to a queue, to eventually create the user?

I am going to try sitting in a loop and querying the user profile, utilizing Graph API, and then break out of the loop as soon as I get a filled response. That's just extra network traffic and noise, so I would rather not go down that path.

Is there a recommended way that I should handle waiting for the user to be ready, before invoking a Graph API service?

Notes:

Library: Microsoft.IdentityModel.Clients.ActiveDirectory.2.19.208020213\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll

API Version: [?api-version=1.6]

Thank You,

Jeff P
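The poll-until-visible fallback described in the post above, written as an added example (not the poster's script and not a Microsoft API): a bounded exponential backoff against a fetch() callback that returns the HTTP status and body of GET /users/{upn}?api-version=1.6, so a replication delay costs a handful of requests instead of a fixed 30 second sleep. Which statuses count as "not ready yet" is a parameter, since the post reports both 400 and 404; the fake fetch and its response bodies are constructed for the demo.

```python
import time


class GraphRequestError(Exception):
    """A Graph response that should not be retried."""


def wait_for_user(fetch, attempts=6, base_delay=0.5, max_delay=8.0,
                  retry_on=(404,), sleep=time.sleep):
    """Poll fetch() -> (status, body) until the new user reads back.

    200 returns (body, requests_made); a status in retry_on is treated as
    "not replicated yet" and retried after an exponentially growing delay;
    any other status raises GraphRequestError. `sleep` is injectable so the
    schedule can be inspected without waiting."""
    delay = base_delay
    for attempt in range(1, attempts + 1):
        status, body = fetch()
        if status == 200:
            return body, attempt
        if status not in retry_on:
            raise GraphRequestError(f"unexpected HTTP {status}: {body}")
        if attempt < attempts:
            sleep(delay)
            delay = min(delay * 2, max_delay)
    raise TimeoutError(f"user not visible after {attempts} requests")


def make_fake_fetch(not_found_times, upn="jdoe@contoso.invalid", status=404):
    """Constructed stand-in for the Graph call: fails `not_found_times`
    times with `status`, then answers 200 with a made-up user object."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        if calls["n"] <= not_found_times:
            return status, {"odata.error": {"code": "[error code placeholder]"}}
        return 200, {"userPrincipalName": upn, "objectId": "[objectId placeholder]"}

    return fetch


if __name__ == "__main__":
    sleeps = []
    body, n = wait_for_user(make_fake_fetch(3), sleep=sleeps.append)
    print(n, sleeps, body["userPrincipalName"])
```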

Free or Premium Active directory?

Hi,

I am a co-admin of one subscription and I created a directory in that subscription long back; it is handled by a few others in my team. They made changes to the directory, and now I would like to know how to check whether it is the free version of Azure AD or Azure AD Premium.

Can someone help me out on this?

Multi-tenant capabilities in Azure AD Sync or Azure AD connect?

I need to support 1 forest into multiple O365 tenants. The backbone would be MIM 2016 with either Connect or Sync. Which supports multiple tenants?

Cannot see Local AD Groups in Azure AD Management Portal

Hi Everyone,

I'm not an Azure/SharePoint expert or specialist. I was given the task to organize our SharePoint portal, but I've got some complications with what I'd call the "local AD sync to Azure"... I've seen that some (a very few) of the groups in our AD are in the Azure AD, but not all of them, as if the others didn't sync at all. I tried creating a new one but never saw it in Azure AD.

I don't know how to make the other groups appear in Azure AD so I can work with them. I'm very confused. I also tried to change the Primary Domain, but I already know a federated domain cannot be a Primary Domain, so nothing to do with that.

I need to know how to sync the other groups and any newly created group. I'd like someone to help me out on this, please. I'd appreciate it.

Thank you all...

David Santamaria - Network Systems Engineer

Programmatically provision an application for B2C?

Is there an API to programmatically add applications to a B2C directory? I've only been able to locate https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-app-registration/ and the link there to integrate directly with the protocols is self-referencing.

Thanks

Grant Admin Consent for an Application in AAD using Graph API

We are developing an application which will go ahead and register applications in AAD. We are successfully able to achieve that using the Graph API. But whenever a user tries to access the application, he/she is shown a consent form. So we searched about it and figured out that it's due to the non-availability of admin consent. So every time we register an application with AAD using our portal, a global admin user has to manually log in and edit the display name of the application in order to trigger admin consent, so that users are not shown the consent form. As per the article mentioned below, the facility of adding admin consent through the Graph API has been deliberately removed, if I understand it correctly.

http://blogs.msdn.com/b/aadgraphteam/archive/2015/03/19/update-to-graph-api-consent-permissions.aspx

If I am wrong can somebody guide me to any resource which shows, how we can do it using Graph API.

If the article is correct, is there any way by which we can programmatically grant admin consent to the registered application, without the admin physically logging in and doing so? We can also go the PowerShell route if required.

Help - Azure AD Authorization by Groups - Backend Controller

Unless I'm not seeing this correctly (I'm hoping someone can correct me here), this has been a 3 year frustration in trying to apply Azure Active Directory to Mobile Services / Mobile Apps; I'm just about at a melting-down point... every project I try to implement fails and I just don't think it can be done as advertised...

I'm having real trouble finding help on how to use Active Directory to authorize (not authenticate) user groups to a Mobile Services (or ideally Mobile Apps) .NET backend controller.

I just want to add users to an Azure Active Directory group and then, on the Mobile Apps backend, put the attribute [Authorize Group = "SomeGroupName"] at the top of the controller, and that's that.

But no, we are going to have to create our own database tables of UserGroups, then assign Active Directory UserIDs to groups, and then write functions to check if the authenticated user is in the group ON EACH AND EVERY method call... really bad in my opinion. It makes the user groups part of Azure Active Directory really useless for authorization, and frustrating.

Otherwise, regarding authorization, there is no point in using AD over Gmail or Facebook, since the usefulness of AD is exactly the same as Gmail... getting a userID and that's it. Someone please correct me; I know someone somewhere is using AD to authenticate AND authorize backend method calls...

Reading members of a security group randomly throws IndexOutOfRangeException

Hi,

We are trying to read the set of members from a security group using the following code:

// Look the group up by display name (first page of results only)
var foundGroupPages = await _activeDirectoryClient.Groups
    .Where(member => member.DisplayName.Equals(groupName, StringComparison.CurrentCultureIgnoreCase))
    .ExecuteAsync();

var foundGroups = foundGroupPages.CurrentPage.ToList();

IGroupFetcher retrievedGroup = foundGroups.FirstOrDefault() as Group;

// Expand the group's membership
var groupMembers = await retrievedGroup.Members.ExecuteAsync();


The final line above seems to randomly throw the following exception (it works more often than not):

   at System.Array.Clear(Array array, Int32 index, Int32 length)
   at System.Collections.Generic.List`1.Clear()
   at System.Data.Services.Client.AtomMaterializerLog.MergeEntityDescriptorInfo(EntityDescriptor trackedEntityDescriptor, EntityDescriptor entityDescriptorFromMaterializer, Boolean mergeInfo, MergeOption mergeOption)
   at System.Data.Services.Client.AtomMaterializerLog.ApplyToContext()
   at System.Data.Services.Client.Materialization.ODataEntityMaterializer.ApplyLogToContext()
   at System.Data.Services.Client.MaterializeAtom.MoveNextInternal()
   at System.Data.Services.Client.MaterializeAtom.MoveNext()
   at System.Linq.Enumerable.<CastIterator>d__1`1.MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.PagedCollection`2..ctor(DataServiceContextWrapper context, QueryOperationResponse`1 qor)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<>c__DisplayClass4b`2.<ExecuteAsync>b__49(IAsyncResult r)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteAsync>d__4d`2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ActiveDirectory.GraphClient.DirectoryObjectCollection.<<ExecuteAsync>b__2>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---

We are using:

Assembly: Microsoft.Azure.ActiveDirectory.GraphClient, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

Microsoft.Azure.ActiveDirectory.GraphClient.2.0.6\lib\portable-net40+wp8+win8+MonoAndroid10+MonoTouch10+WindowsPhoneApp81\Microsoft.Azure.ActiveDirectory.GraphClient.dll 

Any ideas?

Authenticate Service Management Rest API using Active Directory

Hi,

I want to authenticate to the Service Management REST API using Active Directory. Can you please mention the steps?

I have tried to authenticate using the node.js module as follows, but it shows an authorization error. Please let me know if I have missed anything in the following:

var adal = require('adal-node');
var AuthenticationContext = adal.AuthenticationContext;
var tenantID = "57d091d4-4dae-41e2-9a2b-0bc0644688df";
var clientID = "fd6bec69-7e92-49a0-85b1-affb20a9d7af";
var resource = "https://management.azure.com/";
var authURL = "https://login.windows.net/" + tenantID;
var secret = "E7ZaMHCNqcO4qHzzJm6RI4X7kS7CTVUjNJ/13eCltvI=";
var context = new AuthenticationContext(authURL);

var rest = require('restler');

// Client-credentials flow: the token is issued to the application's service principal,
// so the ARM call below is authorized by that principal's role assignments, not a user's.
context.acquireTokenWithClientCredentials(resource, clientID, secret, function (err, tokenResponse) {
  if (err) {
    console.log('err:' + err);
    return;
  }
  console.log('tokenResponse:' + JSON.stringify(tokenResponse, null, 2));

  // declared with var so they are not implicit globals
  var authHeader = tokenResponse['accessToken'];
  var requestURL = "https://management.azure.com/subscriptions/84da9df4-cf54-4040-9743-9fbbda1903f0?api-version=2015-01-01";
  // restler's accessToken option sends "Authorization: Bearer <token>"
  rest.get(requestURL, { accessToken: authHeader }).on('complete', function (result) {
    console.log('result:' + JSON.stringify(result, null, 2));
  });
});

Response:

tokenResponse:{
  "expiresIn": 3599,
  "tokenType": "Bearer",
  "expiresOn": "2015-08-13T06:03:39.986Z",
  "resource": "https://management.azure.com/",
  "isMRRT": true,
  "_clientId": "fd6bec69-7e92-49a0-85b1-affb20a9d7af",
  "_authority": "https://login.windows.net/57d091d4-4dae-41e2-9a2b-0bc0644688df"
}
result:{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '214810f7-68db-4ed1-97c8-0dbe13df2570' with object id '214810f7-68db-4ed1-97c8-0dbe13df2570' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/84da9df4-cf54-4040-9743-9fbbda1903f0'."
  }
}

Servicenow(calgary) Integration with Azure AD

Hi,

I am trying to implement SSO on ServiceNow (Calgary) with Azure AD. The tutorial lists steps to configure some things on a ServiceNow page which isn't there in ServiceNow.

https://msdn.microsoft.com/library/azure/dn510971.aspx

Did anyone integrate with the ServiceNow Calgary version?

When I try user provisioning it shows the below error, but the instance name and admin creds are all entered right!!

"Your ServiceNow instance name appears to be invalid. Please provide a current ServiceNow administrative user name and password along with the name of a valid ServiceNow instance."

RBAC with Azure Active Directory

I'm trying to set up Role-based access control in the Azure Preview Portal using Azure AD accounts. In the full (non-preview) Azure Portal I have added an existing Azure AD (an Office 365 account). I can now view the users and groups in that Azure AD from that Portal.

My understanding is that I should be able to go the Azure Preview Portal and assign access control to resources and subscriptions using the users and groups in that Azure AD.  When I try to do this, it does not find those users.  I can only assign users with Microsoft Accounts.

I've looked here: http://weblogs.asp.net/scottgu/azure-sql-databases-api-management-media-services-websites-role-based-access-control-and-more
and here: https://azure.microsoft.com/en-in/documentation/articles/role-based-access-control-configure/
But I don't see any additional steps that I'm missing.

Am I missing something? Should this work?

Thank you,
Tony Bianucci
