Channel: Azure Active Directory forum

Office 365 Unified API - Missing UPN claim error

Hi there,

I have been following along with the lab located at http://dev.office.com/hands-on-labs/4585 - however, on step 1 of the "Issue Requests to the Unified API's REST Endpoint" section, I end up getting an error saying "Missing UPN claim." when I attempt to send a request through Fiddler to https://graph.microsoft.com/beta/me. 

Has anyone else encountered this and managed to get past it?

Cheers


Redirect Loop to Reply URL - AZURE Web APP

Hi,

I am trying to develop an Azure AD web app using the Azure AD library for JS. I am facing the issue below:

If I am not logged into Azure AD but am logged in to http://portal.office.com and try to access the sign-on URL for the Azure web app, it is able to log in and get an auth token for the app (OAuth2), but while trying to acquire an app token for accessing a specific resource, in my case https://outlook.office.com, it goes into a page redirect loop to the reply URL before finally getting the app token.

Can anyone please help me with this.

Creating Users for Web App

Using Azure active directory, do my clients/users logging on to an application via our website need to have a Microsoft account and login?

Azure AD Connect (Attribute Filter) Extended Attribute 1 - Rule Editor

I have 3 scenarios with Extended Attribute 1.

It is either filled in with a specific string value pertaining to this user's role, which can be either "Staff" or "Student", or there are users with a blank Extended Attribute 1.

I want to create an additional rule in the Synchronization Rule Editor to filter out these users with no value filled in and not sync them to Azure AD. I do not want to touch the default rules created by the installation.

Hope you can help.

Azure AD integration frustration

I’m trying to integrate our on-prem AD with Azure. I installed Azure AD Connect and ran the express install. During the installation it asks for the Azure AD credentials. In Azure, my work email address is a global administrator. We also have an Office 365 account - upon creation I had to create a user, me@blabla.onmicrosoft.com, which is what I log into the Office 365 admin center with to administer users. When running Azure AD Connect it will NOT take my work email address for the Azure credentials - it’s looking for an @blabla.onmicrosoft.com user name. I used my Office 365 @blabla.onmicrosoft.com credentials and it worked. However... it synced all the users into Office 365 and NOT Azure. This is driving me crazy. I’ve read tons of articles, blogs and forums. I don’t want all the users in Office 365, I want them in Azure. I don’t know how to fix this. Thought I would reach out to the forum before I HAVE to call Microsoft.


Missing B2C Manage settings

From: Murali Sarala @SaralaMurali via Twitter

When I create AD B2C I don't see the Manage B2C Settings page but I see the normal settings page, see image:

I expect to see:

AzureSupport provides the following documentation: http://aka.ms/d720128

Thanks,

@AzureSupport

REST query for ExtensionAttribute or CustomAttribute

I can successfully query graph.windows.net and retrieve user data from our AD/directory. I'm using Excel's Power Query. Works awesome.

However, I need to limit my REST query to filter out certain user accounts given their value in ExtensionAttribute5.

I've tried this query:

https://graph.windows.net/<MYDOMAIN>.com/users?api-version=2013-11-08&$filter=accountEnabled+eq+true+and+ExtensionAttribute5+eq+'Vendor'

I understand we are syncing these ExtensionAttributes, though this version of the API does not seem to let me use them either as a filter or retrieve their values.

I am not an Azure AD admin, nor do I have rights to edit schemas.  My company will not do this for me either.

Am I doing something wrong?

Azure AD Connect "Unable to install the Synchronization Service..."

Our 365 dirsync has been down all day. I called in at 6:30 this morning, and spent hours on the phone with support, and they still can't get it to work.

Dirsync 1.0.6 worked fine until a couple days ago. Then it stopped working, and the config tool threw errors. So I called it in. After waiting 2.5 hours for a callback I gave up and uninstalled then tried to reinstall. Got "Could not install SQL Express" errors. Tried the 1.0.7 version of Dirsync. Same issue. (Fully installed, removed related users and groups from local machine, deleted directories, etc. I've been through this before.)

The support guy had me try AD Connect. But THAT throws an error. Here is what I think is the relevant part of the log. It ends with a 1639 error. Anybody have any better ideas while I continue to wait for MS Support to figure it out?

[13:47:28.857] [  6] [INFO ] Starting Sync Engine installation
[13:47:28.968] [  6] [INFO ] SyncEngineSetup: Using custom service account <enterprise admin account>

[13:47:56.999] [  6] [WARN ] InstallSyncEngineStage.InstallSyncEngineStage: Suppressing exception from settings activity state. Exception follows.
[13:47:57.007] [  6] [WARN ] System.Exception: State not found
   at Microsoft.Online.Deployment.Types.PersistedState.MicrosoftOnlinePersistedStateProvider.SetActivityState(Guid expectedCurrentActivityType, PersistedActivityState activityState)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
[13:47:57.011] [  6] [ERROR] InstallSyncEnginePageViewModel: Error occurred while installing sync engine.
[13:47:57.017] [  4] [INFO ] Starting Telemetry Send
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1639.


Troubleshooting "Insufficient privileges to complete the operation" When Attempting To Read AAD Graph

My company runs an Azure-hosted multi-tenant web app that successfully uses our company AAD to authenticate users but when the app tries to read the AD Graph for an authenticated user it reports the error "Insufficient privileges to complete the operation". The graph read attempts include users, getMemberObjects and checkMemberGroups all using api-version=1.6.

The app has the following delegated permissions in the AAD configure portal: Read all groups, Access the directory as the signed-in user, Read directory data, Sign in and read user profile. No application permissions are set.

In the web app C# server code, an authorization header is created and added to the HttpClient that makes the Graph call.

The same web app registered as multi-tenant against a development AAD with the same delegated permissions granted is able to authenticate users and then read the AD graph to retrieve user and group information. I have not been able to identify any differences in the AAD or web app configuration between production and development.

One difference between the two scenarios is that against the development AAD, the first time an admin user signed in he was prompted to grant permissions for the app to access the AD graph, but against the production AAD the admin user was never prompted.

Any suggestions on troubleshooting this, what settings to check in the production AD or how to force AAD to prompt an admin user to grant access to the AD graph?

Thanks,

Frank Rolinson

Intune/Office365 passwords not syncing after password change 1 week ago

Hello,

Two users changed their passwords one week ago and still need to specify the old password when logging into Intune or Office 365.

Where do I start with this? Sync status shows as successful. Which logs and tools should I use?


Getting exception while creating User in ActiveDirectoryClient

Hi Team,

We have a situation while using the GraphClient API for creating users in Azure Active Directory. When we are simultaneously trying to create multiple new users with different UserNames using the ActiveDirectoryClient we are getting an exception. Though the user is getting created in the Active Directory, we are still getting an exception back as (Another object with the same value for property userPrincipalName already exists). We get this error normally when we have 2 or more concurrent users accessing the User Registration functionality in our web application.

Below is the code snippet we are using.

Step 1:

private async Task CreateUser(UserModel userObj)
{
    ActiveDirectoryClient client = null;
    client = AuthenticationHelper.GetActiveDirectoryClientAsApplication();
    await client.Users.AddUserAsync(userObj);
}

Step 2:

// Single static instance, shared by every caller of the helper.
private static ActiveDirectoryClient _clientAsApplication;

// ResourceUrl, TenantId, Authority, ClientId and AppKey are configuration
// values defined elsewhere in the helper class.
public static ActiveDirectoryClient GetActiveDirectoryClientAsApplication()
{
    if (_clientAsApplication == null)
    {
        Uri servicePointUri = new Uri(ResourceUrl);
        Uri serviceRoot = new Uri(servicePointUri, TenantId);
        _clientAsApplication = new ActiveDirectoryClient(serviceRoot,
            async () => await AcquireTokenAsyncForApplication());
    }
    return _clientAsApplication;
}

Step 3:

public static async Task<string> AcquireTokenAsyncForApplication()
{
    return GetTokenForApplication();
}

public static string GetTokenForApplication()
{
    AuthenticationContext authenticationContext = new AuthenticationContext(Authority, false);
    // Config for OAuth client credentials
    ClientCredential clientCred = new ClientCredential(ClientId, AppKey);
    AuthenticationResult authenticationResult = authenticationContext.AcquireToken(ResourceUrl, clientCred);
    string token = authenticationResult.AccessToken;
    return token;
}


Thanks a lot in advance

Manoj
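As an added example (not the poster's code), the same provisioning flow restructured so that each registration request gets its own ActiveDirectoryClient while the ADAL AuthenticationContext, which caches the app token, stays shared. It assumes the symptom comes from sharing one change-tracking client across concurrent requests; class names and the placeholder configuration values are hypothetical and stand in for the poster's own settings.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example, not the poster's code. Hypothetical class names; the
// configuration values are placeholders for the same settings the poster's
// helper uses (Authority, ResourceUrl, TenantId, ClientId, AppKey).
public static class GraphClientFactory
{
    private const string Authority   = "https://login.microsoftonline.com/<TENANT_ID>";
    private const string ResourceUrl = "https://graph.windows.net";
    private const string TenantId    = "<TENANT_ID>";
    private const string ClientId    = "<APP_CLIENT_ID>";
    private const string AppKey      = "<APP_KEY_FROM_SECURE_CONFIG>";

    // One AuthenticationContext for the process: ADAL keeps its token cache
    // here, so concurrent requests reuse the application token instead of
    // each calling the token endpoint.
    private static readonly AuthenticationContext AuthContext =
        new AuthenticationContext(Authority, false);

    private static async Task<string> AcquireTokenForApplicationAsync()
    {
        var credential = new ClientCredential(ClientId, AppKey);
        // Await the async overload rather than calling the blocking
        // AcquireToken from inside an async lambda.
        AuthenticationResult result =
            await AuthContext.AcquireTokenAsync(ResourceUrl, credential);
        return result.AccessToken;
    }

    // A new client per unit of work. Pending changes are tracked per client,
    // so one caller's save cannot flush entities another caller has added.
    public static ActiveDirectoryClient CreateClientAsApplication()
    {
        var serviceRoot = new Uri(new Uri(ResourceUrl), TenantId);
        return new ActiveDirectoryClient(serviceRoot, AcquireTokenForApplicationAsync);
    }
}

public static class UserProvisioning
{
    // Each registration request uses its own client instance.
    public static async Task CreateUserAsync(IUser user)
    {
        ActiveDirectoryClient client = GraphClientFactory.CreateClientAsApplication();
        await client.Users.AddUserAsync(user);
    }
}
```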

Cannot associate existing Office 365 directory with existing Azure subscription

Let me set the stage first:

I am an Action Pack subscriber - without really understanding what I was doing, I activated my Office 365 benefit (5 E3 seats) and manually created user accounts, etc. The directory in use for Office 365 is not synced or associated with any other on-premises directory, and it has two domains added to it, both of which I own. Let's say "example.com" and "example.net". Then I went out and created an Azure subscription, again using my Action Pack benefits to get the $100/mo credit. When I created this account, I created it using a Microsoft account. Things are running happily - my mail is flowing through Office 365 and my Azure subscription is running a couple VMs, etc. They are in no way associated. It should be noted that there is an Organizational Account in the Office 365 directory with the same account name (let's say, azure@example.com) as the Microsoft Account used to create the Azure subscription. Perhaps this is where I've screwed up.

What I want to do is associate the Office 365 directory with the Azure subscription. I've seen several places that all list the same way to handle this association. Here's an excellent link: http://blogs.c5insight.com/Home/entryid/524/how-to-add-existing-office365-users-to-an-azure-subscription but in general:

  1. Log in to Azure portal using the Microsoft account used to create the subscription (azure@example.com)
  2. Click New --> App Services --> Active Directory --> Directory --> Custom Create
  3. Select "Use Existing Directory" and then click "I am ready to be signed out now."
  4. Sign back in to the Azure portal using the global administrator account of my Office 365 directory (let's say, gadmin@example.com)
  5. Click continue when prompted to (in this case) "Use the "Example" directory with Microsoft Azure"
  6. Sign back out of the Azure portal, and sign back in with the original account used to create the Azure subscription (azure@example.com)

At this point, I'd expect to see two directories associated with the Azure subscription - the default directory created with the subscription, and the directory associated with my Office 365 account. But that's not what happens. The directory is never created, never associated, and I receive no error messages or failure notifications. When I log in to Azure as the account used to create my subscription (azure@example.com), I am prompted to log in as either my Microsoft account or my organizational account - if I select Microsoft account, I see all my azure objects, no problem, and if I select organizational account, I see what's basically an empty Azure subscription. If I log in as my Office 365 global admin account (gadmin@example.com), then I see that same empty Azure subscription. I've tinkered with permissions, created co-admins, etc, but nothing seems to resolve the issue.

What seemed to happen was that a brand new (and empty) Azure subscription was created, with my Office 365 global administrator account (gadmin@example.com) as the administrator, and which is associated with the Office 365 directory.

So, what I want is to have my Office 365 directory associated with my Azure subscription, so that I can log in to my Azure subscription with my organizational accounts. Is this not possible with the way that I originally set things up? I can't figure out any way to submit any kind of support ticket (short of paying by the incident, which I don't feel I should have to do when this appears to be a functionality issue with the product...).

Thanks in advance,
Andrew


Andrew Topp


domain verification...twice...

Patience with a total newbie here please. I added our domain name to Azure, verified, all was well. NOTE HERE - we also have an O365 subscription that is NOT connected to our Azure subscription (found this out later) and also added our domain name to O365, verified and all is well.

I’m trying to integrate our AD with Azure. Ran the connector, all the users showed up in O365 but not Azure - this is another problem I’m going to work with MS on. Problem now... I deleted our domain name from Azure (not a good idea, I know) and am now trying to add it back but am getting “can not verify the domain”. I ran across this post: https://social.msdn.microsoft.com/Forums/azure/en-US/8dfae0c7-eb4e-48dd-a548-fe29a88304a0/verify-custom-domain?forum=windowsazurewebsitespreview which states you cannot add the same domain in different Microsoft services AT PRESENT. Is this still true? If so, it states to remove and update the DNS records to be able to use it in Azure. Is the person saying the TXT record for the O365 verification needs to be removed? And would the first Azure TXT record need to be removed also?

Azure AD Connect Export Configuration

Hello everyone

I have installed an Azure AD Connect (AAD Connect) server, and it is functioning successfully.

I am starting the process to install a second AAD Connect server as a staging server.

Is there a way to export the configuration from the first server to allow an import on the second server? When installing the staging server the usual wizard starts, and to complete the install I need to enter some synchronization information; then I could import the MA configurations from the other server. Is there other configuration outside of the MAs needed? That just seems a bit clunky.

On the staging server I can run the azureadconnect.exe to get the Import configuration wizard, but on the active server, the azureadconnect.exe cmd to start the wizard with the "Export Settings" (as when run on a legacy Dirsync server) just starts the usual post install wizard.

Summary: how to export the configuration of an Azure AD Connect server to allow it to be imported on a second staging server.

Thanks

Alexis


QAlexis75

Installing dirsync without a Users container?

I'm trying to set up dirsync but can't finish the initial config because it fails when it tries to create the MSOL_AD_sync user account. Our issue seems to be that when our domain was set up the default AD containers were renamed and OUs were created in their place with the same name. This means we no longer have a Users container but we do have a Users OU. The event log includes the following, which seems to be my problem:

System.Management.Automation.CmdletInvocationException: There is no such object on the server.
---> System.DirectoryServices.DirectoryServicesCOMException: There is no such object on the server.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()

Does anyone know if it is possible to install dirsync without using the Users container?  Thanks


Users are not syncing to Azure AD

Hi,

I have installed the AAD Connect tool on an Azure VM and configured it to sync to an Azure AD.

Everything seems fine (setup and synchronization service manager) but the users are not syncing?

Where should I look for problems?

O.

Password Expiration for Synced Active Directory Users

We synchronize our on-prem AD (including passwords via Password Synchronization) to Azure AD, and have remote users who primarily log in to Azure AD services (i.e. Office 365) and seldom log in to our on-prem AD. As described in https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-implement-password-synchronization/#password-policy-considerations , we've noticed that these users do not receive notifications in Office 365 and other Azure AD services that their passwords are about to expire - or that their passwords have expired.

Is it at all possible to implement Password Expiration in Azure AD for users synchronized from an on-prem AD environment? Considering that we have Password Synchronization implemented, I would have liked to see this implemented by default.

Is this feature planned or on the roadmap for Azure AD synchronization?

How to pass auth token between Web App and API App (both hooked up with AAD)?

We have an API App in Azure that we have protected with AAD. If I log in with the browser, I can then access my methods, and if not logged in, I can't (as expected).

We are going to be calling this API from a Web App that we just published.  The Web App is also locked down with AAD.  In the same browser, I can log into the website, and into the API.  I can use the site, and I can call my methods in the API.  The website, however, gets the "Permissions for service "[name]" are set to public auth but no authentication was associated with the request."

The Web App and API App are both in the same resource group, and I was hoping that it would just "work." I am assuming I need to do something in code (my website is AngularJS, btw, so the requests to the API are actually coming from client-side JavaScript) where I obtain the x-zumo-auth header and forward that to the API (which works when I do it in Postman).

Also, will these two apps share the same auth token, or am I having to log them in separately?

thanks!

MSOnline module displays no commands in get-module

I have installed the Microsoft Online sign-on assistant and the current version of the Microsoft Windows Azure Active Directory module; however, the list of exported commands is blank when running Get-Module -ListAvailable MSOnline. The module loads but I do not have access to the cmdlets. I have already uninstalled and re-installed both the online assistant and the Azure Active Directory module but this has not helped.

***** This posting is provided "AS IS" with no warranties, and confers no rights.

Support of Delta Aggregation

Hi,

We are trying to add support for delta aggregation for MS Azure AD. Our application is configured on Azure AD. We want to aggregate only the accounts changed/modified since the last full aggregation. How do we add support for delta aggregation of Azure AD accounts?