Channel: Azure Active Directory forum

App-only Permissions to set user password?


What permission is required for an application (without a signed in user) to set a user's password?  I have an existing app that appears to be broken.  It uses an older version of the Graph API.  I would like to just fix it, but would consider rewriting with a newer version.  But I need to know if the app-only permission for setting/resetting a user's password has been intentionally removed?

Details:

I have an application written in 2013 using version 2013-04-05.  Until recently it was able to successfully update a user's password to a generated temporary value.  This was done after a workflow that relies on external data.  This is all self service for a user who has forgotten their password so there is no user signed in.

At some recent time a change appears to have been introduced that causes this update to return "Insufficient privileges to complete the operation"

The app has the "Read and Write Directory Data" permission; this hasn't changed.

I understand that this version of the API is old, but I would have expected it to be turned off or maintained, not change behavior.

For those who are curious, nearly all the users have their email forwarded to a personal account (by design) and so the reset password is sent to the org email and gets forwarded to the one that they use daily. Further, their details in AD do not include contact information (for a number of reasons), so using the out-of-the-box self-service password reset from AD Premium isn't an option either.

-Frank Long


PrincipalNotFound: Principal xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx does not exist in the directory xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx


I am trying to create a role assignment using the Azure Resource Management REST API.

https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role-assignment-id}?api-version={api-version}

I've verified that the principalId in question does in fact exist. I can also create the assignment using the xplat CLI and PowerShell using the same principalId. Any ideas why I'm getting this error when attempting this with the REST call?


Phil Jirsa - Senior Consultant | Rackspace
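
An added example, not from the post above, of driving the same roleAssignments PUT from code. It builds the body ARM expects under that URL (properties.roleDefinitionId as a full ARM path, properties.principalId) and retries only on PrincipalNotFound, which is also the code ARM returns while a just-created principal is still replicating; any other error fails fast. The transport is injected so it runs offline; the api-version default and the principalType note are assumptions taken from the current API reference and do not explain why the poster's particular call failed.

```python
"""Create an ARM role assignment over REST, retrying on PrincipalNotFound.

Added example. `put(url, body)` is supplied by the caller and must return
(status_code, response_json); nothing here talks to the network by itself.
"""
import time
import uuid

ARM = "https://management.azure.com"


def role_assignment_request(scope, role_definition_id, principal_id, api_version,
                            assignment_id=None, principal_type=None):
    """Build (url, body) for PUT {scope}/providers/Microsoft.Authorization/roleAssignments/{id}.

    role_definition_id must be the full ARM path, e.g.
    /subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>;
    a bare GUID is rejected by ARM, so it is rejected here first.
    """
    if not role_definition_id.startswith("/"):
        raise ValueError("roleDefinitionId must be a full ARM resource path")
    assignment_id = assignment_id or str(uuid.uuid4())  # the assignment name is a fresh GUID
    url = (f"{ARM}/{scope.strip('/')}/providers/Microsoft.Authorization/"
           f"roleAssignments/{assignment_id}?api-version={api_version}")
    props = {"roleDefinitionId": role_definition_id, "principalId": principal_id}
    if principal_type:
        # Assumption from the current reference: from api-version 2018-09-01-preview on,
        # stating the principal type (e.g. "ServicePrincipal") skips the directory lookup
        # that fails with PrincipalNotFound during replication delay.
        props["principalType"] = principal_type
    return url, {"properties": props}


def create_role_assignment(put, scope, role_definition_id, principal_id,
                           api_version="2015-07-01", attempts=5, sleep=time.sleep):
    """PUT the assignment; retry with backoff only while the error is PrincipalNotFound."""
    url, body = role_assignment_request(scope, role_definition_id, principal_id, api_version)
    delay = 1
    for attempt in range(1, attempts + 1):
        status, resp = put(url, body)
        if status in (200, 201):
            return {"attempts": attempt, "id": (resp or {}).get("id"), "url": url}
        code = ((resp or {}).get("error") or {}).get("code")
        if code != "PrincipalNotFound" or attempt == attempts:
            # Authorization failures, bad scopes, malformed bodies: retrying cannot fix these.
            raise RuntimeError(f"role assignment failed ({status} {code}) after {attempt} attempt(s)")
        sleep(delay)
        delay = min(delay * 2, 30)
```

If the same principalId keeps returning PrincipalNotFound after the retries are exhausted, the principal is not in the tenant that the token was issued for, which is the next thing to compare between the REST call and the CLI session that works.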

Getting "Authorization_RequestDenied" error message when try to change a password to the user in role "User"


Hi,

We have change password functionality which had been working till now, but all of sudden it stopped working and throwing "Insufficient Privileges Exception".

The user I am trying to change the password for is in the "User" role in AD, and I have enabled all the Application Permissions and Delegated Permissions. But still I am getting the error. Please look at the code below for how I am acquiring the token.

    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // Acquire an app-only (client credentials) token for the Azure AD Graph API.
    private static async Task<string> AcquireGraphTokenAsync()
    {
        // Instantiate an AuthenticationContext for my directory (see authString above).
        AuthenticationContext authenticationContext =
            new AuthenticationContext(GetConfigValue(Constants.AuthString), false);

        // Create a ClientCredential that will be used for authentication.
        // This is where the Client ID and Key/Secret from the Azure Management Portal is used.
        ClientCredential clientCred = new ClientCredential(
            GetConfigValue(Constants.ClientID), GetConfigValue(Constants.ClientSecret));

        // Acquire an access token from Azure AD to access the Azure AD Graph (the resource)
        // using the Client ID and Key/Secret as credentials.
        AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(
            GetConfigValue(Constants.ResAzureGraphAPI), clientCred);
        AccessToken = authenticationResult.AccessToken;

        // Return the access token.
        return authenticationResult.AccessToken;
    }

Cloud App Discovery install fail -log


Hi,

We tested a few agent deployments to non-domain joined machines and we noted data populating in the cloud app portal. Now we want to test this in production and some clients are reporting the following:

[2848:2950][2015-11-18T10:29:11]i001: Burn v3.7.1224.0, Windows v6.1 (Build 7601: Service Pack 1), path: D:\Microsoft Cloud App Discovery Endpoint Agent WCG\EndpointAgentSetup.exe, cmdline: ''
[2848:2950][2015-11-18T10:29:11]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\c0730811\AppData\Local\Temp\Cloud_App_Discovery_-_Endpoint_Agent_20151118102911.log'
[2848:2950][2015-11-18T10:29:11]i000: Setting string variable 'WixBundleOriginalSource' to value 'D:\Microsoft Cloud App Discovery Endpoint Agent WCG\EndpointAgentSetup.exe'
[2848:2950][2015-11-18T10:29:11]i000: Setting string variable 'WixBundleName' to value 'Cloud App Discovery - Endpoint Agent'
[2848:2950][2015-11-18T10:29:12]i100: Detect begin, 2 packages
[2848:2950][2015-11-18T10:29:12]i101: Detected package: SerresEndpointClientSetup_32, state: Absent, cached: None
[2848:2950][2015-11-18T10:29:12]i101: Detected package: SerresEndpointClientSetup_64, state: Absent, cached: None
[2848:2950][2015-11-18T10:29:12]i199: Detect complete, result: 0x0
[2848:2950][2015-11-18T10:29:15]i200: Plan begin, 2 packages, action: Install
[2848:2950][2015-11-18T10:29:15]i052: Condition 'NOT VersionNT64' evaluates to false.
[2848:2950][2015-11-18T10:29:15]i052: Condition 'VersionNT64' evaluates to true.
[2848:2950][2015-11-18T10:29:15]i000: Setting string variable 'WixBundleRollbackLog_SerresEndpointClientSetup_64' to value 'C:\Users\c0730811\AppData\Local\Temp\Cloud_App_Discovery_-_Endpoint_Agent_20151118102911_0_SerresEndpointClientSetup_64_rollback.log'
[2848:2950][2015-11-18T10:29:15]i000: Setting string variable 'WixBundleLog_SerresEndpointClientSetup_64' to value 'C:\Users\c0730811\AppData\Local\Temp\Cloud_App_Discovery_-_Endpoint_Agent_20151118102911_0_SerresEndpointClientSetup_64.log'
[2848:2950][2015-11-18T10:29:15]i201: Planned package: SerresEndpointClientSetup_32, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[2848:2950][2015-11-18T10:29:15]i201: Planned package: SerresEndpointClientSetup_64, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[2848:2950][2015-11-18T10:29:15]i299: Plan complete, result: 0x0
[2848:2950][2015-11-18T10:29:15]i300: Apply begin
[2B20:150C][2015-11-18T10:29:32]i360: Creating a system restore point.
[2B20:150C][2015-11-18T10:29:44]i361: Created a system restore point.
[2B20:150C][2015-11-18T10:29:45]i000: Caching bundle from: 'C:\Users\c0730811\AppData\Local\Temp\{d18434a1-977f-4fc2-acf4-02cbcaba297e}\.be\EndpointAgentSetup.exe' to: 'C:\ProgramData\Package Cache\{d18434a1-977f-4fc2-acf4-02cbcaba297e}\EndpointAgentSetup.exe'
[2B20:150C][2015-11-18T10:29:45]i320: Registering bundle dependency provider: {d18434a1-977f-4fc2-acf4-02cbcaba297e}, version: 0.9.37.3
[2B20:29E8][2015-11-18T10:30:16]i305: Verified acquired payload: SerresEndpointClientSetup_64 at path: C:\ProgramData\Package Cache\.unverified\SerresEndpointClientSetup_64, moving to: C:\ProgramData\Package Cache\{EBC57BD0-9131-43DF-B300-F4E61D1956D9}v0.9.37.3\SerresEndpointClientSetup_64.msi.
[2B20:150C][2015-11-18T10:30:16]i323: Registering package dependency provider: {EBC57BD0-9131-43DF-B300-F4E61D1956D9}, version: 0.9.37.3, package: SerresEndpointClientSetup_64
[2B20:150C][2015-11-18T10:30:16]i301: Applying execute package: SerresEndpointClientSetup_64, action: Install, path: C:\ProgramData\Package Cache\{EBC57BD0-9131-43DF-B300-F4E61D1956D9}v0.9.37.3\SerresEndpointClientSetup_64.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" WIXBUNDLEORIGINALSOURCE="D:\Microsoft Cloud App Discovery Endpoint Agent WCG\EndpointAgentSetup.exe" TENANTCERTPATH=""'
[2B20:150C][2015-11-18T10:32:17]e000: Error 0x80070643: Failed to install MSI package.
[2B20:150C][2015-11-18T10:32:17]e000: Error 0x80070643: Failed to execute MSI package.
[2848:2950][2015-11-18T10:32:17]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[2848:2950][2015-11-18T10:32:17]i319: Applied execute package: SerresEndpointClientSetup_64, result: 0x80070643, restart: None
[2848:2950][2015-11-18T10:32:17]e000: Error 0x80070643: Failed to execute MSI package.
[2B20:150C][2015-11-18T10:32:17]i318: Skipped rollback of package: SerresEndpointClientSetup_64, action: Uninstall, already: Absent
[2848:2950][2015-11-18T10:32:17]i319: Applied rollback package: SerresEndpointClientSetup_64, result: 0x0, restart: None
[2B20:150C][2015-11-18T10:32:17]i329: Removed package dependency provider: {EBC57BD0-9131-43DF-B300-F4E61D1956D9}, package: SerresEndpointClientSetup_64
[2B20:150C][2015-11-18T10:32:17]i351: Removing cached package: SerresEndpointClientSetup_64, from path: C:\ProgramData\Package Cache\{EBC57BD0-9131-43DF-B300-F4E61D1956D9}v0.9.37.3\
[2B20:150C][2015-11-18T10:32:17]i329: Removed package dependency provider: {C398CD96-8984-4CDF-B7DF-78F64EBEEFA2}, package: SerresEndpointClientSetup_32
[2B20:150C][2015-11-18T10:32:17]i330: Removed bundle dependency provider: {d18434a1-977f-4fc2-acf4-02cbcaba297e}
[2B20:150C][2015-11-18T10:32:17]i352: Removing cached bundle: {d18434a1-977f-4fc2-acf4-02cbcaba297e}, from path: C:\ProgramData\Package Cache\{d18434a1-977f-4fc2-acf4-02cbcaba297e}\
[2848:2950][2015-11-18T10:32:17]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart:  No


Thys Janse van Rensburg tewis_j@hotmail.com
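
An added example, not part of the post, that reads a Burn bundle log like the one above and pulls out the one thing it actually tells you: which package failed, with which code, and where that package's own MSI log was written. 0x80070643 is ERROR_INSTALL_FAILURE (1603), the generic MSI failure; the cause is in the per-package log whose path the bundle recorded in the WixBundleLog_<package> variable, not in the bundle log itself. The sample below is a subset of the lines from the post.

```python
"""Extract the failing package and its per-package log path from a WiX Burn bundle log.

Added example. Only the variable-assignment, package-result and apply-result lines
matter for this check; everything else in the log is skipped.
"""
import re

LINE = re.compile(r"^\[(?P<proc>[0-9A-Fa-f]+):(?P<thread>[0-9A-Fa-f]+)\]"
                  r"\[(?P<ts>[^\]]+)\](?P<code>[ie]\d{3}): (?P<msg>.*)$")
SET_VAR = re.compile(r"Setting string variable '(?P<name>[^']+)' to value '(?P<value>[^']*)'")
APPLIED = re.compile(r"Applied execute package: (?P<pkg>[^,]+), result: (?P<result>0x[0-9A-Fa-f]+)")
APPLY_DONE = re.compile(r"Apply complete, result: (?P<result>0x[0-9A-Fa-f]+)")

# Result codes that carry no package-specific meaning on their own.
GENERIC = {
    "0x80070643": "ERROR_INSTALL_FAILURE (1603): generic MSI failure, read the package log",
}

# Constructed from the lines in the post above (paths as logged).
SAMPLE = r"""
[2848:2950][2015-11-18T10:29:11]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\c0730811\AppData\Local\Temp\Cloud_App_Discovery_-_Endpoint_Agent_20151118102911.log'
[2848:2950][2015-11-18T10:29:15]i000: Setting string variable 'WixBundleLog_SerresEndpointClientSetup_64' to value 'C:\Users\c0730811\AppData\Local\Temp\Cloud_App_Discovery_-_Endpoint_Agent_20151118102911_0_SerresEndpointClientSetup_64.log'
[2B20:150C][2015-11-18T10:32:17]e000: Error 0x80070643: Failed to install MSI package.
[2848:2950][2015-11-18T10:32:17]i319: Applied execute package: SerresEndpointClientSetup_64, result: 0x80070643, restart: None
[2848:2950][2015-11-18T10:32:17]i319: Applied rollback package: SerresEndpointClientSetup_64, result: 0x0, restart: None
[2848:2950][2015-11-18T10:32:17]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart:  No
"""


def parse_burn_log(text):
    """Return overall result, bundle log path and one record per failed package."""
    variables, packages, overall = {}, {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (v := SET_VAR.search(msg)):
            variables[v.group("name")] = v.group("value")
        elif (a := APPLIED.search(msg)):           # execute results only, not rollback
            packages[a.group("pkg")] = a.group("result")
        elif (d := APPLY_DONE.search(msg)):
            overall = d.group("result")
    failed = [
        {
            "package": pkg,
            "result": result,
            "meaning": GENERIC.get(result, "package-specific, read the package log"),
            "package_log": variables.get(f"WixBundleLog_{pkg}"),
            "rollback_log": variables.get(f"WixBundleRollbackLog_{pkg}"),
        }
        for pkg, result in packages.items() if result != "0x0"
    ]
    return {"overall": overall, "bundle_log": variables.get("WixBundleLog"), "failed": failed}


if __name__ == "__main__":
    for f in parse_burn_log(SAMPLE)["failed"]:
        print(f"{f['package']}: {f['result']} {f['meaning']}\n  open: {f['package_log']}")
```

The per-package log is an ordinary MSI verbose log; searching it for "Return value 3" finds the custom action or component that actually failed, which is what to send to the vendor or compare between the machines that install and the ones that do not.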

AttributeValueMustBeUnique, unable to find it


Hi,

We are currently experiencing a weird AZ AD Sync problem, it keeps reporting that there is a duplicate value in the form of a ProxyAddress.

  • I have followed the KB mentioned with the error,
  • I have searched Exchange 2013 using EAC and PowerShell
  • I have searched AD using the MMC and PowerShell
  • I have searched Azure AD using the Office 365 portal and PowerShell
  • Used IdFix to find any errors (it returns none)

But I am unable to find the value mentioned in the error anywhere. I am clueless on how to fix this. Any ideas?

Regards,

Erik
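
An added example, not from the post, of the cross-directory comparison the search above is doing by hand. It takes exported objects from every place an address can live (on-prem AD, Azure AD users, groups and contacts) as plain dicts, normalises proxyAddresses the way uniqueness is enforced (address part case-insensitive, the SMTP/smtp prefix case only marks the primary), ties on-prem and cloud copies of the same object together by their sourceAnchor so they do not count as a collision, and reports addresses held by more than one distinct object. The records below are constructed; the soft-deleted Azure AD user in them is there because the ordinary user list does not show deleted objects, and they still hold their addresses.

```python
"""Locate every holder of a proxy address across exported directory objects.

Added example. Object dicts are what you would get by exporting Get-ADObject,
Get-MsolUser (with and without -ReturnDeletedUsers), Get-MsolGroup and
Get-MsolContact to JSON; keys used: type, id, anchor, deleted, proxyAddresses,
mail, userPrincipalName.
"""


def normalize(value):
    """'SMTP:User@Example.com' -> 'smtp:user@example.com'; a bare mail/UPN value is
    treated as an smtp address. The whole value is case-folded because the prefix
    case carries no identity, only the primary/secondary marker."""
    prefix, sep, address = value.partition(":")
    if not sep:
        prefix, address = "smtp", value
    return f"{prefix.strip().lower()}:{address.strip().lower()}"


def address_index(sources):
    """{normalized_address: [holder, ...]} over {source_name: [object, ...]}."""
    index = {}
    for source, objects in sources.items():
        for obj in objects:
            # Synced pairs share a sourceAnchor; anything without one is its own identity.
            identity = obj.get("anchor") or f"{source}/{obj.get('type')}/{obj.get('id')}"
            values = {normalize(pa) for pa in obj.get("proxyAddresses") or []}
            values |= {normalize(obj[a]) for a in ("mail", "userPrincipalName") if obj.get(a)}
            for v in values:
                index.setdefault(v, []).append({
                    "source": source, "type": obj.get("type"), "id": obj.get("id"),
                    "identity": identity, "deleted": bool(obj.get("deleted")),
                })
    return index


def holders_of(sources, address):
    """Everything that holds one address, in any source, deleted or not."""
    return address_index(sources).get(normalize(address), [])


def conflicts(sources):
    """Addresses held by more than one distinct identity: the AttributeValueMustBeUnique cases."""
    return {addr: holders for addr, holders in address_index(sources).items()
            if len({h["identity"] for h in holders}) > 1}


# Constructed sample: one synced user, an on-prem contact, and a soft-deleted cloud user
# that still owns an alias the synced user is now trying to claim.
SAMPLE_SOURCES = {
    "onprem_ad": [
        {"type": "user", "id": "guid-1", "anchor": "AAAA", "userPrincipalName": "erik@example.com",
         "proxyAddresses": ["SMTP:erik@example.com", "smtp:e.jansen@example.com"]},
        {"type": "contact", "id": "guid-2", "proxyAddresses": ["SMTP:partner@example.org"]},
    ],
    "azure_ad": [
        {"type": "user", "id": "aad-1", "anchor": "AAAA", "userPrincipalName": "erik@example.com",
         "proxyAddresses": ["SMTP:erik@example.com", "smtp:e.jansen@example.com"]},
        {"type": "user", "id": "aad-9", "anchor": "ZZZZ", "deleted": True,
         "userPrincipalName": "old.erik@example.com",
         "proxyAddresses": ["SMTP:old.erik@example.com", "smtp:E.Jansen@example.com"]},
    ],
}

if __name__ == "__main__":
    for addr, holders in conflicts(SAMPLE_SOURCES).items():
        print(addr, [(h["source"], h["id"], "deleted" if h["deleted"] else "live") for h in holders])
```

Feeding the tool the value from the sync error, `holders_of(sources, value)`, answers the question directly, provided the Azure AD export includes deleted users; with that export missing, the function returns only the on-prem holder and the conflict stays invisible, which is the situation the searches listed above describe.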

User Last Logon property ?


Hey,

It really surprises me that the User entity has no "Last Logon" date.

Are there any plans to add this property? Something like the "approximateLastLogonTimeStamp" of the Device entity.

Related post:

http://stackoverflow.com/questions/31140504/how-to-get-azure-ad-users-last-login-time/33905466#33905466

Azure AD b2c vs b2b authentication


I have been testing out the new b2c AD feature, and have a sample app that I have installed which authenticates against my test AD which has been created with the b2c functionality enabled. I have this working with the local provider and the google provider, so am happy that the application works as expected.

The problem I am having lies in the scenario we have where we also want to be able to authenticate users who have been created using the b2b functionality. I have uploaded a spreadsheet containing a couple of usernames from other AADs and it uploads with no problems. I have it referring to my sample app.

When I browse to the sample app when I have already logged on as a b2b user, the sample goes through the motions of authenticating, but because I have already logged on, I am not prompted for a password, and the app runs.

When I browse to the sample app without logging on, the sample app prompts me for username and password, and it always fails.

It appears that, with b2c enabled, there is no AAD identity provider. I have found a reference in other posts/blogs that work accounts cannot be used if b2c is required. Given what I have found with previously authenticating letting me access the sample app, this seems to be a case of a suitable identity provider not being available.

Does anyone know if this is likely to be changed in the near future? Or is this not as simple a task as it appears...

Regards

Jeff

AAD sync always occurs to company.onmicrosoft.com domain, not custom domain


Hi all,

I'm trying to set up Azure AD for SSO.

I have my company.onmicrosoft.com domain and have added a custom domain matching my internal AD domain name and have specified it will use single sign on.

Through the Azure AD portal, I then click verify and am directed to setup AD connect locally.

I set up AD Connect, enter all my credentials - and all works fine... but my domain is synced into my company.onmicrosoft.com AAD, not the custom domain I have created - and for the life of me, I can't see any setting to specify which AAD domain to sync with.

Any suggestions ?


Just connected Office365 to Azure and no history for reports?


I connected our Office365 portal to the Azure AD tenant and the only history (90 day) I can view is from audit reports.  When I run all reports for User Activity and Anomalous Activity, I only see data from the date I connected to Azure. Not only do I NOT see data within the past 90 days, I can't even see any reports from the past 7 -- only from the point in time I connected to Azure tenant.  Is this by design?  Is there any way to get that history?  I would think so..  These reports look great so would be wonderful if only I could get some history!

Thank you!

Post AAD PowerShell Module to PowerShell Gallery


PowerShell Gallery is the One-Stop-Shop for PowerShell Modules

Please publish the modules to PowerShell Gallery and eliminate msi installers of PowerShell Modules

Microsoft Graph API equivalent to 'IsMemberOf' of Windows Azure Graph API


Hello all,

I'm looking for the Microsoft Graph API equivalent of 'IsMemberOf' in the Azure AD Graph API, in order to check membership recursively.

It's difficult to get all nested group memberships of a user with group_list_members API.

http://graph.microsoft.io/docs/api-reference/v1.0/api/group_list_members

Is there a better way to do that?

Thanks for any help.

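An added example, not from the post, showing the two halves of the answer: the recursive membership walk that IsMemberOf performs, written out over a small constructed memberOf graph so the cycle case is visible (nested groups can form loops, and a naive recursion never returns), and the request shape for the server-side equivalents in today's Microsoft Graph v1.0, POST /users/{id}/checkMemberGroups (returns the subset of the supplied ids the user is a transitive member of, at most 20 per call) alongside getMemberGroups and GET /users/{id}/transitiveMemberOf. Those endpoints post-date the question; the 20-id limit is taken from the current reference.

```python
"""Transitive (IsMemberOf-style) group membership with cycle protection, plus the
Microsoft Graph checkMemberGroups request that does the same thing server-side.

Added example. MEMBER_OF is a constructed graph: object id -> ids of the groups it
is a direct member of (what a memberOf query returns per object).
"""
from collections import deque

MEMBER_OF = {
    "user:alice": {"grp:dev"},
    "grp:dev": {"grp:engineering"},
    "grp:engineering": {"grp:staff", "grp:dev"},   # deliberate loop: dev <-> engineering
    "grp:staff": set(),
    "grp:ops": {"grp:staff"},
}


def transitive_groups(obj_id, member_of):
    """Every group obj_id belongs to directly or through nesting (breadth-first).
    The visited set is what makes a looping nest terminate."""
    seen, queue = set(), deque(member_of.get(obj_id, ()))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(member_of.get(g, ()))
    return seen


def is_member_of(obj_id, group_id, member_of):
    """Recursive membership test, the IsMemberOf semantics."""
    return group_id in transitive_groups(obj_id, member_of)


def check_member_groups_request(user_id, group_ids, base="https://graph.microsoft.com/v1.0"):
    """(method, url, json_body) for the server-side check. The response is the list of
    ids from group_ids that the user is a transitive member of."""
    group_ids = list(group_ids)
    if len(group_ids) > 20:
        raise ValueError("checkMemberGroups accepts at most 20 groupIds per request")
    return "POST", f"{base}/users/{user_id}/checkMemberGroups", {"groupIds": group_ids}


def transitive_member_of_request(user_id, base="https://graph.microsoft.com/v1.0"):
    """(method, url) that lists all nested memberships in one paged query."""
    return "GET", f"{base}/users/{user_id}/transitiveMemberOf"
```

For authorization decisions inside an application, prefer checkMemberGroups (or the groups claim in the token) over walking /members yourself: the walk needs a read of every nested group, and any group the caller is not allowed to read silently becomes a false negative.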

Azure AD Connect - Disable Users vs Delete

Using the Azure AD Connect tool, how would I go about blocking/disabling users on Azure AD rather than sending them to the 30 day delete queue? I'm using the out-of-the-box configuration pointing at a single master group on our internal AD. The master group contains all users and other groups I want to be synced.

This would be the associated PowerShell command; however, the documentation states this cannot be performed on a synced user. https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx

    Set-MsolUser -BlockCredential $true

AAD PREMIUM | 365 Self-Service Password | Need to set "Authentication Email" via powershell


Hello!

I am trying to set the "Authentication Email" field via powershell, but I cannot find the cmdlet nor property to set.

I've tried get-msoluser | fl but there is no property for auth email.

I definitely see the field in Azure AD, but that is not feasible for setting 1000+ users.

Could not verify the domain

I tried to verify my domain for my Azure Active Directory but could not verify the domain. I know I used this domain several months (maybe years) ago with an Office 365 training, where I connected it to that Office 365 tenant with a DNS TXT record. This trial version of Office 365 has expired but I do not know the credentials used any more. What can I do? I do have the old TXT record information.

Graph Client : Throwing "insufficient privileges to complete the operation" on creating ad user


All of a sudden, when we try to add a user using the graph client (version 2.1.0 of Microsoft.Azure.ActiveDirectory.GraphClient), we get Authorization_RequestDenied: "insufficient privileges to complete the operation".

We do have the permissions set right for the AD application, and there has been no change to them:




Please help why all of a sudden this issue started without any changes.

Thanks in advance!
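
This post, the "Authorization_RequestDenied" post and the "App-only Permissions to set user password?" post at the top of the page all describe the same symptom: a client-credentials token, the app's permissions unchanged in the portal, and a 403 "Insufficient privileges" from the directory. The added example below (not from any of the posts, and written against the current Microsoft Graph v1.0 "Update user" call rather than the Azure AD Graph the posts use) builds the app-only password reset and then does the check that resolves most of these: decode the token you actually sent and look at its `roles` claim, which lists the application permissions that were both granted and admin-consented. Two things are assumptions to verify against the current reference: REQUIRED_ROLES (the application permission named for a passwordProfile write) and the note that password writes additionally need a directory role on the app's service principal. The decoder does not verify the signature; it is for inspecting a token you hold, never for accepting one.

```python
"""App-only temporary password reset via Microsoft Graph, with a diagnosis step for
401/403 responses based on the token's own claims.

Added example. Nothing here sends a request; the functions return the request to
send and interpret the response you got back.
"""
import base64
import json
import secrets
import string

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumption for this example: the application permission expected for writing
# passwordProfile. Confirm against the current "Update user" reference.
REQUIRED_ROLES = {"User-PasswordProfile.ReadWrite.All"}


def generate_temp_password(length=16):
    """Temporary password from the OS CSPRNG (secrets, not random) with at least one
    character from each class so it clears the tenant's complexity policy."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*"]
    if length < len(classes):
        raise ValueError("length too short for the required character classes")
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def password_reset_request(user_id, token, temp_password):
    """PATCH /users/{id}; forceChangePasswordNextSignIn makes the temporary value single-use."""
    body = {"passwordProfile": {"forceChangePasswordNextSignIn": True,
                                "password": temp_password}}
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "PATCH", f"{GRAPH}/users/{user_id}", headers, body


def jwt_claims(token):
    """Decode the payload segment only. No signature check: inspection of your own token."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def make_unsigned_token(claims):
    """Constructed sample token for offline demonstration (alg=none, empty signature)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def diagnose(status, response_body, token):
    """Map the HTTP outcome plus the token's claims to the thing to fix.
    'roles' = application permissions granted AND consented; 'scp' (delegated
    scopes) is absent from a client-credentials token, so Delegated Permissions
    ticked in the portal change nothing for an app-only call."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    err = ((response_body or {}).get("error") or {}).get("code")
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return f"token rejected before authorization: check aud={claims.get('aud')!r} and expiry"
    if status == 403 and err == "Authorization_RequestDenied":
        missing = REQUIRED_ROLES - roles
        if missing:
            return (f"token carries {sorted(roles)} but not {sorted(missing)}: "
                    "grant the application permission and admin-consent it")
        return ("permissions present; writing passwordProfile also needs a directory role "
                "(assumption: e.g. User Administrator) assigned to the app's service principal")
    return f"unexpected {status} {err}"
```

The practical lesson from the `roles` check is that the portal shows what was requested, while the token shows what was granted; a permission that was added without a fresh admin consent, or a tenant-side change to what a given permission may write, both surface only in the token and the response, never in the app registration.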

Can I use / create a dedicated site to site tunnel for Azure AD Connect sync?


Hi,

I was wondering if it is possible to give the account synchronization between the on-premises domain and Office 365 / Azure AD (using Azure AD Connect) an extra layer of protection using a site-to-site tunnel?

So, if I would create a virtual network for setting this tunnel up, is it possible to make sure that the account/pass sync passes through this tunnel only?

Thank you in advance.

Regards,

Laurens

Expanding onsite AD into the cloud with ADDS


Scenario -Hybrid Cloud solution:

Current setup

Onsite active directory which will remain onsite.
AD internal DNS name of madeupname.internal, external name of madeupname.co.uk through UPN
ADConnect used to sync username/password into Azure for Office365 access, users log in using firstname.Secondname@madeupname.co.uk
Onsite application Server1 running third party software and a member of the madeupname.internal domain, and a VMware VM.

We then intend to:-
Create Virtual network in Azure
Enable ADDS and link it to the AD tenant and the Virtual network with an ADDS DNS name of madeupname.com
Planning to use MVMC 3.1 to convert and push the Server1 image into Storage space in Azure
Then create a Virtual machine in the Virtual Network and attach the disk image.
Server1 now migrated to cloud, is it? In theory?


Questions
1) When enabling ADDS, why don't we call the DNS name the same as the onsite DNS name? If we'd created a virtual domain controller in the cloud by using DCpromo, the onsite domain would be replicated and the domain/DNS name would remain the same. Where does this new Domain/DNS name come from when ADDS is enabled? Are there background trust relationships being created I'm not aware of between the two domains?
2) When Server1 is provisioned on the new virtual network, will it need joining to the new madeupname.com domain, as the image will have been Sysprepped and domain membership removed? With the original way of extending the AD into the cloud by setting up virtual DCs and replicating the onsite AD, the DNS/domain name would have remained and membership would have been the same, even if the migrated machine had to be rejoined to the original domain. Why doesn't the server remain on the madeupname.internal / madeupname.co.uk domain within the cloud with ADDS?
3) All the Access Control Lists will be based on the onsite domain name, so will these all need setting up again in the newly named domain madeupname.com in the cloud?
4) What happens if the third party software on Server1 is AD aware, as the server's domain membership will have changed?

Azure Active Directory Sync Service tool in a multi-forest environment: which attribute to choose? (Not DirSync)


Hi all,

I've already asked this on Office 365 Community Forum http://community.office365.com/en-us/f/613/t/267826.aspx.

Our scenario: we have a multi-forest environment due to a recent merger, with one forest with resources and some accounts and another forest with accounts only that should be migrated to the first one over time. We're at Wave 15 on our tenant.

We're configuring AAD Sync Service, but we need to choose the attribute to use as sourceAnchor; we think that the approach suggested in http://blog.msresource.net/2014/03/10/windows-azure-active-directory-connector-part-3-immutable-id/ should work.

In short:

  • if the mS-DS-ConsistencyGuid is empty, we'll generate the sourceAnchor value from objectID, then populate the mS-DS-ConsistencyGuid with the sourceAnchor value
  • if the mS-DS-ConsistencyGuid is populated, use that as the sourceAnchor (so we can match a user even if it is moved from one forest to the other)

Should that work? How can we get the tool to write back the sourceAnchor value to mS-DS-ConsistencyGuid?

Thanks
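
An added example, not from the post or from the sync tool, of the value handling behind the two rules above. It assumes "objectID" in the post means objectGUID (as in the linked blog), that objectGUID and mS-DS-ConsistencyGuid are handled as the raw 16 bytes AD stores (the same byte order .NET's Guid.ToByteArray() returns, which Python exposes as bytes_le), and that ImmutableId / sourceAnchor is the base64 of those bytes. It computes the anchor and the bytes to write back; wiring the write-back into a sync rule or a script against AD is outside what the code does.

```python
"""sourceAnchor / ImmutableId handling for the mS-DS-ConsistencyGuid scheme.

Added example. GUID strings are the usual 8-4-4-4-12 form; raw values are the 16 bytes
as stored in AD.
"""
import base64
import uuid


def guid_to_immutable_id(guid_str):
    """objectGUID string -> ImmutableId (base64 of AD's mixed-endian byte layout)."""
    return base64.b64encode(uuid.UUID(guid_str).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id):
    """ImmutableId -> objectGUID string; rejects values that are not a 16-byte GUID."""
    raw = base64.b64decode(immutable_id)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def choose_source_anchor(object_guid, consistency_guid_raw):
    """The two rules from the post.

    Returns (anchor_base64, bytes_to_write_back). The write-back happens only when
    mS-DS-ConsistencyGuid is empty; once set it must never change, because the anchor
    is what lets the cloud object survive a move to the other forest (new objectGUID,
    same mS-DS-ConsistencyGuid).
    """
    if consistency_guid_raw:
        if len(consistency_guid_raw) != 16:
            raise ValueError("mS-DS-ConsistencyGuid has an unexpected length")
        return base64.b64encode(consistency_guid_raw).decode("ascii"), None
    raw = uuid.UUID(object_guid).bytes_le
    return base64.b64encode(raw).decode("ascii"), raw


if __name__ == "__main__":
    first = "12345678-1234-5678-1234-567812345678"          # constructed objectGUID, forest A
    anchor, write_back = choose_source_anchor(first, b"")
    print("first sync:", anchor, "write back" if write_back else "no write-back")
    moved = "ffffffff-ffff-ffff-ffff-ffffffffffff"          # new objectGUID after the move
    anchor_after, wb = choose_source_anchor(moved, write_back)
    print("after move:", anchor_after, "unchanged" if anchor_after == anchor else "CHANGED")
```

The byte-order point is the one that bites in practice: base64 of the GUID's text form, or of the big-endian bytes, produces an anchor that looks plausible but never matches what AAD Connect computes, and the mismatch shows up later as duplicate cloud objects rather than an error at configuration time.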

Active Directory only in the cloud?

Hello,

At present I have a company with a server and a Domain Controller, and we would like to do away with the server completely. Is it possible to use Office 365 as the domain controller for user sign-in, replacing the local server 100%?

Thank you in advance for your answer

Unexpected 401


Hi,

We're using the Android SDK for OAuth log in. We are logging into an app and getting a token for the discovery service. However, when we call the services method, it's returning a 401. We can't understand why this is happening.

We've tried adding every permission and this has not helped.

Could someone help, please?
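
A 401 with every permission ticked usually means the token was not rejected for what it may do but for whom it was issued: its `aud` claim names the resource it was requested for, and a service refuses any token minted for a different resource. Since the post says the token was obtained for the discovery service, the added example below (not from the post) decodes a token you hold and checks its audience and validity window against the endpoint you are about to call; a token whose aud is the discovery service is only good for discovery calls, and the ServiceResourceId that the discovery response carries is the resource to request a fresh token for before calling the service itself. Matching on scheme and host is a heuristic for v1-style resource URIs and is an assumption; the authoritative test is the resource you passed when acquiring the token. No signature is verified here.

```python
"""Check that a bearer token was issued for the endpoint you are about to call.

Added example. Offline inspection only: decodes claims without verifying the signature.
"""
import base64
import json
import time
from urllib.parse import urlsplit


def jwt_claims(token):
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def make_unsigned_token(claims):
    """Constructed sample token for offline demonstration (alg=none, empty signature)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def _origin(value):
    """scheme://host for URI-style audiences and endpoints; identifiers without a
    scheme (v2 tokens carry the API's client id as aud) are compared literally."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}".lower() if parts.scheme else value


def audience_matches(aud, endpoint_url):
    """aud may be a string or a list; any entry matching the endpoint's origin passes."""
    auds = aud if isinstance(aud, list) else [aud]
    target = _origin(endpoint_url)
    return any(_origin(a) == target for a in auds if a)


def check_token_for(token, endpoint_url, now=None):
    """List of reasons this token will be refused at endpoint_url; empty means none found."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp") is not None and claims["exp"] <= now:
        problems.append("expired")
    if claims.get("nbf") is not None and claims["nbf"] > now:
        problems.append("not yet valid")
    if not audience_matches(claims.get("aud"), endpoint_url):
        problems.append(f"audience {claims.get('aud')!r} is not the endpoint's resource "
                        f"{_origin(endpoint_url)!r}; request a token for that resource")
    return problems


if __name__ == "__main__":
    # Constructed: a token minted for the discovery service, then used against a service endpoint.
    disc = make_unsigned_token({"aud": "https://api.office.com/discovery/", "exp": 2_000_000_000})
    print(check_token_for(disc, "https://api.office.com/discovery/v1.0/me/services"))
    print(check_token_for(disc, "https://outlook.office365.com/api/v1.0/me/messages"))
```

Run against the real token the SDK hands back, the second call prints the audience mismatch directly; the fix on the client side is a second acquireToken call for the service's ServiceResourceId, not more permissions on the app registration.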
