Channel: Azure Active Directory forum

Admin reset user password via office 365 portal and azure ad management portal is not synced back to local ad

This is a case with password-synced users.

1. Admin resets the user's password in on-premises AD. The user is able to log in to the MyApps portal with the new password and is able to perform self-service password change/reset. AAD to AD via the AD Premium license is valid.

2. Admin resets the user's password using the Office 365 portal/Azure AD management portal, which replaces the original user password in on-premises AD. The user is able to log in to the MyApps portal with the new password. The user is prompted to change the password on first login and changes the password successfully.

But after half an hour, when the user performs self-service password change/reset, the error the user sees is "make sure your entry is correct" for the current password field. We have no restriction on minimum password age.

At the same time, we see this error from the on-premises AD:

Error 6329 An unexpected error has occurred during a password set operation.

"BAIL: MMS(3468): ..\server.cpp(11152): 0x8023061a (The password given does not specify the user's current password.)

How do we troubleshoot this? Thanks.


Azure AD Application Proxy Status code: Forbidden

I have added the IIS server's SPNs (http/iisserver, http/iisserver.contoso.local) to the connector server and also set Kerberos delegation (any authentication). When the Azure application's INTERNAL AUTHENTICATION METHOD property is set to Integrated Windows Authentication, I am getting a Forbidden error: Microsoft AAD Application Proxy Connector cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error.

I am unable to resolve the issue. Am I missing something?

Thanks,

Ram

Active Directory does not show up in new portal

I am new to Azure and trying to determine whether to establish my network in the older portal, or the new portal. I understand the new portal is resource based and is being encouraged for new installations.

In my testing I noticed Active Directory as a service does not show as a resource in the new portal, but it does show up in the older portal. In addition, when I try to configure Active Directory to link to a virtual network, it can only "see" the networks created in the original portal.

Is there a way to get Active Directory as a service to be reflected in the new portal, or at least for Active Directory to be configured to the networks created in the new portal? This seems like a very useful service and would eliminate the need to maintain our own virtual machines for the purpose of addressing Active Directory requirements within the new portal's network environment.

I would appreciate any clarification, or suggestions on the subject.

Thanks.

Azure AD auditEvents report not returning all data?

It seems there are some issues with the auditEvents reports. Using the Graph API returns completely different results compared to what I can see in the exported CSV file from the Azure AD portal. It does not seem to be an issue with report latency, as I can see events that took place after, plus the 8h period has already passed.

Here's what I'm using for the Graph API, no filtering configured:

"https://graph.windows.net/$tenantdomain/reports/auditEvents?api-version=beta"

It's not returning any of the DeleteUser events, UpdateUser, etc. The only AddUser event I see via the Graph API is for the Microsoft account I used to re-add the directory to my Azure tenant. Similarly, on the exported CSV file from the Azure portal I see all of the AddUser/UpdateUser/DeleteUser/etc events minus the ones related to the Microsoft account. So it seems the two methods are returning different sets of data?

On the other hand, viewing the report in Azure seems to combine both sources and display all the relevant events. Problem is when I export it, it does not show all...

“Bring your own app” with Azure AD Self-Service SAML configuration - Support for Identity provider initiated login?

http://blogs.technet.com/b/ad/archive/2015/06/17/bring-your-own-app-with-azure-ad-self-service-saml-configuration-gt-now-in-preview.aspx

We are looking for support for identity provider initiated login for our app. Does anyone know when it is coming, or whether it is on the roadmap?

Regards,

Maqsood.

Event 905,DirectorySyncClientCmd - error warning.

Attempting to obtain Azure AD Sync Scheduler mutex.

Can anyone shed some light on this warning/error?


Permissions in Microsoft Graph API for Office365

Hello,

I would like to perform actions on my Office 365 tenant through a Java application. 

In order to do that, I registered my application via dev.office.com and I obtained my ClientID.

Is this information sufficient to connect to my Office 365?

Because when I try to connect to https://login.windows.com with my client ID and my tenant admin's login, I get the following error:
"No permission to access user information is configured for '[...]' application, or it is expired or revoked.\r\nTrace ID: [...]\r\nCorrelation ID: [...] \r\nTimestamp: 2015-12-17 11:28:50Z","error":"invalid_grant"}"

Provision Room resource with no mailbox. No on-premises Exchange!

We are preparing for Lotus Notes -> Exchange Online migration.

Currently we have approx. 20k resources, including rooms, that have to be provisioned as i.e. Room but with no mailbox attached, for co-existence during the migration phase where the mailbox remains in the legacy Notes system.

We will leverage mail "forwarding" functionality to keep both systems updated with calendar/booking/free-busy related events.

We have no MS Active Directory Exchange schema (not-planned due to no Exchange on-premise) therefore we cannot use legacy attributes or anything related to AADConnect synchronization.

How can we create resource objects in Exchange Online with no mailbox attached?

PS. Tried:

New-Mailbox -EnableRoomMailboxAccount $True -Room -Alias 'RES_ROM_UKLD12112' -Name 'RES_ROM_UKLD12112' -MicrosoftOnlineServicesID 'RES_ROM_UKLD12112@contoso.onmicrosoft.com' -RoomMailboxPassword (ConvertTo-SecureString -String 'RES_ROM_UKLD12112' -AsPlainText -Force)

*but the mailbox is automatically created.

New-MailUser -Name 'RES_ROM_UKLD12112' -ExternalEmailAddress 'RES_ROM_UKLD12112@contoso.com' -MicrosoftOnlineServicesID 'RES_ROM_UKLD12112@contoso.onmicrosoft.com' -Password (ConvertTo-SecureString -String 'RES_ROM_UKLD12112' -AsPlainText -Force)

*cannot change RecipientType value to Room

Thanks


Greg Spyra, Sr. IAM Engineer


Azure AD authentication

Hi,

We are trying to set up an environment as outlined in the diagram. We are stuck at the part marked in red. Please guide me in the right direction. I would like to know if it is possible, and if yes, how can we set it up?

The access token has been obtained from wrong audience or resource

Trying to create a simple task to list all resources in Azure portal. I followed the direction in the given URL and successfully received token.

http://azure-sdk-for-python.readthedocs.org/en/latest/resourcemanagement.html#authentication

However, using the combination of token and subscription, I am getting the following error.

ERROR:

azure.common.AzureHttpError: {"error":{"code":"AuthenticationFailed","message":"The access token has been obtained from wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.core.windows.net/','https://management.azure.com/'."}}

I have created an application in Active Directory and assigned all permissions to Windows Active Directory.

Following is the code to get token: 

import requests

def get_token_from_client_credentials(endpoint, client_id, client_secret):
    # Client-credentials grant against the AAD v1 token endpoint.
    payload = {
        'grant_type': 'client_credentials',
        'client_id': client_id,
        'client_secret': client_secret
        # 'resource': 'https://management.core.windows.net/',
    }
    response = requests.post(endpoint, data=payload).json()
    return response['access_token']

auth_token = get_token_from_client_credentials(
    endpoint='https://login.microsoftonline.com/11111111111-1111-11111-1111-111111111111/oauth2/token',
    client_id='22222222-2222-2222-2222-222222222222',
    client_secret='test/one/year/secret/key',
)

Trying to consume this token in the following code :

# Legacy Azure SDK for Python classes used by the snippet.
from azure.mgmt.common import SubscriptionCloudCredentials
from azure.mgmt.resource import ResourceManagementClient

def get_list_resource_groups(access_token, subscription_id):
    # Wrap the bearer token and subscription for the Resource Manager client.
    cred = SubscriptionCloudCredentials(subscription_id, access_token)
    resource_client = ResourceManagementClient(cred)
    resource_group_list = resource_client.resource_groups.list(None)
    rglist = resource_group_list.resource_groups
    return rglist

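As an added example (not the poster's code), the following decodes a token's claims segment and compares its aud claim with the two ARM audiences quoted in the error, where the match must be exact including the trailing slash; build_token_request shows the client-credentials payload with the resource parameter the poster had commented out. The tokens are constructed, unsigned samples carrying the Graph audience from the error message, not real AAD tokens.

```python
import base64
import json

# Audiences quoted in the ARM error message; the match must be exact, trailing slash included.
ALLOWED_ARM_AUDIENCES = (
    "https://management.core.windows.net/",
    "https://management.azure.com/",
)


def build_token_request(client_id, client_secret, resource="https://management.core.windows.net/"):
    """Client-credentials payload for the AAD v1 /oauth2/token endpoint.

    'resource' selects the audience of the issued token; the poster's token,
    requested without it, carried the Graph audience 00000002-0000-0000-c000-000000000000.
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }


def decode_jwt_payload(token):
    """Decode the middle (claims) segment of a JWT without verifying the signature.

    Only for inspecting claims locally; a relying party must also verify the signature.
    """
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))


def token_audience_error(token, allowed=ALLOWED_ARM_AUDIENCES):
    """Return None if the token's 'aud' is acceptable for ARM, else a diagnostic string."""
    aud = decode_jwt_payload(token).get("aud")
    if aud in allowed:
        return None
    return f"token audience {aud!r} is not one of {list(allowed)}"


def make_sample_token(aud):
    """Build a CONSTRUCTED unsigned JWT with the given audience (test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud, 'tid': 'CONSTRUCTED-TENANT'})}."


if __name__ == "__main__":
    print(token_audience_error(make_sample_token("00000002-0000-0000-c000-000000000000")))
    print(token_audience_error(make_sample_token("https://management.core.windows.net/")))
    print(token_audience_error(make_sample_token("https://management.azure.com")))  # no slash
```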

Operations on domains (Insufficient privileges to complete the operation)

Hi everyone,

I'm trying to create a domain with this documentation: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/domains-operations#BasicoperationsondomainspreviewCreateadomainpreview

But I'm getting this error: "Insufficient privileges to complete the operation"

Does anyone know how I can assign these privileges to my app?

Thanks in advance!

Granting Access to Client to Read and Write calendar

Our organisation uses Office 365 and I am trying to create a client application that will use the Calendar REST API 2.0 to create events in a calendar based on information in one of the scheduling systems.

I am having trouble with the OAuth based authentication.

In another project, I have had success with OAuth-based authentication with SharePoint Online, but for the Calendar, it is a different story.

I have registered the application as a "Native" client in the Azure Management Portal and obtained the client id.

I have made a request to https://login.microsoftonline.com/common/oauth2/v2.0/authorize similar to a request made in the Outlook OAuth Sandbox application.

I get the following error:

error_description=AADSTS70001: Application '176fc660-1a05-484c-9611-4e8cf077bf74' is not supported for this API version.
Trace ID: 82a99f93-569b-4e23-a923-2b0ef50e8c80
Correlation ID: b9692eb5-8dcf-47c8-b1dd-8bb1b41f5746
Timestamp: 2015-12-17 14:05:22Z

I am unsure how to interpret this error. 

I would be grateful for any help.

Best regards

Michael

Azure AD B2C Calling a Web API from an iOS application: 400 bad request.

Hi!

I successfully built and got the Azure AD B2C Preview .net web app working. It was straight forward and I got the auth key without any problems.

iOS is another story though. After setting up and building the project I am receiving status code 400: Bad Request for both the register-user call and the sign-in-with-email call (I have not set up Facebook sign-in). The user does, however, get registered even though I get a bad request in return, but I am unable to retrieve an auth key when signing in. I've tried the Simulator with iOS 9 and also a real device with both iOS 8 and 9.

Here is the quickstart document I am following:

https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-devquickstarts-ios/

I downloaded the full preview project and only updated the settings plist to the project values.

If anyone could nudge me in the right direction it would be greatly appreciated!


Resource not found for the segment 'me'

I'm trying to get some info on the currently logged in user, but I keep getting an error (Resource not found for the segment 'me'). I'm using the url https://graph.windows.net/<tenantid>/me

I've already come to the conclusion that the resource is not found, but what really boggles my mind is why.

I've tried the graph explorer (https://graphexplorer.cloudapp.net/) and that seems to work with both api-version 1.6 and api-version 2013-11-08, and it doesn't care if I put in the tenant Id or not. My own app gives me back the error in any situation.

I'm using the standard php curl library, like the sample app I found somewhere in the intro tutorial to the graph api. I'm also making other calls (like get the users feed and filtering users) and that works without any hassle. 

It seems as if I'm missing something, but I can't see what it is.

Please advise :)

Not able to assign application roles while creating the users in AD.

I am able to create a user and update the user with the application-specific role with the help of the sample console application code for the Graph API posted here.

But when I tried to add application roles while creating the new user, it was not able to assign the roles to the user. I have tried sending the same GUID for the object ID and for the app role's principal ID, and I have tried sending null to both while creating. Both failed to assign roles while creating the user. I can see that when I send an object ID while creating the user, it gets replaced with another GUID. Here is the sample code from the Graph API link.

if (appObject.ObjectId != null && user != null && newServicePrincpal.ObjectId != null)
{
    // Assign the app role to the existing user: the role id, the service principal
    // that owns the role (resource), and the user being granted it (principal).
    AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
    appRoleAssignment.Id = appRole.Id;
    appRoleAssignment.ResourceId = Guid.Parse(newServicePrincpal.ObjectId);
    appRoleAssignment.PrincipalType = "User";
    appRoleAssignment.PrincipalId = Guid.Parse(user.ObjectId);
    user.AppRoleAssignments.Add(appRoleAssignment);
    user.UpdateAsync().Wait();
    Console.WriteLine("User {0} is successfully assigned direct permission.", retrievedUser.DisplayName);
}

Regards,

Hsakarp.


Q: Can AAD Audit Reports show when an App Password has been used (not their AAD credentials) ?

I've been asked an interesting question regarding AAD Audit Reports. Is it possible to report when a User authenticates to an Application using an App Password, not their AAD credentials?

Thanks in advance!

//Adam

New Azure RMS can't open files encrypted by old Microsoft RMS

From Rodrigo Martensen @rcmartensen via Twitter

Need to know if Azure RMS can open protected documents encrypted by old Microsoft RMS. I have some Excel files that are encrypted by old Microsoft RMS and now I am not able to open them. It seems the support has ended and the connection with the server does not complete.

Thanks,

@AzureSupport

renew refresh_token when using external MSA account

I have the following situation: when a user consents to my AAD application I receive an access_token and a refresh_token. Later, when the access_token expires, I use the refresh_token to get a new access_token. This works great. I also store the renewed refresh_token from that call so my user does not need to consent again within 90 days. This works very well for Azure Active Directory accounts. When I try to do the same thing with a Microsoft Account which is part of an Azure Active Directory, I can refresh the access_token but I will not get a renewed refresh_token; the property is just missing in the response of the call:

https://login.windows.net/<<tenantid>>/oauth2/token

How should I solve this problem so that my users do not need to re-consent every 12 hours? What is the right approach for an import service who is running mainly in background doing the work when the user is absent?


I can't assign users EMS licenses in Azure

I only see my default directory and not my Dixon properties directory. I have tried adding it and for some reason it's not letting me add it. Please help me.

Thanks

Angelo

How to add file permissions (or anything else) for AzureAD users on AzureAD-joined Win10 machine?

I'm on a Win10 workstation that's joined to AzureAD like this. How can I grant file permissions to an AzureAD user?

When I try to use the File Properties > Security > Edit > Add dialog I can't find/select any users on the AzureAD domain, including the currently logged in user. Entering `AzureAD\FirstLast` and clicking Check Names gives this (where AzureAD\JohnSmith happens to be the currently logged-in user):


There's no option to use AzureAD as the location for the Search either. 

In general this sort of thing seems to be a problem with AzureAD-joined accounts: Windows appears not to know about them, e.g. when adding them to SQL Server. Or perhaps I just don't know the right way to refer to these users?

Thanks for any help!

Rory

Also posted on SuperUser
