Channel: Azure Active Directory forum

AADSTS70001: Application with identifier was not found in the directory


I am trying to develop an MVC application which will use ACS to SSO the user. I have created an Application in my Azure Default Directory, and have given the Sign-On Url as the http:..localhost:..... and have filled up other information.

I have then configured an Identity Provider in the ACS with type WS-Federation, which is my Azure AD, and have configured a Relying Party. When I try running my web application, I get the below error.

Additional technical information:
Correlation ID: 9c14cb20-3cff-4550-8f5b-769ed673a76d
Timestamp: 2016-01-15 23:19:11Z
AADSTS70001: Application with identifier 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' was not found in the directory 78c771f4-29a1-4a78-8216-9519348565db

Any help will be much appreciated.


RBAC "Automation Operator" can run jobs but cannot see the job output!


Hello,

I'm using the RBAC built in role "Automation Operator" which is "Able to start, stop, suspend, and resume jobs"

This is working well, except the users are not able to see the results.

For example, if you drill down through Runbooks, select the runbook, select Jobs, and select the recently completed task, instead of the Output tile it says "No Access".

So for some reason we have access denied on the Job output, but someone with the "Owner" rights can see the Output fine.

I wonder if this is a bug, or simply a missing permission in the role?


Hope someone can help. Thanks!


Azure AD Connect throws "unexpected error"


We're trying to sync to Azure AD using Azure AD Connect, and have installed the connector on Windows Server 2012 R2. We followed all the steps in the instructions (verified our domain, etc.), but:

The connector dies at the first step under Express Settings at "Connect to Azure AD"

When we try to sign on with our "username@domain.onmicrosoft.com" credentials, or with a separate "global-admin-user@ourdomain.com", we get a nebulous error: "Unable to validate credentials. An unexpected error has occurred."

Is there any way to debug this further? It's completely preventing us from adopting Azure.

Unexpected error in Azure AD Connect

Adding a VM with O365 domain


From Ben Weeks (@webtechy) via Twitter who tweets:

“How do I join a VM to a domainname.onmicrosoft.com Office365 subscription domain? Do I still need a domain controller ... ?

The customer also confirmed that he was using AzureSupport Windows 2008 R2 (tried joining to domainname.onmicrosoft.com). Clicking on Active D in Azure nav takes me to Subscription needed.”

The customer also DM’d us and confirmed the following:

“I am a contractor here at [PII removed]. The domain is [PII removed] ([PII removed].onmicrosoft.com). They have Office 365. I am unclear whether Azure provides an AD service where [PII removed] can login to all machines, and those machines can be joined to a domain and use service accounts in that domain, or whether we need to install a new machine and full AD (including DNS and domain controller) and create a new domain (e.g. [PII removed]).

If I go to "New" and find "Active Directory" the next screen shows me "No subscriptions found" (and asks me to sign up to Azure). I assume that's how you mean to enable "Azure AD domain services".

We are using a Trial subscription at the moment if that also makes any difference. So far we have created a VM (in "WORKGROUP") that is Windows 2008 R2 SP1. I then tried to join it to both [PII removed] and [PII removed].onmicrosoft.com but get "An Active Directory Domain Controller (AD Dc) for the domain [PII removed] could not be contacted".

Appreciate if you can advise the customer further on the above.

Tweet URL: https://twitter.com/webtechy/status/690187660611207168& DM
 

Thanks,
@AzureSupport

500 Error from Azure ACS After Authenticating with Google


After configuring Google as a provider for ACS using the steps documented here: https://msdn.microsoft.com/en-us/library/azure/dn927169.aspx, I am getting an extremely generic HTTP Error Code: 500 response. There is no ACS Error Code, just (as an example):

An error occurred while processing your request.

HTTP Error Code: 500
Trace ID: dff7ca7f-9020-4ca1-9d1b-5ec7e3048d53
Timestamp: 2016-01-21 16:47:45Z

When I attempt to log in, I am being redirected to Google and redirected back to ACS (the URL that is failing is https://mynamespace.accesscontrol.windows.net/v2/openid). How do I troubleshoot this further? It looks like everything is set up correctly as far as I can tell.

Things I have verified:

  • My Client ID and Client secret are correct (note: the first time I was re-directed I was prompted to grant access and it correctly identified my application as the grantee).
  • The URL listed above (well, the actual one) is listed as an authorized redirect URI in my Google API Manager Credentials section.

Anyone have any other thoughts?


Paul Haag

Authentication Flow When Using a User Account Created By the "User in Another Microsoft Azure AD Directory" Option


Hello, I have several users in "Azure Directory A" that have been created using the "User in Another Microsoft Azure AD Directory" option ( the other directory being our O365 directory). I need to map the flow of authentication for when one of these Directory A users logs into a server or app in Azure Directory A. 

Does the user hit Directory A first and then get redirected to our O365 directory? Does it then get an OAuth token from the O365 directory and then get redirected back to Directory A for authentication there? Or does Directory A contact the O365 directory on the user's behalf? Please help me to understand.

Thanks.

Azure ADConnect Installation


My current installation of Azure ADConnect is failing upon configuration of the synchronization Service Account.

The error log is below; the most important line is "Access to Azure Active Directory has been denied". I have used the credentials provided in the 'Connect to Azure AD' portion of the wizard to connect successfully to both the Office 365 portal and the Azure Portal, and have even created a user directly in Azure AD. The account does not have MFA enabled and is a global admin in the Office 365 tenant and a Service Administrator in Azure AD.

Been troubleshooting for two days now and just a tad stuck.

[11:30:31.740] [ 21] [INFO ] PerformConfigurationPageViewModel.ExecuteADSyncConfiguration: Preparing to configure sync engine (WizardMode=CustomInstall).
[11:30:31.740] [ 21] [INFO ] PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore: Preparing to install sync engine (WizardMode=CustomInstall).
[11:30:31.740] [  1] [INFO ] Starting a background thread in Configuring. Background Task Id: 35.
[11:30:31.740] [ 21] [INFO ] InstallSyncEngineStage.ExecuteInstall called when Sync Engine is already installed.
[11:30:31.740] [ 21] [INFO ] PerformConfigurationPageViewModel.StartInstallation: Preparing to configure sync engine.
[11:30:31.802] [ 21] [WARN ] Failed to read AdalEnabled registry key: An error occurred while executing the 'Get-ItemProperty' command. Property AdalEnabled does not exist at path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect.
[11:30:31.802] [ 21] [VERB ] SyncDataProvider.EnableDirectorySyncFlag: Connecting to MSOL service.
[11:30:31.802] [ 21] [INFO ] ConnectMsolService: connecting using admin credentials.
[11:30:36.283] [ 21] [INFO ] PowershellHelper: DirectorySynchronizationEnabled=True
[11:30:36.283] [ 21] [INFO ] PowershellHelper: DirectorySynchronizationStatus=Enabled
[11:30:36.283] [ 21] [INFO ] PowershellHelper: lastDirectorySyncTime=null
[11:30:36.284] [ 21] [INFO ] Initializing Azure AD connector
[11:30:36.360] [ 21] [INFO ] Creating new azure service account for sync installation 6f020e58b50f4f4cbe411378f6549a5c using global tenant admin **** at ********** dot onmicrosoft dot com
Exception Data (Raw): Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.AzureADServiceAccountException:Unable to create synchronization service account. ---> Microsoft.Online.Coexistence.ProvisionRetryException: An error occurred. Error Code: 51. Error Description: Access to Azure Active Directory has been denied. Contact Technical Support. Tracking ID: 2701914d-2234-47cf-a4a2-2254d226c042 Server Name: .
   at Microsoft.Online.Coexistence.ProvisionHelper.AdminWebServiceFaultHandler(FaultException`1 adminwebFault)
   at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel)
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.TypeDependencies.ProvisioningHelperGetServiceAccount(ProvisionHelper provisionHelper, String identifier)
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.TypeDependencies.ProvisioningHelperGetServiceAccount(ProvisionHelper provisionHelper, String identifier)
   at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetServiceAccount(String identifier)
   at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.UpdateAADConnectorCredentials(IAzureActiveDirectoryContext aadContext, IAadSyncContext aadSyncContext)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.ConfigureSyncEngineStage.StartADSyncConfigurationCore(IPersistedStateProvider persistedStateProvider, StatusChangedDelegate progressChanged)
[11:30:37.539] [ 21] [ERROR] ConfigureSyncEngineStage: Caught exception while creating azure service account.
[11:30:37.539] [ 21] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[11:46:48.683] [  1] [INFO ] Opened log file at path C:\Users\aadc\AppData\Local\AADConnect\trace-20160119-105624.log

How to authenticate to Azure AD in Powershell when the account is MFA enforced?


Can anyone suggest how to Connect-MsolService in Azure AD powershell, when using an account that is MFA enforced?

I am trying to run AAD powershell, but cannot connect since there is no way to produce the credential object in the account that has MFA enforced.

Thanks

Ben


Cannot read property 'accessToken' of undefined


From Raúl Kripalani @raulvk via Twitter
 
Hello @AzureSupport, your API is down. Node client cannot even log in. Most unstable cloud provider ever.

[raul@~/Workbench/ecit/azure$] azure login
info:    Executing command login
|info:    To sign in, use a web browser to open the page aka.ms/devicelogin. Enter the code D53ECMV6D to authenticate.
+
error:   Cannot read property 'accessToken' of undefined
info:    Error information has been recorded to /Users/raul/.azure/azure.err


 Cannot read property 'accessToken' of undefined

https://twitter.com/raulvk/status/690167821184139264


Thanks,
@AzureSupport


Thiene Schmidt


AD -Azure office365 Sync


We had the AD-Azure Office 365 sync tool installed and configured to sync select OUs in our AD to our Office 365 portal. This server physically crashed beyond repair and we are required to install the tool on a new machine. As a proper uninstallation did not happen on the old server, is there anything to be checked before installing the tool on a new server? We don't want a scenario where Office 365 ends up with the same user's account having synced twice, or other issues.

Any advice in this regard is highly appreciated.


Exploring IT...

Azure AD and Multitenant Web API authentication using ADAL from iOS


I'm new to Azure AD development, and I have asked a similar question on StackOverflow, but I don't seem to be getting anywhere.

I have an iOS native app that I'm trying to add Azure AD authentication to. This app will utilize a multi-tenant web api app service with authenticated methods.  Here is the (very) high level architecture I'm attempting to use:

iOS Native Client (ADALiOS) -> Azure AD -> Azure Web API App Service

I'm able to get everything working properly in the single tenant scenario thanks to all of the examples out there. The multi-tenant scenario, however, is giving me trouble.  Using ADAL in my iOS app, my test external tenant user (Global Admin) gets the consent screen with the permissions configured for the app and is able to confirm.  After that, ADAL returns an access token to the iOS client. I then use that token as I would in the single tenant scenario, passing it as the Bearer in the header. However, when I try to make a call to the authenticated service method with that token, I get a 401 back from the server.

The logs on the server give me the following messages (sensitive info obfuscated):

2016-01-21T16:24:44  PID[4208] Verbose     Received request: GET https://MyWebAPIAppService.azurewebsites.net/api/values
2016-01-21T16:24:44  PID[4208] Warning     JWT validation failed: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/*external tenant id*/'. Did not match: validationParameters.ValidIssuer: 'https://sts.windows.net/*internal tenant id*/' or validationParameters.ValidIssuers: 'null'..

From what I see here, it looks like I don't have the proper token issuers specified for the token. I've tried to specify these two URLs in the TokenValidationParameters ValidIssuers parameter, but Azure seems to ignore it. My latest attempt is to disable issuer validation completely - here is my authentication configuration code, currently:

// code from Startup.Auth.cs...

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
            // issuer validation switched off while troubleshooting
            ValidateIssuer = false
        },
    });

...and the settings from my web.config for the Web Api App Service:

<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ida:ClientId" value="*web api app service client ID from Azure AD setup*" />
<add key="ida:Tenant" value="TestAD.onmicrosoft.com" />
<add key="ida:Audience" value="https://TestAD.onmicrosoft.com/MyWebApiAppService" />

I've followed the setup steps in this example: 

https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store

for most of the setup aside from one thing: the actual setup of the app service in Azure. Most of these examples say "Coming Soon" for that bit, so I've tried to piece together a working setup. Here are the steps I took to add my site to Azure App Services:

  1. In the App Services blade (new portal) I've hit the Add button, specified my project name (MyWebApiAppService), selected my company's Azure subscription, resource group, and service plan, then clicked "Create".
  2. Now that I have a placeholder app service, I downloaded the publish profile from the placeholder's blade.
  3. I published the site that I had configured as the "TodoListServiceMT" service in the above example.

That's it for the service. Following the directions in the example, I created the site in Azure AD as specified (and marked it as Multi-Tenant). I also created a Native Client app in the same Azure AD tenant and gave it access to my Web API App Service.

The one thing I did differently from the above example was turn on App Service Authentication. I did this according to this post: 

https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/

I set the "Action to take.." to "Allow request..." and then used the Advanced tab to specify the Azure AD application I had defined previously (providing the client ID and STS URL). 

If anybody wants more details on any of this configuration, I can certainly provide it. My assumption is that this configuration is at least OK for single tenant as everything works with my test internal tenant user.

Finally, here is the code I'm using in my client (obj-c) to get the access token (all in the same view controller):

#import <ADALiOS/ADAuthenticationContext.h>
#import <ADALiOS/ADLogger.h>

. . .

// module level declarations //
NSURLSession *session;
NSString *userADAccessToken;
ADAuthenticationContext *authContext;
NSString *authority = @"https://login.microsoftonline.com/common";
NSString *redirectUriString = @"https://mywebapiappservice.azurewebsites.net/.auth/login/done";
NSString *resourceUriString = @"https://testad.onmicrosoft.com/mywebapiappservice";
NSString *clientId = @"*native client ID from Azure AD*";
NSString *testAPIUriString = @"https://mywebapiappservice.azurewebsites.net/api/values";

. . .

// function to get access token //
- (void)getToken:(BOOL)clearCache completionHandler:(void (^)(NSString *accessToken))completionBlock
{
    ADAuthenticationError *error;
    authContext = [ADAuthenticationContext authenticationContextWithAuthority:authority error:&error];
    authContext.parentController = self;
    ADPromptBehavior promptBehavior = AD_PROMPT_AUTO;
    NSURL *redirectUri = [NSURL URLWithString:redirectUriString];
    if (clearCache) {
        ADAuthenticationError *err;
        [authContext.tokenCacheStore removeAllWithError:&err];
    }
    [authContext acquireTokenWithResource:resourceUriString
                                 clientId:clientId
                              redirectUri:redirectUri
                           promptBehavior:promptBehavior
                                   userId:nil
                     extraQueryParameters:nil
                          completionBlock:^(ADAuthenticationResult *result) {
        if (AD_SUCCEEDED != result.status) {
            // display error on the screen
            dispatch_async(dispatch_get_main_queue(), ^{
                statusTextView.text = result.error.errorDetails;
            });
        } else {
            completionBlock(result.accessToken);
        }
    }];
}

. . .

- (IBAction)testButtonTapped:(id)sender
{
    // attempt to make a call to the specified URI
    // Create the request
    NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:[NSURL URLWithString:testAPIUriString]];
    request.HTTPMethod = @"GET";
    if (userADAccessToken) {
        NSString *authHeader = [NSString stringWithFormat:@"Bearer %@", userADAccessToken];
        // note: this writes the full bearer token to the device log
        NSLog(@"%@", authHeader);
        [request addValue:authHeader forHTTPHeaderField:@"Authorization"];
    }
    [myActivityIndicator startAnimating];
    [UIApplication sharedApplication].networkActivityIndicatorVisible = YES;

    // Make the call
    NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                                completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {
        NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *)response;
        if ([httpResponse statusCode] == 200) {
            // success
            dispatch_async(dispatch_get_main_queue(), ^{
                NSString *stringData = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
                statusTextView.text = stringData;
            });
        } else {
            dispatch_async(dispatch_get_main_queue(), ^{
                statusTextView.text = [NSString stringWithFormat:@"HTTP status code: %ld", (long)httpResponse.statusCode];
            });
        }
        dispatch_async(dispatch_get_main_queue(), ^{
            [self networkActivityStop];
        });
    }];
    dispatch_async(dispatch_get_main_queue(), ^{
        [dataTask resume];
    });
}

The only thing that's not really visible here is what I do with the access token once I get it (the completion block). As this is just testing at this point, I'm simply displaying it in a test area and assigning the value to the module level "userADAccessToken" variable.

Does anything look amiss in the client or server setup or code?  How should I specify valid token issuers when it appears that my bearer authentication setup is being ignored altogether? 

Thank you for any help you can provide
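The issuer check that the IDX10205 line above is complaining about, as an added example that is not code from the original post or from the linked sample. Every Azure AD tenant issues tokens with `iss` of the form https://sts.windows.net/<tenant id>/, so a multi-tenant API cannot pin one issuer the way the single-tenant configuration does, but setting ValidateIssuer = false is the other extreme: the API then accepts a correctly signed token from any Azure AD tenant in the world. The usual middle ground is an allow-list of tenants that have gone through consent/onboarding; the .NET token handler exposes an IssuerValidator delegate on TokenValidationParameters for exactly this, and the block below shows the same logic in Python. It assumes (not from the page) that the token's RS256 signature has already been verified against the tenant's published signing keys, so only decoded claims are examined; the tenant ids, audience and claim sets are constructed sample data.

```python
"""Multi-tenant issuer and claim validation for an Azure AD bearer-token API.

Added example, not code from the original post. Assumes signature verification
has already happened; all tenant ids and claims here are constructed.
"""
import re
import time

# Azure AD v1 issuer: https://sts.windows.net/<tenant GUID>/
STS_ISSUER = re.compile(
    r"^https://sts\.windows\.net/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/$")

# Constructed: tenants whose admins have consented to (onboarded with) the API.
ONBOARDED_TENANTS = frozenset({
    "11111111-1111-1111-1111-111111111111",  # the API's own tenant
    "22222222-2222-2222-2222-222222222222",  # an external tenant that consented
})

# Constructed App ID URI; compared ordinally against the aud claim.
EXPECTED_AUDIENCE = "https://testad.onmicrosoft.com/mywebapiappservice"


def validate_issuer(issuer, onboarded=ONBOARDED_TENANTS):
    """Return the tenant id named in `issuer`, or raise ValueError.

    Rejects anything that is not an Azure AD STS issuer URL (so a token minted
    by some other identity provider never gets further) and any tenant that is
    not on the allow-list (so "any tenant" does not become "every tenant").
    """
    match = STS_ISSUER.match(issuer or "")
    if not match:
        raise ValueError("not an Azure AD issuer: %r" % (issuer,))
    tenant_id = match.group(1)
    if tenant_id not in onboarded:
        raise ValueError("tenant %s has not onboarded" % tenant_id)
    return tenant_id


def validate_claims(claims, onboarded=ONBOARDED_TENANTS,
                    audience=EXPECTED_AUDIENCE, now=None, skew=300):
    """Full claim validation for a multi-tenant API; returns the accepted tenant id."""
    now = time.time() if now is None else now
    tenant_id = validate_issuer(claims.get("iss"), onboarded)
    # The tid claim must name the same tenant as the issuer URL.
    if claims.get("tid") != tenant_id:
        raise ValueError("tid claim does not match issuer tenant")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        raise ValueError("audience mismatch: %r" % (auds,))
    # Lifetime, with a small clock-skew allowance in seconds.
    if float(claims.get("exp", 0)) + skew <= now:
        raise ValueError("token expired")
    if float(claims.get("nbf", 0)) - skew > now:
        raise ValueError("token not yet valid")
    return tenant_id


def is_token_accepted(claims, **kw):
    """Allow/deny wrapper around validate_claims."""
    try:
        validate_claims(claims, **kw)
        return True
    except ValueError:
        return False


# Constructed claim sets, as they would look after signature verification.
EXTERNAL_OK = {
    "iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
    "tid": "22222222-2222-2222-2222-222222222222",
    "aud": EXPECTED_AUDIENCE, "nbf": 1000, "exp": 4600,
}
UNKNOWN_TENANT = dict(
    EXTERNAL_OK,
    iss="https://sts.windows.net/33333333-3333-3333-3333-333333333333/",
    tid="33333333-3333-3333-3333-333333333333")

if __name__ == "__main__":
    print(validate_claims(EXTERNAL_OK, now=2000))        # onboarded external tenant
    print(is_token_accepted(UNKNOWN_TENANT, now=2000))   # False: not onboarded
    # Pinning only the internal tenant reproduces the IDX10205 failure:
    print(is_token_accepted(EXTERNAL_OK, now=2000,
                            onboarded={"11111111-1111-1111-1111-111111111111"}))
```

Passing only the internal tenant as the allow-list is the single-tenant behaviour from the log: the external tenant's token is rejected. Adding the external tenant to the allow-list (the effect of a completed consent flow) admits it without opening the API to every other tenant.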


Problem setting up Outlook to Office 365 with Azure AD Sync implemented


Hi guys,

We're just doing a migration over this weekend and we've implemented Azure AD Connect with a brand new DC with a brand new AD user list. Everything's going great... but we got a weird issue.

1) When a user goes to set up an Outlook profile, it automatically sees the user's email address and name and tries to search for the settings. It then just sits there and searches but never finds the settings, nor times out. It's doing the same thing as if there were an Exchange server on the network and it automatically goes and tries to autodiscover.

2) we are moving away from an SBS 2011 box. The SBS 2011 box is domain.LAN, new DC is domain.LOCAL. All the machines on the network are connected to the 'new' domain.LOCAL domain and all DNS is pointing to the new DC. Basically, nothing should be referencing the old SBS box. 

Unfortunately we can't turn off the SBS box just yet as the mail is still being pushed up to the cloud. 

Does anyone know what might be happening here?

Also, all the Office 365 DNS records are in there fine and autodiscover is working (tested on iphone).

Any help would be appreciated! thanks.

Graph API: access to /drive/root for one user always returns Access Denied


Accessing other users' /drive/root and /drive/root/children works fine.

But for this specific user it returns:

{
  "error": {
    "code": "-2147024891, System.UnauthorizedAccessException",
    "message": "Access denied. You do not have permission to perform this action or access this resource.",
    "innerError": {
      "request-id": "4214d5c3-0753-4df5-bc6d-1b23e221804c",
      "date": "2016-01-21T20:44:30"
    }
  }
}

The user had troubles logging in and had to reset his password (administrator initiated the reset password process for him). Now he can login, but after that we started getting those errors.

Please help.

Graph API: getting list of drive items with app-only permissions


Hi,

I have set up an app with all possible app and delegated permissions for Graph API.

I use app-only token to make requests.

When I try to access mail and mailFolders for every user in organization everything works perfect.

But when I try to access drive items for every user /drive/root/children always return empty list, even when /drive/root returns {'folder': {'childCount': 4}}.

Meanwhile in the Graph Explorer I get the list of children for all users.

Is it possible to retrieve drive items for each user with app-only permissions?

Thanks

Graph API: drive items permissions never return result


Hi,

I am trying to access drive item permissions with both app-only permissions and Graph Explorer, and they never seem to return a result: neither for my own user nor for other users.

It's always empty list even though I have some folders shared with other members.

Questions:

- Is it possible to get list of permissions for each drive item of every user using user-authenticated app?

- Is it possible to get list of permissions for each drive item of every user with app-only authenticated app? (might be related to my other question https://social.msdn.microsoft.com/Forums/azure/en-US/44b500fc-47a7-4ca0-81db-6dd1bbdda061/graph-api-getting-list-of-drive-items-with-apponly-permissions?forum=windowsazurewebsitespreview)

Thanks


Most recent beta version (preview2) missing -CurrentCredentials from Connect-MsolService

Most recent beta version (preview2) missing -CurrentCredentials from Connect-MsolService.  Is there a reason this is no longer available?

What do "Universal Store Native Client" and other sign-in applications mean?


Hi everybody. I'm inspecting Azure AD user sign-in activities, where I find these three applications: "Universal Store Native Client", "Accounts Control UI" and "Unknown First-Party App". What do they refer to? Thanks!

Ryan

AZURE API ERROR:A security token validation error occured for the received JWT token

I am working on Azure cloud services and trying to access my cloud resources from an API using JSON Web Tokens. According to the OAuth protocol, first I request an access code. Then I use the access code to obtain a JWT token. But when I use this token to access resources, the server replies with the error "AZURE API ERROR:A security token validation error occurred for the received JWT token". I don't know the cause of the error. I already rechecked the token parameters.

Azure Active Directory in classic portal only?


I know MS is trying to get us to use the new Resource Manager portal for all new deployments. It seems that I can only provision Active Directory services in the classic portal. Is this correct? It also seems that I can't deploy VMs in the new portal either if I want them to be able to communicate with the Active Directory since the two portals can't share VNETs.

Does MS envision a migration path for these services into the new Resource Manager at some point or will we have to re-provision? Just trying to figure out if I should hold off on this deployment or move forward. 

Unable to upload application manifest file


I am trying to use AD OAuth2 client credential grant to authorize my app against O365 Sharepoint api. I created my app on corporate Azure AD, downloaded the manifest file, updated it but I have been unable to update the file. It returns the below error message:

ParameterValidationException=Invalid parameters provided; BadRequestException=Existing credential with KeyId '<KeyId-here>' must be sent back with null value.;

When I re-download the manifest file all attributes within the "keyCredentials" is updated correctly but not the value (certificate base 64 value), the value is always "null". Any idea why it is preventing me from updating the base64 value? Thanks.

-Winston




Going Against All Odds
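The manifest rule stated in Winston's error message, as an added example that is not code from the original post. The service says an existing credential, identified by its keyId, must be sent back with a null value; the re-downloaded manifest showing null for the certificate value is the same convention from the other direction. The helper below rebuilds the keyCredentials array that way: every entry already in the downloaded manifest is kept with its keyId and customKeyIdentifier and its value set to None, and the new certificate is appended with its base64 DER as the value and the base64 SHA-1 thumbprint of that DER as customKeyIdentifier. Assumptions not from the page: the certificate is supplied as DER bytes, and the bytes used in the sample run are a constructed stand-in rather than a real certificate.

```python
"""Rebuilding keyCredentials for an Azure AD application manifest upload.

Added example, not from the original post. Existing entries go back with
value=None; the new certificate is appended with its DER and thumbprint.
Sample manifest and DER bytes are constructed, not real.
"""
import base64
import hashlib
import json
import uuid
from datetime import datetime, timedelta, timezone

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"


def thumbprint_b64(der):
    """Base64 of the SHA-1 thumbprint, which customKeyIdentifier carries for X.509 keys."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def null_out_existing(key_credentials):
    """Copy existing entries unchanged except value=None, as required on re-upload."""
    return [dict(cred, value=None) for cred in key_credentials]


def _as_datetime(start):
    """Accept None (now), an ISO_Z string, or a datetime."""
    if start is None:
        return datetime.now(timezone.utc)
    if isinstance(start, str):
        return datetime.strptime(start, ISO_Z).replace(tzinfo=timezone.utc)
    return start


def new_key_credential(der, start=None, valid_days=365, key_id=None):
    """One keyCredentials entry for a new certificate (public key, usage Verify)."""
    start = _as_datetime(start)
    return {
        "customKeyIdentifier": thumbprint_b64(der),
        "keyId": key_id or str(uuid.uuid4()),
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "startDate": start.strftime(ISO_Z),
        "endDate": (start + timedelta(days=valid_days)).strftime(ISO_Z),
        "value": base64.b64encode(der).decode("ascii"),
    }


def add_key_credential(manifest, der, **kw):
    """Return a copy of `manifest` with old credentials nulled and the new one appended.

    Refuses to add a certificate whose thumbprint is already listed, since that
    would register the same key twice under different keyIds.
    """
    existing = manifest.get("keyCredentials") or []
    new = new_key_credential(der, **kw)
    if any(c.get("customKeyIdentifier") == new["customKeyIdentifier"] for c in existing):
        raise ValueError("certificate with this thumbprint is already registered")
    updated = dict(manifest)
    updated["keyCredentials"] = null_out_existing(existing) + [new]
    return updated


# Constructed: a downloaded manifest with one credential (value already null,
# as a downloaded manifest shows it) and stand-in DER bytes.
SAMPLE_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "keyCredentials": [{
        "customKeyIdentifier": "oldThumbprintBase64==",
        "keyId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "type": "AsymmetricX509Cert", "usage": "Verify",
        "startDate": "2015-01-01T00:00:00Z", "endDate": "2016-01-01T00:00:00Z",
        "value": None,
    }],
}
FAKE_DER = b"\x00\x00\x00"  # stand-in; a real upload needs the certificate's DER

if __name__ == "__main__":
    out = add_key_credential(SAMPLE_MANIFEST, FAKE_DER,
                             start="2016-01-21T00:00:00Z",
                             key_id="bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb")
    print(json.dumps(out["keyCredentials"], indent=2))
```

The copy-then-replace in add_key_credential leaves the downloaded manifest object untouched, so the original can be diffed against what is uploaded; a real run would read the DER with the certificate's bytes rather than FAKE_DER.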
