Channel: Azure Active Directory forum

How to migrate with AD Connect to ADFS?


I would like to know the proper steps to take to migrate from different situations.

How to migrate with existing Azure AD accounts to ADFS?
Will it automatically convert Azure AD accounts to the ADFS / On premises AD accounts?

How to migrate with existing on premises AD accounts in Azure AD with AD Connect Sync to ADFS?
Will it automatically convert/link current on premises AD accounts in Azure AD to the ADFS / On premises AD accounts?

And in case things fail how do I go back from ADFS to Sync?

Just to make sure I don't lose any mail or other user data.



John


Azure AD Roles in token don't appear immediately on account creation


We are using Azure AD with the free pricing tier for multiple tenants while we develop.

On each tenant, we are using Application roles to map roles to user groups.  This is provided as a convenience to our web developers so they can receive an auth token that includes a "roles" collection and thus avoid having to call Graph API to determine the groups to which a user belongs.

This has been working well, but we discovered some time back that if a user attempts to authenticate within 20 seconds of account creation, the token they receive does NOT contain the "roles" collection in the claims.   After about 20 seconds, if they re-authenticate they will get a token that contains the roles collection.  The problem manifests itself because the client app tries to log in immediately after calling our API which, among other things, creates the user account and adds it to groups.  At this point they get a token without a "roles" claim.  About 20 secs later (but may be up to 50 secs) if they try again the token has the roles claim.

Is this expected behaviour?  Is it something that may go away when we go to "basic" tier pricing? 

Thanks
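
Added example, not code from the post or from any Azure AD library: a client-side check that verifies a token, reads its "roles" claim, and re-acquires with a bounded delay instead of assuming the claim is present right after account creation. The HS256 signing secret, the sample claims and the 6 x 10 s retry budget are assumptions made so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for the sample tokens. Assumption: real Azure AD
# tokens are RS256-signed and must be validated against the tenant's published
# keys; HS256 with a local secret is used here only so the example runs offline.
SAMPLE_SECRET = b"constructed-example-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an HS256 JWT carrying `claims` (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SAMPLE_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verified_claims(token: str, now: float = None) -> dict:
    """Check structure, signature and expiry, then return the payload claims.
    Raises ValueError rather than returning claims from an untrusted token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SAMPLE_SECRET, f"{header}.{payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def roles_in_token(token: str) -> list:
    """App roles from the 'roles' claim; [] when the claim is absent, which is
    what the post observes for tokens issued right after account creation."""
    return list(verified_claims(token).get("roles", []))


def acquire_token_with_roles(acquire, expected_roles, sleep=time.sleep,
                             attempts=6, delay_s=10):
    """Re-acquire tokens until every expected role is present or attempts run
    out (assumed budget: 6 x 10 s covers the 20-50 s lag the post describes).
    Returns (token, roles) on success, (None, last_roles) otherwise."""
    roles = []
    for attempt in range(attempts):
        token = acquire()
        roles = roles_in_token(token)
        if set(expected_roles) <= set(roles):
            return token, roles
        if attempt < attempts - 1:
            sleep(delay_s)
    return None, roles
```

Pass a real token-acquisition callback (for example an ADAL/MSAL call) as `acquire`; the default sleep waits the full delay between attempts.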


Strange screen when users click "can't access your account" link


When our users click the "can't access your account" link to reset their password (screenshot below), they are presented with a weird and very unprofessional looking screen (screenshot and URL below).  Is this normal?  Why does it give you the password reset URL in plain text, why wouldn't it just automatically forward you to the appropriate page?  Something seems broken with this workflow.

https://passwordreset.microsoftonline.com/PasswordResetInstructionsPage.aspx?ru=https%3a%2f%2flogin.microsoftonline.com%2fcmdevapps.onmicrosoft.com%2freprocess%3fctx%3drQIIAY3QPU7DMBjGcbmBgS5USAysKFOlN7VjO7a7VQyICSRO8MYfNKKJoyZl4BiMHKELEhOqxB06IkYmjsBIO7OwPMN_-ukZHrKMZvk4YRmbpgxdSWkQoFUIIFAEMKqwYDBXubXSK8WXJ8PRxezm9gp_Ll_y91E5Zndrcj7v-7abTibYtpldxJWrveviYtVXsekyG-vJGyFbQr4JWQ9SKjDoghaguaAgOAbQaC04bWQhkQfKzOfg-Hq26uf5fuKyevRff8pTchpb31TOxqbxts8q18d73zwnqWWaOiYDOMMFCC0loEEOCrnXKKmVUrwmZ7Z2_mGH7rLY1JVdxi6Gfu_dJGnwQmkmGPCc7ZSFpYDoS9AiFFIZL4TyHwnZHpDN0T8O-AU1&mkt=en-US&x-client-Ver=1.0.2&username=jhoward%40app.cloudmedsolutions.com

When our application users click the 


- Jeff

relation between AD users and application entities

Hi, I am a Tunisian student from Esprit. I am working on a PaaS / SaaS project named TuniSaasMall (Mall Management) using the Azure platform.
After the UML conception phase we faced some problems implementing the class diagram in relation with Azure Active Directory.
The big question is, how to ensure the communication between our users contained in AD and all the other entities in our project which will be created with Asp.Net (which will be persisted in our Azure Database).


User Deleted but still showing in AD


From Dave Small (@davesmall28) via Twitter who tweets:

“How to delete Azure AD directory that says it has existing applications that need deleted but only VSTS or O365 api.”

Customer was sent the documentation on  http://blogs.msdn.com/b/ericgolpe/archive/2015/04/30/walkthrough-of-deleting-an-azure-ad-tenant.aspx however this did not help the customer.

The customer also added: “Also deleting the Azure User from the Office365 Portal breaks the link. #GoneButNotDeleted #CleanAzurePortal #SomeoneElsesMess. You can't remove or delete Azure Directory  from the portal that is attached to MSOnlineServices.”

Tweet URL: https://twitter.com/davesmall28/status/698080444710064128
 
Thanks,
@AzureSupport

Azure AD proxy unable to view internal site


Unable to access internal SharePoint site (on-premises SharePoint 2013) using Azure AD proxy. Licence is assigned to user and URL is correct. I would appreciate it if a support specialist could assist in resolving the issue.

Kind regards,
Nitin Aggarwal

naggarwal@lifestyleit.com

Active directory webapp webapi multitenant openidconnect


I'm trying to set up two tenants in Azure AD B2C. I have created two apps, a web app and an API app. Active Directory requires us to add the app in each tenant, then we have a set of keys per tenant to do the OAuth dance.

I'm using UseOpenIdConnectAuthentication in the OWIN pipeline to handle the OAuth dance. The OWIN middleware requires the clientId during the configuration, and this is my problem. I want to get the client id using the HTTP host header, which is not available at that point.

What am I missing here?

thanks,

Tenants:
Tenant1.onmicrosoft.com
Tenant1.onmicrosoft.com

Apps:
Todo multitenant web app.
Todo multitenant web API.

Each tenant has its own URL to access the same web application. On startup:

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Read host header, find client id and app key
        // use UseOpenIdConnectAuthentication
        ConfigureAuth(app);
    }
}


Unable to install Windows Azure AD Sync Tool 1.0.7020.0


Been getting "Azure AD did not register a synchronization attempt from Identity Sync tool" recently.  Ran troubleshooting on the server and one of the issues was that the DirSync client was too old.  Downloaded the latest one but unable to install over the old version; it keeps telling me that I'm not a member of the Synchronization Engine FIMSyncAdmins group.  I verified that I'm a member of the FIMSyncAdmins group, rebooted the server, still the same message.  Help!!!

All servers in the environments are Windows 2012 R2 (virtual), and DirSync tool is installed on backup Domain Controller. 


Roget Luo


Group policy in Azure AD Domain Services


Hello,

Throughout the Azure AD Domain Services documentation, it mentions that you can configure group policy for users and computers. Can you tell me where I can access the settings of that group policy for my domain? I cannot find it anywhere. 

FYI, the goal I am trying to accomplish is to set up a domain without an on-premises domain controller. The services I need are ID management (username/password) and settings management (group policy).

Thanks, 

Trent

Error Message when attempting to re-run the AADSync tool


I cannot find any reference to a solution.

Error message 'Cannot Change Configuration' - The current user requires Admin access to the Microsoft Azure AD Sync service.

The error goes on with this description: "What to do next:

Close the Azure AD Connect wizard. Ensure the current user is a member of either the Administrators or ADSyncAdmins group and has logged off/on since joining the group.

The issue is that there is no such service right now and there is no such group. We searched services and found nothing.

Then I figured it might be related to the database. Didn't find a database. Searched for a reference to the database in the registry and it was not there.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftAzureADConnectionTool and that does not exist.

Not sure what to do for this situation. Any suggestions?

ADFS Authentication Redirect Freezes



Hello, I will try to only give pertinent information.

From my mobile (iphone), native app can't redirect from Azure AD login to on-premise AD login.  

Screen shows "Redirecting..." indefinitely.

Interestingly, when on Wi-Fi, if I set up a proxy on the phone by directing the phone to Fiddler running on my pc, the mobile app login will redirect without a problem.   

Here is my setup:

I only need AAD in order to authenticate.  I am not using any web apps (sharepoint etc.)

Xamarin native app running on iPhone 6.  App needs to authenticate through Azure AD synced to on-premises AD.  App uses the ADAL library for authentication.

Azure is set up with Azure AD Proxy Server (I have tried with and without the proxy server, but it is my understanding that the proxy server is required to connect externally).

I have installed two apps in Azure mgmt portal.  My native app, and my proxy app.

Authentication is only successful if I go through the Fiddler proxy (decrypt HTTPS must be turned on), or if I enter the URL into a browser (Fiddler not needed).  The URL generated by my app looks something like this:

https://login.microsoftonline.com/0123451-5491-403d-9dde-e50cbf75e25d/oauth2/authorize?resource=https%3A%2F%2Fmobilityproxyapp-pvision365.msappproxy.net%2F&client_id=512345d-ec67-4bf3-9d55-28a8ff339df2&response_type=code&redirect_uri=https%3A%2F%2Fpvision365.onmicrosoft.com%2FmobilityDemo&client-request-id=47123453-6848-4454-a716-6c8f36acf53c&prompt=login&x-client-SKU=PCL.iOS&x-client-Ver=3.7.0.0

I have also installed 2 certificates on the phone, one generated for the Azure AD Proxy, and one for Encrypt/Decrypt.  Since the "Fiddler" solution only works with the decrypt option turned on, I thought I might need to have that Azure certificate. (even though I have read that it is optional)

Thank you, in advance, for any advice you can provide.

Inviting a user with B2B collaboration invite failed when there is a mail contact with the same email address?


We faced a problem when trying to invite new users to tenant when there are already mail contacts in Exchange with the same SMTP address existing.

 

Steps to reproduce:

1. Create a mail contact. PS: New-MailContact -Name "Jani Holopainen" -ExternalEmailAddress "jani.holopainen@xxxxx.com"

2. Create a csv file for the invite, e.g.

Email,DisplayName,InviteAppID,InviteReplyUrl,InviteAppResources,InviteGroupResources,InviteContactUsUrl

jani.holopainen@xxxxx.com,Jani Holopainen,00000003-0000-0ff1-ce00-000000000000,https://xxxxx.sharepoint.com/,,9c35112e-5c3e-462f-be87-e631ddaa28a6,https://www.xxxxx.com/

3. Go to Azure AD/Add Users/Users in partner companies and insert csv file above

4. Invite fails with error: "Directory invite operation failed"

Download Errors show:

DisplayName,Email,InviteAppID,InviteAppResources,InviteGroupResources,InviteReplyUrl,InviteContactUsUrl,ErrorStatusMessage

Jani Holopainen,jani.holopainen@xxxxx.com,00000003-0000-0ff1-ce00-000000000000,,9c35112e-5c3e-462f-be87-e631ddaa28a6,https://xxxxxx.sharepoint.com,https://www.xxxxx.com/,Directory invite operation failed

5. Delete mail contact created in step 1

6. Do step 3

7. Invitation succeeds, status = Email delivered to the email server

8. Now I can also create the Mail Contact with PS in step 1

 

We can share sites to external users while there is a Mail Contact with the same email address. Why don't B2B user invites work in the same way? Do we need to first remove all Mail Contacts with duplicate email addresses before inviting users? Is there a workaround for this? Or is this something that is going to get fixed in the B2B release version?

Configuring user provisioning with ServiceNow


Hi Team,

After successfully integrating Azure AD with ServiceNow (Eureka) we were able to "Enable automatic user provisioning to ServiceNow" without any issues.

After this, we ran into the "department field" issue, which got resolved.

Now our account provisioning is not working and we get: NullPointerError

Any suggestions?

Thanks, Surinder

[ AAD ] : Any API to add new domain to the existing CSP customer?


Hi,

Is there any CREST or Graph API by which we can add a new domain to an existing customer?

(I posted the same question in the Microsoft Partner Center API forum and was redirected to post it in AAD; please find the link for details.)

https://social.msdn.microsoft.com/Forums/en-US/abb284ae-fffe-49c7-9f6a-43327d00ebf4/-csp-any-api-to-add-new-domain-to-the-existing-customer?forum=partnercenterapi

Regards,

BG

Accessing Graph APIs


Hi,

I am accessing the graph api -

"https://graph.windows.net/microsoft.com/users/?$filter=startswith(mailNickname,'" + loggedinuser + "')&$top=" + "10" + "&api-version=1.5"

- and I am getting a forbidden error 403, but when I try to access the API with the "me" attribute, the data is returned. And one more thing: I am giving the credentials as

ClientCredential credentials = new ClientCredential(app 1 details); for one of my apps it's coming back OK, but for another application the error thrown is 403 (for app 2 details), and I am the owner of both these apps. Is there anything to be checked?

 


unable to sync new domain to office 365


Hi folks,

I have set up a new domain in Office 365, devdomain.com. We already have the primary domain syncing to Office 365. The new devdomain.com is routable and already successfully added to Office 365. I have added a new devdomain UPN suffix to on-premises AD and created a new user with a devdomain userPrincipalName; however, I don't see the new user in the Office 365 environment.

We are using Microsoft Azure Active Directory Sync. I am seeing the following in the search connector space, and the lineage object shows as a normal disconnector.

https://social.technet.microsoft.com/Forums/getfile/803367

What do I need to do to get this new domain syncing to Office 365?

Thanks.


Regards, Navdeep

Does Azure Have LDAP Public URL?


Hello! 

Azure AD customer @tamilkovan asked a question via Twitter if LDAP has a public URL to access.

"We have an Active Directory hosted in Azure. The App team wants the LDAP URL to access from the internet. Do you think Azure will have a LDAP public URL?"

Twitter Conversation: https://twitter.com/tamilkovan/status/697612682589941761

Thank you for looking into the inquiry!

@AzureSupport


Is it possible to selectively grant AD premium licences to my users based on AD groups?


Hello,

I have an Office 365 subscription for several thousand users. Only a few hundred require the AD Premium features; is it possible to select AD Premium licences for some users and not others?

If so, when I enable AD Connect password write-back for some users, what happens when non AD premium users change their Azure passwords or try using SSPR?

Thanks

Custom Domain Unverified


Greetings.  I am attempting to verify a custom domain in AZ AD.  Using PS I can see the DNS TXT record I have created matches what AZ AD has.  AD Sync is working, even ADFS has the trust set up for the custom domain, but in AZ AD/Domains it still lists the custom domain as unverified.  It has been days waiting for it to pick up the DNS record.

Everything looks like I would expect it to, sync is working, ADFS, I am just unable to get the custom domain to verify.  I did use AAD Connect instead of AD Sync that is the only thing that would be different than doing this in the past.  

Any ideas on what I am missing?

TIA

As a Microsoft Partner, how to access Azure AD Domain Management API after sell customer Office 365 Product.

Hi All,
We are a Microsoft Partner/reseller providing our customers Microsoft products, Office 365 for example.  We are using a set of reseller info (App ID, Key and domain) to communicate with the CSP Commerce REST API (CREST API) to create customers and subscriptions in the Microsoft Partner console.
https://msdn.microsoft.com/en-us/library/partnercenter/dn974944.aspx

Now we want to use Azure Domain Management API to help our customers to verify their domain names programmatically. 

http://blogs.msdn.com/b/aadgraphteam/archive/2015/07/24/announcing-the-preview-of-domain-management-api.aspx
After reading a number of docs, we still have some questions; hopefully we can get some help from the forum and you guys.
1.  Which set of (App ID, Key and domain) shall I use?  I tried the reseller info which was used for the CREST API. With it I am able to get an AAD token, but not to call the other functions.  If I should use the customer's set of info, where shall I get the customer (App ID, Key and domain)?
2. From this doc, (https://azure.microsoft.com/en-us/documentation/articles/active-directory-how-subscriptions-associated-directory/#manage-the-directory-for-your-office-365-subscription-in-azure)
For completely new customers, after they purchase an Office 365 product in the portal, they still need to sign up for Azure to use the Azure portal.  Do I need to "Add an application my organization is developing" to get the customer set (App ID, Key and domain)?
If yes, is there any API we can use to get this customer set (App ID, Key and domain)? We are trying to automate the whole purchase and provisioning process, and human intervention is the last thing we want to use :)
Thanks very much in advance, and attached is some error output from Question 1.

----------

Question 1: Error when using the reseller set of info to try the /tenantDetails function.
-----

AADToken is OK

Request Url = https://login.microsoftonline.com/xxxxx/oauth2/token?api-version=1.0
Request Body = [grant_type=client_credentials, resource=https://graph.windows.net, client_id=exxxxx, client_secret=xxxxx]


----------

tenantDetails function has error

input request, https://graph.windows.net/xxxxx.onmicrosoft.com/tenantDetails?api-version=1.0
org.sampleapp.exceptions.SampleAppException: The identity of the calling application could not be established.
    at org.sampleapp.services.HttpRequestHandler.handleRequest(HttpRequestHandler.java:135)
    at org.sampleapp.test.ApiTest.testgetTenantDetails(ApiTest.java:82)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:45)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:42)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:263)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:68)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:47)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: https://graph.windows.net/xxxxx.onmicrosoft.com/tenantDetails?api-version=1.0
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1839)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.sampleapp.services.HttpRequestHandler.handleRequest(HttpRequestHandler.java:82)
    ... 25 more


