Channel: Azure Active Directory forum

Azure Domain Services DNS cannot resolve public host names


Hi together,

since this week my Azure VMs (Windows 2012 R2) are not able to connect to the internet anymore because the DNS lookup of host names fails. The VMs are joined to an Azure Active Directory Domain Services domain.

I set up the Domain Services as described here: https://github.com/Azure/azure-content/blob/master/articles/active-directory-domain-services/active-directory-ds-getting-started-vnet.md

In the past few weeks I used PowerShell and WinRM to connect to my VMs and install updates, download additional software and install them remotely. That worked like a charm.

In a remote desktop session I tried to ping bing.com with no success. An nslookup resulted in a timeout.

As a workaround I added two public DNS server IPs to my classic vnet configuration.

Is there any reason why the Domain Services DNS is not working the way it did before?

Kind regards

Philip


MS Azure AD Connect - "The specified domain does not exist or cannot be contacted"


We are doing a custom configuration with multiple domains in a single forest. I am able to connect to the Azure AD. When I get to the connection for the Active Directory directories, I am not able to connect to one of the child domains. I have the FQDN of the domain and also use the FQDN\SVC_ADAZ, but it fails to add the directory with the SVC account in that domain. That account was also added to Domain Admins as a troubleshooting step, but no difference. From the Azure AD Connect server we have set up, we can ping the domain and telnet to the domain on all of the required ports: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-ports/

The logs don't reveal anything except that the add was started and completed. But it does not show as added in the Connect wizard.

Any troubleshooting suggestions would be appreciated.

Briam

Validate an existing username and password against azure active directory


I have a WCF service that is currently being passed a username and password. Is there a way I can validate these credentials against my sample Azure Active Directory user list?

I'm currently trying the following, but it just returns Bad Request. Could someone point me in the right direction?

using System;
using System.Net;
using System.Text;
using System.Web;
// Build and send the OAuth2 password-grant POST to the tenant's token endpoint
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(String.Format(StringConstants.AzureADSTSURL, tenantName));
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
string postData = "grant_type=password";
postData += "&resource=" + HttpUtility.UrlEncode(StringConstants.GraphPrincipalId);
postData += "&client_id=" + HttpUtility.UrlEncode(appPrincipalId);
postData += "&username=" + HttpUtility.UrlEncode("UserName");
postData += "&client_secret=" + HttpUtility.UrlEncode(secret);
postData += "&password=" + HttpUtility.UrlEncode("Userpassword");
byte[] body = Encoding.ASCII.GetBytes(postData);
using (var s = request.GetRequestStream()) s.Write(body, 0, body.Length);

 

Possible to use aka.ms/devicelogin with parameters?


Hi together,

I'm using aka.ms/devicelogin to authenticate my UWP app for IoT with Azure AD. There the user has to enter the generated code for the specific device. Could it be possible to generate a URL with parameters to get the code filled in directly? For example: https://aka.ms/devicelogin#123456789 (not working!)

Edit: I also tried https://aka.ms/devicelogin?code=123456789 which results in an error:

{"Error":"true","CorrelationId":"9f72b1d4-43a8-4d7f-a8bf-b534287297a1","Timestamp":"2016-02-16 14:39:48Z"}

I would like to generate a QR code that the user can scan with his smartphone, so that he just needs to enter his credentials and not the code.

Is that possible?

Best regards

Markus


Is it possible to do AD authentication without using Directory Services..?


I have already built a web application in Visual Studio 2010. As a new requirement I have to implement Windows Azure Active Directory (WAAD) as another option on the existing login page.

I also got a federation URL like this from the client:

login.microsoftonline.com/637285c9-5925-41c8-8c29-c08199fj718/federationmetadata/2007-06/federationmetadata.xml

Ideally the process is like below:

01) In the web application, pass the user name and password to my WCF service

02) Using the WCF service, authenticate against WAAD

03) In the web application, get the return value from the WCF service.


My question is: is it possible to do it using WCF? Can you provide sample code for that?


Unable to protect content with Azure RMS. Error code 0x800704DC


Hello.

I set up a test environment with Azure AD tenant and enabled RMS subscription.

On the corporate side I have set up an ADFS 3.0 server and an ADFS Proxy in the DMZ. I confirmed that ADFS authentication works externally, since I can log in to manage.windowsazure.com via the ADFS login screen.

But if I try to use the RMS client to protect a document, I am asked for credentials and will get that error message.

unable to protect content

There are no error messages on the ADFS proxy or ADFS. I do not have access to logs "in Azure cloud" and I can't open a ticket with Azure support - it is a free trial...

Please, help me.

Slava

There is a Process to Decrypt RMS for LiveID Files


Hi, all.

I am the Microsoft person personally communicating with and decrypting files for those affected by the shut off.  I would like to confirm there is a process to decrypt and return files that have been left encrypted by the shutoff of this service.

To use this service, send a message to rms-team@microsoft.com requesting decryption.  Please use the subject line "Process to Decrypt RMS for LiveID Trial Files."  I will send you a response with our terms and conditions which you'll have to accept.  Then you can attach your files and, if the owner of the file (i.e., the email address of the person who encrypted the file) matches the email address of the person sending the file, I will decrypt and return the file to that address.

Note that if you password protected the file in addition to RMS encryption, we have been unable to decrypt those files.

Thank you for your patience.

Mike

AADSync users not synced:::


Hi All,

I created a test Windows AD forest and two new user accounts, then set up ADFS and WAP servers, all running in Azure; no issues here, the installation went smoothly. I added the two users to a test sync group, then installed the AD Connect tool, selected the ADFS custom sync options, chose mostly the defaults and group sync, and selected sync now at the end of the ADC tool installation. Again no issue, but my two test users are not synced to AAD. I checked the sync service tool: connection status success, no errors. I logged into the Azure portal and checked AAD - Directory sync "Activated" but LAST SYNC "has never run". I assume that with the default AADC scope sync rules in place at least my two test users should be synced. What am I missing?

Are there specific user account attributes required for sync to work, and why does AAD sync show never run? Any clues highly appreciated.

Thanks,


No SAML response from Azure AD?


Hi

When I try to log in to my app from the Azure AD SSO app I created, I see no HTTP SAML response.

There is an HTTP redirect request, but it's an HTTP GET, not a POST:

https://account.activedirectory.windowsazure.com/applications/redirecttofederatedapplication.aspx?Operation=LinkedSignIn&applicationLinkName=myappname&applicationId=myappid HTTP/1.1

In more detail, this is the sequence of calls:

1. GET https://myapps.microsoft.com/signin/myapp/appid HTTP/1.1

2. GET https://account.activedirectory.windowsazure.com/applications/signin/myapp/appid HTTP/1.1

3. GET https://account.activedirectory.windowsazure.com/applications/redirecttoapplication.aspx?Operation=LinkedSignIn&applicationLinkName=myapp&applicationId=appid HTTP/1.1

4. GET https://account.activedirectory.windowsazure.com/applications/redirecttofederatedapplication.aspx?Operation=LinkedSignIn&applicationLinkName=myapp&applicationId=appid HTTP/1.1

5. (After redirect) GET https://mySamlLoginURL HTTP/1.1

This is something new; the app was working (with a SAML HTTP POST redirect) last week.

What happened?



Redirect to a new home page after ACS Custom Login


Hi,

I have an MVC application authenticated through an ACS custom login page. The home page that is rendered after the login is https://localhost:44302/home/index. My application generates emails with different links for each user. My requirement is that when the user clicks on the link, he should be navigated to https://localhost:44302/order/{parameter} after the ACS custom login. The {parameter} value will be different for each user, e.g. https://localhost:44302/order/10 for a user.

The link generated in the custom login page (downloaded from the management portal) is now

https://btest.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=https%3a%2f%2flocalhost%3a44302%2f&reply_to=&context=&request_id=&version=1.0&callback=ShowSigninPage

I can generate this link dynamically along with the new URL and the parameter, and insert it in the ACS custom login page. Where should I include the new URL https://localhost:44302/order/{parameter} in the above URL?

When I inserted it in the reply_to query parameter, it throws an ACS error that it is not configured as a reply-to URL in the management portal. When I inserted it in the context query parameter, it does not recognize the new URL; it keeps on redirecting to the home page.

Where should the new URL be embedded in the above ACS custom login page URL to redirect to the new page?

Thanks. 


Azure Active Directory Domain Services: Portal Created Accounts sync different than GraphAPI Created Ones


Hi @All

We created a nice-looking registration page to allow specific users to create an account in our Azure AD which has DS enabled. The registration page is a trusted "App" in the AAD and creates users by using the Azure Graph libraries as described here: http://justazure.com/azure-active-directory-part-5-graph-api/.

When it comes to account creation, everything works fine, except one neat detail. Accounts created via the Azure Management Portal own the attribute "userName" which gets populated to the AAD DS, whereas accounts created via the Graph API don't have such an attribute.

See the POST request to the Azure Management Portal when creating a new user; not sure if this is only UI, but probably this is additional information which is used for defining the username in DS.

Compared with users created by the Graph API, the attributes synced to the AAD DS are significantly different.

Max Muster was created by using the Portal (like the one above) whereas Michael Schnyder was created by the Graph API.

What I found is different:

- CN
- distinguishedName
- name
- sAMAccountName

Question: How can the Graph API be called so that the AAD DS behaves the same as for users created in the Management Portal?

BTW: This editor is too small and buggy, just a shame for such a modern and forward-looking company. Please update / migrate asap... How do you appreciate customer feedback when this channel is almost unusable?

Authorize an AAD Service Principal for the Service Management API


Hi,

I am trying to create a service principal that can access Azure Resource Manager APIs and Azure Service Management REST APIs using OAuth. I followed the guide at https://github.com/Azure/azure-content/blob/master/articles/resource-group-authenticate-service-principal.md to create such a service principal. However, the created service principal can only access Azure Resource Manager APIs but not the old Service Management API.

How do I grant the Service Management delegated permission as in



Unable to change user UPN with federated domain


Hi all

The first data sync was not checked properly and some users are on the wrong domain in AD. This has now been changed, but it will not update using the AD sync tool from our AD to Azure. We have two federated domains that are working, but I need all users to be on the same domain. I have run the command below to change the UPN for a user, but I get a very useless error that I cannot track down. Can anyone point me in the right direction?

The command is run from the Azure PS prompt

Set-executionpolicy unrestricted
y

$LiveCred = Get-Credential

Connect-MsolService -Credential $LiveCred

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

PS C:\Windows\system32> Set-msoluserprincipalname -userprincipalname USer@domain1com -newuserprincipalname user@domain2.com
Set-msoluserprincipalname : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-msoluserprincipalname -userprincipalname user@domain1.com
-newuserprin ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolUserPrincipalName
   ], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.Inter
   nalServiceException,Microsoft.Online.Administration.Automation.SetUserPrin
  cipalName

I have tried different variations of this, all ending in the same error. I really don't want to delete the affected users and start again; this is the command from the MS KB so it should work.

Any ideas?

Thanks

Andrew


Andrew Watts MCSE MCP BSC SSC GSC

Authenticating SSRS with Azure Active Directory


Hi All ,

We are trying to implement SSO with the SSRS Reporting Service. We are using SQL Azure.

Per the SSRS DataSource configuration, I would like to show and configure the report as per the user who logged in. So ideally I would like to do the authentication using Azure Active Directory.

Can anyone help on this?

Thanks

Jay

Strange screen when users click "can't access your account" link


When our users click the "can't access your account" link to reset their password (screenshot below), they are presented with a weird and very unprofessional looking screen (screenshot and URL below).  Is this normal?  Why does it give you the password reset URL in plain text, why wouldn't it just automatically forward you to the appropriate page?  Something seems broken with this workflow.

https://passwordreset.microsoftonline.com/PasswordResetInstructionsPage.aspx?ru=https%3a%2f%2flogin.microsoftonline.com%2fcmdevapps.onmicrosoft.com%2freprocess%3fctx%3drQIIAY3QPU7DMBjGcbmBgS5USAysKFOlN7VjO7a7VQyICSRO8MYfNKKJoyZl4BiMHKELEhOqxB06IkYmjsBIO7OwPMN_-ukZHrKMZvk4YRmbpgxdSWkQoFUIIFAEMKqwYDBXubXSK8WXJ8PRxezm9gp_Ll_y91E5Zndrcj7v-7abTibYtpldxJWrveviYtVXsekyG-vJGyFbQr4JWQ9SKjDoghaguaAgOAbQaC04bWQhkQfKzOfg-Hq26uf5fuKyevRff8pTchpb31TOxqbxts8q18d73zwnqWWaOiYDOMMFCC0loEEOCrnXKKmVUrwmZ7Z2_mGH7rLY1JVdxi6Gfu_dJGnwQmkmGPCc7ZSFpYDoS9AiFFIZL4TyHwnZHpDN0T8O-AU1&mkt=en-US&x-client-Ver=1.0.2&username=jhoward%40app.cloudmedsolutions.com

When our application users click the 


- Jeff


ADFS Cert Install Fails


I am running the MS Azure Active Directory Connect tool. It goes through everything up until the SSL install during the configure phase.

Error
Install ADFS Certificate
[14:12:00.882] [ 15] [ERROR] The term 'Publish-SslCertificate' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I can't find anything on this. I have upgraded PowerShell already.

Upgrade from DirSync - Multiple Errors


Hello,

I attempted to upgrade my install of DirSync to AD Connect and received the following warning and error:

WARNING:  DirSync is configured with options that cannot be automatically upgraded to Azure AD Connect.

ERROR:  An error occurred while analyzing your current settings.  Services FIMSyncronizationService was not found on computer.

We have been running DirSync without any issues so I was anticipating a smooth upgrade.

Any thoughts or suggestions are appreciated.

Thank You

Authorization has been denied for this request in AAD


I am new to Azure Active Directory development. We have a few services which need to be accessed by a web application and by mobile devices (Cordova-based application).

  • For web application we are using ADAL JS.
  • For mobile application we are using Azure AD with an Apache Cordova app.

Issue

The authorization token generated with ADAL JS is authorized successfully by the web services and works as expected. But the token generated with Azure AD throws the respective

Authorization has been denied for this request

Workaround

We tried to get an access token using user credentials in C#. We were successful in acquiring an access token. Using that access token we tried to hit our services through Fiddler. Even then the same error was thrown as mentioned above: "Authorization has been denied for this request".

Code Samples

Cordova Code 

createContext: function () {
	// Create the ADAL context for the tenant authority, then request a token for resourceUrl.
	// authority, resourceUrl, clientID, redirectUrl and the pre()/mapp.log()/mapp.error()
	// helpers are defined elsewhere in the app.
	AuthenticationContext.createAsync(authority)
	.then(function (context) {
		mapp.authContext = context;
		mapp.log("Created authentication context for authority URL: " + context.authority);
		mapp.acquireToken();
	}, mapp.error);
},

acquireToken: function () {
	if (mapp.authContext == null) {
		mapp.error('Authentication context isn\'t created yet. Create context first');
		return;
	}
	// Try the token cache first; the success callback receives an AuthenticationResult
	// (the original logged it as a failure, which was misleading).
	mapp.authContext.acquireTokenSilentAsync(resourceUrl, clientID).then(function (authResult) {
		console.log("INSIDESILENT");
		mapp.log("Acquired token silently: " + pre(authResult));
		console.log("DATA:::: " + authResult.accessToken);
	}, function () {
		// No usable cached token: fall back to an interactive sign-in for the same resource
		mapp.authContext.acquireTokenAsync(resourceUrl, clientID, redirectUrl)
		.then(function (authResult) {
			mapp.log('Acquired token successfully: ' + pre(authResult));
			console.log("DATA:::" + authResult.accessToken);
			localStorage.setItem("SSOFlag", "true");
			angular.bootstrap(document, ['keurapp']);
			var userDetail = JSON.parse(localStorage.getItem("userDetails"));
		}, function (err) {
			mapp.error("Failed to acquire token: " + pre(err));
		});
	});
}

C# Code

using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static string GetAccessToken()
{
	// Tenant authority; ADAL validates it before requesting a token
	AuthenticationContext authenticationContext = new AuthenticationContext("https://login.microsoftonline.com/**tenantName**", true);
	// Resource owner password credentials: the user's password passes through this client
	UserCredential clientCred = new UserCredential("***USERID***", "***PASSWORD***");
	// The resource must be the App ID URI that the web API accepts as its audience
	AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resource: "***APP ID URI OF WEB APPLICATION***", clientId: "***CLIENT ID NATIVE APP***", userCredential: clientCred);
	return authenticationResult.AccessToken;
}

Service Samples

[EnableCors(origins: "*", headers: "*", methods: "*")]
[Authorize]
public class RepositoryController : ApiController
{
    //With Few methods
}

public void Configuration(IAppBuilder app)
{
    ConfigureOAuth(app);
    HttpConfiguration config = new HttpConfiguration();
    WebApiConfig.Register(config);
    app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
    app.UseWebApi(config);
}
Can anyone help us: are we missing something in publishing the services, or where exactly are we going wrong?
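A check worth running on the two tokens before suspecting the service: decode each bearer token's payload and compare its audience, issuer and expiry with what the Web API's bearer-token middleware is configured to accept. This is an added Python example, not code from the post; the expected audience and issuer, the tenant id and the sample tokens are constructed placeholders, and the signature is deliberately not verified here (it is a diagnostic read of a token you already hold, not validation).

```python
import base64
import json

# Constructed placeholders for what the Web API's bearer-token middleware is configured with.
# These are not values from the forum post; substitute the API's own App ID URI and tenant.
EXPECTED_AUD = "https://tenant.example/webapi"
EXPECTED_ISS = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked here:
    this is a diagnostic read of a token you already hold, not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token: str, expected_aud: str, expected_iss: str, now: int) -> list:
    """List why middleware configured for expected_aud/expected_iss would answer
    'Authorization has been denied'. An empty list means the common claim checks pass."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"audience mismatch: token aud={claims.get('aud')!r}, API expects {expected_aud!r}")
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, API expects {expected_iss!r}")
    if claims.get("exp") is None or claims["exp"] < now:
        problems.append("token expired or has no exp claim")
    return problems


def make_sample_token(payload: dict) -> str:
    """Build a constructed sample token for offline use. The third segment is a dummy
    placeholder, not a real signature, so this token would never pass real validation."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-sample"}
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed sample tokens mimicking the two cases in the post: one requested for the
# web API's App ID URI (as ADAL JS does), one requested for a different resource id.
NOW = 1455633588  # fixed timestamp (2016-02-16) so the example is deterministic
WEB_TOKEN = make_sample_token({"aud": EXPECTED_AUD, "iss": EXPECTED_ISS, "exp": NOW + 3600})
MOBILE_TOKEN = make_sample_token({"aud": "00000000-0000-0000-0000-00000000abcd",
                                  "iss": EXPECTED_ISS, "exp": NOW + 3600})

if __name__ == "__main__":
    for name, tok in (("web", WEB_TOKEN), ("mobile", MOBILE_TOKEN)):
        print(name, diagnose(tok, EXPECTED_AUD, EXPECTED_ISS, NOW) or "claims match")
```

Run it against the tokens captured from the ADAL JS and Cordova clients (paste them in place of the constructed ones); an "audience mismatch" line means the resource requested by the client is not the App ID URI the API validates.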

Join O 365 to the Azure


Hello,

We have the Azure subscription which Permits us to have full functionalities in Azure.

Now we have Office 365, but we are unable to use Azure because we do not have the Azure subscription with Office 365; we are asked to create the Office 365 Azure subscription to view the AD or use Azure.

Since we already have the Azure subscription, we wanted to transfer it to our Office 365 domain so we have everything together: Office 365 AD and Azure with one Azure subscription.

After the suggestion of the O365 community and the response to the ticket, we followed a tutorial. But we got stuck at this step:

6) Upon successful completion, you can click ‘Sign Out Now’ which will re-direct you to the Microsoft Portal Login Page. You now need to sign back in with your ‘Microsoft Account’ to administer your Windows Azure Subscription.  Once you have signed back, click on the ‘Active Directory’ node on the left hand side and ensure that you now see 2 Active Directories.

I can't see 2 ADs. I got the message that it is successful, but there are no 2 ADs. I tried with another user, and again the same result. The other AD is not present.

Please help

Thanks

Cheers

Unable to perform certain actions with AD applications on Azure Management Portal


Hi

I've got a user in Azure Active Directory with the role User Admin. Under this user, I am able to add/remove applications to/from AD through PowerShell using the New-AzureRmADApplication and New-AzureRmADServicePrincipal cmdlets etc.

However, I am not able to do the same on the Azure Management Portal. I can see a list of existing applications, including those created through PowerShell. I can also edit an application's properties on its CONFIGURE tab. But all buttons at the bottom except SAVE and DISCARD are disabled, that is:

  • ADD, VIEW ENDPOINTS, DELETE for the list of applications
  • VIEW ENDPOINTS, UPLOAD LOGO, MANAGE MANIFEST, DELETE for a specific app

What role should a user be assigned to be able to fully edit AD applications on the Management Portal? If that matters, the user is tied to a Microsoft account.

Why should a user need more privileges to do the same operations on the portal than through PowerShell? I see a bit of inconsistent behavior here.
