Channel: Azure Active Directory forum

AAD Connect Not Syncing Security Groups


Hello All,

Our Azure environment synced all groups the first time around perfectly. But now the sync is not syncing Security groups. I am new to Azure and need advice where I should start diving. I have tried to mail-enable the group, add/remove users from the group, forcing a sync and have had no luck.

Thanks in advance for your assistance.

Mike


Pointing Office365 at our current Azure subscription


Hi there,

I will try to explain the scenario...

We set up Azure some time ago and have two subscriptions, one for our main business (which has servers and services running on it), and another for a separate part of our business (which is much more secure and has servers, databases and apps running on it too). These were set up using a work-based Microsoft account ID.

We then started playing around with Office 365 using another account and got Non-Profit pricing, so bought licences and set it up with a few users.

We have Exchange 2013 on premises, and have a Federation Server and Federation Proxy set up on premises too.
We want to synch our AD to our main Azure Active Directory service, but also for Office 365 to be able to see thos

So, do we need to somehow combine the two accounts into one (the main Azure features + Office 365 on the same subscription), so both see the AD synced from our on-premises DC?

Or is there a way for Office 365 to be pointed at our main Azure AD, rather than the free Azure AD it creates with our current users in it, so that Office 365 can see our on-premises AD users in Azure AD?

Any help really appreciated, thanks :-)

Embed Login Window In WinForms App


Hello,

I have a legacy WinForms app that I would like to integrate with Azure AD. I can get it all working, but I was wondering if anyone knows of a way to embed the web page that pops up for the user to enter their credentials into Azure AD somehow into my application, so that the Azure AD login page appears inside of my WinForms form and not as a popup?

I'm using this sample as my template: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/

Thanks.

Enable directory feature Application Proxy not available


Hi

I'm trying to enable the Application Proxy feature for my Azure directory.

How to: https://azure.microsoft.com/da-dk/documentation/articles/active-directory-application-proxy-enable/ 

But the "Application Proxy" simply is not there? Is there some special prereq to make it available?


/Frederik Leed

Validate Sync of Attribute to Azure AD in Web Admin or PowerShell


From @Richard_gray via Twitter:

"just trying to validate sync of attribute "ipPhone" to Azure AD, but can't find it anywhere either in Web admin or powershell (tried get-msoluser and get-mailbox but attribute not listed)."

Provided documents: aka.ms/d967012,aka.ms/d9670121, aka.ms/d9670122

"I'm happy from these and what I can see that the attribute is actually synchronising which is great. The only thing is I need to show someone the attribute in Azure (via web admin, powershell, or some other way?)"

Thanks,

@AzureSupport

Connect-msolService login error 0x80048821 - The user name or password is incorrect


I'm attempting to add a certificate into Azure Active Directory using New-MsolServicePrincipalCredential.  This is for the purposes of authenticating Azure VMs into Key Vault via an AAD App in order to encrypt the drives using BitLocker.

Whenever I attempt to log in using Connect-MsolService I get the below error message:

connect-msolservice : The user name or password is incorrect. Verify your user name, and then type your password again.
At line:1 char:1
+ connect-msolservice
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : 0x80048821,Microsoft.Online.Administration.Automation.ConnectMsolService

The user I'm attempting to log in with is the Service Administrator on the Subscription, and Global Admin of the Directory, so I'm a little confused as to why I'm getting the error and/or which account I should be logging in with?  I've tried a number of different options, all without success.

This is a Microsoft Account (i.e. not an external, federated account) and Two Factor Authentication is NOT enabled.  I also have the Sign On Assistant installed on my device.  I can log into the Azure portal using this account, so the password is known and correct, and the account isn't locked.

Late last night I was able to log in by manually creating a new user directly within AAD via the Management Portal, but I don't see that as a real solution as it breaks my ability to automate the whole process, which I'm certain I should be able to do as others seem capable if you read their blogs.

Thanks in advance,

 Andy

Assigning EMS seats gives error


From Jesus De Los Santos @santitoos via Twitter

Trying to assign EMS seats I get message: It failed to allocate license plan 'Enterprise Mobility Suite' to UserName.undefined

https://twitter.com/santitoos/status/700863018884685824


Thanks,

@AzureSupport


Azure AD Connect Upgrade


I just upgraded Azure AD Connect to the newest version (Feb 2016). After the upgrade, when I try to open the tool I get an error: "Index was outside the bounds of the array". In the log file, we get: "Caught an exception while creating the initial page set on the root page". Is anyone else seeing this?

Azure B2C AD - Native application


I'm using the sample code at https://github.com/AzureADQuickStarts/B2C-NativeClient-DotNet and I have a problem getting a valid token...

The user dialog displays for sign in and I enter my password and click ok.

I always get an error of "authentication_ui_failed" with the message

The browser based authentication dialog failed to complete. Reason: The protocol is not known and no pluggable protocols have been entered that match.

You are not supporting this stuff very well: there is no clear indication of where problems should be reported, questions go unanswered for months, and there are no clear guidelines on the roadmap/timelines.


Paul

Azure Domain Services & Office 365


Hello all,

I am wanting to build a new Azure Domain services environment using my primary domain name which is already in use by Office 365, but I am finding this not as easy as I would like it to be without starting completely from scratch with O365.

The Azure AD in O365 is obviously locked down so it cannot be used for this purpose, but when I create a new one I am struggling to work out how I can get them both to be in sync. I am guessing the only way to do this is to use Azure AD Connect, but how can I do this when I do not have any servers or virtual machines?

My intention is just so I can domain-join my client PCs and use O365 in the background.

Is there an easy way that I am missing? There does not seem to be much written about this on the web so far in relation to users with existing O365 subscriptions.

The key in all this is for all users to log in using their email addresses/UPN and for this to be in Azure Domain services, with passwords synced to Office 365 if they cannot use the same Azure AD database.

Many thanks in advance

ADFS Cert Install Fails


I am running the MS Azure Active Directory Connect tool. It goes through everything up until the SSL install during the configure phase.

Error
Install ADFS Certificate
[14:12:00.882] [ 15] [ERROR] The term 'Publish-SslCertificate' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I can't find anything on this. I have upgraded PowerShell already.

Cannot turn on Sync Settings on Azure joined PC


Hi,

I'm using 1511, build 10586.36. I just joined Azure AD and logged in with an account from Azure. I previously had a domain account linked to my Microsoft account. Now I can't turn on Sync Settings. When I turn it on, it seems fine, but when I leave the page and return, it is off.

I am not sure what to do.

P.S. I tried adding the account in the Calendar app; it said there was already such an account. I checked the privacy settings also.

P.P.S. Additionally, Edge reports that "Some Windows features are only available if you are using a Microsoft account or a work account". My account IS a work account.


Welcome to the zone where normal things don't happen very often

Guidance: Verifying/Trusted Certificates for Azure Active Directory Application


Hello Community,

I am learning Azure Key Vault, and am in the middle of exploring the use of certificates that are uploaded to Azure Active Directory applications.

My question is this: it appears that I can upload any self-signed certificate to my application, but during the authentication process, it seems as if the certificate is never verified on the server-side if it is trusted and valid.

Is my understanding of this accurate?  Is there a way to verify the certificate and ensure that it is valid and trusted?  Otherwise, this does seem like a security issue (if I understand this correctly, of course).

In the "keyCredentials" of the application manifest, I do see that there is a "usage" of "verify" ... it would be nice to know more about this and if this plays a role.

Thank you for any clarification/assistance,

Michael

Azure Ad Connect - protection against Brute Force Attack?


We have an Azure AD Connect server set up just as a test scenario currently. It's occurred to us that, as the relationship is one-way and our passwords are being passed up to the web, what protection do we have against brute force attacks? Does the logon page itself have a logout? What if the user installed Lync 2013 and then used brute force to log in that way?

I'm guessing we probably need ADFS

WCF Data Service protected by Azure AD


I have hosted a simple data service in an azure web app, and am trying to connect to it from a simple windows console app.

My code successfully reads from the data service when there is no authentication. When I add Azure AD authentication, the code successfully acquires a security token. I then add this token to the request header (based on an example for connecting to Microsoft graph service), as shown in the code, but the request fails with "you do not have permission". The credentials are valid as they work when I connect to the service from a browser.

Am I doing something wrong in the way I am adding the request to the header?

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using SDSTest.PoseidonDataService;
using SFCT;
using SFCT.Credentials;
using System.Data.Services.Client;
using System.Net.Http.Headers;

namespace SDSTest
{
    class Program
    {
        private static AuthenticationContext authContext = null;

        private static AuthenticationResult result = null;

        static void Main(string[] args)
        {
            // Initialize the AuthenticationContext for the AAD tenant of choice.
            // Add a persistent file-based token cache.
            authContext = new AuthenticationContext(AzureADLibrary.aadAuthority, new AzureFileCache());

            //string dsPath = ((Uri)DataServiceLib.GetServiceUri(false, DataServiceLib.PoseidonDataServicePath)).AbsoluteUri;

            // Resource identifier requested from ADAL; it becomes the audience of the issued token.
            string dsPath = "https://sfctdataservice.azurewebsites.net/PoseidonDataService.svc";

            #region Obtain token

            // first, try to get a token silently
            try
            {
                result = authContext.AcquireTokenSilent(dsPath, DataServiceLib.ToucanIndexingLibraryClientID);
            }
            catch (AdalException ex)
            {
                // There is no token in the cache; prompt the user to sign-in.
                if (ex.ErrorCode == "failed_to_acquire_token_silently")
                {
                    UserCredential uc = new UserCredential("dnm@sfct.org.uk", "xxxxxxxxx");

                    try
                    {
                        result = authContext.AcquireToken(dsPath, DataServiceLib.ToucanIndexingLibraryClientID, uc);
                    }
                    catch (Exception ee)
                    {
                        ShowError(ee);
                        return;
                    }
                }
                else
                {
                    // An unexpected error occurred.
                    ShowError(ex);
                    return;
                }
            }

            DataServiceCollection<vw_PDS_Security> dsSecurity;

            Uri pdsUri = new Uri("https://sfctdataservice.azurewebsites.net/PoseidonDataService.svc");

            PoseidonEntities pContext = new PoseidonEntities(pdsUri);

            // Hook every outgoing OData request so the bearer token is attached.
            pContext.SendingRequest2 += PContext_SendingRequest2;

            dsSecurity = new DataServiceCollection<vw_PDS_Security>(pContext);

            var dsQuery = from dr in pContext.vw_PDS_Security
                          select dr;

            try
            {
                dsSecurity.Load(dsQuery);

                Console.WriteLine("Successfully read from data service: " + dsSecurity[0].UserName);
            }
            catch (Exception ex)
            {
                ShowError(ex);  // exception "You do not have permission to view this directory or page."
            }

            #endregion
        }

        private static void PContext_SendingRequest2(object sender, SendingRequest2EventArgs e)
        {
            // Add the AAD access token as an OAuth 2.0 Bearer token on the request.
            AuthenticationHeaderValue header = new AuthenticationHeaderValue("Bearer", result.AccessToken);

            e.RequestMessage.SetHeader("Authorization", header.ToString());
        }

        // Not included in the original post; minimal error reporting so the program compiles as shown.
        private static void ShowError(Exception ex)
        {
            Console.WriteLine("Error: " + ex.Message);
            if (ex.InnerException != null)
            {
                Console.WriteLine("Inner exception: " + ex.InnerException.Message);
            }
        }
    }
}
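When a bearer token is acquired successfully but the API still answers "you do not have permission", one of the first things to check is whether the token's audience (aud claim) and validity window match what the data service expects. The following is an added diagnostic example, not code from the original post; it assumes the access token ADAL returns is a compact JWT, and it constructs its own sample token with a dummy signature so it runs offline.

```python
"""Inspect an Azure AD bearer token's claims before attaching it to a request.

Added example (not code from the original post). Assumes the access token
ADAL returns is a compact JWT. The signature is deliberately NOT verified,
so this is a diagnostic aid only, never an authorization check.
"""
import base64
import json
import time
from typing import List, Optional

# Resource string passed to AcquireToken in the post above.
RESOURCE = "https://sfctdataservice.azurewebsites.net/PoseidonDataService.svc"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore '=' padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token: expected 3 segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_resource(token: str, expected_aud: str,
                             now: Optional[int] = None) -> List[str]:
    """Return the problems found; an empty list means the token looks usable."""
    claims = decode_jwt_claims(token)
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        problems.append("aud %r does not match resource %r" % (aud, expected_aud))
    if "nbf" in claims and claims["nbf"] > now:
        problems.append("token is not yet valid (nbf in the future)")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(aud: str, exp: int) -> str:
    """Constructed sample token with a dummy signature, for offline testing only."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    claims = {"aud": aud, "appid": "<client-id-placeholder>",
              "nbf": exp - 3600, "exp": exp}
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".dummysignature"


if __name__ == "__main__":
    token = make_sample_token(RESOURCE, int(time.time()) + 1800)
    print(check_token_for_resource(token, RESOURCE))  # []
```

Paste the real AccessToken string from AuthenticationResult into check_token_for_resource to see which claim, if any, disagrees with the resource the service validates.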


Authorize an AAD Service Principal for the Service Management API


Hi,

I am trying to create a service principal that can access Azure Resource Manager APIs and Azure Service Management REST APIs using OAuth. I followed the guide at https://github.com/Azure/azure-content/blob/master/articles/resource-group-authenticate-service-principal.md to create such a service principal. However, the created service principal can only access Azure Resource Manager APIs but not the old Service Management API.

How do I grant the Service Management delegated permission as in



Azure Active Directory Domain Service - how to join to AAD DS domain?


I've followed instructions at https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-getting-started-vnet/ to set up AAD DS. AAD DS domain name is MyAADDomainName.onmicrosoft.com

I've created a new AAD user account (to generate a new password hash) and added this new account to the 'AAD DC Administrators' group. I can log on using this new user account and password to http://myapps.microsoft.com. So far so good.

User name inherits default AAD suffix and looks like: NewAADDSAdminUser@MyDefaultDomainName.onmicrosoft.com

Note that the domain name in the user's name and the AAD DS domain name do not match each other, and this is probably where things go wrong. There is no option available to create a new user with the MyAADDomainName.onmicrosoft.com suffix.

Now I want to join my newly created W2k12R2 VM to the domain. The VM gets DNSs correctly and can resolve AAD Domain name (MyAADDomainName.onmicrosoft.com). But the next step fails when I provide user account with a privilege to join a computer to the domain.

I've tried both names but keep getting an error (see below). What am I doing wrong?

NewAADDSAdminUser@MyDefaultDomainName.onmicrosoft.com 

and

NewAADDSAdminUser@MyAADDomainName.onmicrosoft.com

Computer Name/Domain Changes

The following error occurred attempting to join the domain "Azcontoso.onmicrosoft.com":

The user name or password is incorrect.


Azure AD App with delegated permission authentication error !!


We have two Azure AD apps, one for authenticating users in a web app, let's call it AdApp1. That app has a delegated permission to another AD app, let's call it AdApp2, which secures a back-end API. Both apps are multi-tenant; the AdApp2 manifest key [knownClientApplications] is configured to include the AdApp1 client ID.

The AdApp1 and AdApp2 manifest key [oauth2AllowImplicitFlow] was set to true. Both apps are in a B2B tenant [AD directory].

The issue is that when a user authenticates in the web app using AdApp1, we get the following error. Is there any other configuration we are missing?

Error:

AADSTS65005: The application needs access to a service that your organization has not subscribed to. Please contact your Administrator to review the configuration of your service subscriptions.

Azure AD multi-factor authentication on-premises server and OWA


I have installed MFA in my environment and connected it with OWA. It's working fine with all of the methods except one-way OTP and OTP+PIN: the required field on the website does not show up. What could cause that?

regards,
Omar Nahhas

How to assign a group access to the "Application developed by my Organization" for SSO?


Hi,

In Azure Active Directory, I have configured an application "Developed by my organization" for Single Sign-On.

But only assigned users can log in to the application. I want to configure it for a 'Group' so that the set of users who belong to that group can access the application.

Please provide your valuable solution.

Regards-

Kirti
