Channel: Azure Active Directory forum
Viewing all 16000 articles
Browse latest View live

OpenIDConnect, Owin fails to populate the data in (System.Security.Principal.WindowsIdentity) after successful signin against Azure AD


Hi,

I have used OpenIdConnect for Azure AD authentication.

My application is multitenant. I have used Azure AD for Application authentication.

App_Start.cs

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions { });
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // ...other fields...
    });

On successful signin, after the application is built and started, it works fine. ClaimsPrincipal is properly populated with the data sent by Azure AD.

It terribly fails to populate when the same application is run in a different browser. App_Start gets the claims sent by Azure AD.
But Owin fails to populate the System.Security.Principal.WindowsIdentity when control goes to the Home/Index controller.

AuthorizationCodeReceived = (context) =>
{
    // ...
}

Kindly suggest.

Thanks in advance,
Rahul



rahul mohan



How to read and write extensionAttributeXX

What are the options for setting and getting extension attributes on user objects? According to some older forum posts, PowerShell cannot be used. I did not see any options to view or set these attributes in the management portal. Can the REST API be used? What other APIs?

AADConnect Index was outside the bounds of the array. IndexOutOfRangeException


Got this message when updating the AADConnect tool to the latest version released on the 18th February.

Log File generated.

AADConnect doesn't start up

Thanks for any help given

[16:29:20.657] [  1] [INFO ]
[16:29:20.673] [  1] [INFO ] ================================================================================
[16:29:20.673] [  1] [INFO ] Application starting
[16:29:20.673] [  1] [INFO ] ================================================================================
[16:29:20.673] [  1] [INFO ] Start Time (Local): Mon, 22 Feb 2016 16:29:20 GMT
[16:29:20.673] [  1] [INFO ] Start Time (UTC): Mon, 22 Feb 2016 16:29:20 GMT
[16:29:20.673] [  1] [INFO ] Application Version: 1.1.105.0
[16:29:20.673] [  1] [INFO ] Application Build Date: 2016-02-11 17:14:01Z
[16:29:20.673] [  1] [INFO ] Application Build Identifier: AD-IAM-HybridSync master (8192459)
[16:29:22.926] [  1] [INFO ] App Properties/Metrics:
[16:29:22.926] [  1] [INFO ]    Runtime.Start=2016-02-22T16:29:20+00:00
[16:29:22.926] [  1] [INFO ]    Application.Version=1.1.0.0-1455210841
[16:29:22.926] [  1] [INFO ]    Application.IsDebugBuild=False
[16:29:22.926] [  1] [INFO ]    Environment.OperatingSystem.VersionString=Microsoft Windows NT 6.2.9200.0
[16:29:22.926] [  1] [INFO ]    Environment.OperatingSystem.Platform=Win32NT
[16:29:22.926] [  1] [INFO ]    Environment.OperatingSystem.ServicePack=
[16:29:22.926] [  1] [INFO ]    Environment.OperatingSystem.ProductType=Server
[16:29:22.926] [  1] [INFO ]    Environment.OperatingSystem.Sku=8
[16:29:22.926] [  1] [INFO ]    Environment.OperatingSystem.Language=0409
[16:29:22.926] [  1] [INFO ]    Environment.Computer.Make=microsoft corporation
[16:29:22.926] [  1] [INFO ]    Environment.Computer.Model=virtual machine
[16:29:22.926] [  1] [INFO ]    Environment.OperatingSystem.IsDomainJoined=True
[16:29:22.926] [  1] [INFO ]    Runtime.EncodedPageNavigationBytes=
[16:29:22.941] [ 11] [INFO ] Starting Telemetry Send
[16:29:23.082] [  1] [INFO ] Acquired sync config changes mutex: True
[16:29:23.129] [  1] [INFO ] RootPageViewModel.GetInitialPages: Beginning detection for creating initial pages.
[16:29:23.207] [  1] [INFO ] Found existing persisted state context.
[16:29:23.238] [  1] [ERROR] Caught an exception while creating the initial page set on the root page.
Exception Data (Raw): System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at Microsoft.Online.Deployment.Types.Utility.AdDomainInfoEncoder.ConvertBack(Object value, Type targetType, Object parameter, CultureInfo culture)
   at Microsoft.Online.Deployment.Types.PersistedState.PersistedStateElement.ToContext(PersistedStateContainer state, PropertyInfo propertyInfo, PersistedElementAttribute attr, Object& value)
   at Microsoft.Online.Deployment.Types.Context.LocalContextBase.LoadFromState(PersistedStateContainer state, IPowerShell powerShell)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.RootPageViewModel.GetInitialPagesCore()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.RootPageViewModel.GetInitialPages()
[16:30:27.121] [  1] [INFO ] Opened log file at path C:\Users\Administrator\AppData\Local\AADConnect\trace-20160222-162920.log


RCIT

DirSync in Parallel Migration


Hello Team,

I need someone to validate, at a high level, my plan for migrating off the legacy DirSync server without password sync to the latest Azure AD Connect with password sync (approximately 200k objects).

1. Export configuration file from DirSync Server

2. Install AADConnect server and import config

3. Run in staging mode and look for errors

4. Address and resolve errors and issues

5. Shut down and turn off DirSync Server

6. Take AADConnect server out of staging mode

Roll back plan

1. Shutdown AADConnect server

2. Turn on DirSync Server

Thoughts?

Thanks!!


Chau

Missing Azure AD domains


I am not able to see all of the Azure AD domains that have been created under our subscription... Subscription id:  e37ed469-d975-4339-ac1c-28f7f24cc934

The user who created the Azure AD domains can see them, but I cannot.  I am a full administrator of the subscription, so I should be able to see/manage these domains.  My username for logging into this subscription is: jstickley@h-outcomes.com

Thanks.

miisclient missing?


After our upgrade to AAD, the miisclient is gone. It was removed when DirSync was uninstalled, apparently. Doing some research, there are plenty of articles referencing utilization of the miisclient in AAD. Is it supposed to be there still? How do I get it installed at this point?

Thanks in advance!!

ASSPR Not working using AADSYNC in a child domain.


I am using the following reference to configure Azure Self Service for Passwords: https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords-getting-started/#step-4-set-up-the-appropriate-active-directory-permissions
I am running AADSYNC v1.0.494.501 within a child domain "internal.consultme.com". However, we are not seeing the successful registration or service changes. Am I missing something else?

Domain. Consultme.com

Child: internal.consultme.com

Currently password sync from on-prem / ADFS is all working; it's just that I am unable to ensure this function works.

Staging installation Error- Value Cannot be null. Parameter name:value


Hello Azure AD forums. I'm in the process of trying to do a staged migration from DirSync. I've exported my DirSync configuration file, copied it to my Azure AD Connect server and ran the executable as admin with the /migrate option. After putting in credentials for MSOL and an Enterprise Admin account it runs through the setup, creating the SQL Express databases, and then begins to process the rest of the jobs. After the task 'Single Forest Dir Sync PWD Sync Root Task' finishes execution I get the lovely error "Value cannot be null. Parameter name: value". Below is the setup log file. I would love some ideas on where to go from here. The Sync Service appears to start according to the event viewer, but I can't open up the Sync application.

I am currently using the latest version of the Azure AD Connect MSI (1.1.105.0). I'm looking for an older download to maybe give it a try and see if it's just a bug in this release, but I haven't been able to find one yet.

Below is the tail end of my log file for the portion where it fails. Has anyone seen this, or have any ideas how we can fix it?

Thanks!


[12:52:43.606] [ 20] [VERB ] Cleanup: Starting cleanup for task 'Deploy AAD Sync'
[12:52:43.606] [ 20] [VERB ] Task 'Deploy AAD Sync': No cleanup defined
[12:52:43.606] [ 20] [VERB ] Marking task 'Deploy AAD Health Agent' as Skipped
[12:52:43.606] [ 20] [VERB ] Marking task 'Configure Auto Upgrade Version' as Skipped
[12:52:43.607] [ 20] [VERB ] Rolling back task Check Installed Components
[12:52:43.607] [ 20] [VERB ] Task 'Check Installed Components': No rollback defined
[12:52:43.607] [ 20] [INFO ] Task 'Single Forest Dir Sync Pwd Sync Root Task' has finished execution
[12:52:43.646] [ 10] [ERROR] Value cannot be null.
Parameter name: value
Exception Data (Raw): System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at System.String.IndexOf(String value, Int32 startIndex, Int32 count, StringComparison comparisonType)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.<>c__DisplayClass1a.<GetLowestPrecedenceRuleMatchingImmutableTag>b__15(SynchronizationRule r)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.GetLowestPrecedenceRuleMatchingImmutableTag(String immutableTag)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.SetRulePrecedence(SynchronizationRule rule)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.SetRulePrecedences(IEnumerable`1 desiredRules)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRuleUpgradeEngine.PersistSyncRulesForConnector(Guid connectorIdentifier, IEnumerable`1 desiredSyncRules, String pathToLogFiles, Dictionary`2 precedenceImmutableTagMappings)
   at Microsoft.Online.Deployment.Types.Providers.TemplateEngineProvider.PersistSynchronizationRules(Guid connectorID, List`1 synchronizationRules)
   at Microsoft.Online.Deployment.Types.Configuration.Utility.ConnectorUtility`1.UpdateConnector(IAdSyncConfigExecutionContext`1 executionContext, ConfigurationItem configChange, ConnectorAdapterBase connectorAdapter, IAadSyncContext syncContext, Boolean isNewConnector, Boolean forceUpdateSchema, IAadSyncConfigurationResults& results, List`1 attributeExclusions, ConnectorSpecificPolicy connectorPolicy, Boolean retryOnFailure)
   at Microsoft.Online.Deployment.Types.Configuration.AdConnectorConfigurationItem.Execute[TContext](IAdSyncConfigExecutionContext`1 executionContext, IAadSyncConfigurationResults& results)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.ConfigureSyncEngine(TContext context)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
[12:52:43.652] [ 10] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[12:52:43.715] [ 14] [INFO ] Starting Telemetry Send







Disable azure portal login


Azure AD Free subscription was enabled for an O365 tenant space, but this also enabled access for all O365 users to portal.azure.com as well.

I need to disable login access for all users to portal.azure.com, but keep access to our O365 tenant space. Obviously, setting the account to 'block' sign in disables access to both resources.

What can be done to turn off the Azure portal login access to all end users?

Domain Join Device Registration Task error


I configured our Azure AD (Premium) for device registration for domain-joined computers per this article:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/

I have the latest AD Connect, Azure configured for "All" for device registration, and have set the GPO, which curiously RSOP on my local machine shows as:

"Computer>Admin templates>Windows Components>Device Registration" versus the policy that is set at "Computer>Admin Templates>Windows Components>Workplace Join".

However my Windows 10 1511 device shows the following error when the Workplace Join schedule task executes:

Task Scheduler successfully completed task "\Microsoft\Windows\Workplace Join\Automatic-Device-Join" , instance "{5ac8bea7-238b-43b9-9b07-08ea8198a5db}" , action "%SystemRoot%\System32\dsregcmd.exe" with return code 2147942401.

Anyone have any idea where else to look to troubleshoot?

Thanks!

Unable to remove a license plan with Azure Graph API


For quite a while the code below would work to remove a license plan from a user.

AssignedLicense AddLicense = new AssignedLicense { SkuId = null };

IList<AssignedLicense> licensesToAdd = new[] { AddLicense };
IList<Guid> licensesToRemove = new Guid[] { (Guid)sku.SkuId };

...code...

retrievedUser.AssignLicenseAsync(licensesToAdd, licensesToRemove).Wait();

Now this is throwing an exception:

"Invalid value specified for property 'skuId' of resource 'AssignedLicense'"

If I populate the licensesToAdd with a valid SKU ID it will swap the license plan just fine. My issue is I need to be able to purely remove the service plan as well.

Refresh token issue


I am using the 'Convergence' branch for ADALiOS authentication in my Swift project. Firstly, whenever I am using the pod for this branch it is not able to recognise any of the ADAL classes. So I copied all the files and added them manually into my project. That had some issues as well, but then I solved it because after a whole lot of study I got to know that there was some issue with my provisioning profile only, which I solved later on.

Now back to the question again. Inside the support file I have added a plist where all the authority, client id, redirect uri etc. info is saved. In addition to this I have added an entitlement file with the following content:

$(AppIdentifierPrefix)com.microsoft.adalcache

Following is the code which I am writing to get the access token before making any service call. As soon as my app starts, before making the first web service call it asks for credentials, and then inside my output log I am getting the following error:

ADALiOS [2015-12-17 09:50:08 - 1EC5EEC5-1205-4256-AC15-6051743A49A4] ERROR: Error raised: 11. Additional Information: Domain: ADAuthenticationErrorDomain ProtocolCode: -25243 Details: ADAL Keychain "__51-[ADKeychainTokenCacheStore addOrUpdateItem:error:]_block_invoke" operation failed with error code -25243.. ErrorCode: 11.

This clearly indicates that ADAL is not able to store my token cache inside my keychain. Because of the above error it is not able to get a new access token using the refresh token; hence, the login page is opening before each service call. Although there I don't need to enter my credentials, the screen comes up again and again.

So I got this answer and I solved it using the one below:

I was also unable to run on device with either "Keychain Sharing Entitlements" turned on, OR the following code (as recommended above, replacing bundle with my apps bundle ID):
[[ADAuthenticationSettings sharedInstance] setSharedCacheKeychainGroup:@"<your.bundle.id.here>"];

The only thing that worked was to set the keychain group to "nil" (my code in Swift):
ADAuthenticationSettings.sharedInstance().sharedCacheKeychainGroup = nil

After all this struggle, as soon as my token expires the ADAL classes are not able to get a new access token from the refresh token.

The following error is what I am getting in my logs:

ADALiOS [2016-01-13 17:03:28 - EFB5A99A-A21E-48B9-8468-26116DBCDAED] ERROR: Error raised: 7. Additional Information: Domain: ADAuthenticationErrorDomain ProtocolCode: invalid_request Details: AADSTS50091: Passed query string length exceeds supported limit. encodedRequest="[long encoded request omitted]"

Trace ID: 8df08fb0-44eb-4d69-bccd-47cc0f8077d3

Correlation ID: efb5a99a-a21e-48b9-8468-26116dbcdaed

Timestamp: 2016-01-13 17:03:27Z. ErrorCode: 7.

Error installing Azure Active Directory Connect in Parallel deployment


I am trying to replace my old DirSync server with a new server running Azure Active Directory Connect. I exported the config from DirSync, but when I try to install Azure Active Directory Connect I get the following error:

Configure AAD Sync

An error occurred executing Configure AAD Sync task: user_realm_discovery_failed: User realm discovery failed

I see the following in the log:

[14:12:13.687] [ 34] [ERROR] user_realm_discovery_failed: User realm discovery failed
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: user_realm_discovery_failed: User realm discovery failed ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: user_realm_discovery_failed: User realm discovery failed
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.ValidateConfigurationParameters(Connector connector)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateConnector(Connector connector, Boolean validate)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncConnectorCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.AddConnector(Connector connector)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnectorCore()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnector(IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.CreateConnectorWithRetry(ConnectorAdapterBase connectorAdapter, IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Configuration.Utility.ConnectorUtility`1.UpdateConnector(IAdSyncConfigExecutionContext`1 executionContext, ConfigurationItem configChange, ConnectorAdapterBase connectorAdapter, IAadSyncContext syncContext, Boolean isNewConnector, Boolean forceUpdateSchema, IAadSyncConfigurationResults& results, List`1 attributeExclusions, ConnectorSpecificPolicy connectorPolicy, Boolean retryOnFailure)
   at Microsoft.Online.Deployment.Types.Configuration.AadConnectorConfigurationItem.Execute[TContext](IAdSyncConfigExecutionContext`1 executionContext, IAadSyncConfigurationResults& results)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.ConfigureSyncEngine(TContext context)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
[14:12:13.691] [ 34] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[14:12:13.693] [  6] [INFO ] Starting Telemetry Send

Anyone know how to resolve this? Thanks
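The three wizard traces quoted on this page (the IndexOutOfRangeException, the ArgumentNullException from the sync rule precedence engine, and the user_realm_discovery_failed error above) all share the same layout: a "[HH:MM:SS.mmm] [thread] [LEVEL] message" header, followed by header-less continuation lines carrying the exception chain and stack frames. The following is an added triage helper, not code from the forum posts or from Microsoft's tooling: it groups each header with its continuation lines, pulls the innermost exception out of the "Outer ---> Inner" chain, reports the first non-System stack frame, and lists the stages that ended in AADConnectResult.Status=Failed. The sample trace is constructed, abridged from the posts above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Layout seen in the wizard traces: [HH:MM:SS.mmm] [thread] [LEVEL] message,
# with "Exception Data (Raw): ..." and "   at ..." frames on the following lines.
HEADER_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2}\.\d{3})\] \[\s*(\d+)\] \[(\w+)\s*\] ?(.*)$")
EXC_PREFIX = "Exception Data (Raw): "
# "Outer: msg ---> Inner: msg" chains; the last pair is the root cause.
CHAIN_RE = re.compile(r"([\w.`]+Exception): (.*?)(?= ---> |$)")
FRAME_RE = re.compile(r"^\s+at ([^\s(]+)\(")


@dataclass
class LogRecord:
    time: str
    thread: int
    level: str
    message: str
    continuation: List[str] = field(default_factory=list)  # header-less lines that follow

    def exception_chain(self) -> List[Tuple[str, str]]:
        """(type, message) pairs, outermost first, from the Exception Data line."""
        for line in self.continuation:
            if line.startswith(EXC_PREFIX):
                return CHAIN_RE.findall(line[len(EXC_PREFIX):])
        return []

    def root_cause(self) -> Optional[Tuple[str, str]]:
        chain = self.exception_chain()
        return chain[-1] if chain else None

    def top_frame(self, skip_system: bool = True) -> Optional[str]:
        """First stack frame, preferring product code over System.* frames."""
        frames = [m.group(1) for m in map(FRAME_RE.match, self.continuation) if m]
        if skip_system:
            frames = [f for f in frames if not f.startswith("System.")] or frames
        return frames[0] if frames else None


def parse_trace(text: str) -> List[LogRecord]:
    """Group each header line with the continuation lines that belong to it."""
    records: List[LogRecord] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            time, thread, level, message = m.groups()
            records.append(LogRecord(time, int(thread), level, message))
        elif records:
            records[-1].continuation.append(raw)
    return records


def summarize_errors(text: str) -> List[Dict[str, Optional[str]]]:
    """One entry per ERROR record: time, root-cause exception and first product frame."""
    summary = []
    for rec in parse_trace(text):
        if rec.level != "ERROR":
            continue
        cause = rec.root_cause()
        summary.append({"time": rec.time, "message": rec.message,
                        "exception": cause[0] if cause else None,
                        "detail": cause[1] if cause else None,
                        "frame": rec.top_frame()})
    return summary


def failed_stages(text: str) -> List[str]:
    """Stage names whose record ends in AADConnectResult.Status=Failed."""
    return [rec.message.split(":")[0] for rec in parse_trace(text)
            if rec.message.endswith("AADConnectResult.Status=Failed")]


# Constructed sample, abridged from the traces quoted in the posts above.
SAMPLE_TRACE = """\
[14:12:13.600] [ 34] [INFO ] Task 'Configure AAD Sync' started
[14:12:13.687] [ 34] [ERROR] user_realm_discovery_failed: User realm discovery failed
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: user_realm_discovery_failed: User realm discovery failed ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: user_realm_discovery_failed: User realm discovery failed
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.ValidateConfigurationParameters(Connector connector)
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
[14:12:13.691] [ 34] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[14:12:20.646] [ 10] [ERROR] Value cannot be null.
Parameter name: value
Exception Data (Raw): System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at System.String.IndexOf(String value, Int32 startIndex, Int32 count, StringComparison comparisonType)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.GetLowestPrecedenceRuleMatchingImmutableTag(String immutableTag)
[14:12:20.652] [ 14] [INFO ] Starting Telemetry Send
"""
```

Run `summarize_errors(open(path).read())` against a real trace-*.log from %LocalAppData%\AADConnect to get one line per ERROR with its innermost exception and the first product frame, which is usually enough to tell a configuration problem (validation exception in MMSWebService) from a tool bug (ArgumentNullException inside the precedence engine).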

Assign App from Gallery/Custom App through PowerShell/API


Hi,

Is there an API to assign a single user to an app from the Azure Active Directory Gallery? Or is the only way to purchase AAD Premium, assign a group to the app and then add members to the group using the API?

Thanks for any help

Pirmin

AAD sync schedule


https://community.office365.com/en-us/f/613/p/432511/1094831

Hi, above is a link to the Office 365 forum. Apparently the new version doesn't have sync intervals or anything in Windows Task Scheduler.

Is it possible for someone to guide me on how to use PowerShell to fix this? I am able to log in to the tenant, I believe, but unable to run any schedule commands.

Thanks!

Vincent


Windows 10 Settings Sync on AAD joined PCs? Tales of logins but no sync


We're seeing this on all PCs joined during the OOBE when setting up Windows 10. You set up the machine, log in with the domain/AAD account, set up the PIN, set up Office 365, and log in about a gazillion times with the same credentials.

When you go to the Accounts - Sync Settings you can't turn it on. We'd like to be able to have users sync settings with their AAD account. But even if you add an MSA account, sync settings is disabled. So you can't get any settings already set up and have to go through a tedious manual process for every box. Plus all their apps need setup because no sync.

Is there something that needs to be turned on to allow this, or at least allow MSA settings to sync? We're trying to move all the way to Windows 10, but a lot of this doesn't seem finished yet...

Oh, and on the logins issue--there is a lot of work to do here. You put in the credentials over and over and over and over. It seems like there should be a master login (AAD) and then feed those credentials for everything in that user session. Then if they add an MSA, just use that popup to pick which to use (but not log in over and over).

Office apps, Office web, Intune, local Win32 apps, Windows Store (for business), etc. At least use the biometrics or PIN rather than full on login. Even logging into one app goes like this

Windows: LOGIN
Me: emailaddress...tab...
WINDOWS: STOP! Microsoft Account or Work/School Account?
ME: work...
WINDOWS: STOP! let me clear what you already typed and make you retype username and password.
ME: ugh...username...password
OFFICE: STOP! do you accept the agreement?
ME: yes...
OFFICE: you need to ACTIVATE, close and reopen
Me: okay....closing and reopening, oops! I picked Word mobile instead of...
WORD MOBILE: STOP! You need to login to edit files
Me: okay....username....
WORD MOBILE: STOP! Microsoft Account or Work/School?

By now Skype for Business has started up, sitting there with a taunting 'I dare you' to log in. Oh and OneDrive for Business needs you to go login to the web and sync, and the store would like you to log in, and by the way so would all the apps because you can't sync settings....

God help me if I have two factor authentication turned on, just makes it worse.

ME: ugh I quit. I'll go make a sandwich and do this later.

It's comical how many times I put in the exact same credentials on a new corporate box (or consumer one). Users get truly confused by this, so we always remote in on their first use to walk them through all the logging in.


Curt Kessler - FLC

Azure AD Join with Windows 10 devices


I have a few questions regarding Azure AD Join.

We don't have on-premise AD. We have Windows 10 devices in workgroup, Office 365, Intune and Azure AD Premium.

We want to join our Windows 10 devices to Azure AD so users can sign in with Office 365 credentials.

When I join a Windows 10 device to Azure AD it succeeds, but after I log in with my Office 365 credentials I'm forced to add a PIN code to my account before I can log in. We don't want this. How can this be disabled?

Also, we don't want users joining their devices to Azure AD with their own credentials. What kind of account should we use to join all the devices to Azure AD?


Programmatically fetching all members of an Azure Subscription


I am trying to fetch all the members of an Azure subscription and their email IDs. I am a Global Administrator in this subscription, so access is not an issue. I am looking for any PowerShell cmdlet or any API which can provide this information.

I have tried running the following, but it only gives me my own information and no other accounts which are also co-administrators in my subscription.

Add-AzureAccount


Get-AzureSubscription -Id "22222aaa-2a22-2a22-a2aa-2a0525c574c3" | Select-Object Accounts

Any pointers or references will be really helpful. 

How to log in to Azure AD with MS Account?


I've had an MS account for a number of years @ my own domain name (eg: me@mydomain.com)

Now, I've since obtained an Azure account, so I - of course - get an Active Directory with it. I have set up the AD to manage mydomain.com, (and it's verified) which was pretty cool.

Now I'm looking into enrolling my Windows 10 devices, but I'm running into a curious problem.

I've added my *Microsoft Account* login (me@mydomain.com) to my Azure AD (which manages the same domain) such that it looks like:

The problem I'm having now, though, is when I tell Windows 10 to enroll w/ 'me@mydomain.com' it doesn't appear to be hitting my AD and finding the user whose MS Account with that address is part of my AD. I get this:

Does *every* user whom I want to be able to enroll devices have to have a device *specific to* my AD? Can't be brought in from other ADs or Microsoft Accounts? Any suggestions on how I should solve this? If I try to create a new user 'me' @ my Azure AD (eg: me@mydomain.com), it fails unless I remove the Microsoft Account that's already part of the Azure AD.


http://bc3te.ch/brandonh

AAD Connect Health : Alerts are not automatically resolved when trust between proxy and ADFS has been restored.

My environment consists of all Windows 2012 R2 ADFS servers and WAP servers. All servers have the AAD Connect Health agent installed. Something went wrong during certificate renewal between WAP and ADFS for one of the WAP servers. AAD Connect Health detected the issue and alerted me. Very nice so far. I have taken action to resolve the error state (recreated the trust relationship between proxy and ADFS). The error state in AAD Connect Health is not returning to normal. There is no way to manually reset the status; it should automagically return to the OK state, but it doesn't. The machine has been in the error state since 14-2-2016. Please help me on getting this solved. The monitoring has become useless because new errors will not be reported anymore!