Channel: Azure Active Directory forum
Viewing all 16000 articles
Browse latest View live

Cannot connect with RDP to fix my Cipher settings for SSL


Question from @SKrokfors via twitter:

I configured the ciphers for SSL incorrectly in the group policy; now I cannot connect with RDP to fix it myself. What should I do?

Background: I have edited the cipher settings for SSL in group policy editor. After that I restarted the server.

Please assist.

Thanks,

@AzureSupport
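A way to see, from another machine, which TLS cipher suites the locked-out server's RDP listener still accepts. This is an added example and not part of the original post or of any Microsoft tooling: it sends the RDP X.224 connection request that asks for TLS (PROTOCOL_SSL), then attempts one TLS handshake per OpenSSL cipher name. A server whose "SSL Cipher Suite Order" policy no longer contains a suite the client also supports refuses every handshake, which is the symptom described above. The target host name and the candidate cipher list are assumptions; the byte layout is the standard TPKT + X.224 + RDP_NEG_REQ negotiation.

```python
"""Probe which TLS cipher suites an RDP listener still accepts (added example)."""
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol values used in the RDP negotiation
PROTOCOL_RDP = 0x00000000     # legacy RDP security, no TLS at all
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP (NLA) carried over TLS

NEG_FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

# OpenSSL names of a few suites to try (assumed list; extend as needed)
CANDIDATE_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]


def build_x224_connection_request(requested_protocols: int = PROTOCOL_SSL) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ asking for TLS."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type=REQ, flags, length, protocols
    x224_cr = bytes([0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00])          # LI=14, CR, dst-ref, src-ref, class 0
    body = x224_cr + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body             # TPKT: version 3, reserved, total length


def parse_x224_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its RDP_NEG_RSP / RDP_NEG_FAILURE."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        # Plain CC without a negotiation structure: the server only speaks legacy RDP security.
        return {"type": "none", "selected_protocol": PROTOCOL_RDP}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:
        return {"type": "response", "selected_protocol": value}
    if neg_type == 0x03:
        return {"type": "failure", "failure_code": value,
                "reason": NEG_FAILURE_CODES.get(value, "unknown")}
    raise ValueError(f"unexpected negotiation type 0x{neg_type:02x}")


def probe_rdp_tls_cipher(host: str, cipher: str, port: int = 3389, timeout: float = 5.0):
    """Return the suite the server negotiated when offered only `cipher`, or None if it refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # we test suite acceptance, not the certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites are not governed by set_ciphers()
    ctx.set_ciphers(cipher)                       # raises ssl.SSLError if the local OpenSSL lacks it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request())
        confirm = parse_x224_connection_confirm(sock.recv(1024))
        if confirm["type"] != "response" or confirm["selected_protocol"] not in (PROTOCOL_SSL, PROTOCOL_HYBRID):
            raise RuntimeError(f"server did not agree to TLS: {confirm}")
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
        except (ssl.SSLError, ConnectionResetError, socket.timeout):
            return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "rdp.example.test"  # assumed host name
    for name in CANDIDATE_CIPHERS:
        try:
            print(f"{name:32s} {probe_rdp_tls_cipher(target, name) or 'rejected'}")
        except (OSError, ssl.SSLError, RuntimeError) as exc:
            print(f"{name:32s} error: {exc}")
```

Run it as `python probe.py <server>`. If every candidate is "rejected" while the negotiation itself succeeded, the policy has removed all suites the client can offer; if the negotiation fails with SSL_NOT_ALLOWED_BY_SERVER, the listener has fallen back to legacy RDP security instead. Both cases point at the cipher suite order policy rather than at the network.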


Multi Factor Authentication on Mobile Phones


Hi Esteemed Colleagues,

Just trying to get around a possible client scenario

MFA has been enabled on a per user basis, we have implemented Intune as well

My question: the client wishes to use MFA on mobile phones, so when the user accesses the SharePoint icon that comes down when email is provisioned on the mobile phone using the inherent email client on Windows 8.1 phones. How can we ensure MFA is used when the user clicks on the SharePoint icon? Is this a task for app passwords, or should SharePoint support MFA now?


Location of SQL Express database when installing AD Connect


I'm in the process of setting up Azure AD Connect to sync our on-premises AD users to Office 365. I have reviewed the AD Connect documentation and some of the videos, but have a question about where the SQL Express database for AD Connect is saved to and whether the location can be specified. I would prefer to keep AD Connect and the SQL Express database off the primary C: drive and put them on the E: drive, since it has much more storage space. I know unfortunately I can't specify the install location of AD Connect using the Express install method. I'm not sure why Microsoft does not give you that choice during Express install, since I just need the functions provided with Express. My question is: if I do the custom install and select the location to install AD Connect on a drive other than C: (i.e. drive E:), does the SQL Express database for AD Connect also get saved to the drive I selected, or does the database default to the C: drive?

Make a new user a local administrator on a device prepared by an Azure AD admin


Hello,

I installed Windows 10 on a new laptop and signed in with my Azure AD work account, which is an administrator in the Azure AD. We have an Office 365 subscription, so the Azure AD is Basic (not Premium).

When I prepared the laptop I did not try to join it to a domain, I assumed that because I chose "Work" option when installing Windows 10 that it would join it to our Azure AD (I think it does?).

I shipped the laptop to the middle of Australia for a new user, and they connected to the WiFi and signed in for the first time with their Azure AD account (user@domain.net.au), but now I need them to be the administrator on that laptop.

Is there a way I can make that user an administrator on their laptop now, preferably through the Azure AD portal or something similar? The user could not get TeamViewer installed for me to remote in, and I was hoping I could do away with that sort of stuff now and just tick a box in AD to make them an admin on the machine. If it's not possible, then how do I remote in to his machine to make the change myself?

Thanks

James

Calling Graph API


Hi,

I have a WCF application hosted on Azure and a client application accessing the WCF application. The WCF application is registered as a web application in Azure and the client app as a native application. The native application in Azure has delegated permission to access the WCF application. The client application retrieves the token for itself and accesses the WCF application. All this works fine.

I have a requirement to access the Graph API from the WCF application. In the above setup, I cannot access the Graph API from WCF because the token belongs to the native application. From the samples I have found so far, I need the token for the web app, which has the necessary access to the Graph API.

So I am confused on whether I should use the native application to retrieve the token or directly retrieve the token for the web app. If I use the native app to retrieve the token, how would I retrieve the token for the web app to access the Graph API? It's not a good idea to force multiple consents on the user (one for the native client and one for the web app), and I cannot even force a second consent, as the WCF service is running in non-UI mode.

Looking forward for some help around this,

Thanks,
Himal


Himal Patel

User does not have the required permissions in Visual Studio only.


I have added a Windows account as a global admin of an Office 365 Active Directory. Using this account I can successfully create and manage applications using the Azure portal. When I try to use the same account to add an application in VS2015 (by setting the authentication to the AD domain, for instance), I get an error that the "user doesn't have the required permissions to access the domain".

I'm pretty sure this is a catch all error and not the really problem as the user definitely does have the permissions. Has anyone else run into this and found a way round it?

Multi-tenant: how can I decide, which AD is allowed to access my app?


I have an AAD and my customer also has his own AAD.

Until now, when I want to grant my customer access to my app, I told him to create a new application in his AAD and use my app ID Uri, sign-in url and reply url. Then he gave me the client ID, client secret and tenant ID - this way, I was able to grant access to my app for this customer.

But what about "multi-tenant"? I don't get the concept of it. Well, I read that I somehow have to use the "common" endpoint to grant access to other AADs... but how can I decide WHICH AD is allowed to access my app? Does my customer still have to add my application to his AD?

If yes: what's the difference/advantage compared to the way I described first?

If no: Again, how can I make sure that only this customer has access to my app, but nobody else?
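The two questions above ("Calling Graph API" and this multi-tenant one) are two halves of the same middle-tier design, so one added example covers both. It is not code from either post: it shows a multi-tenant web API that (1) accepts a bearer token only if the token's `tid` claim is on the service's own allow-list and its `iss` claim matches that tenant, which is the check a multi-tenant app has to do itself because the `common` metadata only gives an issuer template, and (2) exchanges the user's token for a Graph token with the Azure AD v1 on-behalf-of grant (`grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, `requested_token_use=on_behalf_of`), which needs no second interactive consent from the user. Signature verification of the incoming token is assumed to be done by the hosting framework (WCF/OWIN middleware); the tenant id, App ID URI, client id and secret are assumptions.

```python
"""Multi-tenant middle tier: accept only allow-listed tenants, then call Graph on behalf of the user.

Added example; not code from the original posts. The signature of the incoming
bearer token is assumed to have been verified already by the web framework
against the Azure AD signing keys; this code handles only the checks that the
framework cannot do for a multi-tenant app, plus the on-behalf-of exchange.
"""
import base64
import json
from urllib.parse import urlencode

ALLOWED_TENANT_IDS = {"11111111-2222-3333-4444-555555555555"}  # assumed customer tenant id(s)
OUR_APP_ID_URI = "https://contoso.example/wcfservice"          # assumed App ID URI of the WCF app
GRAPH_RESOURCE = "https://graph.windows.net"                   # Azure AD Graph resource identifier


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload. No signature check here (see module docstring)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_tenant(claims: dict) -> str:
    """Return the tenant id if the token comes from an allow-listed tenant, else raise.

    With the 'common' endpoint the published issuer is a template
    (https://sts.windows.net/{tenantid}/), so the app must compare the issuer
    against the tid claim itself and the tid against its own allow-list.
    """
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANT_IDS:
        raise PermissionError(f"tenant {tid!r} is not allowed")
    if claims.get("iss") != f"https://sts.windows.net/{tid}/":
        raise PermissionError("issuer does not match the tid claim")
    return tid


def build_obo_request(incoming_token: str, client_id: str, client_secret: str):
    """Build the on-behalf-of token request against the tenant the user signed in from.

    Returns (url, form_fields). The incoming token must be addressed to us
    (aud == our App ID URI or client id): forwarding a token meant for another
    audience would make this service a confused deputy, and Azure AD rejects it.
    """
    claims = jwt_claims(incoming_token)
    if claims.get("aud") not in (OUR_APP_ID_URI, client_id):
        raise PermissionError("token is not addressed to this service")
    tid = check_tenant(claims)
    url = f"https://login.microsoftonline.com/{tid}/oauth2/token"
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "resource": GRAPH_RESOURCE,
        "scope": "openid",
    }
    return url, form


def exchange_token(incoming_token: str, client_id: str, client_secret: str, post) -> str:
    """Perform the exchange; `post(url, body_bytes)` returns the response body text (injected for testing)."""
    url, form = build_obo_request(incoming_token, client_id, client_secret)
    reply = json.loads(post(url, urlencode(form).encode()))
    if "access_token" not in reply:
        raise RuntimeError(reply.get("error_description", "token exchange failed"))
    return reply["access_token"]


def unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token for local testing only; never accept alg=none in production."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Onboarding a new customer is then an allow-list change after their admin has consented at the `common` endpoint (consent creates the service principal in their tenant, so they no longer register a copy of the app themselves); a tenant whose admin consented but which is not on the list is still refused by `check_tenant`.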

Password Sync Multi Forest


Hi folks,

I have set up Azure AD Connect and am syncing users from 2 forests using option 2 (the same user exists in multiple directories). I have used empID as the custom attribute for matching and empID as the source anchor.

I would like some insight into password sync: if a user, let's say test.user0170, exists in both foresta.com and forestb.com, then which forest's password would be synced to Office 365? Basically I am planning an inter-forest migration of users, so I am looking for options for leaving directory sync on until the migration completely finishes and we let go of the legacy forest.


Regards, Navdeep



Static IP on Azure VM


Hi Guys,

I was trying to set up Active Directory on my Azure VM. To do that you require DNS, and for that the IP has to be static. I set the IP to static, but then my RDP disconnected and I can't connect anymore. How can I change the setting back so that I can access the VM again?

Project Server 2013 Active Directory Resource Pool Synchronization doesn't work with Azure Active Directory


Hi,

today I wanted to set up Active Directory Resource Pool Synchronization in my cloud-only Project Server environment. But that fails.

Short explanation: one of the Project Server libraries (DLLs) builds a DirectorySearcher object that uses "CN=Partitions, ..." as the search root. As I am using Azure Active Directory (Domain Services), I do not have access to that AD path.

Here are the detailed results of my investigation:

1. Adding a group for Active Directory Resource Pool Synchronization using PWA Settings is not possible. When trying to save the settings this error occurs: "The People Picker field contains unresolved or local entities, please correct this."

2. Adding a group using PowerShell works: Enable-SPProjectActiveDirectoryEnterpriseResourcePoolSync -Url "..." -GroupUids ([Guid[]]"...")

3. Invoking a sync job using Invoke-SPProjectActiveDirectoryEnterpriseResourcePoolSync -Url "..." generates the following errors in the SharePoint ULS log (shortened):

Failed to determine fqdn/netbios mapping of server *****.onmicrosoft.com.  exception: System.Runtime.InteropServices.COMException (0x8007200A):
The specified directory service attribute or value does not exist.
     at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
     at System.DirectoryServices.DirectoryEntry.Bind()
     at System.DirectoryServices.DirectoryEntry.get_AdsObject()
     at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
     at Microsoft.Office.Project.Server.BusinessLayer.ActiveDirectoryUtility.DomainResolver.ResolveServer(String server)

4. Then I disassembled the Microsoft.Office.Project.Server.dll to see what happens inside ResolveServer. Here is the PowerShell equivalent of the code:

$server = "*****.onmicrosoft.com"

# Bind to RootDSE and read the configuration naming context (CN=Configuration,DC=...).
$entry1 = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$server/RootDSE"
$singleValue = $entry1.configurationNamingContext

# Project Server uses the Partitions container of the configuration partition as search root;
# this is the path that is not accessible in Azure AD Domain Services.
$path = "LDAP://$server/CN=Partitions,$singleValue"
$entry2 = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path

# Look up the crossRef object of the domain partition to map its DN to a NetBIOS name.
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $entry2
$directorySearcher.Filter = "(&(objectCategory=crossref)(netBiosName=*)(ncName=DC=*******,DC=onmicrosoft,DC=com))"
$null = $directorySearcher.PropertiesToLoad.Add("ncName")
$null = $directorySearcher.PropertiesToLoad.Add("netBiosName")

$directorySearcher.FindAll()


5. Executing that script generates the same error I see in the ULS log. If I remove the part "CN=Partitions," from $path, the script works.

Is there some way to make the Active Directory Resource Pool Synchronization work with Azure Active Directory?

Thanks

Philip


Problems with AADC Configuring


Hello together,

I have a problem with the setup of Azure Active Directory Connect.

I get the following error:

An error occured execution Configure AAD Sync task: user_realm_discovery_failed: User realm discovery failed..

[08:33:26.208] [ 27] [VERB ] Cleanup: Starting cleanup for task 'Configure AAD Sync'
[08:33:26.208] [ 27] [VERB ] Task 'Configure AAD Sync': No cleanup defined
[08:33:26.208] [ 27] [INFO ] Task 'Deploy AAD Sync' has finished execution
[08:33:26.208] [ 18] [ERROR] Task failed without an exception
[08:33:26.208] [ 18] [VERB ] Cleanup: Starting cleanup for task 'Deploy AAD Sync'
[08:33:26.208] [ 18] [VERB ] Task 'Deploy AAD Sync': No cleanup defined
[08:33:26.208] [ 18] [VERB ] Marking task 'Deploy AAD Health Agent' as Skipped
[08:33:26.208] [ 18] [VERB ] Marking task 'Configure Auto Upgrade Version' as Skipped
[08:33:26.208] [ 18] [VERB ] Rolling back task Check Installed Components
[08:33:26.208] [ 18] [VERB ] Task 'Check Installed Components': No rollback defined
[08:33:26.208] [ 18] [VERB ] Rolling back task Configure Passthrough Authentication
[08:33:26.208] [ 18] [VERB ] Task 'Configure Passthrough Authentication': No rollback defined
[08:33:26.208] [ 18] [INFO ] Task 'Single Forest Dir Sync Pwd Sync Root Task' has finished execution
[08:33:26.208] [ 20] [ERROR] user_realm_discovery_failed: User realm discovery failed
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: user_realm_discovery_failed: User realm discovery failed ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: user_realm_discovery_failed: User realm discovery failed
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.ValidateConfigurationParameters(Connector connector)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateConnector(Connector connector, Boolean validate)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncConnectorCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.AddConnector(Connector connector)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnectorCore()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnector(IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.CreateConnectorWithRetry(ConnectorAdapterBase connectorAdapter, IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Configuration.Utility.ConnectorUtility`1.UpdateConnector(IAdSyncConfigExecutionContext`1 executionContext, ConfigurationItem configChange, ConnectorAdapterBase connectorAdapter, IAadSyncContext syncContext, Boolean isNewConnector, Boolean forceUpdateSchema, IAadSyncConfigurationResults& results, List`1 attributeExclusions, ConnectorSpecificPolicy connectorPolicy, Boolean retryOnFailure)
   at Microsoft.Online.Deployment.Types.Configuration.AadConnectorConfigurationItem.Execute[TContext](IAdSyncConfigExecutionContext`1 executionContext, IAadSyncConfigurationResults& results)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.ConfigureSyncEngine(TContext context)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
[08:33:26.211] [ 20] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[08:33:26.219] [ 11] [INFO ] Starting Telemetry Send

[08:28:03.913] [  8] [ERROR] user_realm_discovery_failed: User realm discovery failed
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: user_realm_discovery_failed: User realm discovery failed ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: user_realm_discovery_failed: User realm discovery failed
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.ValidateConfigurationParameters(Connector connector)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateConnector(Connector connector, Boolean validate)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncConnectorCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.AddConnector(Connector connector)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnectorCore()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnector(IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.CreateConnectorWithRetry(ConnectorAdapterBase connectorAdapter, IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Configuration.Utility.ConnectorUtility`1.UpdateConnector(IAdSyncConfigExecutionContext`1 executionContext, ConfigurationItem configChange, ConnectorAdapterBase connectorAdapter, IAadSyncContext syncContext, Boolean isNewConnector, Boolean forceUpdateSchema, IAadSyncConfigurationResults& results, List`1 attributeExclusions, ConnectorSpecificPolicy connectorPolicy, Boolean retryOnFailure)
   at Microsoft.Online.Deployment.Types.Configuration.AadConnectorConfigurationItem.Execute[TContext](IAdSyncConfigExecutionContext`1 executionContext, IAadSyncConfigurationResults& results)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.ConfigureSyncEngine(TContext context)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()

The proxy is opened up to allow unauthenticated traffic between on-premises and *.microsoftonline.com.

Can somebody help me?
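A check a practitioner would run from the AAD Connect server before reinstalling, added here as an example and not part of the original post: reproduce the realm discovery lookup the wizard makes for the Azure AD account you sign in with, through the same proxy, and inspect the answer. The endpoint path used below is the one ADAL uses for user realm discovery as the author recalls it (treat it as an assumption); the UPN and the proxy address are assumptions too. If this request does not get through, the wizard cannot get past `user_realm_discovery_failed` either, whatever the sync account's permissions are.

```python
"""Reproduce AAD Connect's user realm discovery through a proxy (added example)."""
import json
import urllib.parse
import urllib.request
from typing import Optional

REALM_HOST = "https://login.microsoftonline.com"  # host the wizard must reach through the proxy


def user_realm_url(upn: str) -> str:
    """Realm discovery URL for a UPN (path as used by ADAL; assumed)."""
    return f"{REALM_HOST}/common/userrealm/{urllib.parse.quote(upn)}?api-version=1.0"


def parse_user_realm(body: str) -> dict:
    """Reduce the realm response to the fields that matter for the sign-in flow."""
    data = json.loads(body)
    realm = {
        "domain": data.get("domain_name"),
        "account_type": data.get("account_type"),  # "Managed" (cloud password) or "Federated" (ADFS etc.)
    }
    if realm["account_type"] == "Federated":
        # A federated realm means the wizard must additionally reach this STS, through the same proxy.
        realm["federation_metadata_url"] = data.get("federation_metadata_url")
    return realm


def check_user_realm(upn: str, proxy: Optional[str] = None, timeout: float = 15.0) -> dict:
    """Fetch the realm for `upn` via `proxy` (e.g. "http://proxy.corp.example:8080"); needs network.

    An empty ProxyHandler is installed when no proxy is given so that environment
    variables on the box do not silently change what is being tested.
    """
    handler = urllib.request.ProxyHandler({"https": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    req = urllib.request.Request(user_realm_url(upn), headers={"Accept": "application/json"})
    with opener.open(req, timeout=timeout) as resp:
        return parse_user_realm(resp.read().decode())


if __name__ == "__main__":
    import sys
    account = sys.argv[1] if len(sys.argv) > 1 else "admin@contoso.onmicrosoft.com"  # assumed UPN
    proxy_url = sys.argv[2] if len(sys.argv) > 2 else None                           # assumed proxy
    try:
        print(check_user_realm(account, proxy_url))
    except Exception as exc:  # proxy auth prompts, TLS inspection and DNS failures all surface here
        print(f"realm discovery failed: {type(exc).__name__}: {exc}")
```

A 407 from the proxy, a certificate error from a TLS-inspecting proxy, or a time-out each identifies a different thing to fix on the proxy side; a JSON answer with `account_type` set means the wizard's realm discovery would succeed from this box with that proxy setting.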

Users can't change their passwords after configuration


Hello friends,

I administer Office 365 in a university. Recently I changed the domain from federated to standard and enabled password synchronization in AAD Connect. I also enabled Password Writeback on the server with AAD Connect.

In Azure Active Directory I configured the option to allow Password Changes.

The problem comes when users try to change/reset their passwords. They are not able to do it; instead they receive an error.

What steps am I missing that prevent domain users from changing their passwords?

Is it possible to choose Azure AD LRS or GRS?


Is Azure Active Directory only global, or can a customer choose LRS or GRS?

Kind regards, Dave

new azure ad connector challenges


If anyone has installed the new Azure AD connector found on the portal, you will find some challenges, and I need help with those:

1. How can I be 100% sure it will not sync anything except the OU I have chosen? I can see it imports a lot of objects while working.

2. I can't find how to do the matching as below in this new version:

https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx

3. How can I push the sync from the command line? The file below is not there anymore, and neither is the scheduled task:

C:\Program Files\Microsoft Azure AD Sync\Bin
DirectorySyncClientCmd.exe

Azure MFA not working with text option

Are there any known issues with Azure MFA not working with the text method?  I find on some phones, they never receive the text as a second factor, but other phones work fine.  On the same phone a "Call" to that number never fails.  One that consistently has the issue is on Verizon -- does the carrier matter?

Azure AD trust between different EA possible and best practice

A large global company and its subsidiary have separate enterprise agreements. Subsidiary EA has EA Azure AD already setup, can corporate (from a different EA) establish trust with the AAD of the subsidiary?     They also want to manage the blacklist in a project level (separate subscription) so top level (or tier 0 AAD) admin does not have access to manage project level resources.

Dashboard Single Sign-On URL not working


Hi 

I just created a new custom app. I configured the SSO settings and assigned users.

Then I switched to the app's dashboard, tried copying the Single Sign-On URL and pasting it in another tab, and received this error:

Oops, this link isn’t working…
This link to MyAPP is invalid. Click the link below to see what applications you have access to. Otherwise, contact your administrator or the person who gave you this link to resolve this issue. 

Clicking on the link in the Azure portal seems to work, but I want a direct URL.

What am I doing wrong?

Thanks



How to create a User (Work Account) with specified Directory Role in Azure Active Directory Graph Api


I'm trying to find a way to create a user (work account) with a specified directory role in the Azure Active Directory Graph API using one AD Graph API call.

I can make 2 separate calls (1 to create the user and 1 to assign the directory role), but is it possible to include the role in the POST user payload and assign the role in the same call?


Aram Koukia | Blog: koukia.ca | Twitter: @aramkoukia
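In the Azure AD Graph data model a directory role's membership is a separate navigation link on the directoryRoles entity, not a property of the user, so the assignment stays a second request. The example below, added here and not code from the post, shows the two calls as they would be built and sent (request shapes are those of Azure AD Graph `api-version=1.6` as the author recalls them; the tenant, role object id and token are assumptions) and the two things worth getting right around them: a strong random initial password with `forceChangePasswordNextLogin`, and choosing the least-privileged role, which must already be activated in the tenant to appear under directoryRoles.

```python
"""Create a work account and link it into a directory role with Azure AD Graph (added example)."""
import json
import secrets
import string

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"
SPECIALS = "!#$%&*+-=?@_"


def random_initial_password(length: int = 16) -> str:
    """Strong one-time password satisfying the usual complexity classes; the user must change it."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
            return pw


def create_user_request(tenant: str, upn: str, display_name: str) -> tuple:
    """(method, url, body) for POST /users."""
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": upn.split("@")[0],
        "userPrincipalName": upn,
        "passwordProfile": {
            "password": random_initial_password(),
            "forceChangePasswordNextLogin": True,
        },
    }
    return "POST", f"{GRAPH}/{tenant}/users?api-version={API_VERSION}", body


def add_role_member_request(tenant: str, role_object_id: str, user_object_id: str) -> tuple:
    """(method, url, body) for POST /directoryRoles/{id}/$links/members."""
    body = {"url": f"{GRAPH}/{tenant}/directoryObjects/{user_object_id}"}
    url = f"{GRAPH}/{tenant}/directoryRoles/{role_object_id}/$links/members?api-version={API_VERSION}"
    return "POST", url, body


def create_user_with_role(tenant: str, upn: str, display_name: str, role_object_id: str, send) -> str:
    """Two calls: create the user, then link it into the (already activated) role.

    `send(method, url, body)` performs the authenticated call and returns the
    parsed JSON body, or None for an empty 204 response; it is injected so the
    flow can be exercised offline.
    """
    method, url, body = create_user_request(tenant, upn, display_name)
    user_id = send(method, url, body)["objectId"]
    method, url, body = add_role_member_request(tenant, role_object_id, user_id)
    send(method, url, body)
    return user_id


def graph_sender(access_token: str):
    """Return a send() that performs the call with urllib using a bearer token (needs network)."""
    import urllib.request

    def send(method, url, body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return send
```

Usage with a real token is `create_user_with_role("contoso.onmicrosoft.com", "alice@contoso.onmicrosoft.com", "Alice", role_object_id, graph_sender(token))`, where the role object id comes from a prior GET on directoryRoles. If the first call succeeds and the second fails, the account exists without the role; treat that as the safe failure direction and retry only the link.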

Using IIS rewrite I'm getting a 403 every time that I use a POST method but not when I use a GET


I'm creating a single sign-on that uses Microsoft Active Directory as a source. To do it, I get the redirect URL and redirect my user to it. After my user signs in, Active Directory redirects him to the URL that I sent in the sign-in URL, but when that happens it returns a 403.

Details:
It only returns a 403 on POST requests.

It returns the data when I do a GET request.

It works fine if I remove the sign-in step.

Thanks

Unable To Verify The Domain


From @retsef82 via Twitter,
 
This customer was initially trying to create the domain as non-ADFS and then realized that they needed it as ADFS. They deleted the domain, uninstalled AD Connect and rebuilt it as ADFS, but it wasn't verifying. They tried fiddling with the DNS settings to make sure they were right, but it was claiming that it was registered with another tenant.

They tried deleting the domain again and setting it up as non-ADFS. They set up the DNS entries and left it for an hour, but they are now getting a "Could not verify the domain. Could not verify this domain because it was previously configured for your tenant or for another tenant" error message.

Any assistance for this user would be appreciated.
 
Thanks,
@AzureSupport
