Channel: Azure Active Directory forum

Details on AzureActiveDirectoryStsLogon Activities?


Hi,

I'm using the Office 365 Management Activity API to collect user activities and analyze the data. However, the AzureActiveDirectoryStsLogon activities, which are activities with RecordType = 15, are very confusing, and I could not find any documentation on them.

Generally, there are two Operations, "Request for token(s):..." and "Issued token(s)". But from the data that I collected, I didn't find a relationship between these two types of Operations. So what's the difference between them? And there are many different kinds of those two Operations, e.g. "Issued token(s):compact_ticket,sessiontoken,signinstate", "Issued token(s):sessiontoken,openidconnect.idtoken,signinstate", etc. What's the difference? Sometimes there is no useful information to find out which user requested the token (i.e. UserId is Unknown, ObjectId is Not Available, Target is Unknown), so how could I tell whom the token was issued to? Sometimes there is a "DisplayName" in "ExtendedProperties"; however, it's impossible to use it to connect this activity to other activities, because other activities use UserId (xxx@xxx.xx), and you can't tell which "DisplayName" belongs to which "UserId".

How/Where can I find every detail of all these things?

Thanks!
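An added example (not from the original post and not Microsoft's documentation) of how such RecordType 15 records can be triaged once pulled from the Management Activity API. The three records are constructed for the example; the only field names taken from the post are RecordType, Operation, UserId, ObjectId, Target and ExtendedProperties/DisplayName, while CreationTime and ClientIP come from the common audit schema. The pairing rule (an "Issued" record from the same ClientIP within 60 seconds of a "Request" record) is an analyst's heuristic and an assumption, not a documented link between the two Operations.

```powershell
# Added example: triage AzureActiveDirectoryStsLogon (RecordType 15) records.
# The JSON below is constructed to mirror the shape described in the post.
$sample = @'
[
  {"RecordType":15,"CreationTime":"2016-03-16T08:00:01",
   "Operation":"Request for token(s):compact_ticket,sessiontoken,signinstate",
   "UserId":"alice@contoso.com","ObjectId":"Not Available","ClientIP":"203.0.113.10",
   "ExtendedProperties":[{"Name":"DisplayName","Value":"Alice Example"}]},
  {"RecordType":15,"CreationTime":"2016-03-16T08:00:03",
   "Operation":"Issued token(s):compact_ticket,sessiontoken,signinstate",
   "UserId":"Unknown","ObjectId":"Not Available","ClientIP":"203.0.113.10",
   "ExtendedProperties":[{"Name":"DisplayName","Value":"Alice Example"}]},
  {"RecordType":15,"CreationTime":"2016-03-16T08:05:00",
   "Operation":"Issued token(s):sessiontoken,openidconnect.idtoken,signinstate",
   "UserId":"Unknown","ObjectId":"Not Available","ClientIP":"198.51.100.7",
   "ExtendedProperties":[]}
]
'@

$records = $sample | ConvertFrom-Json | Where-Object { $_.RecordType -eq 15 }

function Get-StsPrincipal {
    param($Record)
    # Prefer UserId; fall back to the DisplayName extended property; otherwise mark unresolved.
    if ($Record.UserId -and $Record.UserId -ne 'Unknown') { return $Record.UserId }
    $dn = $Record.ExtendedProperties | Where-Object { $_.Name -eq 'DisplayName' } | Select-Object -First 1
    if ($dn) { return "displayName:$($dn.Value)" }
    return '(unresolved)'
}

$parsed = foreach ($r in $records) {
    # Operation looks like "Issued token(s):a,b,c" -> split into the kind and the token list
    $kind, $tokens = $r.Operation -split ':', 2
    [pscustomobject]@{
        Time      = [datetime]$r.CreationTime
        Kind      = $kind.Trim()
        Tokens    = @(($tokens -split ',') | ForEach-Object { $_.Trim() })
        Principal = Get-StsPrincipal $r
        ClientIP  = $r.ClientIP
    }
}

# Heuristic pairing (assumption): an "Issued" record that follows a "Request" record
# from the same ClientIP within 60 seconds is reported as its likely counterpart.
$requests = $parsed | Where-Object Kind -like 'Request*'
foreach ($issued in ($parsed | Where-Object Kind -like 'Issued*')) {
    $match = $requests | Where-Object {
        $_.ClientIP -eq $issued.ClientIP -and
        $issued.Time -ge $_.Time -and
        ($issued.Time - $_.Time).TotalSeconds -le 60
    } | Select-Object -First 1
    [pscustomobject]@{
        IssuedAt   = $issued.Time
        Tokens     = $issued.Tokens -join ','
        Principal  = $issued.Principal
        PairedWith = if ($match) { "$($match.Principal) @ $($match.Time.ToString('HH:mm:ss'))" }
                     else { '(no request within 60 s)' }
    }
}

# Inventory of the "Issued token(s)" variants seen, so the distinct bundles can be reviewed.
$parsed | Where-Object Kind -like 'Issued*' |
    Group-Object { $_.Tokens -join ',' } |
    Select-Object Count, Name
```

On the constructed input the second record is attributed to Alice only through the DisplayName fallback and the third stays unresolved, which is exactly the gap the post describes; the pairing column makes it visible when a token issuance has no request from the same client nearby.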


experiencing issues trying to evaluate Azure RMS


From @AzureSogelab via Twitter

Hi support, experiencing issues trying to evaluate Azure RMS. Have configured test OnPrem AD2012+ADFS, works fine. Enabled AzureRMS but cannot use it at all.

Login-AzureRmAccount -Credential $cred [WORKS]
Connect-AadrmService -Credential $cred [FAILS]
The correlation ID is .........................

Enabled RMS from the Azure Mgmt portal as well as the Office Admin portal but no way:

-> my test users can't use RMS

-> cannot connect using Connect-AadrmService -Credential $cred (the account works fine to authenticate to Azure). Any clue? Thanks

@Azure support provided this documentation: aka.ms/d1020634a, but it wasn't helpful.

Thanks,

@AzureSupport



Azure AD - Add user from another Microsoft Azure Active Directory using Graph API


Hi,

Is there a Graph API available to add a user from another Microsoft Azure Active Directory? This option is used to add users from other directories to the main Azure Active Directory, provided both exist in the same subscription/enrollment.

Thanks in Advance, Deep


Thanks & Regards, Deep

mobile app (or other method) in-flight WiFi


Hi everyone - I have a question about Azure MFA under certain conditions.  We have the Azure MFA server and mobile app portal set up and working fine, MFA is working for phone calls, texts, and mobile app.

But some users tell me that they can't sign in on their laptop when using the in-flight WiFi on a plane. They obviously can't receive phone calls or texts because their phone won't have cell signal. You would think they could use the in-flight WiFi on both their phone and laptop and use the mobile app. But they are telling me that they are only allowed to use the in-flight WiFi on one device at a time, and if they connect it on one device it will kick the other one off. So that means they can't receive mobile app notifications. So when they try to sign into remote desktop or VPN on their laptop, they can't get a notification on their phone app.

Has anyone else run into this and can tell me what you recommend in this situation?   Maybe I can use OATH somehow, I know that the Azure mobile app can display OATH tokens, but I don't know how to make that work with VPN (which is Routing and Remote Access PPTP VPN using RADIUS) or Remote Desktop Services.  Any suggestions you can offer would be much appreciated.  Thanks!

 

Azure AD Connect ADFS Install - "An Error occurred executing Configure Service Account task: The wizard was unable to contact a Windows 2012 or above domain controller"


I'm doing a fresh install of Azure AD Connect and downloaded the latest install, 1.1.110. Everything appears to go well until it is configuring the service account. We currently don't have any Server 2012 DCs on the network, so I supplied a domain user account, yet I'm still getting this error when the install enters the "Configure" phase.

An error occurred executing Configure Service Account task: The wizard was unable to contact a Windows 2012 or above domain controller to use Group Managed Service Account.

Could this be caused by the AD Health Agent requiring the use of a group managed service account? If that's the case is there a way to do the install without the agent?

AzureADConnect.exe Information: 0 : AdHealthWebproxy settings: security context: domain\********, HttpsProxyAddress: No Proxy, initialization status: Succeeded; Registry value did not exist; Value was not a string, No Initialization Exception
[14:12:54.473] [ 29] [INFO ] ConfigureAADHealthAgent: Successfully registered AAD Health Agent.
[14:12:54.483] [ 29] [INFO ] Task 'Configure AAD Health Agent' has finished execution
[14:12:54.483] [ 39] [INFO ] Task 'Configure AAD Health Agent' finished successfully
[14:12:54.483] [ 39] [INFO ] Task 'Deploy AAD Health Agent' has finished execution
[14:12:54.483] [  7] [INFO ] Task 'Deploy AAD Health Agent' finished successfully
[14:12:54.483] [  7] [VERB ] Executing task Create Service Account
[14:12:54.496] [ 41] [VERB ] Executing task Install Active Directory PowerShell
[14:12:55.135] [  8] [INFO ] Task 'Install Active Directory PowerShell' has finished execution
[14:12:55.136] [ 41] [INFO ] Task 'Install Active Directory PowerShell' finished successfully
[14:12:55.136] [ 41] [VERB ] Executing task Configure Service Account
[14:13:10.150] [ 16] [ERROR] ConfigureServiceAccountTask: Unable to find a Windows 2012 or above domain controller to get/add Kds Root Key.
[14:13:10.196] [ 16] [INFO ] Task 'Configure Service Account' has finished execution
[14:13:10.196] [ 41] [ERROR] Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskException: The wizard was unable to contact a Windows 2012 or above domain controller to use Group Managed Service Account.
   at Microsoft.Online.Deployment.PSModule.Tasks.ADFS.ConfigureServiceAccountTask`1.get_DomainControllerName()
   at Microsoft.Online.Deployment.PSModule.Tasks.ADFS.ConfigureServiceAccountTask`1.Preexecute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
Exception Data (Raw): Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskException: The task 'Configure Service Account' has failed. ---> Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskException: The wizard was unable to contact a Windows 2012 or above domain controller to use Group Managed Service Account.
   at Microsoft.Online.Deployment.PSModule.Tasks.ADFS.ConfigureServiceAccountTask`1.get_DomainControllerName()
   at Microsoft.Online.Deployment.PSModule.Tasks.ADFS.ConfigureServiceAccountTask`1.Preexecute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
   --- End of inner exception stack trace ---
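An added example (not from the original post and not part of Azure AD Connect) that checks the two things the failing task asks for: a Windows Server 2012 or later domain controller, and a KDS root key, which is what a group Managed Service Account needs and what the log line "Unable to find a Windows 2012 or above domain controller to get/add Kds Root Key" refers to. It assumes the ActiveDirectory RSAT module is available; the Kds cmdlets only exist on Server 2012 or later, so the second half has to be run there.

```powershell
# Added example: verify the gMSA prerequisites the "Configure Service Account" task depends on.
Import-Module ActiveDirectory -ErrorAction Stop

$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion, IsReadOnly
$dcs | Format-Table -AutoSize

# OperatingSystemVersion reads "6.2 (9200)" on Server 2012, "6.3 (9600)" on 2012 R2,
# "10.0 (...)" on 2016 and later; anything below 6.2 cannot serve a gMSA.
$modern = $dcs | Where-Object {
    $_.OperatingSystemVersion -and
    [version]($_.OperatingSystemVersion -replace '\s.*$', '') -ge [version]'6.2'
}
if (-not $modern) {
    Write-Warning 'No Windows Server 2012 or later domain controller found; gMSA creation cannot succeed in this domain.'
}

# The KDS root key is what the task tries to "get/add". The Kds module is only present on 2012+.
if (Get-Command Get-KdsRootKey -ErrorAction SilentlyContinue) {
    $kds = Get-KdsRootKey
    if (-not $kds) {
        Write-Warning 'No KDS root key. On a 2012+ DC run: Add-KdsRootKey -EffectiveImmediately (the key becomes usable after the replication delay, about 10 hours by default).'
    } else {
        $kds | Select-Object KeyId, EffectiveTime, CreationTime | Format-Table -AutoSize
    }
} else {
    Write-Warning 'Kds cmdlets not available on this machine; run the root-key check on a Windows Server 2012 or later domain controller.'
}
```

If the first check warns, no account choice in the wizard can make the task succeed until a 2012 or later DC exists, because the KDS root key is created and served by such a DC.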


Azure - Found Multiple X.509 certificates


I have uploaded two certificates to the Windows Azure Portal, a server certificate and a client certificate. In visual studio's I have configured my Azure project to have these two certificates and pointed them to the proper name and store location. My Service's web.config has the following lines in it:

      <serviceBehaviors>
        <behavior name="WCFServiceCertificate.Service1Behavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust"/>
            </clientCertificate>
            <serviceCertificate findValue="certificate-thumbprint" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/>
          </serviceCredentials>
        </behavior>

Which should set my serverCertificate for my service.

The problem I'm running into is that the first time I did my deployment it worked successfully. I was able to connect to the service. However, every time now that I have published my service again, I get the following error:

Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue 'certificatethumbprint'. Provide a more specific find value.

However, as far as I know there is actually only one certificate with this thumbprint. (I have confirmed that if I go into Azure Management, I only see one instance of my client and server certificate.)

If I delete my deployment from Azure Management and deploy again, everything works. But that is a hassle to do every time. Any suggestions on what I'm doing wrong?
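An added example (not from the original post) that enumerates every certificate carrying a given thumbprint in the CurrentUser\My and LocalMachine\My stores, which is what the WCF error is complaining about: FindByThumbprint must match exactly one certificate, and the portal view does not show what is actually installed in the role instance's store. The thumbprint value is a placeholder to be replaced. Run it on the role instance itself; if the role runs under a service account, CurrentUser\My in an RDP session is that session's store, not the one the service process sees, so compare with LocalMachine\My as well.

```powershell
# Added example: list all certificates that share a thumbprint across the two My stores.
function Find-CertificateByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Normalise a value pasted from the portal: drop spaces and hidden characters, upper-case it.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        Get-ChildItem "Cert:\$location\My" |
            Where-Object { $_.Thumbprint -eq $tp } |
            ForEach-Object {
                [pscustomobject]@{
                    StoreLocation = $location
                    Subject       = $_.Subject
                    NotBefore     = $_.NotBefore
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                    PSPath        = $_.PSPath
                }
            }
    }
}

# Placeholder: substitute the thumbprint from the service's web.config.
$hits = @(Find-CertificateByThumbprint -Thumbprint 'certificate-thumbprint')
$hits | Format-Table -AutoSize

# More than one entry in the same store is what makes WCF's FindByThumbprint lookup fail.
$hits | Group-Object StoreLocation | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "$($_.Count) certificates with this thumbprint in $($_.Name)\My; remove the stale copy (check NotBefore/HasPrivateKey to tell them apart)."
}
```

The NotBefore and PSPath columns are there to tell two otherwise identical entries apart before deleting one; the same thumbprint means the same certificate bytes, so removing the duplicate does not change which key the service ends up using.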

Actor Unknown in Azure AD Reports


I have not noticed this before, but last night all users had action of "Update User" by Actor "Unknown".  How do I determine what user did the updating and what update was done?  Why "Unknown"? 

Thank you

DirSync upgrade error


Hi

Getting the following error when trying to upgrade Dirsync to AD Connect:

Error running the Dirysync uninstall tool C:\Program Files\Windows Azure Active Directory Sync\UninstallDirectorySync.exe, System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified
   at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)

Any help or advice would be gratefully received

Regards

Amer


TLS Error configuring Azure AD to Salesforce User Provisioning


I'm following the steps in the Azure AD Salesforce tutorial (https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-salesforce-tutorial/#step-4-assign-users-to-salesforce) but I'm getting an error on "Step 3: Enable automated user provisioning" when clicking "Start test". The error is "We received an unexpected response from Salesforce.com. Please try again. If the problem persists, please contact Microsoft Azure support UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https."

If I understand the error it says that Azure is connecting to Salesforce using TLS 1.0 & Salesforce wants at least TLS 1.1. Is this something that can be configured in Azure? I don't see any such setting.

Thank you,

Patrick


Patrick Hoban
http://patrickhoban.wordpress.com

Making a User A Company Administrator fails with error - Azure Ad Graph


I have a method that creates a user using the Azure AD Graph API (the user gets created successfully) and then tries to add the user to the Company Administrator Group, but I get this error:

System.InvalidOperationException: The context is already tracking the entity.

Result StackTrace:
at System.Data.Services.Client.EntityTracker.AddEntityDescriptor(EntityDescriptor descriptor)
   at System.Data.Services.Client.DataServiceContext.AddObject(String entitySetName, Object entity)
   at Microsoft.Azure.ActiveDirectory.GraphClient.DirectoryObjectCollection.AddDirectoryObjectAsync(IDirectoryObject item, Boolean deferredSave)

I get the error when I hit this line:

await drrole.Members.AddDirectoryObjectAsync(usr as GraphClient.DirectoryObject);

Here is the complete body of the function:

    // Create the user, then look up the Company Administrator role and add the user as a member.
    await client.Users.AddUserAsync(graphUser);
    var directoryRoles = await client.DirectoryRoles.ExecuteAsync();
    var companyAdminRole = directoryRoles.CurrentPage
        .FirstOrDefault(m => m.DisplayName == "Company Administrator");
    if (companyAdminRole != null)
    {
        var drrole = client.DirectoryRoles.GetByObjectId(companyAdminRole.ObjectId);
        var usr = await client.Users.GetByObjectId(graphUser.ObjectId).ExecuteAsync();
        // This is the line that throws "The context is already tracking the entity".
        await drrole.Members.AddDirectoryObjectAsync(usr as GraphClient.DirectoryObject);
    }

I'm using the 2.1.0 version of the SDK:

https://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient/


Aram Koukia | Blog: koukia.ca | Twitter: @aramkoukia


Automated Directory Creation in Azure AD

Is it possible to create a new tenant/directory in Azure AD using Graph API, Powershell or any other automated way?

oauth token dependency takes highest time to execute


From NEERAJ Kosliya (@NeerajKosliya) via Twitter

@azuread @AzureSupport oauth token dependency takes highest time to execute which slow down my server response time.

 Twitter link: https://twitter.com/NeerajKosliya/status/710054559071084545

Thanks,

@AzureSupport

Azure AD user picture is not synced / updated from Office 365


I have the situation that all user profile pictures from my Office 365 tenant are not synced to Azure AD.

Within O365 (Exchange / SharePoint / Skype for Business) the profile pictures are updated immediately. After changing the picture I waited at least 72h before checking the changes, but no success.

The Office 365 tenant is quite old (before Azure AD was used) and obviously at one point in time some years ago photos were synced to Azure AD. But now no user profile picture is updated. Even new users' profile pictures are not synced to Azure AD; they show the default profile picture. Our Azure AD was never synced to an on-prem AD. All users live only in the cloud.

I opened some tickets with O365 Support but I was sent around between the O365 Support Teams, but no success.

Has anyone an idea how to solve this?




Login issues through Azure ACS


From Jurre Heesbeen (@jurreheesbeen) via Twitter who tweets:

"Are there any issues with Azure ACS at this moment that you know of?? We are suddenly experiencing login issues with webapps using ACS in two of our subscriptions"

We ran this by our engineers who confirmed that there were no known issues.

The customer later added: “We investigated further and discovered that our app suddenly (as of last night) isn't able to get the federationmetadata.xml file from ACS from within the cloud service. Running the same code locally works fine however, we did not change anything the last few days, which makes us believe an external change caused this. Thanks for looking into it.”

Tweet URL: Tweets received over DM

Appreciate it if you are able to advise Jurre on this matter.

Thanks,
@AzureSupport

Error installing Azure Active Directory Connect in Parallel deployment


I am trying to replace my old dirsync server with a new server running Azure Active Directory Connect. I exported the config from Dirsync but when I try to install Azure Active Directory Connect I get the following error:

Configure AAD Sync

An error occurred executing Configure AAD Sync task: user_realm_discovery_failed: User realm discovery failed

I see the following in the log:

[14:12:13.687] [ 34] [ERROR] user_realm_discovery_failed: User realm discovery failed
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: user_realm_discovery_failed: User realm discovery failed ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: user_realm_discovery_failed: User realm discovery failed
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.ValidateConfigurationParameters(Connector connector)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateConnector(Connector connector, Boolean validate)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncConnectorCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.AddConnector(Connector connector)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnectorCore()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnector(IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.CreateConnectorWithRetry(ConnectorAdapterBase connectorAdapter, IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Configuration.Utility.ConnectorUtility`1.UpdateConnector(IAdSyncConfigExecutionContext`1 executionContext, ConfigurationItem configChange, ConnectorAdapterBase connectorAdapter, IAadSyncContext syncContext, Boolean isNewConnector, Boolean forceUpdateSchema, IAadSyncConfigurationResults& results, List`1 attributeExclusions, ConnectorSpecificPolicy connectorPolicy, Boolean retryOnFailure)
   at Microsoft.Online.Deployment.Types.Configuration.AadConnectorConfigurationItem.Execute[TContext](IAdSyncConfigExecutionContext`1 executionContext, IAadSyncConfigurationResults& results)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.ConfigureSyncEngine(TContext context)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
[14:12:13.691] [ 34] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[14:12:13.693] [  6] [INFO ] Starting Telemetry Send

Anyone know how to resolve this? Thanks


Windows 10 Settings Sync on AAD joined PC's? Tales of logins but no sync


We're seeing this on all PC's joined during the OOBE setting up Windows 10. You set up the machine, login with the domain/AAD account, set up the PIN, setup Office 365, login about a gazillion times with the same credentials.

When you go to the Accounts - Sync Settings you can't turn it on. We'd like to be able to have users sync settings with their AAD account. But even if you add an MSA account, sync settings is disabled. So you can't get any settings already set up and have to go through a tedious manual process for every box. Plus all their apps need setup because no sync.

Is there something that needs to be turned on to allow this, or at least allow MSA settings to sync? We're trying to move all the way to Windows 10, but a lot of this doesn't seem finished yet...

Oh, and on the logins issue--there is a lot of work to do here. You put in the credentials over and over and over and over. It seems like there should be a master login (AAD) and then feed those credentials for everything in that user session. Then if they add an MSA, just use that popup to pick which to use (but not log in over and over).

Office apps, Office web, Intune, local Win32 apps, Windows Store (for business), etc. At least use the biometrics or PIN rather than full on login. Even logging into one app goes like this

Windows: LOGIN
Me: emailaddress...tab...
WINDOWS: STOP! Microsoft Account or Work/School Account?
ME: work...
WINDOWS: STOP! let me clear what you already typed and make you retype username and password.
ME: ugh...username...password
OFFICE: STOP! do you accept the agreement?
ME: yes...
OFFICE: you need to ACTIVATE, close and reopen
Me: okay....closing and reopening, oops! I picked Word mobile instead of...
WORD MOBILE: STOP! You need to login to edit files
Me: okay....username....
WORD MOBILE: STOP! Microsoft Account or Work/School?

By now Skype for Business has started up, sitting there with a taunting 'I dare you' to log in. Oh and OneDrive for Business needs you to go login to the web and sync, and the store would like you to log in, and by the way so would all the apps because you can't sync settings....

God help me if I have two factor authentication turned on, just makes it worse.

ME: ugh I quit. I'll go make a sandwich and do this later.

It's comical how many times I put in the exact same credentials on a new corporate box (or consumer one). Users get truly confused by this, so we always remote in on their first use to walk them through all the logging in.


Curt Kessler - FLC

How To Force Sync w/ new Azure AD Connect Preview?


...the old start-onlinecoexistencesync doesn't seem to be working with the new preview.

How do you force a sync?
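An added example (not from the original post and not shipped with Azure AD Connect) of forcing a sync cycle in a way that copes with both generations of the tool: the 1.1.x builds expose the built-in scheduler through the ADSync module (Start-ADSyncSyncCycle), while the earlier 1.0.x builds, including the preview the post refers to, ran DirectorySyncClientCmd.exe from a scheduled task. The DirSync-era Start-OnlineCoexistenceSync exists in neither. The install path is an assumption about a default installation.

```powershell
# Added example: trigger a delta (or initial) sync on an Azure AD Connect server.
function Start-AadConnectSync {
    param([ValidateSet('Delta', 'Initial')][string]$Type = 'Delta')

    # 1.1.x and later: the scheduler cmdlets are in the ADSync module.
    Import-Module ADSync -ErrorAction SilentlyContinue
    if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
        $scheduler = Get-ADSyncScheduler
        if ($scheduler.SyncCycleInProgress) {
            Write-Warning 'A sync cycle is already running; not starting another.'
            return
        }
        Start-ADSyncSyncCycle -PolicyType $Type
        return
    }

    # 1.0.x builds: call the client the scheduled task runs, with "delta" or "initial".
    $exe = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'
    if (Test-Path $exe) {
        & $exe $Type.ToLowerInvariant()
        return
    }

    throw 'Neither Start-ADSyncSyncCycle nor DirectorySyncClientCmd.exe was found; is this the Azure AD Connect server?'
}

Start-AadConnectSync -Type Delta
```

Run it in an elevated PowerShell session on the Azure AD Connect server itself; the ADSync module is not installed anywhere else.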

Customized Company Branding for Azure Active Directory


We are using Azure Active Directory Basic edition to manage user authentication to our Enterprise application. For Company branding, we have customized the Sign In Page Illustration and Banner Logo, these elements are getting updated on the Sign In Page.

The issue that we are facing currently is how to remove the Microsoft logo and other corresponding elements like "Don't have an account assigned by your work or school? Sign in with Microsoft account" from our login page.

Also towards the page end, Microsoft has inserted links like ©2016 Microsoft, the Microsoft logo, Terms of Use and Privacy & Cookies.

We are preparing a customized login page for our enterprise application, is there some way to remove these elements through customization of Azure AD Sign In page?


Thanks & Regards, Deep

Received "Previously Configured" Error Without any Changes


Hello!

An AAD customer is receiving the error message:

"Could not verify this domain because it was previously configured for your tenant or for another tenant."

The customer @dscoduc (via Twitter) is not aware of any previous configurations and was able to verify that no previous domain verification records were published in DNS.

We would appreciate your assistance into looking into the issue.

@AzureSupport

Location of SQL Express database when installing AD Connect

I'm in the process of setting up Azure AD Connect to sync our on-premises AD users to Office 365. I have reviewed the AD Connect documentation and some of the videos but have a question of where the SQL Express database for AD Connect is saved to and if the location can be specified. I would prefer to keep AD Connect and the SQL Express database off of the primary C: drive and put it on the E: drive since it has much more storage space. I know unfortunately I can't specify the install location for AD Connect using the Express install method of AD Connect, which I'm not sure why Microsoft does not give you that choice during Express install since I just need the functions provided with Express. My question is that if I do the custom install and select the location to install AD Connect and select a drive other than C: (i.e. drive E:), does the SQL Express database for AD Connect also get saved to the drive I selected or does the database default to the C: drive?