Channel: Azure Active Directory forum

Graph API 1.6 returning Resource not found for the segment 'me'

Previously the Graph API worked for returning the list of groups for the active connection via the me method. However, this is now returning the following error:

{"odata.error":{"code":"Request_ResourceNotFound","message":{"lang":"en","value":"Resource not found for the segment 'me'."}}}

REST API URLS:

https://graph.windows.net/me?api-version=1.6 

(this one was working)

https://graph.windows.net/<tenantid>/me/memberOf?api-version=1.6 


Graph API call returns "Insufficient privileges to complete the operation"

When I run the Graph Explorer and ask for the permissions (I am signed in with proper AAD creds):

https://graph.windows.net/xxxxxxxxxxx/permissions?api-version=2013-11-08 I get the whole collection of permissions.

When I run C# code that does the same I get a return containing {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

Similarly for devices.

In the C# app I can get all the data for users, applications, groups etc. but it fails on these two with Insufficient privileges. Any idea what is missing? I am running in a multitenant SSO app and the user has signed in with the same credentials that were used in Graph Explorer. I set up the authorization header just like in the samples:

// Acquire an app-only token with the client credentials of the registered application
// and build the Authorization header for the Graph call.
string tenantId = ClaimsPrincipal.Current.FindFirst(TenantIdClaimType).Value;
AuthenticationContext authContext = new AuthenticationContext(String.Format(CultureInfo.InvariantCulture, LoginUrl, tenantId));
ClientCredential credential = new ClientCredential(AppPrincipalId, AppKey);
AuthenticationResult assertionCredential = authContext.AcquireToken(GraphUrl, credential);
string authHeader = assertionCredential.CreateAuthorizationHeader();

I don't know what permissions I would need to have or why I have them under Graph Explorer. Does anyone have some insight on this?

Thanks


Rig Lee

Cannot access Azure AD application unless a security group is added.

We have defined a Visual Studio Online project as an application in our Azure AD. We've switched off the "user assignment is required" setting:

Previously this was sufficient to have access to this TFS project from our application. We were being redirected by the myApps portal. But now I get the message below.

The workaround needed is to add a security group to the application (without changing the "User assignment required ..." setting!). This is a bit weird to me. Is this a bug?

Automatically enroll on-premises AD-joined machines to Azure AD

We are trying to automatically join our on-prem domain-joined machines to Azure Active Directory.
According to this article, this should be possible: https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-azureadjoin-devices-group-policy/

Specifications:
The critical servers have the following versions.
Forest and domain functional level: 2003; minimum OS 2008 R2.
Domain Controllers run Windows 2008 or Windows 2012 R2.
Azure AD connect version: V1.1.110.
ConfigMgr: 1602 for Microsoft passport and Windows Hello (Hybrid Intune)
Windows 10 client: V1511 10586.104.

Error message received: AAD Cloud AP Plugin initialize returned error: 0xc00484B2
My guess is the OS version of the Domain Controllers!

Can anyone help or confirm my guess?

TIA


Any questions, just ask!

Can we add Azure VM to Synced domain

Hi,

Our scenario is:

We added a domain in Azure and synced our on-prem AD objects with password sync.

Is it possible to join a new Azure VM to this synced domain?

Regards,

Kalaivani

Azure AD Access panel translations

Can we please get consistent text entries across all apps? The mockup below is for a single user, I have at least four different variations...

Azure AD Domain Services not replicating Group Policies

Hello,

I edited a GPO in Azure AD, which I'm supposed to do per the documentation, but it never replicated between domain controllers.




Disable azure portal login

An Azure AD Free subscription was enabled for an O365 tenant space, but this also enabled access for all O365 users to portal.azure.com as well.

I need to disable login access for all users to portal.azure.com, but keep access to our O365 tenant space. Obviously, setting the account to 'block' sign in disables access to both resources.

What can be done to turn off the Azure portal login access to all end users?


RMS Hybrid Deployment (without Office365)

Please tell me if I am in the wrong place.

Looking to do a hybrid deployment of RMS: Azure and 2012 R2.

I want on-premises for local work in case we are isolated from the Internet (DR scenario) but Azure for external partners and mobile workers.

I have already synced the AD to Azure.

Do I deploy RMS in the local AD then in Azure, or vice versa?

Any tips or guidelines?


CarolChi

Can a PC on Windows 8 join an Azure Domain?

From Paul Kempf (@PaKempf) via Twitter who tweets:

“Hello, can a PC on Windows 8 join an Azure Domain? If yes, how?”

The customer also added: "I'm trying to add a Windows 8 computer to my Azure AD Domain. Can I do it or do I need to upgrade to Win10?"

The customer was sent the documentation on https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-device-registration-overview/ however this did not help the customer. The customer also added:

“It doesn't really help, no. Is there a specific tool I'm supposed to use to register my computer on my Azure AD? The classic way of changing the domain doesn't work now.”

Appreciate if you may be able to advise on this matter.

Tweet URL: https://twitter.com/AzureSupport/status/713387540955332610 
 
Thanks,
@AzureSupport

Azure AD and OAuth: any account can log on, even when User Assignment Required is set

Hi all,

I would really appreciate your thoughts on the following Azure AD + OAuth2 issue.

The context: We have a single tenant Azure web application (one instance per customer) and most of our corporate customers use SSO with ADFS for authenticating their users. For some of our smaller customers, we hand out accounts (that means no SSO). These separate accounts currently 'live' in our databases, but we are planning on using an Azure AD for that (one Azure AD per customer).

The issue: For testing this use case, we have created an Azure AD with a handful of ourdomain.onmicrosoft.com-accounts. We have configured an instance of our web application for OAuth2 access. The test accounts authenticate fine and we have access to the user properties using the graph API.

However, we recently made a somewhat worrying discovery, and hopefully I have just misconceived the concept.

  • In the application configuration in Azure AD, the setting "user assignment required for app" is enabled. Still, any user in the user table that has the "Assigned" property set to "No" can log on to our application.
  • We have tried logging on with a Microsoft account that is not in our AD, and this account can also log on to the application (our application receives an OAuth access token, but the call to the graph API fails with an error 400, Bad Request).

Could anyone explain this behavior, or let me know how to configure Azure AD (and a registered application) in a way that will ONLY allow accounts from the specific AD the application was registered in?

Thank you for your help.

Azure Active Directory Domain Services: Portal Created Accounts sync different than GraphAPI Created Ones

Hi @All

We created a nice-looking registration page to allow specific users to create an account in our Azure AD which has DS enabled. The registration page is a trusted "App" in the AAD and creates users by using the Azure Graph libraries as described here http://justazure.com/azure-active-directory-part-5-graph-api/.

When it comes to account creation, everything works fine, except one neat detail. Accounts created via the Azure Management Portal own the attribute "userName" which gets populated to the AAD DS, whereas accounts created via the Graph API don't have such an attribute.

See the POST request to the Azure Management Portal when creating a new user; not sure if this is only UI, but probably this is additional information which is used for defining the username in DS.

Compared with users created by the Graph API, the attributes synced to the AAD DS are significantly different.

Max Muster was created by using the Portal (like the one above) whereas Michael Schnyder was created by the Graph API.

What I found is different:

- CN
- distinguishedName
- name
- sAMAccountName

Question: How can the Graph API be called so that the AAD DS behaves the same as for users created in the Management Portal?

BTW: This editor is too small and buggy, just a shame for such a modern and forward-looking company. Please update / migrate asap... How do you appreciate customer feedback when this channel is almost unusable?

Accounts are expired in Azure Active Directory Domain Services (AAD DS) even if the PasswordNeverExpires was set to true

Hi

Just had the honor to fix our test-environment one more time due to this nasty behavior.

My setup: I have several accounts (administrators, service accounts) in my Azure Active Directory. This Azure Active Directory has Domain Services enabled, so that these accounts can be used in our Virtual Machines, hosted on Azure and domain-joined to exactly this Domain Services. Some of the accounts are service accounts (i.e. to query the LDAP) or administrator accounts to access the machines by RDP.

The issue: After 30 days from the last password change, every account gets disabled in the Domain Services. Login with the accounts still works on all the web portals provided by MS (i.e. portal.office.com, portal.azure.com) but the accounts are disabled in the Domain Services! Services can't start anymore, RDP fails, Windows Integrated Web Logins fail, ....

And yes, I have the option "PasswordNeverExpires" enabled for all those accounts. In fact, the expiration is set to 90 days, anyway. Link: https://www.petri.com/reset-azure-active-directory-user-password-set-never-expire

This problem is also mentioned here https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/11457978-azure-ad-domain-services-is-forcing-me-to-change-p

Expected: When enabling this "PasswordNeverExpires" with PowerShell-Modules, this setting should be considered when syncing the users from AAD to the Domain Services environment.

If not, an administrator is forced to remote login and change every service account every 25 days! The same applies for users. That's a clear showstopper and I'm actually thinking of migrating to the AWS solution for this. How is it possible to enable a preview feature that lasts 30 days only?

Is there a workaround for that? Seems that I'm not the only one having that issue.

Michael



Creating an Azure domain that attaches to non-classic Virtual Machines

I am new to Azure. I managed to create a domain using the old Azure portal, create a classic VM and attach that VM to the domain.

The problem was I could only attach 'classic' VMs to that domain and not those created using the new Azure Portal (Resource Manager deployed). My understanding is the 'classic' objects are old and eventually will be replaced by those created using Resource Manager.

My question is how can I create a domain using the new Azure portal and attach it to VMs deployed using Resource Manager. As I'm just starting out I want to ensure I'm building things using the latest technology and not something that will be deprecated in the future.

My goal is to create an internet-facing SharePoint VM, a domain and a SQL VM. It's only the domain section I'm currently trying to understand better as I have never created a domain before.

Regards.

Setting Up Australian-Based SharePoint 2013 on Azure

I want to deploy a SharePoint server using the Australian Azure servers.

To set up SharePoint we must also set up Active Directory Domain Services. When configuring this I have found that I cannot use a virtual network created in Australia. I managed to get it working using Central US. If I create a server and use the virtual network created in Central US it forces the new VM to also reside in Central US.

How can I set up SharePoint in Australia?

Is there a way to have the Domain Services elsewhere (e.g. US) and still connect VMs in Australia to that domain without being on the US virtual network?

I am very new to Azure so any help is appreciated.


400 Bad request on Azure AD B2C Token request in a Windows Phone 8.1 App

I wanted to get the Azure B2C sign-in flow running in a Windows Phone 8.1 app with the ADAL.NET v4 Experimental library but did not succeed - see the StackOverflow question.

To have a better understanding of how the Azure AD B2C OAuth2 flow needs to be for a WP8.1 app, I created a test app.

No matter how I put the URL parameters and the JSON body parameters for the /authorize and /token endpoints I always end up with a plain 400 Bad Request without any more error details.

Does someone know what the error condition could be or how to get more details on the error?

Thanks

The user credentials are need to obtain access token. Please call the non-silent acquireTokenWithResource methods

I am using ADALiOS in my app for authentication. When a user signs in to the app I am getting the following error:

"The argument 'cacheItem.scopes' is invalid. Value:(null)." and

"The user credentials are need to obtain access token. Please call the non-silent acquireTokenWithResource methods"

Before, it was not giving this error and the user was able to get the token, but since last week I am getting this error when I try to get the token silently. Please, someone look into this.

Thanks



New to Azure AD - question on user access policies

I am researching some information on Azure AD and wanted to know what options were available within AAD for setting up certain rules for user accounts. Can you set rules for account expiration, password complexity, automatic disabling of inactive users (after X period of time)? This would be without any integration with on-premises AD.

Azure Active Directory App Multi Tenant

I am creating one multi-tenant Azure application in which I would like to give access only to certain predefined tenants. To achieve this, I think I need to implement my own Issuer Validator, and I did it as below.

// Requires: using System.Configuration; using System.Linq; using System.IdentityModel.Tokens;
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
    ValidateIssuer = true,
    // If the app needs access to the entire organization, then add the logic
    // of validating the Issuer here.
    IssuerValidator = (issuer, token, validationParameters) =>
    {
        // Allowed issuers are listed in appSettings["ValidIssuers"], separated by ';'.
        var strValidIssuers = ConfigurationManager.AppSettings["ValidIssuers"]
            .Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
        if (strValidIssuers.Contains(issuer))
            return issuer;
        else
            throw new System.IdentityModel.Tokens.SecurityTokenInvalidIssuerException("Invalid issuer");
    },
},

For now, I'm just validating the issuers from the config file. If the issuer is listed in the config, it will allow it, else it will throw the exception. My issue is that when it throws the exception, it ends up displaying the standard exception with the full stack trace. Even if I turn off custom errors, it would show me some exception error page. Is there any way to route the URL to the login page, display a proper error message and allow the user to log in again?

Another issue with IssuerValidator is that it fires the method after consent. Isn't there any event which fires right after login and before consent?

Also, is this the right way, or is there some better way of achieving what I am trying to achieve?

Thanks,

Himal 


Himal Patel
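Added example, not code from either post: the tenant allow-list check that both the "any account can log on" post and the IssuerValidator post above are after, written in Python so it can be run against the decoded claims of an Azure AD (v1 endpoint) access token. It assumes the token's signature has already been verified by the token library; the tenant IDs in ALLOWED_TENANTS and the demo token builder are constructed for the example. A token minted by any tenant not on the list is rejected regardless of whether Azure AD signed it.

```python
import base64
import json
import re
from typing import Set, Tuple

# Constructed allow-list of customer tenant IDs (placeholders, not real tenants).
ALLOWED_TENANTS: Set[str] = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}
# Azure AD (v1 endpoint) issues tokens with iss = https://sts.windows.net/<tenant id>/
# and repeats the tenant id in the 'tid' claim; both must agree.
ISSUER_RE = re.compile(
    r"^https://sts\.windows\.net/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/$", re.IGNORECASE)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a compact JWT for the demo. The signature segment is a constructed
    placeholder; a real token is signature-verified by the library before this check."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"


def claims_from_jwt(token: str) -> dict:
    """Parse the payload of a compact JWT (no signature check here: assumed done already)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def issuer_tenant(issuer: str) -> str:
    """Tenant id embedded in an Azure AD issuer URL, or '' if the URL has another shape."""
    m = ISSUER_RE.match(issuer)
    return m.group(1).lower() if m else ""


def validate_issuer(claims: dict, allowed: Set[str] = ALLOWED_TENANTS) -> Tuple[bool, str]:
    """Allow-list check for a multi-tenant app: accept only tokens whose issuing
    tenant is one of ours. Returns (accepted, tenant id or rejection reason)."""
    tenant = issuer_tenant(str(claims.get("iss", "")))
    if not tenant:
        return False, "issuer is not an Azure AD tenant issuer URL"
    if str(claims.get("tid", "")).lower() != tenant:
        return False, "tid claim does not match the tenant in iss"
    if tenant not in allowed:
        return False, f"tenant {tenant} is not an approved customer tenant"
    return True, tenant
```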


Problems when implementing Office 365 active logon via SAML ECP

Hello,

We have prepared a custom SAML-based IdP that allows performing single sign-on to an Office 365 federated domain. The process works correctly. One of the requirements is to allow Outlook desktop and mobile users to access their mailboxes. Since we have no on-premises AD, we decided to use SAML ECP. Unfortunately we are having some problems. The current solution is tested by adding a new account in Outlook 2013 or by using the Microsoft Connectivity Analyzer Tool. The active logon URI has been configured using the Set-MsolDomainAuthentication cmdlet. Here's what we are receiving after trying to add an Outlook account:

POST https://activelogon HTTP/1.1
Host: activelogon
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,nb;q=0.6,da;q=0.4
Content-Length: 429
 
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0f50b585-f152-4ce2-87de-df3bf7142b8a" IssueInstant="2015-12-21T10:12:00.2150299Z" Version="2.0" AssertionConsumerServiceIndex="2"><saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer></samlp:AuthnRequest></S:Body></S:Envelope>
 
And our response:
 
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-UA-Compatible: IE=edge
Date: Mon, 21 Dec 2015 14:36:25 GMT
Content-Length: 3592
 
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <S:Header>
        <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" AssertionConsumerServiceURL="https://login.microsoftonline.com/login.srf" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" />
    </S:Header>
    <S:Body>
        <samlp:Response ID="_2b846971-6220-4619-ae61-d1207ab6e14e" Version="2.0" IssueInstant="2015-12-21T14:36:25.5072766Z" Destination="https://login.microsoftonline.com/login.srf" InResponseTo="_0f50b585-f152-4ce2-87de-df3bf7142b8a" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
            <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">5ab</Issuer>
            <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
            <Assertion ID="_1fa8d667-f5c3-4a40-85af-b644736fae04" IssueInstant="2015-12-21T14:36:25.511Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                <Issuer>5ab</Issuer>
                <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <Reference URI="#_1fa8d667-f5c3-4a40-85af-b644736fae04">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>Tjk+FC9HmuB+H+LYXK1aMpcjklM=</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>sign</SignatureValue>
                    <KeyInfo>
                        <X509Data>
                            <X509Certificate>cert</X509Certificate>
                        </X509Data>
                    </KeyInfo>
                </Signature>
                <Subject>
                    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3c204eee-86d2-11e5-b84f-020000000100</NameID>
                    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <SubjectConfirmationData InResponseTo="_0f50b585-f152-4ce2-87de-df3bf7142b8a" NotOnOrAfter="2015-12-21T14:41:25.512Z" Recipient="https://login.microsoftonline.com/login.srf" />
                    </SubjectConfirmation>
                </Subject>
                <Conditions NotBefore="2015-12-21T14:36:25.512Z" NotOnOrAfter="2015-12-21T15:06:25.512Z">
                    <AudienceRestriction>
                        <Audience>urn:federation:MicrosoftOnline</Audience>
                    </AudienceRestriction>
                </Conditions>
                <AuthnStatement AuthnInstant="2015-12-21T14:36:25.511Z">
                    <AuthnContext>
                        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
                    </AuthnContext>
                </AuthnStatement>
                <AttributeStatement>
                    <Attribute Name="IDPEmail">
                        <AttributeValue>username@office365domain.com</AttributeValue>
                    </Attribute>
                </AttributeStatement>
            </Assertion>
        </samlp:Response>
    </S:Body>
</S:Envelope>
 
The next request is issued to autodiscover service:
 
POST https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml HTTP/1.1
Connection: Keep-Alive
Content-Type: text/xml
User-Agent: Outlook/15.0 (15.0.4779.1000; C2R; x86)
X-MS-WL: Outlook/1.0
X-TransactionID: {FBBE69BF-2E72-4AD3-B01B-195240B79D0F}
Content-Length: 368
Host: autodiscover-s.outlook.com
Authorization: Basic somebase64encodedcredentials
 
<?xml version="1.0" encoding="UTF-8"?><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006"><Request><EMailAddress>username@office365domain.com</EMailAddress><AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006</AcceptableResponseSchema></Request></Autodiscover>
 
HTTP/1.1 503 Service Unavailable
Cache-Control: private
Content-Type: text/html
Retry-After: 30
Server: Microsoft-IIS/8.0
request-id: 56fa9e4f-ab8f-4ea0-89c5-5f8397c0a424
Set-Cookie: ClientId=EQFSGY250WEMP7SKICUXW; expires=Tue, 20-Dec-2016 14:41:58 GMT; path=/; secure; HttpOnly
X-CalculatedBETarget: am3pr01mb177.eurprd01.prod.exchangelabs.com
X-AutoDiscovery-Error: LiveIdBasicAuth:LiveServerUnreachable:<X-forwarded-for:85.232.232.142><HRD-Business-0ms-430ms-ppserver=PPV: 30 H: CH1IDOALGN92 V: 0><GetDomainInAD-5ms><SyncHRD-1ms><CACHE FAIL> creds LiveIdFailure.<tarpit suggested><FEDERATED><UserType:Federated>Logon failed "username@office365domain.com".;
X-DiagInfo: AM3PR01MB177
X-BEServer: AM3PR01MB177
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie2=; expires=Sat, 21-Dec-1985 14:41:59 GMT; path=/autodiscover; secure; HttpOnly
Set-Cookie: X-BackEndCookie=; expires=Sat, 21-Dec-1985 14:41:59 GMT; path=/autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: HE1PR03CA0015
Date: Mon, 21 Dec 2015 14:41:59 GMT
Content-Length: 27
 
The service is unavailable.

This results in failing the "Searching for username@office365domain.com settings" step in Outlook's wizard. The same flow can be recreated using the Connectivity Analyzer. Unfortunately, we cannot advance past this point. The same user is able to log in to portal.microsoftonline.com using federation. Could you please help us? What could be the problem? It seems that the "Logon failed" message is quite generic and covers even the most obvious problems like an incorrect ImmutableId (I tried to arrange such a case on purpose just to find that out) or a missing signature. I'm afraid that the error message is not specific enough and there has to be one detail that we cannot see and we cannot be informed on. I know that Modern Authentication is an alternative to the ECP solution, but since it's still in preview phase and support for it is limited, we would like to stick to the SAML standard at this point.
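Added example (not part of the post and not Microsoft tooling): a Python cross-check of the ECP SAML Response above against the AuthnRequest it answers, covering the consistency rules the SAML 2.0 bearer profile requires of any service provider before it even looks at the signature: both InResponseTo values, the Audience against the requester's Issuer, agreement between the ECP header's ACS URL, Destination and Recipient, the Conditions and bearer validity windows, and the mustUnderstand ECP header. The embedded request and response are trimmed copies of the post's messages with the Signature element left out; signature verification is assumed to be a separate step.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/", "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_saml_time(s: str) -> datetime:
    """SAML instants are UTC; trim fractional seconds to microseconds for strptime."""
    m = re.match(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$", s)
    if not m:
        raise ValueError(f"bad SAML time {s!r}")
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    return datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def check_ecp_response(request_xml: str, response_xml: str, now: datetime) -> List[str]:
    """Cross-check an ECP SAML Response against the AuthnRequest it answers.
    Returns findings; an empty list means the response is consistent at 'now'.
    XML signature verification is a separate step and is not done here."""
    req = ET.fromstring(request_xml).find(".//samlp:AuthnRequest", NS)
    req_id, requester = req.get("ID"), req.findtext("saml:Issuer", namespaces=NS)
    env = ET.fromstring(response_xml)
    ecp = env.find("S:Header/ecp:Response", NS)
    resp = env.find("S:Body/samlp:Response", NS)
    assertion = resp.find("saml:Assertion", NS)
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    findings: List[str] = []
    if ecp is None or ecp.get(f"{{{NS['S']}}}mustUnderstand") != "1":
        findings.append("ecp:Response SOAP header missing or not mustUnderstand=1")
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        findings.append(f"status is {status}")
    if resp.get("InResponseTo") != req_id or scd.get("InResponseTo") != req_id:
        findings.append("InResponseTo does not match the AuthnRequest ID")
    acs = ecp.get("AssertionConsumerServiceURL") if ecp is not None else None
    if not (acs == resp.get("Destination") == scd.get("Recipient")):
        findings.append("ACS URL, Destination and Recipient disagree")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != requester:
        findings.append(f"Audience {audience!r} is not the requester {requester!r}")
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        findings.append("'now' is outside the assertion Conditions window")
    if now >= parse_saml_time(scd.get("NotOnOrAfter")):
        findings.append("bearer SubjectConfirmationData has expired")
    return findings

# Trimmed copy of the AuthnRequest from the post (constructed sample input).
REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_0f50b585-f152-4ce2-87de-df3bf7142b8a" IssueInstant="2015-12-21T10:12:00.2150299Z" Version="2.0" AssertionConsumerServiceIndex="2">
<saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer></samlp:AuthnRequest></S:Body></S:Envelope>"""

# Trimmed copy of the IdP's response from the post, Signature element omitted (constructed sample input).
RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>
<ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" AssertionConsumerServiceURL="https://login.microsoftonline.com/login.srf"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/></S:Header><S:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_2b846971-6220-4619-ae61-d1207ab6e14e" Version="2.0" IssueInstant="2015-12-21T14:36:25.5072766Z"
 Destination="https://login.microsoftonline.com/login.srf" InResponseTo="_0f50b585-f152-4ce2-87de-df3bf7142b8a">
<saml:Issuer>5ab</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_1fa8d667-f5c3-4a40-85af-b644736fae04" IssueInstant="2015-12-21T14:36:25.511Z" Version="2.0">
<saml:Issuer>5ab</saml:Issuer><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3c204eee-86d2-11e5-b84f-020000000100</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 InResponseTo="_0f50b585-f152-4ce2-87de-df3bf7142b8a" NotOnOrAfter="2015-12-21T14:41:25.512Z" Recipient="https://login.microsoftonline.com/login.srf"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-12-21T14:36:25.512Z" NotOnOrAfter="2015-12-21T15:06:25.512Z">
<saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response></S:Body></S:Envelope>"""
```

Run with a clock inside the five-minute bearer window (e.g. 2015-12-21T14:38:00Z) and the check returns no findings; move the clock past 14:41:25.512Z and only the bearer expiry fires, while the broader Conditions window still holds.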