
AADSTS70000: Authentication failed: Authorization Code is malformed or invalid


Trying to grab the token for the authorization_token that is returned to my OAuthCallback endpoint for my chat bot, using the Postman Chrome extension to test the call:

    POST /baad.onmicrosoft.com/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    Cache-Control: no-cache
    Postman-Token: 06d9d95a-4e53-0333-5f51-ede4ae354443
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&client_id=[snipped clientid]&scope=openid+offline_access&code=[snipped code]&redirect_uri=http%3A%2F%2Flocalhost%3A3978%2Fapi%2FOAuthCallback&p=b2c_1_sign-in

I get the [snipped code] by calling `https://login.microsoftonline.com/baad.onmicrosoft.com/oauth2/v2.0/authorize?` after I log in; the debug breakpoint stops at `http://localhost:3978/api/OAuthCallback` on my localhost and I copy the code parameter value that is returned to the callback, like the following:

    https://login.windows.net/[snipped ad tenant].onmicrosoft.com/oauth2/v2.0/authorize?response_type=code&response_mode=query&scope=openid+offline_access&p=b2c_1_sign-in&state=[userid snipped]&client_id=[client id snipped]&redirect_uri=http%3a%2f%2flocalhost%3a3978%2fapi%2f2c1c7fa3%2OAuthCallback

This takes me to the login, where I can log in, and it correctly takes me to the /api/OAuthCallback, where I attempt to get a token with the provided authorization_code and it fails. I have also programmatically grabbed the code using the AcquireTokenByAuthorizationCodeAsync method, but I get the same error.

I've triple-checked that redirect_uri and everything else is consistent. However, when I copy and paste the code that is returned to my `http://localhost:3978/api/OAuthCallback` endpoint, it throws `AADSTS70000: Authentication failed: Authorization Code is malformed or invalid`.

I don't understand what could be going wrong, as I'm using the authorization code returned to my `/OAuthCallback`, and I'm puzzled as to why it will not work.

Reference: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-oauth-code/
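The two requests in this post, as an added example that is not part of the post or of Microsoft's libraries: a small Python helper that derives both the /authorize URL and the /token body from one configuration, compares the decoded redirect_uri of the two requests (the token endpoint requires an exact match, which is why a drifted callback path produces an AADSTS70000-style rejection), and checks the returned state before the code is used. The authority and policy name are taken from the post; the client ID, state and code values are constructed placeholders.

```python
"""Added example (not from the forum post): keep the authorization-code flow's
redirect_uri identical between /authorize and /token, and verify state.

Authority and policy name come from the post; client id, state and code
are constructed placeholder values."""
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com/baad.onmicrosoft.com/oauth2/v2.0"
POLICY = "b2c_1_sign-in"
SCOPE = "openid offline_access"


def build_authorize_url(client_id, redirect_uri, state):
    """/authorize request: the redirect_uri sent here is what the token endpoint
    later compares the /token redirect_uri against (exact string match)."""
    params = {
        "response_type": "code",
        "response_mode": "query",
        "scope": SCOPE,
        "p": POLICY,
        "state": state,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_token_body(client_id, redirect_uri, code):
    """Form body for POST {AUTHORITY}/token (application/x-www-form-urlencoded)."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "scope": SCOPE,
        "code": code,
        "redirect_uri": redirect_uri,
        "p": POLICY,
    })


def redirect_uri_in(query):
    """Decoded redirect_uri from a query string or form body, or None."""
    values = parse_qs(query).get("redirect_uri")
    return values[0] if values else None


def redirect_uris_match(authorize_url, token_body):
    """True only when both requests carry the same decoded redirect_uri."""
    sent = redirect_uri_in(urlsplit(authorize_url).query)
    exchanged = redirect_uri_in(token_body)
    return sent is not None and sent == exchanged


def code_from_callback(callback_url, expected_state):
    """Take the code off the callback URL; refuse it when state does not match
    the value this client generated (the standard CSRF check for this flow)."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


if __name__ == "__main__":
    cb = "http://localhost:3978/api/OAuthCallback"          # placeholder callback
    url = build_authorize_url("client-placeholder", cb, "state-placeholder")
    body = build_token_body("client-placeholder", cb, "code-placeholder")
    print("redirect_uri consistent:", redirect_uris_match(url, body))
```

Building both requests from the same `cb` value removes the most common cause of this error class: a callback URI that is hand-typed differently (extra path segment, trailing slash, different host case or port) in the token request than in the authorize request. The `state` check is independent of that and should be kept even when the redirect_uri problem is solved.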


Avoiding the personal vs work account popup?


I created a mobile app that hits a webapi2 Azure server secured by Azure Active Directory. It will only be used by employees using their corporate email account, but they need to select "personal" instead of "work" at the Azure AD login. Obviously, this is confusing, but it is forced on us by some I.T. complications. Is there anything that can be done to cause the login to automatically default to personal? Also, I'd love to pre-populate the login box, since our email addresses are looong and difficult to type on a tablet.

Any suggestions?


Azure AD B2C Branding - Doesn't show up with Sign UP, but works with Sign IN


Hi,

We are setting up our Azure AD B2C authentication, and we have set the illustration, color scheme, logo, etc. When we go to the Sign In (login) page, it all looks perfect. However, when we set up a 'Sign Up' or 'Sign In or Sign Up' page, there is no branding at all, just the standard Microsoft illustration and no logo.

I know we can add a completely customized page, but I was hoping the 'branding' would work.

Any thoughts?

Thanks for your help!

-Cheryl Simpson

SSO With Salesforce and Azure.


Hi all,

I have set up SSO between Azure and Salesforce. My users can log in to Salesforce perfectly using their Azure credentials. However, when a user clicks logout in Salesforce, they get this error:

Sorry, but we’re having trouble signing you in.

We received a bad request.

AADSTS75005: The request is not a valid Saml2 protocol message. azure salesforce integration

Please reply ASAP, it is urgent to fix this.

Thanks

Nishtha Bhasin


B2B and security group


Hi all,

I would like to know if it is possible to add B2B user in a security group.

I added a B2B user with this tutorial: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview and I specified Email, DisplayName and InviteContactUsUrl to generate the request with the CSV file. I can see this user in my Office 365 tenant (nameofuser1#EXT@contoso.onmicrosoft.com), and I can see this same user in Azure with the right UPN (nameofuser1@compagny.com).

I cannot see this user when I want to add him to a security group in Office 365. On my apps.microsoft.com, I can see this user when I want to add him in the "Add member" list on the group, but I get this message:

An unexpected error has occurred. Please reload the page and try again.

Same thing if I try again. So must I make another CSV file for this user with the InviteGroupResources parameter?

Thanks all!

Managing third party app access?


Hi, I'm wondering if any O365 admins have any experience configuring the Integrated Apps setting beyond just "On" or "Off". As I understand it, turning this on would allow any user in our tenant to give any app that asks permission access to all of their data. As I work at a university, obviously we cannot turn this on, since we are responsible for the data integrity of thousands of students. But by just leaving this set to off we are missing out on integrations with lots of useful things; one great example is the OneNote web clipper, which is used a lot by students and faculty for collecting research.

According to MS Help articles there is a way for admins to register specific apps for the entire org (from the article "Turning Integrated Apps on or Off"): If an admin registers an app for all users in their organization, he or she is asked for permission to let that app access information and resources in their organization. After this, when other users in the organization use that app, they won't be asked for permission. When an admin registers an app, that admin must make sure that they trust that app's publisher.

However, looking at the more detailed help article, it seems that something needs to be done in Azure AD to register the app, but I'm getting lost trying to figure out exactly what. Ideally we'd like to leave the ability for users to consent to give random apps access off, but grant universal access to specific apps we trust such as the OneNote web clipper. Can anyone point me in the right direction or tell me if this is possible? Thanks!

Graph API: getting list of drive items with app-only permissions


Hi,

I have set up an app with all possible app and delegated permissions for Graph API.

I use an app-only token to make requests.

When I try to access mail and mailFolders for every user in the organization, everything works perfectly.

But when I try to access drive items for every user, /drive/root/children always returns an empty list, even when /drive/root returns {'folder': {'childCount': 4}}.

Meanwhile, in the Graph Explorer I get the list of children for all users.

Is it possible to retrieve drive items for each user with app-only permissions?

Thanks

General Azure AD account for ADFS - User name or password incorrect.


Hi,

I gave a first try at using AD Connect with ADFS. The Microsoft account that owns the Azure AD subscriptions doesn't work (i.e. invalid credentials).

I'm using me@mycompany.com (i.e. this is the same name as my professional account).

If I use me@somewhere.onmicrosoft.com, which is an Office 365 account I own for some other purpose, it does work (but doesn't find the domain, as this is not the subscription I want to use).

Not sure why it doesn't work with option #1. Could it be because I'm a subscription owner but not the super big administrator of the whole Azure subscription, or could it be because of the @mycompany.com domain, which is not recognized as a Microsoft account?

For now I don't get why it doesn't work with the account I do want to use (i.e. me@company.com) but works with another test account (me@somewhere.onmicrosoft.com).


Please always mark whatever response solved your issue so that the thread is properly marked as "Answered".


AADSTS90093: This operation can only be performed by an administrator - But user is a Global Admin


Hello

When trying to authenticate with a multi-tenant application using a Global Administrator user, I get the error:

AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

Interestingly, this happens even before the user enters their password: the moment the user ID is filled in, the window automatically redirects to the error page containing this error.

Any help would be greatly appreciated.

Thanks,

Nadav

ACS Windows Live Id Add Object Identifier claim


Hi All,

I would like to add an Object Identifier claim for Windows Live ID authentication. What should the input claim type and the output claim types be so that I get the object details?

Any help would be highly appreciated.

Regards,

Pavan.G


Azure cloud active directory sign in page customization


Hi,

I want to use my own Sign In page for Azure AD login and SSO. How can I achieve this? In ADFS 3.0 we can change the CSS and JavaScript of the Sign In page; is this possible in the cloud as well?

Azure AD Connect Download page down?

Can't Associate Azure Directory with my subscription


When I go into the classic portal, choose Settings on the left, select my subscription and click Edit to 'Change the associated directory', I only have 'None' in the drop-down. I think this is breaking my SQL AD authentication. I have a directory set up with users and groups, and I can see it and manipulate it in the new portal. I can't, however, log in to a SQL instance using an AD username/password. Do you know how I can get my directory to show up in the list for selection, please?

Invalid Grant error code AADSTS65001


Hello,

I have developed an application with single sign-on, which works fine for my demo account in both multi-tenant and single-tenant modes. On the other hand, when my customer tries to log in with his account I get the following error:

    {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID \'f706fdc4-62ba-48dc-9d62-04280138344d\'. Send an interactive authorization request for this user and resource.\\r\\nTrace ID: 7cfc3b17-1b3a-4dac-88e0-8234d2bf466e\\r\\nCorrelation ID: 53130bbc-6837-4b3d-8bf7-2d960707f8d8\\r\\nTimestamp: 2016-04-18 08:32:15Z","error_codes":[65001],"timestamp":"2016-04-18 08:32:15Z","trace_id":"7cfc3b17-1b3a-4dac-88e0-8234d2bf466e","correlation_id":"53130bbc-6837-4b3d-8bf7-2d960707f8d8"}

The weirdest thing is that in the multi-tenant configuration he is prompted to accept the permission grant to my application, but again the consent is not given even if he explicitly accepts the permissions.

Kind Regards,
Nikos

When to use the metaverse designer


I configured Azure AD Connect and everything is working well, but I have a question about the metaverse designer. From what I understand, the schema of the connected source, in this case AD, is imported into the metaverse (SQL database), right? But you can't delete an attribute from a connected source AD schema in the metaverse designer?

The best option to remove, for example, a telephone number is to deselect the attribute on the AD connector and create a new inbound synchronisation rule that sets the value to 'AuthoritativeNull'.

So when do you start using the metaverse designer? The default attributes can't be deleted, but you can add new ones? However, the schema that's imported should already contain all the attributes, so I'm confused.




Azure AD Join + Bitlocker + InstantGO Does Not Equal Automatic Encryption


We are having a bit of fun with this solution. We have the Lenovo Carbon X1 that we are trying to deploy to field users that will use Azure AD Join. When we read the documentation for Azure AD Join and Bitlocker it suggests that the device has to be InstantGo compatible.

When we check the sleep states on the device using Powercfg.exe /a we get a message that the sleep state S0 has the result "The system firmware does not support this standby state". The latest firmware does not seem to fix the issue, and I cannot see what I could change in the BIOS that would help this power management situation. Fast Startup is supported, and we have some literature from Lenovo saying the device is capable of InstantGo.

Looking in the Event Log under Application and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider, we can see errors indicating that BitLocker is not enabled. Below are the errors we are seeing:

    Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
    Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
    Date:          6/8/2016 4:37:19 PM
    Event ID:      820
    Task Category: None
    Level:         Error
    Keywords:
    User:          SYSTEM
    Computer:      MININT-DTFPAGP
    Description:
    MDM PolicyManager: Set policy precheck precheck call. Policy: (Security), Area: (RequireDeviceEncryption), int value: (0x1) Result:(0x80310020) The operating system drive is not protected by BitLocker Drive Encryption..
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3DA494E4-0FE2-415C-B895-FB5265C5C83B}" />
        <EventID>820</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2016-06-08T23:37:19.845507100Z" />
        <EventRecordID>496</EventRecordID>
        <Correlation />
        <Execution ProcessID="3116" ThreadID="3112" />
        <Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
        <Computer>MININT-DTFPAGP</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Message1">Security</Data>
        <Data Name="Message2">RequireDeviceEncryption</Data>
        <Data Name="HexInt1">0x1</Data>
        <Data Name="HexInt2">0x80310020</Data>
        <Data Name="HRESULT">0x80310020</Data>
      </EventData>
    </Event>

________________________________________________________________________

    Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
    Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
    Date:          6/8/2016 4:37:19 PM
    Event ID:      809
    Task Category: None
    Level:         Error
    Keywords:
    User:          SYSTEM
    Computer:      MININT-DTFPAGP
    Description:
    MDM PolicyManager: Set policy int, Policy: (RequireDeviceEncryption), Area: (Security), EnrollmentID requesting set: (5F918C52-4343-4E0B-B454-5B97E00FECA2), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0), Result:(0x80310020) The operating system drive is not protected by BitLocker Drive Encryption..
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3DA494E4-0FE2-415C-B895-FB5265C5C83B}" />
        <EventID>809</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2016-06-08T23:37:19.845511000Z" />
        <EventRecordID>497</EventRecordID>
        <Correlation />
        <Execution ProcessID="3116" ThreadID="3112" />
        <Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
        <Computer>MININT-DTFPAGP</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Message1">RequireDeviceEncryption</Data>
        <Data Name="Message2">Security</Data>
        <Data Name="Message3">5F918C52-4343-4E0B-B454-5B97E00FECA2</Data>
        <Data Name="Message4">Device</Data>
        <Data Name="HexInt1">0x1</Data>
        <Data Name="HexInt2">0x6</Data>
        <Data Name="HexInt3">0x0</Data>
        <Data Name="HexInt4">0x80310020</Data>
        <Data Name="HexInt5">0x80310020</Data>
      </EventData>
    </Event>

_________________________________________________________________________

    Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
    Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
    Date:          6/8/2016 4:37:19 PM
    Event ID:      400
    Task Category: None
    Level:         Error
    Keywords:
    User:          SYSTEM
    Computer:      MININT-DTFPAGP
    Description:
    MDM ConfigurationManager: Command failure status. Configuration Source ID: (5F918C52-4343-4E0B-B454-5B97E00FECA2), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (CmdType_Add), CSP URI: (./Vendor/MSFT/Policy/Config/Security), Result: (The operating system drive is not protected by BitLocker Drive Encryption.).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3DA494E4-0FE2-415C-B895-FB5265C5C83B}" />
        <EventID>400</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2016-06-08T23:37:19.845767800Z" />
        <EventRecordID>498</EventRecordID>
        <Correlation />
        <Execution ProcessID="3116" ThreadID="3112" />
        <Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
        <Computer>MININT-DTFPAGP</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Message1">5F918C52-4343-4E0B-B454-5B97E00FECA2</Data>
        <Data Name="Message2">MDMDeviceWithAAD</Data>
        <Data Name="Message3">Policy</Data>
        <Data Name="Message4">CmdType_Add</Data>
        <Data Name="Message5">./Vendor/MSFT/Policy/Config/Security</Data>
        <Data Name="HexInt1">0x80310020</Data>
      </EventData>
    </Event>

We have tried turning on BitLocker manually and putting the recovery key in the cloud with success, but obviously we do not want the end user doing this, in case they do not select the correct option for storing their recovery key. Does anyone have any suggestions as to how we could troubleshoot this further?


www.bighatgroup.com
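The event log entries quoted in this post, as an added example that is not part of the post and not a Microsoft tool: a Python parser for the Event XML that pulls out the event ID, computer, timestamp and the EventData fields, and flags any record carrying the 0x80310020 result (the "operating system drive is not protected by BitLocker Drive Encryption" HRESULT seen in all three events). The sample below is the 820 event copied from the post with its whitespace trimmed; the 400 event check in the usage reuses the same parser. Running something like this over an exported .evtx-to-XML dump is a quick way to find which enrolled devices failed the RequireDeviceEncryption policy and when.

```python
"""Added example (not from the forum post): parse MDM diagnostics events and
flag records whose result is the BitLocker 'not encrypted' HRESULT.

The sample event is the post's event 820, whitespace-trimmed (constructed input)."""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# HRESULT quoted in the post: "The operating system drive is not protected by
# BitLocker Drive Encryption." (FVE_E_NOT_ENCRYPTED)
FVE_E_NOT_ENCRYPTED = "0x80310020"

SAMPLE_EVENT_820 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3DA494E4-0FE2-415C-B895-FB5265C5C83B}" />
    <EventID>820</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-06-08T23:37:19.845507100Z" />
    <EventRecordID>496</EventRecordID>
    <Correlation />
    <Execution ProcessID="3116" ThreadID="3112" />
    <Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
    <Computer>MININT-DTFPAGP</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Message1">Security</Data>
    <Data Name="Message2">RequireDeviceEncryption</Data>
    <Data Name="HexInt1">0x1</Data>
    <Data Name="HexInt2">0x80310020</Data>
    <Data Name="HRESULT">0x80310020</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one Windows Event XML record into a dict of the fields an
    analyst cares about; EventData is keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    data = {
        d.get("Name"): (d.text or "").strip()
        for d in root.findall("e:EventData/e:Data", EVENT_NS)
    }
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=EVENT_NS)),
        "level": int(system.findtext("e:Level", namespaces=EVENT_NS)),
        "computer": system.findtext("e:Computer", namespaces=EVENT_NS),
        "time": system.find("e:TimeCreated", EVENT_NS).get("SystemTime"),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=EVENT_NS)),
        "data": data,
    }


def is_bitlocker_policy_failure(event):
    """True when any EventData value is the 'not encrypted' HRESULT. The three
    events in the post put it in different fields (HRESULT, HexInt4/5, HexInt1),
    so every value is checked rather than one fixed name."""
    values = {v.lower() for v in event["data"].values()}
    return FVE_E_NOT_ENCRYPTED in values


def find_encryption_failures(xml_records):
    """Parse many records and return (computer, time, event_id) for each one
    that reports the OS drive as unencrypted, oldest first."""
    hits = [parse_event(x) for x in xml_records]
    hits = [e for e in hits if is_bitlocker_policy_failure(e)]
    return sorted((e["computer"], e["time"], e["event_id"]) for e in hits)


if __name__ == "__main__":
    for hit in find_encryption_failures([SAMPLE_EVENT_820]):
        print("BitLocker policy failed on %s at %s (event %d)" % hit)
```

Because the three events differ in where the HRESULT lands, the check scans every EventData value rather than trusting a single field name; a device that later encrypts successfully will stop producing these records, so the newest record per computer is the one that reflects current state.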

Azure AD Connector


Hi!!!

I'm using the newest AD connector tool, 1.1.189.0. In that version the delta sync cycle scheduler runs every 30 minutes by default. I want to run a full sync daily. How can I do that without using the manual sync command Start-ADSyncSyncCycle -PolicyType Initial?

AAD-Connect - Rename Database


Hi,

Is it possible and supported to rename the AAD Connect database on a remote SQL Server? The reason for my question is that our customer wants to have the databases from two AAD Connect servers installed on the same SQL Server.

The second point is that I wasn't able to connect to the SQL Server from the AAD Connect installation wizard using the virtual SQL Server name. Only the physical name worked for me.

Thanks for any information on that

Peter

Azure AD, B2B, and Shibboleth


My organization has our own custom software solution hosted as a Web App in Azure. We are utilizing Azure AD for our authentication security. Some of our customers may have their own Office 365 AD tenants, and so we take advantage of the B2B capabilities to invite these users to our apps and have some visibility of their accounts in our AD tenant (as external users).

We have one customer who would like for us to integrate with their Shibboleth service.  We would like to support using their Shibboleth service as the identity provider for their users, and allow their MFA settings to be honored.  We don't want to force them to create new identities in AD.  What would be needed on our side to support this sort of trusted federation with Shibboleth?  Ideally we'd like to be able to see their identities surfaced as external users in our AD tenant so that we're using a single security model for our app.

How a Member in Azure AD Security Group can see other members?


Hello Forum

We are using Premium Azure AD, and we love the self-service portal, especially for security groups. However, I am posting here to ask: assume that the owner of a certain Azure AD security group added me as a member of his group. How can I, as a member, see or know the other members of that particular group I am in?

I tried this scenario: I asked a group owner (e.g. of EditorsGroup) to add me as a member, and now, using the self-service portal (https://account.activedirectory.windowsazure.com/n/#/groups/member), I can see that group under my memberships, but when I click on it I can NOT see any of its members.

Are there any settings to be configured to allow showing group members to the members themselves?
