Channel: Azure Active Directory forum

B2C Newbie Questions


Hi, we are evaluating B2C as an option for our brand sites.

So we have a bunch of white-label sites that share common functionality. The difference is really the view pages, where there is some UI customization to suit the different brands.

I have some questions please:

Initially, when I looked at this, I thought I could create a single B2C directory for all the sites and a separate application for each brand. Then I found out that the UI customization is for the entire B2C directory and not per app. If correct, then the only option is to create a B2C directory for each site, which seems a little overwhelming.

Speaking of customization, this article says that the local account sign-in pages can be customized using the company branding feature and not the mechanism described in the article. This is confusing... you mean I can't use the policy customization feature?

In addition, can I customize the email templates? The ones that are sent to clients to verify their password, for example.

Regards


Khaled Hikmat


AADDS cloud-only tenant - Kerberos credential hash is not generated


I am following the article "Enable NTLM and Kerberos credential hash generation for a cloud-only Azure AD directory":

https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-getting-started-password-sync/

As this is a cloud-only Azure AD directory, I only need to reset the user account password via https://account.activedirectory.windowsazure.com/ChangePassword.aspx

However, when I look the users up via LDAP, the password hash is never created, and the LDAP attribute pwdLastSet shows 0.

Only a small handful of them have the date set (hence they can log in).

It has definitely been more than 2 hours.

Windows 10 / Azure AD SSO with Smart Card


Hi

I have Azure / O365 SSO working on W10 Enterprise computers which are AD DS and Azure AD joined. The AD DS domain is federated with Azure AD.

I have found that the SSO only works if the user signs in with username and password. SSO doesn't work if the user signs in to Windows with their AD CS smart card. The smart card SAN includes the UPN, which matches that of AD DS and Azure AD.

Does anyone know if this should work / is it a supported scenario?

Thanks


Douks

Customizing B2C SignIn page and email templates


Hello,

We are currently looking into Azure AD B2C. We want to use it for a new portal for our customers.

It's important for us that we can completely customize the SignIn page to have the same look and feel as the portal. We also want to customize the activation emails to have the look and feel of our customer.

Currently this is only partially possible with the branding feature, and it is impossible to get the look and feel we need.

The product has been in preview since 10-2015 and it is still lacking these important features.
Is there an indication of when customization will be available for the SignIn page and email templates?

Kind Regards,

Jan Boersma

404 on https://login.microsoftonline.com/PostToIDP.srf?..


Hello,

I'm looking for some information about the fact that https://login.microsoftonline.com/PostToIDP.srf is not accessible. I've used it as a SmartLink to start IdP-initiated SSO into Office 365. But it hasn't worked since yesterday.

Did I miss something? Are there any replacements for my purposes?

Encrypting file using RMS powershell modules deleting file


From @Orodeon via Twitter:

The RMS client is deleting the unencrypted temp file before the app can open it. I'm opening a file I encrypted with the RMS PowerShell modules using a text editor, and before the file is opened by the text editor it is deleted. It works fine when I open the file using ISE, and I'm using the PowerShell modules to encrypt the file. RMS supports encrypting any file type with PowerShell, does it not? When I open the file I see the temporary file being created and deleted; the client is doing everything it should, except that it is deleting the temporary file before my text editor has a chance to open it. I can open the file just fine if I associate the ps1 extension with ISE, but not if I associate it with PowerGUI. Also, I can see the RMS client creating the temporary file no matter which app I have associated with the extension; it just deletes the temporary file before PowerGUI has a chance to open it.

Thanks!

@Azuresupport

SSO Identifier field forcing https:// or urn: before entity ID


Hello everyone!

I'm trying to get a custom SSO app working but am running into an issue with the Identifier field in Azure's SSO config. The entity ID that was provided to me by the service provider does not have a protocol prefix (ex: hello.goodbye.com), but Azure is forcing me to add "https://" or "urn:" in front of the actual entity ID.

I first tried https://hello.goodbye.com as the identifier but this just caused an SSO error on the service provider's side saying that it's not a valid entity ID. As a result, I figured I need to make the Identifier in Azure match exactly to what's provided by the service provider.

Anyone know how I can put in hello.goodbye.com as the Identifier without attaching an "https://" or "urn:" in front?

Thanks!



How to update Azure AD Connect Health after moving to federation and disabling password sync


Morning all,

I'm playing with Azure AD Connect Health in my lab environment. When first configured this used password synchronisation, and then I moved to federation with password sync disabled. However, the Azure AD Connect Health portal is raising alerts for password sync not updating. How can I change the agent / portal to stop reporting these alerts?

Paul


MSAL sign out does not appear to clear cache


I'm exploring the Active Directory B2C Xamarin Native sample from the Azure team.  It uses MSAL, the new Microsoft Authentication Library.  The sample's README says to use this to sign out:

App.PCApplication.UserTokenCache.Clear(App.PCApplication.ClientId);

That code is executed in TasksPage.xaml.cs.

I ran the sample, signed in, and then signed out.  I then clicked the sign in button again, and the app found my user in the cache.  I was signed in without entering my credentials again.

After signing out, I would expect the app to clear its cache and require users to provide credentials when signing in again.  This doesn't appear to happen, unless I restart the app.

Is this behavior by design?

Number limit on how many delegated permissions for Native app?


Hi,

We're developing a native application which requires more than 10 delegated permissions to be added, but it seems there's a limit on that number. If we add more than 10, the error below is shown.

Thanks,

Tian

Back to progress operations
Please try again. If the problem persists, contact support.

What is the limit of the number of applications in an AD tenant?


Hi -- when registering a custom application in an Azure AD tenant (as per the "Integrating Applications with Azure Active Directory" page at azure.microsoft.com), what is the maximum number of applications that one can make?

5? 10? 100? 1000? Unlimited?

Obviously most people won't need more than a few, but I'm wondering what the limit is.

Thanks!


Getting error in client credential flow to working with office365 service management API


Hi,

I want to integrate the Office 365 Management Service API for collecting events based on client credentials, using the OAuth 2.0 grant flow. For the client credential I am getting a response, but when I try to use that credential to get the token, it gives me the following error:

{
  "error": "invalid_client",
  "error_description": "AADSTS50048: Subject must match Issuer claim in the client assertion.\r\nTrace ID: 1ad7acd8-3945-4fe0-a313-07638eb76e42\r\nCorrelation ID: a6c3a3c9-b737-4bfc-894f-3086c3ce8dfa\r\nTimestamp: 2016-06-09 07:20:15Z",
  "error_codes": [50048],
  "timestamp": "2016-06-09 07:20:15Z",
  "trace_id": "1ad7acd8-3945-4fe0-a313-07638eb76e42",
  "correlation_id": "a6c3a3c9-b737-4bfc-894f-3086c3ce8dfa"
}

Can you please help me solve this problem?

For reference, see the topic "Requesting an access token by using client credentials".
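The AADSTS50048 text quoted above names the property the token endpoint enforces: when a confidential client authenticates with a certificate, the signed client assertion must carry the same value in its iss and sub claims, and that value is the application's client ID (the v1 endpoint also expects aud to be the token endpoint URL). The following is an added example, not code from the post or from Microsoft's libraries. It builds the assertion claims so iss and sub agree and runs a local pre-flight check that approximates that rule before the request is sent. The tenant ID, client ID and the hash-based `demo_signer` are placeholders; a real assertion is signed RS256 with the app certificate's private key.

```python
"""Build an OAuth 2.0 client-credentials assertion (JWT) and pre-check the
claim rule behind AADSTS50048 before sending it to the token endpoint.

Added example; the IDs below are placeholders, not values from the post."""
import base64
import hashlib
import json
import time
import uuid
from typing import Any, Callable, Dict, List, Optional

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder app (client) ID
# For the v1 endpoint the assertion audience is the token endpoint itself.
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion_claims(client_id: str, token_endpoint: str,
                           now: Optional[int] = None, lifetime: int = 600) -> Dict[str, Any]:
    """Claims for a client assertion: iss and sub are BOTH the client ID."""
    now = int(time.time()) if now is None else now
    return {
        "aud": token_endpoint,     # who the assertion is for
        "iss": client_id,          # issuer: the confidential client itself
        "sub": client_id,          # subject: must equal iss (AADSTS50048 otherwise)
        "jti": str(uuid.uuid4()),  # unique ID so the assertion cannot be replayed
        "nbf": now,
        "exp": now + lifetime,     # keep it short-lived
    }


def build_client_assertion(claims: Dict[str, Any], signer: Callable[[bytes], bytes],
                           x5t: str) -> str:
    """Serialise header.payload.signature; x5t is the base64url SHA-1 cert thumbprint."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def check_client_assertion(assertion: str, expected_client_id: str,
                           expected_audience: str, now: Optional[int] = None) -> List[str]:
    """Local pre-flight check approximating what the token endpoint rejects.
    Returns a list of problems; an empty list means the claims are consistent."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["malformed JWT: expected three dot-separated segments"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems: List[str] = []
    if claims.get("iss") != claims.get("sub"):
        problems.append("AADSTS50048: Subject must match Issuer claim in the client assertion")
    if claims.get("iss") != expected_client_id:
        problems.append("iss is not the client_id used in the token request")
    if claims.get("aud") != expected_audience:
        problems.append("aud is not the token endpoint being called")
    if int(claims.get("exp", 0)) <= now:
        problems.append("assertion has expired")
    if not claims.get("jti"):
        problems.append("jti is missing")
    return problems


def demo_signer(signing_input: bytes) -> bytes:
    """Stand-in so the example runs offline. NOT a real signature: production code
    signs with the app certificate's private key, e.g. with the `cryptography`
    package: private_key.sign(signing_input, padding.PKCS1v15(), hashes.SHA256())."""
    return hashlib.sha256(signing_input).digest()


if __name__ == "__main__":
    good = build_assertion_claims(CLIENT_ID, TOKEN_ENDPOINT)
    jwt = build_client_assertion(good, demo_signer, x5t="x5t-placeholder")
    print("correct assertion:", check_client_assertion(jwt, CLIENT_ID, TOKEN_ENDPOINT))
    bad = dict(good, sub=TENANT_ID)   # the mistake behind AADSTS50048: sub != iss
    jwt = build_client_assertion(bad, demo_signer, x5t="x5t-placeholder")
    print("wrong subject:", check_client_assertion(jwt, CLIENT_ID, TOKEN_ENDPOINT))
```

Running the pre-flight check locally catches the usual cause of this error (putting the tenant ID, an object ID or a service principal name in sub while iss holds the client ID) without burning round trips against the token endpoint, and keeps the trace and correlation IDs for the cases that do need a support ticket.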


Azure Active Directory ACS Authentication


I am trying to authenticate users that have registered in a specific Active Directory through some providers (Google + Microsoft accounts). I need to do it in Xamarin Forms. The MSAL library is in the alpha stage and has no documentation yet, so I tried to authenticate registered users via the OAuth WRAP protocol (password token requests).

I would like to ask a few questions. First of all, can I authenticate users with HTTP requests via the WRAP protocol? Or is this auth method available only for administrators? What URL do I have to place in the POST request? Because

https://namespace.accesscontrol.windows.net

authenticates only the administrator.

My goal is to get the authentication token for each registered user.


Install fails!

When trying to install Azure, the installer hangs! The log file shows "Admin rights required". I am logged in as system admin and have tried running as admin too. Any help?

Azure AD Connect Health AD FS Agent, FileVersion: 2.6.232.0 registration fails


I am unable to register and install the services for Azure AD Connect Health (AD FS Agent).

The following error is received during the install. It seems to be related to the new version 2.6.232.0.
I have successfully installed version 2.6.224.0 on other machines, but I no longer have access to the installation file for that version.

2016-06-10 10:52:36.461 ProductName: Azure AD Connect Health AD FS Agent, FileVersion: 2.6.232.0, Current UTC Time: 2016-06-10 10:52:36Z


2016-06-10 10:52:36.477 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService/

2016-06-10 10:52:36.477 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/

2016-06-10 10:52:37.899 AHealthServiceApiVersion: 2014-01-01

2016-06-10 10:52:50.152 Detecting AdFederationService roles...

2016-06-10 10:52:50.215 Detected the following role(s) for adfs.domain.com:

2016-06-10 10:52:50.215         AD FS 2012 R2 Federation Service Proxy

2016-06-10 10:52:52.356 Aquiring Monitoring Service certificate using tenant.cert


Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Identity.Health.Common.ETWTraceListener.Write(Object entry)
   at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String message)
   at Microsoft.Online.Reporting.MonitoringAgent.AgentTrace.LogEvent(Int32 eventId, EventLogEntryType eventType, String
keyword, String messageFormat, Object[] arguments)
   at Microsoft.Online.Reporting.MonitoringAgent.AgentTrace.LogError(Int32 eventId, String keyword, String messageFormat
, Object[] arguments)
   at Microsoft.Online.Reporting.MonitoringAgent.Startup.Program.Main(String[] args)

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Identity.Health.Common.ETWTraceListener.Write(Object entry)
   at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String message)
   at Microsoft.Online.Reporting.MonitoringAgent.AgentTrace.LogEvent(Int32 eventId, EventLogEntryType eventType, String
keyword, String messageFormat, Object[] arguments)
   at Microsoft.Online.Reporting.MonitoringAgent.AgentTrace.LogError(Int32 eventId, String keyword, String messageFormat
, Object[] arguments)
   at Microsoft.Online.Reporting.MonitoringAgent.Startup.Program.Main(String[] args)

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Identity.Health.Common.ETWTraceListener.Write(Object entry)
   at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String message)
   at Microsoft.Online.Reporting.MonitoringAgent.AgentTrace.LogEvent(Int32 eventId, EventLogEntryType eventType, String
keyword, String messageFormat, Object[] arguments)
   at Microsoft.Online.Reporting.MonitoringAgent.AgentTrace.LogError(Int32 eventId, String keyword, String messageFormat
, Object[] arguments)
   at Microsoft.Online.Reporting.MonitoringAgent.Startup.Program.Main(String[] args)

Configuration Failed

To retry configuration, type:
Register-AzureADConnectHealthADFSAgent

Monitoring will not start until configuration is successful.

To review installation steps and requirements, please visit:
http://go.microsoft.com/fwlink/?LinkID=518643

Detailed log file created in temporary directory:
C:\Users\AppData\Local\Temp\AdHealthAdfsAgentConfiguration.2016-06-10_12-52-36.log

Register-AzureADConnectHealthADFSAgent : Failed configuring Monitoring Service using command: C:\Program Files\Azure Ad
 Connect Health Adfs Agent\Monitor\Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe sourcePath="C:\Program Fi
les\Azure Ad Connect Health Adfs Agent\tenant.cert" version="2.6.232.0"
At line:1 char:1
+ Register-AzureADConnectHealthADFSAgent
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-AzureADConnectHealthADFSAgent], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.Health.Adfs.PowerShell.Configuration
   Module.RegisterADHealthAdfsAgent

Azure AD Connector - UPN Filter


Hi,

How can I configure a UPN filter in Azure AD Connector?
I need to sync from on-premises AD to Office 365. Is it an Outbound or an Inbound rule?

Are these the correct settings?

Problems with Azure AD password reset service


We have Office 365 and Azure AD Premium. I'm trying to configure Azure AD password reset service for our users. We have Azure AD Connect with password sync and password writeback configured. 

When trying to change password for a user through self-service portal I get a message: Your request could not be processed

I thought it was a permission issue on premises, so I temporarily added the Azure AD Connect service account to the Domain Admins group, but it didn't help either. When trying to reset a password I get these errors in Event Viewer on the Azure AD Connect server:

Event 6330

An error occured while calling EndConnectionToServer for a password operation. This has no effect on whether the password operation completed successfully or not.

ErrorCode: 0x80230808

ErrorString: (The management agent run was terminated as there were unspecified management agent errors.)

Event 6329

An unexpected error has occurred during a password set operation.

 "BAIL: MMS(4944): adma.cpp(2827): 0x800704bc (The format of the specified domain name is invalid.)

BAIL: MMS(4944): adma.cpp(1710): 0x800704bc (The format of the specified domain name is invalid.)

BAIL: MMS(4944): adnc.cpp(355): 0x800704bc (The format of the specified domain name is invalid.)

BAIL: MMS(4944): LDAPMAExportCore.cpp(566): 0x800704bc (The format of the specified domain name is invalid.): Error binding to partition {97E23AB1-83D2-4144-B3C3-0B6FB92FD669} (foreign DN DC=domain,DC=com): 800704bcBAIL: MMS(4944): ..\exportpassword.cpp(451): 0x80230015 (The specified partition identifier is not present in the partition data.)

BAIL: MMS(4944): ..\ma.cpp(7777): 0x80230015 (The specified partition identifier is not present in the partition data.)

BAIL: MMS(4944): LDAPMAExportCore.cpp(648): 0x80230808 (The management agent run was terminated as there were unspecified management agent errors.): EndExportSession called before export session was initialized

ERR_: MMS(4944): ..\exportpassword.cpp(71): EndConnectionToServer failed with hr=0x80230808

BAIL: MMS(4944): ..\ma.cpp(8223): 0x80230015 (The specified partition identifier is not present in the partition data.)

Azure AD Sync 1.1.180.0"

Event 33001

TrackingId: 987f394e-ccdf-45bf-95ec-02701828fc27, Reason: Synchronization Engine returned an error hr=80230015, message=The specified partition identifier is not present in the partition data., Context: cloudAnchor: User_b5c3278f-6108-4356-b30a-3138981cc9c7, SourceAnchorValue: ATscDru1YUKtZcCere29Vg==, UserPrincipalName: username@domain.com, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230015, message=The specified partition identifier is not present in the partition data.

   at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)

   at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount)

   at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPassword(String passwordResetXmlRequestString, Boolean unlockUser)

Any ideas what could be wrong? 

B2C Security Logs

Hello, is there any security logging for the Azure AD B2C service, and if so, how can I access it? We are looking to capture events on things like failed logins, account lockouts, concurrent logins, etc. Thanks

A question about Azure AD Connect and AD FS


Hello

I want to do the following; can someone please tell me if this is possible.

I have an on-premises LAB setup running Windows Server 2012 R2 AD DS.

I have an MSDN subscription which comes with a certain amount of Azure dollar spend per month.

I want to download and set up Azure AD Connect to sync my on-premises AD with Azure AD (all straightforward so far).

I also want one or more AD FS servers with public-facing IP addresses I can use to learn/test SSO scenarios with third parties like Salesforce. In addition, I also want to create my own custom AD FS claims rules and to set up additional Relying Party (and possibly Claims Provider) trusts. Basically I want to be able to get at, create, modify and delete AD FS claims etc. (as if the AD FS server was running in my on-premises LAB).

I see that when you are going through the initial setup of Azure AD Connect you can opt to federate the accounts too (e.g. set up or integrate with AD FS) so you do not have to set these up manually (if you prefer not to).

The thing is, if I do select to allow AD Connect to set up the federation as part of the installation, does it effectively mean I cannot get at and configure the AD FS server(s) running this federation?

If control over these AD FS servers is taken away from me later on when using this installation method, as an alternative can I still set up my own AD FS VMs in my Azure subscription and get these federated with my namespace on Azure AD (to take advantage of the fact that my on-premises accounts are already synced to Azure AD)? In other words, if I create a couple of VM member servers, can I then join them to a domain, e.g. my Azure AD domain, as member servers?

If not, I assume I will have to spin up a VM domain controller and AD FS servers as VMs under my subscription.

Please advise

Thanks

Ernie

Azure AD Connect error during install: E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY


During the installation of Azure AD Connect I get this error message: E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY

In eventlog:

ADSync 6309 The server encountered an unexpected error while performing an operation for a management agent.
"BAIL: MMS(12040): ..\parser.cpp(2295): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)
BAIL: MMS(12040): ..\parser.cpp(2200): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)
BAIL: MMS(12040): ..\parser.cpp(2076): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)
BAIL: MMS(12040): ..\schema.cpp(89): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)
ERR_: MMS(12040): ..\mastate.cpp(15668): Error creating MA schema object: 0x80230910
BAIL: MMS(12040): ..\mastate.cpp(15866): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)
BAIL: MMS(12040): ..\mastate.cpp(5741): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)
BAIL: MMS(12040): ..\ma.cpp(672): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)
BAIL: MMS(12040): ..\ma.cpp(954): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)
Azure AD Sync 1.0.9125.0"

I found a similar issue on the internet with SharePoint 2010 User Profile Sync, which is also based on FIM technology:

https://social.technet.microsoft.com/Forums/en-US/b0f3d2b7-736f-432c-bc68-783648454cb3/error-6306-and-unable-to-process-create-message-when-trying-to-create-a-ad-connection?forum=sharepointadminprevious

A Microsoft employee, 'Cyrtiac' from Microsoft France, answers that topic. The problem was a custom AD schema extension: an auxiliary class was made a subclass of "person". He says an auxiliary class should always be a subclass of top.

In our Active Directory we also made an auxiliary class a subclass of "person". I can't delete this subclass because the attributes are still used in our environment.

Why is it not allowed to create an auxiliary class as a subclass of anything other than 'top'? I cannot find any documentation on this.

How can we install Azure AD Connect and leave this subclass intact?
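The post above quotes the rule that an auxiliary class should derive from top and reports E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY when one derives from person instead. It is cheaper to audit an LDIF export of the schema partition (CN=Schema,CN=Configuration,...) before installing than to let the sync engine fail on it. The following is an added example, not code from the post or from Microsoft. It parses such an export and flags two things: auxiliary classes (objectClassCategory 3) whose subClassOf is not top, which is the post's case, and genuine loops in the subClassOf chain, which goes beyond the post and matches the error name literally. The LDIF in the block is constructed for the example; the classes other than top and person are fictitious and the category values are illustrative.

```python
"""Audit an LDIF export of the AD schema for the condition described in the
thread: auxiliary classes not derived from top, plus real subClassOf loops.

Added example; the LDIF below is constructed and the classes other than
top and person are fictitious."""
from typing import Dict, FrozenSet, List, Set

AUXILIARY = "3"   # objectClassCategory value that marks an auxiliary class
ROOT = "top"      # every AD class hierarchy terminates at top

# Constructed sample in the shape of an ldifde export of the schema partition
# (one attribute per line, no line folding). Category values are illustrative.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=Top,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: top
objectClassCategory: 2
subClassOf: top

dn: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: person
objectClassCategory: 0
subClassOf: top

dn: CN=contoso-Brand-Aux,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: contosoBrandAux
objectClassCategory: 3
subClassOf: person

dn: CN=contoso-Ok-Aux,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: contosoOkAux
objectClassCategory: 3
subClassOf: top

dn: CN=loop-A,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: loopA
objectClassCategory: 1
subClassOf: loopB

dn: CN=loop-B,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: loopB
objectClassCategory: 1
subClassOf: loopA
"""


def parse_class_schema(ldif: str) -> Dict[str, Dict[str, str]]:
    """Map lDAPDisplayName -> attributes for every classSchema entry in the export."""
    classes: Dict[str, Dict[str, str]] = {}
    for entry in ldif.strip().split("\n\n"):
        attrs: Dict[str, str] = {}
        for line in entry.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                attrs[name.strip()] = value.strip()
        if "lDAPDisplayName" in attrs:
            classes[attrs["lDAPDisplayName"]] = attrs
    return classes


def find_schema_problems(classes: Dict[str, Dict[str, str]]) -> List[str]:
    problems: List[str] = []
    # Rule quoted in the thread: an auxiliary class must derive directly from top.
    for name, attrs in classes.items():
        parent = attrs.get("subClassOf")
        if attrs.get("objectClassCategory") == AUXILIARY and parent != ROOT:
            problems.append(f"auxiliary class {name} derives from {parent}; expected {ROOT}")
    # Literal reading of E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY: walk each chain to top
    # and report a loop once, however many classes sit on it.
    reported: Set[FrozenSet[str]] = set()
    for name in classes:
        chain: List[str] = []
        cur = name
        while cur != ROOT:
            if cur in chain:
                cycle = chain[chain.index(cur):]
                if frozenset(cycle) not in reported:
                    reported.add(frozenset(cycle))
                    problems.append("cycle in subClassOf chain: " + " -> ".join(cycle + [cur]))
                break
            if cur not in classes:
                problems.append(f"{name}: parent {cur} is not in the export")
                break
            chain.append(cur)
            cur = classes[cur].get("subClassOf", ROOT)
    return problems


if __name__ == "__main__":
    for problem in find_schema_problems(parse_class_schema(SAMPLE_SCHEMA_LDIF)):
        print(problem)
```

Against the constructed export the check reports contosoBrandAux (auxiliary, derived from person) and the loopA/loopB cycle, and says nothing about contosoOkAux, which follows the quoted rule. Run it over a real ldifde export of the schema partition before the Azure AD Connect install, and re-run it after any schema change.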
