Channel: Azure Active Directory forum

What data is synced between DCs during automatic Active Directory synchronization


Hi,

When there is more than 1 domain controller (DC) in an Active Directory (AD) domain, by default they are usually configured to sync every 5 to 15 minutes. My understanding was that they sync all AD data, however we recently found different last login details for users between 2 DCs.

When we looked into this we found an MS article 

“lastLogon is not synced across the domain so the code above will only give you the last time the user connected to the random domain controller that answers the query rather than the last time the user connected to any controller in the domain” (from article title Determining a User's Last Logon Time from technet.microsoft)

However I can't find what data is and is not sync'd between DCs. Is there a defined list available?

Thanks in advance,

Jonny



Access Control Service : Relying Party Application failed while creation


Hi,

While I am trying to create a Relying Party Application, it fails with an error message, as shown in the image below.

I am not sure how to continue or what the causes of the issue are.

High CPU Usage


Hi, 

We have Azure AD Sync installed on one of our Domain Controllers, but the service: Microsoft.Online.reporting.monitoringagent.startup keeps on going to high CPU usage and then low then high, it keeps on doing this all day. 

Any ideas of what it could be but also how to stop it from doing it?

Thank you 

Ashley 

Configuring SAML between Azure and Sharefile


I am trying to configure SSO between ShareFile and Azure, which is failing. The document followed is located at:

https://azure.microsoft.com/en-gb/documentation/articles/active-directory-saas-citrix-sharefile-tutorial/

The error is:

Sorry, but we’re having trouble signing you in. 

We received a bad request.

Additional technical information:

Correlation ID: 8de323b5-3bce-4706-b2b9-906e2e10db87

Timestamp: 2016-01-14 13:28:52Z

AADSTS90011: SAML authentication request's RequestedAuthenticationContext's Comparison value must be "exact"

Any help troubleshooting the issue would be really appreciated.

Thanks


Azure AD Synchronization hasn't occurred in over 54 hours


One of our clients received an email over the weekend that their Azure AD Synchronization hasn't occurred in over 54 hours. When troubleshooting the issue on the directory synchronization server (OS - Server 2012, R2) we found that the "SQL Server (SQLEXPRESS)" and "Microsoft Azure AD Sync" services were stopped and they will not start.

The "SQL Server (EXPRESS)" service comes back with "Windows could not start the SQL Server (SQLEXPRESS) on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 3023."

The "Microsoft Azure AD Sync" service comes back with "Windows could not start the Microsoft Azure AD Sync on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 2145188790."

When trying to start Azure AD Connect we get the following error message...

"The current user requires Admin access to the Microsoft Azure AD Sync service.

Azure Active Directory Connect cannot proceed further as configuration changes cannot be made at this time.

What to do next:

Close the Azure AD Connect wizard. Ensure the current user is a member of either the Administrators or ADSyncAdmins group and has logged off/on since joining the group."

The account that we are logged in with is a member of both of those accounts.  We upgraded from Windows Azure Active Directory Sync to Azure AD Connect back in the middle of December.  Everything had been synchronizing fine until over the weekend. The local account used for the Azure AD Connect service is not locked out and the password is set to not expire (default).

Any help would be greatly appreciated...

Web Proxy for Azure AD Connect


Hi Team,

I am new to Azure AD. I have a requirement to install the Azure AD Connect tool for one of our customers. We will go for Custom Installation with ADFS. Can someone tell me why we need a Web proxy and what the need for it is? Also, for ADFS, can we use an internally generated certificate (SSL)?

Thanks for help!

AAD Connect sync password doesn't work


Hi,

Password Synchronization doesn’t work between my local active directory and Azure Active Directory. I’m using AAD 1.1.130.0.

When the user changes his password in Active Directory, it never becomes active in Office 365 (also not after 3 hours).

Operations check:
- I notice one update in the local import.
- The sync is processed.
- I notice one update in the AAD export.
- Review the update: I notice ‘lastPasswordChangedTimestamp’ to be changed.

The local environment contains one W2K8 SBS and one W2K12r2 domain controller. The W2K12r2 machine is the PDC Emulator and has the AAD software installed. In the Event Viewer (application log) I notice Event ID errors: 6900 and 652.

Event ID 6900, source: ADSync, message:
The server encountered an unexpected error while processing a password change notification:

"multiple_matching_tokens_detected: The cache contains multiple tokens satisfying the requirements. Call AcquireToken again providing more requirements (e.g. UserId)
  at TargetExtensionManager.ExportPasswords(TargetExtensionManager* , ECMAInformation* ecmaInformation, DynamicArray<ActiveDirectoryPasswordChange *>* targetPasswordChanges, Char* forestInfo)
InnerException=>
none
"

Event ID 652, source: Directory Synchronization, message:
The server encountered an unexpected error while processing a password change notification:

"multiple_matching_tokens_detected: The cache contains multiple tokens satisfying the requirements. Call AcquireToken again providing more requirements (e.g. UserId)
  at TargetExtensionManager.ExportPasswords(TargetExtensionManager* , ECMAInformation* ecmaInformation, DynamicArray<ActiveDirectoryPasswordChange *>* targetPasswordChanges, Char* forestInfo)
InnerException=>
none
"

However the lead. I don’t know which steps I should take to resolve this issue.

Further:
- I deleted the Connector Space & Full Sync without resolving the solution.
- The users passwords are set via Office 365 Portal, to provide a login.
- When I create a new user, Sync, the user is available in the Office 365 Portal and I’m able to assign a license. But I’m unable to logon, message: “We don't recognize this user ID or password”.


My goal is to get password synchronization available for my users.

Thanks in advance,
Yuri

AADSTS90093:Calling principal cannot consent due to lack of permissions


I have created a native app on my organization's Azure portal and access it with ADAL for a SharePoint Hosted App. It is working for our organization, but when it comes to an external user it fails to get the access token. The external user is not able to get sufficient permission.

Also got the other error as

This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

If the consent of an administrator was not given and a non-administrator user tries to use the application, he will receive the above error message.

Is it mandatory that the person who is trusting the app for the first time must be an administrator for his tenant?

How can we fix this so that other users can also get access without admin consent?


MFA Not working at all


I configured AD Sync, and installed MFA on a standalone server. I followed the procedures HERE and whenever I try to log into an RDP session, I don't get prompted for the second form of authentication.  I've configured and enabled MFA for RDP sessions before, using the same exact process with the exception of having AD Sync in the mix. Before, I had everything in Azure. 

Is there some special consideration? 

I can get out to the website listed in the link above, so I don't see an issue there either. 

Any suggestions?

Azure AD B2B New Invites No longer logging in


I've been using Azure AD B2B for a while now, it's worked pretty well.

In the last few days though, new invites I've sent out don't seem to be getting created properly. I decided to test myself and send an invite to my personal domain. I went through the signup process, got my access code and entered it.

When getting back to the logging in properly for the first time stage, it indicates there is no account at all. 

The error is below. The account appears valid and listed in our Azure AD, but even trying to reset the password indicates it's not a known ID:

We don't recognize this user ID or password

Be sure to type the password for your work or school account.



What data is synced between DCs during automatic Active Directory synchronization [Thread Moved to Appropriate Forum]

[UPDATE - Thread moved to Windows Server Forum: https://social.technet.microsoft.com/Forums/windowsserver/en-US/16ebd63b-6dcb-437b-b02a-8c0355f6c2eb/what-data-is-synced-between-dcs-during-automatic-active-directory-synchronization?forum=winserverDS ]

Having an error with Azure Password based SSO


From @oscar_ramos via Twitter

"I am trying to use Azure AD with an app using the password based SSO. When I try to access from the myapps panel I receive the error you can see in the image

Error code:0"

Error Message: There was a problem processing your request

Over DM

Thanks,

@AzureSupport

AAD Connect Tool wasn't able to configure


Hi Team,

I have installed the AAD Connect tool, however I am unable to configure it. While doing custom configuration I am getting an error like "unable to install the MS SQL server Express Local DB, please see the event log"

Any thoughts? Please assist.

thanks in advance.

vinay

Read extension attribute value for Ad Azure user object using PowerShell


Hi Guys,

I need help to read the extensionAttribute value for a user object in Azure AD cloud using PowerShell.

I tried below command:

$extAttrib = (Get-MsolUser -UserPrincipalName "abc123@xyz.com" | Select-Object -Property *).ExtensionData

$extAttrib is showing as System.Runtime.Serialization.ExtensionDataObject type.

How will I fetch extensionAttribute values from the $extAttrib variable?

Or do you have any other method to fetch extensionAttribute values using a PowerShell command?

Thanks!!

Sujit


Okta Migration to Azure AD


Hello

I have a customer that is evaluating the possibility to decommission Okta and move to Azure AD.

I haven't found any guidance or best practice about how to migrate from another identity management provider to Azure AD.

One specific customer question is related to users and groups that have been provisioned in SaaS applications such as Box: once Box is integrated with Azure AD, will it be able to recognize and manage the users and groups that were provisioned by Okta?

Thanks

 


Azure AD Connect: Password Sync with Samba using LDAP Connector


Dear community,

We have a bit of a tricky situation: We started with SBS2011 with a .local domain (not internet-routable). Changing this would be too much of a risk. Additionally we want to ditch the SBS sooner or later. For the local authentication services we established a Samba server as a replica of the SBS.

Now we want to connect Office365 to this Samba server with user and password synchronization. So we established an Azure-hosted Windows Server running Azure AD Connect. As we have a non-routable domain as forest name, we cannot use the AD Connector used by the wizard of Azure AD Connect. We managed to test-deploy these tools also on another local Windows Server to copy the rules and connectors created by the wizard. As the Windows Server (2008 R2) is only for test purposes where we don't need the CALs, this can't be the final solution. But by using the rules and connectors we managed to sync the users from Samba to Office365 using the LDAP Connector for the Samba, where we can specify the target server (the AD Connector can only specify the forest name, which is not routable). When creating the LDAP connector we were able to specify the attribute for password synchronization. Also the description of the LDAP connector states that password sync would be possible.

Our problem now is: The password sync isn't working. I found information on the internet stating that password sync has to be configured using PowerShell with the command

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector Samba -TargetConnector Office365 -Enable $true

This command however requires an AD Connector and doesn't accept an Extensible Connector (which is what the LDAP Connector basically is).

Does anyone have a solution for this? Is it supported at all? I also tried changing the password attribute from userPassword to unicodePwd, which the Windows Server we are replicating from uses.

Thanks in advance

Michael Biber

SSO For Custom Application In Azure Active Directory Free Trial


Hi Guys,

I have a free trial account and I am trying to achieve SSO for custom apps in Azure Active Directory, but it's not working for me. Can anyone suggest how to do this in the free trial?

Retrieve all the attributes synced for a user from on premises AD to Azure AD



Hi Friends, 

I enabled the directory extension attribute sync option while configuring AAD Connect on-premises to sync the custom attributes over to Azure AD (attributes like Medicare Number, Activation Pin).

The synchronization was successful. I can see the users were synced to my Azure AD directory.

Now my question is: where can I see the custom attributes in the Azure AD directory? I am not able to view the custom attributes in the GUI user properties or with the PowerShell command Get-msoluser.

Please assist.

Bulk Azure AD join


Hi,

With Intune we have an "enrollment manager" account that is capable of joining multiple devices to Intune (30+).

Does this function also exist in Azure AD, so that I'm able to bulk join multiple devices to Azure AD?

I could only find the option maximum devices per user, but that's not what I want.

I want 1 account that will be able to bulk join devices to Azure AD.

ADFS with new Azure AD Domain Services


Hi,

We currently use on-premises ADFS for the SSO of Office365 and applications.

I wonder whether I can move the on-premises ADFS server to an Azure VM which will use the new Azure AD Domain Services for SSO?

Thanks
