Channel: Azure Active Directory forum

Connecting Azure AD to Box

Hello everyone, 

I am having issues connecting my Box instance to Azure AD. There are a couple issues that remain that I cannot figure out on the Azure side. 

Setup: AD on Prem <--> Azure AD Premium <--> Box Application

Issues

1. After un-assigning the Box license, the user still shows Active in Box. (Makes me believe it is not syncing properly)

2. When making an AD group Inactive in Azure it remains active in Box and does not update... however, when I push a new Box group to Box (Manually) the new groups push to Box as active but do not reflect the changes made to the group I want to make INACTIVE?

3. The members of the group are not populating in Box properly. However they are showing in the group, but the Box instance is not reflecting the number of users in that group. For example, there are three users in a Box group - all three members are assigned to that group via Active directory but the group shows 0 members versus "3".....

Has anyone had similar issues? How did you resolve them? I'm thinking it could be a scoping or attribute issue but I don't know.... any help would be appreciated. 

Thanks! 


Adding local non-virtual clients

I've set up a running Microsoft Azure virtual server and am trying to add local non-virtual computers to the network. I've created the DNS server but for some reason I am unable to connect to it. Every time I try to add a computer, it won't recognize the domain. I'm unable to ping the DNS server from inside or outside the virtual machine I've created as well. Not sure if it's possible to set up static IP addressing for Microsoft Azure. But that's what I'm trying to do. Any help would be appreciated.

Adding Users

From @drzpt_tv via Twitter

I can't seem to add new users to a resource group, it says invite sent but no email

Thanks,

@AzureSupport

Cannot add microsoft account to AAD

Hi, on my trial subscription I have 2 users with Microsoft accounts and 2 with AAD accounts. Today I tried to add new users with existing Microsoft accounts, but Azure tells me that the accounts do not exist (but they do, one hotmail.com and the other another domain).

Is there a limit on trial subscriptions or is there a bug?

Thank you

Connect domain-joined devices to Azure AD

I am trying to set up device join for my Windows 10 computers using the howto below.  I am currently testing Windows 10 Enterprise build 14366.

https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/

I have ADFS 3.0 farm setup with Azure AD Connect (latest version).  SSO is working correctly with ADFS.  I have a hybrid email setup with email to a subdomain handled by Office 365/Exchange online, and email to the main domain handled on premises.

Every time the machine tries to join to Azure AD, I get event id 304 and 305, which includes the error:

AdalErrorDesc: AADSTS50107: Requested federation realm object ‘http://my-adfs-farm/adfs/services/trust’ does not exist.

If you enter the url it is looking for into a browser, it gives HTTP Error 503. The service is unavailable.

If I run dsregcmd /status, I get AzureAdJoined : No and EnterpriseJoined : No.

The instructions are vague and I am not sure if I should be registering to the ADFS farm or to Azure AD directly.  The article says nothing about setting up an enterpriseregistration DNS record (for domain and subdomain), but other articles say that this, and other steps, are prerequisites.  I have pointed these records at my local ADFS farm and at enterpriseregistration.windows.net but it doesn't change the results.  I have enabled the adfs/services/trust/13/windowstransport endpoint.

What is wrong?

Service to Service call and Graph API

All,

I registered a web API https://dev.office.com/app-registration. I kept sign URL : http://localhost:8000 and RedirectURI as http://localhost:8000.

After this, I created a console application to access the graph API. Here is the code. But it doesn't work. I get the error "access denied".

Am I missing anything here?

One more thing, I checked the access_token and I don't see any user information there.

    using System;
    using System.Net.Http;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL

    string clientId = "<<sample>>";
    string clientsecret = "<<sample>>";
    string tenant = "my.com";

    var authUri = "https://login.microsoftonline.com/" + tenant + "/oauth2/token";
    var RESOURCE_URL = "https://graph.microsoft.com";

    HttpClient client = new HttpClient();
    var authContext = new AuthenticationContext(authUri);

    // Client-credentials (app-only) token request: the app authenticates with its own id and secret
    var credential = new ClientCredential(clientId: clientId, clientSecret: clientsecret);
    var result = authContext.AcquireTokenAsync(RESOURCE_URL, credential).Result;
    Console.WriteLine(result.AccessToken.ToString());

    // Send the token as a bearer credential on the Graph request
    client.DefaultRequestHeaders.Add("Authorization", "bearer " + result.AccessToken);
    var response = client.GetAsync("https://graph.microsoft.com/v1.0/users/ankushb/calendar/events").Result;

    // The POST variant stays commented out: "content" is not defined in the posted snippet
    //    var httpContent = new StringContent(content, Encoding.GetEncoding("utf-8"), "application/json");
    //    var response = client.PostAsync("https://graph.microsoft.com/v1.0/groups", httpContent).Result;
    Console.WriteLine(response.Content.ReadAsStringAsync().Result);


adding windows ten gives error 80004005

Guys,

When trying to add a W10 Pro to my Azure AD, I get an error 80004005 that is telling me something went wrong, I need to contact the admin and check my credentials.

So I emailed myself, but myself doesn't know what is going wrong.

error can be seen here:

http://pho.to/A8Tdp

anyone who can help me with this?

thanks.

The Microsoft Azure Portal encountered an error while trying to access your subscription.

Hi,

I am getting the following error while trying to start using Microsoft Azure AD B2C Services.

"The Microsoft Azure Portal encountered an error while trying to access your subscription."

I have attached the respective screenshots, which show the whole process that I am trying to use.

Step 2

Step 3

Step 1


Having an error with Azure Password based SSO

From @oscar_ramos via Twitter

"I am trying to use Azure AD with an app using the password based SSO. When I try to access from the myapps panel I receive the error you can see in the image.

Error code:0"

Error Message: There was a problem processing your request

Over DM

Thanks,

@AzureSupport

How do I create a support request to the Azure AD team when I have an Office 365 & EMS subscription?

Hi

For the last 17 days I have been trying to create a support request to the Azure AD team. I have an Office 365 and EMS (which includes Azure AD Premium) subscription.

I created a support request on https://portal.office.com. The reply I got was to use https://portal.azure.com to get Azure AD support.

When trying to create a support request on https://portal.azure.com I get the message that I do not have a subscription. The only request possible is support for subscription issues. I created a subscription support request asking my original Azure AD question and also if the message on https://portal.azure.com is to be expected.

The reply I got was that I should ask for Azure AD support on https://portal.office.com and that it is as designed that I can not create support requests on https://portal.azure.com.

Now I have two support engineers telling me to create Azure AD support requests on the other portal since they don't do Azure AD support. And both of them are unable to transfer my support request to the Azure AD team.

Does anybody on this forum know how to create Azure AD support requests when I have an Office 365 and EMS subscription and no other Azure subscriptions?

Any info is appreciated.

Jesper

Batch Execution Service Help

Hi all:

Batch Execution Service multithreaded operations of different files, always an error: “ Number of selected cloumns in the input dataset does not equal to 1”

How do I deal with this?

AAD Connect Tool wasn't able to configure

Hi Team,

I have installed the AAD Connect tool, however I am unable to configure it. While doing the custom configuration I get an error like "unable to install the MS SQL server Express Local DB, please see the event log".

Any thoughts? Please assist.

Thanks in advance.

vinay

Remove default directory from this subscription as we need to use it in our production environment

From Deji ogundele @techdeee via Twitter

Hello support, I am currently trying to remove my default active directory on azure. But I have been unsuccessful.

We have some documentation we think might help: aka.ms/d1213783a , aka.ms/d1213783 and aka.ms/f1213783 ^AL

Thanks for your prompt response. But the documentations still do not address my needs - I want to remove this default directory from this subscription as we need to use it in our production environment

Thanks @AzureSupport

Microsoft.Online.Reporting.MonitoringAgent.Startup has stopped working

In the final stages of the Azure AD Connect tool doing the configuration and I get this:

Getting "ServiceType" from ConfigurationManager: FAIL.
AzureADConnect.exe Information: 0 : AdHealthWebproxy settings: security context: ASPEN\svc_azure_ad_connect, HttpsProxyAddress: No Proxy, initialization status: Succeeded; Registry value did not exist; Value was not a string, No Initialization Exception
[12:33:57.344] [ 33] [WARN ] ConfigureAADHealthAgent: Caught exception while configuring AAD Health Agent. Exception: System.Management.Automation.CmdletInvocationException: Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="2.6.107.0" ---> System.InvalidOperationException: Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="2.6.107.0"
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.<>c__DisplayClassf.<StoreMonitoringServiceCertificateAndConfig>b__e()
   at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.<>c__DisplayClass1.<ExecuteAction>b__0()
   at Microsoft.Practices.EnterpriseLibrary.TransientFaultHandling.RetryPolicy.ExecuteAction[TResult](Func`1 func)
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.FetchAndStoreAgentCredentials(String tenantId, String serviceName, String serviceMemberId, String serviceId)
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.ProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellHelper.InvokeAndThrow(IPowerShell powerShell, Command command, Boolean throwExceptionOnError)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADHealth.ConfigureAADHealthAgent`1.Execute()
[12:33:57.345] [ 33] [INFO ] Task 'Configure AAD Health Agent' has finished execution
[12:33:57.347] [ 34] [INFO ] Task 'Configure AAD Health Agent' finished successfully
[12:33:57.347] [ 34] [INFO ] Task 'Deploy AAD Health Agent' has finished execution
[12:33:57.348] [ 20] [INFO ] Task 'Deploy AAD Health Agent' finished successfully
[12:33:57.349] [ 20] [VERB ] Executing task Configure Auto Upgrade Version

I found this post detailing a similar problem, but the solution is irrelevant as we don't have Azure AD Premium and the PS cmdlet mentioned is part of that. So why is this configuration tool getting its knickers in a twist over it?

How do we proceed past this bug?

Thanks


Encrypting file using RMS powershell modules deleting file

From @Orodeon via Twitter:

The RMS client is deleting the unencrypted temp file before the app can open it. I'm opening a file I encrypted with the RMS powershell modules using a text editor and before the file is opened by the text editor it is deleted. It works fine when I open the file using ISE and I'm using the powershell modules to encrypt the file. RMS supports encrypting any file type with powershell, does it not? When I open the file I see the temporary file being created and deleted. The client is doing everything it should except that it is deleting the temporary file before my text editor has a chance to open the file. I can open the file just fine if I associate the ps1 extension with ISE but not if I associate it with powergui. Also I can see the RMS client creating the temporary file no matter which app I have associated with the extension, it just deletes the temporary file before powergui has a chance to open the file.

Thanks!

@Azuresupport


Facing issue on azure AD B2C + API app.

From NEERAJ Kosliya @NeerajKosliya via Twitter

Facing issue on azure AD B2C + API app. Plz help me out. Details below:

Environment:

  • Web Api 2

  • Azure Active directory B2C

  • Deployed on Azure API app

Web Api is protected with azure active directory B2C and is deployed on azure API app. It works fine, however sometimes api app start returning 500 - The request timed out.
Few hours later or re-starting the server, api app starts responding again. It happens only with Authorize endpoints.

After hours of logging and analysis I found that it is Azure AD that is causing the problem. Here is the server log.

2016-06-20T10:02:54  PID[3872] Warning     JWT validation failed: IDX10500: c. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
    )
',
token: '{"typ":"JWT","alg":"RS256","kid":"IdTokenSigningKeyContainer.v2"}.{"exp":1466420186,"nbf":1466416586,"ver":"1.0","iss":"https://login.microsoftonline.com/47e7d095-0860-410b-a9df-ed6992458ba0/v2.0/","acr":"b2c_1_peoplesignin","sub":"Not supported currently. Use oid claim.","aud":"953584ba-f0da-4cd7-aa95-2274b673061f","nonce":"defaultNonce","iat":1466416586,"auth_time":1466416586,"oid":"9e44b22e-558c-4286-a4c7-e742c03687dc","name":"Neeraj Kumar","emails":["Er.neerajyadav@gmail.com"]}

Here is the ConfigureAuth() method of web api.

        private void ConfigureAuth(IAppBuilder app)
        {
            TokenValidationParameters tvps = new TokenValidationParameters
            {
                // This is where you specify that your API only accepts tokens from its own clients
                ValidAudience = clientId,
            };

            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
            {
                // This SecurityTokenProvider fetches the Azure AD B2C metadata & signing keys from the OpenIDConnect metadata endpoint
                AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider(String.Format(aadInstance, tenant, "v2.0", discoverySuffix, commonPolicy))),

                Provider = new OAuthBearerAuthenticationProvider()
                {
                    OnValidateIdentity = async (context) =>
                    {
                        string userObjectId = context.Ticket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
                        var graphClient = new ADGraphClient();
                        var roles = await graphClient.GetUsersGroups(userObjectId);
                        // add a role claim for every membership found
                        foreach (var r in roles)
                            context.Ticket.Identity.AddClaim(new Claim(ClaimTypes.Role, r.ToString()));
                    }
                }
            });
        }

Thanks

@AzureSupport
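
The log in the post above shows validation failing because the token's `kid` could not be resolved to a signing key. The following is an added example, not code from the original post and written in Python rather than the post's C#: it reads the `kid` from a JWT header and refreshes a cached key set on a miss, with a minimum interval between refreshes so that unknown `kid` values cannot trigger a metadata download on every request. `SigningKeyCache`, the `fetch_jwks` callable and the 300-second interval are assumptions made for the illustration.

```python
import base64
import json
import time

def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_json(obj):
    """Encode a dict as a base64url JWT segment (used to build the sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_header(token):
    """Return the unverified JOSE header; it is only used to select a key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    return json.loads(b64url_decode(parts[0]))

class SigningKeyCache:
    """Caches JWKS keys by kid; refetches on an unknown kid, rate-limited."""

    def __init__(self, fetch_jwks, min_refresh_seconds=300, clock=time.monotonic):
        self._fetch = fetch_jwks  # hypothetical callable returning {"keys": [...]}
        self._min_refresh = min_refresh_seconds
        self._clock = clock
        self._keys = {}
        self._last_refresh = None

    def resolve(self, token):
        """Return the JWK matching the token's kid, or None if unresolved."""
        header = jwt_header(token)
        kid = header.get("kid")
        if header.get("alg") != "RS256" or kid is None:
            return None  # pin the expected algorithm instead of trusting the header
        stale = (self._last_refresh is None
                 or self._clock() - self._last_refresh >= self._min_refresh)
        if kid not in self._keys and stale:
            jwks = self._fetch()
            self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
            self._last_refresh = self._clock()
        return self._keys.get(kid)

# Constructed sample: header copied from the log line in the post; payload and signature are dummies.
SAMPLE_TOKEN = ".".join([
    b64url_json({"typ": "JWT", "alg": "RS256", "kid": "IdTokenSigningKeyContainer.v2"}),
    b64url_json({"aud": "constructed-audience"}),
    "c2lnbmF0dXJl",
])

def demo():
    """Key set lacks the kid at first, then contains it after the cool-down."""
    now, calls = [0.0], []
    key_sets = [{"keys": [{"kid": "constructed-old-key", "kty": "RSA"}]},
                {"keys": [{"kid": "IdTokenSigningKeyContainer.v2", "kty": "RSA"}]}]

    def fetch_jwks():
        calls.append(now[0])
        return key_sets[min(len(calls) - 1, 1)]

    cache = SigningKeyCache(fetch_jwks, clock=lambda: now[0])
    first = cache.resolve(SAMPLE_TOKEN)   # miss: fetch 1, kid still absent
    now[0] = 10.0
    second = cache.resolve(SAMPLE_TOKEN)  # miss inside cool-down: no fetch
    now[0] = 400.0
    third = cache.resolve(SAMPLE_TOKEN)   # miss after cool-down: fetch 2, found
    return first, second, third["kid"], len(calls)
```

A `None` result from `resolve` means the token must be rejected; the returned JWK is only a key selection, and the signature still has to be verified with it.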

user_realm_discovery_failed: User realm discovery failed

Hi,

Setting up Azure AD connect for office 365 and getting following error. Checked the firewall and no drops. DirSync server has got direct connection to internet and port 443 is allowed.

[12:35:28.278] [ 29] [INFO ] SyncRuleUpgradeEngine.MergeSyncRules: Rule:In from AAD - Group Exchange Hybrid, Precedence:0, PrecedenceAfter:0b165b38-19d0-4186-86ee-c7cffdba006d, PrecedenceBefore:00000000-0000-0000-0000-000000000000
[12:35:28.278] [ 29] [INFO ] SyncRuleUpgradeEngine.MergeSyncRules: Rule:In from AAD - User Exchange Hybrid, Precedence:0, PrecedenceAfter:7f7e3fab-9a0b-42d7-9951-d993949975b0, PrecedenceBefore:00000000-0000-0000-0000-000000000000
[12:35:28.278] [ 29] [INFO ] SyncRuleUpgradeEngine.MergeSyncRules: Rule:Out to AAD - Device Join SOAInAD, Precedence:0, PrecedenceAfter:e20a09a3-990f-4768-a1d1-0f2bbef215e8, PrecedenceBefore:00000000-0000-0000-0000-000000000000
[12:35:28.278] [ 29] [VERB ] SyncRuleUpgradeEngine.MergeSyncRules: Exit
[12:35:28.278] [ 29] [VERB ] SynchronizationRuleTemplateEngine.GetObjectClassInclusionListForSynchronizationRules: Enter
[12:35:28.278] [ 29] [VERB ] SynchronizationRuleTemplateEngine.GetObjectClassInclusionListForSynchronizationRules: Exit
[12:35:28.278] [ 29] [VERB ] SynchronizationRuleTemplateEngine.GetAttributeInclusionListForSynchronizationRules: Enter
[12:35:28.293] [ 29] [VERB ] SynchronizationRuleTemplateEngine.GetAttributeInclusionListForSynchronizationRules: Exit
[12:35:28.294] [ 29] [INFO ] Configuring Windows Azure Active Directory Sync: Updating run profiles and attribute inclusion lists for connector (tenent.onmicrosoft.com - AAD)
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: user_realm_discovery_failed: User realm discovery failed ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: user_realm_discovery_failed: User realm discovery failed
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.ValidateConfigurationParameters(Connector connector)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateConnector(Connector connector, Boolean validate)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncConnectorCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()

Thanks


Merwin

Account visible in AAD but can't login

I've synchronized my on premise Active Directory to Azure using AD Connect.

I have two global admin accounts, my user and an online account I've set up in the Azure AD.

Following upgrading to the latest AD Connect, I cannot login under my account anymore - it says it does not exist; it works fine on premise and I can see the account in the Azure AD.

Any suggestions?


Paul

Azure AD managed accounts sign-in questions

Hi friends,

I have a few questions.

Assume I have configured AAD Connect on premises to sync only the password to Azure AD and replicated the users.

1. If a user account is locked in on-premises AD, will it replicate the status to Azure AD and block the user sign-in to the Azure portal?

2. If a user password is expired in on-premises AD, will it replicate the status to Azure AD and block the user sign-in to the Azure portal?

I did try this in the lab and am confused about it. I'd appreciate your quick response.

Conditional access issue on O365 using ADFS claim rule and Azure AD DRS service

We are using the Azure AD DRS service to register devices (laptops and mobile phones) into Azure AD, which then gets written back to on-prem AD. This has been done to restrict access and allow it only to registered users.

For restricting access only to registered users with a device, we have created an authorization claim rule on the ADFS O365 relying party.

This rule specifies that if the value of http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser = TRUE, then allow access.

On Android phones, devices are getting registered through the Company Portal app.

Issue –

The issue seems to be occurring in the Android Outlook app when updating the password for Outlook. While updating the password, it goes through the Company Portal and then to the ADFS page, where it gives an authorization error.

From the logs it seems it's not sending the http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser claim to ADFS, and hence the ADFS conditional access claim rule is not getting applied to it.

Although during mobile device registration the client certificate gets installed on the device, and it should send registered user/device details through the certificate. Doesn't the Exchange app on Android send the ISREGISTEREDUSER claim?

Note –

  1. We are not using ADFS DRS service.
  2. We are not leveraging Intune or MDM for device compliance and conditional access.
  3. No issue with laptops.
We have deleted default “ALL ACCESS”  permit rule on O365 relying party