Channel: Azure Active Directory forum

Unable to sync users from a container


From @anthonypants via Twitter:

"I can sync users in our domain's "OU=Test,DC=domain,DC=local" container, but not from a "OU=Cityname Employees,OU=Companyname Employees,DC=domain,DC=local" container. Why is that?"

"No errors, nothing in Event Viewer; logging the Export profile on the AAD connector generates a four-line XML file with a blank <directory-entries> element."

Thanks,

@AzureSupport


Azure AD connect- Can i export/import settings in one instance to another?


Hi folks,

I am doing an install of a new instance of Azure AD Connect. Is there a way for me to back up/restore the settings in Azure AD Connect from one instance to another?

Thanks

Issue when integrating Workday with Azure AD


From @aeglesol via Twitter

We are facing an issue when integrating Workday with Azure AD for inbound sync: the scope filter is not saving, and when saving we get the following error:

An error occurred that was our fault.
We should already be investigating, but you may also use the feedback button below to send us a report of the mishap.

Thanks,

@AzureSupport

Azure AD B2C - "invalid_grant" when accessing "/token" authorization endpoint


I thoroughly followed this guide in order to create an active directory and an application:

https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/

I added full application permissions for: Windows Azure Service Management API, Windows Azure Active Directory and Microsoft Graph. 

In the Microsoft Azure Portal, in Azure AD B2C settings, I added a Sign in and Sign up policy.

The '/authorize' endpoint is accessed as follows:

https://login.microsoftonline.com/2d779d37-.../oauth2/authorize?p=[my_sign_in_policy]&client_Id=[application_client_id]&nonce=defaultNonce&redirect_uri=http://www.localhost:9000/&scope=openid&response_type=code+id_token&prompt=login

The [application_client_id] is copied from the CLIENT ID box in my application configuration.

The user I'm authenticating has Global Admin role.

After successful login I receive as hash parameters: "code" and "id_token".


The '/token' endpoint is accessed as follows:

Method: POST

https://login.microsoftonline.com/2d779d37-.../oauth2/token?grant_type=authorization_code

&client_id=[application_client_id]&code=[code_from_previous_step]&redirect_uri=http://localhost:9000/&resource=https://graph.windows.net/&client_secret=[application_client_secret]

I get the [application_client_secret] from the "keys" section in my application configuration.



When accessing the '/token' endpoint, I get the following error response:

400, Bad request

{"error":"invalid_grant","error_description":"AADSTS70000: Authentication failed: Authorization Code is malformed or invalid.\r\nTrace ID: 94f3ca04-2f33-402e-a80e-dc1147b1b49b\r\nCorrelation ID: 8fb2aebd-53ec-4c0b-8852-71fc8c6849ea\r\nTimestamp: 2016-07-15 07:11:13Z","error_codes":[70000],"timestamp":"2016-07-15 07:11:13Z","trace_id":"94f3ca04-2f33-402e-a80e-dc1147b1b49b","correlation_id":"8fb2aebd-53ec-4c0b-8852-71fc8c6849ea"}



What I have tried:

Removing application write permissions for Windows Azure Service Management API, Windows Azure Active Directory and Microsoft Graph.

Adding the scope=openid%20offline_access parameter to the '/token' endpoint.

Adding the p=[my_signin_policy] parameter to the '/token' endpoint.

None of which had any effect on the response.
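As an added illustration of the exchange described in this post (example code written for this page, not from the poster or from Microsoft), the block below assembles the authorization-code token request in the layout RFC 6749 section 4.1.3 prescribes, with every grant parameter in the form-encoded POST body rather than the URL, checks that the redirect_uri sent to /token is identical to the one sent to /authorize (the post's two requests use http://www.localhost:9000/ and http://localhost:9000/, which the check treats as different), and parses an AADSTS error body into the fields worth quoting in a support case. Tenant ID, policy name, client ID and secret are placeholders; the sample error body is the one quoted in the post.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed placeholders; the real values come from the B2C tenant and the
# application registration and must never be committed to source control.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder tenant id
POLICY = "B2C_1_signin"                              # placeholder policy name
RESOURCE = "https://graph.windows.net/"

# Error body quoted in the post above; trace_id and correlation_id are the
# values a support engineer needs to find the failed request server-side.
SAMPLE_ERROR = r'''{"error":"invalid_grant","error_description":"AADSTS70000: Authentication failed: Authorization Code is malformed or invalid.\r\nTrace ID: 94f3ca04-2f33-402e-a80e-dc1147b1b49b\r\nCorrelation ID: 8fb2aebd-53ec-4c0b-8852-71fc8c6849ea\r\nTimestamp: 2016-07-15 07:11:13Z","error_codes":[70000],"timestamp":"2016-07-15 07:11:13Z","trace_id":"94f3ca04-2f33-402e-a80e-dc1147b1b49b","correlation_id":"8fb2aebd-53ec-4c0b-8852-71fc8c6849ea"}'''


def token_endpoint(tenant_id, policy):
    """Token endpoint in the form used in the post; the policy selector 'p'
    is the only parameter that belongs in the query string."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/token?p={policy}"


def build_token_request(tenant_id, policy, client_id, client_secret,
                        code, redirect_uri, resource):
    """Return (url, headers, body) for an RFC 6749 section 4.1.3 token request.

    Every grant parameter, the client secret included, goes in the
    form-encoded POST body rather than the URL, so it never lands in
    proxy or web-server access logs."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint(tenant_id, policy), headers, body


def redirect_uri_matches(authorize_uri, token_uri):
    """RFC 6749 requires the redirect_uri sent to /token to be identical to
    the one sent to /authorize. Scheme and host compare case-insensitively;
    path and query compare exactly, so a 'www.' prefix or a trailing slash
    difference is enough to fail."""
    a, b = urlsplit(authorize_uri), urlsplit(token_uri)
    return ((a.scheme.lower(), a.netloc.lower(), a.path, a.query)
            == (b.scheme.lower(), b.netloc.lower(), b.path, b.query))


def parse_aad_error(body_text):
    """Pull the AADSTS code, the first message line and both IDs out of an
    Azure AD error response body."""
    doc = json.loads(body_text)
    desc = doc.get("error_description", "")
    first_line = desc.split("\r\n", 1)[0]
    aadsts = first_line.split(":", 1)[0] if first_line.startswith("AADSTS") else None
    return {
        "error": doc.get("error"),
        "aadsts": aadsts,
        "message": first_line,
        "trace_id": doc.get("trace_id"),
        "correlation_id": doc.get("correlation_id"),
    }


if __name__ == "__main__":
    url, headers, body = build_token_request(
        TENANT_ID, POLICY, "client-id-placeholder", "client-secret-placeholder",
        "code-from-authorize-response", "http://localhost:9000/", RESOURCE)
    print("POST", url)
    print(headers)
    print(body)
    print("redirect_uri consistent:",
          redirect_uri_matches("http://www.localhost:9000/", "http://localhost:9000/"))
    print(parse_aad_error(SAMPLE_ERROR))
```

The request builder returns the pieces rather than sending them, so it can be checked offline; sending it with any HTTP client is a one-liner. Keeping the secret out of the URL matters beyond correctness: query strings are routinely stored in access logs and browser histories, while a POST body is not.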



adding windows ten gives error 80004005


Guys,

When trying to add a W10 Pro machine to my Azure AD, I get error 80004005, which tells me something went wrong and that I need to contact the admin and check my credentials.

So I emailed myself, but myself doesn't know what is going wrong.

The error can be seen here:

http://pho.to/A8Tdp

Anyone who can help me with this?

thanks.

AAD login fails on Windows 10 - event ID 1104, 1084, 1085


Hi,

I have my Windows 10 Surface Pro 3 Azure AD joined and use my Azure AD credentials to log in. This had been working fine until yesterday, when my local PIN became unavailable and I could not log in with my Azure AD username and password. I can log in to Office 365 successfully via a browser, so there doesn't seem to be anything wrong with the account. I have logged in with an alternate local account on my Surface and found errors in the AAD log:

1104 - AAD Cloud AP plugin call SignDataWithCert returned error: 0x80090030

1084 - Http transport error. Status: The device that is required by this cryptographic provider is not ready for use. Correlation ID: CE1DC064-9AC7-440C-A33D-339016D8CC3A
1085 - Logon failure. Status: 0xC0090030 Correlation ID: CE1DC064-9AC7-440C-A33D-339016D8CC3A
1104 - AAD Cloud AP plugin call Get token returned error: 0xC0090030

XML detail below:

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          24/06/2016 6:45:52 AM
Event ID:      1104
Task Category: AadCloudAPPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          SYSTEM
Computer:      DESKTOP-4ATB5SE
Description:
AAD Cloud AP plugin call SignDataWithCert returned error: 0x80090030
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AAD" Guid="{4DE9BC9C-B27A-43C9-8994-0915F1A5E24F}" />
    <EventID>1104</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>101</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000012</Keywords>
    <TimeCreated SystemTime="2016-06-23T20:45:52.470729600Z" />
    <EventRecordID>1269</EventRecordID>
    <Correlation ActivityID="{241ADF6D-CD48-0002-FD3D-1B2448CDD101}" />
    <Execution ProcessID="788" ThreadID="3652" />
    <Channel>Microsoft-Windows-AAD/Operational</Channel>
    <Computer>DESKTOP-4ATB5SE</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="API">SignDataWithCert</Data>
    <Data Name="Result">2148073520</Data>
  </EventData>
</Event>

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          24/06/2016 6:45:52 AM
Event ID:      1084
Task Category: AadCloudAPPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          SYSTEM
Computer:      DESKTOP-4ATB5SE
Description:
Http transport error. Status: The device that is required by this cryptographic provider is not ready for use. Correlation ID: CE1DC064-9AC7-440C-A33D-339016D8CC3A
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AAD" Guid="{4DE9BC9C-B27A-43C9-8994-0915F1A5E24F}" />
    <EventID>1084</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>101</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000012</Keywords>
    <TimeCreated SystemTime="2016-06-23T20:45:52.470840300Z" />
    <EventRecordID>1270</EventRecordID>
    <Correlation ActivityID="{241ADF6D-CD48-0002-FD3D-1B2448CDD101}" />
    <Execution ProcessID="788" ThreadID="3652" />
    <Channel>Microsoft-Windows-AAD/Operational</Channel>
    <Computer>DESKTOP-4ATB5SE</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Result">-2146893776</Data>
    <Data Name="Target">CE1DC064-9AC7-440C-A33D-339016D8CC3A</Data>
  </EventData>
</Event>

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          24/06/2016 6:45:52 AM
Event ID:      1085
Task Category: AadCloudAPPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          SYSTEM
Computer:      DESKTOP-4ATB5SE
Description:
Logon failure. Status: 0xC0090030 Correlation ID: CE1DC064-9AC7-440C-A33D-339016D8CC3A
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AAD" Guid="{4DE9BC9C-B27A-43C9-8994-0915F1A5E24F}" />
    <EventID>1085</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>101</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000012</Keywords>
    <TimeCreated SystemTime="2016-06-23T20:45:52.470865800Z" />
    <EventRecordID>1271</EventRecordID>
    <Correlation ActivityID="{241ADF6D-CD48-0002-FD3D-1B2448CDD101}" />
    <Execution ProcessID="788" ThreadID="3652" />
    <Channel>Microsoft-Windows-AAD/Operational</Channel>
    <Computer>DESKTOP-4ATB5SE</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Status">0xc0090030</Data>
    <Data Name="CorrelationID">CE1DC064-9AC7-440C-A33D-339016D8CC3A</Data>
  </EventData>
</Event>

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          24/06/2016 6:45:52 AM
Event ID:      1104
Task Category: AadCloudAPPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          SYSTEM
Computer:      DESKTOP-4ATB5SE
Description:
AAD Cloud AP plugin call Get token returned error: 0xC0090030
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AAD" Guid="{4DE9BC9C-B27A-43C9-8994-0915F1A5E24F}" />
    <EventID>1104</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>101</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000012</Keywords>
    <TimeCreated SystemTime="2016-06-23T20:45:52.471011700Z" />
    <EventRecordID>1272</EventRecordID>
    <Correlation ActivityID="{241ADF6D-CD48-0002-FD3D-1B2448CDD101}" />
    <Execution ProcessID="788" ThreadID="3652" />
    <Channel>Microsoft-Windows-AAD/Operational</Channel>
    <Computer>DESKTOP-4ATB5SE</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="API">Get token</Data>
    <Data Name="Result">3221815344</Data>
  </EventData>
</Event>

Hoping someone can assist.

Thank You
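The four events above are one logon attempt recorded under a single Correlation ActivityID, and the same failure code appears three ways: as unsigned decimal (2148073520), signed decimal (-2146893776) and NTSTATUS-style hex (0xc0090030). The block below, an added example written for this page rather than code from the poster or from Microsoft, parses Microsoft-Windows-AAD/Operational Event XML, normalises each Result/Status field to a 32-bit hex code, groups events by activity ID and picks out the earliest failure in the chain (the SignDataWithCert call, which precedes the "Get token" consequence). The sample input is a constructed, trimmed copy of the four events from the post; the one named code, 0x80090030 = NTE_DEVICE_NOT_READY, is taken from winerror.h and matches the text of the 1084 event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Codes named in winerror.h; the 1084 event text in the post spells this one out.
KNOWN_CODES = {
    "0x80090030": "NTE_DEVICE_NOT_READY: the cryptographic provider's device (the TPM) is not ready",
}

# Constructed sample: the four Microsoft-Windows-AAD/Operational events from the
# post, trimmed to the elements the parser reads and wrapped in one root element.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1104</EventID><TimeCreated SystemTime="2016-06-23T20:45:52.470729600Z"/>
    <Correlation ActivityID="{241ADF6D-CD48-0002-FD3D-1B2448CDD101}"/></System>
  <EventData><Data Name="API">SignDataWithCert</Data><Data Name="Result">2148073520</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1084</EventID><TimeCreated SystemTime="2016-06-23T20:45:52.470840300Z"/>
    <Correlation ActivityID="{241ADF6D-CD48-0002-FD3D-1B2448CDD101}"/></System>
  <EventData><Data Name="Result">-2146893776</Data><Data Name="Target">CE1DC064-9AC7-440C-A33D-339016D8CC3A</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1085</EventID><TimeCreated SystemTime="2016-06-23T20:45:52.470865800Z"/>
    <Correlation ActivityID="{241ADF6D-CD48-0002-FD3D-1B2448CDD101}"/></System>
  <EventData><Data Name="Status">0xc0090030</Data><Data Name="CorrelationID">CE1DC064-9AC7-440C-A33D-339016D8CC3A</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1104</EventID><TimeCreated SystemTime="2016-06-23T20:45:52.471011700Z"/>
    <Correlation ActivityID="{241ADF6D-CD48-0002-FD3D-1B2448CDD101}"/></System>
  <EventData><Data Name="API">Get token</Data><Data Name="Result">3221815344</Data></EventData>
</Event>
</Events>"""


def to_code(value):
    """Normalise a Result/Status field to unsigned 32-bit hex. The log writes
    the same code as unsigned decimal (2148073520), signed decimal
    (-2146893776) or hex (0xc0090030)."""
    s = value.strip()
    n = int(s, 16) if s.lower().startswith("0x") else int(s)
    return f"0x{n & 0xFFFFFFFF:08X}"


def parse_aad_events(xml_text):
    """Return one dict per <Event>: id, time, activity id, API name, code, target."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        raw = data.get("Result", data.get("Status"))
        events.append({
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "activity_id": system.find("e:Correlation", NS).get("ActivityID"),
            "api": data.get("API"),
            "code": to_code(raw) if raw is not None else None,
            "target": data.get("Target") or data.get("CorrelationID"),
        })
    return events


def group_by_activity(events):
    """Group events that share a Correlation ActivityID, i.e. one logon attempt."""
    groups = {}
    for e in sorted(events, key=lambda e: e["time"]):
        groups.setdefault(e["activity_id"], []).append(e)
    return groups


def first_failure(events):
    """Earliest event of one attempt: the root failure rather than its consequences."""
    return min(events, key=lambda e: e["time"])


def describe(code):
    """Name a code from KNOWN_CODES; for an NTSTATUS-style 0xC... value report the
    HRESULT that carries the same facility and code bits (0xC0090030 -> 0x80090030)."""
    if code in KNOWN_CODES:
        return KNOWN_CODES[code]
    sibling = f"0x{0x80000000 | (int(code, 16) & 0x0FFFFFFF):08X}"
    if sibling in KNOWN_CODES:
        return f"same facility/code bits as {sibling} ({KNOWN_CODES[sibling]})"
    return "unrecognised code"


if __name__ == "__main__":
    for activity, chain in group_by_activity(parse_aad_events(SAMPLE_EVENTS)).items():
        root_cause = first_failure(chain)
        print(f"{activity}: {len(chain)} events, first failure {root_cause['api']} "
              f"-> {root_cause['code']} ({describe(root_cause['code'])})")
        for e in chain:
            print(f"  {e['time']} {e['event_id']} {e['api'] or '-'} {e['code']}")
```

Reading the chain this way points at the key-storage provider rather than at the account: the signing call fails before any token request is made, which is consistent with the poster's observation that browser sign-in to Office 365 still works.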

Any case studies on companies who adopted Azure AD


I am looking for any case studies of companies (big companies preferred) who adopted Azure AD for their identity management. Please share if there is any paper that discusses it. 

Thank you. 

Failed migration from DirSync to Azure AD Connect


Hi,

I've just run the migration from DirSync to Azure AD Connect and it failed with the following error:

"Unable to communicate with Azure AD to get custom sync interval because sign in client service is not running. Service Name MSOIDSVC"

On then manually starting the "msoidsvc" service, the error was replaced with:

"Error running the Dirysync uninstall tool C:\Program Files\UninstallDirectorySync.exe, System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified"

I then exited and restarted the installation tool, and it then reported:

"It appears that you are resuming a scenario which was not completed previously during installation. Please uninstall and try again"

As DirSync has now been removed what is my best way forward to ensure that my sync configuration is migrated?

Many thanks
Mike


How to join or connect a local client computer to Windows Server 2012 R2 domain inside Azure?


Hi,

I have created a virtual machine in Azure (a Windows Server 2012 R2). I also created a federation and domain in that server.

At home I have a local Windows Server 2012 R2 with a domain to which 5 computers are joined. It is easy to join a local computer to my local server and its domain.

However I have another computer at home running Windows 10 Professional that is not part of any domain. How can I join this computer to the domain that I have created in my Windows Server 2012 R2 inside Azure?!

Regards / F


Azure AD Connect with old User Forest as Resource Forest: Attribute Sync issue


Situation:

We have an existing forest which holds our users (Forest A). Within this forest our Lync infrastructure is installed. We are in the process of migrating all the users to a new user forest (Forest B). We have set up Azure AD Connect as outlined in this TechNet article:

https://technet.microsoft.com/en-us/library/mt603995.aspx

We have also used the recommendation on this webpage to make sure that the attributes of the new user forest (Forest B) take precedence over the old user forest (Forest A):

https://dirteam.com/dave/2015/04/15/azure-active-directory-synchronization-object-matching/

In my understanding, when I now change the Office attribute of the user within the new user forest (Forest B), this value should be used to sync up to Azure Active Directory, even if the attribute has not changed in Forest A and may differ afterwards.

Issue:

Azure AD Connect always takes the attribute from old Forest A rather than new Forest B, which means we have to change the attributes in both domains. I know that we should have an IM solution in place to take care of the attributes between the domains, but because we want to eliminate Forest A, we don't want to build up an IM solution.

I think that Azure AD Connect gives precedence to accounts that have existed longer when merging. In our case, the user accounts within the old Forest A may have existed for years, whereas the account in the new Forest B has only existed for some weeks.

Has someone else run into this topic and may have some information? Thanks a lot



Authentication Issue in Azure Management API


Hi All,

I am developing an application which will use the Azure Management API to show details about the VMs, start and stop the VMs, and so on.

I am able to authenticate the user, but once I try to get information about the VM it shows:

user not authorized to perform Microsoft.Compute/virtualMachines/read

But I am the admin on my Azure account, and it has owner+reader permission. I am able to do the same thing using PowerShell but not from the application.

I referred this link for development:

https://azure.microsoft.com/en-in/documentation/articles/virtual-machines-windows-csharp-manage/

My sample code is below:

    using System;
    using System.Threading.Tasks;
    using Microsoft.Azure.Management.Compute;
    using Microsoft.Azure.Management.Compute.Models;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    using Microsoft.Rest;

    class Program
    {
        static void Main(string[] args)
        {
            var groupName = "XYZ";
            var vmName = "DC1";
            var location = "Southeast Asia";
            var subscriptionId = "My Subscription ID";

            // Client-credentials token: it identifies the application's service
            // principal, not the signed-in user, so Azure RBAC role assignments
            // (Reader, Contributor, ...) must be granted to that service principal.
            var token = GetAccessTokenAsync().GetAwaiter().GetResult();
            var credential = new TokenCredentials(token.AccessToken);

            // Block until the async call completes so any exception surfaces here
            // rather than being lost from an un-awaited "async void" method.
            GetVirtualMachineAsync(credential, groupName, vmName, subscriptionId)
                .GetAwaiter().GetResult();
            Console.WriteLine("\nPress enter to continue...");
            Console.ReadLine();
        }

        private static async Task<AuthenticationResult> GetAccessTokenAsync()
        {
            // Placeholders: application (client) id, secret and tenant id from the app registration.
            var cc = new ClientCredential("{client-id}", "{client-secret}");
            var context = new AuthenticationContext("https://login.windows.net/{tenant-id}");
            var result = await context.AcquireTokenAsync("https://management.azure.com/", cc);
            if (result == null)
            {
                throw new InvalidOperationException("Could not get the token");
            }
            return result;
        }

        // Returns Task (not void) so the caller can await it and observe failures.
        public static async Task GetVirtualMachineAsync(
            TokenCredentials credential,
            string groupName,
            string vmName,
            string subscriptionId)
        {
            Console.WriteLine("Getting information about the virtual machine...");

            var computeManagementClient = new ComputeManagementClient(credential)
            { SubscriptionId = subscriptionId };
            // This is the call that requires Microsoft.Compute/virtualMachines/read on the VM.
            var vmResult = await computeManagementClient.VirtualMachines.GetAsync(
                groupName,
                vmName,
                InstanceViewTypes.InstanceView);

            Console.WriteLine("hardwareProfile");
            Console.WriteLine("   vmSize: " + vmResult.HardwareProfile.VmSize);

            Console.WriteLine("\nstorageProfile");
            Console.WriteLine("  imageReference");
            Console.WriteLine("    publisher: " + vmResult.StorageProfile.ImageReference.Publisher);
            Console.WriteLine("    offer: " + vmResult.StorageProfile.ImageReference.Offer);
            Console.WriteLine("    sku: " + vmResult.StorageProfile.ImageReference.Sku);
            Console.WriteLine("    version: " + vmResult.StorageProfile.ImageReference.Version);
            Console.WriteLine("  osDisk");
            Console.WriteLine("    osType: " + vmResult.StorageProfile.OsDisk.OsType);
            Console.WriteLine("    name: " + vmResult.StorageProfile.OsDisk.Name);
            Console.WriteLine("    createOption: " + vmResult.StorageProfile.OsDisk.CreateOption);
            Console.WriteLine("    uri: " + vmResult.StorageProfile.OsDisk.Vhd.Uri);
            Console.WriteLine("    caching: " + vmResult.StorageProfile.OsDisk.Caching);

            Console.WriteLine("\nosProfile");
            Console.WriteLine("  computerName: " + vmResult.OsProfile.ComputerName);
            Console.WriteLine("  adminUsername: " + vmResult.OsProfile.AdminUsername);
            Console.WriteLine("  provisionVMAgent: " + vmResult.OsProfile.WindowsConfiguration.ProvisionVMAgent.Value);
            Console.WriteLine("  enableAutomaticUpdates: " + vmResult.OsProfile.WindowsConfiguration.EnableAutomaticUpdates.Value);

            Console.WriteLine("\nnetworkProfile");
            foreach (NetworkInterfaceReference nic in vmResult.NetworkProfile.NetworkInterfaces)
            {
                Console.WriteLine("  networkInterface id: " + nic.Id);
            }

            Console.WriteLine("\nvmAgent");
            Console.WriteLine("  vmAgentVersion: " + vmResult.InstanceView.VmAgent.VmAgentVersion);
            Console.WriteLine("    statuses");
            foreach (InstanceViewStatus stat in vmResult.InstanceView.VmAgent.Statuses)
            {
                Console.WriteLine("    code: " + stat.Code);
                Console.WriteLine("    level: " + stat.Level);
                Console.WriteLine("    displayStatus: " + stat.DisplayStatus);
                Console.WriteLine("    message: " + stat.Message);
                Console.WriteLine("    time: " + stat.Time);
            }

            Console.WriteLine("\ndisks");
            foreach (DiskInstanceView idisk in vmResult.InstanceView.Disks)
            {
                Console.WriteLine("  name: " + idisk.Name);
                Console.WriteLine("  statuses");
                foreach (InstanceViewStatus istat in idisk.Statuses)
                {
                    Console.WriteLine("    code: " + istat.Code);
                    Console.WriteLine("    level: " + istat.Level);
                    Console.WriteLine("    displayStatus: " + istat.DisplayStatus);
                    Console.WriteLine("    time: " + istat.Time);
                }
            }

            Console.WriteLine("\nVM general status");
            Console.WriteLine("  provisioningStatus: " + vmResult.ProvisioningState);
            Console.WriteLine("  id: " + vmResult.Id);
            Console.WriteLine("  name: " + vmResult.Name);
            Console.WriteLine("  type: " + vmResult.Type);
            Console.WriteLine("  location: " + vmResult.Location);
            Console.WriteLine("\nVM instance status");
            foreach (InstanceViewStatus istat in vmResult.InstanceView.Statuses)
            {
                Console.WriteLine("\n  code: " + istat.Code);
                Console.WriteLine("  level: " + istat.Level);
                Console.WriteLine("  displayStatus: " + istat.DisplayStatus);
            }
        }
    }


Please help me out.

CodeHunt: ACS50000 There was an error issuing a token.

Error 400 with ACS50000 "There was an error issuing a token" when I try to log in to the codehunt.com website.

HOW TO Import members From a Security Group with AZURE AD Connect


Hello,

I have an issue while trying to sync from a specific OU\Security Group the members that are included in on-premises AD to Azure AD. We have one forest, many OUs and more than 11,000 objects. We do not want to move users from other OUs to the new one which we are going to use for AD Connect, because users will lose the credentials and policies that they already have. In the new OU we made a Security Group and added members to it. When the sync completes we can see the new group in Azure AD with no members included.

For your information, this is the only way of transferring/syncing users from on-premises to Office 365/Azure AD: OU\Security Group\Members. I read on TechNet that nested members cannot be transferred/synced to Azure AD. Thanks in advance.

SSO using SAML 2.0 IDP to Office 365 is not working


I am trying to SSO from my system to Office 365 using SAML 2.0. Previously I could do that, but now it's broken with the following error:

What might have gone wrong? There is no change in the setup of my system.


Rahul Mondal Sr. Software Eng. ensim.com

Sync AD groups with Azure AD


Hi Friends,

I have a little problem and I hope that you will help. In my company we were using a Team Foundation Server and we were giving access to people using Microsoft Active Directory (users and groups): when a new person joins our team we add him to a group which has access to a specific project, and then the new member directly has access to that project. Now we have moved to VSTS, and VSTS can only use Azure Active Directory. We were able to synchronize users and add them to VSTS, but the problem is that we cannot find a way to synchronize the groups that we already have in Microsoft AD to AAD (Azure Active Directory), so as to use them in VSTS rather than create new VSTS groups. If you have an idea please do not hesitate :) Thanks.


No Subscriptions Found on Azure Portal - CSP Sandbox account


Hi

I am using the Microsoft CSP test console application containing different scenarios for the usage of the Partner Center SDK.
I was getting this error:
"AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion".
I found a solution in
this link. But the problem is that when I sign in to manage.windowsazure.com using my Sandbox account to create a native client application in Azure AD and set up delegated permission for the Partner Center application, I see the message "No Subscriptions Found."

Error Page - manage.windowsazure.com

Please guide. Thanks.


Rizwan Ahmed. Software Engineer - Microsoft Lync | Exchange | SharePoint | Blackberry Enterprise Server | .NET


How can I know the version of my Azure AD?


Hi,

I have deployed a couple of instances of Azure AD inside my EA subscription, but I was never prompted to choose the version (Free or Basic) and I can't find that information anywhere in the portal.

Is there any way to know in which version I am running each instance?

Kr,

Carles

Delegated permissions for managing Azure AD Applications


Hi all,

I have a requirement from a customer and I do not know if this is even possible. I hope somebody can shed some light on this topic.

My customer wants to have delegated administration over the Azure AD Applications. This means that they want to have an Azure AD Applications administrator with permissions for performing tasks related to the Azure AD Applications administration, like:

  • adding or removing SaaS applications
  • being able to publish internal applications through the Azure AD App Proxy
  • Assign or remove users/groups from applications

I have checked on Azure Role-Based Access Control feature (https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/), as it enables fine-grained control over who can manage what on all Azure services. However, there does not seem to be specific permissions for Azure AD (I guess because it is not migrated to the new resource group model yet).

I have also checked the Privileged Identity Management feature, but it does not provide what we are looking for.

Does anybody know if this is possible? If not, is this in the EMS roadmap?

Regards,

Simon

Azure AD Connect: Disabling users in AD does not change "accountEnabled" to false in metaverse object properties


We are using Office 365 and Azure AD Connect 1.1.180.0. We've observed that when we disable some users in local AD and do a sync (full or delta), the metaverse object property "accountEnabled" remains set to true, and the Office 365 sign-in status remains set to "allowed". However, when we change other properties for these same user accounts (such as phone number, for example), the update is processed and synced to Azure AD/Office 365 as expected.

This is not affecting all user accounts; it is happening consistently with new user accounts and also accounts that were created in the last few months. Older user accounts seem to be unaffected, that is, if we disable them and run a sync, the "accountEnabled" property is set to false and their sign-in status in Office 365 gets set to blocked.

Any ideas about how to troubleshoot this?

Rights Management Service Application API returns 0x800704DC


I created a service principal on my Azure account using this guide: https://docs.microsoft.com/en-us/rights-management/develop/how-to-use-file-api-with-aadrm-cloud

When I try to test the newly created credentials using the Unprotect-RMSFile or the Get-RMSServer PowerShell command, I get the error "The operation being request was not performed because the user has not been authenticated. HRESULT: 0x800704DC"

Thanks for your help!
