Channel: Azure Active Directory forum

monitor azure AD Connect


I upgraded from Azure AD Sync to Azure AD Connect. We have a Hybrid Office 365 (E3) setup with Windows 2012 Active Directory. We do a directory sync w/ password.

I want to be able to check the status of the Sync but I don't see any tools for doing this. When I look online everything is about Azure AD Connect Health - which requires Azure AD Premium.

So how do those of us who do not have Azure AD Premium monitor our Azure AD Connect sync status?



Fred Zilz


Azure AD Device Join / Win 10 / Browser Support

We seem to have Azure AD device join on Windows 10 working.  It will automatically register the device with Azure AD and will automatically sign the user in to Office 365 using Edge or IE browsers.  Is there any support for this auto-login in other browsers (i.e. Chrome)?

group provisioning fails but no error msg


From @jaspoorvia Twitter

 

group provisioning fails but no error msg, users work. Can you help?

I am trying to implement SCIM to set up provisioning next to a working Azure AD SSO setup with our expense management application. For now Azure successfully managed to GET users, POST new ones and PATCH a few properties. It also managed to POST two groups (Logistics and Leasecars), however now it seems stuck. If I hit "restart provisioning" in Azure, it starts off GET'ing Users, which are up-to-date so it finishes without issue, and then starts GET'ing Groups, which are _not_ up to date so should be PATCH'ed. Somehow it stops there and in the provision error report it shows no error message, but just a code "SystemForCrossDomainIdentityManagementBadResponse". My logs say that each request responded with a 200 OK.

referring to following documentation: azure.microsoft.com/en-us/document…

Thanks,

@AzureSupport


DX10222: Lifetime validation failed. The token is not yet valid.


Hi All,

I am working on an OpenID Connect Azure authentication application using .NET MVC. When I published the project to local IIS and tried to run the application, it goes to the Microsoft online account page, where I enter my organization email ID and password for authentication. After authenticating there I should come back to the redirect URL that I have given, but it does not come back to the redirect URL.

The nonce cookie keeps being generated and appended to the URL, and finally I get a 400 Bad Request error.

But when I run the project in IIS Express, everything works fine and I am redirected back to my redirect URL.

Can anyone please help with why it is not working when I publish my code to local IIS?

Here is the code in my startup.auth.cs class inside the app_start folder:

using System;
using System.Collections.Generic;
using System.Configuration;
using System.Globalization;
using System.Linq;
using System.Web;
using Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

namespace WabtecSharedService
{
    public partial class Startup
    {
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        private static string authority = aadInstance + tenantId;

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri
                });
        }
    }
}


Sync AD groups with Azure AD


Hi Friends,

I have a little problem and I hope that you will help. In my company we were using Team Foundation Server and we were giving access to people using Microsoft Active Directory (users and groups): when a new person joins our team we add him to a group which has access to a specific project, and the new member then directly has access to that specific project. Now we have moved to VSTS, and VSTS can use only Azure Active Directory. We were able to synchronize users and add them to VSTS, but the problem is that we cannot find a way to synchronize the groups that we already have in Microsoft AD to AAD (Azure Active Directory) so that we can use them in VSTS and not create new VSTS groups. If you have an idea please do not hesitate :) Thanks.

Error 80180008 upon AD join


Desired state:

I want to be able to Azure AD Join a box and have it auto enrolled in Intune. 

Where I'm at:

I did this last week and it worked fine on my desktop (with my account) but now it's failing. I have configured the Intune app in Azure AD and set it to "All". I also tried this with "Group" and I get the same error. When I set it to "None" the Azure AD Join works but the device will never end up in Intune (which is the goal). So I know it's specific to the Intune enrollment. I have tried this with a brand new user and new device with the same error. I found a few pointers to it being a licensing issue but I checked that this user has EMS. For good measure I used the same account (mine) that worked last and that I know has a good EMS license and it still fails with the same error. I know this is in preview, is there a widespread issue?

Error:

Intune Config:

License:

Update of certificate in MS


Hi,

Just received an email about a change of a certificate in MS Azure :

https://azure.microsoft.com/en-us/blog/upcoming-azure-active-directory-certificate-rollover-august-15-2016/

I have an ADFS 3.0 server with the auto-certificate renewal in manual (not auto for some developer issues we had in the past). Should this affect those manual ADFS servers?

Thanks in advance!

Access Control Service : Relying Party Application failed while creation


Hi,

While I am trying to create a Relying Party Application, it fails with an error message, as shown in the image below.

I am not sure how to continue or what the causes of the issue are.


Password Writeback Permissions


Good morning!

I'm trying to implement password writeback; everything is in place, but when attempting a password change, I get an 'unrecoverable error' and the 'request could not be processed'.

It has to do with permissions for the MSOL account that manages AD DS. I know it does, it's the only thing that is complex about configuring this thing. From 'Review Your Solution' in Azure Active Directory Connect:

MSOL account

I followed the directions as best I could, but: (i) I only have Windows Server 2008 R2, so the permissions screen looks different; (ii) I noticed that my Azure AD Connect v.1.1 account that was provisioned by my Enterprise Admin does not have all the permissions that the one in the screen captures from the directions has.

I was wondering if anyone had a full list of what permissions this account should have?

This is a test domain, that is otherwise just totally vanilla - it was created for this very test. There are no GPOs other than the default ones. Everything about the setup went flawlessly.

Thanks for any advice or guidance!


Joe

Join Windows 10 Mobile to Azure AD without Strong Authentication


Hi, J. Decker describes the nice user experience for joining a Win10 Mobile device to Azure AD with all the benefits

https://technet.microsoft.com/en-us/itpro/windows/manage/join-windows-10-mobile-to-azure-active-directory

Sounds very good, but my problem is the Strong or Multifactor Authentication during the setup in the OOB phase.

After login with the Work or School Account I am prompted for this second factor, but at this time the phone isn't ready because the SIM card is locked.

So it means the user needs a second device/phone to verify this process, doesn't it?

J. Decker also says

"If you are taken to your organization's sign-in page, you may be required to provide a second factor of authentication"

Does it mean it can be disabled?

There is an option in Azure AD for Device Registration called "Require Multi-factor Auth to join devices", but this setting is turned off and the Strong Factor is still appearing.

So how can I disable the second factor to solve my issue?



How to join or connect a local client computer to Windows Server 2012 R2 domain inside Azure?


Hi,

I have created a virtual machine in Azure (a Windows Server 2012 R2). I also created a federation and domain in that server.

At home I have a local Windows Server 2012 R2 with a domain that 5 computers are joined to that domain. It is easy to join a local computer to my local Server and its domain.

However I have another computer at home running Windows 10 Professional that is not part of any domain. How can I join this computer to the domain that I have created in my Windows Server 2012 R2 inside Azure?!

Regards / F


 

Authentication error when on-premise DC is offline.


Hi there.

We have connected our datacenter through a gateway VPN to Azure and Office 365. On Azure, we have Azure AD and 2 VMs with ADFS for SSO and ADFS Proxy. When the on-premises DCs go offline or we have a VPN issue, the users that connect to SharePoint Online, Exchange Online or other cloud services cannot authenticate. They can connect to the ADFS portal, but it gives a password or user ID error.

We thought that enabling the password sync feature in Azure AD would solve this issue, but we still have problems. Can you help us?

Thanks a lot.

Error getting OAuth user token


Hi,

We started getting the following error in the last few hours (worked fine before that) when trying to get an OAuth user token by executing a POST to: https://login.microsoftonline.com/common/oauth2/token.

We are sending all the required information to the endpoint, and we're getting the consent from the user seconds before invoking this endpoint.

Could this be related to a recent deployment?

The error:

correlation_id: 1778d767-93f7-41ef-b428-3d590d380273

error: invalid_grant

error_codes: [65001]

timestamp: 2016-07-26 22:44:35Z

trace_id: f81aa9ae-85b8-443f-b929-c688c33d9de1

error_description:

AADSTS65001: The user or administrator has not consented to use the application with ID [Application ID]. Send an interactive authorization request for this user and resource.

Trace ID: f81aa9ae-85b8-443f-b929-c688c33d9de1

Correlation ID: 1778d767-93f7-41ef-b428-3d590d380273

Timestamp: 2016-07-26 22:44:35Z

Azure AD Connect - Disable Users vs Delete

Using the Azure AD Connect tool how would I go about blocking/disabling users on Azure AD rather than send them to the 30 day delete queue? I'm using the out-of-the-box configuration pointing at a single master group on our internal AD. The master group contains all users and other groups I want to be synced.

This would be the associated PowerShell command, however the documentation states this cannot be performed on a synced user. https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx

    Set-MsolUser -BlockCredential $true

Configuring AAD Sync Error


Receiving this error when running this Azure sync, any ideas?

Thanks

Curt


Alternative to Azure AD Graph API

We are creating an application where performance is critical. At present we are using the REST based Azure AD Graph API to create users/groups. However we are not able to process more than 40 users/minute using these endpoints. Our requirement is to create around 3 million users and at this rate it would take us nearly 50 days to get all users to cloud. Is there any alternative to the Graph API to increase the performance?

Multifactor Auth with Custom Apps?


We're looking to upgrade to AzureAD Premium and Multifactor Auth and just need to first find out if the custom apps we created for SSO (by creating a new App from the Gallery and then choosing Custom) will work with Multifactor?

[webAPI][AAD Auth] restricting Authentication for non-organizational account like live.com/hotmail.com


Hi,

We have a requirement to restrict users other than "microsoft.com". Do we have any option to specify that it should not take any other accounts like live.com or hotmail.com etc.?

We have the code below implemented in our MVC web API.

                       

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        ExpireTimeSpan = new TimeSpan(1, 0, 0)
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = ConfigurationManager.AppSettings["ida:ClientID"],
            Authority = String.Format(CultureInfo.InvariantCulture, ConfigurationManager.AppSettings["ida:AADInstance"], ConfigurationManager.AppSettings["ida:Tenant"]),
        });

    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true, ValidAudience = ConfigurationManager.AppSettings["ida:Audience"] }
        });

Please let me know if you need any more info.

Thanks in advance.

Regards,

Sravan kumar. 

Azure AD Connect couldn't complete the integration


Hello,

I am in the process of activating the Directory sync with Azure but encountered the following error after choosing the 'Refresh Schema' option.

After looking through the log files, I encountered an error that told me that I was using the wrong credentials even though I used the same credentials in the window before running the integration wizard.

Does Azure AD Connect depend on two separate passwords or is there something else going on that I missed out on?

Note: I can put the information of the log files here if that may help.

Assigning an Office 365 license with PowerShell and New-AzureADUser/Set-AzureADUserLicense


I am using the new AzureADPreview PowerShell module and want to assign an Office 365 license with either New-AzureADUser or Set-AzureADUserLicense.

My problem is that I don't know how to create the needed parameter value for the AssignedLicenses parameter.

This is what I have tried so far:

$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

# $License.SkuId = "3a9405b0-5588-4568-add1-99614e613b69"

$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$Licenses.AddLicenses = $License

$User = Get-AzureADUser -Filter "UserPrincipalName eq 'user@tenant.onmicrosoft.com'"
$UserId = $User.ObjectId

Set-AzureADUserLicense -AssignedLicenses $Licenses -ObjectId $UserId

The problem is that I cannot assign the SkuId because the property is read only.

How can I create the Licenses object needed for the AssignedLicenses parameter?

Regards,

Peter
