Channel: Azure Active Directory forum
Viewing all 16000 articles

User account is disabled when I configure AAD Sync


Why do I get this when I try to configure AAD sync tool?

AADSTS70002: Error validating credentials. AADSTS50057: User account is disabled

And what account does it mean? The log files don't say much more.


Stop syncing user with Azure AD Connect


So I'm in the midst of testing Azure AD Connect. So far I've been able to get my local AD test account sourced from my Local Active Directory through SMTP-matching.

My question is, how do I move the source of authority back to Azure AD if I want to discontinue with syncing this account from Local Active Directory?


Convert Users from synced to cloud only and remove AADSYNC


Hi All,

Is there a way to convert users that have been synced from on-prem AD using AADSYNC to cloud-only users, and to actually cease AADSYNC altogether?

I appreciate that this is a strange question, but the reasons for asking are client / politically driven rather than technical. I will try to explain below.

Unfortunately, a client we support (750-100 seats) that uses a simple, straightforward on-prem Exchange has been bought by a parent company that wants to move them to O365. Sadly, further to this, they want them to be migrated to their existing tenancy, where they have already set up directory syncing with another forest, plus have several other smaller organisations already onboarded as cloud-only users.

The organisation that we are tasked with migrating is substantially larger than anything they have already onboarded onto the tenancy.

Obviously, we would want our client to be synced from on-prem due to their size and best practice guidance from Microsoft. This is impossible to achieve given that there is already an AADSYNC in place.

We need to get to a point where we can begin a "Multiple forests, single Azure AD directory topology" with O365, as described here: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect-topologies/

In order to do this we need a "neutral" AADSYNC server with access to all of the forests that may need to be synced - which means removing the existing one and creating a new one?

Any advice greatly appreciated.

Ben



Assigning an Office 365 license with PowerShell and New-AzureADUser/Set-AzureADUserLicense


I am using the new AzureADPreview PowerShell module and want to assign an Office 365 license with either New-AzureADUser or Set-AzureADUserLicense.

My problem is that I don't know how to create the needed parameter value for the AssignedLicenses parameter.

This is what I have tried so far:

# Build a single AssignedLicense entry for the SKU to add
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

# $License.SkuId = "3a9405b0-5588-4568-add1-99614e613b69"

# Wrap it in the AssignedLicenses container that Set-AzureADUserLicense expects
$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$Licenses.AddLicenses = $License

# Look up the target user and take its object id
$User = Get-AzureADUser -Filter "UserPrincipalName eq 'user@tenant.onmicrosoft.com'"
$UserId = $User.ObjectId

Set-AzureADUserLicense -AssignedLicenses $Licenses -ObjectId $UserId

The problem is that I cannot assign the SkuId because the property is read only.

How can I create the Licenses object needed for the AssignedLicenses parameter?

Regards,

Peter

MIM to work with multi-factor authentication


Hi All,

I am trying to integrate the MIM SSPR with Azure MFA. I created a new MFA service provider and downloaded the SDK file to get the LICENSE_KEY, GROUP_KEY and CERT_PASSWORD.

I performed all the steps given in the below link

https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-self-service-password-reset

But still, during the OTP gate the OTP is not sent, and I am getting the following error in the event logs: Azure MFA: Authentication Failed. Call Status='', ErrorID='0'. Any idea on this error?

Could not remove a domain from an AAD


After having removed every active object and all activity from a domain, I am still unable to remove the domain from an AAD. This is the reaction I always get (even after waiting a considerable time):

Please try again. If the problem persists, contact support.

Any solution / suggestions?

Peter


"Every misfortune is a new challenge"

AADSTS65005 - Consent validation failed


Dear all,

This might not be the right forum, but I have registered my application in the 'Application Registration Portal': https://apps.dev.microsoft.com/#/appList

I have the client id/app id and the client secret, and previously this was working using the following account: admin@XXXXX.onmicrosoft.com; the 'Consent Request' pops up and I am able to give consent.

However, recently I have been trying via another account, i.e. user3@XXXXX.onmicrosoft.com, and this redirects to my registered URL without the 'Consent screen'.

Below is the error message returned,

error=access_denied&error_description=AADSTS65005%3a+Consent+validation+failed%3a%0d%0aTrace+ID%3a+be71ab23-b45c-47a9-8932-50a24ce86505%0d%0aCorrelation+ID%3a+a49121b9-5bc2-4bd3-934d-551eaa68261b%0d%0aTimestamp%3a+2015-10-26+08%3a28%3a02Z

Any hints would be great!

Thanks

William Man

Multiple AD Accounts - One SSO Login Options?


From Corey Kime @coreykime via Twitter.

"can you have multiple active directory accounts feed in to one SSO login? Doing some research...thanks!"

"just discovered its multiple AD accounts, but not on Azure. Would this doc still apply? Or something different?"

Thanks,

@AzureSupport


Remove Azure AD Application from my company's Office 365 App Launcher


Hi, we need to remove or hide most Azure AD applications from our company's Office 365 app launcher.

By default, when you ASSIGN a user to an 'Azure AD App', the custom app appears in all ASSIGNED users' Office 365 launcher, under 'view all my apps'.

We don't want this to happen automatically, or alternatively we want to remove/hide the apps completely for the company! How can we remove it for the whole company, not just individual users?

Reference: http://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_manage/remove-custom-app-from-launcher/8427ed74-50ae-4ef8-9b36-958629af60c9?rtAction=1470927861478

Regards,

User sign in issue to office365 portal


User not able to log in to the O365 portal,

getting below error:

Sorry, we are having trouble signing you in

we received a bad request

correlation id: 37740dab-bc37-4448-8570-8dca594d067d

aadsts90019:no tenant-identifying information found in either the request or implied by any provided credentials

Did test in remote connectivity analyser :

SSO failed

The Microsoft Connectivity Analyzer is analyzing the security token for required elements.
Problems were found while analyzing the security token.
Additional Details
The NameIdentifier element wasn't found in the AuthenticationStatement section of the security token.
Elapsed Time: 1 ms


Authentication_MissingOrMalformed. Access Token missing or malformed. Creating user in Azure AD via Graph API using Ajax call.


Error Occurred:

<error xmlns="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<code>Authentication_MissingOrMalformed</code>
<message xml:lang="en">Access Token missing or malformed.</message>

</error>

Ajax Call:

function homeController($scope, $timeout, $http, adalService, $location, dashboardServices) {

    $scope.signup = function () {
        var $jq = jQuery.noConflict();

        // Request body for a local-account user in the directory
        var data = {
            "accountEnabled": true,
            "creationType": "LocalAccount",
            "displayName": "TestUser",
            "passwordProfile": {
                "password": "Test1234",
                "forceChangePasswordNextLogin": false
            },
            "signInNames": [
                {
                    "type": "userName",
                    "value": "TestUser"
                },
                {
                    "type": "emailAddress",
                    "value": "testuser@singlepane.com"
                }
            ]
        };

        // Token for the Azure AD Graph resource, obtained through ADAL
        var cachedtoken = adalService.acquireToken('https://graph.windows.net');
        $jq.ajax({
            url: 'https://graph.windows.net/dreynoldscomputeblocks.onmicrosoft.com/users?api-version=1.6',
            headers: { 'Authorization': 'Bearer ' + adalService.acquireToken('https://graph.windows.net') },
            type: 'POST',
            data: data,
            contentType: "application/json"
        })
        .done(function (data) {
            alert("success");
        })
        .fail(function (data) {
            alert("error");
        });
    };

}
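As an added example (not code from either post), here are the same two Azure AD Graph calls built so the header and body can be checked before anything is sent: the local-account user creation from the Ajax post above, and the assignLicense action that is the REST counterpart of the Set-AzureADUserLicense call in the earlier license post. Tenant, user id, SKU id and token values are constructed placeholders; ADAL for AngularJS is assumed to return a promise from acquireToken, so the token string must be awaited before it goes into the header.

```javascript
// Added example, not code from the forum posts. Builds Azure AD Graph (api-version=1.6)
// requests as plain objects so the header and body can be inspected before sending.
// Tenant, ids, token and SKU values used with these functions are placeholders.
const GRAPH = 'https://graph.windows.net';

// An access token is a compact JWS: three base64url segments joined by dots. A Promise
// concatenated into the header ("Bearer [object Object]") fails this check, which is the
// kind of value the service rejects as Authentication_MissingOrMalformed.
function looksLikeJwt(token) {
  return typeof token === 'string' &&
    /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(token);
}

function graphRequest(tenant, path, token, body) {
  if (!looksLikeJwt(token)) throw new Error('access token missing or malformed');
  return {
    url: `${GRAPH}/${tenant}/${path}?api-version=1.6`,
    method: 'POST',
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    // jQuery's data: {...} would form-encode the object; Graph needs a JSON document.
    body: JSON.stringify(body),
  };
}

// Local-account user, as in the Ajax post. Forcing a password change at first sign-in
// keeps the provisioning password from remaining the long-term credential.
function createLocalAccountRequest(tenant, token, user) {
  return graphRequest(tenant, 'users', token, {
    accountEnabled: true,
    creationType: 'LocalAccount',
    displayName: user.displayName,
    passwordProfile: { password: user.initialPassword, forceChangePasswordNextLogin: true },
    signInNames: [
      { type: 'userName', value: user.userName },
      { type: 'emailAddress', value: user.email },
    ],
  });
}

// REST counterpart of Set-AzureADUserLicense: the assignLicense action on the user.
// The user's usageLocation must already be set or the directory refuses the assignment.
function assignLicenseRequest(tenant, token, userObjectId, skuId, disabledPlans = []) {
  return graphRequest(tenant, `users/${userObjectId}/assignLicense`, token, {
    addLicenses: [{ skuId, disabledPlans }],
    removeLicenses: [],
  });
}

// Turns an HTTP status and response body into a result or a descriptive error.
function parseGraphResponse(status, bodyText) {
  const body = bodyText ? JSON.parse(bodyText) : null;
  if (status >= 200 && status < 300) return body;
  const detail = body && body['odata.error'] ? body['odata.error'].code : bodyText;
  throw new Error(`Graph request failed: ${status} ${detail}`);
}

// Sends a request with any fetch-compatible function (injectable for testing).
async function send(req, fetchImpl = fetch) {
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return parseGraphResponse(res.status, await res.text());
}

// Usage with ADAL for AngularJS (assumed promise-returning acquireToken):
//   adalService.acquireToken(GRAPH).then(token =>
//     send(createLocalAccountRequest('contoso.onmicrosoft.com', token, { ... })));
```

The bearer check runs before the request is built, so a missing or wrongly typed token fails locally with a clear message instead of as a 401 from the service, which is much easier to spot in a browser console than the Authentication_MissingOrMalformed body.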

How can I report on who currently has permissions to Azure AD? O365 roles/permissions


hi folks,

Is there a way for me to report on and export who is a member of which roles across my Azure AD tenants and also O365 applications?

Also, can I report on and export who is a member of which security group in Azure AD?

thanks

Azure Marketplace Application Publisher


Hello,

Recently, one of my users noticed that there was an Active Directory (AD) integration published on the Microsoft Azure marketplace for my company's web application to allow Single sign-on (SSO) with AD.  My Company's application does not support SSO and we do not have anyone working on Azure development right now.

Would you please tell me how I can find out who the publisher of a given application is, and is there a phone number that I can use to contact Azure support?

Thanks,

Suved

Rights Management Service Application API returns 0x800704DC


I created a service principal on my Azure account using this guide: https://docs.microsoft.com/en-us/rights-management/develop/how-to-use-file-api-with-aadrm-cloud

When I try to test the newly created credentials using the Unprotect-RMSFile or the Get-RMSServer PowerShell command, I get the error "The operation being requested was not performed because the user has not been authenticated. HRESULT: 0x800704DC"

Thanks for your help!

Microsoft Graph 501 & 404 Errors - Getting Emails


I have authenticated with Azure & OAuth to receive an access token. Now I want to read their Outlook emails through a Microsoft Graph endpoint from a native WPF desktop app using C#. However, my request to get the emails of the currently signed-in user fails with a 501 error. The delegated permissions my app has are:

 - View users' email address
 - Access user's data anytime
 - Sign users in
 - Read user mail
 - Sign in and read user profile

Here is my network trace when attempting to sign in as a non-admin: https://drive.google.com/file/d/0B9w2-YCX6qYva01ia0cxZU1kYkE/view?usp=sharing

When I try to sign in and access emails as admin, I get a 404: https://drive.google.com/file/d/0B1qj83MVw-PZbEpxTklfS215eDQ/view?usp=sharing


outlook oauth error AADSTS70001


Hi,

I probably need to register my client-id somewhere, but I am getting AADSTS70001 during an OAuth authorization step.

The CorrelationId is Correlation+ID%3a+9aa94199-c4c2-4733-b1c5-0c9f00571142%0d%0a

Any help? I tried dev.outlook.com/AppRegistration, but it gives an AADSTS65001 admin not consented, and the client-id referred to in the error is not my client-id??

Any ideas

Application Proxy issues


Hi All,

I have a non-claims-aware web site hosted in IIS and configured for ONLY Windows Integrated Authentication. I'm attempting to publish the site externally using Azure Application Proxy but am having issues.

I have successfully registered my connector in Azure and my app config looks fine to me:

My web site uses a host header so I have published an SPN into my local AD for the http service of the web server using the following:

setSPN -A http/hostheaderName webServerName

That SPN value matches what I have set up in the Azure portal and I can query the SPN successfully in my local AD using setSPN -L webserverName.

I have also added the SPN to the delegation of my connector server in my local AD.

As far as I can see everything looks good but when I attempt to browse to the external URL I get a status of "Bad Gateway" and the following error from Azure AppProxy "Incorrect Kerberos constrained delegation configuration in your on-premises Active Directory."

Any ideas?


Application Proxy Incorrect Kerberos constrained delegation


I'm trying out the application proxy (AP).

Set up everything according to the guide. SSO works internally from workstations. When I log in through the AP I get the error message "Incorrect Kerberos constrained delegation configuration in your on-premises Active Directory.".

The Event Viewer on the connector server shows:
- Warning 13019 which states "Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package" and
- Error 12027 which states "Web Application Proxy encountered an unexpected error while processing the request.
Error: No credentials are available in the security package".

Both event log entries list "Preauthentication Flow: PassThrough" under details. In the Azure AD settings page I have chosen Azure AD as Preauthentication Method.

Any hints on how to troubleshoot?

AADSTS50012: Invalid client secret is provided


I am trying to get the on-behalf-of flow going in order to have a daemon authenticate on behalf of a user (service account) to a web application. I have set up two applications in my tenant: one web application and one native application. I have added the web application under "permissions to other applications" in my native application.

Step 1. A user calls the authorize endpoint on the daemon service.

Step 2. The service redirects the user to the login of the native application:

var url = context.GetAuthorizationRequestUrlAsync(
    resource,
    clientid,
    new Uri(redirect),
    UserIdentifier.AnyUser,
    null);

return Response.AsRedirect(url.Result.ToString(), RedirectResponse.RedirectType.Temporary);

Step 3. The user logs in and is redirected by Azure AD to the authorized endpoint of the daemon service with a ?code=... query string.

Step 4. The daemon service tries to acquire a token based on the authorization code in the query string:

var code = this.Request.Query["code"];
var credential = new ClientCredential(clientid, "<removed>");

Uri uri = new Uri(redirect);

var result = context.AcquireTokenByAuthorizationCodeAsync(code, uri, credential, resource).Result;
return result;

This throws the following exception:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
Trace ID: ddb98c11-e112-456c-8718-1ca55ca21ecc
Correlation ID: 8f3e39c8-0e08-40dd-919b-961e6b4f5b6e
Timestamp: 2016-08-12 10:23:44Z ---> System.Net.Http.HttpRequestException:  Response status code does not indicate success: 401 (Unauthorized).
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpClientWrapper.<getresponseasync>d__29.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.<getresponseasync>d__21`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient.<getresponseasync>d__20`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<sendhttpmessageasync>d__68.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<sendtokenrequestasync>d__65.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<runasync>d__55.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<acquiretokenbyauthorizationcodecommonasync>d__48.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<acquiretokenbyauthorizationcodeasync>d__30.MoveNext()

I am probably doing something wrong but I can't figure out what exactly.

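The four steps above, as an added example in plain JavaScript (Node, no ADAL) rather than the post's C#: the authorize redirect, the callback check, the code redemption at the token endpoint, and a parser for the AADSTS codes in an error body like the one quoted above. Tenant, client id, secret, code and redirect values are constructed placeholders, and the hint table is my own reading of the codes on this page. One general point the example encodes: a client secret is accepted only for a web app (confidential client) registration; a native-client registration has no keys, so the client_id sent with a secret must be the web app's.

```javascript
// Added example, not the post's code: the authorization-code exchange of the Azure AD
// v1 OAuth 2.0 endpoints built as plain data, and a parser for AADSTS error bodies.
// Tenant, client id, secret, code and redirect values passed in are placeholders.
const LOGIN = 'https://login.microsoftonline.com';

// Step 2: the URL the daemon redirects the user to. "state" is an unguessable value
// stored server-side so the callback can be tied to the request that started it.
function authorizeUrl(tenant, clientId, redirectUri, resource, state) {
  const q = new URLSearchParams({
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri, resource, state,
  });
  return `${LOGIN}/${tenant}/oauth2/authorize?${q.toString()}`;
}

// Step 3: Azure AD redirects back with ?code=...&state=... (or ?error=...). Reject the
// callback unless the state matches, so a code planted by someone else is not redeemed.
function verifyCallback(queryString, expectedState) {
  const q = new URLSearchParams(queryString);
  if (q.get('error')) throw new Error(`${q.get('error')}: ${q.get('error_description') || ''}`);
  if (!expectedState || q.get('state') !== expectedState) throw new Error('state mismatch');
  const code = q.get('code');
  if (!code) throw new Error('callback carried no authorization code');
  return code;
}

// Step 4: redeem the code. The secret belongs to a web-app (confidential) registration,
// so clientId must be that registration's id; native registrations have no secret.
function tokenRequest(tenant, clientId, clientSecret, code, redirectUri, resource) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code', client_id: clientId, client_secret: clientSecret,
    code, redirect_uri: redirectUri, resource,
  });
  return {
    url: `${LOGIN}/${tenant}/oauth2/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Error bodies carry {"error": "...", "error_description": "AADSTSnnnnn: text. AADSTSmmmmm: text. ..."}
function aadstsCodes(errorDescription) {
  return [...errorDescription.matchAll(/AADSTS(\d+):\s*([^.\r\n]+)\.?/g)]
    .map(m => ({ code: `AADSTS${m[1]}`, text: m[2].trim() }));
}

// Short defender-side readings of the codes that appear on this page (my wording).
const KNOWN_CODES = {
  AADSTS70002: 'credential validation failed; the accompanying code names the cause',
  AADSTS50012: 'client secret rejected: wrong value, expired key, or a client_id that owns no secret',
  AADSTS65001: 'the user or an admin has not consented to the application',
  AADSTS50057: 'the signing-in user account is disabled',
};

function explainTokenError(status, bodyText) {
  let body;
  try { body = JSON.parse(bodyText); } catch { return [{ code: `HTTP${status}`, text: bodyText }]; }
  return aadstsCodes(body.error_description || '').map(c => ({
    ...c, hint: KNOWN_CODES[c.code] || 'unlisted; look the code up in the Azure AD error reference',
  }));
}
```

Because the requests are plain objects, a daemon can log the token-request URL and the client_id it is about to send (never the secret) next to the AADSTS codes it gets back, which is usually enough to see whether the code is being redeemed by the registration that actually owns the secret.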

Enrolment failure with 3rd party MDM and Join Azure AD (error code 80004005)


Trying to enrol a device via "Join Azure AD" with my 3rd party MDM server.

Device fails to enrol when I use "Join Azure AD" on the device. The error is "Something went wrong. Confirm that you are using the correct sign-in information and that your organisation uses this feature. You can try to do this again or contact with administrator with the error code 80004005."

  • MDM server is custom made by my company
  • Device is able to enrol when Intune is used as the MDM server (by adding the Intune application to my Azure AD)
  • I added this MDM server as an "On Premise" MDM server to my Azure AD account
  • Can't find any relevant event logs within "User Device Registration" or "DeviceManagement-Enterprise-Diagnostics-Provider"
  • MDM DISCOVERY URL & MDM TERMS OF USE URL are correctly set and accessible over the Internet

Please help me identify what is wrong.

Regards
