I'm writing a WebAPI 2 application using the Azure B2C to provide OAuth 2 authentication, but I need to add some custom claims from the database so that the controllers have sufficient context to decide whether to allow access.

However, I'm having trouble finding an appropriate place to put this logic, I've tried

1. Adding an OWIN middleware component - issue is that the when this executes the context is not yet authenticated, so no use, can't see how I can control where in the pipeline I sit

2. Assigning a delegate to OpenIdConnectAuthenticationNotifications.SecurityTokenValidated - issue here is that although the ClaimsIdentity has been created and shows as authenticated, none of the claims have been assigned; also this seems to run once per authentication rather than request

There seems to be very little up to date documentation on this stuff

Paul

I am trying to delete the Azure AD directory. I have:
1>Deleted all the applications.
2>Deleted all the users (Except the microsoft account that created the directory)
3>No Subscription associated with this directory.

When i was trying to delete the directory using Azure portal, i was getting error

Directory has one or more applications that were added by a user or administrator.

so i followed the article here to delete the directory using powershell

and now when i try to delete directory using Azure Portal i get error

Could not validate this directory for deletion

what is difference if we use EMS and Office in terms of Azure AD both uses premium licenses?

Hi,

What is the best way to prevent users accessing the Azure portal?

We don't have O365, SP Online, Exchange Online, only Azure at the moment. 

We have synchronised our local AD OU that contains users.

In Azure AD, there is the option "Allow the user to sign in and access services". Setting this to "Block" prevent the user logging into the portal. I am sure there is a PS script to do this, but what I would really like to do is have all users blocked unless they are in a local AD security group that is tied to a role for a resource. For instance:

1. Member of no group = No access

2. Member of "GG_Azure_ResourceX_Reader" = Reader access to ResourceX

3. Member of "GG_Azure_ResourceY_Owner" = Owner access to ResourceY

I have set "Allow the user to sign in and access services" to Block and made sure the user is a member of local AD "GG_Azure_ResourceX_Reader", that the group has synchronised, but the user cannot log in. Therefore that method doesn't work.

When I ran the setup for Azure AD Connect, I didn't specify a security group, and I really don't want to go through the whole setup again, especially as our users are now in Azure AD. Removing them seems a painful process.

I can't create and move user that should have access into a specific OU as this will break other things.

This seems simple, but either it is so simple I'm missing the trick or Google is broken. My guess is that I will have to wait until Azure AD is updated to work in the new "resource" (RBAC-style) portal.

Any pointer? 

Many thanks

W.

Hi,

I noticed in the AAD portal, under each user, that one is able to view "Device syncing and enterprise app settings" (preview). For all my users it states "Devices in your organization can't sync settings and enterprise app data. The feature is turned off."

There doesn't seem to be a settings within AAD Configuration to enable this either, at least not in an obvious fashion.

Any pointers? How I ended up with this was that I was investingating why two AAD joined laptops could not synchronize Edge's Reading List (both seem to have their own copies and no way to figure out why they do not sync)

Thanks.

Hi

I added an YouTube app to Azure AD Applications from the application gallery, configured it to use Password Single Sign-On, assigned the app to a user account and added YouTube credentials (google account email address and password).

App is found from users Office 365 My Apps. It's just that when user clicks the link, it goes to YouTube.com as expected, writes the youtube user account email address but not the password. User is not able to login to YouTube because YouTube login asks the user for a password.

We tried this using Internet Explorer on Win 10 and Chrome for Mac. In both cases we installed the Access Panel Extension.

Why is the YouTube link asking for a password from user when it should not do that?

I have an asp.net web application configured in the Azure AD. We assigned all the delegated permissions to access Azure AD to get the signed-in user AD groups info. But I am still receiving the permissions issue.

I am suspecting the "Access the directory as the signed-in user - Directory.AccessAsUser.All". Since the signed-in user may or may not have privileges to query the AD. But any thoughts on this are welcomed.

Hello Experts,

We have a Third Party Multi Tenant web application, since it is third party it ask user to sign up the consent form.

once user signup for consent, the app gets added into App list in the AAD.

we are retiring our application soon and we want to know is there a way to remove our app from customer's app list ?

The Problem is when you view the app detail in App List (by right clicking on it) it shows our Organization name and we don't want to keep or org name in customer's AAD.

Please let me know if there is a way to remove the app from app list.

Thanks in Advance,

Ritesh

I'm researching the use of AAD B2C for a consumer-facing app.  Each user needs a unique handle, just like the MSDN forums or Twitter have unique usernames for everyone.  The AD Display Name seems like a good choice.  Can AAD B2C enforce unique Display Names?

If not, can AAD B2C be used to enforce a unique handle at all?  Perhaps I'll need to combine B2C for authentication with my own database of unique handles.

Hi,

I have a a Office 365 tenant and an on-premise AD Forest with multiple domains.

I need to do a GAL segmentation based on domain NetBIOS name or FQDN NetBIOS DOmain Name so all object synced from a specific domain within the same forest can be in a separate GAL that will be used only by users synced from this domain.

my need, if we can synchronize or transform an attrribute to DomainNetBIOS Name in Azure Active Directory

I can use Customattribute, but if I can Use the attributes listed above, it can be helpfull to meet our need.

Thansk

Lourh

Hi all im trying to install for the 1st time the Microsoft Active Directory synch tool, and I got this

[10:21:43.119] [ 24] [INFO ] Starting Sync Engine installation
[10:22:23.384] [ 21] [INFO ] Starting Telemetry Send
[10:22:23.387] [ 24] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.ComponentModel.Win32Exception: Only part of a ReadProcessMemory or WriteProcessMemory request was completed
   at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.TypeDependencies.ProcessStartBeginOutputReadAndWaitForExit(Process process, ProcessOutputListener listener, String& processOutput)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String& processOutput, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit, Boolean traceArguments)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapterCallerBase.TypeDependencies.StartBackgroundProcessAndWaitForExit(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlLocalDbAdapter.CreateInstance(String instanceName, NetworkCredential ownerCredential)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlLocalDbAdapter.InitializeSharedInstance(String instanceName, NetworkCredential ownerCredential)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass13.<InitializeSqlSharedInstance>b__11()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass13.<InitializeSqlSharedInstance>b__12()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InitializeSqlSharedInstance(String sqlLocalDbInstanceOwnerSid, NetworkCredential sqlLocalDbInstanceOwnerCredential, SetupConfig config)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Providers.EngineSetupProvider.SetupSyncEngine(String setupFilesPath, String installationPath, String sqlServerName, String sqlInstanceName, String serviceAccountName, String serviceAccountDomain, String serviceAccountPassword, String groupAdmins, String groupBrowse, String groupOperators, String groupPasswordSet, Int32 numberOfServiceInstances, ProgressChangedEventHandler progressChanged, NetworkCredential& serviceAccountCredential, SecurityIdentifier& serviceAccountSid)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)
[10:23:03.336] [  1] [INFO ] Opened log file at path C:\Users\Jort3g4\AppData\Local\AADConnect\trace-20160831-101518.log
[10:36:20.086] [  1] [INFO ] Opened log file at path C:\Users\Jort3g4\AppData\Local\AADConnect\trace-20160831-101518.log

In event viewer the event is 905 and the text is :

InitializeSqlSharedInstance: Error while attempting to remove stale local db instance. This may be expected. Details: System.ComponentModel.Win32Exception (0x80004005): Only part of a ReadProcessMemory or WriteProcessMemory request was completed
   at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.TypeDependencies.ProcessStartBeginOutputReadAndWaitForExit(Process process, ProcessOutputListener listener, String& processOutput)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String& processOutput, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit, Boolean traceArguments)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapterCallerBase.TypeDependencies.StartBackgroundProcessAndWaitForExit(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlLocalDbAdapter.StopInstance(String instanceName, NetworkCredential ownerCredential)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlLocalDbAdapter.StopAndDeleteInstance(String instanceName, NetworkCredential ownerCredential)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass16.<RemoveSqlLocalDbInstance>b__15()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass13.<InitializeSqlSharedInstance>b__11()

Hi,

I'm getting the following error when getting the token.

AdalSilentTokenAcquisitionException: Failed to acquire token silently. Call method AcquireToken.

I associated my office 365 developer account with azure AD by following the instructions given in below link,

https://msdn.microsoft.com/en-us/office/office365/howto/setup-development-environment#bk_CreateAzureSubscription

In vs 2015, I configured AD and office 365. When i build the project, i was able to sign in with my office 365 login. But to get the files from office 365 using the API, i'm getting the above error. Below is the code I used ( which i took from the demo by Jeremy Thake).

List<MyFiles> myFiles = new List<MyFiles>();
            var signInUserId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
            var userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
            string userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null ? ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;

            AuthenticationContext authContext = new AuthenticationContext(SettingsHelper.Authority, new ADALTokenCache(signInUserId));
            UserIdentifier userIdentifier = new UserIdentifier(userName, UserIdentifierType.OptionalDisplayableId);
            DiscoveryClient discClient = new DiscoveryClient(SettingsHelper.DiscoveryServiceEndpointUri,
               async () =>
               {
                   // var authResult = await authContext.AcquireToken(SettingsHelper.DiscoveryServiceEndpointUri, new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey));
                   var authResult = await authContext.AcquireTokenSilentAsync(SettingsHelper.DiscoveryServiceResourceId, new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey), userIdentifier);

                   return authResult.AccessToken;
               });

            var dcr = await discClient.DiscoverCapabilityAsync("MyFiles");

            SharePointClient spClient = new SharePointClient(dcr.ServiceEndpointUri,
                async () =>
                {
                    var authResult = await authContext.AcquireTokenSilentAsync(dcr.ServiceResourceId, new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey), new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));

                    return authResult.AccessToken;
                });

            var myFilesResult = await spClient.Files.ExecuteAsync();
            do
            {
                var files = myFilesResult.CurrentPage;
                foreach (var file in files)
                {
                    myFiles.Add(new MyFiles { Name = file.Name });
                }
                myFilesResult = await myFilesResult.GetNextPageAsync();


            } while (myFilesResult != null);
            return View(myFiles);

Thanks

Shiraz

I like the fact that there appears to be a new Powershell command to assign Azure AD SaaS Apps to AAD users. Problem is the V2 release documentation is still catching up.

Can anyone provide an example of how to use the New-AzureADUserAppRoleAssignment command?

The tricky parameters appears to be ObjectID, ID & ResourceID.

Hi,

My boss has created an Azure subscription for our company. He is the administrator of the company. He created the Azure AD for the @mycompany.com domain and added me in. He is however connected with a Microsoft account, created with his @mycompany.com mail address.

I was able to successfully join my computer and log on to it, but he couldn't. I tried joining the domain with my account on his computer, which worked, but he still can't connect to it. The message states that the login or password is incorrect, without any helpful information. How can we do?

Regards,

Jérémy VIGNELLES

Here is the error from the trace log.  If have done this before but I am seeing this error in a lab environment that I am trying to configure.

[21:34:52.573] [ 22] [VERB ] SynchronizationRuleTemplateEngine.GetAttributeInclusionListForSynchronizationRules: Exit
[21:34:52.575] [ 22] [INFO ] Configuring Windows Azure Active Directory Sync: Updating run profiles and attribute inclusion lists for connector (<redacted>.onmicrosoft.com - AAD)
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: Element 'ma-run-data' was not found. Line 1, position 2. ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: Element 'ma-run-data' was not found. Line 1, position 2.
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateEmptyRunProfile(RunProfile runProfile)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateRunProfile(RunProfile runProfile)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRunProfileCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.RunProfileConfigAdapter.AddRunProfile(RunProfile runProfile)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateRunProfiles()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnector(IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)
   at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.CreateConnectorWithRetry(ConnectorAdapterBase connectorAdapter, IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, ParameterKeyedCollection connectorGlobalParameters, Boolean createRunProfile)

Frank Postle

We get weekly Azure AD reports for Identity protection.

This week we had an alert under the vulnerabilities section. On trying to get more information beyond this digest the Azure portal does not provide any further information. Just a wee raincloud.

How can I see this report?