Channel: Azure Active Directory forum

Azure AD password complexity


Hi there, 


So one of our customers has dropped the on-premises infrastructure and only wants to use the cloud identity, sharepoint etc. I found that, now the users only reside in the cloud, they are being forced to change their password due to the limited password restrictions for Cloud Only users. Here's a link detailing the restrictions. 

Are there any ways around this or is there a roadmap available which would show Microsoft is planning changes for this? Spaces and passwords longer than 16 characters seem such a no brainer for security, however Microsoft's cloud platform does not seem to support it yet. 

Many thanks in advance and kind regards,

Sander


Notification on Creating Resource Group


Hello,

We have a subscription that we call the "sandpit" where anyone on the team can create a resource whenever they want. Recently we started using tags to put information on each resource group, such as who created the resource group. I was wondering, is there a way we can find out when a new resource group is made, maybe getting a notification with the user's name (or just the email address) and the name of the resource group?

If that's not possible, can you guys suggest a way? Currently I can find the number of resources made using PowerShell, and if there are more than expected, I can track it down, but then I have to track down the person that has created the resource group, which can take a while.

how to disable notifications "Identity synchronization Object Deletion Limit Reached: Friday, 09 September 2016 10:14:58 GMT"



We have signed up for Microsoft Azure "Free subscription" and have started exploring Azure
by creating dummy apps, resource groups and couple of AD users in the default domain.

For the last 3-4 days, our admin account has started receiving notifications related to
"Identity synchronization Object Deletion Limit Reached: Friday, 09 September 2016 10:14:58 GMT"
So far the admin has received almost 60 such error messages. We have not really triggered any directory sync activity, nor have we initiated any user delete operations.

Please let us know what is triggering this user deletion activity.
Also let us know how can we disable these notifications. Can we change email address for these notifications?

Thanks a lot!

PKCE enhancement for v2.0 Protocols - OAuth 2.0 Authorization Code Flow


Hi There,

Just wondering, is it planned to extend the Authorization Code Flow implementation to add the PKCE enhancement for the security of native app implementations using that grant type?

If so, when is this planned?

kind regards,

Frank

Account provisioning errors - google apps


We've had a google apps subscription linked with Azure AD for some time. The authentication component works wonderfully, however recently we've been getting emails periodically telling us that there was an error provisioning users due to credentials being invalid.

I've completely removed and reset all SAML and provisioning settings at both ends and still have the issue. I've created a new account at Google, same issue. I've changed the password for the account I'd been using, same issue. I'm able to log in just fine with any account, but the Azure service will not verify most of the time that the account is correct - very occasionally, though, it will succeed. I am 100% certain that I have the correct credentials.

I've also removed the Google Apps app from Azure and recreated it, to no effect.

The setup screen on provisioning page gives me this error when I click on 'test connection':
Your Google Apps credentials appear to be invalid. Please provide a current administrative user name and password for the Google Apps domain to which you wish to provision your users.

It succeeded for me just one time, after which I immediately restarted provisioning - which subsequently failed and I received this message via email.

Is anybody else experiencing this issue? Does anybody have any hints as to how else I can try to resolve this issue? Provisioning has been working perfectly until recently.


Invites not sent out for Azure AD for "Users in partner companies"


Hi,

In order to let customers log in to one of our own web applications, as well as in house users, we are looking into using the Azure AD for login / SSO.

Looking at the options, inviting customers as "Users in partner companies" looks like the best option.

We uploaded CSV files with the user details, and the invitation summary says they were processed without error.

But no invitation email was ever received, and it does not seem to be stuck in spam inboxes. Any ideas what might be causing this?

Also, if there are better ways to give customers access to applications using Azure AD for credentials, any hints or directions would be much appreciated.

Best regards,

Johan

Creating an Azure AD Application Programmatically


I am trying to write some code that will create 2 Azure AD applications. The first is a web/web API application and the second is a client application. When complete, the client application should have access to the Web API.

I used the console app up on GitHub as a starting point and got it working in my test tenant. In the OAuth "Create an application" section of the code, I added the following code.

    // Build the application object with a randomised display name
    Application appObject = new Application { DisplayName = "Test-Demo App" + Helper.GetRandomString(8) };
    appObject.IdentifierUris.Add("https://localhost/demo/" + Guid.NewGuid());
    appObject.ReplyUrls.Add("https://localhost/demo");

    // Declare the resource (Web API) this application requires access to;
    // only ResourceAppId is set here, the ResourceAccess list is left empty
    RequiredResourceAccess resource = new RequiredResourceAccess();
    resource.ResourceAppId = "05648d91-c798-4703-a369-b82ef1d9c055";
    appObject.RequiredResourceAccess.Add(resource);

When I run this code and try to add the application, I get an exception that says:

"{\"odata.error\":{\"code\":\"Request_BadRequest\",\"message\":{\"lang\":\"en\",\"value\":\"Property requiredResourceAccess.resourceAccess value is required but is empty or missing.\"},\"values\":[{\"item\":\"PropertyName\",\"value\":\"requiredResourceAccess.resourceAccess\"},{\"item\":\"PropertyErrorCode\",\"value\":\"PropertyRequired\"}]}}"

I would like to know how to add a required resource to an Azure AD Application.


Andy Schneider http://get-powershell.com

Azure Active Directory B2C Password SelfService and the alternate Mail address


I'm evaluating Azure AD B2C. I downloaded the sample web app from GitHub and now I have configured Azure B2C with SignIn, SignUp and SelfService policies. The web app is up with SignUp, SignIn, SelfService and social login. All policies can be triggered from the web app and are running very well. Additionally, I have enabled password reset with "alternate mail address" (until now the only possible option). The question is: how can the user fill this attribute via the SelfService pages? The attribute is not built-in within the B2C configuration options (see screenshot below).

This means it isn't available to SelfService policies. If I go to the classic portal as admin I'm able to set the alternate mail address and the user is able to reset the password. But the goal is to enable the user to set up his alternate mail address. How can I do this?

Kind regards

Denis 


SSO SAML - Directory extensions and using those attributes


Hi Everyone,

I'm looking into adding some additional AD attributes to the Azure AD Connect setup by way of directory extensions (e.g. EmployeeNumber, EmployeeID).

Currently we utilise ADFS on prem for some applications and use these attributes as the Name ID.

I have been reviewing the following URL.

http://social.technet.microsoft.com/wiki/contents/articles/31257.azure-active-directory-customizing-claims-issued-in-the-saml-token-for-pre-integrated-apps.aspx?wa=wsignin1.0

My question is, once you add more attributes to your sync via Directory Extensions in Azure AD Connect, are you then able to utilise these attributes in SAML claims in Azure AD?

This may be a show stopper for me if this is not possible for certain applications.

Cheers,
Simon

B2C - CheckBoxMultiSelect not checked for selected values


Hi,

I'm using the CheckBoxMultiSelect to store a comma-separated, multiple-value custom property for the user. When we select the values by checking the checkboxes, they get stored as part of the user profile. But when we try to edit the values, it doesn't show the checkbox as checked for the previously selected values.

Thanks.

Is it possible to provide a link to redirect SharePoint Online site and auto login via Azure AD? C#?


We have an externally facing website, to which we would like to add a link to a SharePoint Online site, but we want to pass through the login page, so the SharePoint site seamlessly loads.

Is that possible?

I tried hijacking the SharePointOnlineCredentials request/response to redirect, but that does not work.

Is there any sample code for cookies or response redirect headers that would allow this?

Unable to protect content with Azure RMS. Error code 0x800704DC


Hello.

I set up a test environment with Azure AD tenant and enabled RMS subscription.

On the corporate side I have set up an ADFS 3.0 server and an ADFS Proxy in the DMZ. I confirmed that ADFS authentication works externally, since I can log in to manage.windowsazure.com via the ADFS login screen.

But, if I try to use RMS client to protect a document, I am asked for credentials and will get that error message.

unable to protect content

There are no error messages on the ADFS proxy or ADFS. I do not have access to logs "in Azure cloud" and I can't open a ticket with Azure support - it is a free trial...

Please, help me.

Slava

User sync failing due to "The dimage has an anchor that is different than the image"


I have one user failing to sync between AAD and AD. The error is "sync-generic-failure". The stack trace error is a bit more detailed: "The dimage has an anchor that is different than the image".

The user in question existed in AAD as a manually created user before AD Sync was set up.

The user account was then deleted from AAD, and I think that started this behavior.

Can I remove the link between the AD user and the AAD user completely, so the AAD user can be deleted, and the AD user can be synchronized to AAD?

AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials(while trying to connect azure subscriptions from visual studio 2015)


AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials(while trying to connect azure subscriptions from visual studio 2015)

I am able to connect to the Azure subscription through Visual Studio 2013.

Regards

Rajeshwar

Managing multiple subscription and billing


Hi all, 

As I understand, when you create a subscription in Azure you have to create a tenant, right?

I'm new to Azure and here is the story/problem that I have:

We are using Crayon as our licensing provider and we are managing stuff from there. We have Office 365 too. So we started with Azure and we are in the middle of working out how to manage the licensing and the subscriptions so we can have a clear picture of the billing. So we have 3-5 subscriptions (Our Company) for ourselves, but now we don't know how to handle it if we have new customers. If we go via Crayon, we can put a new subscription for Customer1; he will get an account on Azure with a subscription. This subscription we can't see. Is there any possible way to see the subscription with the account that we have from Crayon (or our Azure account)? Like, if I log in with my Azure account, I can see our 3-5 subscriptions. But I can't see the Customer1 subscription. That way I have to log out and log in with the account of Customer1 to see that subscription. Solution?

And is there any different way to do this stuff, and what are the best practices to deal with subscriptions? And how can I manage the billing for different customers, what is the easy and beautiful way to do it :)

Kind regards

Ivan


Provisioning Attributes - looking at Provisioning attributes gives an error


We are trying an integration with Facebook at Work.

Everything worked fine before the summer, and we have since imported more users into AD.

Now we would like to provision more users toward Facebook, but now it seems the provisioning is no longer working.

Account Provisioning Status
Last time accounts were fully synchronized in the directory was at 21.06.2016 22:16 GMT+2
Last attempt started at 21.06.2016 22:16 GMT+2 and ended at 21.06.2016 22:16 GMT+2
Status: Successful
Total provisioned accounts: 5

When I test the connection, it works fine.

I have also tried restarting the provisioning. This seems to restart, but it does not provision.

I have set some specific provisioning attributes to prevent all our domain users from being invited.

When I now try to look at these, under attributes - Provisioning I get this error:


An error occurred that was our fault. 

We should already be investigating, but you may also use the feedback button below to send us a report of the mishap.

Could you please advise on what to do? If I revert the attributes that prevent all users from getting provisioned, I will have a ton of users provisioned that are not supposed to be provisioned to facebook@work. So I do not see this as a good solution...

Removing old AAD directory


Hi everyone,

Looking for some tips on getting rid of an old AAD domain.

Setup:

-Initial directory created using admin account microsoft@xxx.com - Directory A
-A totally separate 365 subscription created with microsoft@xxx.com - Directory B

Merged the 365 into Azure, so now have 2 directories, A and B.

The microsoft@xxx.com account is the owner and is a user that exists in both Directory A and B. (the microsoft@ user in both directories lists as being sourced from Microsoft Account)

There are no other accounts in Directory A, nor are any apps connected to it; however, I am not able to completely remove Directory A. I get the error "Directory has one or more applications that were added by a user or administrator".

I have googled it and went through a series of Azure PowerShell commands that were meant to fix this, but I cannot get rid of the directory.

Any help or pointers would be greatly appreciated.

Thank you!

B2C: WebApi 2 claims transformation


I'm writing a WebAPI 2 application using the Azure B2C to provide OAuth 2 authentication, but I need to add some custom claims from the database so that the controllers have sufficient context to decide whether to allow access.

However, I'm having trouble finding an appropriate place to put this logic. I've tried:

1. Adding an OWIN middleware component - the issue is that when this executes the context is not yet authenticated, so it is no use, and I can't see how I can control where in the pipeline I sit.

2. Assigning a delegate to OpenIdConnectAuthenticationNotifications.SecurityTokenValidated - the issue here is that although the ClaimsIdentity has been created and shows as authenticated, none of the claims have been assigned; also this seems to run once per authentication rather than per request.

There seems to be very little up-to-date documentation on this stuff.


Paul

Unable to create Azure Subscription from partnercenter sandbox


Hi

We are unable to create an Azure subscription in the sandbox. Is there any issue?

For some of our accounts we created subscriptions earlier and launched VMs; those subscriptions are also not showing up in Partner Center.

We have been facing this issue for the past 2 days.

Any help appreciated :)

Thanks

Old Certificates Appear as Default in the Address Book


First off, I originally posted this question in an Exchange forum and received a reply from the moderator that leads me to think this might be an Active Directory issue.

Second, I am not an AD administrator. When I have posed this question to our AD administrator, I have gotten the brush-off. I am posting this message in the hopes of receiving some objective opinions.

Finally, I am not trying to solve an existing technical issue. I am simply trying to collect more information so that I can gain a better understanding of email encryption issues.

Recently, I have seen three cases where a user was having email encryption problems, and in all three cases the issue was caused by an expired default certificate in the address book. In all three cases:

  • The user had one valid certificate listed in AD.
  • I opened MMC on the client machine and added the Certificates snap-in, and found only one certificate installed on the machine, and it matched the certificate listed in AD.
  • I looked up the user in the address book, did a right-click > Add to Contacts > Certificates button on the ribbon, and found that the default certificate listed for the user was expired.

In one case, the default certificate listed in the address book expired in 2012. If that expired certificate is not in AD, and it's not installed on the client machine, then where is it coming from? It has to be coming from somewhere.

Is it possible that AD is holding on to old certificate information in a location that is not visible through ADUC?  If so, is it possible to clear out old certificate information?

Thanks in advance for any help that you can offer!

--Tom
