Hello,
I've moved my organizations AD Sync server to a new server, uninstall all of the AD sync tools from the old server, but I cannot get Azure Active Directory Connect Health to stop listing the server as a Sync server with alerts. It is showing as "Unhealth" but I can't find anywhere to remove that specific server as it is no longer synching anything.
Thanks!
I am trying to connect a Windows Server 2012 R2 Azure Server to a Directory Services enabled Azure Domain, When I attempt to Join this Server to the Azure Domain. I get below error-
Invalid Username/Password.
When I ping the Domain or the IP I get responses.
I have created the "AAD DC Administrators" group and added a Service admin user and the Azure Subscription Admin account to. I am unable to join using either of there Credentials.
This is also a [name].onmicrosoft.com Domain.
Any ideas would be great.
EDIT. I have followed the same step I did in my master azure tenant, in a "Free Trial" Tenant and I had no issue with a Basic and Custom Domain
Hi All,
I am using Azure Resource Manager where subscription type is "pay-as-you-go".
I wanted to automatate this cloud using Python. But to do this there is needed to create AD aplication and service pricipal.
I tried the steps from here: (azure microsoft com /en-us/documentation/articles/resource-group-create-service-principal-portal)
But there is no possible to assign application to role (to Resource Group or Subscription).
This is because of subscription type.
Do you know any workarund whithout changing the subscription or what subscription change is needed?
Thanks.
I've just refreshed my Windows 10 (Anniversary update installed), Installed the Office from the Office365 portal.
Problem is, I cannot seem to get my Outlook profile going. It keeps asking me for my password, which I'm a 100% sure that is correct (testing it in the Portal). Username is comes back with (DOMAIN\email@address.com), even if I change the username to the email address only, it will not take my password.
If I than try to configure the profile manually for an Exchange server, using outlook.office365.com, then I get the message that the password is wrong. (Again the password is 100% correct, tested tested tested).
Other Office 365 accounts (another tenant), can be added (added two others), works perfectly. But I cannot add the mailbox of the Account that joined the machine to Azure AD, and is signed in on the machine.
Please help.
Regards,
Ronald van Ackooij
Hello,
Not sure this is the best forum but I'm trying to call the REST API for Windows Store for Business, I'm following this guide:
https://msdn.microsoft.com/en-us/library/windows/hardware/mt608307(v=vs.85).aspx
I've come to the point where I call to the API operation "Get Inventory" is done but the only response I get is:
UnauthorizedThe guide mentions this sample as a starting point wich I've used:
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console
The sample works fine up to the actual code that does the Get Inventory call (that I added), that looks like this:
static async Task RunAsync()
{
Console.WriteLine("\nGet Inventory");
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AuthenticationHelper.TokenForUser);
//https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25
client.BaseAddress = new Uri("https://bspmts.mp.microsoft.com/");
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
// HTTP GET
HttpResponseMessage response = await client.GetAsync("V1/Inventory?licenseTypes=offline&maxResults=25");
if (response.IsSuccessStatusCode)
{
Console.WriteLine(response.StatusCode);
}
else
{
Console.WriteLine(response.StatusCode); //Unauthorized here
Console.WriteLine(await response.Content.ReadAsStringAsync());
}
}
}The TokenForUser wich I use in the AuthenticationHeader looks legit, should I authenticate some other way? Unfortunately the guide doesn't show any specific code examples for the API.
Hi,
I'm getting the following error when getting the token.
AdalSilentTokenAcquisitionException: Failed to acquire token silently. Call method AcquireToken.
I associated my office 365 developer account with azure AD by following the instructions given in below link,
https://msdn.microsoft.com/en-us/office/office365/howto/setup-development-environment#bk_CreateAzureSubscription
In vs 2015, I configured AD and office 365. When i build the project, i was able to sign in with my office 365 login. But to get the files from office 365 using the API, i'm getting the above error. Below is the code I used ( which i took from the demo by Jeremy Thake).
List<MyFiles> myFiles = new List<MyFiles>();
var signInUserId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
var userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
string userName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn) != null ? ClaimsPrincipal.Current.FindFirst(ClaimTypes.Upn).Value : ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
AuthenticationContext authContext = new AuthenticationContext(SettingsHelper.Authority, new ADALTokenCache(signInUserId));
UserIdentifier userIdentifier = new UserIdentifier(userName, UserIdentifierType.OptionalDisplayableId);
DiscoveryClient discClient = new DiscoveryClient(SettingsHelper.DiscoveryServiceEndpointUri,
async () =>
{
// var authResult = await authContext.AcquireToken(SettingsHelper.DiscoveryServiceEndpointUri, new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey));
var authResult = await authContext.AcquireTokenSilentAsync(SettingsHelper.DiscoveryServiceResourceId, new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey), userIdentifier);
return authResult.AccessToken;
});
var dcr = await discClient.DiscoverCapabilityAsync("MyFiles");
SharePointClient spClient = new SharePointClient(dcr.ServiceEndpointUri,
async () =>
{
var authResult = await authContext.AcquireTokenSilentAsync(dcr.ServiceResourceId, new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey), new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
return authResult.AccessToken;
});
var myFilesResult = await spClient.Files.ExecuteAsync();
do
{
var files = myFilesResult.CurrentPage;
foreach (var file in files)
{
myFiles.Add(new MyFiles { Name = file.Name });
}
myFilesResult = await myFilesResult.GetNextPageAsync();
} while (myFilesResult != null);
return View(myFiles);
Thanks
Shiraz
Good Morning,
We are evaluating the implementation of synchronized Azure Active Directory with Windows Server 2012 R2 Local server.
With the option of Basic licensing we know that you can make the Local- Cloud ( Azure ) synchronization.
My question is this:
Thank you very much in advance.
Greetings.
We even have backups and geographycal replication ... looks like they are only names for you to charge us.
Our clients are on the verge of cancelling their accounts. We demand answers now!!!!
I have a ASP.NET MVC application that I am attempting to use to call the Microsoft Graph API. What delegated permissions are required to call me.CheckMemberGroups using the Microsoft Graph Client SDK. I have tried assinging"Sign in and read user profile" and "Read all groups" but I still get an error - "Insufficient privileges to complete the operation."
I am retrieving the access token via a call to AcquireTokenByAuthorizationCodeAsync() and then using that to call the Graph API:
var groups = await graphClient.Me.CheckMemberGroups(groupIds).Request().PostAsync();
Thanks,
Sean
I try to get Windows Hello for Business up and running, but for some reason i've got the following AzureAD errors on every LOGON on the (Win10 1607 14905.1000) clients, and WH4B does not work:
1) AadTokenBrokerPlugin Operation Warning 1097
Error:0x4AA50081An applicaiton specific account is loading in cloud joined session.Logged at clientcache.cpp, line:151, method:ClientCache::LoadPrimaryAccount.
2) AadTokenBrokerPlugin Operation Error 1098
Error:0xCAA20003Authorization grant failed forthis assertion.Code: invalid_grantDescription: AADSTS70002:Error validating credentials. AADSTS70008:The refresh token has expired due to inactivity.The token was issued on 2015-11-23T07:18:56.9867097Zand was inactive for14.00:00:00.Trace ID:5e72cda1-ad1f-46cc-a2a1-60bed635f559Correlation ID: ae7b7368-bdb2-4839-9989-c28a045357d1Timestamp:2016-08-2511:45:53ZTokenEndpoint: https://login.microsoftonline.com/common/oauth2/tokenLogged at oauthtokenrequestbase.cpp, line:352, method:OAuthTokenRequestBase::ProcessOAuthResponse.Request: authority: https://login.microsoftonline.com/common, client: [....]
3) AadTokenBrokerPlugin Operation Warning 1097
Error:0xCAA90056Renew token by the primary refresh token failed.Logged at refreshtokenrequest.cpp, line:85, method:RefreshTokenRequest::AcquireToken.Request: authority: https://login.microsoftonline.com/common
Everything else i can think of is working pretty well. The following logs are clean (no errors or warnings):
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Microsoft-Windows-User Device Registration/Admin
As this is a rather new feature, i really hope you can help me.
Gregor Stefka
Azure health was working initially but stopped working 08/18. We did not get alert for this. Restarted service per website suggestion with no luck and firewall rule in place for outbound connectivity. The ADFS servers are all fine but the ADFS Proxy Servers are all showing the same thing. They both have same firewall rule. Any help is appreciated or troubleshooting.
PS C:\Users\e01> Test-AzureADConnectHealthConnectivity -Role adfs -ShowResultHello,
When I am trying to fetch direct reports for any user using graph explorer, API could fetch the result. But when I try to do the same using code, I get 403. Is it expected?
https://graph.windows.net/microsoft.com/users/{user oid}/directReports?api-version=1.6
We wish to have a Cloud only Domain as most of our employee's work from home. We want the computer/laptops to authenticate to a Cloud only Domain Controller.
Currently, we do have an on premise domain controller for the 6 office employee's we have but desire to fully decommission it and use only the Cloud Domain Controller.
Is this possible? If so, how?
Thank you for any and all assistance & guidance.
We've had a google apps subscription linked with Azure AD for some time. The authentication component works wonderfully, however recently we've been getting emails periodically telling us that there was an error provisioning users due to credentials being invalid.
I've completely removed and reset all SAML and provisioning settings at both ends and still have the issue. I've created a new account at Google, same issue. I've changed the pasword for the account I'd been using, same issue. I'm able to login just fine with any account but the Azure service will not verify most of the time that the account is correct - very occassionally though, it will succeed. I am 100% certain that I have the correct credentials.
I've also removed the Google Apps app from Azure and recreated it, to no effect.
The setup screen on provisioning page gives me this error when I click on 'test connection':
Your Google Apps credentials appear to be invalid. Please provide a current administrative user name and password for the Google Apps domain to which you wish to provision your users.
It succeeded for me just one time, after which I immediately restarted provisioning - which subsequently failed and I received this message via email.
Is anybody else experiencing this issue? Does anybody have any hints as to how else I can try to resolve this issue? Provisioning has been working perfectly until recently.
I've have wasted an entire day trying to diagnose an apparent spontaneous inability to login to my Azure AD today. Windows kept claiming my creds were wrong (which they were NOT). From much fiddling around I found the ONLY way I could get Azure AD logins working again was to disconnect my device from the domain, and then reconnect it. The side effect of this is that the state of the PC for the azure account was reset, including all my apps and settings. My files continued to exist on the local drive but in the original users folder. Not what I wanted.
Details are covered here:
http://serverfault.com/questions/801993/azure-ad-user-suddenly-unable-to-login-to-pc/802023#802023
With this error, the instructions on screen in the Azure portal say:
If outbound connectivity is not blocked, restart the following services on each server:
The services on a 2008 R2 and 2012 box are actually called:
Azure AD Connect Health AD DS Insights Service
Azure AD Connect Health AD DS Monitoring Service
Can't find one for the 'Diagnostics' part.
Anyway, I have a 2008 R2 box reporting that the health service data is not up to date. I can't work out why, I've tried reboots and restarting services with no luck.
Our 6 other boxes behind the same firewall are reporting through fine.
What can I do next to continue troubleshooting this?
Hi.
I'm trying to configure the agent for Azure AD Connect Health for AD DS on a Windows Server 2012 R2 (Server-Core) Read-Only Domain Controller but the configuration fails.
I wondering if the preview of Azure AD Connect Health for AD DS supports RODC's?
See errorlog below:
Test-AzureADConnectHealthConnectivity's execution in details are as follows:Hi,
Firstly, apologies if I give the insufficient information in this post, this is my first post ever in any forum.
I'm trying to grant access to our SharePoint (365) site to a user in another organisation. I've uploaded the csv file into Azure as per instructions on how to add users in partner companies. Azure successfully processes the file, and adds the user, but never sends the invite, giving an "Directory invitation failed - Application was not properly configured" error. I've double checked the application and group IDs are correct. Is the problem with SharePoint? Does anyone have any ideas please?
Thanks!
Hi all,
My team and I are having issues with an application published via the AADAP. It is a web application that authenticates to our ADFS servers, published via AADAP with MFA enabled. Basically, everything works fine. You need to supply your credentials, get the MFA prompt, and then work. All functionality is available, except that you get a message after exactly 60 minutes, with the error that the connection has been lost.
This is not due to inactivity, as it happens even when using the application actively. The same issue does not happen when the application is accessed directly or with another reverse proxy in between the user and the server.
I've checked the server logs and on the application side it only shows that the connection timed out about a minute after the connection drops. On the connector side, nothing can be found in the admin or session logs. Almost completely clean.
The settings are as follows:
Properties
Multi-factor authentication
Device based access rules
Self-service access to application
If someone has an idea, or pointers on where to look, I would really appreciate it.
Kind regards,
Tony
Hi,
We're running the latest release (as at 22 June 2016) of Azure AD Connect, and all seems to be working fine. Directory sync is working as we'd expect and authentication is being handled fine by internal ADFS infrastructure.
We've been experimenting with password write back, and appears to be working fine too, but since we enabled password writeback in Azure AD Connect we've started seeing two warnings similar to the following being logged in the Application event log every minute:
TrackingId: 38d587ad-9dcf-4f50-abff-777818f75157, Listener for Namespace: ssprsbsas5prodncu, Endpoint: b8bf6691-79c5-45c2-bbf8-f1ad82331cf2_c2247017-e958-4ae4-9c5e-44c34733e6d4 lost Connection. Reconnecting Event. Last error encountered System.ServiceModel.CommunicationException: The connection to the connect service was lost. ---> Microsoft.ServiceBus.ConnectionLostException: The connection to the connect service was lost.
--- End of inner exception stack trace ---, Details: Version: 5.0.0.686
If we disable Password Write Back in AD Connect the errors go away.
While it all appears to be working as expected, and password writeback/reset is functioning when we enable it I'd like to get to the bottom of the errors in case there's some other underlying problem.
Have trawled the internet but turned up nothing to shed any light. Any help would be appreciated...
Jamie