Good Morning,

I am rolling out the Microsoft office 365 password reset service to the end users. The local users are able to register and reset their passwords successfully. 

The issue is with the oversees users [Asia & central America] are able to register their accounts and request a new password, however, after verifying their account via email or text message, the users provide a new password that meets the domain groups policy, the users receive an error message:

We're sorry, but we cannot reset your password at this time. This is due to a temporary connectivity issue, so if you try again later, resetting your password may succeed. If the issue persists, please contact your admin to reset your password for you.

All 3 domains [local, other 2 domains [Asia & central America] are part of the same forest: Windows 2008R R2 Forest.

The remote users have different email address domain. All email domains are part of the same Exchange environment. Each user email account is configured with more than one email alias. 

The users have the proper office 365 “Azure Active Directory Premium” licenses.

Thank You 

Raed

I hope someone can help me.

I've created an Azure WebProxy to direct traffic to our on-premise SharePoint 2010 Server.

The error I am receving on the AppProxy Connector server is...

<quote>Microsoft AAD Application Proxy Connector cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error.

Details:
Transaction ID: {80d1cc48-050f-4194-8662-6a650381eac4}
Session ID: {80d1cc48-050f-4194-8662-6a650381eac4}
Published Application Name:
Published Application ID:
Published Application External URL: https://sharepoint-tenant.msappproxy.net/
Published Backend URL: http://sharepoint.internaldomain.local/
User: username@domainname.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G36 ManagedBrowser/1609.05
Device ID: <Not Applicable>
Token State: NotFound
Cookie State: NotFound
Client Request URL: https://sharepoint-tenant.msappproxy.net/
Backend Request URL: http://sharepoint.internaldomain.local/
Preauthentication Flow: PassThrough
Backend Server Authentication Mode: WIA
State Machine State: BEHeadersReading
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: 401
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: GET
Client Request Http Verb: GET</quote>

Please note that I have removed some information for security purposes.

The message I receive on the mobile device is...

<quote>Authorization failed.  Make sure the user has permissions to the internal application.

The user is 'authorised' because the user (me) uses it on the internal network.

Does anyone have any ideas?

Kind regards,

Lee

We are trying to implement conditional access with AAZ/Intune.  We have a mixed OS guest environment: 95+% Win7 and a handful of Win10.  The next step, or at least where we are currently, is needing to sync our devices/COMPUTERS container with AAZ.

Because the process is extremely new, so it seems, Win10 anniversary is the only OS which works seamlessly, so before we begin I wanted to speak with an engineer & looking to work via Webex with an engineer to step thru process.

Here is the link and wanted to have some guidance/chat about implementing:

(Sorry for breaking up the link, can not submit a link for some reason.)

Thanks

Rob

Hi all im trying to install for the 1st time the Microsoft Active Directory synch tool, and I got this

[10:21:43.119] [ 24] [INFO ] Starting Sync Engine installation
[10:22:23.384] [ 21] [INFO ] Starting Telemetry Send
[10:22:23.387] [ 24] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.ComponentModel.Win32Exception: Only part of a ReadProcessMemory or WriteProcessMemory request was completed
   at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.TypeDependencies.ProcessStartBeginOutputReadAndWaitForExit(Process process, ProcessOutputListener listener, String& processOutput)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String& processOutput, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit, Boolean traceArguments)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapterCallerBase.TypeDependencies.StartBackgroundProcessAndWaitForExit(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlLocalDbAdapter.CreateInstance(String instanceName, NetworkCredential ownerCredential)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlLocalDbAdapter.InitializeSharedInstance(String instanceName, NetworkCredential ownerCredential)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass13.<InitializeSqlSharedInstance>b__11()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass13.<InitializeSqlSharedInstance>b__12()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InitializeSqlSharedInstance(String sqlLocalDbInstanceOwnerSid, NetworkCredential sqlLocalDbInstanceOwnerCredential, SetupConfig config)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Providers.EngineSetupProvider.SetupSyncEngine(String setupFilesPath, String installationPath, String sqlServerName, String sqlInstanceName, String serviceAccountName, String serviceAccountDomain, String serviceAccountPassword, String groupAdmins, String groupBrowse, String groupOperators, String groupPasswordSet, Int32 numberOfServiceInstances, ProgressChangedEventHandler progressChanged, NetworkCredential& serviceAccountCredential, SecurityIdentifier& serviceAccountSid)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)
[10:23:03.336] [  1] [INFO ] Opened log file at path C:\Users\Jort3g4\AppData\Local\AADConnect\trace-20160831-101518.log
[10:36:20.086] [  1] [INFO ] Opened log file at path C:\Users\Jort3g4\AppData\Local\AADConnect\trace-20160831-101518.log

In event viewer the event is 905 and the text is :

InitializeSqlSharedInstance: Error while attempting to remove stale local db instance. This may be expected. Details: System.ComponentModel.Win32Exception (0x80004005): Only part of a ReadProcessMemory or WriteProcessMemory request was completed
   at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.TypeDependencies.ProcessStartBeginOutputReadAndWaitForExit(Process process, ProcessOutputListener listener, String& processOutput)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String& processOutput, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit, Boolean traceArguments)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapterCallerBase.TypeDependencies.StartBackgroundProcessAndWaitForExit(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlLocalDbAdapter.StopInstance(String instanceName, NetworkCredential ownerCredential)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlLocalDbAdapter.StopAndDeleteInstance(String instanceName, NetworkCredential ownerCredential)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass16.<RemoveSqlLocalDbInstance>b__15()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass13.<InitializeSqlSharedInstance>b__11()

tech analyst

Hi,

I followed the Build service and daemon apps in Office 365 and Performing app-only operations on SharePoint Online through Azure AD document to create a windows console application to communicate to SPO using Azure AD App-only token approach and got the above error message. the following is my steps:

1. Created a Azure AD application and specified the following settings:
   1. Name: sharepointappidtest
   2. Type: Web application and/or Web API
   3. Sign-On URL: https://xyz.sharepoint.com
   4. App ID URI: https://xyz.sharepoint.com
2. Configure this Azure AD application’s “permission to other applications” as the following:  
   1. Windows Azure Active Directory: “Read Directory data” [Application permission]
   2. Office 365 SharePoint Online: “Have Full control of all site collections” [Application permission] and “Read and write managed metadata” [Application permission].
3. Created a self-signed certificate and run the PS from those two documents to get key, and thumbnail key
4. Downloaded manigest.json, updated “keyCredentials” value and uploaded it back.
5. Created a windows console application. Added Microsoft.IdentityModel.Clients.ActiveDirectory and Newtonsoft.Json libraries.
6. The following is my code:

        static void Main(string[] args)
        {
            doStuffInOffice3651().Wait();
        }

        private async static Task doStuffInOffice3651()
        {
            string clientId = "[Azure AD application client id]";
            string key = "xxxx"; //certificate password
            //set the authentication context
            //you can do multi-tenant app-only, but you cannot use /common for authority…must get tenant ID
            //string authority = "https://login.microsoftonline.com/[tenant].onmicrosoft.com/oauth2/authorize";
            string authority = "https://login.windows.net/[tenant].onmicrosoft.com";
            AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);

            //read the certificate private key from the executing location
            //NOTE: This is a hack…Azure Key Vault is best approach
            var certPath = System.Reflection.Assembly.GetExecutingAssembly().Location;
            //certPath = certPath.Substring(0, certPath.LastIndexOf('\\')) + "\\O365AppOnly_private.pfx";
            certPath = @"C:\OfficeDevPnP.PartnerPack.SiteProvisioning\Certs\OfficeDevPnPCert.pfx";
            var certfile = System.IO.File.OpenRead(certPath);
            var certificateBytes = new byte[certfile.Length];
            certfile.Read(certificateBytes, 0, (int)certfile.Length);
            X509Certificate2 cert = new X509Certificate2(certPath, key, X509KeyStorageFlags.MachineKeySet);
            //var cert = new X509Certificate2(
            //    certificateBytes,
            //    key,
            //    X509KeyStorageFlags.Exportable |
            //    X509KeyStorageFlags.MachineKeySet |
            //    X509KeyStorageFlags.PersistKeySet); //switchest are important to work in webjob
            ClientAssertionCertificate cac = new ClientAssertionCertificate(clientId, cert);

            //get the access token to SharePoint using the ClientAssertionCertificate
            Console.WriteLine("Getting app - only access token to SharePoint Online");
            var authenticationResult = await authenticationContext.AcquireTokenAsync("https://xyz.sharepoint.com/", cac);
            var token = authenticationResult.AccessToken;
            Console.WriteLine("App - only access token retreived");

            //perform a post using the app-only access token to add SharePoint list item in Attendee list
            HttpClient client = new HttpClient();
            client.DefaultRequestHeaders.Add("Authorization", "Bearer " + token);
            client.DefaultRequestHeaders.Add("Accept", "application/json; odata = verbose");
            string url = "https://xyz.sharepoint.com/_api/web/Lists/getbytitle('TestLog')";
            using (HttpResponseMessage response = await client.GetAsync(url))
            {
                if (!response.IsSuccessStatusCode)
                    Console.WriteLine("ERROR: SharePoint ListItem Creation Failed!");
                else
                    Console.WriteLine("SharePoint ListItem Created!");
            }
            Console.ReadLine();
        }

I was able to get token without any problems. But no matter how I did, I always got the following 401 error message for REST API call:

{StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{x-ms-diagnostics: 3001000;reason="There has been an error authenticating the request.";category="invalid_client"
  SPRequestGuid: 25eb839d-0020-3000-0b4e-92f6dca2b3aa
  request-id: 25eb839d-0020-3000-0b4e-92f6dca2b3aa
  Strict-Transport-Security: max-age=31536000
  X-FRAME-OPTIONS: SAMEORIGIN
  SPRequestDuration: 212
  SPIisLatency: 3
  MicrosoftSharePointTeamServices: 16.0.0.5326
  X-Content-Type-Options: nosniff
  X-MS-InvokeApp: 1; RequireReadOnly
  Date: Tue, 07 Jun 2016 20:19:53 GMT
  P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
  Server: Microsoft-IIS/8.5
  WWW-Authenticate: Bearer realm="6f423eb7-7932-4e19-ae14-fa375038681b",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b",authorization_uri="https://login.windows.net/common/oauth2/authorize"
  X-Powered-By: ASP.NET
  Content-Length: 453
}}

Unable to get downloaded tutorial to work with my configured AD B2C. Followed example to the letter. Downloaded application works with example AD B2C; not with mine. Started new project, entered example code. That project works with the example AD B2C but not mine. My AD B2C configuration is the only variable

I believe AD B2C would be a great solution for my College employer as well as my personal business. I can not pitch what I cannot configure and present. I believe it works; just not for me and I'm sure I am doing something wrong. Spent a week on this; it would be nice to know and resolve, what I am sure is, my configuration error.

Hi All,

My Azure AD connect SQL database Is running out of space and I just wanted to know what Is the best way to move it to an SQL Server ?

I was thinking to uninstall Azure AD connect and Install it again using the custom settings, will it work ?

Question Is, If I re-sync after Install will I end with duplicate identities or is it smart enough to know that they are the same ?

Is there a documented procedure to do this ?

Many thanks,

We have had Azure Active Directory sign-in on our API management page before, but I just noticed that the option is now gone. I've tried following this guide: https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-aad/ 

but the tab called identities doesn't have an item called Azure Active Directory.

How do I enable Azure Active Directory sign-in again?

Error: 400 - Bad Request     
See Response Headers for details.   
{"odata.error" : {"code" : "Request_UnsupportedQuery","message" : {"lang" : "en","value" : "Invalid previous page search request."
		}
	}
}

Hi,

I have an infant school customer who wants to use simple passwords to sign in to Office 365/ AAD joined Windows 10 laptops. I have set StrongPasswordRequired to false for the users, but the requirements \re still fairly complex.

Can someone point me to an official MS document that discusses states what the password requirements are when StrongPasswordRequired is set to True and False?

Many thanks,

Si

My new Windows 10 computer is joined to an Azure Active Directory without my permission.  I did not actively join an Azure AD on the settings/accounts/access work or school account page or on the System/About page. When I go to any of these settings pages there is not option to join or leave an Azure AD.  I also found a provisioning package being applied to the computer at logon. Presumably coming from the Azure AD that the computer is linked to.  How do I disconnect my computer from whatever AD it is joined to?

I noticed another post in the active directory forum that poses a similar question.  How to block a computer from becoming a tenant of an azure active directory when the computer is not and should not be associated with that AD.  

I agree with the earlier prior post, this appear to be a serious security threat.   I have purchased several computers over the past month.  Each time I setup a new computer and complete the windows 10 anniversary updates the computer becomes attached to an Azure Active Directory.  What is this directory and why does it keep attaching to my computers?  I do not want to be part of some unknown organization's computer network.  Please help!

Hi

Just had the honor to fix our test-environment one more time due to this nasty behavior.

MySetup: I have several accounts (administrators, service-accounts) in my Azure Active Directory. This Azure Active Directory has Domain Services enabled, so that this accounts can be used in our Virtual Machines, hosted on Azure and Domain Joined to excat this Domain Services. Some of the Accounts are service-accounts (i.e. to query the LDAP) or Administrator-Accounts to access the machines by RDP

The Issue: After 30 Days if the last password change, every accounts gets disabled in the Domain Services. Login with the accounts still works on all the web portals provided by MS (i.e. portal.office.com, portal.azure.com) but the accounts are disabled in the Domain Services! Services cant start anymore, RPD fails, Windows Integrated Web Logins fails,....

And yes i have the option "PasswordNeverExpires" enabled for all those accounts. In fact, the expiration is set to 90 days, anyway. Link: https://www.petri.com/reset-azure-active-directory-user-password-set-never-expire 

This problem is also mentioned here https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/11457978-azure-ad-domain-services-is-forcing-me-to-change-p

Expected: When enabling this "PasswordNeverExpires" with PowerShell-Modules, this setting should be considered when syncing the users from AAD to the Domain Services environment.

If not, an administrator is forced to remote login, and change every service-account, every 25 days! Same applies for users. Thats a clear showstopper and I'm actually thinking in migrating to the AWS solution for this. How is it possible to enable a preview feature that lasts 30days only?

Is there a workaround for that? Seems that I'm not the only one having that issue

Michael

Ok, so this seems to be a popular question but I've got a wrinkle with the solution. We just replaced DirSync with Azure ADConnect, and everything went well. However, AAD Connect does not seem to automatically sync over the msExchHideFromAddressLists attribute, and you have to create a custom transformation to sync this from on-prem AD. We have a number of AD users with this value set to True so they are hidden from the GAL. I followed the instructions here to create the transformation:

https://community.office365.com/en-us/f/148/t/280163

This seemed to fix the problem at first, but I found that I still have a small percentage of mailboxes that did not get this attribute synced over. I've tried forcing it by flipping the value to False and running a sync, then flipping it back to True and syncing again, but this did not work. Is there something I am missing?

Hi

I added an YouTube app to Azure AD Applications from the application gallery, configured it to use Password Single Sign-On, assigned the app to a user account and added YouTube credentials (google account email address and password).

App is found from users Office 365 My Apps. It's just that when user clicks the link, it goes to YouTube.com as expected, writes the youtube user account email address but not the password. User is not able to login to YouTube because YouTube login asks the user for a password.

We tried this using Internet Explorer on Win 10 and Chrome for Mac. In both cases we installed the Access Panel Extension.

Why is the YouTube link asking for a password from user when it should not do that?

Azure health was working initially but stopped working 08/18. We did not get alert for this. Restarted service per website suggestion with no luck and firewall rule in place for outbound connectivity. The ADFS servers are all fine but the ADFS Proxy Servers are all showing the same thing. They both have same firewall rule. Any help is appreciated or troubleshooting.