Channel: Azure Active Directory forum

Move from "on-prem" AD to Azure AD with Domain Services


I currently have a domain controller running in Azure that is intended to provide group policy for password policies for all our users - both Azure users and Office365.  That's the only purpose of this server.  

I would like to remove this domain controller server and have AAD be the master over the users; with Domain Services, it appears as though I can control password policies. Having the ability to join servers in Azure will be an added plus.

First - is this idea going to work? Second, I do have Domain Services up and running in the AAD, but I'm not sure how to migrate from my "local Active Directory" to AAD.

Can someone assist?


Need help transforming incoming claim and I would assume outgoing claim as well.


Have on prem user with upn user@prod.contoso.com.

His UPN is being transformed to user@contoso.com as it is being synced via AD Connect to the verified domain in the cloud, showing up as user@contoso.com.

SourceAnchor is the objectGUID

I have set up AD FS pretty standard, Server 2012 R2 with all patches, and a WAP server as well.

When I try to authenticate to either Office 365 or the Azure portal with the user account user@contoso.com (while being logged in on my client computer as user@prod.contoso.com), SSO obviously doesn't work. I get access denied as invalid username or password, because the user's UPN on-prem in AD is user@prod.contoso.com and not user@contoso.com.

I need to add two claim rules; I'm assuming one for the incoming claim (to transform it from user@contoso.com back to user@prod.contoso.com) and the other for when the claim is sent (to submit user@contoso.com and not user@prod.contoso.com).

Basically, I would like to use an AD FS claim rule to make the UPNs match (user@prod.contoso.com <-> user@contoso.com). In order to do this, I believe I need to add a claim rule; I need help on where to put it and what it would look like.

Here is a quick drawing of what I need, if it helps; it's in MS Paint.

Thanks for your help!!

http://imgur.com/a/WyvhT
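As an added illustration (not from the original post or from Microsoft's documentation): an AD FS issuance transform rule, in the claim rule language, that rewrites only the prod.contoso.com suffix on the outgoing UPN claim before the token is sent to Azure AD. The domain names come from the post; the rule name and the form of the existing Office 365 rule set on the relying party are assumptions.

```text
@RuleName = "Rewrite prod.contoso.com UPN suffix to the cloud-verified contoso.com"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
   Value =~ "^[^@]+@prod[.]contoso[.]com$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
          Value = RegExReplace(c.Value, "@prod[.]contoso[.]com$", "@contoso.com"));
```

The anchored pattern means a UPN with any other suffix is left untouched, so the rule cannot map accounts from other domains onto contoso.com identities. If the relying party's existing rule already issues the raw UPN from AD, both values would leave AD FS; the usual fix is to have that rule add() the raw UPN to the pipeline and let only this rule issue() it, while the ImmutableID (objectGUID) claim stays as is.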



Provisioning Attributes - looking at Provisioning attributes gives an error


We are trying an integration with Facebook at Work.

Everything worked fine before the summer, and we have since imported more users into AD.

Now we would like to provision more users to Facebook, but it seems the provisioning is no longer working.

Account Provisioning Status
Last time accounts were fully synchronized in the directory was at 21.06.2016 22:16 GMT+2
Last attempt started at 21.06.2016 22:16 GMT+2 and ended at 21.06.2016 22:16 GMT+2
Status: Successful
Total provisioned accounts: 5

When I test the connection, it works fine.

I have also tried restarting the provisioning. This seems to restart, but it does not provision.

I have set some specific provisioning attributes to prevent all our domain users from being invited.

When I now try to look at these, under Attributes - Provisioning, I get this error:

An error occurred that was our fault. 

We should already be investigating, but you may also use the feedback button below to send us a report of the mishap.

Could you please advise on what to do? If I revert the attributes that prevent all users from getting provisioned, I will have a ton of users provisioned that are not supposed to be provisioned to Facebook@Work. So I do not see this as a good solution...

Login to Azure Active Directory programmatically and display files from office365.


Hi,

I want to get files from Office 365. What I want to achieve is to do this without prompting the user to log in via https://login.microsoftonline.com/.

I wrote the code below to get the token by providing the username.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL: AuthenticationContext, ClientCredential, UserIdentifier
using Microsoft.Office365.Discovery;                     // Office 365 Discovery Service client

List<MyFiles> myFiles = new List<MyFiles>();

string userName = "xxxx@xxxxxx.onmicrosoft.com";

AuthenticationContext authContext = new AuthenticationContext(SettingsHelper.Authority, false);
UserIdentifier userIdentifier = new UserIdentifier(userName, UserIdentifierType.OptionalDisplayableId);

ClientCredential clientCred = new ClientCredential(clientId, appKey);

DiscoveryClient discClient = new DiscoveryClient(SettingsHelper.DiscoveryServiceEndpointUri,
    async () =>
    {
        // Silent acquisition only succeeds when a token for this user is already in the ADAL token cache;
        // it never prompts and never contacts the login page on its own.
        var authResult = await authContext.AcquireTokenSilentAsync(
            SettingsHelper.DiscoveryServiceResourceId,
            new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey),
            userIdentifier);

        return authResult.AccessToken;
    });
try
{
    // The token callback above runs on the first request and is where the error below is raised.
    var dcr = await discClient.DiscoverCapabilityAsync("MyFiles");
}
catch (Exception ex)
{
}
```

I'm getting the error message "Failed to acquire token silently. Call method AcquireToken" when executing:

```csharp
var dcr = await discClient.DiscoverCapabilityAsync("MyFiles");
```

Is there a way to get the token with the username or by providing anything else? I know you can pass username and password for a native app (UserCredential), but mine is a web app.

Regards

Nashaq

Azure Active Directory B2C Password SelfService and the alternate Mail address


I'm evaluating Azure AD B2C. I downloaded the sample web app from GitHub and have now configured Azure B2C with SignIn, SignUp and SelfService policies. The web app is up with SignUp, SignIn, SelfService and social login. All policies can be triggered from the web app and run very well. Additionally I have enabled password reset with "alternate mail address" (until now the only possible option). The question is: how can the user fill this attribute via the SelfService pages? The attribute is not built in within the B2C configuration options (see screenshot below).

This means it isn't available to SelfService policies. If I go to the classic portal as admin I'm able to set the alternate mail address and the user is able to reset the password. But the goal is to enable the user to set up his alternate mail address. How can I do this?

Kind regards

Denis

How to authenticate to Microsoft Dynamics CRM as the Office 365 logged-in user from an Azure-hosted Web API


I have created a Web API and hosted it on Azure. Now I want to get data from Microsoft Dynamics CRM into this API with the logged-in Office 365 user's credentials.

So when I call the Web API from Office 365, it takes the Office 365 logged-in user's credentials and gets data from CRM for the same user.

How to determine Microsoft Account / Azure account when AD joined


I was wondering if anyone knows how to programmatically (with PowerShell, for example) determine, from the user's context, what the user's Azure logon name is in Windows 10 when the device is Azure AD joined. The $Env variable just contains a local name, not the full UPN.

I didn't find any reliable registry keys under HKCU either, any clues?

SSO SAML - Directory extensions and using those attributes


Hi Everyone,

I'm looking into adding some additional AD attributes to the Azure AD Connect setup by way of directory extensions (e.g. EmployeeNumber, EmployeeID).

Currently we utilise ADFS on-prem for some applications and use these attributes as the Name ID.

I have been reviewing the following URL.

http://social.technet.microsoft.com/wiki/contents/articles/31257.azure-active-directory-customizing-claims-issued-in-the-saml-token-for-pre-integrated-apps.aspx?wa=wsignin1.0

My question is, once you add more attributes to your sync via Directory Extensions in Azure AD Connect, are you then able to utilise these attributes in SAML claims in Azure AD?

This may be a show stopper for me if this is not possible for certain applications.

Cheers,
Simon


Azure AD B2B collaboration preview - Directory invitation failed - Group was not properly configured


Hi All,

I am creating users with a CSV and granting group access to an existing security group. I get the error below, but the users are created without any issues; they are not added as members of the group, and the invitation is also not sent.

Directory invitation failed - Group was not properly configured

Thanks, 

Your response will be much appreciated..

B2B and security group


Hi all,

I would like to know if it is possible to add a B2B user to a security group.

I added a B2B user with this tutorial: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview and I specified Email, DisplayName and InviteContactUsUrl to generate the request with the CSV file. I can see this user in my Office 365 tenant (nameofuser1#EXT@contoso.onmicrosoft.com), and I can see this same user on Azure with the right UPN (nameofuser1@compagny.com).

I cannot see this user when I want to add him to a security group on Office 365. On my apps.microsoft.com, I can see this user when I want to add him in the "Add member" list on the group, but I get this message:

An unexpected error has occurred. Please reload the page and try again.

Same thing if I try again. So must I make another CSV file for this user with the InviteGroupResources parameter?

Thanks all!

Azure AD Service Administrator Privileges


We have an Azure AD account set up for our users. I am currently a Co-Administrator for our AD, and monitor/make changes when needed. The service admin is able to access the Configure tab and all of the resources to make changes to the AD. As a Co-Administrator, when I access the Configure tab and some other sections, I get this message.



Is there a way to have two service administrators for an AD or give access to the co-admin for these resources? 


Configuring LDAP Certificate on Azure AD


Hi, I followed the instructions provided by Microsoft. (https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-admin-guide-configure-secure-ldap/)

However, when I try to configure the LDAP certificate, I get an error "Failed to upload the certificate for secure LDAP." and the description says "There is an operation being performed for this tenant. Please try again later."

Thanks in advance!

Microsoft Graph API Me.CheckMemberGroups Required Permissions


I have an ASP.NET MVC application that I am attempting to use to call the Microsoft Graph API. What delegated permissions are required to call me.CheckMemberGroups using the Microsoft Graph Client SDK? I have tried assigning "Sign in and read user profile" and "Read all groups" but I still get an error - "Insufficient privileges to complete the operation."

I am retrieving the access token via a call to AcquireTokenByAuthorizationCodeAsync() and then using that to call the Graph API:

var groups = await graphClient.Me.CheckMemberGroups(groupIds).Request().PostAsync();

Thanks,

Sean

Azure Active Directory Domain Service - how to join to AAD DS domain?


I've followed instructions at https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-getting-started-vnet/ to set up AAD DS. AAD DS domain name is MyAADDomainName.onmicrosoft.com

I've created a new AAD user account (to generate a new password hash) and added this new account to the 'AAD DC Administrators' group. I can log on using this new user account and password to http://myapps.microsoft.com. So far so good.

User name inherits default AAD suffix and looks like: NewAADDSAdminUser@MyDefaultDomainName.onmicrosoft.com

Note that the domain name in the user's name and the AAD DS domain name do not match each other, and this is probably where things go wrong. There is no option available to create a new user with the MyAADDomainName.onmicrosoft.com suffix.

Now I want to join my newly created W2k12R2 VM to the domain. The VM gets DNS correctly and can resolve the AAD domain name (MyAADDomainName.onmicrosoft.com). But the next step fails when I provide a user account with the privilege to join a computer to the domain.

I've tried both names but keep getting the error (see below). What am I doing wrong?

NewAADDSAdminUser@MyDefaultDomainName.onmicrosoft.com 

and

NewAADDSAdminUser@MyAADDomainName.onmicrosoft.com

---------------------------

Computer Name/Domain Changes

---------------------------

The following error occurred attempting to join the domain "Azcontoso.onmicrosoft.com":

The user name or password is incorrect.

---------------------------

OK  

---------------------------


How to configure Azure AD B2C account to work with downloaded tutorial


Unable to get the downloaded tutorial to work with my configured AD B2C. I followed the example to the letter. The downloaded application works with the example AD B2C, not with mine. I started a new project and entered the example code. That project works with the example AD B2C but not mine. My AD B2C configuration is the only variable.

I believe AD B2C would be a great solution for my college employer as well as my personal business. I cannot pitch what I cannot configure and present. I believe it works, just not for me, and I'm sure I am doing something wrong. I've spent a week on this; it would be nice to know and resolve what I am sure is my configuration error.


Azure AD Domain Services


It seems that Azure AD Domain Services only supports Vnet (classic).
Is it possible, or when will Domain Services support Resource Manager and the new Vnet model?
We don't use the Classic model for deployment of resources to Azure, and most people are moving to Resource Manager, so why is Domain Services first implemented in the Classic model?

Any workaround to be able to tie Domain Services to a vnet created by Resource Manager?

//Jonas

Release date of Azure Active Directory Domain Services.


We are planning on using Azure ADDS to automatically authenticate some users to the Wi-Fi network using LDAPS with our wireless LAN controllers. We will create the domain only in the cloud and configure the wireless LAN controllers to authenticate users against Azure ADDS through LDAPS.

This setup doesn't work with Azure Active Directory because of the lack of LDAPS authentication (we don't want to install a local machine).

This is why we are waiting anxiously for Azure AD Domain Services to be released, because it will allow us to do this without a local machine.

Anyone have an idea on when it will be released?

Thanks


Azure AD join for the administrator's microsoft account


Hi,

My boss has created an Azure subscription for our company. He is the administrator of the company. He created the Azure AD for the @mycompany.com domain and added me in. He is however connected with a Microsoft account, created with his @mycompany.com mail address.

I was able to successfully join my computer and log on to it, but he couldn't. I tried joining the domain with my account on his computer, which worked, but he still can't connect to it. The message states that the login or password is incorrect, without any helpful information. What can we do?

Regards,

Jérémy VIGNELLES

B2C: WebApi 2 claims transformation


I'm writing a WebAPI 2 application using the Azure B2C to provide OAuth 2 authentication, but I need to add some custom claims from the database so that the controllers have sufficient context to decide whether to allow access.

However, I'm having trouble finding an appropriate place to put this logic. I've tried:

1. Adding an OWIN middleware component - the issue is that when this executes, the context is not yet authenticated, so it's no use; I can't see how I can control where in the pipeline I sit.

2. Assigning a delegate to OpenIdConnectAuthenticationNotifications.SecurityTokenValidated - the issue here is that although the ClaimsIdentity has been created and shows as authenticated, none of the claims have been assigned; also this seems to run once per authentication rather than per request.

There seems to be very little up-to-date documentation on this stuff.


Paul

Unable to use Azure WebProxy to on-premise SharePoint 2010 Server


I hope someone can help me.

I've created an Azure WebProxy to direct traffic to our on-premise SharePoint 2010 Server.

The error I am receiving on the AppProxy Connector server is...

Microsoft AAD Application Proxy Connector cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error.

Details:
Transaction ID: {80d1cc48-050f-4194-8662-6a650381eac4}
Session ID: {80d1cc48-050f-4194-8662-6a650381eac4}
Published Application Name:
Published Application ID:
Published Application External URL: https://sharepoint-tenant.msappproxy.net/
Published Backend URL: http://sharepoint.internaldomain.local/
User: username@domainname.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G36 ManagedBrowser/1609.05
Device ID: <Not Applicable>
Token State: NotFound
Cookie State: NotFound
Client Request URL: https://sharepoint-tenant.msappproxy.net/
Backend Request URL: http://sharepoint.internaldomain.local/
Preauthentication Flow: PassThrough
Backend Server Authentication Mode: WIA
State Machine State: BEHeadersReading
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: 401
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: GET
Client Request Http Verb: GET

Please note that I have removed some information for security purposes.

The message I receive on the mobile device is...

Authorization failed.  Make sure the user has permissions to the internal application.

The user is 'authorised', because the user (me) uses it on the internal network.

Does anyone have any ideas?

Kind regards,

Lee
