register with powerbi error in reporting configuration tool of sql server 2016
Filter after upgrade from DirSync to AADConnect
Hello,
I have a situation on an upgrade of DirSync to AADConnect
I followed the documentation:
I have exported the configuration from DirSync
Then I imported the configuration in AADConnect
I should see my filter in the synchronization rule editor, no? or a tab on the AADConnect (view configuration)
Thanks,
AD Connect hangs synchronizing local AD to Azure AD
We are using the latest Azure AD Connect tool (1.1.371.0) on a WS2012R2 server (2 CPU, 2 GB RAM, Hyper-V virtual machine). In a few months synchronization has hung 3-4 times. I usually reboot the whole server to fix this. Today I found such an error (at the same time the AD Connect Sync Status tool was showing an in-progress state):
The management agent controller encountered an unexpected error. "ERR_: MMS(2084): ..\memutils.cpp(7965): Unusual error code reported 0x80004005
Azure AD Sync 1.1.371.0" The management agent "ourdomain.onmicrosoft.com - AAD" failed on run profile "Delta Synchronization" because the server encountered errors.
Azure AD Connect
Currently:
We used to have Exchange on-prem. Then I migrated everything over to O365, but it was a clean O365 setup. No hybrid scenario.
Exchange on-prem has been decommissioned and uninstalled. All email is in O365.
No AD connect utility running.
What i want to do:
Enable AD Connect for password and user synchronization of On-Prem users to O365.
Hesitations/Questions:
Will enabling AD Connect disable O365 admin features, and will I need to use PowerShell as I keep reading online, even though these are two separate instances and there are no dependencies of O365 on on-prem?
Activating Active Directory Premium Basic for Educational purposes
Hi Everyone,
Please, i have a question about how to activate Azure Active Directory Premium Basic for an Educational Institution.
We contacted our Microsoft vendor before and they told us that we just need to activate the free licences and we do not need to purchase the basic licences for the education plans.
My question is: how do we find those free licences for basic AADP?
Regards,
Said ALLAMI
LDAPS Over Internet - Client Authentication
Hello - I am trying to connect to the azure director over internet on the LDAPS but I can't get it to authenticate when I try to bind it...am I missing something? I've followed all steps on the azure LDAPS setup and have my user as part of the AAD AD Admin group, is there another group that I need for this? Says invalid credentials or can't authenticate LDAP Server...any help would be great!
-Thank you
Check when and if Initial sync ran successfully
Hi,
I am finding it hard to understand where the sync service reports that an initial sync was initiated.
I have scanned through Event Viewer for event 904 and all events point to a delta sync.
Is there an event that's generated when you start an initial sync?
Is there any other way to identify when in the past someone initiated an initial sync?
Sync service version : 1.1.343.0
Azure Active Directory LDAP support
From @BCAlpine via Twitter:
"Is there a method of exposing azure active directory from office365 as an LDAP service so that we can connect our NAS to it?"
Thanks,
@AzureSupport
Getting error for Azure AD sync
I have configured Azure AD sync in my environment, but I am getting the following errors while syncing the local AD with Azure AD. I have been seeking a solution, but have not been able to resolve it.
========================
Error Name: ObjectTypeMismatch
Error Detail: An object with the same proxy address already exists in Azure Active Directory but is of an incompatible object type (object classes: contact, group, or user). Correct this issue in the local directory services or in Azure Active Directory and try again.
An object with the same proxy address already exists in Azure Active Directory but is of an incompatible object type (object classes: contact, group, or user). Correct this issue in the local directory services or in Azure Active Directory and try again.
Tracking Id: ef0f884c-aa21-4e45-93de-8632767f9b38
ExtraErrorDetails:
[{"Key":"ObjectIdInConflict","Value":["0c230b34-2282-48b1-b31b-05052c235f0b"]}]
The term 'Get-ADSyncRule' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again
========================
I have tried the links below, but with no success. Seeking help with this issue.
http://aka.ms/d1602836 & http://aka.ms/d16028361
Thanks,
Onkar
Problem with AAD Connect Sync after on prem mail migrated
Hi,
We have moved ~5000 users on premise from an Exchange in our old AD to an Exchange in our new AD.
Users were already created in the new AD, and that AD is synced with Azure AD.
During this migration, we received error messages from the sync saying that "### numbers of objects is sent to deletion". We haven't deleted any objects - we only changed users from "CrossForestMailContacts" to "LinkedMailUsers".
When I check "Synchronization Service Manager" it shows the status "stopped-server-down".
https://i.imgur.com/5sgW2Hq.png
Can anybody give a clue why Azure AD thinks we're deleting objects?
I know about the "Disable-ADSyncExportDeletionThreshold" option, but I don't get why it should be necessary to disable (or change) that threshold.
Cheers
Anders
Azure AD does not show User Consent page and returns AADSTS65001 on login, only for some AD tenants
We have two different unrelated AD organizations (tenants). And an AngularJS website which wants to login users via their AD account (OAuth, same as sign in with Facebook or Google flow), or register with some pre-filled information from their basic profile.
We use adal.js library, without adal-angular.js.
Each tenant has its own single-tenant app created in the "App registration" section.
Problem
Both login and register works perfectly with the first tenant's app. User signs in at `login.microsoftonline.com/{tenant-id}` (let's call it "MS page" for brevity), sees the "User Consent" page, accepts giving permission, MS page redirects
back to our website with id_token in the url, our app sends request for access_token and receives it successfully.
But for the second tenant's app it receives AADSTS65001:
#/error=interaction_required&error_description=AADSTS65001:+The+user+or+administrator+has+not+consented+to+use+the+application+with+ID+'ff1bb76e-7823-45a1-9950-b38fe8d3d0b4'.+Send+an+interactive+authorization+request+for+this+user+and+resource.&Trace+ID=...
when trying to get access_token after they signed in. But "User Consent" page is not shown, and there is no error message before this.
All interaction happens on the MS page, and it works differently in two different apps in two different AD organizations/tenants, which is a bit confusing.
Same things in both apps:
- our website code is the same in both cases (except for tenant id and client id ofc), it is deployed to the same url
- configuration of both apps is the same (cannot guarantee it, but we had a "shared screen" call, where we checked that manifest and all settings and permissions we know of have the same values)
- both apps were created from scratch in the new Azure portal, and we set only `oauth2AllowImplicitFlow: true` in manifest and Reply URLs, we did not change other settings
- both apps have only one permission set in Required permissions: Windows Azure Active Directory - "Sign in and read user profile" delegated permission
Our adal config is the following:
```javascript
var adAccessTokenResource = 'https://graph.windows.net';
var adalOptions = {
  tenant: tenantId,
  clientId: clientId,
  resource: adAccessTokenResource,
  endpoints: { graphApiUri: adAccessTokenResource },
  //popUp: true // does not work the same way for both true and false
};
```
Different things:
One possible difference is that we have our website at `subdomain.{org-name}.com` where {org-name} is the same as the tenant-which-works name, so users have accounts `username@{org-name}.com` there. Can this be the reason?
In addition, for some accounts of the second tenant, `login.microsoftonline.com` redirects to the org-specific page to sign in the user. But for other accounts it does not, and error and behavior is the same in both cases.
After debugging with Fiddler we discovered that in both cases MS page sends the same `POST https://login.microsoftonline.com/{tenant-id}/login` request. But for the working app it returns 200 response with the User Consent page. If user agrees - the second
request `POST /{tenant-id}/Consent/Grant` is sent, which returns 302 with id_token and redirects to our app, meaning that user has logged in. Our app asks for the access token on the redirect and this request works.
For the non-working app `POST https://login.microsoftonline.com/{tenant-id}/login` returns 302 redirect with id_token right away, without showing the "User Consent" page. So, we get a redirect after the first request. Our app asks for the access token
and gets an error that consent was not given.
Question
What can be possible cases for the differences in the behavior?
Or should only multi tenant app be used? We wanted to make it work with single tenant app at first.
I am new to Azure AD. Any help will be greatly appreciated.
How to Configure PostMan OAuth 2.0 flows for REST API Management Calls
I know how to use Postman to make REST calls to API Management dealing with manually getting and updating tokens every time I get started and then every 30 minutes. I recently discovered that Postman supports OAuth 2.0 flows which should allow us to not have to deal with the manual token update process.
I've spent a few hours trying to get this working with no luck. The Azure terminology does not align well with the OAuth 2 terminologies and I'm no expert in this arena. How can I configure AAD and Postman so that I can make API Management calls and not have to deal with manually updating tokens all the time?
Azure AD Connect - no such host is known when configuring proxy
Hi,
We have an internal Exchange environment which we want to federate with O365. Initially we do not want mail flow to go to O365 - at this moment, I simply want to configure federation and will setup the MX and SPF records for Office 365 at a later date.
Our environment is as follows:
ADFS (internal server)
WAP (DMZ)
O365 subscription
Port 443 is allowed from ADFS to Office 365 and the WAP. The WAP is allowed to communicate with the internal ADFS server using 443. I've installed AD Connect and entered my enterprise admin and O365 credentials, then chosen the option to configure ADFS using AD Connect. I hit an error with the "ADFS Farm\Proxy Servers" as I receive an error stating that "No such host is known". I have a few questions:
1. How can I get AD Connect to configure ADFS O365 federation? Presumably I need to open management ports up between the WAP and the AD Connect server?
2. Given that I don't want to configure mail flow for O365, are there any adverse results from selecting the hybrid configuration in AD Connect (I'm aware that certain Exchange attributes are written back on premise and that's fine).
Thanks
IT Support/Everything
AADSTS65005 error when setting up SSO for Box
Hi there,
I'm getting the following error when trying to use Azure SSO with the Box application from the app gallery:
Correlation ID: 5f32087c-f4e9-4f43-b517-e947a98e1218 |
Timestamp: 2017-01-06 18:10:13Z |
AADSTS65005: The client application has requested access to resource '00000002-0000-0000-c000-000000000000'. This request has failed because the client has not specified this resource in its requiredResourceAccess list. |
I followed the instructions exactly as specified here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-box-tutorial
The Box team has completed their side of the connection.
I did notice that there is an "Identifier" field that is being asked for that wasn't part of the setup guide. I'm not sure if that might be causing the error.
Automatic User Provisioning SCIM RESTful PATCH Payload issue
This is regarding the Automatic User Provisioning using SCIM feature of Azure Active Directory as described in this article (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-scim-provisioning).
After assigning or un-assigning a user to/from custom apps, as expected, Azure sent out a RESTful PATCH request to change the "active" attribute of the user resource, a single-valued attribute, to True or False.
The issue is that the HTTP body payload seems to be incorrect. The "value" specified by Azure was somehow an array and looked like a value for a multi-valued attribute, which seems incorrect, as the user "active" attribute is a single-valued attribute.
```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "Replace", "Path": "active", "Value": [ { "$ref": null, "value": "True" } ] }
  ]
}
```
I believe the payload should look something like this:
```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "Replace", "Path": "active", "Value": "True" }
  ]
}
```
Can someone in Azure Engineering team take a look at this issue?
Thanks a lot!
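A SCIM endpoint that receives this provisioning traffic has to cope with the shape the post describes. The following is an added example (not code from the post, from Azure, or from any SCIM library) of a small PatchOp handler that applies a Replace on the single-valued "active" attribute: it looks up keys case-insensitively (the post's payload uses "Path"/"Value" where RFC 7644 uses lowercase "path"/"value"), accepts either the bare value or the one-element array wrapper shown above, coerces "True"/"False" strings to booleans, and rejects multi-element arrays, unknown ops and unknown paths so that malformed provisioning input cannot silently change account state. The two sample payloads are constructed copies of the ones in the post; the user record is constructed as well.

```python
import json
from typing import Any, Dict

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: the array-wrapped payload the post reports Azure sending.
AZURE_STYLE_PAYLOAD = (
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],'
    '"Operations": [ {"op":"Replace","Path":"active","Value": [ {"$ref":null,"value":"True"} ] } ] }'
)
# Constructed sample: the bare single value the post expects instead.
BARE_PAYLOAD = (
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],'
    '"Operations": [ {"op":"Replace","Path":"active","Value": "True" } ] }'
)


def _get_ci(obj: Dict[str, Any], key: str) -> Any:
    """Case-insensitive key lookup: Azure sends 'Path'/'Value', RFC 7644 uses 'path'/'value'."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    raise KeyError(key)


def unwrap_singular_value(value: Any) -> Any:
    """Normalize a PATCH value destined for a single-valued attribute.

    Accepts a bare scalar, or a one-element list whose item is either a scalar
    or a {"value": x} object (the shape shown in the post). Anything else,
    including a multi-element list, is rejected rather than guessed at.
    """
    if isinstance(value, list):
        if len(value) != 1:
            raise ValueError("single-valued attribute received %d values" % len(value))
        value = value[0]
        if isinstance(value, dict):
            value = _get_ci(value, "value")
    if isinstance(value, (dict, list)):
        raise ValueError("unsupported value shape for single-valued attribute")
    return value


def to_bool(value: Any) -> bool:
    """Coerce a JSON boolean or the strings 'True'/'False' (any case) to bool."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered == "true":
            return True
        if lowered == "false":
            return False
    raise ValueError("not a boolean: %r" % (value,))


def apply_patch(user: Dict[str, Any], body: str) -> Dict[str, Any]:
    """Apply a SCIM PatchOp body to a user record and return the updated copy.

    Only 'replace' on the 'active' path is supported here; every other op or
    path raises, so a handler wired to this function fails closed.
    """
    doc = json.loads(body)
    if PATCH_OP_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = dict(user)
    for op in _get_ci(doc, "Operations"):
        name = str(_get_ci(op, "op")).lower()
        path = str(_get_ci(op, "path"))
        if name != "replace":
            raise ValueError("unsupported op %r" % name)
        if path.lower() != "active":
            raise ValueError("unsupported path %r" % path)
        updated["active"] = to_bool(unwrap_singular_value(_get_ci(op, "value")))
    return updated


if __name__ == "__main__":
    user = {"userName": "alice@example.invalid", "active": False}  # constructed record
    print(apply_patch(user, AZURE_STYLE_PAYLOAD))
    print(apply_patch(user, BARE_PAYLOAD))
```

Both sample payloads produce the same result, an account with `active` set to `True`, which is the point: the endpoint tolerates the wrapper the post complains about without becoming permissive about payloads it does not understand.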
Embedding access panel in a web page?
Azure B2B with Azure Government
Azure AD B2B users not seeing tenant branding
I have a multi-tenant application where I added external B2B users via the graph (https://graph.microsoft.com/beta/invitations). The tenant in which the application belongs is branded with the customer's branding. When logging in as one of these external users the branding disappears. The external users log into the application just fine, we're just having issues with the branding.
I'm guessing that it has to do with the tenant discovery because if I modify the OWIN not to use the LoginHint property the branding appears until I add the external user's email address into the user field. I have tried setting the DomainHint property to the domain with the branding with no luck.
Is there any way I can override the tenant discovery to show the branding?
Any help would be appreciated.
Thanks
B2C - self-service password reset not working
Hello,
I'm setting up a POC for use of B2C following the quickstart for an ASP.NET MVC app described at https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet-susi
Sign-up and sign-in policies are flowing nicely in my sample app but I am not able to see the self-service password reset functionality working. I have followed the steps described https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-sspr
I receive the error message "The user ID you entered does not exist. Please check that you have typed your user ID correctly" when attempting with users from both Microsoft Account as well as the target AAD. I am certain that I am not mis-typing the user id value, and I have verified that the accounts have an alternate email address. And, I am able to successfully reset password for the AAD account if I enter the flow via https://login.microsoftonline.com.
Has anybody had success with B2C password reset? Any suggestions as to why the B2C password reset is not working in my case?
Thanks!
Chris
B2C logout with multiple policies
Hi,
I have two B2C instances set up similarly: one with 1 policy (signin), the other with 3 policies (signin, signout and profile edit). Both use local accounts. Utilizing the same client-side code, the logout for the 1-policy B2C works as expected. The logout for the B2C instance with 3 policies does not actually sign the user out. Is there any difference between logout with one or multiple policies?