Channel: Azure Active Directory forum

How to unlock an Azure AD user account?


Hi Team,

We have Azure AD hosted on Azure and we want to test the security of our Azure AD. The requirement is that if an intruder enters a wrong password 10 times, or 10 "successful Captcha and wrong password" combinations, for an Azure AD user, the Azure AD user account shall be locked out. If it is locked out, what is the idle duration before it auto-unlocks? And is there any way to unlock the account on demand through the Azure Management portal or PowerShell? If it is doable through either of these, how can we unlock the account? I couldn't find any answers.

Your fast response is much appreciated in extending our business onto Azure. Thank you.

Regards,

Subhash


Regards, Subhash Konduru


Need suggestion for setting up an AD server on Azure cloud without having an on-premises AD server


By creating AD on just Azure VMs without having on-premises AD, is it possible to join our client computers to the domain?

If there is any additional configuration required, please provide more details.

Ours is a startup and we want to use only cloud AD for our organization.

Our goal is that whenever any user connects to our office network, their devices should be within our domain. Please provide how we can achieve this by installing AD only on Azure VMs without an on-premises AD server.

AD Connect - Synced an OU it shouldn't have.


So the story goes like this. I set up an OU a few days ago and dropped some security groups in there to sync to 365 so we could get ready for a client cutover. Those synced fine as we built out their SharePoint. I have filtering set to just this OU and that is it.

Today however, I created a BRAND NEW OU in AD that is separate from the one I set up a few days ago, created all the users and groups that were necessary, and made no changes to the AD Connect application, and suddenly I am getting calls that users' passwords are changing and they are not able to log in to their 365 email. What the heck?

Any ideas what is going on? I can't understand why any new additions to a completely separate OU would be synced automatically.


The access token is from the wrong issuer - Azure REST API call


Hi,

I have multiple subscriptions as co-administrator. To get the client ID and secret for the token, I have created an application in a new Azure Active Directory.

From the below code I got the access token:

// Requires the ADAL package (Microsoft.IdentityModel.Clients.ActiveDirectory);
// TenantId, ClientId and ClientSecret come from the app registration.
using Microsoft.IdentityModel.Clients.ActiveDirectory;

string authContextURL = "https://login.windows.net/" + TenantId;
var authenticationContext = new AuthenticationContext(authContextURL);
var credential = new ClientCredential(ClientId, ClientSecret);
// Client-credentials flow: token for the Azure Resource Manager endpoint
var result = authenticationContext.AcquireToken(resource: "https://management.azure.com/", clientCredential: credential);
string token = result.AccessToken;

I am trying to get the list of subscription IDs from the below code:

using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json;

private static async Task<List<string>> GetSubscriptionsAsync(string token)
{
    var client = new HttpClient();
    client.BaseAddress = new Uri("https://management.azure.com/");
    // Send the ARM access token as a bearer token
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    // Note: this URL lists the resource groups of one subscription, not the subscriptions themselves
    var response = await client.GetAsync("https://management.azure.com/subscriptions/ce6ce064-d6ee-4f42-8c49-131ebc398b68/resourceGroups?api-version=2015-01-01");
    // HttpContent has no AsString(); ReadAsStringAsync() is the method to read the body
    var jsonResponse = await response.Content.ReadAsStringAsync();
    var subscriptionIds = new List<string>();
    dynamic json = JsonConvert.DeserializeObject(jsonResponse);
    for (int i = 0; i < json.value.Count; i++)
    {
        subscriptionIds.Add(json.value[i].subscriptionId.Value);
    }
    return subscriptionIds;
}

I am getting the below error when the GetSubscriptionsAsync method is called:

The access token is from the wrong issuer 'https://sts.windows.net/*******/'. It must match the tenant 'https://sts.windows.net/*******//' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/*******/to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.

Not sure what I am doing wrong here.


Computer object sync from Azure AD to on-premises AD


We currently have on-premises AD and have branches that are connected and access our application via VPN. Head office systems are joined to the on-premises AD through LAN.

Branch broadband systems are joined to a workgroup.

We plan to enable Azure AD and join those broadband systems to Azure AD. I think this is possible.

Please confirm whether there is any possibility to sync computer objects from Azure AD to on-premises AD.

The purpose of the requirement is to view both sets of computers (broadband Azure domain-joined and on-premises domain-joined systems) in a single view.



Thanks, Mariappan Shanmugavel

Can't Delete B2C Directory - Can't Delete Last App Registration


I have an MSDN sub.  I can't log a subscription complaint unless I pay.

I can't delete the B2C subscription because of an app registration.  Directory has one or more applications that were added by a user or administrator.

I am the administrator.  I can only see the app registration in the Classic Portal.  No delete option exists for that app.

I have to delete the B2C directory because apparently the cost is going up.

What can I do?



Read the emails from Office 365.


Hi,

As per our requirement, we need to retrieve the emails from an Office 365 email ID using C#.

Note:

1. We have purchased Office 365 for a few users and created the users as well. I'm trying to connect to one of the user email IDs created in Office 365.

2. When I try, I am getting the error "Calling principal cannot consent due to lack of permissions".

3. After that I googled and found a solution: assign the permission for that email ID (user ID) in https://manage.windowsazure.com. When I try to log in with the email ID (user ID) I am getting the error "No Subscription found".

Please help me on this.

Regards,

Suresh Shanmugam.


Graph API Differential query for group


Hi There,

I am using Azure Graph APIs for querying groups and their members for a tenant.

But when I try for all the groups I get the response, but not for an individual group and its members.

Can you please help me by providing information about the differential query for the following situations, or provide me an alternative:

https://graph.windows.net/kirtibali92gmail.onmicrosoft.com/groups/8482cb4c-4a8b-4fc7-8d8f-0ea6bd917a33?api-version=2013-04-05

https://graph.windows.net/kirtibali92gmail.onmicrosoft.com/groups/8482cb4c-4a8b-4fc7-8d8f-0ea6bd917a33/members?api-version=2013-04-05

Thanks,

Kirti


Azure AD Portal Bug - Azure AD app permission to Built-In Role "Directory Writers" Add/Remove

It looks like when you add the application permission "Windows Azure Active Directory" > "Read and write directory data" to your app from the classic Azure AD portal, the Azure AD portal adds the application's servicePrincipal to the built-in role "Directory Writers" in the background, and when removing the same permission "Read and write directory data", the Azure AD portal does not remove the application servicePrincipal from the Directory Writers role, leaving an inconsistency and potentially a security hole!
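An audit script for the situation described in this post, added here as an example and not code from the original post (it also relates to the later question on this page about service principals in directory roles). It assumes the MSOnline module and a prior Connect-MsolService with an account that can read directory roles, and uses Get-MsolRole, Get-MsolRoleMember, Get-MsolServicePrincipal and Remove-MsolRoleMember; the -Remove switch is the script's own parameter.

```powershell
# Added example, not from the original post. Lists service principals that are
# members of the built-in "Directory Writers" role so that memberships left
# behind after the permission was removed in the portal can be reviewed.
# Nothing is changed unless -Remove is given.
param(
    [switch]$Remove   # remove the listed service principals from the role
)

# Assumes Connect-MsolService has already been run in this session.
$role = Get-MsolRole -RoleName "Directory Writers"
if (-not $role) { throw "Directory Writers role not found in this tenant." }

# Role members come back with RoleMemberType User, Group or ServicePrincipal;
# only the service principals are of interest here.
$spMembers = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "ServicePrincipal" }

if (-not $spMembers) {
    Write-Output "No service principals hold the Directory Writers role."
    return
}

foreach ($m in $spMembers) {
    # Resolve the application id so the entry can be matched to an app registration
    $sp = Get-MsolServicePrincipal -ObjectId $m.ObjectId
    [pscustomobject]@{
        DisplayName    = $m.DisplayName
        ObjectId       = $m.ObjectId
        AppPrincipalId = $sp.AppPrincipalId
    }
    if ($Remove) {
        # Only after confirming the app no longer needs directory-write rights
        Remove-MsolRoleMember -RoleObjectId $role.ObjectId `
            -RoleMemberType ServicePrincipal -RoleMemberObjectId $m.ObjectId
        Write-Output "Removed $($m.DisplayName) from Directory Writers."
    }
}
```

Run it without -Remove first and compare the listed AppPrincipalId values against the apps that still legitimately hold "Read and write directory data".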

Enable Single Sign On - Greyed out


Hi all,

I have installed AADC and changed domain authentication to managed with password synchronisation. Users are able to log in and everything has gone smoothly.

However, when I attempted to turn on single sign on the box is greyed out and displays the error message "Unable to retrieve single sign on status". Has anyone come across this before?

To get to this stage I ran:

-Set-MSOLDomainAuthentication -Authentication Managed -DomainName <domain>
-Get-MsolUser -all | Convert-MsolFederatedUser
-Forced a password sync

Any hints would be much appreciated!

Thanks

Paul Kew

Join Azure AD error 80180008 when Intune enrollment is active


Hi,

I am trying to Azure AD join some Windows 10 Enterprise machines.

However, AAD join works perfectly only when Intune enrollment is disabled; when it is enabled, I get an 80180008 error.


I tried to disable and then re-enable these two settings:

- intune console, configure tab -> manage device from users (all)

- AAD console, configure tab -> allow users to add their devices (all)

Not sure about the exact translation because my portals are in French.

But I got the same problem afterwards.

If anybody has ideas...

Regards,

Azure AD Connect: how can I remove a synchronized attribute?


Hi,

In my organization we have on-premises AD synchronized with O365.
We want to remove one attribute from synchronization, in particular "telephoneNumber".

How can we remove this attribute?

Thanks,
Andrea


Azure AD with local domain


Hi,

I'm pretty new in the world of Warc.. Azure, so maybe I have misunderstood some things.

- We're currently using a corporate O365 through MPN (domain nolme.com).
- The nolme.com website is hosted in an OVH datacenter.
- nolme.com emails are under Exchange Online.
- I've installed a local Win 2K16 Std server from scratch.
- I've installed ActiveDirectory on the server using a new forest with name 'nolme.com' (In the past I was using 'nolme.local' but I had a warning message).
- I ran Azure AD Connect using the default configuration.
- I followed this article to correct the 'Initialize-ADSyncDomainJoinedComputerSync' message:

https://markparris.co.uk/2015/11/19/azure-ad-connect-adsyncprepinitialize-adsyncdomainjoinedcomputersync/
- I ran IdFix but no error (https://www.microsoft.com/en-ca/download/confirmation.aspx?id=36832)
11/01/2017 11:54:57 Initialized - IdFix version 1.09
11/01/2017 11:55:18 Loading TopLevelDomain List
11/01/2017 11:55:18 Ready
11/01/2017 11:55:52 Query
11/01/2017 11:55:52 RULES:Multi-Tenant SERVER:nolme.com PORT:3268 FILTER:(|(objectCategory=Person)(objectCategory=Group))
11/01/2017 11:55:52 Please wait while the LDAP Connection is established.
11/01/2017 11:55:52 Query Count: 61  Error Count: 0  Duplicate Check Count: 3
11/01/2017 11:55:52 Elapsed Time: Query - 00:00:00.1718775
11/01/2017 11:55:52 Write split files
11/01/2017 11:55:52 Merge split files
11/01/2017 11:55:52 Count duplicates
11/01/2017 11:55:52 No duplicate values in file
11/01/2017 11:55:52 Elapsed Time: Duplicate Checks - 00:00:00.1250006
11/01/2017 11:55:52 Populating DataGrid
11/01/2017 11:55:52 Elapsed Time: Populate DataGridView - 00:00:00.0312431
11/01/2017 11:55:52 Query Count: 61  Error Count: 0
11/01/2017 11:56:35 Export File
- I ran these PowerShell commands on the local server:
Connect-MsolService
Get-MsolDirSyncFeatures -Feature DuplicateUPNResiliency
Get-MsolDirSyncFeatures -Feature DuplicateProxyAddressResiliency

Problems:
- I'm still receiving an email from 'MSOnlineServicesTeam@MicrosoftOnline.com' about a synchronization problem with these accounts:

ADSyncBrowse, ADSyncOperators, ADSyncAdmins, ADSyncPasswordSet, Administrateurs DHCP, Utilisateurs DHCP, DnsUpdateProxy, DnsAdmins

- On the server, I don't see my users (from O365). So what's wrong?

Thanks,

Vincent

Revoked Directory permissions for application, but the Graph API still reads data


I defined a (single-tenant) app in my Azure Active Directory over a year ago, and back then I played around with the required permissions until everything seemed to work.

From back then until a few minutes ago, that app had two permissions on "Windows Azure Active Directory" visible in the portal at https://manage.windowsazure.com: "Read Directory Data" and "Sign in and read user profile".

But then I revoked them and clicked "Save":

I gave the AAD a few minutes for synchronization, before logging into Graph API again with that app's ClientID and Key and the corresponding TenantID, but I found that I could still read directory data.


Originally, I was debugging the opposite issue in another single-tenant app. The other app was created today and is configured the same as this one, with the same permissions ("Read Directory Data" and "Sign in and read user profile"), but when using that app's ClientID and app key to read directory data, it always throws the error

System.Data.Services.Client.DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

If any of the login information is wrong, the error returned is different (400 Bad Request or 401 Not Authorized), so login works, but it seems that the app doesn't have the required permissions to read the directory data.

While browsing the web I found that an app may need more permissions to be able to read directory data.

I cannot preclude that my first app once had these other permissions set and "revoked" again, so I had to think the unthinkable: Could it be that permissions to an app, once granted, are never really revoked again?

Further testing revealed: No, it's not as easy as that. Not only are they not revoked, for new apps, they are not set either. Even if I check all permissions on the new app, the "Insufficient privileges" error is still there:

Is this an issue in Azure, or what exactly am I doing wrong there?





Adding Service Principal to Azure AD Directory Role


Hello,

The Azure AD Add-MsolRoleMember cmdlet (https://docs.microsoft.com/en-us/powershell/msonline/v1/add-msolrolemember) specifies that we can add a service principal to an Azure AD directory role, and I'm able to perform the action. Can anyone tell me what the use of adding a service principal to a role is?

Thanks


AADSTS90093: This operation can only be performed by an administrator - But user is a Global Admin


Hello

When trying to authenticate with a multi-tenant application, using a Global Administrator user I get the error:

AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

Interestingly, this happens even before the user enters their password: the moment the user ID is filled in, the window automatically redirects to the error page containing this error.

Any help would be greatly appreciated.

Thanks,

Nadav

Application assignment failed


Hi all,

I have a problem with one of the applications in Azure. SSO for the application works fine: users are able to log in with their AD credentials. However, the user provisioning feature doesn't work anymore. When I try to assign the application to a user, Azure gives me an error:

TITLE: Application assignment failed
DESCRIPTION: Assignment failed for 1 user & 0 groups
STATUS: Error
TIMESTAMP: Wed Jan 04 2017 07:55:31 GMT+1030 (Cen. Australia Daylight Time)
UTC TIMESTAMP: Tue, 03 Jan 2017 21:25:31 GMT
CORRELATION IDS: clientNotification-cf98cda9-80d0-4bee-b274-2de9489da05d

User provisioning definitely worked before and I haven't made any changes to the application in Azure.

When I go to the old Azure portal and open Users and Groups tab under the problematic application it says "Application roles have not yet been imported from the application. Please check back later." So I can't select any users and groups to assign in the old portal. 

I've checked the connectivity between Azure and the app - works ok and as I mentioned users who have been provisioned before are able to login using SSO.

I really appreciate any help

Thank you

Using B2B functionality inside B2C


Has anyone seen anything about using B2B functionality inside B2C, kind of like a hybrid version?

If I have a use case which sits across functionality offered by both B2C and B2B, can I set up a B2C directory but also use it for other purposes, e.g. inviting B2B users and syncing internal users via Azure AD Connect?

Unable to Access Azure API App Service using Active Directory


I'm new to Azure API App Service. I want to consume the Azure API service in my WPF application. I'm unable to access my API. I get the error:

{"AADSTS65005: The client application has requested access to resource 'https://officepointapisengineering.azurewebsites.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.\r\nTrace ID: 3dc7c968-1179-4386-892a-9f36ad257597\r\nCorrelation ID: 2bdc0e3d-e98a-409b-a4cf-9f015f4cfecd\r\nTimestamp: 2017-01-11 16:13:08Z"}

Can you please help me to resolve the error?

Azure AD - Salesforce App User Provisioning


Hi

I have set up user provisioning between Salesforce and Azure Active Directory (it is a DirSync from on-premises AD).

After the assignment, when the users are provisioned to Salesforce I get the following error in the provisioning report:

ErrorCode: REQUIRED_FIELD_MISSING ErrorMessage: Required fields are missing: [ProfileId]

I cannot find the difference between the users that succeeded and those that did not.

Which field is missing ?

Can somebody help me ?



