Channel: Azure Active Directory forum

msExchHideFromAddressLists attribute isn't syncing across to Azure


We were using DirSync before and upgraded to Azure AD Sync. Before the upgrade, the attribute "msExchHideFromAddressLists" was syncing across. After the upgrade, it is no longer syncing. What I'm curious about: do I need to check the box for Hybrid Exchange in the Directory Sync Config tool for that attribute to sync? We aren't using Exchange on-premises anymore, but haven't retired it yet (until mid-March) to make sure everyone has successfully migrated to O365.

Any help would be greatly appreciated! Microsoft support has been scratching their heads at the first level for the last 4 days.

Thanks!


Can we replace Azure VMs running AD with Azure Active Directory Domain Services?


A client has an Azure subscription that uses VMs to provide a Windows domain environment for a couple of application servers and DirSync services to their Office 365 (E3) subscription.

Would it be possible to replace their Domain Controller VM with the new Azure Active Directory Domain Services feature?

I understand that it doesn't support features like Group Policy, but they could live without that.

If it is possible, can it be configured to literally replace the current DC, or would the member servers have to be "joined" to the new Azure AD DS?

Cheers for now

Russell

Azure AD integration

Hi,

Our application integrates with Azure AD and we have a problem here. As you may know, after the customer enters a user name/password on the Office 365 login page, the customer needs to consent to our Azure AD app the first time, but the consent might fail because the account has insufficient permission. When the consent fails, it does not come back and stays at the Office 365 login page. We would like to know:
1. Is there a way that, if the consent fails, it will come back to our application?
2. Is it possible to check the Office 365 user's permission before the customer consents? If the permission is not sufficient, we can alert the customer to use another account or adjust his user permission.
3. Can the Office 365 login page be customized to display some information if necessary?

Thanks in advance.

Enforce unique Display Names in AD B2C?


I'm researching the use of AAD B2C for a consumer-facing app. Each user needs a unique handle, just like the MSDN forums or Twitter have unique usernames for everyone. The AD Display Name seems like a good choice. Can AAD B2C enforce unique Display Names?

If not, can AAD B2C be used to enforce a unique handle at all? Perhaps I'll need to combine B2C for authentication with my own database of unique handles.


User.Identity.Name adds "live.com#" to AAD users


I've got an API protected by AAD. I manually give users access by adding their Microsoft accounts to the relevant tenant as a user, and I use User.Identity.Name to save identifiers for owner rows in the database. This works great for my own accounts, but when adding an external MS account like me@outlook.com, User.Identity.Name returns "live.com#me@outlook.com", which looks pretty ugly in the GUI. I could strip it off of course, but I'd like to know why this is happening, and whether all external MS accounts will be displayed using the same system (so I can strip off everything left of the first #, or something like that).

TIA

Dennis


Connect with Azure without Active Directory


Hello,

How do I connect to Azure without Active Directory?

Upgrade from DirSync to AD Connect failure - FIMSyncAdmins group missing


I am in the process of upgrading from DirSync to AD Connect and got a failure in the middle of the upgrade. The error log mentions this error:

Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.DirectoryServices.AccountManagement.NoMatchingPrincipalException: Group 'FIMSyncAdmins' was not found.

I do not see that group at all locally on the server (other FIM groups are local on that server, apparently), and I do not see it listed in AD either. I do see the MIISAdmins group, but I am not sure whether that is the same thing. I tried running the AD Connect install again and it said to post a question to the MSDN forum.

Thanks!

AADSTS70001: Application with identifier was not found in the directory


I am trying to open a web app which I created for Office Dev PnP and am getting the error below.

Could you please help me with the error.

Thanks

Additional technical information:
Correlation ID: e43fb670-c0e2-4323-9e7b-8a55d2d7abb7
Timestamp: 2017-01-04 15:54:21Z
AADSTS70001: Application with identifier '<keyname>' was not found in the directory cb6ee44c-cbb2-4f75-ad9b-a8536969c396

No users synchronized


Greetings all,

I'm new to Azure AD, and have tried to set up "Azure AD Connect" (v1.1.380.0) to be ready for deployment of a new application in our organization.

My challenge is that Azure AD Connect installed and ran without errors (after opening the required ports in the firewall), but no users are being synchronized to Azure AD.

I've configured AD Connect with password sync (no additional options) and to filter on an OU and a Security Group, in order to test deployment with a few users initially.

The Synchronization Service Manager is not showing any errors, and the status for both connectors is "success".
The statistics show '0' for all fields.

What do I do to troubleshoot this? :)


UlleTheBulle

Turn off synchronization

We added users from an on-prem AD to an Office 365 Enterprise E3 account with a verified private domain through DirSync. Now we want to make the AAD authoritative. Using Azure AD Connect, we disabled synchronization. That was 36 hours ago. Documentation says it could take up to 72 hours for all the changes to propagate through AAD, depending on the size of the AD. This one only has about 200 users. Should it take this long to complete, or has something gone wrong?

Azure AD Premium, on-premises ADFS and signout process


I hope I have the right forum here. Please point me in the right direction if I don't.

First, our configuration. We are configuring SSO for Workday using Azure AD Premium. We use Azure AD Connect to sync our accounts without passwords. We have on-premises 2012 R2 ADFS servers.

Now, the problem. When logging out of Workday, we get an Azure AD logout page, then a logout page from our on-premises ADFS servers, then a final page from Azure. I _think_ this makes sense given our configuration, but the project manager would like to get rid of this and have a single logout page displayed. He has discovered that if he modifies Workday to use our ADFS server logout URL instead of the Azure URL, this results in a single logout page. I'm worried that there are security implications of this, or that it may break something else. We use Office 365 and I don't know what the consequences for that are.

I hope this makes sense.

Thanks.

ADFS Trust possible with Azure ADDS


Hello

Is it possible to set up an ADFS trust with a partner company if my company is only using the Azure ADDS P1 plan?

My understanding is that Azure ADDS is not the same as an on-premises AD, and some features you cannot get. Azure ADDS allows you to manage accounts for cloud apps like O365, but you can't use that directory for non-cloud applications like a local web app with a SQL DB.

Issue with ADFS on Azure VM


I have created a VM on Azure and configured ADFS; however, it's not working as expected.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/5/2017 1:42:12 PM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          SWIFTTECHGURU\Nandanlogin$
Computer:      NandanDC.Swifttechguru.com
Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:
 

Relying Party:
 

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
    <EventID>364</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2017-01-05T13:42:12.982533000Z" />
    <EventRecordID>186</EventRecordID>
    <Correlation ActivityID="{00000000-0000-0000-0E00-0080030000E4}" />
    <Execution ProcessID="8916" ThreadID="9284" />
    <Channel>AD FS/Admin</Channel>
    <Computer>NandanDC.Swifttechguru.com</Computer>
    <Security UserID="S-1-5-21-1385843326-1862533792-2074266587-4607" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext&amp; protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext&amp; protocolContext, PassiveProtocolHandler&amp; protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

</Data>
      </EventData>
    </Event>
  </UserData>
</Event>
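The exception in the event above names the IdP-initiated sign-on page. The following PowerShell, an added example that is not from the post, correlates event 364 entries carrying that exception with the farm setting that controls the page; it assumes it runs on the AD FS server with the ADFS module available.

```powershell
# Added example (not from the forum post). Assumes: run on the AD FS server as an
# administrator, ADFS PowerShell module installed, AD FS/Admin log readable.
Import-Module ADFS

# Pull event 364 ("Encountered error during federation passive request") entries and
# keep only those whose message carries the exception seen in the post.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'IdPInitiatedSignonPageDisabledException' }

# Read the farm property that enables or disables the IdP-initiated sign-on page.
$props = Get-AdfsProperties

[PSCustomObject]@{
    IdpInitiatedSignonPageEnabled = $props.EnableIdpInitiatedSignonPage
    MatchingEvent364Count         = @($events).Count
    LastOccurrence                = ($events | Select-Object -First 1).TimeCreated
    LastClientSid                 = ($events | Select-Object -First 1).UserId
}

# A disabled page with a non-zero count means requests are reaching the
# /adfs/ls/idpinitiatedsignon endpoint. Confirm a relying party actually needs
# IdP-initiated sign-on before enabling it; otherwise leave it off and investigate
# where the requests come from. Enabling, if justified, is:
#   Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
```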

AADSTS90093: This operation can only be performed by an administrator - But user is a Global Admin


Hello

When trying to authenticate with a multi-tenant application using a Global Administrator user, I get the error:

AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

Interestingly, this happens even before the user enters the password: the moment the user ID is filled in, the window automatically redirects to the error page containing this error.

Any help would be greatly appreciated.

Thanks,

Nadav

Block Portal Login for Azure


We have a test Azure Active Directory which we have created to manage our external users.

We have noticed that when we add a native user to the Active Directory, they can log in to the Azure Portal. They have an organizational role of User.

https://portal.azure.com

We didn't expect that when they log in to the portal they have the permissions to create new users and groups, and that they can see all of the other users within the Active Directory.

We have seen that the pattern put forward to deal with external users is B2B. If we want to add a corporate user email, then the process seems to be that this will create a Microsoft account to facilitate their login. We have read that corporate admins should be careful about using their corporate email address for Microsoft accounts because it could cause issues later if they wanted to use AAD.

We thought giving them a native account in the AAD was a viable alternative, but not if we can't control their access rights. We really don't want them to be able to see other users and perform any actions within the AAD.


Azure AD Portal Bug - Azure AD app permission to Built-In Role "Directory Writers" Add/Remove

It looks like when you add the application permission "Windows Azure Active Directory: Read and write directory data" to your app from the Classic Azure AD Portal, the Azure AD portal adds the application's servicePrincipal to the built-in role "Directory Writers" in the background, and when removing the same permission "Read and write directory data", the Azure AD portal does not remove the application's servicePrincipal from the Directory Writers role. This leaves an inconsistency and potentially a security hole!
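A way to audit for the stale role membership described above, as an added example that is not from the post or from Microsoft: it lists every service principal that currently sits in the built-in Directory Writers role so each one can be checked against the permissions its app is still supposed to have. It assumes the MSOnline PowerShell module and a signed-in administrator session.

```powershell
# Added example (not from the forum post). Assumes the MSOnline module is installed
# and the session has already run Connect-MsolService as a directory administrator.
Import-Module MSOnline

# Resolve the built-in role by name; role object IDs are tenant-independent but
# looking it up avoids hard-coding one.
$role = Get-MsolRole -RoleName "Directory Writers"

# Only service principals are of interest here: these are the memberships the
# classic portal adds for an app grant and, per the post, does not clean up.
$spMembers = Get-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -All

$report = foreach ($m in $spMembers) {
    $sp = Get-MsolServicePrincipal -ObjectId $m.ObjectId
    [PSCustomObject]@{
        DisplayName    = $sp.DisplayName
        AppPrincipalId = $sp.AppPrincipalId   # the application (client) ID
        ObjectId       = $sp.ObjectId
        AccountEnabled = $sp.AccountEnabled
    }
}

# Review the list against the app registrations that should still hold
# "Read and write directory data". Anything that should not be there is removed with:
#   Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId <ObjectId>
$report | Format-Table -AutoSize
```

Re-run the audit after changing app permissions in the portal; if a service principal whose permission was removed still appears, the role membership was left behind as the post describes.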

Active Directory Authentication Library and Access Token Expiration


Hello,

I am very new to Azure Active Directory and authentication. We have a native Windows application which needs to be authenticated via AAD. So to educate myself, after reading multiple articles and blogs, I got a basic sample application up and running.

The sample application is in C# and uses the Active Directory Authentication Library (ADAL) version 3.13.8. The application uses AuthenticationContext class methods to acquire a token and extends the TokenCache class to have persistent storage of the token.

When I run the application, the application asks for the user name and password and returns a token successfully. I am using AcquireTokenAsync() and the token data is saved in a file as I expected.

When I browse the authentication results returned by the AcquireTokenAsync method, the access token expiration is ALWAYS 6 hours away from the time I acquired the token.

All the documents I read state that, by default, an access token expires in 1 hour. So why am I getting a 6-hour timeframe? Is this something that is configurable via the application registration process? I don't see it there either.

Can someone help me understand this?

Thank you in advance!

K

How to Add cloud users to group after disabling DirSync?


I have decommissioned my on-prem Exchange 2007 server and want to manage users and groups via the cloud admin console.

I followed guidance from "How and when to decommission your on-premises Exchange servers in a hybrid deployment".

I disabled DirSync by the PS command Set-MsolDirSyncEnabled -EnableDirsync $False.

After the 72-hour waiting period for the disabling of DirSync, will I be able to add users to existing cloud groups that were created via DirSync? Or is there a command that needs to be run on the group itself to ensure that the group properties do not restrict editing to DirSync?

AAD SSO with Salesforce not working


I'm testing Azure AD SSO with Salesforce (dev). Users are synchronized with AAD and AAD Connect w/ SSO Preview is working as expected for Microsoft sites, e.g. outlook.office365.com.

With Salesforce, I'm seeing:

We can't log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single Sign-On Settings) or check the login history for failed logins.

The username in Salesforce matches the UPN in AAD. Salesforce user provisioning is working correctly. The Salesforce SAML validator passes. It does show the last login, which indicates no mapping occurred:

Subject: username@domain.com
Unable to map the subject to a Salesforce.com user

When I look at the specific user, the Salesforce username and email address both match the UPN/email address of the user from Azure AD. In Azure AD, the Salesforce connector is configured to use user.userprincipalname as the mapping. The sign-on URL is the URL of the Salesforce dev tenant.

Ideas on what I might be missing, or any other information that might be helpful?

Trevor Seward
Office Servers and Services MVP
Author, Deploying SharePoint 2016

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Azure AD Connect Tool installation error for Pass-Through Authentication


Attempted to install the Azure AD Connect Tool on a Windows 2016 Domain Controller and configure Pass-Through Authentication. Received the following error:

Passthrough authentication enable - failed. Error NoRegisteredPtaConnectors
[21:13:23.307] [ 36] [ERROR] Unable to enable passthrough authentication. Error: NoRegisteredPtaConnectors
[21:13:23.308] [ 36] [ERROR] Failed to enable pass-through authentication. Error: Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthException: NoRegisteredPtaConnectors
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.ConfigurePassthroughAuth`1.Execute()
