Channel: Azure Active Directory forum

Azure AD Connect


Currently:

We used to have Exchange on-prem. Then I migrated everything over to O365, but it was a clean O365 setup. No hybrid scenario.

Exchange on-prem has been decommissioned and uninstalled. All email is in O365.

No AD connect utility running.

What i want to do:

Enable AD Connect for password and user synchronization of On-Prem users to O365.

Hesitations/Questions:

Will enabling AD Connect disable O365 admin features, and will I need to use PowerShell, as I keep reading online, even though these are two separate instances and there are no dependencies of O365 on on-prem?



Password writeback doesn't work


Hi!

I'm trying to enable password writeback from Azure AD to my local AD but it doesn't work:

The option for password writeback is enabled in Azure AD Connect

But when I check the "pwdLastSet" of a user whose password I changed, I can only see an old date.

In the Event Viewer there's event ID "31019", but I can't find ID "31005", which should be there when the password is changed and written back.

I've tried to set the permissions for change password, reset password, lockoutTime write and pwdLastSet write for the MSOL...... account in local AD, but the changes don't take effect.

Does anyone know what I'm doing wrong?!

THANKS!

Tom


Azure AD Connect password writeback is not working


Hi,

We have been testing Azure AD for a few weeks now, and seem to be stuck trying to get password writebacks to work.

We have enabled self-service password reset on the Azure portal, and have installed (and configured) AD Connect on the same server where we have our local AD tenant. Users sync from our local tenant to Azure fine, but when a user resets his password (using https://passwordreset.microsoftonline.com ), the password is updated successfully in the Azure environment, but it doesn't get sent to our on-premise AD.

In the Event Viewer, we do see event 31005 after enabling password writeback using PowerShell (we never got it when using the Configuration Wizard), but we never get event 31002. Our firewall seems to be correctly set, and the admin sync account seems to have all the necessary rights as described on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-getting-started#step-4-set-up-the-appropriate-active-directory-permissions.

We do see that, while all of our users are assigned to our local domain, on Azure's new portal, if we click on Azure AD Connect Health, the Azure Active Directory Connect (Sync) displays the .onmicrosoft.com domain, and not our custom one. Could this be causing the issue? If so, how can we add our custom domain, or replace the .onmicrosoft.com domain with our custom one?

Thanks for your help,

Daniel
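Both of the writeback posts above come down to the same check: which of the password writeback event IDs (31002, 31005, 31019, as named in the posts) actually appear in the Application log on the Azure AD Connect server. The following script is an added example and is not code from either poster; it assumes it is run in an elevated PowerShell session on the server that hosts Azure AD Connect, and the 48-hour window is an arbitrary choice.

```powershell
# Added example (not from the posts above). Run on the Azure AD Connect server in an
# elevated PowerShell session. The event IDs are the ones the two posts mention; the
# time window is an assumption.
function Get-PasswordWritebackEvents {
    param(
        [int[]]$Ids = @(31002, 31005, 31019),
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Application'
            Id        = $Ids
            StartTime = $since
        } -ErrorAction Stop |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0] } }
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }
}

$events = Get-PasswordWritebackEvents -Hours 48 | Sort-Object TimeCreated
$events | Format-Table -AutoSize

# Count each ID that was seen. A cloud-side reset that never produces the "written back"
# ID the posters expect is exactly the symptom both of them describe.
$counts = $events | Group-Object Id | ForEach-Object { "$($_.Name): $($_.Count)" }
"Writeback event counts (last 48h): " + ($counts -join ', ')
```

The ProviderName column is printed deliberately: it shows which component logged each event, so a reset that stops at the cloud service and one that reaches the on-premises connector can be told apart before touching the MSOL account permissions.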


Who will be crowned the First Azure Guru of 2017!!


Time for a fresh start!

[The Guru is the means of realisation. "There is no knowledge without a teacher."]

We're looking for the first Gurus of 2017!!

All you have to do is add an article to TechNet Wiki from the field of your interest. Something that fits into one of the categories listed on the submissions page. Copy in your own blog post, a forum solution, a white paper, or just something you had to solve for your own day’s work today.

A snippet you share can make you a January 2017 TechNet Wiki Guru in your favorite category and this is official Microsoft TechNet recognition!

HOW TO WIN 

Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

Add a link to it on THIS WIKI COMPETITION PAGE (so we know you’ve contributed).

Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favorite technology will help us learn the active members in each community. 

Feel free to ask any questions below.

More about TechNet Guru Awards.

Thanks!


Ed Price, Azure Development Customer Program Manager (Blog, Small Basic, Wiki Ninjas, Wiki)

Answer an interesting question? Create a wiki article about it!

Unable to get client_credentials for app


I keep getting a 401 Unauthorized response with the following body:

{
  "error": "invalid_client",
  "error_description": "AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 160b1fe8-b296-46bf-aad2-7c2e23d1c467\r\nCorrelation ID: 134e1d4c-a58d-4fec-aa18-98ca71ee6a1d\r\nTimestamp: 2017-01-18 07:14:45Z",
  "error_codes": [
    70002,
    50012
  ],
  "timestamp": "2017-01-18 07:14:45Z",
  "trace_id": "160b1fe8-b296-46bf-aad2-7c2e23d1c467",
  "correlation_id": "134e1d4c-a58d-4fec-aa18-98ca71ee6a1d"
}

I've validated the secret a million times, and even tried in C# instead of Java, but I still get the same error message.

Getting into Azure Resource Explorer without having AAD User


Hi,

I'm trying to get into Azure Resource Explorer for one of my App Services with an HTTP request from a C# application. The problem is, my IT department can't (or just doesn't want to) add an AD user for this App Service (or even for our Azure portal/user). Is there another way to consume resources (of course, including generating a bearer token and obtaining JSON) with HTTP requests without having an Azure AD user?

B2B Invitation API confusion


Can you please advise on the latest B2B support story for consumer email addresses? Whenever you try to use the CSV upload feature, it does not work with consumer email addresses (Gmail etc.). There is no list of what exactly counts as a consumer email address, and we have a large variety, so it's impossible for us to come up with numbers around what will and won't work. However, and importantly, consumer email addresses seem to work when you use the B2B Invitation Graph API, i.e. it allows consumer email addresses which will not work via CSV. In fact the example posted here (azuread-b2b-invitation-api-is-now-in-public-preview ) even uses a Gmail address, adding more confusion. Can you please advise what the support status is around this?

The majority of the 50,000 external users which our client wants to migrate will have consumer email addresses, so again this is very important. For info, B2C is not possible or appropriate in our use case, as these external users are small partner organisations and there needs to be a greater level of control. Based on a POC we did using the B2B invitation API, this seems to work fine for consumer email addresses which fail via the CSV upload. I posted a comment here - (active-directory-b2b-collaboration-overview) to seek clarity but I have not got any feedback. We are extremely keen to speak to Microsoft and get some direction on this, as it is key to making our decision.

Azure AD Premium Pricing - External Guest Accounts (free or not)


Our client wants to migrate 50,000 external users (guest accounts - Microsoft accounts) into its Azure AD directory. They already have about 300 internal users (sourced from local AD) in the directory using Office 365. They would really like to brand the login pages for a good external user sign-in experience; however, this seems to be an Azure AD Premium (Basic edition) feature. As there will be 50k external users, i.e. Microsoft accounts (guest accounts), in the directory, there is a big concern over the price around this. E.g. £0.74p x 50000 = £37,000 per month. This seems crazy and we were thinking it surely can't be right? Is it possible to provide some guidance to clarify this?


Avoiding the personal vs work account popup?


I created a mobile app that hits a webapi2 Azure server secured by Azure ActiveDirectory.  It will only be used by employees using their corporate email account, but needing to select "personal" instead of "work" at the AzureAD login. Obviously, this is confusing, but forced due to some I.T. complications.  Is there anything that can be done to cause the login to automatically default to personal?  Also, I'd love to pre-populate the login box since our email addresses are looong and difficult to type on a tablet. 

Any suggestions?


Azure AD - Authentication Issue (AADSTS90009)


Hello All,

Does somebody know what the AdalException AADSTS90009 means?

I get this exception when I'm trying to get an authentication code for my multi-tenant Azure Web App. A few weeks ago everything worked correctly and I was able to authenticate.

Error details:

AADSTS90009: Application 'https://mydomain.onmicrosoft.com/96e16ee3-dcd6-4684-af76-a38d53135195' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
Trace ID: dea9b2b4-ee01-45e2-9db5-0dcd2f269e42
Correlation ID: 1e941dc1-6f08-4a3f-905b-214efcceec73
Timestamp: 2017-01-18 12:40:33Z 

The request URL is as follows:
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={my_webApp_AppId}&resource=https://mydomain.onmicrosoft.com/96e16ee3-dcd6-4684-af76-a38d53135195&redirect_uri=http://localhost/AzureLogonHandler&prompt=admin_consent

Please, help...

Normal Users can view Users and Groups In Azure AD


Users who have not been granted rights in Azure and are standard users in both O365 and Azure AD can view all accounts, security groups, and who is a member of which security group from portal.azure.com.

This was never the case previously and used to indicate to the user that they have no subscriptions.

Please can this be rectified.

Convert Microsoft Account to an Azure AD sourced account


I have several users in my active directory that already had a Microsoft account on their corporate email before I created an Azure AD. Among those is my email address on which the azure subscription is registered.

I'm having trouble upgrading my Azure AD to the Basic edition because I can't log in using the business sign-in. That's why I'd like to convert my account in the Azure AD from a 'Microsoft account' to a 'Microsoft Azure Active Directory' account as listed in the 'Sourced from' column for users. Is this possible?

MIISERVER.EXE using partial credentials


Over a period of several months I have noticed many daily failed authentications coming from MIISERVER.EXE, which is associated with Azure AD Connect.

The strange part is that the user and domain that it is showing is:

User: a

Domain: t

We obviously do not have our domain named "T" nor do we have any accounts named "A".

Has anyone ever seen something like this?

Account type of user signed in


We are developing a Windows app using the OAuth 2.0 endpoint. This app should support OneDrive and be able to work with both Work/School (created at portal.office.com) and Personal (created at live.com) accounts. So, it should support OneDrive and OneDrive for Business.

According to the documentation:

https://dev.onedrive.com/auth/aad_oauth.htm#sign-into-onedrive-for-business

we navigate the WebBrowser control to this page:

GET https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}

Then the user signs in and passes the consent screen, and at this point it's important to know the account type of the user - Work/School or Personal. So, this is the question - how do I check it?


Thanks.

Unable to set up a PIN for Azure Active Directory in build 15007.


We weren't able to set up your PIN. Sometimes it helps to try again or you can skip for now and do this later.

Error code: 0x801c044f



Upgrade from DIRSYNC to AD CONNECT..


Hi, we have a simple setup that currently uses an on-premise Server 2012 R2 AD and we have DIRSYNC connecting it to OFFICE365..

Mission is to upgrade to AZURE AD CONNECT

Users currently login as DOMAINNAME\username

The upgrade procedure seems quite straightforward, but when we run it we get the message "Users will not be able to sign in with on premise credentials" if we continue...

All we want is for the upgrade to run through cleanly and everything to stay exactly as it is...

I'm guessing that the upgrade is saying users will now logon with username@mydomain.com ?

With a 120 users I don't want any problems and I don't want their login to change... Could anyone advise as to how we can keep everything as it is for the logins..., or have I read the upgrade message incorrectly..?

Kind Regards to all

Newly created native tenant application using AzureAD powershell requires consent


I have created the native console application using the code below and also created the service principal. However, I am not able to generate the token unless I modify the application from the new/old Azure portal.

        # Register a multi-tenant native (public client) application.
        # $NativeAppName, $NativeAppIdentifierUri, $UiIdentifierUri, $replyUrls and
        # $requiredResources are defined earlier in the script (not shown here).
        $app = New-AzureADApplication `
            -AvailableToOtherTenants $true `
            -DisplayName $NativeAppName `
            -HomePage $NativeAppIdentifierUri `
            -IdentifierUris $UiIdentifierUri `
            -PublicClient $true `
            -ReplyUrls $replyUrls `
            -RequiredResourceAccess $requiredResources

        # Create the service principal so the application can be used in this tenant.
        $app_principal = New-AzureADServicePrincipal -AppId $app.AppId -Tags @($NativeAppName + ' Principal')

It seems like an issue with consenting to the application. Why doesn't the application get consented? Does a native application need to be consented to within the tenant itself?

Can't save changes to my native client app in my AD B2C

I'm in the classic portal. I select my B2C item then select "Applications my company owns", then select my native app. On the "Configure" screen, if I change anything, and hit save, I just get a generic error that says "Could not update the application 'MyApp'". When I click on details, there's nothing useful. It just simply says "Please try again. If the problem persists, contact support." This has been going on for about a week now. I've tried Firefox, Chrome, Edge and Opera. What's the deal? Why can't I save anything? What I originally wanted to do on this page was to edit my "Permissions to other applications". That gave the same error when I tried saving. So I tried setting the redirect URI (w/out modifying permissions) and got the same exact error. It doesn't look like there's a way to edit permissions to other applications in the new portal (if there is please tell me where) so I'm forced to use the classic interface.

Azure Active Directory V2 PowerShell set Password Expiry to Disable the expiry


Hi All,

Our Automation Account password expired which meant the azure network did not shut down over the weekend wasting hundreds of dollars. I don't ever want this to happen again.

I went to change the expiry and found this nice command.

Set-MsolUser -UserPrincipalName <user ID> -PasswordNeverExpires $true

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-set-expiration-policy

However, I saw MS are pushing the use of Azure Active Directory V2 PowerShell. So I downloaded and installed it.

https://docs.microsoft.com/en-us/powershell/msonline/v1/azureactivedirectory

So now how do I do the equivalent with AzureAD cmdlets?

(I did already figure out I had to connect with an admin account created in the Azure AD!)

Should I just ignore the push and install and use the MSOL cmdlets?

Also to mention I did try and get Operations going but can't Log Search for the automation accounts so I probably screwed it up somewhere.
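The post above quotes the MSOnline (v1) cmdlet for a never-expiring password and asks for the AzureAD (v2) equivalent; in the v2 module that setting is the user's PasswordPolicies attribute. The script below is an added example, not code from the poster or from Microsoft's documentation. It assumes the AzureAD module is installed and that the UPN shown is replaced with the real automation account; everything else is standard cmdlet usage.

```powershell
# Added example (not from the post above). Requires the AzureAD (v2) module.
# The UPN below is a placeholder for the automation account's user principal name.
Connect-AzureAD | Out-Null

$upn = 'automation-account@contoso.onmicrosoft.com'   # placeholder, replace before use

# MSOnline (v1) form quoted in the post, kept for reference:
#   Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true
# AzureAD (v2) equivalent: the setting lives in the PasswordPolicies attribute.
Set-AzureADUser -ObjectId $upn -PasswordPolicies 'DisablePasswordExpiration'

# Verify that the change took effect.
Get-AzureADUser -ObjectId $upn |
    Select-Object UserPrincipalName, PasswordPolicies, AccountEnabled |
    Format-List

# Defensive audit: list every account in the tenant whose password never expires, so
# that exemptions like this one stay visible to whoever reviews the directory.
Get-AzureADUser -All $true |
    Where-Object { $_.PasswordPolicies -like '*DisablePasswordExpiration*' } |
    Select-Object UserPrincipalName, PasswordPolicies, AccountEnabled |
    Format-Table -AutoSize

# To put the account back under the tenant's expiry policy later:
#   Set-AzureADUser -ObjectId $upn -PasswordPolicies 'None'
```

Because a never-expiring password removes the rotation safety net, the audit query at the end is worth running on a schedule: an automation account that is exempt from expiry should be the exception, use a long random secret, and be reviewed whenever the list of exemptions changes.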


Unable to verify domain name...


We've been trying to verify our domain, but no matter what we do, we get the same error.

Both the TXT and the MX records are present and this was confirmed using an external nslookup/dig.

From the "new" Azure portal, the error we see when we click "Verify" is:

Unable to verify domain name. Ensure you have added the record above at the registrar 'xxxxxxxxxxxxxx', and try again in a little while.

We've read through other posts and have tried their recommendations, but nothing, whether adding/removing the domain, etc.

If we try to use the Confirm-AzureADDomain PowerShell command, we get the following:

Confirm-AzureADDomain : Error occurred while executing ConfirmDomain
StatusCode: BadRequest
ErrorCode: Request_BadRequest
Message: Domain verification failed with the following error: 'VerifyDomain. cannot verify an email-verified domain
with a non-whitelisted service plan. paramName: NonWhitelistedServicePlan, paramValue:
50e68c76-46c6-4674-81f9-75456511b170, objectType: '.
At line:1 char:1
+ Confirm-AzureADDomain -name xxxxxxxxxxxxxxxxx
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Confirm-AzureADDomain], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.ConfirmDomain

If we call Get-AzureADDomain, the domain appears with an empty "AvailabilityStatus" and an "AuthenticationType" of "Managed".

What are the next steps?  We really want to finish our migration but this is preventing our next steps.

Stéphane

