Channel: Azure Active Directory forum

Security questions are not visible while signing up users in Azure AD B2C


Hi,

I have used the Azure AD B2C sign-in and sign-up policy for the user login and signup process with multi-factor authentication, and I have also set up a password reset policy.

Everything is working fine with Phone factor (MFA).

Now the client wants to add security questions while signing up a user and while resetting a password.

I have enabled security questions and selected 5 questions; however, they are not visible while signing up a user or resetting a password.

I am not able to understand what the exact problem is.

Could you please help me? It's very urgent.

Thanks in advance!


Hema


Unable to get tokens for app using code from Azure AD Graph API


I have created an app in http://apps.dev.microsoft.com/ and tried to connect from my web application. Here is my code:

```php
$data = array(
    'code'          => $code,
    'client_secret' => 'C2A32632155A3270220244A5774431C58126F9B5',
    'client_id'     => '49c1c823-b423-4673-af57-7be1ab39e386',
    'grant_type'    => 'authorization_code',
    'redirect_uri'  => 'http://localhost/crm/contacts/connectOffice',
    'scope'         => 'offline_access Contacts.ReadWrite',
);
$url = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
// These two options disable TLS certificate verification for this request
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_POST, true);
// Passing an array here makes cURL send multipart/form-data, not application/x-www-form-urlencoded
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
$result = curl_exec($curl);
```

I get the response:

[error] => invalid_client [error_description] => AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided. Trace ID: 47f5eaa3-2ea0-45bc-9bfa-8457395ae354 Correlation ID: 3007e67d-120d-4cf1-a0e6-1863d202b233 Timestamp: 2017-01-12 13:12:28Z [error_codes] => Array ( [0] => 70002 [1] => 50012 )

[timestamp]=>2017-01-1213:12:28Z[trace_id]=>47f5eaa3-2ea0-45bc-9bfa-8457395ae354[correlation_id]=>3007e67d-120d-4cf1-a0e6-1863d202b233

I am quite sure that I have provided the correct client secret and client ID in the request, but I still get this error every time. Can anyone suggest where I may be going wrong or what more I need to do to correct this?

Can we replace Azure VMs running AD with Azure Active Directory Domain Services?


A client has an Azure subscription that uses VMs to provide a Windows domain environment for a couple of application servers and DirSync services to their Office 365 (E3) subscription.

Would it be possible to replace their Domain Controller VM with the new Active Directory Domain Services feature?

I understand that it doesn't support features like Group Policy but they could live without that.

If it is possible, can it be configured to literally replace the current DC, or would the member servers have to be "joined" to the new Azure AD DS?

Cheers for now

Russell

What credentials should I use to connect to LDAP in Azure AD?


I'm trying to query the LDAP service of our Azure AD. I followed the official guide to set up LDAP, and everything seems fine in the Configure tab of Azure AD in the old Azure management portal. Unfortunately, I can't sign in.

What should I use as username, username@example.com or something like CN=username,DC=example,DC=com?

Should I create a specific group in Azure AD for administrator rights? I already created "AAD DC Administrators" and added myself.

User claims are dropped for secondary users?


In case it matters: I have a student/free Azure subscription.

I'm working on an app which uses Active Directory to log in. The app uses claims, in conjunction with policies, to ensure the user doesn't access any restricted areas (using .NET Core).

In my AD, I added a new user so I can have users with different permissions. So I have my @Hotmail account and my @tenant.onmicrosoft.com account within the AD.

When I log in with my personal, @Hotmail email, and I add the claims to the user at login time, everything works as it should. Subsequent requests will still have all the claims on the user that were added at login time. The same is not true for the @tenant... account: the claims are added, and after the login, when it redirects to the homepage, the claims are still there. However, any subsequent requests only have the default claims.

Is this a limitation of the free version of Azure? Is there something I need to add to my AD that allows the claims to persist? I know it's not my code, as it works fine with my personal @Hotmail account.

Also, on a similar note, the @tenant account doesn't come with an email address claim (the email address is in the Name claim). I'm guessing the reason might be related to the actual question?

Thanks!

A Tale of Two Tenants

While working through this issue, Visual Studio 2015 Add Account, with Chris Mann at Microsoft, it became known that I am a member of two active directory tenants. However, my user is disabled in the INTEGRIS tenant. Logical as I no longer work with them. So I have the Visual Studio Enterprise: BizSpark (active) and Visual Studio Ultimate with MSDN (canceled/disabled?) accounts tied to my Live account. I can't find a way to move or remove the other thing.

After applying a filter, users are not being deleted.


When we first synced, we got a bunch of non-user accounts, like service accounts etc. According to this article, we can apply a filter in AD Connect, re-sync, and all of the users that fall outside of the filter should get deleted. It is not happening. I have waited days and re-checked the filter, and it is not happening.

Any help appreciated.


Don't sweat the hard stuff.

Payment processing in Azure web applications


Hi,

We are a small team and are in the process of developing a web application for selling products online. We are considering Azure to host the application.

But we are having trouble finding information about the options we have for accepting payments (by credit card) through our website hosted on Azure. Could you please help us with this?

Any direction is appreciated. Thank you so much.

Regards

Harish


Optimize call to get the Azure AD directory object name


I am trying to get the Azure AD directory object name from an object ID. Currently, I have the code below, which uses the Graph Client library. However, it involves at least 2 calls to the Graph API. Is it possible to optimize it to 1 call?

```csharp
string objectName = null;
ActiveDirectoryClient client = GetActiveDirectoryClient();
IDirectoryObject dirObj = await client.DirectoryObjects.GetByObjectId(objectId).ExecuteAsync();

// IDirectoryObject does not have a Name property, so check the object type and make a second call
if (dirObj.ObjectType == "User")
{
    IUser user = await client.Users.GetByObjectId(objectId).ExecuteAsync();
    objectName = user.UserPrincipalName;
}
else if (dirObj.ObjectType == "ServicePrincipal")
{
    IServicePrincipal principal = await client.ServicePrincipals.GetByObjectId(objectId).ExecuteAsync();
    objectName = principal.DisplayName;
}
```

Get Azure AD app owner(s) via PowerShell/API


Can someone help me with a way to fetch the owners of an Azure AD app via PowerShell/API?

Azure AD Connect password writeback is not working


Hi,

We have been testing Azure AD for a few weeks now and seem to be stuck trying to get password writeback to work.

We have enabled self-service password reset in the Azure portal, and have installed (and configured) AD Connect on the same server where we have our local AD tenant. Users sync from our local tenant to Azure fine, but when a user resets his password (using https://passwordreset.microsoftonline.com), the password is updated successfully in the Azure environment, but it doesn't get sent to our on-premises AD.

In the Event Viewer, we do see event 31005 after enabling password writeback using PowerShell (we never got it when using the Configuration Wizard), but we never get event 31002. Our firewall seems to be correctly set, and the admin sync credentials seem to have all the necessary rights as described at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-getting-started#step-4-set-up-the-appropriate-active-directory-permissions.

We do see that, while all of our users are assigned to our local domain, in Azure's new portal, if we click on Azure AD Connect Health, the Azure Active Directory Connect (Sync) entry displays the .onmicrosoft.com domain and not our custom one. Could this be causing the issue? If so, how can we add our custom domain, or replace the .onmicrosoft.com domain with our custom one?

Thanks for your help,

Daniel


Can't join Azure AD: Error 80090031


I have a computer which was previously in Azure AD. It was then taken out of Azure AD, and I'm trying to get it back in.

Every time I try to add it, I get the error 80090031. I googled and found a topic saying that I would need to reset the TPM, but the options are grayed out. Also, I don't have the password for the TPM, and the computer doesn't have BitLocker enabled, nor has it ever had it enabled. I also checked in Azure AD that, under the previous user, there was no BitLocker recovery key stored.

The computer might have had the motherboard changed at one point, I'm not sure. But could this be related to this problem?

Any help?

Local Azure AD Connect installed SQL Server and TLS 1.2


Hello,

We locked down our server to TLS 1.2. Since then, Azure AD Connect can't connect to its own installed local SQL Server. We made the schannel registry edits as stated in the procedure at https://support.microsoft.com/nl-be/help/3135244/tls-1.2-support-for-microsoft-sql-server.

We also enabled TLS 1.2 in the registry for .NET 4.0xxxxx. I'm out of ideas, since all the information is for the full SQL Server (2012, 2014).

Can someone advise what steps we need to take to make Azure AD Connect connect to its own installed local SQL Server with TLS 1.2?

Windows Server 2012 R2, fully updated.

Greetings, Shane


Audit Azure administrative changes


Hi All,

Is there a report or option that can be enabled to audit all administrative changes to the features list in AAD under my federated domain tab?

Thanks in advance

Unable to access Azure API App Service using Active Directory


I'm new to Azure API App Service. I want to consume the Azure API Service in my WPF application. I'm unable to access my API. I get the following error:

{"AADSTS65005: The client application has requested access to resource 'https://officepointapisengineering.azurewebsites.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.\r\nTrace ID: 3dc7c968-1179-4386-892a-9f36ad257597\r\nCorrelation ID: 2bdc0e3d-e98a-409b-a4cf-9f015f4cfecd\r\nTimestamp: 2017-01-11 16:13:08Z"}

Can you please help me to resolve the error?


Does the Active Directory Authentication Library work for Android 7.1.1?


Hi,

I tried to run my Android app using ADAL on a Google Pixel running Android version 7.1.1, and I also tried to run it on Android version 7.0. On Android 7.0 it works fine, while on Android Nougat 7.1.1 it gives the following error. I don't know whether ADAL supports 7.1.1. Somebody, please help me out. Thanks in advance.

The error on Android Nougat 7.1.1 is as follows:

com.microsoft.aad.adal.authenticationException:code:-11 primary error: 5 certificate: issued to:CN=sercure.aadcdn.microsoftonline-p.com,O=Microsoft corporation, L=redmond, ST=Washington, C=US;
Issued by: CN=Symantec Trust Network, O=Symantec Corporation, C=US;
on URL:https://secure.aadcdn.microsoftonline-p.com/ests/2.1.5364.5/content/cnbundles/jquery.1.11.min.js correlationId:6dc07a37-b7e8-4ea9-9e8e-92d62ed2c0b1 

Can't save changes to my native client app in my AD B2C


I'm in the classic portal. I select my B2C item, then select "Applications my company owns", then select my native app. On the "Configure" screen, if I change anything and hit save, I just get a generic error that says "Could not update the application 'MyApp'". When I click on details, there's nothing useful. It just simply says "Please try again. If the problem persists, contact support." This has been going on for about a week now. I've tried Firefox, Chrome, Edge and Opera. What's the deal? Why can't I save anything? What I originally wanted to do on this page was to edit my "Permissions to other applications". That gave the same error when I tried saving. So I tried setting the redirect URI (without modifying permissions) and got the same exact error. It doesn't look like there's a way to edit permissions to other applications in the new portal (if there is, please tell me where), so I'm forced to use the classic interface.

Can we use Azure AD DS with the Azure subscription in one Region and the O365 subscription in Another?


A client currently has an Azure and O365 subscription in West Europe but they aren't "linked" correctly for Azure AD DS to work properly. If we create a new Azure subscription in a different region would we be able to link to O365 that will stay in West Europe?

I'm under the impression that the Azure and O365 subscriptions must reside in the same region, but I just wanted to confirm or deny this.

Cheers for now

Russell

AAD Sync errors in Hybrid Exchange involving SystemMailbox{GUID}@ad.contoso.com (4 of them) and Discovery Mailbox


I had installed AAD Sync with a fresh AD install. Only Exchange Online was in use. I had issues with SMTP primary addresses and mail-enabled security groups, so I decided to install local Exchange in the domain and go to Hybrid Mode.

Once Exchange is installed, the AAD Sync tool sends me emails (below).

It seems that the AAD Sync tool should be excluding these user objects. Can anyone give any advice on how to fix this?

The following errors occurred during synchronization:

Identity | Error Description
SystemMailbox{1f05a927-0359-4c28-a2d7-07c79cb8f25d}@ad.domain.com | Unable to update this object in Azure Active Directory, because the attribute [Username], is not valid. Update the value in your local directory services. | O1SZt7gIgkK1W8MPzs/z6g==
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@ad.domain.com | Unable to update this object in Azure Active Directory, because the attribute [Username], is not valid. Update the value in your local directory services. | LBd/6h89vkuCj3Khc3q+gg==
DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}@ad.domain.com | Unable to update this object in Azure Active Directory, because the attribute [Username], is not valid. Update the value in your local directory services. | vzW7VW424UW3QU7FKZjljw==
SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@ad.domain.com | Unable to update this object in Azure Active Directory, because the attribute [Username], is not valid. Update the value in your local directory services. | OZb8m890zkmkYvQ0fxYi8w==
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@ad.domain.com | Unable to update this object in Azure Active Directory, because the attribute [Username], is not valid. Update the value in your local directory services. | dOTNnOcZekGtN7q0Hb2ksQ==

Tracking ID: 60e38d03-7566-4156-abe4-368b61b41d86

Graph API: AADSTS70000: The provided value for the 'redirect_uri' is not valid


I'm trying to authenticate my client via the Graph API, but I need a refresh token which I can store, so the SDKs for e.g. UWP are not useful.

So I build the login link with:

```csharp
string url = $"https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize" +
             $"?client_id={ClientId}&response_type=code" +
             $"&redirect_url={WebUtility.UrlEncode(RedirectUrl)}" +
             $"&scope={WebUtility.UrlEncode(Scopes)}";
```

I open this in a WebView inside the UWP app and check on NavigationCompleted whether the current URI matches my RedirectUri; if so, I extract the code to use for getting the tokens. Up to this point everything works well, but when I try to get the tokens this way:

```csharp
List<KeyValuePair<string, string>> values = new List<KeyValuePair<string, string>>()
{
    new KeyValuePair<string, string>("grant_type", "authorization_code"),
    new KeyValuePair<string, string>("redirect_uri", RedirectUrl),
    new KeyValuePair<string, string>("client_id", ClientId),
    new KeyValuePair<string, string>("client_secret", ClientSecret),
    new KeyValuePair<string, string>("code", code),
};

HttpClient client = new HttpClient();

FormUrlEncodedContent queryContent = new FormUrlEncodedContent(values);

var response = await client.PostAsync("https://login.microsoftonline.com/consumers/oauth2/v2.0/token", queryContent);
string responseContent = await response.Content.ReadAsStringAsync();
```

All I get is:

{"error":"invalid_grant","error_description":"AADSTS70000: The provided value for the 'redirect_uri' is not valid. The value must exactly match the redirect URI used to obtain the authorization code.
Trace ID: b85f6e60-53de-48d3-b373-0a0a71736a71
Correlation ID: c1972daa-8e59-447a-8574-1cba608ce64b
Timestamp: 2017-01-22 17:08:28Z","error_codes":[70000],"timestamp":"2017-01-22 17:08:28Z","trace_id":"b85f6e60-53de-48d3-b373-0a0a71736a71","correlation_id":"c1972daa-8e59-447a-8574-1cba608ce64b"}

But the RedirectUris can't be unequal, since it's the same variable which is referenced, and it's still the same in the App Portal.

I googled around and tried it with a trailing slash at the end of the URI, and I'm still getting the same error.

Does anyone have an idea?
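Two posts on this page hit the Azure AD v2.0 token endpoint and get an error back: the PHP cURL request that reports invalid_client and the UWP request that reports AADSTS70000. Both come down to how the two legs of the authorization-code exchange are assembled. As an added example that is not from either poster, the Python below builds both legs with the parameter names and body encoding the endpoint expects, then checks that the legs agree (it also covers the trailing-slash and multipart cases, which go beyond the posts). The tenant, client ID, secret, code and redirect URI are constructed placeholders, and nothing is sent over the network.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders; real values come from the app registration.
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/"
FORM = "application/x-www-form-urlencoded"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """First leg: the URL the browser or WebView is sent to. The parameter
    must be named redirect_uri; an unrecognised name such as redirect_url
    is ignored, so the value never reaches the server as a redirect URI."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # tie to the session and check it on the callback
    }
    return AUTHORITY.format(tenant=tenant) + "authorize?" + urlencode(params)


def build_token_request(tenant, client_id, client_secret, code, redirect_uri, scopes):
    """Second leg: the POST that redeems the code. The body must be
    form-encoded (a PHP array handed to CURLOPT_POSTFIELDS is sent as
    multipart/form-data instead) and redirect_uri must match the first
    leg byte for byte, trailing slash included."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    return {
        "url": AUTHORITY.format(tenant=tenant) + "token",
        "headers": {"Content-Type": FORM},
        "body": urlencode(body),
    }


def check_exchange(authorize_url, token_request):
    """Return the mismatches that make the token endpoint reject the
    exchange; an empty list means the two legs agree."""
    auth = parse_qs(urlsplit(authorize_url).query)
    tok = parse_qs(token_request["body"])
    problems = []
    if "redirect_uri" not in auth:
        problems.append("authorize request has no redirect_uri parameter")
    elif auth["redirect_uri"] != tok.get("redirect_uri"):
        problems.append("redirect_uri differs between authorize and token requests")
    if token_request["headers"].get("Content-Type") != FORM:
        problems.append("token request body is not form-encoded")
    return problems
```

Run check_exchange on the real URL and body your app produces before sending them; a non-empty list names the leg that needs fixing.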
