Hello,
Is there an easy way to convert my install from using the AAD_ account to the MSOL_ Account without having to reinstall?
Thanks!
Shawn
Hi,
I'm trying to enable Enterprise State Roaming on my tenant, I have Azure AD Premium and enabled the feature within the Azure portal.
The change looked to save correctly, and going back into this settings page the feature is still enabled. However, if I go to a user that has been assigned an AD Premium license and click on "Devices syncing settings and enterprise app data" I get the following message:
Any thoughts?
Thanks
Rob
I have a javascript web application accessing a WebAPI using XMLHttpRequest (AJAX). The WebAPI (but not the HTML/JS) is secured with OAuth against a specific Office 365 Tenant.
The OAuth authentication code is as follows:
string clientId = GetSetting("ida:ClientId");
string aadInstance = GetSetting("ida:AADInstance");
string tenantId = GetSetting("ida:TenantId");
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenantId);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions {
    ClientId = clientId,
    Authority = authority,
    PostLogoutRedirectUri = "https://www.microsoft.com/",
    Notifications = new OpenIdConnectAuthenticationNotifications {
        AuthenticationFailed = context => {
            context.HandleResponse();
            context.Response.Redirect("/Error?message=" + context.Exception.Message);
            return Task.FromResult(0);
        }
    }
});
In all my tests in the test tenant, if I access the app without a valid token, the XHR send throws an error in my browser, which I catch and change the browser window content to a controller, like this:
try {
    xhr.send(null);
} catch (ex) {
    window.location = APIURI + 'OAuthLogin';
}
The OAuthLogin controller will only assure the user's logged in, otherwise forward to the login page, and once logged in, just redirects to the javascript application:
public class OAuthLoginController : ApiController
{
    [HttpGet]
    public HttpResponseMessage Login()
    {
        var baseUri = HttpContext.Current.Request.Url.CutAtAPI();
        var query = HttpContext.Current.Request.Url.Query;
        var response = Request.CreateResponse(HttpStatusCode.Moved);
        response.Headers.Location = new Uri(baseUri + "/" + query);
        return response;
    }
}
In my test tenant, this works completely as expected:
So I have deployed in a production tenant, and at first, everything ran as it should. After some days, it stopped working, the problem exhibiting as follows:
(Aborted), but no exception is thrown. window.location. If I then completely reload the application again, the same procedure is tried (and fails) again; not sure why that is.
The HTML returned by the microsoft login page contains a form containing among others an access token and an autosubmit, something like:
<html><head><title>Working...</title></head><body><form action="...<noscript>Scripting is disabled in your browser. Please click submit to proceed: <input type="submit" text="Submit"></noscript></form><script type="text/javascript">document.forms[0].submit();</script></html>
What am I doing wrong here?
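An added example, not the poster's code, of the server-side half of a fix for the symptom described above: instead of letting the OpenID Connect middleware answer an XMLHttpRequest with a 302 to login.microsoftonline.com (a cross-origin redirect the browser cannot follow from an XHR, which is what shows up as "(Aborted)" with no exception), sign-in challenges for XHR calls are answered with 401, a status the script can test for before navigating the whole window to /OAuthLogin. It assumes the poster's GetSetting helper and the same Katana packages (Microsoft.Owin.Security.OpenIdConnect, Microsoft.IdentityModel.Protocol.Extensions) the posted Startup code uses.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // GetSetting is the poster's helper (assumed); aadInstance is a format string
        // such as "https://login.microsoftonline.com/{0}".
        string clientId = GetSetting("ida:ClientId");
        string aadInstance = GetSetting("ida:AADInstance");
        string tenantId = GetSetting("ida:TenantId");
        string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenantId);

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = "https://www.microsoft.com/",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs just before the middleware would 302 to login.microsoftonline.com.
                // An XHR cannot follow that cross-origin redirect (it surfaces as
                // "(Aborted)"), so answer sign-in challenges for XHR calls with 401 instead.
                RedirectToIdentityProvider = context =>
                {
                    bool isSignIn = context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest;
                    if (isSignIn && IsAjaxRequest(context.Request))
                    {
                        // The page checks xhr.status === 401 and then navigates the
                        // whole window to /OAuthLogin to sign in interactively.
                        context.Response.StatusCode = 401;
                        context.HandleResponse();
                    }
                    return Task.FromResult(0);
                }
                // The poster's AuthenticationFailed handler can stay alongside this one.
            }
        });
    }

    // A raw XMLHttpRequest does not send this header on its own: the page must call
    // xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest") before xhr.send().
    private static bool IsAjaxRequest(IOwinRequest request)
    {
        return string.Equals(request.Headers["X-Requested-With"], "XMLHttpRequest",
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

With this in place the client-side catch block in the post becomes a status check (xhr.status === 401) rather than relying on send() throwing, which is exactly the part that behaved differently between the two tenants.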
Hi, I have a rather strange problem with AAD and am at a loss on how to proceed:
Windows 10 Pro machine has been working fine with a user signed into AAD.
Member of staff has left the business, and I have reset their password (several times now, via Office 365 and the azure portal), as I need to get onto the device under the user account to retrieve company information.
The new password does not seem to take effect on the device, and I simply get "the password is incorrect".
I am also unable to log on to the device using my (office 365 / azure) admin account (this time I get the username or password is incorrect).
I am therefore unable to get on to the device at all. Any old mechanisms I might have used to get onto the machine (local pw reset, local admin account etc) won't work as the machine has bitlocker applied and even if I could get local access the AAD passwords aren't (as far as I believe) stored in a SAM file anyway...
Any suggestions?
I know the machine is on the network as intune has updated and I can even trigger a remote restart using intune, but it's as if it's ignoring the updated password and still looking at a cached one.
Thanks,
Robert
I'm using a trial account to set up our app for SAML with ADFS. I get this error: "Failed to load SAML SSO Certificate data. An error occurred while loading the certificate data." I see this error:
{"errorCode":"Unauthorized","localizedErrorDetails":null,"operationResults":null,"timeStampUtc":"2017-01-25T15:45:48.4999724Z","clientRequestId":"ba4c5a8d-b506-4b2d-9a97-113d1475602b","internalTransactionId":"98207400-0852-4736-a5e3-cdf218b68434","upn":"ralph.decatrel@finario.com","tenantId":"d2160689-8aaf-4074-ae01-12e18fd54f05","userObjectId":"672297c9-da4e-4f3b-a3c3-c5b07620a0cd"}
The longer story is that I was trying to find out the right Name Identifier Format to use and I thought I might find it in the Metadata XML. Right now I'm using "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" and my app does not see the email address. What format should I be using?
I am trying to slowly implement Azure AD; my objective is to authenticate the users within my domain without hassle or setting up a VPN.
This seemed like the right solution but currently my two test machines (Windows 10 Enterprise) that joined the AD are asking the users to add a phone number and set up a PIN for the account.
I do not want that, I'd rather use the old fashioned user account and password managed by the AD Administrator.
I have tried disabling the two-step authentication and manually disabled "Windows Hello" through the local group policy, which seems to be the one causing the problem.
Searching the web leads me to the Intune service, but I currently do not have a subscription for Intune, nor do I use it.
While trying to log in in Visual Studio 2017 I received an error. After I checked the logs, it seems the error was caused because my account is in 2 Azure Active Directories, and one of them fails to return data.
01/25/2017 19:26:18 : Error : GetTenantAndScopeInfo UniqueId:'----removed---' UserName:'------removed---@outlook.com' IsMSA: 'True' with '0' Scopes Graph endpoint 'https://graph.windows.net/' Adding MSA as a tenant Getting tenant memeberships Retrieved tenant memberships, found '2' owned tenants OwnedTenant: 'bb6e453e-018c-4d9b-8f29-60a07d0141ed' Getting access token for graph.' Getting tenant friendly name' Friendly name is 'Default Directory'' OwnedTenant: '71cfe344-9855-4d4b-8a2d-3a039da12e8e' Getting access token for graph.' Problem calling 'AcquireTokenSilentAsync' : 'Microsoft.IdentityService.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException: Failed to refresh access token ---> Microsoft.IdentityService.Clients.ActiveDirectory.AdalServiceException: AADSTS50001: Resource 'https://graph.windows.net/' is disabled. Trace ID: cf5f9a98-a164-4f6e-bac1-da20487f06c6 Correlation ID: 74797ad3-12f0-4da4-b442-9e3efb5df91e Timestamp: 2017-01-25 17:26:17Z ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (BadRequest). ---> System.Exception: {"error":"invalid_resource","error_description":"AADSTS50001: Resource 'https://graph.windows.net/' is disabled.\r\nTrace ID: cf5f9a98-a164-4f6e-bac1-da20487f06c6\r\nCorrelation ID: 74797ad3-12f0-4da4-b442-9e3efb5df91e\r\nTimestamp: 2017-01-25 17:26:17Z","error_codes":[50001],"timestamp":"2017-01-25 17:26:17Z","trace_id":"cf5f9a98-a164-4f6e-bac1-da20487f06c6","correlation_id":"74797ad3-12f0-4da4-b442-9e3efb5df91e"}
Next I tried to remove the second active directory in the old Azure Portal, but I got a generic error "Could not validate this directory for deletion."
Next I tried to select the other active directory in the new portal, but I get into a redirect loop. Also, in the new portal the "friendly name is not displayed"
Old portal:
New Portal:
Next, I tried to set up a user with administrative rights so I can use PowerShell and try something, but I am not able to log in with that user to change the temporary password:
Next, I tried to set up another Microsoft Account in the broken Active Directory instance, thinking that I could log in in the portal and remove my personal account from that directory. When I try to log in with the new Microsoft Account, I get an error: AADSTS70001: Application '00000013-0000-0000-c000-000000000000' is disabled. (Correlation ID: a0ac9c11-9aa9-40b7-888f-bf75de580a5c)
Basically, all the errors I get suggest that the Graph API was disabled for this Active Directory, and I can't do anything on my side to remove the directory. Any suggestions on how I can turn the Graph API application on for an Azure Active Directory? I can't access it via the new portal because of the redirect loop, and I can't access it via PowerShell because I can't set up a new user.
Hi,
I have used Azure AD B2C sign-in and sign-up policy for user login and signup process with Multi factor Authentication. Also set password resetting policy.
Everything is working fine with Phone factor (MFA).
Now client wants to add security questions while signing up a user and password resetting.
I have enabled security questions and selected 5 questions; however, they are not visible while signing up a user or resetting a password.
I am not able to understand what the exact problem is.
Could you please help me? It's very urgent.
Thanks in advance!
Hema
I've taken over at a company that didn't have AD at all. They are using Office 365 for email, so I'd like to just use those accounts to auth to AD. Is there a way to do that? If not, what are my options?
Hi,
I want to implement login and logout functionality and display user details like username and user role using Azure Active Directory.
We are using Docker to deploy a Spring Cloud microservices project on Azure cloud. Could you please suggest steps to get user details?
Do we need to secure all microservice edge points using Spring Cloud OAuth2 security with JWT, or can we just secure one web microservice? Do I need any permissions or specific user roles to implement this?
Thanks,
Sunil Soni
I've been referred to make a log through this portal regarding an issue I have discovered with Azure AD.
Using 365 as our storage solution for Hinkley Nuclear New Build, admins have access to exchange admin centres and others. Among that is that use of Azure AD.
We have two types of admins; Global Admins and Limited admins. Not hard to tell the difference between the two.
Our limited admins use the new Azure AD portal (with the beautiful dashboard) to create users and reset passwords and manage the profile of a user. The rest is restricted.
We also have a multi-factor authentication method when logging into 365 in the form of a Mobile Text/Call or Auth App. These devices are managed by global admins, changing an authentication number where required or deleting one entirely. In the NEW AD portal, Limited admins are not able to do this (perfect, as that is something we don't want them to manage at this time).
However, as they have access to the old blue and white AD portal through 365, it allows them to edit and save auth details for every user in that directory per a user request ("No signal, or lost phone").
The issue for this only lies in the Older portal where they can edit auth methods without the permissions. I have tested this myself using a limited account and can confirm that auth methods can only be changed on a limited account through the old portal via the "Work Info" section of a user profile.
Hope this makes sense! :)
This is the high level flow I am trying to enable:
Multi-tenant AngularJS application [ClientApp] -> Multi-tenant ASP.NET Web API [ServicesApp]
My scenario is that I have a multi-tenant AngularJS application which requires Azure AD login using ADAL for JS (OpenID Connect). That web application is registered as a multi-tenant application "ClientApp" in a developer Azure AD, which I'll call "DevAAD". I consented to use this "ClientApp" application in another Azure AD, which I'll call "Tenant1". Once a user from the "Tenant1" directory logs into the web application with their credentials on the login.microsoftonline.com portal, they are able to access the web UI. However, the UI is unable to call Web APIs on behalf of the user using the OAuth 2.0 Implicit Flow. This is the error message I am seeing in the JavaScript code:
AADSTS65001: The user or administrator has not consented to use the application with ID '<ClientApp_ClientID>'. Send an interactive authorization request for this user and resource.
There is another Azure AD multi-tenant app representing backend Web API services called "ServicesApp" that is registered in the same "DevAAD" directory as the "ClientApp" UI application. The client ID and app ID URI of "ServicesApp" are the valid audiences for those services. This "ServicesApp" application has been consented to in the same "Tenant1" directory. When invoked from a native client application with permissions to "ServicesApp", the services are authorizing users from the "Tenant1" directory using the OWIN middleware provided in System.IdentityModel.Tokens.Jwt 4.0.0 and the [System.Web.Http.Authorize] attribute in the controller.
Configuration details:
"ClientApp"
Azure AD application manifest has "availableToOtherTenants" set to true and "oauth2AllowImplicitFlow" set to true. "ClientApp" has permissions to access "ServiceApp" Azure AD application.
The AngularJS application has the following configuration:
adalAuthenticationServiceProvider.init(
    {
        tenant: 'common',
        clientId: '<ClientApp_ClientID>',
        endpoints: { '<ServiceEndpoint>': '<ServiceApp_ClientID>' }
    },
    $httpProvider);
"ServiceApp"
ValidateIssuer is set to false in TokenValidationParameters object in WindowsAzureActiveDirectoryBearerAuthenticationOptions configuration object passed to IAppBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication()
"knownClientApplications" property in "ServiceApp" Azure AD manifest is set to ["<ClientApp_ClientID>"]
I have not been able to locate any examples of a multi-tenant web application calling multi-tenant Web APIs, specifically a single page application built with AngularJS. How can this be implemented with Azure AD?
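An added example, not the poster's code, for the "ServiceApp" side of the configuration above. Setting ValidateIssuer to false makes the API accept a token from any Azure AD tenant whose admin has consented, so this version keeps issuer validation on and supplies an explicit rule through the IssuerValidator delegate of System.IdentityModel.Tokens.Jwt 4.0, together with both audience forms the post names. The tenant IDs and audiences are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    // Placeholder values: the directories whose users may call ServicesApp, and the
    // two audience forms the token's "aud" claim can carry for ServicesApp.
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "<Tenant1_TenantID>",
            "<DevAAD_TenantID>"
        };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Multi-tenant: signing keys come from the common endpoint, so any tenant's
                // token verifies. Audience and issuer checks are what scope it to us.
                Tenant = "common",
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudiences = new[] { "<ServiceApp_ClientID>", "<ServiceApp_AppIdURI>" },
                    // Keep issuer validation on, but replace the single-tenant rule.
                    ValidateIssuer = true,
                    IssuerValidator = ValidateTenantIssuer
                }
            });
    }

    // Azure AD (v1) issuers have the form https://sts.windows.net/{tenantId}/ .
    // Returning the issuer accepts it; throwing rejects the token.
    private static string ValidateTenantIssuer(string issuer, SecurityToken token,
                                               TokenValidationParameters parameters)
    {
        string tenantId = ExtractTenantId(issuer);
        if (tenantId != null && AllowedTenantIds.Contains(tenantId))
            return issuer;
        throw new SecurityTokenInvalidIssuerException("Issuer not allowed: " + issuer);
    }
    // Extracts the tenant GUID from an sts.windows.net issuer URL; null if it is
    // not that shape (wrong scheme/host, not a GUID), which also rejects look-alike hosts.
    internal static string ExtractTenantId(string issuer)
    {
        Uri uri;
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || !string.Equals(uri.Host, "sts.windows.net", StringComparison.OrdinalIgnoreCase))
            return null;
        Guid tenantGuid;
        return Guid.TryParse(uri.AbsolutePath.Trim('/'), out tenantGuid) ? tenantGuid.ToString() : null;
    }
}
```

This does not change the AADSTS65001 consent error itself, which is raised by Azure AD before any token reaches the API; it limits which consented tenants the API will serve once tokens do arrive.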
Hello I am new to Azure.
We recently set up the Salesforce app in our Azure AD for SSO to Salesforce. The sign-on part is working fine.
The question I have is, how many licenses are needed in Azure for my users to be able to sign into Salesforce via SSO? I was told by my salesperson that every user needs to be licensed, but I have not assigned any of my Azure subscription licenses to any of my users other than my 2 admin accounts, and every user is able to sign in without issue?
Did my salesperson sell me too many licenses? Do I only need licenses for my admin/sync accounts?
Any help would be appreciated.
Hello I am new to Azure.
We recently set up the Salesforce app in our Azure AD for SSO to Salesforce. The sign-on part is working fine.
I am having an issue with users that are synced into Salesforce. In Azure I have it set to sync in AD groups from my local AD. When a user is a part of the AD group "Salesforce Users" they are supposed to be assigned a Salesforce profile, which is not working. Every user is getting assigned to the free Chatter profile, which is incorrect.
Under the application settings for Salesforce(in azure) it lists the correct groups from my local AD. When I click on the group "Salesforce Users" I am able to assign that group to the correct profile in salesforce. But when the users are synced into Salesforce it ignores that group/profile and just throws the user into the chatter free profile.
Anyone having issues with this?
Salesforce is notifying everyone that the default certificate for signing requests is going to be retired. Meaning we have to create a new cert.
Does anyone know if we have to purchase a cert or use a self signed one for this? If we can use a self signed one does it have to be uploaded to Azure?
Any help would be appreciated.
I need to get below details of Azure AD B2C users -
I have explored the Azure AD Graph API (Get-User) but it throws some exception. https://docs.microsoft.com/da-dk/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
I am still not sure whether the above information can be obtained from the Azure AD B2C Graph API or not.
Is there any other way to get the above Azure AD B2C user details?
Thanks in advance.
Hema
The AD authentication used to work earlier and has suddenly stopped.
We are using authentication for an iOS app built in Xamarin. We created a client native application in Azure AD and provided the ClientID and Redirect URI as specified. But it throws an error when "authContext.AcquireToken" is being called:
Exception: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS65005: The client application has requested access to resource 'example.com/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list. Trace ID: ea22c27c-9913-4423-92dc-6fff1cf9904d Correlation ID: 4c19258b-2391-4585-911e-853157dde073 Timestamp: 2017-01-24 09:28:49Z
Code we are using to acquire token:
var authContext = new AuthenticationContext(authority);
if (authContext.TokenCache.ReadItems().Any())
    authContext = new AuthenticationContext(authContext.TokenCache.ReadItems().First().Authority);
var authResult = await authContext.AcquireTokenAsync(
    resource, clientId, new Uri(returnUri),
    new PlatformParameters(UIApplication.SharedApplication.KeyWindow.RootViewController));
It gives the above "AADSTS65005" error if we run the app, but if we change the redirect URI, it opens the page in my app instead of redirecting. The same used to work earlier for us. We also tried creating a new client native app, but it returned the same error "AADSTS65005".
Also, we noticed that now it opens the Microsoft login page, then redirects to the Office 365 login page and then opens the page in our app, but does not give back the token. Have there been any Microsoft updates lately which could have stopped this code from running?
We have an app integrated with B2C (OAuth2, sign-in-or-sign-up policy, branded login page). Customers are able to log in once and then it becomes impossible to log in again. They see the login page, submit it (data is sent correctly, I checked network traffic) and then see the same login page again. No errors are present; the login page just shows again. The unbranded login page works the same, so it's not a problem with our customization.
When user opens new clear browser (for example in anonymous mode or clear cookie for domain login.onmicrosoft.com) everything works.
How to workaround this issue?