I have a javascript web application accessing a WebAPI using XMLHttpRequest (AJAX). The WebAPI (but not the HTML/JS) is secured with OAuth against a specific Office 365 Tenant.

The OAuth authentication code is as follows:

string clientId =GetSetting("ida:ClientId");string aadInstance =GetSetting("ida:AADInstance");string tenantId =GetSetting("ida:TenantId");string authority =String.Format(CultureInfo.InvariantCulture, aadInstance, tenantId);

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

app.UseCookieAuthentication(newCookieAuthenticationOptions());

app.UseOpenIdConnectAuthentication(newOpenIdConnectAuthenticationOptions{ClientId= clientId,Authority= authority,PostLogoutRedirectUri="https://www.microsoft.com/",Notifications=newOpenIdConnectAuthenticationNotifications{AuthenticationFailed= context =>{
                context.HandleResponse();
                context.Response.Redirect("/Error?message="+ context.Exception.Message);returnTask.FromResult(0);}}});

In all my tests in the test tenant, if I access the app without a valid token, the XHR send throws an error in my browser, which I catch and change the browser window content to a controller, like this:

try{
    xhr.send(null);catch(ex){
    window.location = APIURI+'OAuthLogin';}

The OAuthLogin controller will only assure the user's logged in, otherwise forward to the login page, and once logged in, just redirects to the javascript application:

publicclassOAuthLoginController:ApiController{[HttpGet]publicHttpResponseMessageLogin(){var baseUri =HttpContext.Current.Request.Url.CutAtAPI();var query =HttpContext.Current.Request.Url.Query;var response =Request.CreateResponse(HttpStatusCode.Moved);
        response.Headers.Location=newUri(baseUri +"/"+ query);return response;}}

In my test tenant, this works completely as expected:

• I call the controller via XHR.
• The controller tries to redirect and throws an exception.
• My code navigates the browser window to OAuthLogin controller.
• The forward of the unauthenticated user to login.microsoftonline works
• The user is logged in and redirected back to the the OAuthLogin controller
• The controller enforces its redirect back to the application.

So I have deployed in a production tenant, and at first, everything ran as it should. After some days, it stopped working, the problem exhibiting as follows:

• The XHR status is (Aborted), but no exception is thrown.
• In the network tab, I see that the microsoft login page is called, but it's not in window.location.
• The microsoft login page seems to do a successful auto-login with the info still available in the browsercache.
• The login page returns some cookies and HTML containing a form submission. This HTML shows up in the XHR result, where the applications expects JSON, but since receives HTML, it throws up.

If I then completely reload the application again, the same procedure is tried (and fails) again; not sure why that is.

The HTML returned by the microsoft login page contains a form containing among others an access token and an autosubmit, something like:

<html><head><title>Working...</title></head><body><form action="...<noscript>Scripting is disabled in your browser. Please click submit to proceed: <input type="submit" text="Submit"></noscript></form><script type="text/javascript">document.forms[0].submit();</script></html>

What am I doing wrong here?

Command: Get-AzureADUser [-Filter ] command

msdn says Parameters -Filter Specifies an oData v3.0 filter statement. This parameter controls which objects are returned.

how to set filter to get the same result as Azure module v1 commands

Get-MsolUser -All| Where-Object {$_.isLicensed -eq "True"}| Select-Object UserPrincipalName -ExpandProperty Licenses|Select-Object UserPrincipalName -ExpandProperty ServiceStatus|Where-Object {$_.ProvisioningStatus -eq "Success" -and $_.ServicePlan.ServiceName -like "MCO*"}|select UserPrincipalName -Unique

I have searched all over the place to find a proper example of setting filter but could not and i ended up here. I am basically trying to convert my Azure module v1 commands to Azure module v2 commands.

We have had Azure Active Directory sign-in on our API management page before, but I just noticed that the option is now gone. I've tried following this guide: https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-aad/ 

but the tab called identities doesn't have an item called Azure Active Directory.

How do I enable Azure Active Directory sign-in again?

I'm using a trial account to set up our app for SAML with ADFS. I get this error: Failed to load SAML SSO Certificate dataAn error occurred while loading the certificate data. I see this error:

{"errorCode":"Unauthorized","localizedErrorDetails":null,"operationResults":null,"timeStampUtc":"2017-01-25T15:45:48.4999724Z","clientRequestId":"ba4c5a8d-b506-4b2d-9a97-113d1475602b","internalTransactionId":"98207400-0852-4736-a5e3-cdf218b68434","upn":"ralph.decatrel@finario.com","tenantId":"d2160689-8aaf-4074-ae01-12e18fd54f05","userObjectId":"672297c9-da4e-4f3b-a3c3-c5b07620a0cd"}

Dear,

I have Azure AD & Azure AD Password enabled for an organisation. I noticed the following :

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy

However, I created a new Azure AD user.  After enabling Self Service and assigning an alternate e-mail address, I changed the password by using the passwordreset.microsoftonline.com website.

I noticed that, after receiving the verification code, I was able to change the old password by a new password.  The new password was however identical with the old password.  How is this possible?
Is this a bug / setting or documentation error?

Best regards,
Jens

I am trying to slowly implement Azure AD, my objective is to authenticate the users within my domain without hassle or setting up a VPN.

This seemed like the right solution but currently my two test machines (Windows 10 Enterprise) that joined the AD are asking the users to add a phone number and set up a PIN for the account.

I do not want that, I'd rather use the old fashioned user account and password managed by the AD Administrator.

Have tried disabling the two step authentication and manually disabled the "Windows Hello" through the local group policy which seems to be the one causing the problem.

Searching the web leads me to the Intune service but I currently do not have a subscription for the Intune nor I use it.

I am getting this error when setting up Azure AD to sync our AD accounts to O365. here is the error from trace log.

Hi Everyone,

I have a question in regards to the AD Connect (staging mode). If I have two AD Connect connections set up. One is in staging mode and one which isn't.

Can you confirm if my understanding I have is correct?

If the AD Connect fails on the main connection. The server which is running in Staging mode will remain that way until I manually change the configuration. In the meantime users will still be able to authenticate with Microsoft Services since it's authenticating against Azure AD. If they try do a password reset on Azure AD (and writeback was originally set up) this will still sync with the domain. However, if the domain password is reset will not sync with Azure AD since staging mode is a one way sync.

Thanks,

I am configuring ADFS in AD Connect and receive an IndexOutOfRangeException when transitioning from the Credentials page to the Service Account page. Below is the relevant info from the log. Any idea how to correct this?

[13:35:12.097] [ 28] [INFO ] Page transition from "Credentials" [ConfigFederationServerCredentialsPageViewModel] to "Service account" [ConfigServiceAccountPageViewModel]
[13:35:12.100] [ 28] [ERROR] RootWizardPageViewModel: An unhandled exception occurred during a page load.
Exception Data (Raw): System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at Microsoft.Online.Deployment.Framework.MVVM.Validation.ValidateUsernameFormatAttribute.Format(String username, UsernameFormat desiredFormat)
   at Microsoft.Online.Deployment.OneADWizard.UI.Controls.Credentials.InputCredentialsViewModel.set_Username(String value)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigServiceAccountPageViewModel.OnLoad(NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.ActivatePage(IWizardPage page, NavigateDirection direction)
[13:35:12.180] [  2] [ERROR] A terminating unhandled exception occurred.
Exception Data (Raw): System.AggregateException: A Task's exception(s) were not observed either by Waiting on the Task or accessing its Exception property. As a result, the unobserved exception was rethrown by the finalizer thread. ---> System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at Microsoft.Online.Deployment.Framework.MVVM.Validation.ValidateUsernameFormatAttribute.Format(String username, UsernameFormat desiredFormat)
   at Microsoft.Online.Deployment.OneADWizard.UI.Controls.Credentials.InputCredentialsViewModel.set_Username(String value)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigServiceAccountPageViewModel.OnLoad(NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.ActivatePage(IWizardPage page, NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.MoveNext()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigFederationServerCredentialsPageViewModel.ValidateCredentials()
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
---> (Inner Exception #0) System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at Microsoft.Online.Deployment.Framework.MVVM.Validation.ValidateUsernameFormatAttribute.Format(String username, UsernameFormat desiredFormat)
   at Microsoft.Online.Deployment.OneADWizard.UI.Controls.Credentials.InputCredentialsViewModel.set_Username(String value)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigServiceAccountPageViewModel.OnLoad(NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.ActivatePage(IWizardPage page, NavigateDirection direction)
   at Microsoft.Online.Deployment.Framework.UI.WizardPages.RootWizardPageViewModel.MoveNext()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigFederationServerCredentialsPageViewModel.ValidateCredentials()
   at System.Threading.Tasks.Task.Execute()<---

I've been referred to make a log through this portal regarding an issue I have discovered with Azure AD.

Using 365 as our storage solution for Hinkley Nuclear New Build, admins have access to exchange admin centres and others. Among that is that use of Azure AD. 

We have two types of admins; Global Admins and Limited admins. Not hard to tell the difference between the two. 

Our limited admins use the new Azure AD portal (with the beautiful dashboard) to create users and reset passwords and manage the profile of a user. The rest is restricted. 

We also have a multi-factor authetification method when logging into 365 in the form of a Mobile Text/Call or Auth App. These devices are managed by global admins, changing an authentication number where required or deleting one entirely. In the NEW AD portal, Limited admins are not able to do this (perfect as that is something we don't want them to manage at this time). 

However as they have access to the old blue and white AD portal through 365, it allows them to edit and save auth details for every user in that directory par a user request ("No signal, or lost phone"). 

The issue for this only lies in the Older portal where they can edit auth methods without the permissions. I have tested this myself using a limited account and can confirm that auth methods can only be changed on a limited account through the old portal via the "Work Info" section of a user profile. 

Hope this makes sense! :) 

This is the high level flow I am trying to enable:

Multi-tenant AngularJS application [ClientApp] -> Multi-tenant ASP.NET Web API [ServicesApp]

My scenario is that I have a multi-tenant AngularJS application which requires Azure AD login using ADAL for JS (OpenID Connect). That web application is registered as a multi-tenant application "ClientApp" in a developer Azure AD, which I'll call"DevAAD". I consented to use this "ClientApp" application in another Azure AD, which I'll call "Tenant1". Once a user from the "Tenant1" directory logs into the web application with their credentials into the login.microsoftonline.com portal, they are able to access the web UI. However, the UI is unable to call Web APIs on behalf of the user using the OAuth 2.0 Implicit Flow. This is the error message I am seeing in the Javascript code:

AADSTS65001: The user or administrator has not consented to use the application with ID '<ClientApp_ClientID>'. Send an interactive authorization request for this user and resource.

There is another Azure AD multi-tenant app representing backend Web API services called "ServicesApp" that is registered in the same "DevAAD" directory as the "ClientApp" UI application. The client ID and app ID URI of "ServicesApp" are the valid audiences for those services. This "ServicesApp" application has been consented to in the same "Tenant1" directory. When invoked from a native client application with permissions to "ServicesApp", the services are authorizing users from the "Tenant1" directory using the OWIN middleware provided in System.IdentityModel.Tokens.Jwt 4.0.0 and the [System.Web.Http.Authorize] attribute in the controller.

Configuration details:

"ClientApp"

Azure AD application manifest has "availableToOtherTenants" set to true and "oauth2AllowImplicitFlow" set to true. "ClientApp" has permissions to access "ServiceApp" Azure AD application.

The AngularJS application has the following configuration:

adalAuthenticationServiceProvider.init(
      {
tenant: 'common',
clientId: <ClientApp_ClientID>,
endpoints: { <ServiceEndpoint> : <ServiceApp_ClientID> }
      },

      $httpProvider);

"ServiceApp"

ValidateIssuer is set to false in TokenValidationParameters object in WindowsAzureActiveDirectoryBearerAuthenticationOptions configuration object passed to IAppBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication()

"knownClientApplications" property in "ServiceApp" Azure AD manifest is set to ["<ClientApp_ClientID>"]

I have not been able to locate any examples of a multi-tenant web application calling multi-tenant Web APIs, specifically a single page application built with AngularJS. How can this be implemented with Azure AD?

Salesforce is notifying everyone that the default certificate for signing requests is going to be retired. Meaning we have to create a new cert. 

Does anyone know if we have to purchase a cert or use a self signed one for this? If we can use a self signed one does it have to be uploaded to Azure? 

Any help would be appreciated. 

I intend to use Azure AD B2C to authenticate users for mobile apps and a webapi backend. All of this is configured and working as expected until I tries to use my Google login and received a disallowed_useragent error. Researching this I found that authenticating through embedded webviews are considered harmful and there are solutions available, AppAuth being one of these. This library makes use of the SFSafariViewController on iOS, which works until the authentication is successful and the redirect needs to happen. As I understand the process, redirecting to a unique custom uri that my iOS app is registered for will cause Safari to redirect back to my app. The native redirect uri configured in Azure AD does not work in this case. I thought to configure this as a web interface but am unable to add a uri that does not conform to the https scheme.

Is there a way to configure a custom non-https redirect uri? If not, is there any way we can add this feature? I cannot use the current solution with a Google account and suspect that many other authentication providers will follow Google's lead on this soon.

Hi

I'm trying to create my sign-up policy but I get the following error message:

There was an error while creating the policy 'An object was not found while retrieving extension properties in tenant "73a55309-...". Error returned was 404/Request_ResourceNotFound: Resource '7c7ab660-...' does not exist or one of its queried reference-property objects are not present.'

Despite this error my policy has been created. Is that OK?

Hi, I have a rather strange problem with AAD and am at a loss on how to proceed:

Windows 10 Pro machine has been working fine with a user signed into AAD.

Member of staff has left the business, and I have reset their password (several times now, via Office 365 and the azure portal), as I need to get onto the device under the user account to retrieve company information.

The new password does not seem to take effect on the device, and I simply get "the password is incorrect".

I am also unable to log on to the device using my (office 365 / azure) admin account (this time I get the username or password is incorrect).

I am therefore unable to get on to the device at all. Any old mechanisms I might have used to get onto the machine (local pw reset, local admin account etc) won't work as the machine has bitlocker applied and even if I could get local access the AAD passwords aren't (as far as I believe) stored in a SAM file anyway...

Any suggestions?

I know the machine is on the network as intune has updated and I can even trigger a remote restart using intune, but it's as if it's ignoring the updated password and still looking at a cached one.

Thanks,

Robert

I need to get a copy of MS Azure's SOC2 certification so I need to login to the MS Service Trust Portal (http://aka.ms/STP). It doesn't matter which account I use - I've tried the global admin for my Azure account, an external user tied to the account, and a regular Live.com account - it will not let me login and keeps generating the following error each time. 

How can I finally login? I've tried adding "domain_hint=" with my Azure domain but it did not help at all. (Keep in mind the error below is the same thing no matter which user I test with. Even the identity provider "live.com" never changes.)