Channel: Azure Active Directory forum

Azure Password Reset No Longer working

We have an Educational account and use A1 for our faculty. We had set up the password reset function in Azure for a specific group. It has worked. Over the past week or so it no longer works. We get the following message:

We're sorry

You cannot reset your password at this time because required licenses are missing from your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check license assignment. To learn more about licensing read the article Licensing requirements for Azure AD self-service password reset.

If you'd like, we can contact an administrator in your organization to reset your password for you.

Additional details: SSPR_0012: Your organization does not have the required licenses necessary to perform password reset. Please contact your admin and ask them to review license assignments.


Clarification on the azure service administrator role

Please help me to answer below questions:

1. Who can change the service administrator for an Azure subscription? Can a global admin change this role? -- We have a service admin assigned in Azure to someone who has left the company. Now we want to change the service admin role to someone else, but with GA rights we cannot do it.

2. Can a service administrator elevate its role to be a global admin in Azure? -- We want to restrict the service admin from becoming a GA. If this is possible, then how can we restrict it from becoming a GA?

Thanks in advance

J


Alex

End user can access the Azure Portal by default without any admin privileges, and also the Azure AD portal even after removing Azure AD licenses

Dear Team,

For end-user access to Azure AD, I see it is or was a known issue which can be resolved by enabling the access restriction to the Azure AD administration portal in the Azure AD tenant, as mentioned in the article below.

https://social.technet.microsoft.com/Forums/systemcenter/en-US/3a331dd5-76a7-47d4-bd1c-d4ff26c5c355/restricting-quotuserquot-access-to-azure-portal?forum=windowsazuremanagement

However, the end user can still browse https://portal.azure.com and explore it. Is there any option to block it?

This ideally shouldn't be accessible by end users. I believe there is an answer/explanation from Microsoft on why the end user is allowed to access Azure AD & the Azure Portal.

Please share those details over email at sagarxxxx@xxxx.com, and also workarounds and solutions to prevent this.

Also, is Microsoft working on preventing end-user access by default?


Endpoint migration of SBS Server to Azure

Hoping someone can point me in the right direction. I want to know how to / get a guide to migrate an SBS2011 server into Azure: a hosted VM for the new server, bringing over the current AD setup. Office 365 and SharePoint I can do; I just need help with the server side...

Error while trying to get token (AcquireTokenAsync) from Azure AD via console app.

Scenario - 

Develop a console app which can interact with the Dynamics 365 online platform and do basic operations: create entity, update, delete and get events.

Problem -

AADSTS65005 : Using application 'adapter' is currently not supported for your organization XXXXX because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of XXXX before the application adapter can be provisioned.

Details - 

I am very new to the Azure AD and Dynamics world. Here is what I did:

1. Provisioned a Dynamics URL for my org, https://xxx.crm.dynamics.com, using my organization email.

2. Logged onto the Azure portal and registered a native app.

When I click on users, I can see myself under my company domain.

3. Gave permissions to my app:

Windows Azure Active Directory and Dynamics CRM Online

4. Downloaded your sample code (Simple Web API) and modified my URL etc.

(First the app wasn't compiling because AcquireToken has been replaced with AcquireTokenAsync. I fixed that.)

5. On trying to get a token using OAuth and ADAL, I get the following error:

Using application 'adapter' is currently not supported for your organization XXX because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of XXX before the application adapter can be provisioned. 

- What do I need to do to fix this?

- Am I headed on the right path? In order to interact with the Dynamics platform programmatically, do I need to authenticate via AD using OAuth?

- What is wrong with my approach?

- Do I need additional permissions for my account?

- Also, in PlatformParameters for AcquireTokenAsync, I am passing Always, although I do not want the user to be prompted. There will be no user interaction from my application. How can I achieve that?

Thanks 


unauthorized_client","error_description":"AADSTS70001: Application with identifier 'xxxx-xxxx-xxxx-xxxx-xxxx' was not found in the directory

Using a management certificate to authorize with this Python script:

# Legacy Azure Service Management (ASM) client, authenticated with a management certificate
from azure.servicemanagement import ServiceManagementService

subscription_id = 'xxxx-xxxx-xxxx-xxxx-xxxx'
# PEM file holding the management certificate and its private key
certificate_path = '/root/python/azure/Azure-python/my-cert-file.pem'

sms = ServiceManagementService(subscription_id, certificate_path)

When run with Python it returns this error:

python test.py
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:857: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "test.py", line 1, in <module>
    from azure import *
  File "/root/python/azure/Azure-python/azure.py", line 25, in <module>
  File "/usr/lib/python2.7/site-packages/adal/authentication_context.py", line 179, in acquire_token_with_client_credentials
    return self._acquire_token(token_func)
  File "/usr/lib/python2.7/site-packages/adal/authentication_context.py", line 128, in _acquire_token
    return token_func(self)
  File "/usr/lib/python2.7/site-packages/adal/authentication_context.py", line 177, in token_func
    return token_request.get_token_with_client_credentials(client_secret)
  File "/usr/lib/python2.7/site-packages/adal/token_request.py", line 315, in get_token_with_client_credentials
    token = self._oauth_get_token(oauth_parameters)
  File "/usr/lib/python2.7/site-packages/adal/token_request.py", line 113, in _oauth_get_token
    return client.get_token(oauth_parameters)
  File "/usr/lib/python2.7/site-packages/adal/oauth2_client.py", line 289, in get_token
    raise AdalError(return_error_string, error_response)
adal.adal_error.AdalError: Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS70001: Application with identifier 'xxxx-xxxx-xxxx-xxxx-xxxx' was not found in the directory xxxx-xxxx-xxxx-xxxx-xxxx\r\nTrace ID: xxxx-xxxx-xxxx-xxxx-xxxx\r\nCorrelation ID: xxxx-xxxx-xxxx-xxxx-xxxx\r\nTimestamp: 2018-07-16 02:24:46Z","error_codes":[70001],"timestamp":"2018-07-16 02:24:46Z","trace_id":"xxxx-xxxx-xxxx-xxxx-xxxx","correlation_id":"xxxx-xxxx-xxxx-xxxx-xxxx"}
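
Added example (the editor's own code, not from either post above and not from ADAL or any Microsoft SDK): a small parser for the JSON error body that Azure AD's token endpoint returns, in the shape quoted in the traceback above and in the AADSTS65005 post before it. It pulls out the AADSTS code, the first line of the message, and the Trace ID / Correlation ID / Timestamp that support asks for, whether it is given the raw JSON, an SDK exception string wrapping it, or only the error_description text. The sample strings are constructed, with placeholder GUIDs.

```python
import json
import re
from typing import Optional

# Azure AD error_description text has this shape (CR LF separated):
#   AADSTS70001: <message>\r\nTrace ID: <guid>\r\nCorrelation ID: <guid>\r\nTimestamp: <utc>
_CODE_RE = re.compile(r"AADSTS(\d+)")
_FIELD_RE = re.compile(r"(Trace ID|Correlation ID|Timestamp):\s*([^\r\n]+)")


def extract_json(text: str) -> Optional[dict]:
    """Return the first JSON object embedded in text, e.g. after 'server response: '."""
    start = text.find("{")
    if start == -1:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(text[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def parse_aadsts_error(text: str) -> dict:
    """Flatten an Azure AD token-endpoint error (raw JSON, an SDK exception string
    wrapping it, or just the error_description line) into one dict."""
    body = extract_json(text) or {}
    desc = body.get("error_description", text)
    code = _CODE_RE.search(desc)
    fields = {k.lower().replace(" ", "_"): v.strip() for k, v in _FIELD_RE.findall(desc)}
    return {
        "error": body.get("error"),
        "aadsts_code": int(code.group(1)) if code else None,
        "message": desc.splitlines()[0] if desc else "",
        "trace_id": fields.get("trace_id", body.get("trace_id")),
        "correlation_id": fields.get("correlation_id", body.get("correlation_id")),
        "timestamp": fields.get("timestamp", body.get("timestamp")),
    }


def support_reference(parsed: dict) -> str:
    """The values a support ticket needs, without the rest of the body
    (which carries your tenant and application identifiers)."""
    return (f"AADSTS{parsed['aadsts_code']} trace_id={parsed['trace_id']} "
            f"correlation_id={parsed['correlation_id']} timestamp={parsed['timestamp']}")


# Constructed sample: the ADAL exception text from the traceback, with placeholder GUIDs.
SAMPLE_ADAL_ERROR = (
    "adal.adal_error.AdalError: Get Token request returned http error: 400 and server response: "
    '{"error":"unauthorized_client","error_description":"AADSTS70001: Application with identifier '
    "'00000000-0000-0000-0000-000000000001' was not found in the directory "
    "00000000-0000-0000-0000-000000000002\\r\\nTrace ID: 11111111-1111-1111-1111-111111111111"
    "\\r\\nCorrelation ID: 22222222-2222-2222-2222-222222222222\\r\\nTimestamp: 2018-07-16 02:24:46Z\","
    '"error_codes":[70001],"timestamp":"2018-07-16 02:24:46Z",'
    '"trace_id":"11111111-1111-1111-1111-111111111111",'
    '"correlation_id":"22222222-2222-2222-2222-222222222222"}'
)

# Constructed sample: only the description line, as shown in the AADSTS65005 post.
SAMPLE_PLAIN = ("AADSTS65005: Using application 'adapter' is currently not supported for your "
                "organization contoso.example because it is in an unmanaged state.")

if __name__ == "__main__":
    for sample in (SAMPLE_ADAL_ERROR, SAMPLE_PLAIN):
        parsed = parse_aadsts_error(sample)
        print(parsed["message"])
        print("  ", support_reference(parsed))
```

The AADSTS code plus Trace ID and Correlation ID are what to paste into a ticket; the first line of the message is enough to search the documented error list, and the rest of the body can stay in your own logs.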


Group Policy features greyed out in Azure AD DS

I currently have a customer that already has devices and users connected to Azure AD, and I have now just created the Azure AD Domain Services feature. I created a member server that I joined to this domain, which was successful, and also added the RSAT and Group Policy Management roles. I am able to access these features, but I noticed I am not able to create or modify any group policies. Is this a limitation, and do I have to use another feature? Or do I need to build my own AD DS server and then be able to manage them? Also, if I do that, can I move my current user devices from the AADDC Computers container?

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application:

Sign in

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'c9598e68-f*ff-*471-**46-32**69ae50**'.

I am integrating Jenkins with Azure AD and running Jenkins on http://localhost:8080/. I have also added this to my reply URLs but am still facing the above issue; my Jenkins is also able to successfully verify the application using the application ID.


Azure B2C - Attribute ordering on Sign Up page is very odd, how to customize?

I don't see any documentation about the ordering of user attributes on the sign-up form, even when using a custom UI. How do we do this?

Right now my attribute order is like this, which is super odd (postal code before first name and last name, "Given Name" towards the bottom, etc.). How do I fix this?

  • Email Address 
  • New Password
  • Confirm New Password
  • Postal Code
  • Country/Region 
  • State/Province
  • Street Address
  • Surname
  • Given Name
  • City 
  • Job Title

SSPR Windows 10 Password Reset

Hi,

I've been trying to find the answer to this question, but have been unsuccessful. If a customer has a laptop that is domain joined and Azure AD joined, and the user needs to reset their password via the Windows 10 login page when they are outside the office (I already have the reset password link set up on the Windows 10 machine), will the user be able to log in to the computer using the new password? What is the proper way of setting this up for the customer?

Here is the scenario:

User is in the office, and the user logs into their Windows 10 using domain\username. The user is offsite and connected to the internet. The user clicks on reset password, and the password resets successfully. The user tries to log in to the Windows computer but gets an error saying the password is incorrect. The user is logging in with domain\username.

Should the customer start using their Azure AD account going forward for users who are most of the time remote, instead of their domain account? 

What is the best practice for users who are both working locally in the office and also working off-site? Should we set it up so they use their Azure AD account only?

Thank you

Azure: Programatically add entry into App Registrations in

I have a web application hosted on my local server and I want it to fetch Resource Management data from Azure.

This works with App Registrations mentioned here https://developer.microsoft.com/en-us/graph/docs/concepts/auth_register_app_v2

where I get the client ID after manually entering the app in App Registrations.

But I want this App Registration step to be automated as well, i.e. a user who logs in to my portal will somehow provide me with access to his cloud service so that programmatically I can set up my app in his App Registrations and get the client ID of that app, which I can use to make my REST calls. I do not want my client to do the App Registration manually.

Is this possible?

The reply url specified in the request does not match the reply urls configured

Request Id: e70677a0-07cd-4493-a633-a19df8100800
Correlation Id: 0efe31ab-738b-43bc-ade8-5bd6b4780206
Timestamp: 2018-06-01T06:59:41Z
Message: AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'abfa0a7c-a6b6-4736-8310-5855508787cd'.

If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

When I open the mobile service API for editing, it shows this error:

Sign in

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'abfa0a7c-a6b6-4736-8310-5855508787cd'.


Please reply.

Thanks


Azure domain, joining accounts getting stuck at login config after i've joined up to the "cloud domain"

So, I'm quite new to this and I hope I've asked this question in the right place, but tbh I am in a bit of deep water, so I guess it's a bit of a shot in the dark! I'm working at a small company that has earlier been using a normal server room with a normal server domain; my work really isn't that complicated. I remove the computer from the domain and then I put the computer into the Azure "cloud domain" or whatever you want to call it. My problem starts when I try to log in to the user's account: a configuration starts, called "configuring unit for workplace"; it's a 3-step process and it gets stuck on the third step, called "profile configuration". It says it's trying to identify "security principals", "certificates", "network connections" and "apps".

I'm sorry if it's all a bit vague; I can supply more information if needed. I thought that however this turns out it's worth a try!

Azure AD authentication only works in local environment

I've set up my Azure AD in the portal, and an App Service that uses the AD to authenticate, following instructions from Microsoft.

I've made a .NET Core app that uses this authorisation. It works on my localhost, but when I publish it I get this error:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '614f66a9-xxxx-483a-8bc7-xxxxxxx'

What should I change, and how come it works locally but not when published?
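
The three AADSTS50011 posts above (Jenkins on localhost:8080, the mobile service API, and the App Service that works locally but not once published) all come down to Azure AD's exact-match comparison of the redirect_uri in the sign-in request against the reply URLs registered on the application. As an added example (the editor's code, not from any of the posts or from Microsoft), the script below pulls redirect_uri out of the authorize request URL the browser was sent to, reports which component differs from each registered entry, and lints the registered list for entries a security review would reject. The request and registered list are constructed sample data; host names, client ID and paths are placeholders.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def requested_redirect_uri(authorize_url: str) -> str:
    """Pull redirect_uri out of the login.microsoftonline.com request the browser was sent to."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    if not values:
        raise ValueError("no redirect_uri in authorize request")
    return values[0]


def _components(uri: str) -> dict:
    """Split a reply URL into the pieces an exact match can trip over.
    Scheme and host are lowercased (the URL spec makes them case-insensitive);
    path, query and the trailing slash are kept exactly as written."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    return {
        "scheme": scheme,
        "host": (p.hostname or "").lower(),
        "port": p.port if p.port is not None else DEFAULT_PORTS.get(scheme),
        "path": p.path.rstrip("/"),
        "trailing_slash": p.path.endswith("/"),
        "query": p.query,
        "fragment": p.fragment,
    }


def diff_reply_url(requested: str, registered: str) -> list:
    """Names of the components that differ; an empty list is a match."""
    a, b = _components(requested), _components(registered)
    return [name for name in a if a[name] != b[name]]


def diagnose(authorize_url: str, registered_urls: list) -> dict:
    """Compare the requested redirect_uri with every registered reply URL and
    rank the near misses so the one-character fix is obvious."""
    requested = requested_redirect_uri(authorize_url)
    report = {"requested": requested, "match": None, "near_misses": []}
    for reg in registered_urls:
        differences = diff_reply_url(requested, reg)
        if not differences:
            report["match"] = reg
            return report
        report["near_misses"].append((reg, differences))
    report["near_misses"].sort(key=lambda item: len(item[1]))
    return report


def lint_registered(registered_urls: list) -> list:
    """Reply URLs a security review would push back on."""
    findings = []
    for reg in registered_urls:
        p = urlsplit(reg)
        host = (p.hostname or "").lower()
        if p.scheme.lower() == "http" and host not in ("localhost", "127.0.0.1"):
            findings.append((reg, "plain http off localhost: the authorization code travels in clear"))
        if "*" in reg:
            findings.append((reg, "wildcard: widens where codes can be redirected; register exact URLs"))
        if p.fragment:
            findings.append((reg, "fragment is never sent to the server, so it cannot be matched"))
    return findings


# Constructed sample: the published app sends a trailing slash that was never registered.
SAMPLE_AUTHORIZE_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2Fsignin-oidc%2F&scope=openid"
)
SAMPLE_REGISTERED = [
    "http://localhost:5000/signin-oidc",
    "https://myapp.azurewebsites.net/signin-oidc",
]

if __name__ == "__main__":
    report = diagnose(SAMPLE_AUTHORIZE_REQUEST, SAMPLE_REGISTERED)
    print("requested:", report["requested"])
    print("match:", report["match"])
    for reg, diffs in report["near_misses"]:
        print(f"  {reg}: differs in {', '.join(diffs)}")
    for reg, why in lint_registered(SAMPLE_REGISTERED):
        print(f"lint {reg}: {why}")
```

Fix the mismatch by registering the exact URL the deployed app sends (scheme, host, port, path and trailing slash included), not by loosening the registration. The "Sign in" error page only shows the application ID; the redirect_uri itself is in the address bar of the request that failed.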

Multi-Tenant App Registrations

I have been reading the documentation on authentication for multi-tenant applications https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview and had the following additional questions:

  1. In the multi-tenant scenario, is the customer admin not able to "add" the provider application by using the Non-Gallery option in Enterprise Apps? Or is the only way to have the customer admin do the initial consent?
  2. Once the customer has the app in their AAD, can it be added to the /myapps page for users in their directory?
  3. How is the multi-tenant scenario impacted by using B2B? When using B2B, when a customer account is invited an account gets created for them of type "Guest" in the inviting directory (where the app lives).  Can this "Guest" account be used to access the application via the registration that is in the directory hosting the application?
  4. What about the scenario where a Web App (UI) that is registered is accessing Function Apps? Do the Function Apps need to be registered as well?
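
Both the App Registrations question above (automating the per-customer registration) and question 1 of the multi-tenant post are usually answered the same way: register the application once, as multi-tenant, in the provider's own directory, and send the customer's admin through the admin consent endpoint, which creates the service principal in the customer's tenant without anyone creating a registration there. Added example (the editor's code, not Microsoft's and not from either post) showing the two ends of that handshake: building the consent link with a per-request state value, and validating the callback before trusting the tenant ID it carries. Client ID, redirect URI and scope are hypothetical placeholders; the endpoint path and the admin_consent/tenant/state callback parameters are the documented ones.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Unguessable per-request value; keep it server-side, tied to the admin's session."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Link the customer's global admin opens to grant the app to their whole tenant."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": scope, "state": state})
    return f"{AUTHORITY}/common/v2.0/adminconsent?{query}"


def validate_consent_callback(callback_url: str, expected_state: str,
                              expected_redirect_uri: str) -> dict:
    """Accept the redirect back from Azure AD only if it is a state-matching success.
    Anything else raises, so a forged or replayed callback cannot bind a foreign
    tenant ID to the logged-in user's record."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != expected_redirect_uri:
        raise ValueError("callback arrived at an unexpected URL")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # constant-time compare on bytes: non-ASCII input must not turn into a TypeError
    if not hmac.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch (CSRF or replay)")
    if "error" in q:
        raise ValueError(f"consent not granted: {q['error']}: {q.get('error_description', '')}")
    if q.get("admin_consent", "").lower() != "true":
        raise ValueError("admin_consent flag missing or not true")
    if not q.get("tenant"):
        raise ValueError("tenant missing from callback")
    return {"tenant": q["tenant"], "scope": q.get("scope", "")}


if __name__ == "__main__":
    # Hypothetical registration values, not a real app.
    client_id = "00000000-0000-0000-0000-000000000001"
    redirect_uri = "https://app.example/consent/callback"
    state = new_state()
    print(build_admin_consent_url(client_id, redirect_uri,
                                  "https://graph.microsoft.com/.default", state))
    # Constructed callback, as the customer's browser would deliver it after consent.
    callback = (f"{redirect_uri}?admin_consent=True&tenant=33333333-3333-3333-3333-333333333333"
                f"&state={state}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default")
    print(validate_consent_callback(callback, state, redirect_uri))
```

After validate_consent_callback returns, the tenant ID it carries is what you store and later use as the authority (https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token) for client-credential calls into that customer's data; a callback that fails the state check must not update any record.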

Change Azure AD (AAD) password policy for cloud only accounts?

From what I have been reading, you need an on-prem AD to make changes to the Azure AD default password policy. Essentially the current policy is pretty weak, allowing only an 8-16 character password, which I would like to change for my tenant. Is it possible to change the default policy (including length, history, filters, complexity)? I am not able to find an option except the expiration duration and notification.

Alex

Delete Connector from AD connect Sync configuration

Hi. In our environment, we have two on-premises domain (connector) configurations in AAD Connect syncing to the cloud domain for O365. Now I want to delete one of the on-premises domain connectors in AAD Connect sync, as no resources exist on it and it is going to be shut down.

Is there a procedural way to remove/delete the connector from the AAD Connect tool, and how do I take a backup in case any restoration is required?

 

Warm Regards, Hariprakash T

Get SSO Enabled Applications List

Dear All,

How can I get a list of SSO-enabled registered applications using PowerShell, with application owner details?

Need Your Help!

Thanks,

Shashidhar

AzureAD Join Hijacked Local Account?

I had a Windows 10 account that I logged in with using my hotmail e-mail address. Later on, I connected this account using AzureAD join. Now I login to this account using my work e-mail. Connecting to AzureAD join seems to have converted the local account into an AzureAD join account, but it still uses the local C:\Users\<hotmail account> folder.

I want to remove the work access and go back to the original account. I know that I can do this by disconnecting, but Windows warns me saying that if I disconnect, then I can no longer sign-in with the account.

I thought I would be able to login with my old hotmail account since it was the original sign-in. I tried signing in with my hotmail account, but it won't recognize the password even though it is correct.

What happens if I disconnect? Do I lose access to this account? Why won't Windows 10 recognize my hotmail account anymore? I can login to hotmail with web browsers, but not Windows 10.

This seems like a serious design flaw.

EDIT:

Well, I lost the account after disconnecting and providing an admin account. Thanks a lot, crappy Windows 10 and AzureAD. Now I have to manually copy over the contents of my old account into a new admin account. This is a pretty serious design flaw in my opinion. You should be able to disconnect from an AzureAD join and go back to the original sign-in. AzureAD should not be hijacking a local account.

Group owners cannot add and remove members from groups

Hi all

This may be an easy one, not sure. When we first set up our Office 365 tenant, if a user was set as the owner of a group in the 365 admin portal, they would then be able to add and remove members from that group. This is a very good feature if we have admins that we only want to be able to administer groups; they do have to be given an admin role to be able to get into the portal, i.e. password admin, but this is OK for what we are trying to achieve.

However, even if a user is an owner of a group, they get the message

"You need to have the global admin role or the Exchange admin role to edit this group. To get access, contact your global admin and ask them to assign you one of those roles."

Can anyone help me understand why this would have changed? Group owners were definitely able to manage membership of their groups a few weeks ago.

Thanks for your help
