Channel: Azure Active Directory forum

Azure AD Password Protection Policy Proxy fails to fetch Password Policies


I have a proxy server connected to the internet, as well as several DCs with the DCAgent running.
When I run Get-AzureADPasswordProtectionDCAgent, all my DCs report PasswordPolicyDateUTC : 01.01.0001 00.00.00.

Looking at logs, I've narrowed it down to Event ID 20001 in the Microsoft-AzureADPasswordProtection-ProxyService/Operational log.
<event>
The Azure AD Password Protection Proxy service attempted to forward a message to Azure on behalf of the calling domain controller but received an http failure.
Http failure code: 400
Elapsed time(msec): 1563
Endpoint: https://enterpriseregistration.windows.net/aadpasswordpolicy<snip>/sendreceive?api-version=1.0&traceid=<snip>

This error may be expected if network connectivity to Azure is unreliable. Please ensure that this machine has network connectivity to Azure.

Additional information may be available at https://aka.ms/AzureADPasswordProtection
</event>

The proxy server has internet access.

Running Invoke-WebRequest on the offending URL, I get the following

Invoke-WebRequest : {"Message":"The request failed with status 
BadRequest (400). No API matching request was found, verify URL and 
parameters are correct"<snip>}

The only thing I can think may be the reason, is the fact that I accidentally ran Register-AzureADPasswordProtectionForest before Register-AzureADPasswordProtectionProxy, though I doubt that's the case.

Please advise. My next step is running the cleanup procedure and attempting a reinstall.
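A triage script for the proxy-side event quoted in this post, added here as an example; it is not part of the original post. It reads Event ID 20001 from the Microsoft-AzureADPasswordProtection-ProxyService/Operational log named above, pulls the status code, elapsed time and endpoint host out of the free-text message, and separates service rejections (4xx, such as the 400 reported here) from transport or server-side failures. The sample event text is constructed from the wording in the post so the parser can be exercised without a proxy server at hand; the `<snip>` placeholders are kept as they appear in the post.

```powershell
# Added example (not from the original post). Parses Azure AD Password
# Protection proxy forward-failure events (Event ID 20001) and classifies the
# HTTP status, so a persistent 400 is not mistaken for flaky networking.

function ConvertFrom-ProxyForwardFailure {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # The event body is free text; pull out the three fields worth triaging.
        $code     = if ($Message -match 'Http failure code:\s*(\d+)')     { [int]$Matches[1] } else { $null }
        $elapsed  = if ($Message -match 'Elapsed time\(msec\):\s*(\d+)') { [int]$Matches[1] } else { $null }
        $endpoint = if ($Message -match 'Endpoint:\s*(\S+)')              { $Matches[1] }      else { $null }

        # Keep only the host part: tenant and trace IDs do not belong in a
        # report, and the host is what a misrouted proxy would change.
        $targetHost = if ($endpoint -match '^https?://([^/]+)') { $Matches[1] } else { $null }

        # 5xx (or no status at all) is something Azure or the path to it did.
        # A 4xx means Azure answered and rejected the request, which points at
        # registration, tenant or URL problems rather than connectivity.
        $category = if ($null -eq $code)   { 'NoHttpStatus' }
                    elseif ($code -ge 500) { 'ServerOrTransient' }
                    elseif ($code -ge 400) { 'RejectedByService' }
                    else                   { 'Other' }

        [pscustomobject]@{
            HttpCode  = $code
            ElapsedMs = $elapsed
            Host      = $targetHost
            Category  = $category
        }
    }
}

function Get-ProxyForwardFailure {
    # Live query against the log named in the post; run this on the proxy server.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-AzureADPasswordProtection-ProxyService/Operational'
        Id        = 20001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction Stop | ForEach-Object Message | ConvertFrom-ProxyForwardFailure
}

# Constructed sample, taken from the wording of the event in the post, so the
# parser can be exercised offline.
$sampleEvent = @'
The Azure AD Password Protection Proxy service attempted to forward a message to Azure on behalf of the calling domain controller but received an http failure.
Http failure code: 400
Elapsed time(msec): 1563
Endpoint: https://enterpriseregistration.windows.net/aadpasswordpolicy<snip>/sendreceive?api-version=1.0&traceid=<snip>
'@

# Many identical RejectedByService rows against one host is the signature of a
# configuration problem; a mix of 5xx and timeouts would look like networking.
$sampleEvent, $sampleEvent |
    ConvertFrom-ProxyForwardFailure |
    Group-Object Category, HttpCode, Host |
    Select-Object Count, Name
```

On a real proxy, replace the sample pipeline with `Get-ProxyForwardFailure -Hours 24 | Group-Object Category, HttpCode, Host`. The grouping is the point: the event text blames network connectivity, but a steady run of the same 4xx from a host that is reachable is a request the service understood and rejected, which is where registration order and proxy registration state belong in the investigation.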



How to change the country/region of an Azure Active Directory directory/tenant


Some back-story is needed here:

We are working remotely in South Africa for a startup business that is registered in the USA and has US-based bank accounts, etc. Central to this is using Azure services and PowerBI reporting. During the initial prototyping phase, the PowerBI account was created BEFORE the Azure account was (and this was before the company was registered) and it was created with the country set to South Africa.

Once the company was registered, its own Azure account & subscription was created, with region set to USA. However the PowerBI/Office365 Organisation that is linked to the Azure account is still set to South Africa. I've reached out to PowerBI support who passed me on to Office365 support who then kind of dropped me... the only resolution given is that I need to delete the Organisation but no-one seems to know how this is done. All resources, etc that have been sent to me are for updating/deleting Subscriptions or datacenter locations.

Something that did come up was this uservoice link (which doesn't help in short-term but does indicate that there's a problem!): https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/11214702-add-ability-to-change-country

Unfortunately I'm no expert on AAD but my understanding is that the Office365 Organisation comes from the AAD tenant that is linked to the Azure subscription. Hence, the issue should be fixable via the Active Directory admin panel within Azure?

In summary:
Azure account/subscription: USA
Azure AD: South Africa -> needs to be USA
PowerBI: (Organisation) South Africa -> needs to be USA

Screenshot of what I'm referring to:

What I need to know is:

  • Is it possible to change the country of an AD tenant?
  • If not, can I delete this AAD entirely (from the Azure panel) and then re-create by signing up at powerbi.microsoft.com again?

We're open to deleting the entire Office365 organisation and starting again as the only Office365 service that is in use is PowerBI.

Any help/tips would be appreciated!

Thanks,
Richard

How do I add more apps to the Azure AD, Conditional Access list of apps?


Hi All,

How do I add more apps to the Azure AD Conditional Access list of apps? Where does this list of apps come from, and can I add additional apps? These are cloud apps that I can restrict or give permission to users in our network.

I hope you can help
Colin


Azure AD Sign-Ins download capped at 5,000 entries


I try to do a quick search through the Sign-Ins report to make sure there's nothing suspicious, since Conditional Access fails to stop things it's supposed to 95% of the time. The Sign-Ins download only gets 5,000 entries. That means I can only download about 2 hours of Sign-Ins.

Has anyone found a way around this?
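One way around the portal's 5,000-row export, added here as an example and not part of the original post: read the sign-ins through the Microsoft Graph auditLogs/signIns endpoint, which pages its results and returns an `@odata.nextLink` until the set is exhausted. The example assumes the caller already holds a bearer token with the AuditLog.Read.All permission; the HTTP call is injectable, so the paging and triage logic below is exercised offline against constructed pages shaped like Graph responses. The sign-in field names used (status.errorCode, conditionalAccessStatus, userPrincipalName, appDisplayName, ipAddress) are those of the Graph signIn resource.

```powershell
# Added example (not from the original post). Pages through Graph sign-ins
# beyond the portal's 5,000-row export and flags successful sign-ins that no
# Conditional Access policy covered, which is the gap the post is worried about.

function Get-AllSignIn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccessToken,       # bearer token, AuditLog.Read.All assumed
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Replaced in offline tests; defaults to a real Graph call.
        [scriptblock]$Invoke = { param($Uri, $Headers) Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get }
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $utc     = $Since.ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss\Z')
    $filter  = [uri]::EscapeDataString("createdDateTime ge $utc")
    $uri     = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=$filter"
    $pages   = 0
    while ($uri) {
        $page = & $Invoke $uri $headers
        $pages++
        $page.value                      # emit this page's sign-ins
        $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
    Write-Verbose "Fetched $pages page(s)"
}

function Find-UnpolicedSignIn {
    # A successful sign-in with conditionalAccessStatus 'notApplied' means no
    # policy was evaluated for it at all: exactly the case a block policy
    # that "fails to stop things" would produce.
    param([Parameter(ValueFromPipeline)]$SignIn)
    process {
        if ($SignIn.status.errorCode -eq 0 -and $SignIn.conditionalAccessStatus -eq 'notApplied') {
            [pscustomobject]@{
                User = $SignIn.userPrincipalName
                App  = $SignIn.appDisplayName
                IP   = $SignIn.ipAddress
                When = $SignIn.createdDateTime
            }
        }
    }
}

# --- Constructed sample: two pages shaped like Graph responses, no network ---
function New-SampleSignIn($upn, $app, $ip, $ca, $err) {
    [pscustomobject]@{
        userPrincipalName = $upn; appDisplayName = $app; ipAddress = $ip
        conditionalAccessStatus = $ca; createdDateTime = '2018-06-01T10:00:00Z'
        status = [pscustomobject]@{ errorCode = $err }
    }
}
$samplePages = @{
    first = [pscustomobject]@{
        value = @(
            (New-SampleSignIn 'alice@example.com' 'Office 365' '203.0.113.10' 'success'    0)
            (New-SampleSignIn 'bob@example.com'   'Legacy App' '198.51.100.7' 'notApplied' 0)
        )
        '@odata.nextLink' = 'second'
    }
    second = [pscustomobject]@{
        value = @(
            (New-SampleSignIn 'carol@example.com' 'Office 365' '203.0.113.11' 'failure' 53003)
        )
    }
}
# The stub answers the first (real-looking) URL with page one, then follows the links.
$stub = { param($Uri, $Headers) if ($samplePages.ContainsKey($Uri)) { $samplePages[$Uri] } else { $samplePages['first'] } }

Get-AllSignIn -AccessToken 'dummy' -Invoke $stub | Find-UnpolicedSignIn
```

Against the constructed pages the pipeline walks both pages and reports the one successful sign-in for which no policy was applied. With a real token, drop `-Invoke $stub` and the same code pages through the live tenant; widen or narrow `-Since` instead of fighting the export limit. The AzureADPreview module's `Get-AzureADAuditSignInLogs -All $true` reaches the same data if that module version is available to you.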

Azure Passthrough Agent install failed - switching from password hash to pass-through authentication


Hello,

My organization is using Azure AD Connect to sync our on prem AD accounts with our Office 365 mailboxes. We are currently using password hash authentication and would like to switch to pass-through authentication, but the installation of the Authentication Agent fails. I have also tried installing on a different server (in staging mode) and get the same results.

Near the end of the log file I see some errors, but I don't know what's causing them. I have gone through the info about firewall issues and I tried the port test at aadap-portcheck.connectorporttest.msappproxy.net and get all green checks. No other firewall blocks that I am aware of. Here is the relevant portion of the error log:

[15:59:49.215] [  9] [VERB ] Executing task Check Pre-requisities for configuring pass-through authentication
AzureADConnect.exe Error: 0 : Port check for the endpoint: 'https://registration.msappproxy.net/' failed with exception 'System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'registration.msappproxy.net'
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthUtility.<IsHttpEndPointAccessibleAsync>d__6.MoveNext()'
[15:59:56.657] [ 14] [INFO ] Task 'Check Pre-requisities for configuring pass-through authentication' has finished execution
[15:59:56.661] [  9] [INFO ] Task 'Check Pre-requisities for configuring pass-through authentication' finished successfully
[15:59:56.661] [  9] [VERB ] Executing task Install Azure AD Passthrough authentication Connector
[15:59:56.664] [ 20] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[15:59:56.665] [ 20] [VERB ] Getting list of installed packages by upgrade code
[15:59:56.665] [ 20] [INFO ] GetInstalledPackagesByUpgradeCode {0c06f9df-c56b-42c4-a41b-f5f64d01a35c}: no registered products found.
[15:59:56.665] [ 20] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (0c06f9df-c56b-42c4-a41b-f5f64d01a35c)
[15:59:56.665] [ 20] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[16:00:07.243] [ 20] [ERROR] Error installing the connector : System.Runtime.InteropServices.COMException (0x80070643): Fatal error during installation. (Exception from HRESULT: 0x80070643)
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Online.Deployment.Framework.Providers.ProcessProvider.Execute(String domain, String username, SecureString password, String filename, String arguments, TimeSpan timeout, Boolean waitForAllInstance, Int32[] allowedExitCodes)
   at Microsoft.Online.Deployment.Framework.Providers.ProcessProvider.Execute(String filename, String arguments, TimeSpan timeout, Int32[] allowedExitCodes)
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.InstallAADConnectAgent`1.Execute()
[16:00:07.244] [ 20] [INFO ] Task 'Install Azure AD Passthrough authentication Connector' has finished execution
[16:00:07.246] [  9] [ERROR] Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Fatal error during installation. (Exception from HRESULT: 0x80070643)
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.InstallAADConnectAgent`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
Exception Data (Raw): Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskException: The task 'Install Azure AD Passthrough authentication Connector' has failed. ---> Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Fatal error during installation. (Exception from HRESULT: 0x80070643)
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.InstallAADConnectAgent`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
   --- End of inner exception stack trace ---
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskGroup.CheckTaskCompletion(Int32 currentTaskIndex)
[16:00:07.247] [  9] [VERB ] Cleanup: Starting cleanup for task 'Install Azure AD Passthrough authentication Connector'
[16:00:07.248] [  9] [VERB ] Task 'Install Azure AD Passthrough authentication Connector': No cleanup defined
[16:00:07.249] [  9] [VERB ] Marking task 'Configure Azure AD Passthrough Authentication Connector' as Skipped
[16:00:07.250] [  9] [VERB ] Rolling back task Check Pre-requisities for configuring pass-through authentication
[16:00:07.250] [  9] [VERB ] Task 'Check Pre-requisities for configuring pass-through authentication': No rollback defined
[16:00:07.250] [  9] [INFO ] Task 'Deploy Microsoft Azure AD Connect Authentication Agent' has finished execution
[16:00:07.251] [ 11] [ERROR] Task failed without an exception
[16:00:07.251] [ 11] [VERB ] Cleanup: Starting cleanup for task 'Deploy Microsoft Azure AD Connect Authentication Agent'
[16:00:07.251] [ 11] [VERB ] Task 'Deploy Microsoft Azure AD Connect Authentication Agent': No cleanup defined
[16:00:07.251] [ 11] [VERB ] Marking task 'Configure Passthrough Authentication' as Skipped
[16:00:07.251] [ 11] [VERB ] Marking task 'Setting DesktopSso enablement' as Skipped
[16:00:07.251] [ 11] [INFO ] Task 'Change Sign-In Method' has finished execution
[16:00:07.286] [  4] [ERROR] Fatal error during installation. (Exception from HRESULT: 0x80070643)
Exception Data (Raw): Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Fatal error during installation. (Exception from HRESULT: 0x80070643)
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.InstallAADConnectAgent`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
[16:00:07.292] [  4] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[16:00:07.292] [  4] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[16:00:07.294] [  4] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[16:00:07.296] [  4] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[16:00:07.360] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[16:00:07.360] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[16:00:07.362] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[16:18:10.293] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180531-155309.log

Thanks for assistance.
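A by-hand version of the wizard's prerequisite check, added here as an example and not part of the original post. Two things in the posted log motivate it: the port check reports "The remote name could not be resolved: 'registration.msappproxy.net'", and the same task is then marked "finished successfully" before the MSI install fails with 0x80070643, so the wizard's verdict on prerequisites cannot be trusted on its own. Only registration.msappproxy.net appears in the post; the other two hostnames are assumptions about what the agent also needs and should be checked against the current pass-through authentication prerequisites. This check needs network access by nature and is meant to be run on the server where the agent install fails.

```powershell
# Added example (not from the original post). Resolves and TCP-checks the
# endpoints the pass-through authentication agent needs, from the server
# itself, and shows the service-level proxy setting next to the results.

function Test-PtaEndpoint {
    [CmdletBinding()]
    param(
        [string[]]$HostName = @(
            'registration.msappproxy.net',   # from the posted log
            'login.windows.net',             # assumption
            'login.microsoftonline.com'      # assumption
        )
    )
    foreach ($name in $HostName) {
        # DNS first: the posted failure is a name-resolution failure, which a
        # port-check web page run from a browser would never see.
        $dns       = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
        $addresses = @($dns | Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
        $tcp       = $null
        if ($addresses.Count -gt 0) {
            # Direct TCP/443 from this host. A proxy that only the browser
            # knows about does not help a Windows service.
            $tcp = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
        }
        [pscustomobject]@{
            Host      = $name
            Resolves  = ($addresses.Count -gt 0)
            Addresses = ($addresses -join ', ')
            Tcp443    = if ($tcp) { $tcp.TcpTestSucceeded } else { $false }
        }
    }
}

Test-PtaEndpoint | Format-Table -AutoSize

# Services use the WinHTTP proxy, not the user's Internet Options; if egress
# goes through a proxy, this is where the agent would have to learn about it.
netsh winhttp show proxy
```

A row with Resolves false reproduces the exact exception in the log and points at the server's DNS configuration (forwarders, split-horizon zones, or a resolver that cannot see the internet) rather than at firewall ports. A row that resolves but fails Tcp443 is the firewall case the port-check page is meant to catch.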

Domain Joined device is not synced to Azure after enabling device writeback


Hi!

I've just enabled the device writeback feature on Azure AD Connect, but devices which are joined to the on-premises domain are now not replicated to Azure AD.

I checked Sync Service Manager and it only shows "Projections: 1" and "Connectors with Flow Updates: 1" with a new device. No "Adds" or whatsoever. Containers are checked and it worked before...

Does anyone know what could go wrong?

Cannot connect with Powershell script to Azure


Hello guys,

I am using a PowerShell 5 script to log in to Azure with the command "Connect-AzureRmAccount". This command works fine with the user prompt, but I want to automate this login:

$user = "my.user@mycompany.com"
# Password literal in the script: anyone who can read the script can read the password.
$password = ConvertTo-SecureString -String "password" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $password
Connect-AzureRmAccount -Credential $credential

I get the following error:

AADSTS50034: To sign into this application the account must be added to the ... directory


What does this mean? I can perform the login with a user prompt, but I don't want this prompt.
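An unattended sign-in pattern that avoids the password literal in the script above, added here as an example and not part of the original post. It uses a service principal (an app registration with a client secret) instead of a user account, passes the tenant explicitly with -TenantId so the sign-in is aimed at one directory rather than whichever directory the account is resolved to, and stores the secret once with Export-Clixml, which on Windows PowerShell protects the SecureString with DPAPI for the saving user on the saving machine. The file path, application ID and tenant ID are placeholders.

```powershell
# Added example (not from the original post). Unattended Connect-AzureRmAccount
# with a service principal and a DPAPI-protected stored credential.

function Save-AutomationCredential {
    # Run once, interactively, AS THE ACCOUNT that will later run the job:
    # DPAPI ties the file to that user and machine, so a copy is useless elsewhere.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ApplicationId   # the app registration's client ID
    )
    Get-Credential -UserName $ApplicationId -Message 'Service principal client secret' |
        Export-Clixml -Path $Path
}

function Connect-AzureRmUnattended {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$TenantId        # directory the app is registered in
    )
    $cred = Import-Clixml -Path $Path
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path does not contain a PSCredential"
    }
    # -ServicePrincipal: no user account, so no interactive or MFA prompt.
    # -TenantId: the sign-in goes to this directory explicitly instead of
    #            relying on the account's home tenant being the right one.
    Connect-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $TenantId -ErrorAction Stop
}

# One-time setup (interactive), placeholder path and IDs:
#   Save-AutomationCredential -Path "$env:ProgramData\jobs\azure-sp.xml" -ApplicationId '<app id>'
# In the scheduled job, running as the same account:
#   Connect-AzureRmUnattended -Path "$env:ProgramData\jobs\azure-sp.xml" -TenantId '<tenant id>'
```

The DPAPI protection applies only to Windows PowerShell on Windows; on other platforms Export-Clixml does not protect the secret, and a proper secret store (or a managed identity where the job runs in Azure) is the alternative. Grant the service principal only the role the job needs, on the narrowest scope that works.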

Conditional Access App Exception Not Working


I have 2 conditional access policies:

  1. Policy 1
    1. Assignments:
      1. Users: me only
      2. Cloud Apps: MyApp
      3. Location: Any location except trusted locations (IOW, external locations)
    2. Access controls:
      1. Grant with MFA
  2. Policy 2
    1. Assignments:
      1. Users: me only
      2. Cloud Apps: All apps EXCEPT MyApp
      3. Location: Any location except trusted locations (IOW, external locations)
    2. Access controls:
      1. Block

I would expect this combination to block all apps except MyApp and when using MyApp, it should ask for MFA. What actually happens is that it blocks ALL apps. IOW, the app exception in policy 2 is completely ignored. If I disable policy 2, then, as expected, I am prompted for MFA when using MyApp. So, Policy 1 is correct and working.

It appears that there's a bug in Conditional Access whereby application exceptions are ignored.


Exclude openid connect app from conditional access


Hi

We're using Azure OpenID Connect to allow our users to sign in to our SaaS with their Microsoft account. Recently we got a customer that uses Conditional Access policies to control which services their employees can access with their Microsoft login. When they try to sign in to our application, they're met with a screen saying "You can't get there from here". We've tried excluding our application from the policy by selecting "cloud apps -> exclude" and selecting our application, which does not work.

Strangely enough, it works if we allow all applications but specifically block ours (it works, in this instance, meaning our application is the only one blocked).

I haven't really been able to find much documentation about handling conditional access policies from a developers standpoint, except this https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-conditional-access-developer which I'm not really sure applies here. We do request the user.read scope, which I believe is a graph api scope, but I can't really see a way to handle an extra challenge, and besides, we're never getting the response callback, so I'm not sure how we should handle it.

Does anyone have any experience with this, or am I missing some documentation somewhere?

change configuration Azure ad connect


Hello everyone. Two years ago I configured Azure AD Connect to synchronize users from AD to Office 365. This year I upgraded my O365 license and now I have Azure Active Directory Premium P2. I would like to configure a few things and check whether it's simple or not.

I would like to enable Password Writeback. Is it easy and safe to change that feature? What do I need to check before?


want to use Azure AD with UNIX attributes


We would like to start using the Azure AD service for Linux machine authentication. However, it is not so clear from the documentation what the process is and what the LDAP/LDAPS capabilities are. We would like to use it with UNIX attributes, as if we were using an OpenLDAP server, or as if we had some Windows Server X. Is this possible with the Azure AD service? We would not want to install some special authentication client, but to use the default one provided with RHEL/CentOS 7 to connect to an OpenLDAP server. Is it possible?

Azure Active Directory Connect for Windows 10


Hi 

I'm working towards 70-346 and trying to connect to Azure AD with a windows 10 machine in order to use PowerShell with my 365 account.

Each link for Azure AD connect is for servers only.  Is there a version for Windows 10?

Upgraded Azure AD Connect - now getting 8344 errors on Export of local directory


Performed an in-place upgrade of Azure AD Connect to 1.1.561.0.

Export stage of synchronization is throwing an error on 400+ user objects.

Status: Completed - export errors

Permission Issue - Export tab shows error 8344 - Insufficient access rights to perform the operation.

Move AD OU to Azure, leaving rest of Forest on-prem


Good day! As instructed by the Azure Support Twitter account, I am posting my question in this venue.

The organization where I am currently employed is in the process of experimenting with Azure solutions. My site is a division within this organization that handles the financial services aspects for the sales company. We are considerably leaner than the rest of the organization, making us an ideal candidate for testing solutions and proofs of concept.

One solution that has significant appetite from management is the mobility and freedom offered by Azure Active Directory. Currently, our solution for connecting users outside of the facility to data is VPN. This is fit for use for now, but it is showing an increasing lack of resilience to load. To that end, we would like to migrate our site's OU within the global Active Directory Forest to Azure Active Directory, leaving the rest of the Forest on-prem.

Is this possible, or does Root of the Forest need to move to Azure for it to work? Thank you very much for any information you can provide!

Failed to get user roles from ADGraph

In some tenants we're getting the following error for requests to "https://graph.windows.net/tenantId/activities":
"code":"FailedToGetUserRolesFromADGraph","message":"Failed to get user roles from ADGraph"

Only with our CSP delegated admin; if we use a global admin account of those tenants, it works.
Even in portal.azure.com we're receiving an error ("not found") when opening "https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Audit" or "https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview"
with our delegated access.

Does anyone know what is wrong?
We've found two Tenants so far with this error.

MFA for Azure Users


Hi

we are planning to use NPS and MFA connector for remote desktop services on the local server.

I wanted to know if we could turn on MFA just for accessing the Remote gateway server or does it have to be turned on for outlook clients and OWA straight away.

thank you.

Mahesh

AzureAD Join Hijacked Local Account?


I had a Windows 10 account that I logged in with using my hotmail e-mail address. Later on, I connected this account using AzureAD join. Now I login to this account using my work e-mail. Connecting to AzureAD join seems to have converted the local account into an AzureAD join account, but it still uses the local C:\Users\<hotmail account> folder.

I want to remove the work access and go back to the original account. I know that I can do this by disconnecting, but Windows warns me saying that if I disconnect, then I can no longer sign-in with the account.

I thought I would be able to login with my old hotmail account since it was the original sign-in. I tried signing in with my hotmail account, but it won't recognize the password even though it is correct.

What happens if I disconnect? Do I lose access to this account? Why won't Windows 10 recognize my hotmail account anymore? I can login to hotmail with web browsers, but not Windows 10.

This seems like a serious design flaw.

EDIT:

Well, I lost the account after disconnecting and providing an admin account. Thanks a lot, crappy Windows 10 and AzureAD. Now I have to manually copy over the contents of my old account into a new admin account. This is a pretty serious design flaw in my opinion. You should be able to disconnect from an AzureAD join and go back to the original sign-in. AzureAD should not be hijacking a local account.

Group Policy features greyed out in Azure AD DS

I currently have a customer that already has devices and users connected to Azure AD, and I have now just created the Azure AD Domain Services feature. I created a member server that I joined to this domain successfully, and also added the RSAT and Group Policy Management roles. I am able to access these features, but I noticed I am not able to create or modify any group policies. Is this a limitation, and do I have to use another feature? Or do I need to build my own AD DS server and then be able to manage them? Also, if I do that, can I move my current user devices from the AADDC Computers container?

Azure user provisioning mapping missed for email alias


While doing Azure G Suite user provisioning, I need to assign an email alias to my G Suite accounts. But I couldn't find a google_apps mapping for this.

And seems that other attributes such as street, department etc do not work

Please write down step-by-step instructions to make it work

Unable to verify domain


During the Azure AD process: Trying to add custom domain.  MX record exists and verified through dnsstuff.com. Still getting message Unable to verify domain name. 

During my Twitter conversation, it appears that possibly the domain was already verified with another account.  Need to know how to resolve this.
