I've been trying for a few weeks, still can't get my domain name verified with either TXT or MX records.
Any ideas on how I can begin to troubleshoot this? I've even switched registrars...
I've also tried deleting my domain name from Azure and re-adding it, using the newly generated MX/TXT records...
Is there a way to verify this domain isn't used elsewhere? O365 somehow? This is all via MSDN and I've done some tinkering in the past...
Thanks,
Greg
Windows10_Allow_Untrusted_MFA | Require multi-factor authentication |
Hello All,
I searched for how to add captcha in b2c sign up policy. but not able to find any article. could you please how to add captcha in b2c sign up policy? or is there any work around for this?
I am looking into implementing Azure AD B2C in my unity game application, to provide my users with identity manage between devices.
So far the documentation has lead me to this article, https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oauth-code as to my understanding I will have to use the http requests to connect the user to the AD b2c back
end. I'm aware applications of the this kind will probably use a web api and/or a database service on conjunction with ad b2c to manage user related data, however I'm not at that stage yet. The documentation of the https request protocol (to my current understanding)
doesn't list where to the communicate the users login credentials (username, password) via http and the other examples in ad b2c documentation assumes that you are in a certain environment that supports webview. Because I am working in a unity environment,
thats not really an option. I need to setup the user fields naively in the unity environment and somehow send those user credentials myself without relying on another library.
I do suspect I am misreading something however. Any advice or direction would be greatly appreciated.
Edit:
Do the limitations outlined in:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps
apply to the development of a unity game.
Hi,
I've joined my laptop to Azure AD (during Windows 10 first configuration) but I still have an OnPremise AD2k16 at work.
But now, I'm facing problems. My OnPremise GPO are not applied to this laptop. And I can't connect to the local AD using RDP because of NTLM (but it works on remote server in datacenter).
So, I tried to configure gpedit.msc to import my GPO using LocalGPO tool. it seems to be imported but not reflected.
Computer reboot didn't change anything.
Any idea about what to do ?
Thanks,
Vincent
I've created a Web App project in VS 2015 using default template. and hosted it in Azure. When I run that project it prompts me for the authentication and after hitting sign in button, it goes into infinite loop.
I've found this working couple of times. but most of the time it doesn't work. I put tracing in it keep executing "OpenIDConnectAuthentication" again and again and also, keep adding new entries in TokenCache database. Here is my code for configureAuth.
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
//
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
//
AuthorizationCodeReceived = (context) =>
{
Trace.TraceWarning("Authorization Code Received!");
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(authority, new ADALTokenCache(signedInUserID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
return Task.FromResult(0);
}
}
}
);
// This makes any middleware defined above this line run before the Authorization rule is applied in web.config
app.UseStageMarker(PipelineStage.Authenticate);
}and here is my AdalTokenCache Class:
public class ADALTokenCache : TokenCache
{
private ApplicationDbContext db = new ApplicationDbContext();
private string userId;
private UserTokenCache Cache;
public ADALTokenCache(string signedInUserId)
{
// associate the cache to the current user of the web app
userId = signedInUserId;
Trace.TraceWarning("Logged in User ID: " + userId);
this.AfterAccess = AfterAccessNotification;
this.BeforeAccess = BeforeAccessNotification;
this.BeforeWrite = BeforeWriteNotification;
// look up the entry in the database
Trace.TraceWarning("Total Cached Records " + db.UserTokenCacheList.Count().ToString());
Cache = db.UserTokenCacheList.FirstOrDefault(c => c.webUserUniqueId == userId);
// place the entry in memory
this.Deserialize((Cache == null) ? null : MachineKey.Unprotect(Cache.cacheBits,"ADALCache"));
}
// clean up the database
public override void Clear()
{
base.Clear();
var cacheEntry = db.UserTokenCacheList.FirstOrDefault(c => c.webUserUniqueId == userId);
db.UserTokenCacheList.Remove(cacheEntry);
db.SaveChanges();
}
// Notification raised before ADAL accesses the cache.
// This is your chance to update the in-memory copy from the DB, if the in-memory version is stale
void BeforeAccessNotification(TokenCacheNotificationArgs args)
{
if (Cache == null)
{
// first time access
Cache = db.UserTokenCacheList.FirstOrDefault(c => c.webUserUniqueId == userId);
}
else
{
// retrieve last write from the DB
var status = from e in db.UserTokenCacheList
where (e.webUserUniqueId == userId)
select new
{
LastWrite = e.LastWrite
};
// if the in-memory copy is older than the persistent copy
if (status.First().LastWrite > Cache.LastWrite)
{
// read from from storage, update in-memory copy
Cache = db.UserTokenCacheList.FirstOrDefault(c => c.webUserUniqueId == userId);
}
}
if (Cache == null)
Trace.TraceWarning("Cache is null");
else
Trace.TraceWarning("Cache is not null");
this.Deserialize((Cache == null) ? null : MachineKey.Unprotect(Cache.cacheBits, "ADALCache"));
}
// Notification raised after ADAL accessed the cache.
// If the HasStateChanged flag is set, ADAL changed the content of the cache
void AfterAccessNotification(TokenCacheNotificationArgs args)
{
Trace.TraceWarning("After Access Notification!");
try
{
// if state changed
if (this.HasStateChanged)
{
Trace.TraceWarning("1");
Cache = new UserTokenCache
{
webUserUniqueId = userId,
cacheBits = MachineKey.Protect(this.Serialize(), "ADALCache"),
LastWrite = DateTime.Now
};
Trace.TraceWarning("2");
// update the DB and the lastwrite
db.Entry(Cache).State = Cache.UserTokenCacheId == 0 ? EntityState.Added : EntityState.Modified;
Trace.TraceWarning("3");
Trace.TraceWarning("User Token Cache ID:" + Cache.UserTokenCacheId.ToString());
db.SaveChanges();
Trace.TraceWarning("4");
this.HasStateChanged = false;
}
else
Trace.TraceWarning("Cache State not changed");
}
catch (Exception ex)
{
Trace.TraceWarning("Error in After Access Notification: " + ex.Message + "\n" + ex.StackTrace);
}
}
void BeforeWriteNotification(TokenCacheNotificationArgs args)
{
// if you want to ensure that no concurrent write take place, use this notification to place a lock on the entry
}
public override void DeleteItem(TokenCacheItem item)
{
base.DeleteItem(item);
}
}How can I troubleshoot to find out what is that making Authentication to go in infinite loop ?
Thanks,
Himal
Himal Patel
Sorry! You do not have access to this page.
Why i can't access this page even though I have global administrator permission? Do I need to add other permissions somewhere?
Hello,
We have a app registration who's Key is about to expire or the Duration is about to end.
As per this document:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#get-application-id-and-authentication-key
Does the part of Get application ID and authentication key
on step 4 and 5 the adding of additional key does resolves the issue or we are really renewing the key? Does this automatically renews the key having it there then just delete the old key?
Thanks!
Gen
Hi All,
Is there any way to authenticate Power-BI On-Perm Report Server using Azure AD accounts?
performed in place upgrade of Azure AD Connect to 1.1.561.0
Export stage of synchronization is throwing an error on 400+ user objects.
Status: Completed - export errors
Permission Issue - Export tab shows error 8344 - Insufficient access rights to perform the operation.
Azure AD “Enterprise Applications” User consent access tenant data
For Azure AD “Enterprise Applications”, is it possible to set “User can consent to apps accessing company data on their behalf” just for an app or does this have to be done for all apps in the tenant?
I am not the admin for my tenant but am registered user in my tenant.
The application is an existing application and has been registered in the developer’s tenant as a multi tenant application. I am trying to get it to work in my tenant.
This application requires the following scopes:
files.readwrite
files.readwrite.all
offline_access
I got the admin for my tenant to create a “service principal” in my tenant for this app by:
How can I set “User can consent to apps accessing company data on their behalf” just for an app in Azure AD Admin Center?
[Also posted to TechNet forum Microsoft Online: Administration Center]
I am using Android version 4.3 for testing and am using paid AzureAD acct.
The code below allows me to get Sign in Page for entering email Address
The problem :
After enter email addr and hit next button:
- I got the "Web page Not available" instead Sign in with your organization acct.
What the problem?
ADAL does not support lower Android version?
var data = await DependencyService.Get<IAuthenticator>()
.Authenticate(App.tenanturl, App.GraphResourceUri, App.ApplicationID, App.ReturnUri);
Please help.
Thanks
I have a proxy-server connected to the internet, as well as several DC's with the DCAgent running.
When I run Get-AzureADPasswordProtectionDCAgent, all my DC's report PasswordPolicyDateUTC : 01.01.0001 00.00.00.
Looking at logs, I've narrowed it down to Event ID 20001 in the Microsoft-AzureADPasswordProtection-ProxyService/Operational log.
<event>
The Azure AD Password Protection Proxy service attempted to forward a message to Azure on behalf of the calling domain controller but received an http failure.
Http failure code: 400
Elapsed time(msec): 1563
Endpoint: https://enterpriseregistration.windows.net/aadpasswordpolicy<snip>/sendreceive?api-version=1.0&traceid=<snip>
This error may be expected if network connectivity to Azure is unreliable. Please ensure that this machine has network connectivity to Azure.
Additional information may be available at https://aka.ms/AzureADPasswordProtection
</event>
The proxy server has internet access.
Running Invoke-WebRequest on the offending URL, I get the following
Invoke-WebRequest : {"Message":"The request failed with status
BadRequest (400). No API matching request was found, verify URL and
parameters are correct"<snip>}The only thing I can think may be the reason, is the fact that I accidentally ran Register-AzureADPasswordProtectionForest before Register-AzureADPasswordProtectionProxy, though I doubt that's the case.
Please advice. Next step for me is running the cleanup-procedure and attempt a reinstall.
Hi,
We are developing the solution in which we want to integrate Skype for Business into our application. We have Office subscription. I was going through your docs and came to know that it is possible through Azure AD. But the challenge we have is, to sign in the user to Azure AD from backend (which means we don't want the user to sign in from Microsoft sign-in page). Is it possible? If yes, how?
The motive is that the user should not left the dashboard (our web application) and use all the services (including Skype for Business)
Hi!
I've just enabled device writeback feature on Azure AD Connect, but devices which joining to On-Premise domain are now not replicated to Azure AD.
I checked Sync Service Manager and it only shows "Projections: 1" and "Connectors with Flow Updates: 1" with a new device. No "Adds" or whatsoever. Containers are checked and it worked before...
Does anyone know what could go wrong?
Afternoon All,
Just wanted to confirm, when AAD Connect (Default Config) Matches (mail Attrib) an object is the memberof attribute additive or replaced based on precedence? For example:
Forest A
Mail Contact MemberOf -eq DL_FORESTA
Forest B
User Mailbox MemberOf -eq DL_FORESTB
AZURE AD
User Mailbox MemberOf -eq DL_FORESTA;DL_FORESTB
or
User Mailbox MemberOf -eq DL_FORESTB
Hi,
In our AD we store DLs and Security groups in the same OU.
When we migrated to o365 we didn't configure AD connect to sync our groups OUs and created all the DLs on o365 manually.
Now we want to sync our groups OUs because we need the security groups, so my question here - if Im syncing the whole OU (contains existing DLs) what will happen? duplictions? or because the DLs have the same address i will get an error? the non exist groups will sync or the whole operation will fail?
Thanks for the help.