Channel: Azure Active Directory forum

Multi-Tenant App Registrations

I have been reading the documentation on authentication for multi-tenant applications https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview and had the following additional questions:

  1. In the multi-tenant scenario, is the customer admin not able to "add" the provider application by using the Non-Gallery option in Enterprise Apps? Or is the only way to have the custom admin do the initial consent?
  2. Once the customer has the app in their AAD, can it be added to the /myapps page for users in their directory?
  3. How is the multi-tenant scenario impacted by using B2B? When using B2B, when a customer account is invited an account gets created for them of type "Guest" in the inviting directory (where the app lives).  Can this "Guest" account be used to access the application via the registration that is in the directory hosting the application?
  4. What about the scenario where a Web App (UI) that is registered is accessing Function Apps? Do the Function Apps need to be registered as well?

MePlusDeviceService down?

Hi,

Does anyone promote MePlusDeviceService for end users?

https://byodtestservice.azurewebsites.net

Why do you need this service?

For example, if you try to install Intune Company Portal on a phone,
you may get this message because you reached the maximum number of 20 devices:
"Device Limit Reached you have reached maximum devices registered"

This service was OK in 2016, but today I just get an error message:

Server Error in '/' Application.

Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Seamless single sign-on.

Hello everyone. I already have Microsoft Azure Active Directory enabled and sync all users from AD to Azure. How do I enable Seamless single sign-on?

I would like users, after joining our domain, to be able to open the browser without typing a password. If I join with an Azure account I can open the Office portal with a password, but if the machine is connected to our system I cannot.

Pass through Local ad and Azure

Hello Everyone, 

A few years ago I configured Exchange in hybrid mode with O365. Today I have a bulk of computers in our local domain which need to access O365 SharePoint; every time they need to access it, it asks for the password. I would like to pass through my local domain authentication for O365 so that users don't need to type the password. How can I do that?

Thank you

Logout from different applications signed in with the same Azure AD user

Hi Everyone,

I have two different applications connecting with 2 different Azure ADs but the user of a single AD is present in other AD as a guest user. Both the applications use Azure Authentication and my motive is to integrate both the applications and give the end user an experience of working in a single application.

When a user authenticates into the first application, he is not required to sign in again for the second application.

My issue is that if the user logged out from the first application, he still remains signed-in on the second. 

For example, if I logged in to the Azure portal using my credentials, and want to access the Power BI portal at the same time, I do not have to re-enter my password working on the same browser. But if I signed out from Azure portal, I remained signed-in to Power BI portal until I manually signed out.

For my applications, I want the user experience to be like in G Suite. If I log in to my Gmail account, I can access Google Drive with no need to sign in again, and if I log out from Gmail, I am logged out from Google Drive too, and vice versa.

Please suggest if there is a way to implement the same functionality for my applications using Azure AD authentication. 

delegating user/permissions management for Azure resources

Hello All, 

We have an internal IT group which is responsible for managing our corporate AD.  That AD ('\\zytex) is synched with AzureAD for authentication to our Office365 subscriptions. 

We do have several Azure subscriptions containing dev/test and production resources that we would like to control access to.  \\zytex users are visible and can be assigned roles and permissions to our subscriptions in Azure Portal.

We would like to delegate the ability to create permission groups for Azure and add/remove \\zytex users to those permissions groups to  a few developers instead of requiring internal IT to be involved.

We have been looking at administrative units and self-service groups, but we are unsure of the best way to implement our requirements.

Please suggest the best practices.


High CPU Usage

Hi, 

We have Azure AD Sync installed on one of our Domain Controllers, but the service: Microsoft.Online.reporting.monitoringagent.startup keeps on going to high CPU usage and then low then high, it keeps on doing this all day. 

Any ideas of what it could be but also how to stop it from doing it?

Thank you 

Ashley 

Azure Passthrough Agent install failed - switching from password hash to pass-through authentication

Hello,

My organization is using Azure AD Connect to sync our on prem AD accounts with our Office 365 mailboxes. We are currently using password hash authentication and would like to switch to pass-through authentication, but the installation of the Authentication Agent fails. I have also tried installing on a different server (in staging mode) and get the same results.

Near the end of the log file I see some errors but I don't know what's causing it. I have gone through the info about firewall issues and I tried the port test at aadap-portcheck.connectorporttest (dot) msappproxy (dot) net  and get all green checks. No other firewall blocks that I am aware of. Here is the relevant portion of the error log:

[15:59:49.215] [  9] [VERB ] Executing task Check Pre-requisities for configuring pass-through authentication
AzureADConnect.exe Error: 0 : Port check for the endpoint: 'https://registration.msappproxy.net/' failed with exception 'System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'registration.msappproxy.net'
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthUtility.<IsHttpEndPointAccessibleAsync>d__6.MoveNext()'
[15:59:56.657] [ 14] [INFO ] Task 'Check Pre-requisities for configuring pass-through authentication' has finished execution
[15:59:56.661] [  9] [INFO ] Task 'Check Pre-requisities for configuring pass-through authentication' finished successfully
[15:59:56.661] [  9] [VERB ] Executing task Install Azure AD Passthrough authentication Connector
[15:59:56.664] [ 20] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[15:59:56.665] [ 20] [VERB ] Getting list of installed packages by upgrade code
[15:59:56.665] [ 20] [INFO ] GetInstalledPackagesByUpgradeCode {0c06f9df-c56b-42c4-a41b-f5f64d01a35c}: no registered products found.
[15:59:56.665] [ 20] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (0c06f9df-c56b-42c4-a41b-f5f64d01a35c)
[15:59:56.665] [ 20] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[16:00:07.243] [ 20] [ERROR] Error installing the connector : System.Runtime.InteropServices.COMException (0x80070643): Fatal error during installation. (Exception from HRESULT: 0x80070643)
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Online.Deployment.Framework.Providers.ProcessProvider.Execute(String domain, String username, SecureString password, String filename, String arguments, TimeSpan timeout, Boolean waitForAllInstance, Int32[] allowedExitCodes)
   at Microsoft.Online.Deployment.Framework.Providers.ProcessProvider.Execute(String filename, String arguments, TimeSpan timeout, Int32[] allowedExitCodes)
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.InstallAADConnectAgent`1.Execute()
[16:00:07.244] [ 20] [INFO ] Task 'Install Azure AD Passthrough authentication Connector' has finished execution
[16:00:07.246] [  9] [ERROR] Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Fatal error during installation. (Exception from HRESULT: 0x80070643)
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.InstallAADConnectAgent`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
Exception Data (Raw): Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskException: The task 'Install Azure AD Passthrough authentication Connector' has failed. ---> Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Fatal error during installation. (Exception from HRESULT: 0x80070643)
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.InstallAADConnectAgent`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
   --- End of inner exception stack trace ---
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskGroup.CheckTaskCompletion(Int32 currentTaskIndex)
[16:00:07.247] [  9] [VERB ] Cleanup: Starting cleanup for task 'Install Azure AD Passthrough authentication Connector'
[16:00:07.248] [  9] [VERB ] Task 'Install Azure AD Passthrough authentication Connector': No cleanup defined
[16:00:07.249] [  9] [VERB ] Marking task 'Configure Azure AD Passthrough Authentication Connector' as Skipped
[16:00:07.250] [  9] [VERB ] Rolling back task Check Pre-requisities for configuring pass-through authentication
[16:00:07.250] [  9] [VERB ] Task 'Check Pre-requisities for configuring pass-through authentication': No rollback defined
[16:00:07.250] [  9] [INFO ] Task 'Deploy Microsoft Azure AD Connect Authentication Agent' has finished execution
[16:00:07.251] [ 11] [ERROR] Task failed without an exception
[16:00:07.251] [ 11] [VERB ] Cleanup: Starting cleanup for task 'Deploy Microsoft Azure AD Connect Authentication Agent'
[16:00:07.251] [ 11] [VERB ] Task 'Deploy Microsoft Azure AD Connect Authentication Agent': No cleanup defined
[16:00:07.251] [ 11] [VERB ] Marking task 'Configure Passthrough Authentication' as Skipped
[16:00:07.251] [ 11] [VERB ] Marking task 'Setting DesktopSso enablement' as Skipped
[16:00:07.251] [ 11] [INFO ] Task 'Change Sign-In Method' has finished execution
[16:00:07.286] [  4] [ERROR] Fatal error during installation. (Exception from HRESULT: 0x80070643)
Exception Data (Raw): Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Fatal error during installation. (Exception from HRESULT: 0x80070643)
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.InstallAADConnectAgent`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
[16:00:07.292] [  4] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[16:00:07.292] [  4] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[16:00:07.294] [  4] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[16:00:07.296] [  4] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[16:00:07.360] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[16:00:07.360] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[16:00:07.362] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[16:18:10.293] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180531-155309.log

Thanks for assistance.


AD connect - groups sync

Hi,

In our AD we store DLs and Security groups in the same OU.

When we migrated to o365 we didn't configure AD connect to sync our groups OUs and created all the DLs on o365 manually.

Now we want to sync our groups OUs because we need the security groups, so my question is: if I'm syncing the whole OU (which contains existing DLs), what will happen? Duplications? Or, because the DLs have the same address, will I get an error? Will the non-existent groups sync, or will the whole operation fail?

Thanks for the help.

Azure Active Directory Connect for Windows 10

Hi 

I'm working towards 70-346 and trying to connect to Azure AD with a Windows 10 machine in order to use PowerShell with my 365 account.

Each link for Azure AD connect is for servers only.  Is there a version for Windows 10?

change configuration Azure ad connect

Hello everyone, two years ago I configured Azure AD Connect to synchronize users from AD to Office365. This year I've upgraded my O365 license and now I have Azure Active Directory Premium P2. I would like to configure a few things and check if it's simple or not.

I would like to enable Password Writeback. Is it easy and safe to change that feature? What do I need to check before?


How do I add more apps to the Azure AD, Conditional Access list of apps?

Hi All,

How do I add more apps to the Azure AD Conditional Access list of apps? Where does this list of apps come from, and can I add additional apps? These are Cloud Apps that I can restrict or give permission to users in our network.

I hope you can help
Colin


Azure B2C date claim without custom policies

Hi

As custom policies are in preview - and therefore not recommended for production - for an unspecified length of time, is there an alternative method to ask the user to enter a date field (e.g. date of birth) in Azure B2C? I am probably missing something, but the only way I can see to do it (beyond a free-text field with no input validation) is to have 3x custom fields (day, month & year), using 3x single-select drop-down fields. Is there another way that I am missing?

Many thanks in advance!

Mat

app registration

Hello,

What is the difference between app registration and enterprise application in Azure AD?

Thanks

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application:

Sign in

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'c9598e68-f*ff-*471-**46-32**69ae50**'.

I am integrating Jenkins with Azure AD and running Jenkins on http://localhost:8080/. I have also added this to my reply URL but am still facing the above issue. My Jenkins is also able to successfully verify the application using the application ID.


What are the differences between ADAL and MSAL

Hi, newbie to Azure AD. I am using Xamarin Forms for Azure AD.

Can someone tell me which one to use for Xamarin Forms: ADAL or MSAL?

I need to access Azure AD. Your help is important to me.

Thanks

Issues with Azure AD Connect not synchronizing for over 24 hours (UI Locks up and service doesn't respond)

Hi everyone.

I've been battling an issue since Friday evening with regards to an Azure AD Connect no longer synchronizing in a timely fashion.

We have multiple on premise DC's, and 1 hosted in Azure.

This past Friday, I received an automated email from Microsoft stating:

>On **Saturday, 21 July 2018 00:16:55 GMT**, Azure Active Directory did not register a synchronization attempt from the Identity synchronization tool in the last 24 hours for <organization URL here> 

>You can troubleshoot this issue by running the Directory Synchronization troubleshooter on the server that has Azure Active Directory identity synchronization tools installed.

So in an attempt to fix, I tried to update to the latest AD Sync tool which I believe is currently 1.1.819.0.

After some digging around online and initializing a MS ticket, it turns out that there was a global issue with the latest patch Tuesday (July, 2018) updates that caused massive CPU spikes on the  AzureADConnectHealthSyncMonitor service process.  A temporary workaround was to disable this service, and sure enough CPU utilization went down and back to normal, however the issue I'm facing seems to be slightly related - but I can't quite put my finger on it. MS has yet to respond to me over the weekend.  Must be too busy.

Normally the typical process of syncing after we add our users to AD is to perform a Delta sync (not a full sync) using this command in the PowerShell which takes less than 30 seconds to complete.

`Start-ADSyncSyncCycle -PolicyType delta`

Within the AD Synchronization service manager - items listing in succession from bottom to top, ex:

* [OFFICE365.onmicrosoft.com](https://OFFICE365.onmicrosoft.com) Export
* [OFFICE365.onmicrosoft.com](https://OFFICE365.onmicrosoft.com) Delta Synchronization
* [domain.com](https://domain.com) Delta Synchronization
* [OFFICE365.onmicrosoft.com](https://OFFICE365.onmicrosoft.com) Delta Import
* [domain.com](https://domain.com) Delta Import

The issue is the process is hanging on the second one (from bottom), [OFFICE365.onmicrosoft.com](https://OFFICE365.onmicrosoft.com) Delta Import.  It successfully replicates the local AD servers and the one in the cloud, however when it comes to communicating with Office365, it just runs for over 24 hours and does not finish.

One thing I've noticed is that attempting to stop the AD Sync service through services.msc seems to hang on "Stopping" and does not stop naturally; I have to kill the miiserver.exe process manually.  The service automatically starts again and immediately runs the scheduler task and kicks off the delta sync and continues where it left off, but again, it locks up.

Another issue is the UI for miisclient.exe occasionally locks up where I cannot even stop the connector tasks, they constantly say running, and when I highlight and click stop, nothing happens.

I've gone ahead and removed updates KB4054590 - Server 2016 =  4.7.2 DotNet as well as KB4054566 as per the article I found online to fix the CPU lockup issue related to AD Sync, and still at a standstill with this.

Any assistance would be greatly appreciated.

Difference between Azure AD App Registration and Enterprise Application

Hello All



Greetings!

I would like to get the difference between Azure AD App Registration and Enterprise Application in terms of registering a non-marketplace app to Azure AD for SSO-based authentication. I would like to integrate one of our applications running on Google Cloud with Azure AD for SSO authentication.



BR

Rakhil

Azure AD “Enterprise Applications” User consent access tenant data

For Azure AD “Enterprise Applications”, is it possible to set “User can consent to apps accessing company data on their behalf” just for an app or does this have to be done for all apps in the tenant?

I am not the admin for my tenant but am registered user in my tenant.

The application is an existing application and has been registered in the developer’s tenant as a multi tenant application. I am trying to get it to work in my tenant.

This application requires the following scopes:

files.readwrite

files.readwrite.all

offline_access

I got the admin for my tenant to create a “service principal” in my tenant for this app by:

  1. https://login.microsoftonline.com/common/adminconsent?client_id=22c49a0d-d21c-4792-aed1-8f163c982546&redirect_uri=http://localhost
  2. Sign in as admin for my tenant

How can I set “User can consent to apps accessing company data on their behalf” just for an app in Azure AD Admin Center?

[Also posted to TechNet forum Microsoft Online: Administration Center]
