Channel: Azure Active Directory forum
Viewing all 16000 articles

User name or password is incorrect when performing domain join to Azure VM

  1. Installed AAD Domain Services with domain name "mydomain.com"
  2. Added verified custom domain "mydomain.com"
  3. Made "mydomain.com" primary
  4. Created AAD user "admin@mydomain.com"
  5. Converted temp password to permanent password
  6. Logged into Azure with permanent password
  7. Added "admin@mydomain.com" to domain administrators group
  8. Ensured VM can see domain services for "mydomain.com"
  9. When performing domain join, receive "The user name or password is incorrect"

I've tried the following credential combinations when doing the domain join (username : password)

  1. admin : pwd
  2. admin@mydomain.com : pwd
  3. mydomain.com\admin : pwd
  4. mydomain.com\admin@mydomain.com : pwd

None of these work and ultimately give me a lock out indication.  I create additional users to continue trying these steps but nothing is working.


Stephen





Call to Microsoft OAuth2 not working as expected.


I have an internal corporate web app that needs to access corporate SharePoint Online. I want to call OAuth2 to take the user through the authentication process so the web app can retrieve an access_token and then call the Microsoft Graph API. I am using Django/Python.

I have registered the app in the corporate Azure Portal, but when I call the /authorize endpoint the user sees what appears to be the wrong login page. I expect the user to see a page that shows the app's name and permissions, but all the user sees is a basic sign-on page. Moreover, when the user enters his corporate email address he sees an error that says “There was an issue looking up your account”. The user has been added to the registered app's "Users and Groups".

As far as I can tell, everything is configured correctly.

I have Googled this like mad, but not found any help.

Any suggestions would be greatly appreciated.

Thanks.
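The flow the post describes (send the user to the /authorize endpoint, get a code back, exchange it for an access token, call Microsoft Graph) is shown below as an added example; it is not code from the post or from Microsoft. It assumes the Azure AD v2.0 endpoint, a tenant id, client id and redirect URI that are placeholders, and a Django view that stores the state and PKCE verifier in the session between the two legs. The state check and PKCE are the two things a reviewer would look for in such a client: state ties the callback to the session that started the flow, and the verifier proves to the token endpoint that the same client that requested the code is redeeming it.

```python
"""Authorization-code flow against Azure AD (v2.0 endpoint) with state + PKCE.

Added example, not from the forum post. Tenant, client id and redirect URI
are placeholders; a Django view would keep `state` and `verifier` in
request.session between build_authorize_url() and parse_callback().
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
# Scopes for a web app that reads SharePoint Online through Graph (adjust to need).
GRAPH_SCOPES = ["openid", "profile", "offline_access",
                "https://graph.microsoft.com/Sites.Read.All"]


def make_code_verifier() -> str:
    """RFC 7636 verifier: 43-128 unreserved chars; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge(verifier: str) -> str:
    """S256 challenge = base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_state() -> str:
    """Unguessable per-request value; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant, client_id, redirect_uri, state, verifier,
                        scopes=GRAPH_SCOPES):
    """URL to redirect the browser to. `tenant` is the tenant id or a verified
    domain of the corporate directory; that segment decides which directory
    the sign-in page looks the account up in."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"


def query_params(url):
    """Flatten the query string to {name: first_value} (helper for callers/tests)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_callback(callback_url, expected_state):
    """Return the authorization code from the redirect.

    Raises if Azure AD returned an error or if `state` does not match the value
    stored for this session (constant-time compare; a mismatch means the
    callback did not originate from a flow this session started)."""
    qs = query_params(callback_url)
    if "error" in qs:
        raise ValueError(f"{qs['error']}: {qs.get('error_description', '')}")
    if not hmac.compare_digest(qs.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    return qs["code"]


def token_request_body(client_id, redirect_uri, code, verifier, scopes=GRAPH_SCOPES):
    """Form body for POST {AUTHORITY}/token. redirect_uri must equal the one
    sent to /authorize; code_verifier is the unhashed value kept in session."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
        "scope": " ".join(scopes),
    }


if __name__ == "__main__":
    # Usage sketch (placeholders): leg 1 builds the redirect, leg 2 parses the return.
    state, verifier = make_state(), make_code_verifier()
    url = build_authorize_url("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                              "https://app.example.test/auth/callback", state, verifier)
    print(url)
    code = parse_callback(f"https://app.example.test/auth/callback?code=CODE&state={state}", state)
    print(token_request_body("CLIENT-ID-PLACEHOLDER",
                             "https://app.example.test/auth/callback", code, verifier))
```

The token response (access_token, refresh_token, expires_in) is then sent as `Authorization: Bearer <access_token>` to Graph; a confidential Django app adds its client_secret (or a certificate assertion) to `token_request_body`, kept out of the example above.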

AADC user/contact matching issues


Hello,

We have gone from an on-prem Exchange to EOL, but we still have on-prem Exchange for management of user objects; everything mail related is done in EOL.

Now we're having issues that for some reason our "Azure AD Connect" has matched a user object (which isn't even enabled for Exchange) and a contact object and decided they are one and the same. Which means the contact isn't working in O365!

So, how do I break the matching? I've removed the "mail" attribute from the user object as well as all smtp/proxyaddress and made sure there is nothing in common between the two and done a full import/sync in AADC yet the matching is still there and then it writes back some X500 addresses back as proxyaddresses!

Is there any way to manually break the matching? Because they really have nothing in common!!

Group Policy Management through Azure Active Directory Possible?


Our company has a new entity that will consist of remote employees. There is no physical location with a physical server setup. These employees will be traveling a large portion of the time and all software they need to access will be cloud based. We want them to be able to connect to O365 and other microsoft cloud services, and so have made a custom domain for them in our Azure Tenant, and I have confirmed connectivity. 

We want to know if it is possible to administer group policy to these computers. I have read the article (Administer Group Policy on an Azure AD Domain Services managed domain) that shows that this is possible, but I cannot get this to work. Does group policy through Azure AD DS or an Azure VM with AD DS only affect other VMs, or can it push group policy to physical devices?



AD Connect Group WriteBack to Exchange 2010 OnPrem


Hello, we got group writeback working; however, when I run the update-recipient "<group>" I get an error due to a couple of attribute values that Exchange 2010 doesn't understand.

msExchRecipientDisplayType 17
msExchRecipientTypeDetails 8796093022208

The property value you specified, "17", isn't defined in the Enum type "Nullable`1".
    + CategoryInfo          : NotSpecified: (AD.CORP.LOCAL/G...ff-b273de87f6f6:ADObjectId) [Update-Recipient], DataValidationException
    + FullyQualifiedErrorId : 5D595360,Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient

The property value you specified, "8796093022208", isn't defined in the Enum type "RecipientTypeDetails".
    + CategoryInfo          : NotSpecified: (AD.CORP.LOCAL/G...ff-b273de87f6f6:ADObjectId) [Update-Recipient], DataValidationException
    + FullyQualifiedErrorId : 10FAD6F9,Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient

If I manually blank out these values and run the cmdlet again, it works without error. The O365 group object is displayed as a group in the Exchange 2010 GAL. However, during the next dir sync, these values are put back and the object no longer "displays" as a group object in the GAL. The object entry is there in the GAL but there is no group icon nor is the name in bold (like other group objects). You can open the object and see the members and still use it for routing.

I read that you can prepare the schema for Exchange 2013 but I really don't want to go down that road. Is there a way to prevent those 2 attribute values from being sync'd back to OnPrem? I could probably write a PowerShell script that runs shortly after the dir sync to remove those values, but preventing those attributes from writing back to on-prem would be ideal.

Microsoft.Online.Workflows.EntitlementValidationException while attempting a patch of an existing servicePrincipal using Microsoft Graph


I'm trying to add an appRole to an existing ServicePrincipal object using Microsoft Graph.

Same as I did quite some time already.

I added an appRole object to the appRoles JSON array, and clicked on Patch.

The ServicePrincipal is an AWS console role, the added appRole looks like:

        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "TechnicalSupport-Live-administrator",
            "displayName": "TechnicalSupport-Live-administrator,mydirectory",
            "id": "b55e5bde-6a07-4737-8812-af56750068da",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "arn:aws:iam::***********:role/TechnicalSupport-Live-administrator,arn:aws:iam::**********:saml-provider/mydirectory"
        },

JSON validation is successful, but I get

    "error": {
        "code": "Request_BadRequest",
        "message": "One or more properties contains invalid values.",

       ... 

}

and a weird error code in the audit log

Name : Update service principal

...

Category : Core Directory
Activity Status
Status : Failure
Reason : Microsoft.Online.Workflows.EntitlementValidationException
Initiated By (Actor)
Type User
ObjectId : 9673ee65-16e9-4706-b25c-886ddcde7fef

Upn : myiupn

IpAddress : <null>

Target(s)
Target
Type ServicePrincipal
Name : Amazon Web Services (AWS)
ObjectId : ******************************

Can someone give me a reason for this weird exception or where to look for further details?

Thanks and best regards

Alex

Get-AzureADTrustedCertificateAuthority - User was not found


I am following the instructions in the following documentation to view the trusted certificate authorities that are defined in my Azure Active Directory (AAD) instance:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-get-started

From the Azure portal, this is my account:

https://carlostransitfiles.blob.core.windows.net/sharefiles/UserProfile.png

And I am indeed the global administrator for my AAD instance:

https://carlostransitfiles.blob.core.windows.net/sharefiles/UserRole.png

I can use the cmdlet Connect-AzureAD just fine:

https://carlostransitfiles.blob.core.windows.net/sharefiles/connectazuread.png

But when using the cmdlet Get-AzureADTrustedCertificateAuthority, I get the error of "User was not found":

https://carlostransitfiles.blob.core.windows.net/sharefiles/usernotfound.png

What is going on?


Authentication Contact Email


If I update my authentication contact information on my Azure AD profile, and then click on "Access Panel Profile" link, it shows that both "Email" and "Alternate Email" have been changed.

How does that make sense?

And does it actually change my primary email address?

Or is this in fact inaccurate and confusing labeling?

I'd like to provide alternate contact information, however, I'm reluctant to use this feature because of the way the values are labeled on the profile page.


Error after running 1-Aug-2018 AD Upgrade


Azure AD Connect 1-Aug-2018 Release Fails to Upgrade & provides "AD Error 906: Index out of range error".  I needed to run this update in order to fix the CPU utilization issue associated with KB4338814 “2018-07 Cumulative Update for Windows Server”.  Now I can't sync my AD...  I can't upload pictures here, either.

The Upgrade Azure Active Directory Connect gives error: "An error occurred while upgrading from Azure Active Directory Sync.  Unable to upgrade the Synchronization Service.  Please see the event log for additional details."

The event log has "Event 906, AzureActiveDirectorySyncEngine.  Index was outside the bounds of the array."

Unable to verify domain in Azure Active Directory


The record was added to DNS more than a week ago but Azure refuses to verify it. You can see details below for both the actual DNS entry and the requirements. I verified there is no fat fingering and it's not obviously an issue with TTL either.

PS C:\Windows\system32> resolve-dnsname -Type TXT shamrocksolutionsllc.com

Name                                     Type   TTL   Section    Strings
----                                     ----   ---   -------    -------
shamrocksolutionsllc.com                 TXT    3599  Answer     {google-site-verification=RNAs1pW04xP8x-T
                                                                 8aET310cxi9TsEU5QWIru5jtIVH8}
shamrocksolutionsllc.com                 TXT    3599  Answer     {google-site-verification=u8xUaW-sT6acLdm
                                                                 LL-dU0LvIKLwNnnPoyJ4SR15uwAM}
shamrocksolutionsllc.com                 TXT    3599  Answer     {v=spf1 include:_spf.google.com ~all}
shamrocksolutionsllc.com                 TXT    3599  Answer     {MS=ms81362839}

ADFS services warning health service data is not up to date


If I run ADFS diagnostics using PowerShell on the ADFS servers they come out clean, but I still get this error on the main ADFS server; the other ADFS servers and proxies show no errors.



Can not save Gsuite provisioning settings page


I have followed the Docs for adding the G Suite Enterprise app setup on SAML-based sign-on. I have managed to use a user account to sign in, but new users did not sync, so I found that my provisioning defaulted to manual. I have changed it to Automatic, did the Authorize and Test Connection, and clicked save.

After that I wanted to add a notification email on failures and change the scope to all users. Making the changes colours them purple, but the save button does not change to black, so I cannot save the changes. Also the Provisioning Status is Off; after changing it to On I still cannot click the save button to initiate the sync.

I found that if I change something like the status to On and do the Authorize process again, it saves the status, but now I get an authentication failure error while the test connection shows as success.

so the result is this message :

Summary
Synchronization is now in quarantine with execution frequency reduced.

Quarantine first initiated at Sun Aug 05 2018 18:03:22 

and I can not change or save any thing now.

please help.

AD Migration to a new forest. Office 365 has been implemented in both forests


Hi,

Source and target forests have both been migrated to Office 365.  Both forests are using the same UPN Suffix.  Only 100 users are being migrated but still need to keep the WAAD Sync running for the other users in the source domain.

Need the correct procedure to migrate using ADMT, as I'm not sure how to switch the Office 365.


Unable to edit/save or create new Azure AD B2C - Application configuration


Hello,

To test a social login SSO we are trying to integrate with Azure AD B2C.  I am facing two problems:

#1 Azure web portal is not allowing us to edit/save or create new configurations. 

#2 Our hybrid (PhoneGap) app developer would like to use this URL for the Android app in the custom URI field: "file:///android_asset/www/index.html#/app/social-login". However, we are getting an error message saying 'fraction URLs are not allowed'. It is forcing us to remove the '#' sign. We are not sure if this is going to work because we can't save the application configuration.

Azure portal worked once when we created the configuration soon after signup (around July 12th). We had not entered the custom URI field initially. After a few days I tried to edit to add more URLs. Save action shows the following error message:

===

Cannot update Application: The B2C service has an internal error. If this application was edited outside of this B2C Admin experience, you will have to delete it and create it again. Read this article (https://go.microsoft.com/fwlink/?linkid=826306) for more details. Please read this article (https://go.microsoft.com/fwlink/?linkid=847767) for more details.

===

I am not sure what the above message means because I have tried to edit the config only using the main Azure web portal.

After a few days of retries I tried to create a new application configuration.

====

Cannot save Application: The B2C service has an internal error. If you created this B2C directory just now, please try again after couple of minutes. If the problem persists, please contact Support (https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-support/). If you do not have a B2C directory you can refer https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-get-started/ Please read this article (https://go.microsoft.com/fwlink/?linkid=847767) for more details.

====

Note that this is not a new directory. I tried again after a few days, got the same message.

Today we contacted Azure support. The support engineer suggested trying a different browser (I was using Chrome). We tried on a fresh instance of the IE browser (Windows 10, IE 11, nothing in browser cache). We got the same error message as before.

Biju


 

Register proxy failing with certificate error


Running the Register-AzureADPasswordProtectionProxy cmdlet returned no errors, but my Agents were reporting no registered proxy service found.

Enabling the Trace log and re-running Register-AzureADPasswordProtectionProxy returns the following error:

ProxyCertificatesPopulator: Microsoft.DeviceRegistration.JOSE.JoseException: The certificate validator indicated that the signingCertificate is not trusted 
at Microsoft.DeviceRegistration.JOSE.JWSHelper.ValidationWorker2(String JWS, X509Certificate2 expectedSigningCert, ICertificateValidator certValidator, X509Certificate2& signingCert, Byte[]& payload)
at Microsoft.DeviceRegistration.JOSE.JWSHelper.ValidateSignature(String JWS, ICertificateValidator certValidator, String& payload) at ServiceCommon.Converters.ProxyCertAndChainConverter.Convert(ProxyCertAndChainSerialized proxyCertAndChainSerialized) at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.UpdateCurrentPublicDataIfNecessaryWorker(FileContentAndPath1 latestContent, Boolean fromBackup) at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.UpdateCurrentPublicDataIfNecessary(FileContentAndPath1 latestContent, Boolean fromBackup) at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.PopulateDirectoryFiles() at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.HandlePopulateDirectory(Object state, Boolean timedOut)

Proxy and AD servers are 2012 R2 with latest updates, including the Universal C update. AD is using DFSR replication. 



Retrieving the all the users information from Azure Subscription


I want to retrieve all the user information from a subscription. We can get the list of all users from an Azure subscription using the article below.

https://docs.microsoft.com/en-us/rest/api/authorization/roleassignments/list

But the above URL retrieves a list of all user GUIDs (and some more information), whereas here I want the user display name, mail id, etc.

Please help me: how can I do this?

We can send these user GUIDs to the Graph API to retrieve the user information, but it needs consent from the tenant admin and we also need two more extra calls (one to get a Graph bearer access token and the other the call to the actual Graph API with the above list of user GUIDs). So how can I do this without the Graph API?
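The post's own description of the two-step approach (role-assignment list from the Azure Resource Manager API, then Graph for display name and mail) is worked through below as an added example; it is not code from the post and does not remove the need for a Graph token and admin consent that the poster mentions. It assumes the role-assignment JSON shape from the linked roleAssignments/list reference (principalId and principalType under properties) and the Graph directoryObjects/getByIds endpoint; the 1000-ids-per-call batch size is my understanding of the documented cap, so treat it as an assumption to check against current docs. All input JSON is constructed sample data so the code runs offline; the only live call is isolated in call_getbyids().

```python
"""Resolve Azure RBAC role-assignment principal ids to user display name / mail.

Added example, not from the forum post. SAMPLE_* structures are constructed
samples in the documented shapes; call_getbyids() is the one network call and
is not exercised offline. The Graph token needs a directory-read permission
(for example User.Read.All), which is the admin-consent step the post mentions.
"""
import json
import urllib.request

GETBYIDS_URL = "https://graph.microsoft.com/v1.0/directoryObjects/getByIds"

# Constructed sample in the shape of
# GET https://management.azure.com/subscriptions/{id}/providers/Microsoft.Authorization/roleAssignments
SAMPLE_ROLE_ASSIGNMENTS = {
    "value": [
        {"properties": {"principalId": "11111111-1111-1111-1111-111111111111",
                        "principalType": "User", "roleDefinitionId": "ROLE-DEF-PLACEHOLDER-A"}},
        # Same user with a second role: must be looked up only once.
        {"properties": {"principalId": "11111111-1111-1111-1111-111111111111",
                        "principalType": "User", "roleDefinitionId": "ROLE-DEF-PLACEHOLDER-B"}},
        # Service principals carry no mailbox; excluded from the user lookup.
        {"properties": {"principalId": "22222222-2222-2222-2222-222222222222",
                        "principalType": "ServicePrincipal", "roleDefinitionId": "ROLE-DEF-PLACEHOLDER-A"}},
        {"properties": {"principalId": "33333333-3333-3333-3333-333333333333",
                        "principalType": "User", "roleDefinitionId": "ROLE-DEF-PLACEHOLDER-A"}},
        # A user id Graph will not return (e.g. deleted account): must surface as None.
        {"properties": {"principalId": "44444444-4444-4444-4444-444444444444",
                        "principalType": "User", "roleDefinitionId": "ROLE-DEF-PLACEHOLDER-A"}},
    ]
}

# Constructed sample Graph response for POST /v1.0/directoryObjects/getByIds
SAMPLE_GRAPH_RESPONSE = {
    "value": [
        {"@odata.type": "#microsoft.graph.user", "id": "11111111-1111-1111-1111-111111111111",
         "displayName": "Alice Example", "mail": "alice@example.test",
         "userPrincipalName": "alice@example.test"},
        {"@odata.type": "#microsoft.graph.user", "id": "33333333-3333-3333-3333-333333333333",
         "displayName": "Bob Example", "mail": None,
         "userPrincipalName": "bob@example.test"},
    ]
}


def user_principal_ids(role_assignments):
    """Unique ids of User principals; one user usually holds several assignments."""
    ids = {a["properties"]["principalId"] for a in role_assignments["value"]
           if a["properties"].get("principalType") == "User"}
    return sorted(ids)


def getbyids_bodies(ids, batch_size=1000):
    """One request body per batch (batch_size is an assumed per-call cap)."""
    return [{"ids": ids[i:i + batch_size], "types": ["user"]}
            for i in range(0, len(ids), batch_size)]


def index_users(graph_response):
    """id -> the three fields the post asks for, for user objects only."""
    return {o["id"]: {"displayName": o.get("displayName"), "mail": o.get("mail"),
                      "userPrincipalName": o.get("userPrincipalName")}
            for o in graph_response["value"]
            if o.get("@odata.type") == "#microsoft.graph.user"}


def resolve_users(role_assignments, graph_responses):
    """Join: every user principal id -> profile dict, or None when Graph returned
    nothing for it (deleted or foreign account); callers then know it is unresolved
    rather than silently dropping the assignment."""
    users = {}
    for r in graph_responses:
        users.update(index_users(r))
    return {pid: users.get(pid) for pid in user_principal_ids(role_assignments)}


def call_getbyids(body, bearer_token):
    """Live Graph call (not run offline): POST one batch and return the parsed JSON."""
    req = urllib.request.Request(
        GETBYIDS_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run on the constructed samples; swap SAMPLE_GRAPH_RESPONSE for
    # [call_getbyids(b, TOKEN) for b in getbyids_bodies(ids)] against a real tenant.
    for pid, profile in resolve_users(SAMPLE_ROLE_ASSIGNMENTS, [SAMPLE_GRAPH_RESPONSE]).items():
        print(pid, profile)
```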

Dirsync, Azure AD and filtering


Hello!

We are seeing a strange behavior and I found some indirect references about it in MS documentation. I want to get some better visibility into it so that we can appropriately approach it:

1. We deployed AAD Connect with group based filtering for a set of Pilot users.

2. However, we observed that a lot of groups also got synced although they were not member of the Pilot group for filtering. (The groups existed in AD and AAD but the membership differed.)

3. After further investigations, we got to know that a long time back DirSync was deployed but later on the sync was discontinued.

4. I find the following documentation referring to the scope of objects for filtering. Based on its language it sounds like, even though we are using group based filtering for our pilot, the original scope of sync with DirSync might still be interfering.

AAD Connect Filtering

"Azure AD Connect only deletes objects that it has once considered to be in scope. If there are objects in Azure AD that were created by another sync engine and these objects aren't in scope, adding filtering doesn't remove them. For example, if you start with a DirSync server that created a complete copy of your entire directory in Azure AD, and you install a new Azure AD Connect sync server in parallel with filtering enabled from the beginning, Azure AD Connect doesn't remove the extra objects that are created by DirSync."

5. Can you explicitly confirm that stale configurations with DirSync are interfering with our new AAD Connect setup? If yes, will recreating these objects in AAD resolve the issue?

Thanks!!


Azure AD Connect Health Sync Monitor High CPU Usage


once again, on WinServer2016 after KB4345418 ...

Is the recommendation to uninstall KB4345418

or wait for the repair Update?

Thx, Paul

AAD Connect - Merge cross forest groups and export to Azure AD


Hi all, 

I'm facing an issue in an Active Directory migration whereby I would want to merge 2 groups (one from forest A and one from forest B) via AAD connect and export it to Azure AD to have users from forest A and forest B included into the same group. 

Does anyone know if this is possible and how to adapt the AAD connect synchronization rules to have this in place?

With kind regards,

Sebastian 

Cannot connect to Azure SQL from MSSMS using Active Directory - Password


I'm the Azure Group Admin. 

My primary email for the Azure account is me@mydomain.com (well, you know..)  

I added a custom domain to Default Directory  = mydomain.com.  It shows up on the list as verified.

I created an AD group in Default Directory called DBA.

I added me@mydomain.com to the DBA group.

I assigned DBA group as AD SQL Admin for MyAzureSQLServer  (an Azure SQL server).

I did the query for principals via MSSMS and saw DBA group, to verify that it is wired up.

I then try to login to MyAzureSQLServer from MSSMS with Active Directory Password, using me@mydomain.com and with the correct password (which I confirmed two days ago, trying to get into Azure). 

THEN

I get the following error:

====================================

TITLE: Connect to Server
------------------------------

Cannot connect to actionmap.database.windows.net.

------------------------------
ADDITIONAL INFORMATION:

One or more errors occurred. (mscorlib)

------------------------------

One or more errors occurred. (mscorlib)

------------------------------

AADSTS50034: To sign into this application the account must be added to the 05907bd6-5198-4caf-a794-f31461d86a8b directory.
Trace ID: e271f101-9292-46ee-b841-873eae340300
Correlation ID: 1ce045a5-e70b-4c61-a83f-1665ea5123f3
Timestamp: 2018-08-07 22:47:15Z (System.Data)

------------------------------
BUTTONS:

OK
------------------------------

=======================================

The directory id in bold above is the Default Directory (confirmed).

Following the explanation in here:

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication

where it says

The following members of Azure AD can be provisioned in Azure SQL server or SQL Data Warehouse:

... based on that I thought that the login me@mydomain.com should be able to access MyAzureSQLServer through Active Directory - Password,  because the custom domain mydomain.com has been added to Azure AD and verified.

What might I be missing here?

Thanks!

