Channel: Azure Active Directory forum

Bitcode compatible Azure AD version for iOS applications


Hi,

We have integrated the Azure AD library for iOS successfully into our iOS application.

However, we want to ship a Bitcode-enabled version of our app to Apple's App Store.

This is not possible since the Azure AD library is not Bitcode compatible yet.

Are there plans to change this, or will it always stay Bitcode incompatible?

Thanks for your time.


Error upgrading Azure AD Connector


Hi all, 

I get an error when upgrading to the latest AAD Connector: "Input string was not in a correct format".

The error occurs after the AAD Connector connects to Azure AD, when the upgrade process is updating the on-premises rules.

The log file indicates that logins to the web services ("AADSTS*****") are failing, but the password for the sync account had been reset before the upgrade process was started, and the sync account can log in without problems.

I need to get this working again, anyone?


Azure initial setup questions


Our goal is to remove our current DR private cloud infrastructure and set up a replacement on Azure. We will just have an Exchange VM, a File Server VM, and an AntiEmailSpam VM.

I plan on following this page to get it set up: https://social.technet.microsoft.com/wiki/contents/articles/51353.azure-step-by-step-guide-extending-ad-ds-to-azure-using-site-to-site-vpn-or-express-route.aspx using VPN and virtual machines.

However, I've been reading about Azure AD, Azure AD Connect, and Azure AD Domain Services. I am a little confused on it. Do these technologies basically sync your on-prem AD to Azure AD but on a separate domain? Say my on-prem domain is called abc.com; I assume the Azure AD will be called efg.com? I saw that Azure AD Domain Services syncs the on-prem SIDs to Azure AD, but the domains will be different? Also, it said that Domain Services is cheaper, $110/month for <25k AD objects. If I spin up a VM and run a domain controller, it should be cheaper than that per month, like $50/60.

Will having these Azure technologies benefit me if I simply want to establish a DR environment in Azure? (I know about the less maintenance, no patching, high availability parts.)

Thanks

Azure AD Identity Protection missing "skipping multi-factor authentication registration" settings

Azure AD Connect (Express install) migration to another server


Hello Community,

I'm planning to move our current AADC application to another server. I haven't found any questions regarding moving an Express installation to a new server. The reason it's important for me is that in Express installation mode, a user was created (MSOL_XYZ...) with a Windows-managed password (so I don't know its password), and previously we had a Custom installation which caused sync errors in the environment. But the new environment has to be started in Staging mode, which only seems possible when using a Custom installation.

So my question is: Is it (if yes, how?) possible to migrate an Express installation to a server where I use Custom installation in Staging mode?

Thanks,

Csaba

Azure Domain joined computers admin/standard users


We need the ability to have local admins / domain admins (either or) able to sign in separately from the enrolled end users. We need to limit the end user from installing whatever they want.

This is on an Azure domain.

Azure AD user in Windows 10 - local admin problem


Hi

We have Office 365 Business Essentials and Premium licenses, we do not have AAD Premium, EMS, Intune licenses.

If I log in to a new PC using some user's O365 credentials (not an O365 admin user account), this user becomes a local admin on that PC.

But if I use some other user's O365 credentials (not an O365 admin user account) to log in to that same PC, this second user that logs in to the same PC is not a local admin.

Also, I can't find anywhere on that PC to change this.

How do I control which (O365) user account is local admin and which is not?

Azure AD Join gives ADMIN rights to user - A STEP BACK IN IT SECURITY, IS IT?


So, we're currently trialing Microsoft EMS in our organization and have set up a trial environment for a pilot program. Our estate is made up of standalone PCs or groups of PCs in LANs/workgroups, and we do not have any on-prem AD DS or ADFS in place. In short, a cloud-only setup.

With that said, we have been trying to set up self-provisioning and out-of-box enrolment / AD join for our Windows 10 Pro devices (laptops and desktops), in line with the guidance notes provided on the Docs & TechNet portal for setting up Azure AD join for devices, but have had no luck so far.

Here are the key issues we're facing:

-       IF we let the employees perform Azure AD Join for their corporate-owned devices, then the employee is made Administrator, and after the joining happens, the rest of the MDM enrolment process kicks in, with all the policies set in the MDM, restrictions etc. The challenge here is that we cannot let the end user / non-IT staff have elevated permissions as administrator on their work laptops/desktops.

Leaving the employee with Admin permissions on the device has 2 key issues:

  1.     The user can install ANY application from anywhere online and run it on the device with elevated permissions, which is a major risk, and there is NO way to prevent this using Intune or any other MDM out there. This is a risk we cannot take.
  2.     Any IT company / Managed Service Provider would not take responsibility if anything happens, because they're not comfortable with the end user left with Admin permissions on the machine.

OR

-       IF we have an IT Admin perform the AD Join (and MDM enrolment) for all of our devices (before a device is handed over to the end user), then the issue we're facing when the device is given to the end user and he logs in as Other User with his Office 365 credentials is that the user is not able to access the Office 365 resources which require conditional access (devices must be compliant or domain joined).

When attempting to access, say, Exchange Online, the user is presented with the error: "Your IT Admin is ensuring this device is compliant and this may take some time. To check the status check the company portal". Now, in the company portal, it says "you must Enrol this device" and shows an Enrol button which is basically a link to download the Intune Client. And when we try to download the Intune Client, again we're presented with an error message: "This device is already managed by an MDM", i.e. the built-in MDM of Windows 10.

Any guidance / help with this conundrum will be highly appreciated. Many thanks.


Group Policy Management through Azure Active Directory Possible?


Our company has a new entity that will consist of remote employees. There is no physical location with a physical server setup. These employees will be traveling a large portion of the time, and all software they need to access will be cloud based. We want them to be able to connect to O365 and other Microsoft cloud services, and so have made a custom domain for them in our Azure tenant, and I have confirmed connectivity.

We want to know if it is possible to administer group policy to these computers. I have read the article (Administer Group Policy on an Azure AD Domain Services managed domain) that shows that this is possible, but I cannot get this to work. Does group policy through Azure AD DS or an Azure VM with AD DS only affect other VMs, or can it push group policy to physical devices?



User name or password is incorrect when performing domain join to Azure VM

  1. Installed AAD Domain Services with domain name "mydomain.com"
  2. Added verified custom domain "mydomain.com"
  3. Made "mydomain.com" primary
  4. Created AAD user "admin@mydomain.com"
  5. Converted temp password to permanent password
  6. Logged into Azure with permanent password
  7. Added "admin@mydomain.com" to domain administrators group
  8. Ensured VM can see domain services for "mydomain.com"
  9. When performing domain join, receive "The user name or password is incorrect"

I've tried the following credential combinations when doing the domain join (username : password)

  1. admin : pwd
  2. admin@mydomain.com : pwd
  3. mydomain.com\admin : pwd
  4. mydomain.com\admin@mydomain.com : pwd

None of these work and ultimately give me a lockout indication. I created additional users to continue trying these steps, but nothing is working.


Stephen




AADC user/contact matching issues


Hello,

We have gone from an on-prem Exchange to EOL, but we still have on-prem Exchange for management of user objects; everything mail related is done in EOL.

Now we're having issues that for some reason our "Azure AD Connect" has matched a user object (which isn't even enabled for Exchange) and a contact object and decided they are one and the same. Which means the contact isn't working in O365!

So, how do I break the matching? I've removed the "mail" attribute from the user object as well as all smtp/proxyaddress and made sure there is nothing in common between the two and done a full import/sync in AADC yet the matching is still there and then it writes back some X500 addresses back as proxyaddresses!

Is there any way to manually break the matching? Because they really have nothing in common!!

Unable to Join to Azure domain


I have a VM in Azure running Server 2016 with the Active Directory Domain Controller role (not Azure AD, but the AD role set up on a VM!), and for this I use our public domain intra.test.online (I didn't share the actual domain name). For some reason I'm no longer able to join any machine to this domain, and it worked before. I get the prompt asking me for user name and password, and then I get the error "The Network Path was not found". I did try disabling the FW on both sides and adding the Azure VM's public IP as preferred DNS on the local VM, but I still get the error!

Thanks!


Alen Mikic
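Both domain-join threads above (the AAD DS "user name or password is incorrect" steps and the "Network Path was not found" join to a VM-hosted DC) fail before credentials can be meaningfully tested unless DNS and port reachability to a domain controller are in place. The following PowerShell diagnostic is an added example, not code from either poster; it assumes it runs on the machine being joined, and `mydomain.com` is a placeholder for the real domain.

```powershell
# Added diagnostic (not from the forum posts): verifies the DNS and network
# prerequisites a domain join depends on, from the machine being joined.
# $DomainName is a placeholder; pass the real domain name.
param([string]$DomainName = "mydomain.com")

$result = [ordered]@{}

# 1. Which DNS servers is this machine using? The join must resolve the
#    domain's SRV records, so the resolver has to be the AAD DS managed
#    domain's DNS IPs (or the VM-hosted DC), not a public resolver and not
#    a DC's *public* IP that is filtered or not listening for DNS.
$result.DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

# 2. Locate domain controllers through the _ldap._tcp.dc._msdcs SRV record.
#    If this lookup fails, the join cannot find a DC at all.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $result.DomainControllers = @($srv | Select-Object -ExpandProperty NameTarget -Unique)
} catch {
    $result.DomainControllers = @()
    $result.SrvError = $_.Exception.Message
}

# 3. For each DC found, check the TCP ports a join needs. "The network path
#    was not found" is typically a DNS or SMB (445) reachability failure,
#    not a bad password.
$ports = 53, 88, 135, 389, 445, 464
$result.PortChecks = @(foreach ($dc in $result.DomainControllers) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p; Open = $t.TcpTestSucceeded }
    }
})

# 4. Ask the Netlogon DC locator which DC it would pick; it fails with a
#    clear reason when DNS is wrong, without touching any account lockout
#    counters the way repeated join attempts do.
$result.DcLocator = (& nltest.exe /dsgetdc:$DomainName 2>&1) -join "`n"

[pscustomobject]$result | Format-List
$result.PortChecks | Format-Table -AutoSize
```

Run the checks before retrying the join with different credential formats; every failed credential attempt against a reachable DC counts toward lockout, while these checks do not.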

Domain Joined device is not synced to Azure after enabling device writeback


Hi!

I've just enabled the device writeback feature on Azure AD Connect, but devices which are joining the on-premises domain are now not replicated to Azure AD.

I checked Sync Service Manager and it only shows "Projections: 1" and "Connectors with Flow Updates: 1" with a new device. No "Adds" or whatsoever. Containers are checked and it worked before...

Does anyone know what could go wrong?

Unable to install the Synchronization Service. Please see the event log for additional details.

[13:07:43.047] [ 16] [INFO ] AzureTenantPage: Windows Azure tenant credentials validation succeeded.
[13:07:43.063] [ 1] [INFO ] Page transition from "Connect to Azure AD" [AzureTenantPageViewModel] to "Connect to AD DS" [ConfigOnPremiseCredentialsPageViewModel]
[13:07:43.078] [ 1] [INFO ] Property Username failed validation with error Enterprise Administrator credentials are required
[13:07:54.621] [ 1] [INFO ] Property Username failed validation with error The username format is incorrect. Specify the username in the format of DOMAIN\username.
[13:07:56.962] [ 1] [INFO ] Property Password failed validation with error A password is required - unless using a Virtual or Managed Service Account .
[13:08:10.333] [ 7] [INFO ] ConfigOnPremiseCredentialsPage: Validating credentials for user - KOOL-IP\administer
[13:08:10.370] [ 7] [INFO ] ConfigOnPremiseCredentialsPage: LogonUser succeeded for user KOOL-IP\administer
[13:08:10.374] [ 7] [INFO ] ActiveDirectoryProvider.GetRootDomainName: getting user root domain name
[13:08:10.405] [ 7] [INFO ] ActiveDirectoryProvider.GetRootDomainName: user root domain - KooL-IP.ca
[13:08:10.407] [ 7] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: checking if KOOL-IP\administer has AccountEnterpriseAdminsSid privileges in KooL-IP.ca
[13:08:10.614] [ 7] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: domain sid - S-1-5-21-821616781-20522954-931919424, group sid - S-1-5-21-821616781-20522954-931919424-519
[13:08:10.616] [ 7] [INFO ] ActiveDirectoryProvider.GetGroupMembershipSidsForUser: retrieving group membership SIDs from AD
[13:08:10.622] [ 7] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: found membership - user is a member of the group
[13:08:10.644] [ 7] [INFO ] ValidateCredentials UseExpressSettings: The domain name 'KooL-IP.ca' was successfully matched.
[13:08:10.648] [ 7] [INFO ] ConfigOnPremiseCredentialsPage: Validating forest
[13:08:10.655] [ 7] [INFO ] Validating forest with FQDN KooL-IP.ca
[13:08:10.717] [ 7] [INFO ] Examining domain KooL-IP.ca (:0% complete)
[13:08:10.730] [ 7] [INFO ] ValidateForest: using DC.KooL-IP.ca to validate domain KooL-IP.ca
[13:08:10.733] [ 7] [INFO ] Successfully examined domain KooL-IP.ca GUID:90180d0d-1f0c-49f1-a6f6-678efaa6fd4f DN:DC=KooL-IP,DC=ca
[13:08:10.758] [ 7] [INFO ] ConfigOnPremiseCredentialsPageViewModel: Credentials will be used to administer the AD MA account (New Install).
[13:08:10.813] [ 7] [VERB ] MsolDomainExtensions.ConnectMsolService: Connecting to MSOL service.
[13:08:10.813] [ 7] [INFO ] DiscoverAzureEndpoints [AzurePowerShell]: ServiceEndpoint=https://provisioningapi.microsoftonline.com/provisioningwebservice.svc, AdalAuthority=https://login.windows.net/koolipsolutions.onmicrosoft.com, AdalResource=https://graph.windows.net.
[13:08:10.813] [ 7] [INFO ] AcquireServiceToken [AzurePowerShell]: acquiring additional service token.
[13:08:10.813] [ 7] [INFO ] ADAL: 2018-08-08T20:08:10.8136169Z: cf012fcb-aced-44a8-b8dd-6a48b4933b37 - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[13:08:10.813] [ 7] [INFO ] ADAL: 2018-08-08T20:08:10.8136169Z: cf012fcb-aced-44a8-b8dd-6a48b4933b37 - LoggerBase.cs: === Token Acquisition started:
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[13:08:10.813] [ 7] [INFO ] ADAL: 2018-08-08T20:08:10.8136169Z: cf012fcb-aced-44a8-b8dd-6a48b4933b37 - LoggerBase.cs: An item matching the requested resource was found in the cache
[13:08:10.813] [ 7] [INFO ] ADAL: 2018-08-08T20:08:10.8136169Z: cf012fcb-aced-44a8-b8dd-6a48b4933b37 - LoggerBase.cs: 59.46066733 minutes left until token in cache expires
[13:08:10.813] [ 7] [INFO ] ADAL: 2018-08-08T20:08:10.8136169Z: cf012fcb-aced-44a8-b8dd-6a48b4933b37 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
[13:08:10.813] [ 7] [INFO ] ADAL: 2018-08-08T20:08:10.8136169Z: cf012fcb-aced-44a8-b8dd-6a48b4933b37 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 8/8/2018 9:07:38 PM +00:00
[13:08:10.813] [ 7] [INFO ] PowerShellHelper.ConnectMsolService: Connecting using an AccessToken. AzureEnvironment=0.
[13:08:11.453] [ 7] [INFO ] Page transition from "Connect to AD DS" [ConfigOnPremiseCredentialsPageViewModel] to "Azure AD sign-in" [UserSignInConfigPageViewModel]
[13:08:11.456] [ 7] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.UserSignInConfigPageViewModel.ValidateScenario in Page:"Azure AD sign-in configuration"
[13:08:11.457] [ 7] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:4969
[13:08:11.522] [ 9] [VERB ] MsolDomainExtensions.ConnectMsolService: Connecting to MSOL service.
[13:08:11.522] [ 9] [INFO ] DiscoverAzureEndpoints [AzurePowerShell]: ServiceEndpoint=https://provisioningapi.microsoftonline.com/provisioningwebservice.svc, AdalAuthority=https://login.windows.net/koolipsolutions.onmicrosoft.com, AdalResource=https://graph.windows.net.
[13:08:11.522] [ 9] [INFO ] AcquireServiceToken [AzurePowerShell]: acquiring additional service token.
[13:08:11.523] [ 9] [INFO ] ADAL: 2018-08-08T20:08:11.5235234Z: 3cbb037a-46ee-4ed5-8aff-72d68df1c04e - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[13:08:11.523] [ 9] [INFO ] ADAL: 2018-08-08T20:08:11.5235234Z: 3cbb037a-46ee-4ed5-8aff-72d68df1c04e - LoggerBase.cs: === Token Acquisition started:
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[13:08:11.523] [ 9] [INFO ] ADAL: 2018-08-08T20:08:11.5235234Z: 3cbb037a-46ee-4ed5-8aff-72d68df1c04e - LoggerBase.cs: An item matching the requested resource was found in the cache
[13:08:11.523] [ 9] [INFO ] ADAL
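Triaging a wizard trace like the one quoted above is easier when the ADAL lines are reduced to one row per correlation ID: was the token served from cache, when does it expire, how much lifetime was left at the moment of use, and which tenant and writeback features the Authenticate step reported. The script below is an added example, not part of the original post or of the AAD Connect product; it assumes only the line shapes visible in the excerpt (ADAL timestamp with seven fractional digits, en-US "Expiration Time" with an explicit offset, the `Authenticate: tenantId=(...)` line and the `Property X failed validation` lines). The sample log is constructed from a handful of lines copied from the excerpt.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a few lines copied from the trace excerpt above. The GUIDs are
# the ones that appear in the post; they are used here only as parsing input.
SAMPLE_LOG = """\
[13:07:39.594] [ 16] [INFO ] ADAL: 2018-08-08T20:07:39.5942806Z: d3dcb9bf-e012-4a81-a805-358959c0ad90 - LoggerBase.cs: An item matching the requested resource was found in the cache
[13:07:39.594] [ 16] [INFO ] ADAL: 2018-08-08T20:07:39.5942806Z: d3dcb9bf-e012-4a81-a805-358959c0ad90 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 8/8/2018 9:07:38 PM +00:00
[13:07:39.953] [ 16] [INFO ] Authenticate: tenantId=(fd114970-cb11-4668-97fe-5aa45825bd35), IsDirSyncing=False, IsPasswordSyncing=True, DomainName=, DirSyncFeatures=8249, AllowedFeatures=ObjectWriteback, PasswordWriteback.
[13:07:43.078] [ 1] [INFO ] Property Username failed validation with error Enterprise Administrator credentials are required
[13:08:10.813] [ 7] [INFO ] ADAL: 2018-08-08T20:08:10.8136169Z: cf012fcb-aced-44a8-b8dd-6a48b4933b37 - LoggerBase.cs: === Token Acquisition started:
[13:08:10.813] [ 7] [INFO ] ADAL: 2018-08-08T20:08:10.8136169Z: cf012fcb-aced-44a8-b8dd-6a48b4933b37 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 8/8/2018 9:07:38 PM +00:00
"""

# One ADAL line: UTC timestamp (7 fractional digits), correlation ID, free-text message.
ADAL_RE = re.compile(
    r"ADAL: (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(?P<frac>\d+)Z: "
    r"(?P<corr>[0-9a-f-]{36}) - LoggerBase\.cs: (?P<msg>.*)$"
)
EXPIRY_RE = re.compile(r"Expiration Time: (?P<exp>.+)$")
TENANT_RE = re.compile(
    r"Authenticate: tenantId=\((?P<tid>[0-9a-f-]{36})\).*AllowedFeatures=(?P<feat>.*?)\.?$"
)
VALIDATION_RE = re.compile(r"Property (?P<prop>\w+) failed validation with error (?P<err>.*)$")


def parse_adal_timestamp(base: str, frac: str) -> datetime:
    """ADAL writes seven fractional digits; datetime keeps six, so truncate
    (not round, so ordering is preserved) and mark the value as UTC."""
    micros = int(frac[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc
    )


def parse_expiry(text: str) -> datetime:
    """The wizard prints the expiry in en-US culture with an explicit offset."""
    return datetime.strptime(text.strip(), "%m/%d/%Y %I:%M:%S %p %z")


def summarize_trace(log_text: str) -> dict:
    """Collapse a trace into: tenant ID, AllowedFeatures, per-correlation token
    facts (cached? expiry? minutes left at time of use) and validation failures."""
    tokens: dict = {}
    tenant_id = None
    allowed_features: list = []
    failures: list = []

    for line in log_text.splitlines():
        m = ADAL_RE.search(line)
        if m:
            entry = tokens.setdefault(
                m["corr"], {"cached": False, "expires": None, "minutes_left": None}
            )
            if "found in the cache" in m["msg"]:
                entry["cached"] = True
            e = EXPIRY_RE.search(m["msg"])
            if e:
                used_at = parse_adal_timestamp(m["ts"], m["frac"])
                expires = parse_expiry(e["exp"])
                entry["expires"] = expires
                entry["minutes_left"] = (expires - used_at).total_seconds() / 60
            continue
        m = TENANT_RE.search(line)
        if m:
            tenant_id = m["tid"]
            allowed_features = [f.strip() for f in m["feat"].split(",") if f.strip()]
            continue
        m = VALIDATION_RE.search(line)
        if m:
            failures.append((m["prop"], m["err"]))

    return {
        "tenant_id": tenant_id,
        "allowed_features": allowed_features,
        "tokens": tokens,
        "validation_failures": failures,
    }


if __name__ == "__main__":
    summary = summarize_trace(SAMPLE_LOG)
    print("tenant:", summary["tenant_id"], "features:", summary["allowed_features"])
    for corr, facts in summary["tokens"].items():
        print(f"{corr} cached={facts['cached']} expires={facts['expires']} "
              f"minutes_left={facts['minutes_left']:.2f}")
    for prop, err in summary["validation_failures"]:
        print(f"validation failure on {prop}: {err}")
```

The "minutes left" the script derives (about 59.97 for the first acquisition) lines up with the figure ADAL itself logs on the neighbouring line, which is a quick sanity check that the timestamp and expiry were parsed with the right time zone. The AllowedFeatures field is worth surfacing because it records whether writeback to on-premises AD was enabled for the tenant at install time.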

Unable to authenticate using OpenID Connect to Azure AD


Hello,

I am integrating Azure AD authentication in my application to authenticate the user and also to search for users using Microsoft Graph. But I am unable to get the access token back from Azure AD. The main issue I am facing is that when I run the application in my organization's network I am not redirected to the Microsoft login page, but when I run the application outside my organization's network I am redirected to the Microsoft login page. Do I need to use another URL to redirect to the Microsoft login page? Below is the Authority URL I am using to connect to.

Authority :"https://login.microsoftonline.com/common/v2.0"

Thank you in advance!

Regards,

Soni



How to add external users to AD in the new portal?


Hi,

I have just received an e-mail that the AD management in the old portal (manage.windowsazure.com) will be retired on 30th November 2017.

But it is not possible (I haven't yet found the way to do it) in the new portal (portal.azure.com) to add external users to AD (users with a Microsoft account or from another AD) as it was possible in the old portal. See attached pictures.

AAD Connect Group Sync Issue


Hello,

I want to do a pilot for AAD Connect. The AAD Tenant already exists. As part of pilot I want to sync only a handful of pilot users. I don't want to sync groups or any other objects.

I installed and configured AAD Connect in custom mode and provided the pilot group to do object filtering based on group membership (say SyncToAAD group). I followed steps @ https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom

It clearly says "All objects you want to synchronize must be a direct member of the group. Users, groups, contacts, and computers/devices must all be direct members. Nested group membership is not resolved."

However, once I was done with the configuration it synced a whole bunch of AD groups from AAD to AD. They were not members of the SyncToAAD group. It did not sync the members, but based on email address match it renamed a few group names. This was not an expected behavior for me. How do I stop it? How do I stop synchronization of groups between AD and AAD and vice versa?

Thanks,

AD Connect - Missing default attributes in Graph API


Hi,

I have AD Connect configured with my local domain and Azure. Everything looks good except that I can't see various 'default' attributes when querying Graph API.

For example, a default attribute that is listed is 'assistant', so I've updated assistant and synced this to Azure AD.

When I query Azure AD via Graph API, the property 'assistant' is not shown.

AADC - Default attributes includes 'assistant'

Local AD - Assistant set correctly in user account

Sync result shows OK

Fields returned by Graph API do not show 'assistant'

I did have success adding a custom extension field for employeeID .... and that appeared straight away with the $select=* query in Graph API; however, my question is how do I access the attributes that should be 'default'?

Any help would be appreciated!

Thanks

** These are the fields returned by Graph API - note the custom extension that was successfully added ...

deletedDateTime
accountEnabled
ageGroup
businessPhones
city
companyName
consentProvidedForMinor
country
createdDateTime 
department
displayName
givenName
jobTitle
legalAgeGroupClassification
mail
mailNickname
mobilePhone
onPremisesDomainName
onPremisesImmutableId
onPremisesLastSyncDateTime
onPremisesProvisioningErrors
onPremisesSecurityIdentifier
onPremisesSamAccountName
onPremisesSyncEnabled
onPremisesUserPrincipalName 
passwordPolicies
passwordProfile
officeLocation
onPremisesExtensionAttributes
postalCode
preferredLanguage
proxyAddresses
imAddresses
isResourceAccount
state
streetAddress
surname
usageLocation
userPrincipalName
userType
extension_9c3d4c6fc7eb4601804ef9ecac7fea22_employeeID
id
assignedLicenses
assignedPlans
provisionedPlans

AAD custom rule to manage devices


Need to provide custom AAD permissions to a group of users


Permissions: Manage AAD Devices (Create and delete Devices, and read and update all properties in Azure Active Directory)

Property: microsoft.aad.directory/Device/AllActions/AllProperties

Source: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

Anyone got lucky and managed to create a custom rule in Azure AD?

SAML required Permissions AAD


Hello,

I have a question regarding the permissions for the SAML mechanism. The aim is to use the ADAL SDK within this authentication process. I followed this guide (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-customer-cloud-tutorial) to set up Azure AD.

Below is the simplified authentication process.

The SAML-enabled application (Service Provider) redirects to Azure AD (the Identity Provider), where no password is stored. The URL is https://login.microsoftonline.com/xxxxx; after providing the UPN I get forwarded to the internal ADFS, where I enter the password, and afterwards I get directed back to Azure AD, where the permission error occurs.

After providing the right credentials for the user in the internal ADFS, an error occurs in Azure AD regarding the permissions for AAD.

"AADSTS65005: Misconfigured application. This could be due to one of the following:
The client has not listed any permissions for 'AAD Graph' in the requested
permissions in the client's application registration. Or, the admin has not consented
in the tenant."

The application doesn't need any further permissions to access APIs on Azure AD except the ones needed for the SAML process. In the scenario where the error occurs, only read permissions are set (application and delegation); I think write permissions are also required due to the management of the several tokens, but which exactly? I don't want to give the application more permissions than required.

What permissions are needed exactly in this scenario?

Thank you very much and kind regards,

Flo
