Channel: Azure Active Directory forum

Add an app role using Microsoft Graph API

I have created an app registration in Azure AD. I want to add an app role using the Microsoft Graph API programmatically. Is this functionality supported by the Microsoft Graph API?
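Added example (not from the original post, and not Microsoft's code): app roles live in the appRoles collection of the application object, and Graph updates that collection with a PATCH against /v1.0/applications/{object-id} that carries the whole collection, not just the new entry. The helper below builds that body from a GET of the existing roles, refuses duplicate role values and IDs up front, and shows the two-step disable-then-remove that Graph requires for deleting a role. The GUIDs and the "Data.Read"/"Data.Write" role values are constructed; the token placeholder stands for a token holding Application.ReadWrite.All (or Application.ReadWrite.OwnedBy for apps the caller owns).

```python
"""Build the Microsoft Graph PATCH body that adds an app role to an application.

Graph exposes app roles as the `appRoles` collection on the application
object (PATCH https://graph.microsoft.com/v1.0/applications/{object-id}).
The collection is replaced as a whole, so the body must carry every existing
role plus the new one; a role left out is deleted, and Graph refuses to drop
a role that is still enabled.
"""
import json
import uuid
from typing import Dict, List, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_app_role(display_name: str, value: str, description: str,
                   allowed_member_types: Optional[List[str]] = None,
                   role_id: Optional[str] = None) -> Dict:
    """Return one appRole resource. `value` is what ends up in the token's
    `roles` claim, so it must be non-empty and contain no whitespace."""
    if not value or any(ch.isspace() for ch in value):
        raise ValueError("app role value must be non-empty and contain no whitespace")
    member_types = allowed_member_types or ["User"]
    for m in member_types:
        if m not in ("User", "Application"):
            raise ValueError(f"unsupported allowedMemberType: {m}")
    return {
        "id": role_id or str(uuid.uuid4()),   # new roles need a fresh GUID
        "allowedMemberTypes": member_types,
        "description": description,
        "displayName": display_name,
        "isEnabled": True,
        "value": value,
    }


def add_app_role(application: Dict, new_role: Dict) -> Dict:
    """PATCH body for `application` (JSON from GET /applications/{id}?$select=appRoles)
    with `new_role` appended. Duplicate values/ids are rejected here because
    Graph rejects them too, with a less readable error."""
    existing = list(application.get("appRoles", []))
    if new_role["value"] in {r.get("value") for r in existing}:
        raise ValueError(f"app role value {new_role['value']!r} already exists")
    if new_role["id"] in {r["id"] for r in existing}:
        raise ValueError(f"app role id {new_role['id']} already exists")
    return {"appRoles": existing + [new_role]}


def disable_app_role(application: Dict, value: str) -> Dict:
    """PATCH body that sets isEnabled=false on the role with `value`.
    Graph requires this PATCH before a later PATCH may omit the role."""
    roles, found = [], False
    for r in application.get("appRoles", []):
        r = dict(r)                      # do not mutate the caller's copy
        if r.get("value") == value:
            r["isEnabled"] = False
            found = True
        roles.append(r)
    if not found:
        raise KeyError(value)
    return {"appRoles": roles}


def patch_request(app_object_id: str, body: Dict) -> Dict:
    """Describe the HTTP request without sending it (no network in this example)."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/applications/{app_object_id}",
        "headers": {"Content-Type": "application/json",
                    "Authorization": "Bearer <token with Application.ReadWrite.All>"},
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    # Constructed sample of what GET /applications/{id}?$select=appRoles returns.
    app = {"appRoles": [build_app_role("Reader", "Data.Read", "Read-only access",
                                        role_id="11111111-1111-1111-1111-111111111111")]}
    role = build_app_role("Writer", "Data.Write", "Read/write access", ["User", "Application"])
    req = patch_request("00000000-0000-0000-0000-000000000000", add_app_role(app, role))
    print(req["method"], req["url"])
    print(req["body"])
```

Note that `app_object_id` is the application's object id, not its appId (client id); the `$select=appRoles` GET and the PATCH use the same id. Assigning users or groups to the new role afterwards is a separate call against the service principal's appRoleAssignedTo collection.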

Differences to SCIM specification


I am trying to integrate SCIM support for Azure AD into an existing web application. At the moment I am struggling with several points.

  • Azure AD is sending PATCH requests for simple attributes with a complex attribute as the value, e.g.
    {
      "op": "Replace",
      "path": "userName",
      "value": [
        { "$ref": null, "value": "blubb2@mysignavio.onmicrosoft.com" }
      ]
    }
    This is in contrast to the SCIM specification.
  • Azure AD is upper-casing operations in PATCH requests, e.g. "Add" instead of "add":
    {
      "op": "Add",
      "path": "name.formatted",
      "value": [
        { "$ref": null, "value": "Blubb Blabb" }
      ]
    }

  • The URLs for Users and Groups have to have "scim" as a prefix, e.g. https://examplewebapp.com/.../scim/Users. The specification does not mention a "scim" prefix. This can force additional adjustments for existing implementations that don't have such a prefix in the URL.
  • When Azure AD sends PATCH requests, the add operation sometimes contains filters in the path. This is not part of the SCIM specification and is not supported by many frameworks.
  • Azure AD is using the schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User. Is there a way to choose the core User schema of SCIM? Is it enough to support the core schema when only core attributes are mapped?
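Added example (not part of the original post, and not a reference implementation from Microsoft or any SCIM framework): a small normalizer for the three request shapes the post describes, i.e. capitalised op names, scalar values wrapped as [{"$ref": null, "value": x}], and filtered paths in add/remove operations. It applies the normalized operations to a plain dict so the behaviour can be checked without a SCIM library. The filtered-path example `emails[type eq "work"].value` is a constructed sample; the two payloads from the post are reproduced in the test.

```python
"""Normalizer for the Azure AD SCIM PATCH shapes described in the post.

Lower-cases the op name, unwraps scalar values sent as
[{"$ref": null, "value": x}], parses filtered paths such as
emails[type eq "work"].value, and applies the result to a user-like dict."""
import copy
import re
from typing import Any, Dict, Optional

# attr[filterAttr eq "value"] with an optional .subAttr suffix.
_FILTER_PATH = re.compile(
    r'^(?P<attr>[A-Za-z0-9_.:]+)\[(?P<fattr>[A-Za-z0-9_.]+)\s+eq\s+'
    r'"(?P<fval>[^"]*)"\](?:\.(?P<sub>[A-Za-z0-9_.]+))?$'
)


def parse_path(path: str) -> Dict[str, Optional[str]]:
    """Split a SCIM path into attribute, optional eq-filter and sub-attribute."""
    m = _FILTER_PATH.match(path)
    if not m:
        return {"attr": path, "filter_attr": None, "filter_value": None, "sub": None}
    return {"attr": m.group("attr"), "filter_attr": m.group("fattr"),
            "filter_value": m.group("fval"), "sub": m.group("sub")}


def unwrap_value(value: Any) -> Any:
    """Return x for the wrapper [{"$ref": null, "value": x}]; pass anything else through.
    This is shape-based only; a real implementation should consult the schema,
    because a genuine single-element multi-valued attribute looks the same."""
    if (isinstance(value, list) and len(value) == 1 and isinstance(value[0], dict)
            and "value" in value[0] and set(value[0]) <= {"$ref", "value"}):
        return value[0]["value"]
    return value


def normalize_operation(op: Dict[str, Any]) -> Dict[str, Any]:
    """RFC 7644 op names are add/remove/replace in lower case."""
    out = dict(op)
    out["op"] = str(op.get("op", "")).lower()
    if out["op"] not in ("add", "remove", "replace"):
        raise ValueError(f"unknown PATCH op: {op.get('op')!r}")
    if out["op"] != "remove" and "value" not in out:
        raise ValueError(f"{out['op']} operation without a value")
    if "value" in out:
        out["value"] = unwrap_value(out["value"])
    return out


def normalize_patch(body: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a PatchOp body with every operation normalized."""
    ops = body.get("Operations")
    if not isinstance(ops, list):
        raise ValueError("PatchOp body must carry an Operations list")
    out = copy.deepcopy(body)
    out["Operations"] = [normalize_operation(o) for o in ops]
    return out


def _set_dotted(target: Dict[str, Any], dotted: str, value: Any, remove: bool) -> None:
    parts = dotted.split(".")
    for key in parts[:-1]:
        target = target.setdefault(key, {})
    if remove:
        target.pop(parts[-1], None)
    else:
        target[parts[-1]] = value


def apply_patch(resource: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """Apply a PatchOp to a user-like dict and return the updated copy.
    Unsupported shapes raise rather than being silently ignored."""
    user = copy.deepcopy(resource)
    for op in normalize_patch(body)["Operations"]:
        if "path" not in op:                      # path-less add/replace with a dict value
            if op["op"] == "remove" or not isinstance(op["value"], dict):
                raise ValueError("path-less operations need a dict value and cannot be remove")
            user.update(op["value"])
            continue
        p = parse_path(op["path"])
        if p["filter_attr"] is None:              # userName, name.formatted, ...
            _set_dotted(user, p["attr"], op.get("value"), op["op"] == "remove")
            continue
        items = user.setdefault(p["attr"], [])    # multi-valued attribute with filter
        match = next((i for i in items if i.get(p["filter_attr"]) == p["filter_value"]), None)
        if op["op"] == "remove":
            if match is not None:
                if p["sub"]:
                    match.pop(p["sub"], None)
                else:
                    items.remove(match)
            continue
        if match is None:                         # add creates the element the filter names
            match = {p["filter_attr"]: p["filter_value"]}
            items.append(match)
        if p["sub"]:
            match[p["sub"]] = op["value"]
        elif isinstance(op["value"], dict):
            match.update(op["value"])
        else:
            raise ValueError(f"cannot apply scalar value to filtered path {op['path']!r}")
    return user
```

On the last bullet: the example leaves schema questions alone, since which schema URNs to advertise depends on what the provisioning mapping sends; `unwrap_value` is where a schema-aware check would go.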

Destination IPs or domains for Azure MFA & AD Connect for on-prem AD Connect & MFA servers


Hi,

We are implementing Azure AD Connect with Azure MFA as a multifactor solution that will integrate with Citrix NetScaler for users logging in remotely via NetScaler.

We need to configure the on-prem core firewalls to allow communication from the on-prem AD Connect/MFA Server (a single server) to Azure AD Connect and Azure MFA services.

I have found the following list of IPs and domains and just want to know whether all of them are actually required to get Azure AD Connect and Azure MFA working:

Destination                                          Protocol  Port
134.170.116.0/25 OR pfd.phonefactor.net              TCP       443
134.1470.165.0/25 OR pfd2.phonefactor.net            TCP       443
70.37.154.128/25 OR css.phonefactor.net              TCP       443
api.informationprotection.azure.com                  TCP       443
mobile.pipe.aria.microsoft.com                       TCP       443
*.portal.cloudappsecurity.com                        TCP       443
*.us.portal.cloudappsecurity.com                     TCP       443
*.eu.portal.cloudappsecurity.com                     TCP       443
*.eu2.portal.cloudappsecurity.com                    TCP       443
*.us2.portal.cloudappsecurity.com                    TCP       443
*.us3.portal.cloudappsecurity.com                    TCP       443
account.office.net                                   TCP       443
admin.microsoft.com                                  TCP       443
home.office.com                                      TCP       443
portal.office.com                                    TCP       443
www.office.com                                       TCP       443
*.aria.microsoft.com                                 TCP       443
browser.pipe.aria.microsoft.com                      TCP       443
portal.microsoftonline.com                           TCP       443
nexus.officeapps.live.com                            TCP       443
nexusrules.officeapps.live.com                       TCP       443
amp.azure.net                                        TCP       443
*.o365weve.com                                       TCP       443
auth.gfx.ms                                          TCP       443
appsforoffice.microsoft.com                          TCP       443
assets.onestore.ms                                   TCP       443
az826701.vo.msecnd.net                               TCP       443
c.microsoft.com                                      TCP       443
c1.microsoft.com                                     TCP       443
client.hip.live.com                                  TCP       443
contentstorage.osi.office.net                        TCP       443
dgps.support.microsoft.com                           TCP       443
docs.microsoft.com                                   TCP       443
groupsapi-prod.outlookgroups.ms                      TCP       443
groupsapi2-prod.outlookgroups.ms                     TCP       443
groupsapi3-prod.outlookgroups.ms                     TCP       443
groupsapi4-prod.outlookgroups.ms                     TCP       443
msdn.microsoft.com                                   TCP       443
products.office.com                                  TCP       443
prod.msocdn.com                                      TCP       443
r1.res.office365.com                                 TCP       443
r4.res.office365.com                                 TCP       443
*.manage.office.com                                  TCP       443
*.protection.office.com                              TCP       443
protection.office.com                                TCP       443
*.blob.core.windows.net                              TCP       443
office365servicehealthcommunications.cloudapp.net    TCP       443
signup.microsoft.com                                 TCP       443
testconnectivity.microsoft.com                       TCP       443
securescore.office.com                               TCP       443


The above information was sourced from:

https://support.office.com/en-us/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-AU&ad=AU#bkmk_portal_ip

AND:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy

Thanks,

James
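Added check (not from the original post): before a list like the one above is typed into a rule base, it is worth running it through a parser that validates each destination. The script below, written for this page, reads destination/protocol/port triples in the layout the post uses, validates CIDR ranges strictly, accepts plain and wildcard FQDNs, and reports anything unparseable together with the wildcard entries, which a plain L3/L4 firewall cannot enforce without a DNS-aware or proxy rule. The embedded SAMPLE is a constructed excerpt of the post's list and deliberately keeps the "134.1470.165.0/25" entry as written so the check has something to catch. It says nothing about which endpoints a given service needs; that is what the two linked documents are for.

```python
"""Syntax check for a copied firewall allow-list (destination / protocol / port
triples). Catches entries a rule base would reject or, worse, mis-enter."""
import ipaddress
import re
from typing import Dict, List

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_destination(dest: str) -> Dict[str, str]:
    """Return {"kind": network|host|wildcard|invalid, "value": ...} for one destination."""
    dest = dest.strip()
    try:
        # strict=True also rejects ranges whose host bits are set (e.g. 10.0.0.1/24).
        return {"kind": "network", "value": str(ipaddress.ip_network(dest, strict=True))}
    except ValueError:
        pass
    wildcard = dest.startswith("*.")
    host = dest[2:] if wildcard else dest
    labels = host.split(".")
    if len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels):
        return {"kind": "wildcard" if wildcard else "host", "value": dest.lower()}
    return {"kind": "invalid", "value": dest}


def parse_allow_list(text: str) -> List[Dict]:
    """Parse destination/protocol/port triples. 'A OR B' keeps both alternatives
    (a published IP range and the DNS name that resolves into it) on one rule."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("expected destination, protocol, port triples")
    rules = []
    for i in range(0, len(lines), 3):
        dest_line, proto, port = lines[i], lines[i + 1].upper(), lines[i + 2]
        rule = {"source": dest_line, "protocol": proto, "port": port,
                "destinations": [], "problems": []}
        if proto not in ("TCP", "UDP"):
            rule["problems"].append(f"unknown protocol {proto}")
        if not (port.isdigit() and 0 < int(port) < 65536):
            rule["problems"].append(f"bad port {port}")
        for dest in re.split(r"\s+OR\s+", dest_line):
            d = classify_destination(dest)
            rule["destinations"].append(d)
            if d["kind"] == "invalid":
                rule["problems"].append(f"unparseable destination {d['value']}")
        rules.append(rule)
    return rules


def summarize(rules: List[Dict]) -> Dict[str, List[str]]:
    """Group entries for review: rules with problems, wildcard FQDNs, and IP ranges."""
    return {
        "needs_review": [r["source"] for r in rules if r["problems"]],
        "wildcards": [d["value"] for r in rules for d in r["destinations"] if d["kind"] == "wildcard"],
        "networks": [d["value"] for r in rules for d in r["destinations"] if d["kind"] == "network"],
    }


# Constructed excerpt of the post's list; the second entry keeps the post's
# octet "1470" unchanged so that the check has something to flag.
SAMPLE = """
134.170.116.0/25 OR pfd.phonefactor.net
TCP
443
134.1470.165.0/25 OR pfd2.phonefactor.net
TCP
443
70.37.154.128/25 OR css.phonefactor.net
TCP
443
*.blob.core.windows.net
TCP
443
docs.microsoft.com
TCP
443
"""

if __name__ == "__main__":
    rules = parse_allow_list(SAMPLE)
    for r in rules:
        print("BAD" if r["problems"] else "OK ", r["source"], "->", "; ".join(r["problems"]) or "ok")
    print(summarize(rules))
```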


Enabling Ldap for an Azure Web App


Hi

I have an Azure web app which is also configured to log in Active Directory credentials using LDAP.
How can I provide those LDAP settings?

I have created my own domain using GoDaddy and used Azure AD Domain Services to enable LDAP. But my Active Directory users are still not authorized to use the web app.

Also, the ping times out for the IP address provided by AD Domain Services when I allow secure LDAP access over the internet. Neither can I ping my domain, which is associated with this IP address.

Is there any other approach I should try to enable LDAP?

Any inputs on this are deeply appreciated.

Any trick to authenticating AAD identities for existing WPA2-Enterprise Wi-Fi and Transparent Proxy?


In our current environment, we have AD, GPO-deployed WPA2-Enterprise Wireless (PEAP/MSCHAPv2), with RADIUS also handling authentication for our web filter (transparent proxy). Obviously, this is a pretty standard configuration, and it all just works as expected with AD identities on domain-joined devices. We're also configured as Hybrid, and we've confirmed that this all continues to work like magic with synchronised AD identities, and even on AAD-Joined (only) devices... which is pretty awesome. But what about pure AAD identities?

Right now, we're looking to migrate some web-kiosk, point-of-sale, and similar configurations, to the cloud so that we can more fully explore AAD (identities/devices) and Intune management. The question is, how do we make those accounts authenticate as required? We could obviously enable "User Write-back" to create an AD account for the user, but that would be defeating the purpose a little. So what else can we do? Would we be looking at using something like an Azure MFA server, configured to act as a RADIUS proxy, to somehow authenticate our AAD users internally?

I realise that this is probably the "hard way", and that a solution might be to roll a parallel configuration that is better able to be supported for this scenario - i.e. a new SSID with a completely different Wi-Fi configuration, and probably replace or remove the web filter/proxy from the equation - but these types of changes would all be longer-term (if at all). Is this configuration possible? Options?

I cannot delete my Azure AD


Hello:

I got into trouble deleting my Azure AD. I opened an Azure subscription using my Microsoft account and I messed up, so I created a new Azure AD and transferred all subscriptions to the new one. Now I am trying to delete the old one, however it will not let me. It shows the following:

However, as you can see in the following screen capture, I do not have any subscription:

Can someone help me or tell me what is going on?

Call to Microsoft OAuth2 not working as expected.


I have an internal corporate web app that needs to access corporate SharePoint Online. I want to call OAuth2 to take the user through the authentication process so the web app can retrieve an access_token and then call the Microsoft Graph API. I am using Django 1.11/Python 2.7.

I have registered the app in the corporate Azure Portal, but when I call the /authorize endpoint the user sees what appears to be the wrong login page. I expect the user to see a page that shows the app's name and permissions, but all the user sees is a basic sign-on page. Moreover, when the user enters his corporate email address he sees an error that says "There was an issue looking up your account". The user has been added to the registered app's "Users and Groups".

As far as I can tell, everything is configured correctly.

I have Googled this like mad, but not found any help.

UPDATE: When called from a proper server, the call to /authorize is working correctly on IE11, but failing as described above on the latest Firefox and the latest (Windows) Chrome. When called from a local server (i.e., http://127.0.0.1) the call to /authorize fails as described above on all browsers.

Any suggestions would be greatly appreciated.

Thanks.
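Added example (not from the original post or its Django app): the post does not show the request it builds, so this is a stand-alone construction of an Azure AD v2.0 authorization-code request with the parameters the endpoint requires, plus the checks a callback view should make before redeeming the code. Two of those checks line up with the symptoms described: the request is sent to the tenant-specific authority rather than a generic one, and the redirect_uri is compared byte for byte with the registered value (http://127.0.0.1 and http://localhost are different URIs to the registration). The tenant name, client id, scopes and redirect URI in the test are constructed; the PKCE test vector is the one from RFC 7636 Appendix B.

```python
"""Build an Azure AD v2.0 authorization request and validate its callback.
Everything here is plain urllib/hashlib; no network calls are made."""
import base64
import hashlib
import secrets
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: List[str], state: str, code_challenge: str) -> str:
    """`tenant` is the tenant id or a verified domain of the directory the app
    is registered in. `state` is required: it ties the callback to the session."""
    if not state:
        raise ValueError("state is required")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,     # must equal a registered redirect URI exactly
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def authorize_params(url: str) -> Dict[str, str]:
    """Flatten the query string of an authorize URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_callback(callback_url: str, expected_state: str,
                   registered_redirect_uri: str) -> Dict[str, Any]:
    """Validate the redirect back from /authorize before redeeming the code."""
    parsed = urlparse(callback_url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    base = parsed._replace(query="", fragment="").geturl()
    if base != registered_redirect_uri:
        return {"ok": False, "reason": f"callback hit {base}, registered {registered_redirect_uri}"}
    if "error" in q:                      # e.g. access_denied, with a description
        return {"ok": False, "reason": f"{q['error']}: {q.get('error_description', '')}"}
    if not expected_state or not secrets.compare_digest(q.get("state", ""), expected_state):
        return {"ok": False, "reason": "state mismatch (possible CSRF or stale session)"}
    if "code" not in q:
        return {"ok": False, "reason": "no authorization code in callback"}
    return {"ok": True, "code": q["code"]}
```

The code_verifier and state are stored server-side in the session between the two steps; the verifier is then sent with the code to /oauth2/v2.0/token, which is the step that actually yields the access token for Microsoft Graph.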


Groups have no members

None of my groups on my Azure AD console have members.  I have recently had to reinstall Azure AD Connect so maybe I'm missing something.

Azure AD B2C - Can my ASP app have two separate Azure signin/signup?


Hi;

I'm building an ASP.NET Core app. Its users fall into two separate groups (Vendors & Consumers).

The consumers can log in with third-party providers with minimum user data.

The Vendors, however, require an email/password signup with a series of data.

My questions are:

a) Can an app have two Azure login/signup forms with different policies, as in my case?

b) If yes, where can I learn how to do it? I checked the docs but found nothing.

Thank you in advance!

..Ben


Can not save Gsuite provisioning settings page


I have followed the docs for adding the G Suite enterprise app with SAML-based sign-on. I have managed to use a user account to sign in, but new users did not sync, so I found that my provisioning defaulted to manual. I changed it to automatic, did the Authorize and Test Connection steps, and clicked save.

After that I wanted to add a notification email on failures and change the scope to all users. Making the changes colours them purple, but the save button does not change to black, so I cannot save the changes. Also the Provisioning Status is Off; when I change it to On I still cannot click the save button to initiate the sync.

I found that if I change something like the status to On and do the Authorize process again, it saves the status, but now I get an authentication failure error while the test connection shows as success.

So the result is this message:

Summary
Synchronization is now in quarantine with execution frequency reduced.

Quarantine first initiated at Sun Aug 05 2018 18:03:22

and I cannot change or save anything now.

Please help.

Azure AD B2C Msal.js acquireTokenSilent Performance issue


Hi Microsoft Azure Team,

I have a .NET Core 2 solution with 2 projects: 1. SPA, 2. Web API (both will be hosted in Azure Web Apps later).

I am using Azure AD B2C with MSAL.js  to login to the SPA and call the authenticated endpoints in the Web API project.

I would be converting the SPA to a Progressive Web App later. 

As per the documentation, after the user logs in to the SPA, acquireTokenSilent can be used for making subsequent calls to the Authenticated endpoints.

I am able to log in to the SPA and use acquireTokenSilent to get the access token, and I am able to call my Web API endpoints in the Web API project.

My problem is that acquireTokenSilent is taking 4-5 seconds (from my local development machine; the JS is not bundled yet) to get the access token.

I will be testing after deploying these both as Azure Websites (with JS bundled) at a later stage.

Will I face this performance lag after bundling the JS files and deploying in Azure?

Kindly advise on performance improvement, since this is making my app very slow.

Unable to connect to Azure AD


How do I connect to Azure AD with MFA enabled? We are using an Exchange hybrid environment. We enabled MFA a few days ago.

When I log in to the Windows Azure Active Directory Module for Windows PowerShell and use the syntax below:

Connect-MsolService

Connect-MsolService : This account is blocked. Contact your Tenant administrator.
At line:1 char:1
+ Connect-MsolService
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : 0x80048823,Microsoft.Online.Administration.Automation.ConnectMsolService

------------------------------------------------

I have even connected to Exchange Online using MFA and typed the command Connect-MsolService; I am getting the same error.

Experts, please help me.

Need help to configure my own domain name in AAD


Hello all.

I'm trying AAD and want to add my domain name. I entered my domain and added the DNS records. But Azure can't verify my domain name.

I added the domain name and Azure can't find it.

I replaced the original domain registrar's DNS service with an Azure DNS zone and added the records.

I checked the DNS records with dig and found the needed records.

But I get an error on verification of the domain name in AAD.

Subscription level: free trial.


Register proxy failing with certificate error


Running the Register-AzureADPasswordProtectionProxy cmdlet returned no errors, but my agents were reporting that no registered proxy service was found.

Enabling the Trace log and re-running Register-AzureADPasswordProtectionProxy returns the following error:

ProxyCertificatesPopulator: Microsoft.DeviceRegistration.JOSE.JoseException: The certificate validator indicated that the signingCertificate is not trusted
   at Microsoft.DeviceRegistration.JOSE.JWSHelper.ValidationWorker2(String JWS, X509Certificate2 expectedSigningCert, ICertificateValidator certValidator, X509Certificate2& signingCert, Byte[]& payload)
   at Microsoft.DeviceRegistration.JOSE.JWSHelper.ValidateSignature(String JWS, ICertificateValidator certValidator, String& payload)
   at ServiceCommon.Converters.ProxyCertAndChainConverter.Convert(ProxyCertAndChainSerialized proxyCertAndChainSerialized)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.UpdateCurrentPublicDataIfNecessaryWorker(FileContentAndPath1 latestContent, Boolean fromBackup)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.UpdateCurrentPublicDataIfNecessary(FileContentAndPath1 latestContent, Boolean fromBackup)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.PopulateDirectoryFiles()
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.HandlePopulateDirectory(Object state, Boolean timedOut)

Proxy and AD servers are 2012 R2 with the latest updates, including the Universal C update. AD is using DFSR replication.


Azure AD Connect (Express install) migration to another server


Hello Community,

I'm planning to move our current AADC application to another server. I haven't found any questions about moving an Express installation to a new server. The reason it's important for me is that in Express installation mode a user was created (MSOL_XYZ...) with a Windows-managed password (so I don't know its password), and previously we had a Custom installation which caused sync errors in the environment. But the new environment has to be started in Staging mode, which only seems possible when using a Custom installation.

So my question is: Is it possible (and if yes, how?) to migrate an Express installation to a server where I use a Custom installation in Staging mode?

Thanks,

Csaba


Azure initial setup questions


Our goal is to remove our current DR private cloud infrastructure and set up a replacement on Azure. We will just have an Exchange VM, a file server VM, and an anti-email-spam VM.

I plan on following this page to get it set up: https://social.technet.microsoft.com/wiki/contents/articles/51353.azure-step-by-step-guide-extending-ad-ds-to-azure-using-site-to-site-vpn-or-express-route.aspx using a VPN and virtual machines.

However, I've been reading about Azure AD, Azure AD Connect, and Azure AD Domain Services. I am a little confused about it. Do these technologies basically sync your on-prem AD to Azure AD but on a separate domain? Say my on-prem domain is called abc.com; I assume the Azure AD will be called efg.com? I saw that Azure AD Domain Services syncs the on-prem SIDs to Azure AD, but the domains will be different? Also, it said that Domain Services is cheaper, $110/month for <25k AD objects. If I spin up a VM and run a domain controller, it should be cheaper than that per month, like $50/60.

Will having these Azure technologies benefit me if I simply want to establish a DR environment in Azure? (I know about the less maintenance, no patching, and high availability parts.)

Thanks

Error upgrading Azure AD Connector


Hi all, 

I get an error when upgrading to the latest AAD Connector: "Input string was not in a correct format".

The error occurs after the AAD Connector connects to Azure AD, when the upgrade process is updating the on-premises rules.

The log file indicates that logins to the web services ("AADSTS*****") are failing, but the password for the sync account was reset before the upgrade process was started and the sync account can log in without problems.

I need to get this working again; anyone?


Retrieving all the users' information from an Azure subscription


I want to retrieve all the user information from a subscription. We can get the list of all users from an Azure subscription using the article below.

https://docs.microsoft.com/en-us/rest/api/authorization/roleassignments/list

But the above URL retrieves a list of all user GUIDs (and some more information), whereas here I want the user display name, mail ID, etc.

Please help me: how can I do this?

We can send these user GUIDs to the Graph API to retrieve the user information, but it needs consent from the tenant admin and we also need two more calls (one to get a Graph bearer access token and the other to call the actual Graph API with the above list of user GUIDs). So how can I do this without the Graph API?
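Added example (not from the original post): the roleAssignments list call returns only a principalId and principalType per assignment, so the names have to come from the directory. This example, written for this page, shows the smallest Graph footprint for that: collect the unique principal IDs, resolve them in batches of up to 1000 with a single POST /v1.0/directoryObjects/getByIds each, and join the result back onto the assignments. Assignments whose principal is not returned are reported separately, since those are orphaned assignments left behind by deleted identities and worth removing. The role-assignment and getByIds responses embedded below are constructed samples in the shape of the two APIs' output; the role-definition IDs and object IDs in them are placeholders.

```python
"""Join ARM role assignments (principal GUIDs only) with directory objects
fetched in bulk through POST /v1.0/directoryObjects/getByIds."""
from typing import Dict, List

GETBYIDS_MAX = 1000  # documented per-request limit for getByIds


def principal_ids(role_assignments: Dict) -> List[str]:
    """Unique principalId values, in first-seen order, from a roleAssignments list response."""
    out: List[str] = []
    for ra in role_assignments.get("value", []):
        pid = ra.get("properties", {}).get("principalId")
        if pid and pid not in out:
            out.append(pid)
    return out


def getbyids_bodies(ids: List[str], types=("user", "group", "servicePrincipal")) -> List[Dict]:
    """Request bodies for POST /directoryObjects/getByIds, chunked to the API limit."""
    return [{"ids": ids[i:i + GETBYIDS_MAX], "types": list(types)}
            for i in range(0, len(ids), GETBYIDS_MAX)]


def join_assignments(role_assignments: Dict, directory_objects: List[Dict]) -> List[Dict]:
    """One row per assignment with the principal's display name and mail/UPN filled in."""
    by_id = {o["id"]: o for o in directory_objects}
    rows = []
    for ra in role_assignments.get("value", []):
        p = ra["properties"]
        obj = by_id.get(p["principalId"])
        rows.append({
            "assignmentId": ra.get("id"),
            "scope": p["scope"],
            "roleDefinitionId": p["roleDefinitionId"].rsplit("/", 1)[-1],
            "principalId": p["principalId"],
            "principalType": p.get("principalType"),
            "displayName": obj.get("displayName") if obj else None,
            "mail": (obj.get("mail") or obj.get("userPrincipalName")) if obj else None,
            "objectType": obj.get("@odata.type", "").rsplit(".", 1)[-1] if obj else None,
            "resolved": obj is not None,
        })
    return rows


def orphaned(rows: List[Dict]) -> List[Dict]:
    """Assignments whose principal getByIds did not return: the identity is gone
    but the assignment still exists and should be cleaned up."""
    return [r for r in rows if not r["resolved"]]


# Constructed samples in the shape of the two APIs' responses.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ROLE_ASSIGNMENTS = {"value": [
    {"id": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaa",
     "properties": {"scope": SUB, "principalId": "u-1", "principalType": "User",
                    "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/role-contrib"}},
    {"id": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/bbbb",
     "properties": {"scope": f"{SUB}/resourceGroups/rg1", "principalId": "sp-1",
                    "principalType": "ServicePrincipal",
                    "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/role-reader"}},
    {"id": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/cccc",
     "properties": {"scope": SUB, "principalId": "u-gone", "principalType": "User",
                    "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/role-owner"}},
]}
DIRECTORY_OBJECTS = [  # what getByIds returned; "u-gone" is absent (deleted user)
    {"@odata.type": "#microsoft.graph.user", "id": "u-1", "displayName": "Alice Example",
     "mail": "alice@contoso.example", "userPrincipalName": "alice@contoso.example"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1", "displayName": "build-pipeline"},
]

if __name__ == "__main__":
    for body in getbyids_bodies(principal_ids(ROLE_ASSIGNMENTS)):
        print("POST /v1.0/directoryObjects/getByIds", body)
    rows = join_assignments(ROLE_ASSIGNMENTS, DIRECTORY_OBJECTS)
    for r in rows:
        print(r["roleDefinitionId"], r["scope"], r["displayName"] or "<deleted principal>", r["mail"])
    print("orphaned:", [r["assignmentId"] for r in orphaned(rows)])
```

The getByIds call needs a token for Graph with a directory-read permission, which is the admin consent the post mentions; there is no ARM-only way to get names, because ARM stores nothing but the object id.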

AAD Connect - Merge cross forest groups and export to Azure AD


Hi all, 

I'm facing an issue in an Active Directory migration whereby I want to merge 2 groups (one from forest A and one from forest B) via AAD Connect and export the result to Azure AD, so that users from forest A and forest B are included in the same group.

Does anyone know if this is possible and how to adapt the AAD connect synchronization rules to have this in place?

With kind regards,

Sebastian 

Azure AD Identity Protection missing "skipping multi-factor authentication registration" settings
