
Get-AzureADTrustedCertificateAuthority - User was not found


I am following the instructions in the following documentation to view the trusted certificate authorities that are defined in my Azure Active Directory (AAD) instance:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-get-started

From the Azure portal, this is my account:

https://carlostransitfiles.blob.core.windows.net/sharefiles/UserProfile.png

And I am indeed the global administrator for my AAD instance:

https://carlostransitfiles.blob.core.windows.net/sharefiles/UserRole.png

I can use the cmdlet Connect-AzureAD just fine:

https://carlostransitfiles.blob.core.windows.net/sharefiles/connectazuread.png

But when using the cmdlet Get-AzureADTrustedCertificateAuthority, I get the error "User was not found":

https://carlostransitfiles.blob.core.windows.net/sharefiles/usernotfound.png

What is going on?



Unable to install the synchronisation service


Hi, after help with this, Googled to death...

I am using the Office 365 admin as auth on that side.

For local creds I am using an enterprise administrator and putting the full domain.local\ in front.

Trace logs >>

[08:30:34.961] [ 15] [INFO ] ServiceControllerProvider:DeleteService successful - serviceName:ADSync
[08:30:34.968] [ 15] [INFO ] BuildMsiArguments: Setting Sync Engine MSI parameters for clean installation
[08:30:53.731] [ 15] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedException: Error installing msi package 'Synchronization Service.msi'. Full log is available at 'C:\ProgramData\AADConnect\Synchronization Service_Install-20180806-083034.log'.

Extracted error message:
ActionStart(Name=ProcessMachineDcomPermission,,)
MSI (s) (B4:A8) [08:30:47:993]: Executing op: CustomActionSchedule(Action=ProcessMachineDcomPermission,ActionType=1025,Source=BinaryData,Target=ProcessMachineDcomPermission,CustomActionData=ADMINS=ADSyncAdmins OPERATORS=ADSyncOperators BROWSE=ADSyncBrowse PASSWORDSET=ADSyncPasswordSet)
MSI (s) (B4:AC) [08:30:47:998]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI4C81.tmp, Entrypoint: ProcessMachineDcomPermission
CustomAction ProcessMachineDcomPermission returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (B4:A8) [08:30:48:132]: User policy value 'DisableRollback' is 0
MSI (s) (B4:A8) [08:30:48:132]: Machine policy value 'DisableRollback' is 0
Action ended 08:30:48: InstallExecute.
 ---> Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1603.

Details:
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String& processOutput, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit, Boolean traceArguments, Int32 exitCodeToIgnore)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackage(String msiPackageDirectory, String msiPackageFileName, String packageOptions, String installationPath, NetworkCredential credential, String installLogFileName, Boolean extractOnly, Boolean quiet, Boolean suppressReboot)
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackage(String msiPackageDirectory, String msiPackageFileName, String packageOptions, String installationPath, NetworkCredential credential, String installLogFileName, Boolean extractOnly, Boolean quiet, Boolean suppressReboot)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallSynchronizationService(String pathToMsiFiles, String msiFileName, String installationPath, String sqlServerName, String sqlInstanceName, Boolean useInstallPathForDBFiles, IDictionary`2 syncServiceGroups, SyncServiceAccount syncServiceAccount, String logFilePath)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)
[08:31:07.799] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180806-082646.log

Then the tail end of the sync service install logs >>

MSI (s) (B4:A8) [08:30:51:027]: Executing op: ComponentUnregister(ComponentId={63684FF4-FD87-45CF-9E44-9C57675FEB6E},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:028]: Executing op: ComponentUnregister(ComponentId={124FA056-EC1E-48CA-BC66-468D72C8449F},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:029]: Executing op: ComponentUnregister(ComponentId={1681AE41-ADA8-4B70-BC11-98A5A4EDD046},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:030]: Executing op: ComponentUnregister(ComponentId={A64FDC9B-3E02-4D59-8C59-3A1F95FF4315},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:031]: Executing op: ComponentUnregister(ComponentId={9AE4D8E0-D3F6-47A8-8FAE-38496FE32FF5},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:033]: Executing op: ComponentUnregister(ComponentId={186E945D-79D5-460C-BF9E-32C958C49705},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:034]: Executing op: ActionStart(Name=ValidateDebugPrivilege,,)
MSI (s) (B4:A8) [08:30:51:034]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (s) (B4:A8) [08:30:51:034]: Error in rollback skipped.    Return: 5
MSI (s) (B4:A8) [08:30:51:034]: Entering MsiProvideAssembly. AssemblyName: Microsoft.MetadirectoryServices.Host,version="1.1.0.0",culture="neutral",publicKeyToken="31BF3856AD364E35",processorArchitecture="AMD64", AppContext: , InstallMode: -4
MSI (s) (B4:A8) [08:30:51:034]: Pathbuf: 0, pcchPathBuf: 0
MSI (s) (B4:A8) [08:30:51:034]: MsiProvideAssembly is returning: 1607
MSI (s) (B4:A8) [08:30:51:048]: Note: 1: 2318 2:  
MSI (s) (B4:A8) [08:30:51:049]: No System Restore sequence number for this installation.
MSI (s) (B4:A8) [08:30:51:050]: Unlocking Server
MSI (s) (B4:A8) [08:30:51:138]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
Action ended 08:30:51: INSTALL. Return value 3.
MSI (s) (B4:A8) [08:30:51:141]: Note: 1: 1708
MSI (s) (B4:A8) [08:30:51:141]: Product: Microsoft Azure AD Connect synchronization services -- Installation operation failed.

MSI (s) (B4:A8) [08:30:51:142]: Windows Installer installed the product. Product Name: Microsoft Azure AD Connect synchronization services. Product Version: 1.1.880.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

MSI (s) (B4:A8) [08:30:51:174]: Deferring clean up of packages/files, if any exist
MSI (s) (B4:A8) [08:30:51:174]: MainEngineThread is returning 1603
MSI (s) (B4:B8) [08:30:51:179]: RESTART MANAGER: Session closed.
MSI (s) (B4:B8) [08:30:51:179]: No System Restore sequence number for this installation.
=== Logging stopped: 06/08/2018  08:30:51 ===
MSI (s) (B4:B8) [08:30:51:183]: User policy value 'DisableRollback' is 0
MSI (s) (B4:B8) [08:30:51:183]: Machine policy value 'DisableRollback' is 0
MSI (s) (B4:B8) [08:30:51:183]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (B4:B8) [08:30:51:184]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (B4:B8) [08:30:51:184]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (B4:B8) [08:30:51:186]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (s) (B4:B8) [08:30:51:186]: Restoring environment variables
MSI (s) (B4:B8) [08:30:51:188]: Destroying RemoteAPI object.
MSI (s) (B4:0C) [08:30:51:188]: Custom Action Manager thread ending.
MSI (c) (A0:78) [08:30:51:194]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (A0:78) [08:30:51:194]: MainEngineThread is returning 1603
=== Verbose logging stopped: 06/08/2018  08:30:51 ===

Any ideas please


Simon Wilks Technical Manager Microsoft Certified Technology Specialist Emerald IT Managed Solutions Ltd Tel: 0845 467 1314 Fax: 0845 467 1316 Email: simon.wilks@emeralditms.co.uk Office 18 - Pure Offices - Plato Close - Tachbrook Park - Leamington Spa - Warwickshire - CV34 6WE www.emeralditms.co.uk • Servers & PC'S • IT Cabling • Networking • Support & Maintenance • Document Management • Wifi solutions • Websites
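
As an added triage helper (not from the post above and not part of Azure AD Connect), the Python below pulls the failing custom action, the CustomActionData it was scheduled with, any rollback return code and the final product status out of verbose MSI log lines, so the reader knows which log section and which local groups to look at first. SAMPLE_MSI_LOG is a constructed excerpt of the lines quoted in the post; the two Win32 code names in WIN32_ERRORS are well-known values.

```python
import re

# Constructed excerpt: the MSI lines quoted in the post, in the order they appear.
SAMPLE_MSI_LOG = """\
ActionStart(Name=ProcessMachineDcomPermission,,)
MSI (s) (B4:A8) [08:30:47:993]: Executing op: CustomActionSchedule(Action=ProcessMachineDcomPermission,ActionType=1025,Source=BinaryData,Target=ProcessMachineDcomPermission,CustomActionData=ADMINS=ADSyncAdmins OPERATORS=ADSyncOperators BROWSE=ADSyncBrowse PASSWORDSET=ADSyncPasswordSet)
CustomAction ProcessMachineDcomPermission returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (B4:A8) [08:30:51:034]: Error in rollback skipped.    Return: 5
Action ended 08:30:51: INSTALL. Return value 3.
MSI (s) (B4:A8) [08:30:51:142]: Windows Installer installed the product. Product Name: Microsoft Azure AD Connect synchronization services. Product Version: 1.1.880.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
"""

# Well-known Win32 error codes that show up in installer logs.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1603: "ERROR_INSTALL_FAILURE"}

_CA_SCHED = re.compile(r"CustomActionSchedule\(Action=(?P<name>[^,]+),.*?"
                       r"CustomActionData=(?P<data>[^)]*)\)")
_CA_FAIL = re.compile(r"CustomAction (?P<name>\S+) returned actual error code (?P<code>\d+)")
_ROLLBACK = re.compile(r"Error in rollback skipped\.\s+Return: (?P<code>\d+)")
_PRODUCT = re.compile(r"Product Name: (?P<name>.+?)\. Product Version: (?P<ver>\S+)\."
                      r".*?Installation success or error status: (?P<status>\d+)")


def _named(code):
    """Pair a numeric Win32 code with its symbolic name where known."""
    return code, WIN32_ERRORS.get(code, "unknown")


def triage_msi_log(text):
    """Summarise a verbose MSI log: which custom action failed, what data it was
    scheduled with, rollback errors and the final product status."""
    report = {"scheduled": {}, "failed_actions": [], "rollback_errors": [], "product": None}
    for line in text.splitlines():
        m = _CA_SCHED.search(line)
        if m:  # CustomActionData is a space-separated KEY=VALUE list
            data = dict(item.split("=", 1) for item in m.group("data").split() if "=" in item)
            report["scheduled"][m.group("name")] = data
        m = _CA_FAIL.search(line)
        if m:
            report["failed_actions"].append((m.group("name"),) + _named(int(m.group("code"))))
        m = _ROLLBACK.search(line)
        if m:
            report["rollback_errors"].append(_named(int(m.group("code"))))
        m = _PRODUCT.search(line)
        if m:
            report["product"] = {"name": m.group("name"), "version": m.group("ver"),
                                 "status": int(m.group("status"))}
    return report


def failing_action_context(report):
    """Pair each failed custom action with the CustomActionData it was given,
    e.g. the local group names a permission-setting action was asked to process."""
    return [(name, code, label, report["scheduled"].get(name, {}))
            for name, code, label in report["failed_actions"]]


if __name__ == "__main__":
    for item in failing_action_context(triage_msi_log(SAMPLE_MSI_LOG)):
        print(item)
```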

Problems getting Outlook 2010 to work with Password Hash Authentication


Hi Microsoft Team,

In my workplace we have personal computers with Outlook 2013 and Outlook 2010. We have set up Azure Active Directory Connect using Password Hash Authentication so we can use our domain passwords to log in to our email accounts. The computers with Office 2013 are working fine, we can log in via webmail and via Outlook just fine with the domain password, but on the computers with Office 2010 we are only able to log in via webmail and not via Outlook because it keeps asking for a password even though we are entering the correct one.

Can you please confirm for us whether Password Hash Authentication works with Outlook 2010?

Best Regards

David Lourenço

AADC user/contact matching issues


Hello,

We have gone from an on-prem Exchange to EOL, but we still have on-prem Exchange for management of user objects; everything mail related is done in EOL.

Now we're having issues: for some reason our "Azure AD Connect" has matched a user object (which isn't even enabled for Exchange) and a contact object and decided they are one and the same, which means the contact isn't working in O365!

So, how do I break the matching? I've removed the "mail" attribute from the user object as well as all smtp/proxyAddresses and made sure there is nothing in common between the two, and done a full import/sync in AADC, yet the matching is still there and then it writes some X500 addresses back as proxyAddresses!

Is there any way to manually break the matching? Because they really have nothing in common!!

Differences to SCIM specification


I am trying to integrate SCIM support for Azure AD into an existing web application. At the moment I struggle with several points.

  • Azure AD is sending PATCH requests for simple attributes with a complex attribute as the value, e.g.

    {"op": "Replace", "path": "userName", "value": [
        {"$ref": null, "value": "blubb2@mysignavio.onmicrosoft.com"}
      ]
    }

    This is in contrast to the SCIM specification.
  • Azure AD is upper-casing operations in PATCH requests, e.g. "Add" instead of "add":

    {"op": "Add", "path": "name.formatted", "value": [
        {"$ref": null, "value": "Blubb Blabb"}
      ]
    }

  • The URLs for Users and Groups have to have "scim" as a prefix, e.g. https://examplewebapp.com/.../scim/Users. The specification does not mention a "scim" prefix. This can force additional adjustments for existing implementations that don't have such a prefix in the URL.
  • When Azure AD sends PATCH requests, the add operation sometimes contains filters in the path. This is not part of the SCIM specification and is not supported by many frameworks.
  • Azure AD is using the schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User. Is there a way to choose the core User schema of SCIM? Is it enough to support the core schema when only core attributes are mapped?
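
The PATCH quirks listed above suggest a small normalisation layer in front of a standard SCIM handler. The Python below is an added example, not Azure AD's code and not any SCIM library's: it lower-cases the op name, unwraps the [{"$ref": null, "value": x}] wrapper for single-valued attributes, parses filtered paths of the form attr[sub eq "val"].sub, and applies the result to a user dict. AZURE_PATCH_OPS and SAMPLE_USER are constructed sample inputs built from the operations quoted in the post; schema-URN-prefixed paths are left out.

```python
import copy
import re

# Subset of the SCIM PATCH path grammar (RFC 7644, section 3.5.2):
#   attr | attr.sub | attr[sub eq "val"] | attr[sub eq "val"].sub
# Schema-URN-prefixed paths are outside the scope of this constructed example.
_PATH = re.compile(r'^(?P<base>[^\[.]+)'
                   r'(?:\[(?P<fattr>\w+)\s+eq\s+"(?P<fval>[^"]*)"\])?'
                   r'(?:\.(?P<sub>\w+))?$')


def parse_path(path):
    """Return (base, (filter_attr, filter_value) or None, sub_attr or None)."""
    m = _PATH.match(path)
    if not m:
        raise ValueError("unsupported SCIM path: %r" % path)
    flt = (m.group("fattr"), m.group("fval")) if m.group("fattr") else None
    return m.group("base"), flt, m.group("sub")


def normalize_op(raw):
    """Canonicalise one PATCH operation as Azure AD emits it (see the post above):
    lower-case the op name ("Add" -> "add") and unwrap a value sent as
    [{"$ref": null, "value": x}] to the scalar x. Assumption: a one-element list
    whose only keys are $ref/value is such a wrapper; a real multi-valued entry
    (type, primary, ...) is left untouched."""
    op = dict(raw)
    op["op"] = str(op["op"]).lower()
    if op["op"] not in ("add", "replace", "remove"):
        raise ValueError("unknown op: %r" % raw.get("op"))
    val = op.get("value")
    if (isinstance(val, list) and len(val) == 1 and isinstance(val[0], dict)
            and "value" in val[0] and set(val[0]) <= {"$ref", "value"}):
        op["value"] = val[0]["value"]
    return op


def apply_patch(resource, operations):
    """Apply Azure AD style PATCH operations to a SCIM user dict; returns a copy."""
    res = copy.deepcopy(resource)
    for raw in operations:
        op = normalize_op(raw)
        base, flt, sub = parse_path(op["path"])
        if flt is None:  # plain single-valued or nested (name.formatted) attribute
            target, key = (res, base) if sub is None else (res.setdefault(base, {}), sub)
            if op["op"] == "remove":
                target.pop(key, None)
            else:  # add and replace behave alike on a single-valued attribute
                target[key] = op["value"]
            continue
        # Filtered path: operate on the matching entries of a multi-valued attribute.
        entries = res.setdefault(base, [])
        if op["op"] == "remove":
            res[base] = [e for e in entries if str(e.get(flt[0])) != flt[1]]
            continue
        hits = [e for e in entries if str(e.get(flt[0])) == flt[1]]
        if not hits and op["op"] == "add":  # nothing matches yet: create the entry
            hits = [{flt[0]: flt[1]}]
            entries.append(hits[0])
        for e in hits:
            if sub:
                e[sub] = op["value"]
            else:
                e.update(op["value"])
    return res


# Constructed sample input: the two operations quoted in the post plus a filtered add.
AZURE_PATCH_OPS = [
    {"op": "Replace", "path": "userName",
     "value": [{"$ref": None, "value": "blubb2@mysignavio.onmicrosoft.com"}]},
    {"op": "Add", "path": "name.formatted",
     "value": [{"$ref": None, "value": "Blubb Blabb"}]},
    {"op": "Add", "path": 'emails[type eq "work"].value',
     "value": "blubb2@mysignavio.onmicrosoft.com"},
]
SAMPLE_USER = {"userName": "old@example.com", "name": {"givenName": "Blubb"}, "emails": []}
```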

I am calling the Graph API through Postman but it is showing the error below

AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.

Unable to Join to Azure domain


I have a VM in Azure running Server 2016 with the Active Directory Domain Controller role (not Azure AD, but the AD role set up on a VM!) and for this I use our public domain intra.test.online (I didn't share the actual domain name). For some reason I'm no longer able to join any machine to this domain, and it worked before? I get the prompt asking me for user name and password and then I get the error "The Network Path was not found". I did try disabling the FW on both sides and adding the Azure VM's public IP as preferred DNS in the local VM, but I still get the error!

Thanks!


Alen Mikic

Can Azure work for my Business in place of on premise DC/AD?


Good Morning,

I'm hoping someone can offer me some clear advice regarding the following scenario and requirements. Any help would be much appreciated!

Scenario:

We currently have about 25-30 users in our organisation, which is a recent start-up business. Many users have a desktop and laptop, all have Windows 10 Professional installed. Office 365 is used to host our email and all users log in to their machines using their Office 365 accounts (not local accounts). All users work from one office location, though many will often be on the road or working from home.

We do not have a domain currently in place or any servers in our organisation, and all the machines are in a workgroup. If we can avoid it we would prefer not to have any on-premises servers, DCs etc. We don't do anything over-complicated and use cloud-based services for shared storage, though we do run some manual backups to a Windows desktop PC.


Requirements

  • It would be good if any solution can provide some form of authentication at login, control access to shared resources at some level and be managed centrally
  • We would like more control over client machines, ideally something offering similar functionality to that of group policy, even if lighter, which can be managed from a central point (password resets, blocking access etc.)
  • If the above is not possible without at least a hosted DC of some form, we would consider getting one

Could someone please point me in the right direction of what Azure service we would need to be able to provide the above functionality? Please let me know what further information you may require.

Kind regards

Trevor



Azure login with certificates - account lockout


Hi,

We are currently logging in to our Azure environments using private keys. If I want to implement a lockout policy, do I need to change the authentication to password? Or how do I implement a lockout policy with keys?

Thanks,

Lilia

Connect Azure AD with customer's ADFS


Hi all,

we have this project and I was wondering how to do the setup:


1. we have an application (actually, a Remote Desktop Gateway that allows users to have RDP access to different servers, entire infrastructure in Azure)

2. the users allowed to access RDGateway are stored in Active Directory "on-premises" (an AD DS installed on an Azure VM)

3. we have synced (with Azure AD Connect) this AD with Azure AD

4. our customers (that access the services through RDGateway) are asking for SSO (basically, they want to use the users in their domains to have access to the services we offer)


The question is: how do we connect our Azure AD with our customer's ADFS in order to obtain SSO?


Thank you,

Sorin

SSPR Mobile app authentications vs. MFA


Hi,

I am deploying SSPR within AAD now and when choosing the authentication methods, there are 2 methods called "Mobile app notification" and "Mobile app code". They require separate registration.

After I tried enabling it with my own phone, when I try to reset my password I don't see anything related to this mobile app authentication, but it required a mobile code when I log in.

I have a colleague who has MFA enabled and registered already, but when registering for SSPR with mobile app notification and code, it gave him a new barcode to scan for registration.

I am wondering what the difference is between MFA and these 2 authentication methods in SSPR? Are they the same? Is the mobile app authentication method of SSPR recommended?

Thank you.

Cannot save G Suite provisioning settings page


I have followed the Docs for adding the G Suite Enterprise app set up on SAML-based sign-on. I have managed to use a user account to sign in, but new users did not sync, so I found that my provisioning was defaulted to manual. I have changed it to Automatic, did the Authorize and Test Connection and clicked save.

After that I wanted to add a notification email on failures and change the scope to all users; making the changes coloured the change in purple, but the save button did not change to black, so I cannot save the changes. Also the Provisioning Status is Off; changing it to On, I still cannot click the save button to init the sync.

I found that if I change something like the status to On and do the Authorize process again, it saves the status, but now I get an error of authentication failure while the test connection shows as success.

So the result is this message:

Summary
Synchronization is now in quarantine with execution frequency reduced.

Quarantine first initiated at Sun Aug 05 2018 18:03:22 

and I cannot change or save anything now.

Please help.

Call to Microsoft OAuth2 not working as expected.


I have an internal corporate web app that needs to access corporate SharePoint Online. I want to call OAuth2 to take the user through the authentication process so the web app can retrieve an access_token and then call the Microsoft Graph API. I am using Django 1.11/Python 2.7.

I have registered the app in the corporate Azure Portal, but when I call the /authorize endpoint the user sees what appears to be the wrong login page. I expect the user to see a page that shows the app's name and permissions, but all the user sees is a basic sign-on page. Moreover, when the user enters his corporate email address he sees an error that says "There was an issue looking up your account". The user has been added to the registered app's "Users and Groups".

As far as I can tell, everything is configured correctly.

I have Googled this like mad, but not found any help.

UPDATE: When called from a proper server, the call to /authorize is working correctly on IE11, but failing as described above on the latest Firefox and the latest (Windows) Chrome. When called from a local server (i.e., http://127.0.0.1) the call to /authorize fails as described above on all browsers.

UPDATE 2: It turns out the call to /authorize from a server is NOT working correctly on IE11. After Grant Permission is selected, I am getting an "invalid parameters" error.

Any suggestions would be greatly appreciated.

Thanks.



Options using Azure AD to sign in to the application in Azure


Can anyone guide me in the right direction on what the best possible options are when using Azure AD to sign in to the application in Azure? Please help me.

Unlock accounts in Azure Active Directory Domain Services


I've just set up Azure Active Directory Domain Services and noticed that accounts get locked out after 5 failed attempts even though the default domain group policy lockout threshold is set to 0.  I'm also not able to unlock user accounts when logged in as a member of the AAD DC Administrators group.

Is there a way to modify the lockout threshold and to unlock accounts?


Azure Active Directory has migrated the college's domain and users from the student email used to sign up


Hi

I am using my student email and when I go into Active Directory it appears to have synced up with the college and has all the college's emails and groups migrated over. I have sent them an email to explain this, but for me this means I can't create or delete anything as my permissions from the college have carried over too.

My question is whether there is a way to safely remove all this data from my Azure Active Directory so I can carry on with the practical aspects, or should I just wait until the college implements a fix to this, as quite a lot of information has been carried over that I would hope they will be trying to prevent from being shared.

Also, I cannot add a custom domain either.

Thanks

Gary


I cannot delete my Azure AD


Hello:

I got into trouble deleting my Azure AD. I used my Microsoft account to open an Azure subscription and I messed up, so I created a new Azure AD and transferred all subscriptions to the new one. Now I am trying to delete the old one; however, it will not let me. It shows the following:

However, as you can see in the following screen capture, I do not have any subscription:

Can someone help me or tell me what is going on?

AD Connect - Missing default attributes in Graph API


Hi,

I have AD Connect configured with my local domain and Azure. Everything looks good except that I can't see various 'default' attributes when querying Graph API.

For example, a default attribute that is listed is 'assistant', so I've updated assistant and synced this to Azure AD.

When I query Azure AD via Graph API, the property 'assistant' is not shown.

AADC - Default attributes includes 'assistant'

Local AD - Assistant set correctly in user account

Sync result shows OK

Fields returned by Graph API do not show 'assistant'

I did have success adding a custom extension field for employeeID .... and that appeared straight away with the $select=* query in Graph API; however, my question is how do I access the attributes that should be 'default'?

Any help would be appreciated!

Thanks

** These are the fields returned by Graph API - note the custom extension that was successfully added ...

deletedDateTime
accountEnabled
ageGroup
businessPhones
city
companyName
consentProvidedForMinor
country
createdDateTime 
department
displayName
givenName
jobTitle
legalAgeGroupClassification
mail
mailNickname
mobilePhone
onPremisesDomainName
onPremisesImmutableId
onPremisesLastSyncDateTime
onPremisesProvisioningErrors
onPremisesSecurityIdentifier
onPremisesSamAccountName
onPremisesSyncEnabled
onPremisesUserPrincipalName 
passwordPolicies
passwordProfile
officeLocation
onPremisesExtensionAttributes
postalCode
preferredLanguage
proxyAddresses
imAddresses
isResourceAccount
state
streetAddress
surname
usageLocation
userPrincipalName
userType
extension_9c3d4c6fc7eb4601804ef9ecac7fea22_employeeID
id
assignedLicenses
assignedPlans
provisionedPlans

Enabling LDAP for an Azure Web App


Hi

I have an Azure web app which is also configured to log in with Active Directory credentials using LDAP.
How can I provide those LDAP settings?

I have created my own domain using GoDaddy and used Azure managed domain services to enable LDAP. But my Active Directory users are still not authorized to use the web app.

Also, the ping times out for the IP address provided by AD Domain Services when I allow secure LDAP access over the internet. Nor can I ping my domain which is associated with this IP address.

Is there any other approach I should try to enable LDAP?

Any inputs on this are deeply appreciated.

AAD custom rule to manage devices


Need to provide custom AAD permissions to a group of users


Permissions: Manage AAD Devices (Create and delete Devices, and read and update all properties in Azure Active Directory)

Property: microsoft.aad.directory/Device/AllActions/AllProperties

Source: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

Anyone got lucky and managed to create a custom rule in Azure AD?
