Channel: Azure Active Directory forum
Viewing all 16000 articles

Dirsync, Azure AD and filtering


Hello!

We are seeing a strange behavior, and I found some indirect references to it in MS documentation. I want to get better visibility into it so that we can approach it appropriately:

1. We deployed AAD Connect with group based filtering for a set of Pilot users.

2. However, we observed that a lot of groups also got synced although they were not members of the Pilot group used for filtering. (The groups existed in AD and AAD, but the membership differed.)

3. After further investigation, we learned that DirSync had been deployed a long time back but the sync was later discontinued.

4. I found the following documentation referring to the scope of objects for filtering. Based on its language, it sounds like even though we are using group-based filtering for our pilot, the original sync scope from DirSync might still be interfering.

AAD Connect Filtering

"Azure AD Connect only deletes objects that it has once considered to be in scope. If there are objects in Azure AD that were created by another sync engine and these objects aren't in scope, adding filtering doesn't remove them. For example, if you start with a DirSync server that created a complete copy of your entire directory in Azure AD, and you install a new Azure AD Connect sync server in parallel with filtering enabled from the beginning, Azure AD Connect doesn't remove the extra objects that are created by DirSync."

5. Can you explicitly confirm that stale configuration from DirSync is interfering with our new AAD Connect setup? If yes, will recreating these objects in AAD resolve the issue?

Thanks!!



SAML required Permissions AAD


Hello,

I have a question regarding the permissions for the SAML mechanism. The aim is to use the ADAL SDK within this authentication process. I followed this guide (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-customer-cloud-tutorial) to set up Azure AD.

Below is the simplified authentication process.

The SAML-enabled application (Service Provider) redirects to Azure AD (the Identity Provider), where no password is stored. The URL is https://login.microsoftonline.com/xxxxx; after providing the UPN I get forwarded to the internal ADFS, where I enter the password, and afterwards I am directed back to Azure AD, where the permission error occurs.

After providing the right credentials for the user in the internal ADFS, an error occurs in Azure AD regarding the permissions for AAD.

"AADSTS65005: Misconfigured application. This could be due to one of the following:
The client has not listed any permissions for 'AAD Graph' in the requested
permissions in the client's application registration. Or, the admin has not consented
in the tenant."

The application doesn't need any further permissions to access APIs on Azure AD except the ones needed for the SAML process. In the scenario where the error occurs, only read permissions are set (application and delegated). I think write permissions are also required due to the management of the several tokens, but which ones exactly? I don't want to give the application more permissions than required.

What permissions are needed exactly in this scenario?

Thank you very much and kind regards,

Flo

Linux-Openldap equivalent in Azure


Hello,

We are using OpenLDAP to serve the directory needs of a SaaS-based web application. Is there an OpenLDAP equivalent in Azure to which I can migrate the existing schema and data and point my app for authentication/authorization purposes?

Environment: AWS Ubuntu EC2, OpenLDAP.

Thanks in Advance

Azure AD Connect Health Sync Monitor High CPU Usage

Hello. I have Azure AD Connect installed on my server to sync our on-premises domain with Office 365, and I'm noticing the Azure AD Connect Health Sync Monitoring Service is always running at high CPU usage. The actual process is Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe. Is there a reason for this or a way to fix it? Right now, I'm just stopping the Azure AD Connect Health Sync Monitoring Service (AzureADConnectHealthSyncMonitor) and my resources go back to normal. I'm running Azure AD Connect 1.1.819.0, so it is the latest version. If I restart the service, things are normal for a few minutes before this process spikes again. Any help would be appreciated. Thanks!

Migrate openldap to AzureAD

Hello, 

I come from a pure AWS world and am exploring Azure to migrate resources. I have an OpenLDAP server on a Linux VM in AWS serving our web application.
I'm planning to migrate it to Azure AD to utilize the SSO ability for some of our applications.

Is there a way to export the LDIF from OpenLDAP and import it into AD? Apparently AD Connect on Azure only supports Windows servers.

Thanks in Advance 


Can't login to my new Lynda.com LinkedIn Learning - Azure AD Error


Trying to access my new Lynda LinkedIn Learning using my account, I get the following error:

Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'frmateo@live.com' from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application 'https://www.linkedin.com/learning/ABEAAAAAAAAADPoAAAAAACFVmgFvTxOkj9WDa4_9bWKuJSRyMruh_g' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Please advise.

fimateof@gmail.com

frmateo@live.com

AD Authentication with Windows/Service App


Hi,

I am developing a .NET Windows application and am trying to integrate Active Directory using the ADAL library. We don't want to use a storage/container key. I registered the app as a Native App in Azure Active Directory and ran into the following two issues.

1. I keep getting the error AADSTS65001: The user or administrator has not consented to use the application with ID 'a87d3d9f-cbdc-465d-aa8d-d506ebec064b' named 'Test1'.

 a. I am a global administrator for my AD. I granted the permission (global consent) for this app, but that didn't help.

 b. I also manually consented; that also didn't help.

 c. Set oauth2AllowImplicitFlow to true in the manifest for the test1 app.

Here is the code:

using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET

// AuthEndpoint, TenantId, ResourceId and ClientId are defined elsewhere in the app.
string authority = string.Format(CultureInfo.InvariantCulture, AuthEndpoint, TenantId);
var authContext = new AuthenticationContext(authority);
var userCredential = new UserPasswordCredential("user@domain.com", "password");
// Acquire an access token from Azure AD using an explicit username and password.
var result = authContext.AcquireTokenAsync(ResourceId, ClientId, userCredential).Result;


2. The code above connects with an explicit Windows username and password, but our ultimate goal is to use the logged-in user. I have been told (Google) it should be possible if I am using Active Directory, but I am getting the following error.

{"password_required_for_managed_user: Password is required for managed user"}

Here is the code:

using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET

// AuthEndpoint, TenantId, ResourceId and ClientId are defined elsewhere in the app.
string authority = string.Format(CultureInfo.InvariantCulture, AuthEndpoint, TenantId);
var authContext = new AuthenticationContext(authority);
// No username/password: ADAL attempts integrated Windows authentication for the logged-in user.
var userCredential = new UserCredential();
// Acquire an access token from Azure AD for the currently signed-in Windows user.
var result = authContext.AcquireTokenAsync(ResourceId, ClientId, userCredential).Result;

Could you guys help us resolve this?

Unable to connect to Azure AD


How do I connect to Azure AD with MFA enabled? We are using an Exchange hybrid environment, and we enabled MFA a few days back.

When I log in to the Windows Azure Active Directory Module for Windows PowerShell and use the syntax below:

Connect-MsolService

Connect-MsolService : This account is blocked. Contact your Tenant administrator.
At line:1 char:1
+ Connect-MsolService
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : 0x80048823,Microsoft.Online.Administration.Automation.ConnectMsolService

------------------------------------------------

I have even connected to Exchange Online using MFA and typed the command Connect-MsolService; I am getting the same error.

Experts, please help me.


sAMAccountName attribute in Azure AD



Almost all enterprise applications use the sAMAccountName attribute as the username for applications that use AD/SAML for authentication.

So, I am wondering if there is an attribute that stores the username of the account in Azure AD?

Thanks

Syncing email attributes to workday


Hello Team,

Azure AD doesn't sync email attributes to Workday. I have gone through the article (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/workday-inbound-tutorial) but made no headway. Therefore, no email attributes are provisioned in Workday. Kindly assist in proffering a solution to the issue. Thanks

Can we have a custom Azure SSPR URL?


Hi,

Can we have custom Azure SSPR URLs, e.g. https://passwordregister.company.com and https://passwordreset.company.com?

And can we upload an already purchased SSL certificate for these URLs?

Thank you,

SK

Add an app role using Microsoft Graph API

I have created an app registration in Azure AD. I want to add an app role using the Microsoft Graph API programmatically. Is this functionality supported by the Microsoft Graph API?

AAD Connect - Merge cross forest groups and export to Azure AD


Hi all, 

I'm facing an issue in an Active Directory migration whereby I would want to merge 2 groups (one from forest A and one from forest B) via AAD Connect and export the result to Azure AD so that users from forest A and forest B are included in the same group.

Does anyone know if this is possible, and how to adapt the AAD Connect synchronization rules to achieve it?

With kind regards,

Sebastian 

Azure Single Sign On


Hi all

When a user tries to perform a password reset on our website using Azure single sign-on, they receive an authentication code via email, even if they do not exist in our Azure Active Directory.

Does anyone know why this is?

Thanks,

Rob

How to remove Store and Groups links on Azure Access Panel Applications


I'm trying to remove the "Store" and "Groups" links on the Azure Access Panel Applications page, but I can't find anything. All the options in AD are for Apps, but these are "Features" in AD. Any idea?

Thanks!

Alejandro


Can we automate user provisioning for enterprise applications?


Hello 

Is there any workaround for provisioning users to SaaS enterprise applications automatically in Azure?

Please help!

Azure Issue

Having an issue with the "Users may register their devices with Azure AD" option under Devices > Device Settings being grayed out. This matters because a user is unable to load O365 on her laptop due to this error: "We weren't able to register your device and add your account to Windows. Your access to org resources may be limited."

Options for using Azure AD to sign in to an application in Azure

Can anyone guide me in the right direction on the best possible options for using Azure AD to sign in to an application in Azure? Please help me.

Azure initial setup questions


Our goal is to remove our current DR private cloud infrastructure and set up a replacement on Azure. We will just have an Exchange VM, a File Server VM, and an anti-email-spam VM.

I plan on following this page to get it set up, using VPN and virtual machines: https://social.technet.microsoft.com/wiki/contents/articles/51353.azure-step-by-step-guide-extending-ad-ds-to-azure-using-site-to-site-vpn-or-express-route.aspx

However, I've been reading about Azure AD, Azure AD Connect, and Azure AD Domain Services, and I am a little confused by them. Do these technologies basically sync your on-prem AD to Azure AD but on a separate domain? Say my on-prem domain is called abc.com; I assume the Azure AD will be called efg.com? I saw that Azure AD Domain Services syncs the on-prem SIDs to Azure AD, but the domains will be different? Also, it said that Domain Services is cheaper, $110/month for <25k AD objects. If I spin up a VM and run a domain controller, it should be cheaper than that per month, like $50/60.

Will having these Azure technologies benefit me if I simply want to establish a DR environment in Azure? (I know about the less maintenance, no patching, and high availability parts.)

Thanks

Azure AD with CoreHR Integration


Hi Team,

Has anybody integrated Azure AD with third-party Core HR systems for SSO?
