Channel: Azure Active Directory forum

Create all resources inside Azure Active Directory B2C?


Hello, I'm new to Azure and I want to be clear about AAD B2C.

I'm creating a web service which includes user login, so I created a new tenant of AAD B2C to manage users' accounts.
I found out that since I've created a new directory, there are no resources like the Blob Storage that I created in the original directory.

I want to know which of these is more common for development:

a) The AAD B2C directory is used for user management only, and other resources are created in the original directory.

OR

b) Create all resources in the AAD B2C directory for the same service.

I'm sorry my explanation is not good, so ask me if you don't understand what I want to say.


Can't login to my new Lynda.com LinkedIn Learning - Azure AD Error


Trying to access my new Lynda LinkedIn Learning using my account, I get the following error:

Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'frmateo@live.com' from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application 'https://www.linkedin.com/learning/ABEAAAAAAAAADPoAAAAAACFVmgFvTxOkj9WDa4_9bWKuJSRyMruh_g' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Please advise.

fim*****@gmail.com

frm****@live.com


How can we make our app privileged in AAD?


We are building a service where we use AAD to authenticate users. We also need to read the groups the user is a member of from AAD, so that we can resolve the permissions the user should have in our system (we shadow some of the groups from AAD in our system and have system-specific permissions stored on our side). However, what we face is that to query AAD for the permissions of the user, it seems our app needs permission to read all groups (the full directory) in AAD.

The question is, how can we make our app privileged in AAD to only read certain groups from the directory?

Register proxy failing with certificate error


Running the Register-AzureADPasswordProtectionProxy cmdlet returned no errors, but my agents were reporting that no registered proxy service was found.

Enabling the Trace log and re-running Register-AzureADPasswordProtectionProxy returns the following error:

ProxyCertificatesPopulator: Microsoft.DeviceRegistration.JOSE.JoseException: The certificate validator indicated that the signingCertificate is not trusted
   at Microsoft.DeviceRegistration.JOSE.JWSHelper.ValidationWorker2(String JWS, X509Certificate2 expectedSigningCert, ICertificateValidator certValidator, X509Certificate2& signingCert, Byte[]& payload)
   at Microsoft.DeviceRegistration.JOSE.JWSHelper.ValidateSignature(String JWS, ICertificateValidator certValidator, String& payload)
   at ServiceCommon.Converters.ProxyCertAndChainConverter.Convert(ProxyCertAndChainSerialized proxyCertAndChainSerialized)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.UpdateCurrentPublicDataIfNecessaryWorker(FileContentAndPath1 latestContent, Boolean fromBackup)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.UpdateCurrentPublicDataIfNecessary(FileContentAndPath1 latestContent, Boolean fromBackup)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.PopulateDirectoryFiles()
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent3.HandlePopulateDirectory(Object state, Boolean timedOut)

Proxy and AD servers are 2012 R2 with latest updates, including the Universal C update. AD is using DFSR replication. 


Download and Upload Default B2C Signin Policy


Hello All,

I have created a B2C Signin Policy using the B2C default policy (from the screen, not a custom policy) in the development environment. Now I want to move this policy to a different environment, say the Quality environment. How do I copy all the configuration of the B2C Signin policy from Development to the Quality environment?



Azure MFA with onpremise RDS


Hi, I have an issue getting MFA working with our on-premises RDS environment on a 2016 server.

I have installed:

Azure MFA server
Azure AD Connect
Configured the MFA provider with authentication-based billing
NPS extension is installed on the domain controller
Enabled MFA auth on the AD object

Now when I log in to RDS, the login fails and I receive an OTP SMS code for 2FA.

This error is generated on the server where the NPS extension is installed:

###########################################

Network Policy Server denied access to a user.
 
Contact the Network Policy Server administrator for more information.
 
User:
Security ID: mydomain\test1
Account Name: mydomain\test1
Account Domain: mydomain
Fully Qualified Account Name: mydomain.com/Companies/test1
 
Client Machine:
Security ID: NULL SID
Account Name: PC1
Fully Qualified Account Name: -
Called Station Identifier: UserAuthType:PW
Calling Station Identifier: -
 
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -
 
RADIUS Client:
Client Friendly Name: RDSGateway
Client IP Address: 192.168.100.12
 
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: RDG_CAP
Authentication Provider: Windows
Authentication Server: LAB-DC1.mydomain.com
Authentication Type: Extension
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 21
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

#################################################### 
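The NPS "denied access" event quoted above has a stable section/key layout, so it can be parsed rather than read by eye. The following is an added example, not code from the post or from Microsoft: it splits NPS audit text into events, keys each field by its section (so the two "Account Name" lines under User and Client Machine do not collide), and flags Reason Code 21 with Authentication Type "Extension" as a rejection by the NPS extension DLL rather than by NPS policy. The sample text is the event from the post trimmed to the fields used, plus a constructed "granted" event for contrast; the verdict names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the NPS "denied access" event quoted in the post above,
# trimmed to the fields used here, plus a constructed "granted" event for contrast.
SAMPLE_EVENTS = r"""Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: mydomain\test1
Account Name: mydomain\test1
Account Domain: mydomain
Fully Qualified Account Name: mydomain.com/Companies/test1

Client Machine:
Security ID: NULL SID
Account Name: PC1
Called Station Identifier: UserAuthType:PW

RADIUS Client:
Client Friendly Name: RDSGateway
Client IP Address: 192.168.100.12

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: RDG_CAP
Authentication Provider: Windows
Authentication Server: LAB-DC1.mydomain.com
Authentication Type: Extension
Reason Code: 21
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

Network Policy Server granted access to a user.

User:
Security ID: mydomain\test2
Account Name: mydomain\test2

RADIUS Client:
Client Friendly Name: RDSGateway
Client IP Address: 192.168.100.12

Authentication Details:
Network Policy Name: RDG_CAP
Authentication Type: Extension
Reason Code: 0
Reason: The connection request was successfully authenticated (constructed text).
"""

# Every NPS audit event opens with one of these two header lines.
HEADER_RE = re.compile(r"^Network Policy Server (granted|denied) access to a user\.$", re.M)


@dataclass
class NpsEvent:
    outcome: str              # "granted" or "denied"
    fields: Dict[str, str]    # "<Section>/<Key>" -> value

    def get(self, key: str, default: str = "-") -> str:
        return self.fields.get(key, default)


def split_events(text: str) -> List[str]:
    """Cut a block of NPS audit text into one chunk per event header."""
    starts = [m.start() for m in HEADER_RE.finditer(text)]
    return [text[s:(starts[i + 1] if i + 1 < len(starts) else len(text))]
            for i, s in enumerate(starts)]


def parse_event(chunk: str) -> NpsEvent:
    """Parse one event; a line ending in ':' opens a section, 'Key: Value' lines fill it."""
    outcome = HEADER_RE.match(chunk).group(1)
    fields, section = {}, ""
    for line in chunk.splitlines()[1:]:
        line = line.strip()
        if not line or ":" not in line:
            continue                      # prose line such as "Contact the ... administrator"
        if line.endswith(":"):
            section = line[:-1]
            continue
        key, value = line.split(":", 1)   # split on the first ':' only (values may contain ':')
        fields[f"{section}/{key.strip()}"] = value.strip()
    return NpsEvent(outcome, fields)


def classify(ev: NpsEvent) -> str:
    """Reason Code 21 + Authentication Type 'Extension' means the extension DLL vetoed the request."""
    if ev.outcome == "granted":
        return "granted"
    code = ev.get("Authentication Details/Reason Code")
    if code == "21" and ev.get("Authentication Details/Authentication Type") == "Extension":
        return "extension_rejected"
    return "denied_code_" + code


def summarize(text: str) -> List[Dict[str, str]]:
    """One triage row per event: who, from which RADIUS client, under which policy, and the verdict."""
    rows = []
    for chunk in split_events(text):
        ev = parse_event(chunk)
        rows.append({
            "user": ev.get("User/Account Name"),
            "client_ip": ev.get("RADIUS Client/Client IP Address"),
            "radius_client": ev.get("RADIUS Client/Client Friendly Name"),
            "policy": ev.get("Authentication Details/Network Policy Name"),
            "verdict": classify(ev),
        })
    return rows


def denied_by_user(rows: List[Dict[str, str]]) -> Counter:
    """Count non-granted events per account, e.g. to spot one user failing repeatedly."""
    return Counter(r["user"] for r in rows if r["verdict"] != "granted")


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

An "extension_rejected" verdict says NPS itself accepted the request and handed it to the extension, so the next place to look is the extension's own logging rather than the NPS network policy.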

sAMAccountName attribute in Azure AD



Almost all enterprise applications use the sAMAccountName attribute as the username for applications that use AD/SAML for authentication.

So, I'm wondering if there is an attribute that stores the username of the account in Azure AD?

Thanks

Group policy in two way trust in Azure AD

I have a two-way trust between two domains, say ABC and contoso. ABC domain users can read and write contoso domain users, but contoso domain users can only read ABC domain users. How do I achieve this?

Syncing email attributes to workday


Hello Team,

Azure AD doesn't sync email attributes to Workday. I have gone through the article (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/workday-inbound-tutorial) but made no headway. Therefore, no email attributes are provisioned in Workday. Kindly assist in proffering a solution to the issue. Thanks

Configure Single Sign-On Tab is not available


Hi Team,

I am configuring SSO for an application in Azure AD, but I couldn't see the SSO tab for that specific application.

I guess it will be available if I use a Non-Gallery application, but that would require AAD Premium. So is it possible to get the SSO tab without AAD Premium?

Thanks and Regards,

Deepika


How to handle 401 error when using Azure App Authentication


Hi!

I'm using Azure App Authentication with Azure Active Directory as the provider. I have it set to Allow Anonymous Requests and the site pushes the user to /.auth/login/aad when authentication is required. This works flawlessly UNLESS the user has a valid Microsoft login but it's not assigned to my AD App (basically authenticated but not authorized). In that case they land at /.auth/login/aad/callback and get the ugly text message below:

{"code":401,"message":"An error of type 'access_denied' occurred during the login process: 'AADSTS50105: The signed in user is not assigned to a role for the application '18b35087-4aa1-453d-8770-89e52942ce59'.\u000d\u000aTrace ID: e690c46c-f61c-49ca-8ba8-9bed3e2b2800\u000d\u000aCorrelation ID: 23160c20-d9cf-4f0e-8678-57cbbcb3a5db\u000d\u000aTimestamp: 2018-08-16 17:27:22Z'"}

So my question is, how do I prevent this ugly message? I do set post_login_redirect_uri when calling /.auth/login/aad to tell the provider where to return the user once authenticated. Shouldn't it return them there? Or is there another parameter I can set to tell the provider where to return a user who isn't authorized?

I know I could set User Assignment Required in the AD App settings to No and then everyone would just get passed on through and then my code could do the authorization... but I like the security of AD doing it. I just want more control over what happens if authorization fails.

- Ron

How to access Source Property on Azure AD user profile?


Azure AD has a Source property. The Graph API returns a user profile which does not have Source.

How can I access this property in code?

How-to set the user identifier claim depending on the UserType (Guest / Member) in Enterprise applications?

I registered a custom enterprise application to issue SAML 1.1 tokens as described in this article.
I set the user identifier to "user.UserPrincipalName" and it's working fine.

But in another scenario, I have an app registration with ADFS, and upon authentication, Azure AD issues a SAML 2 token (to ADFS) with the user identifier set like this (non-configurable by the administrator):
- if UserType is "Member": claim type "name" is set with the property UserPrincipalName
- if UserType is "Guest" : claim type "name" is set with the property Mail

Here are my questions:
- For consistency, I need to make a similar configuration of the user identifier in the custom enterprise application: how can I configure Azure AD to set the user identifier value to the property UserPrincipalName for "Member" and Mail for "Guest"?
- Overall, what is the best practice for handling the user identifier of Guest users? It feels very inconsistent to use a different property depending on the UserType (which is what Azure AD does with my ADFS app registration and which I cannot change).

Device Authentication while off premises


Good Day,

Our issue is that when users are off the corporate network (i.e. travelling abroad) and they forget their password, they are currently out of luck, and the only way to get them back into their laptop would be for them to return to one of our sites to sign in.

I've set up AAD with password writeback and users are able to change their own passwords via office.com, but again, they still have to return to the LAN to authenticate against a domain controller to access their machine with their changed password.

I'm trying to find out if devices can be synced with AAD so that if a user is off the LAN, all they would need is internet access and they could authenticate against AAD to gain access to their laptop with a changed password.

I've attempted an EMS FastTrack with Microsoft, but this only led to the consultant saying that we are too far along in the integration for FastTrack to be of any use, and I'm not getting any clear suggestions as to whether the above can be implemented or not.

Any advice is highly appreciated.

Update DomainDNSName, NetBIOSName & OnPremisesSamAccountName without using AAD Connect


Hi,

We use Okta for synchronizing accounts to Azure AD.

We plan to use AAD Join for our Windows 10 devices; it works well with AAD Connect (as AAD Connect synchronizes the attributes DomainDNSName, NetBIOSName & OnPremisesSamAccountName).

Okta could not update these attributes, so I want to find a way to update the attributes (by using PowerShell or the Graph API?).

I would also like to know if there is any possibility of syncing the msDS-KeyCredentialLink attribute to on-premises without using AAD Connect so that I can use Windows Hello.



All devices in Azure Active Directory


Hello,

I've gone into Azure Active Directory > All devices and all our workstations are in there; is this normal?

Most say "Hybrid Azure AD joined" but some say "Azure AD registered", and these ones have started to get logon prompts. No one knows why.

Thanks

Using Azure (requires Anonymous Authentication) removes username from IIS Log of User Traffic?


We recently converted one of our .NET applications from WIF to Azure AD authentication. Under WIF, the IIS logs contained the username in the traffic, so that we could crawl the logs and generate usage analytics.

Under Azure AD, anonymous authentication is needed in order for it to work. Our IIS logs now show "-" as the user and our analytics engines are not reporting proper data.

Is there a way to re-integrate the use of Azure AD so as to add the user back to the IIS logs?


Can't find my persistent cookie after logging in to B2C.


I am trying to detect a login for a user from a browser that is new to them. 

It could be a new PC, a new browser, etc.  I'm doing this to attempt to notify them of a possible security problem. You know, someone else logging in on a computer they don't recognize.

My plan was to add a guid to a cookie and, at login, retrieve that cookie and see if that user has logged in with that cookie present before.  I am not storing any auth information, just a unique device id.

Here's my set up:

Now processing the login...

And here are the screenshots from Chrome.

Here, I am logged in and the cookie is there:

I log out and the same cookie value is still there, so far so good.

But I put a breakpoint in my code so I could see the state of the browser after returning from B2C and redirecting back to my site. And the cookie is gone, which causes my site to think it's a login from a new device.

I can see that the domains are different, and I understand cookies are particular to a domain, but I don't know where it went.

Is there any chance that this is related to localhost? I'm pretty sure I'll be using cookies for other things and I don't understand what's happening.

Thanks in advance.

#noobalert

Relevant stuff:

  • Asp.Net Core 2.1
  • Chrome
  • Windows 10
  • Azure B2C
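The plan described in this post (a per-device identifier in a cookie, compared at login to the devices the user has signed in from before) is shown below as an added example; it is not the poster's ASP.NET Core code and not part of Azure B2C. It assumes a server-side store keyed by user (a dict here, a database in practice) and a hypothetical cookie name. Two points matter for the symptom in the post: the cookie is host-scoped, so a value set by the site on localhost is never sent to the B2C login host and must be read back in the site's own callback handler, on the same host, after the redirect returns; and the device id is HMAC-signed so a client cannot forge a "known device" value to suppress the notification.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Set, Tuple

COOKIE_NAME = "device_id"                 # hypothetical name, chosen for this example
DEVICE_COOKIE_MAX_AGE = 365 * 24 * 3600   # one year, in seconds


def issue_device_cookie(secret: bytes) -> Tuple[str, str]:
    """Mint a random opaque device id and return (device_id, signed cookie value)."""
    device_id = secrets.token_urlsafe(16)   # URL-safe alphabet, never contains '.'
    sig = hmac.new(secret, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id, f"{device_id}.{sig}"


def verify_device_cookie(secret: bytes, value: str) -> Optional[str]:
    """Return the device id if the cookie carries a valid HMAC, else None."""
    if not value or "." not in value:
        return None
    device_id, sig = value.rsplit(".", 1)
    expected = hmac.new(secret, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if hmac.compare_digest(sig, expected) else None


def set_cookie_header(value: str) -> str:
    """Build the Set-Cookie header: host-only (no Domain), Secure, HttpOnly, SameSite=Lax."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = DEVICE_COOKIE_MAX_AGE
    morsel["secure"] = True      # only sent over HTTPS
    morsel["httponly"] = True    # not readable by page scripts
    morsel["samesite"] = "Lax"   # still sent on the top-level redirect back from the login host
    return jar.output(header="Set-Cookie:")


def check_login(store: Dict[str, Set[str]], secret: bytes,
                user: str, cookie_value: Optional[str]) -> Tuple[str, str]:
    """Run in the site's own post-login callback, on the host that set the cookie.

    Returns (verdict, cookie value to set):
      "known"  - valid cookie, device already seen for this user
      "new"    - missing cookie, or a valid cookie from a device this user has not used
      "forged" - cookie present but its signature does not verify
    A "new" or "forged" result is the trigger for the "new device" notification.
    """
    seen = store.setdefault(user, set())
    device_id = verify_device_cookie(secret, cookie_value) if cookie_value else None
    if device_id is not None:
        if device_id in seen:
            return "known", cookie_value
        seen.add(device_id)          # valid device, first time for this user (e.g. shared PC)
        return "new", cookie_value
    verdict = "forged" if cookie_value else "new"
    new_id, new_value = issue_device_cookie(secret)
    seen.add(new_id)
    return verdict, new_value


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret-rotate-me"   # constructed; load from config in practice
    devices: Dict[str, Set[str]] = {}
    verdict, cookie = check_login(devices, demo_secret, "alice", None)
    print(verdict, set_cookie_header(cookie))
    print(check_login(devices, demo_secret, "alice", cookie)[0])
```

With the Secure flag set, the cookie is only sent over HTTPS; when testing on plain http://localhost, browsers differ in whether they treat that origin as secure, so a cookie that "disappears" during local testing may simply not have been sent. The header deliberately sets no Domain attribute, so the cookie stays bound to the exact host that issued it.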

Azure AD Connect 1.1.750.0 cannot uninstall


Hi all,

With the assistance of a M$ engineer, AAD Connect is in a limbo state on one of our servers. When I run the installer, I get an error about services not existing. When I try to uninstall via Control Panel, the uninstaller appears to be missing.

We moved AAD Connect to another server and so just want to remove the remnants from this old install. Can this be done manually?

It is still showing up in Azure online but obviously with errors.

Thanks in advance

Wayne

Migrate openldap to AzureAD

Hello, 

I come from a pure AWS world and am exploring Azure to migrate resources. I have an OpenLDAP server on a Linux VM in AWS serving our web application.
I'm planning to migrate it to Azure AD to use the SSO ability for some of our applications.

Is there a way to export the LDIF from OpenLDAP and import it into AD? Apparently AD Connect on Azure only supports Windows servers.

Thanks in Advance 

