Channel: Azure Active Directory forum

Azure B2C - User settings - Sorry! You do not have access to this page

This question is quite simple: when trying to access the User settings in Azure I always get the message:

Sorry! You do not have access to this page.

Why can't I access this page even though I have global administrator permission? Do I need to add other permissions somewhere?

I appreciate any help!

Security for User Settings Page


We have 2 Azure B2C tenants, which we're currently using more like B2B tenants. My issue is that since the removal of the old admin portal, I cannot add external accounts (I was able to do so under the old portal very easily). I'm aware I need to invite guests, but I get a generic "Unable to Invite User" error when trying to invite an external user. I believe this is due to a setting issue for guest inviting; however, I cannot access the User settings page to change the guest invite permissions. I get a very basic error: Sorry! You do not have access to this page.

My user account is a global admin for the tenant, yet I cannot determine what I need to do to gain access to this page. Is anyone able to provide some assistance with this issue?

 

Windows 10 1803 - Join AD via Provisioning Package


Hello!
Right now we are deploying devices with Windows 10 1709 and joining them to Azure Active Directory using provisioning packages. This works perfectly (except for the fact that the bulk token needs to be refreshed every 30 days).

However, we wish to make the switch to 1803, but the provisioning package fails while joining the AD. All other settings, like the upgrade to Enterprise etc., are configured correctly, but actually joining AD fails.

I've completely recreated the package in ICD 10.0.17134.1 (1803) and still, to no avail.

The message in the event log (Provisioning-Diagnostics-Provider) is the one below:

ProvXML category 'DeviceAADJoin' failed with '0x80070057' at CSP node 'AADJ/BPRT'. Provisioning failed

This is from the AAD event log:

Error: 0xCAA5001C Token broker operation failed.Operation name: AddAccount,
Error: -895352821 (0xcaa2000b), Description: AADSTS50001: Resource 'https://enrollment.manage.microsoft.com/' is disabled.
Trace ID: e89d2d37-1a08-40fd-8655-33217cc60700Correlation ID: 68407247-141e-4ad0-bece-143152bfcbcfTimestamp: 2018-08-17 00:14:11Z
Logged at webaccountprocessor.cpp, line: 532, method: AAD::Core::WebAccountProcessor::ReportOperationError.


This happens on 2 different Azure domains (test and production) with confirmed accounts.


The actual XML of the package uses

<Authority>https://login.microsoftonline.com/common</Authority>

(automatically generated by the ICD). This URL, however, returns a 404?

Update DomainDNSName, NetBIOS name & onPremisesSamAccountName without using AAD Connect


Hi,

We use Okta for synchronizing accounts to Azure AD.

We plan to use AAD Join for our Windows 10 devices. It works well with AAD Connect (as AAD Connect synchronizes the attributes DomainDNSName, NetBIOS name & onPremisesSamAccountName).

Okta cannot update these attributes, so I want to find a way to update them (using PowerShell or the Graph API?).

I would also like to know if there is any possibility to sync the msDS-KeyCredentialLink attribute to on-premises without using AAD Connect, so that I can use Windows Hello.


Single-tenant to multi-tenant migration: how to access multi-tenant data in Azure?


I have a client app (daemon service) which checks if a user exists in a single-tenant mailbox.
I use the client_credentials auth mechanism (certificate) to speak to the registered app in Azure.
Graph permission to access user details is also granted in Azure by an admin during app registration via the grant permission button, so there is no user intervention for consent.


token_url = 'https://login.microsoftonline.com/{tenant_id}/oauth2/token'
post_request_data = {
    'resource': 'https://graph.microsoft.com/',
    'client_id': client_id,
    'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion': assertion(),
    'grant_type': 'client_credentials'
}

The assertion value is the RSA-signed value of this header and payload:

client_assertion_header = {
    'alg': 'RS256',
    'x5t': thumbprint,
}
client_assertion_payload = {
    'sub': client_id,
    'iss': client_id,
    'jti': GUID,
    'exp': ten_mins_from_now,
    'nbf': now,
    'aud': token_url
}


For a single tenant everything works perfectly, as I know the tenant ID (I explicitly set the tenant ID in the token URL and use the obtained bearer token in the Graph API call)!
Now I need to convert this application to access users of multiple tenants (more than one tenant). A user can be in tenant A or tenant B.
In the multi-tenant case my client app will only know the user ID (and not the tenant ID) when it makes the token request.

Things to keep in mind
1. I am an admin of both tenants.
2. There is no user intervention, consent should be given in Azure portal itself (cannot do based on user sign in).
3. I can use only client credentials auth flow as client app runs as daemon service

I tried marking the application as multi-tenant and acquiring a token from the /common endpoint. But the obtained token cannot be used for the Graph API call; it throws the error "The identity of the calling application could not be established".

I think this is because Graph would not know which tenant it should route the call to, so I think that's why it gives the error.

I am not sure if my application belongs to the multi-tenant category.
Can someone please help me on how to proceed? Is there anything I can do in the manifest file? A sample implementation would also help!
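As an added example (not code from the original post), here is the post's client-assertion flow written out per tenant: the assertion's aud and the token URL name the tenant explicitly, the x5t header is derived from the certificate thumbprint bytes, and the /common alias is refused up front because the client_credentials grant has no signed-in user from which a tenant could be resolved. The thumbprint, tenant IDs and client ID below are constructed placeholders; the RS256 signer is supplied by the caller (the demo uses a throwaway key from the cryptography package if it is installed).

```python
import base64
import json
import time
import uuid


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_from_hex_thumbprint(thumbprint_hex: str) -> str:
    """x5t is the base64url-encoded SHA-1 thumbprint *bytes*, not the hex
    string shown in the portal."""
    clean = thumbprint_hex.replace(":", "").replace(" ", "")
    return b64url(bytes.fromhex(clean))


def token_endpoint(tenant_id: str) -> str:
    """client_credentials has no signed-in user, so the request must name the
    tenant; the /common alias cannot be resolved to one."""
    if tenant_id in ("common", "organizations", "consumers"):
        raise ValueError(f"client_credentials needs a tenant ID, not '{tenant_id}'")
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def build_client_assertion(client_id, tenant_id, thumbprint_hex, sign_rs256, now=None):
    """Build the JWT from the post (iss/sub/jti/nbf/exp/aud) for one tenant.
    sign_rs256: caller-supplied callable, bytes -> RSA PKCS#1 v1.5 / SHA-256 signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_from_hex_thumbprint(thumbprint_hex)}
    payload = {
        "aud": token_endpoint(tenant_id),  # must equal the endpoint you POST to
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion
        "nbf": now,
        "exp": now + 10 * 60,  # short-lived, as in the post
    }
    segments = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    return signing_input + "." + b64url(sign_rs256(signing_input.encode("ascii")))


def token_request(client_id, tenant_id, assertion, resource="https://graph.microsoft.com/"):
    """Tenant-specific URL and form body for the token POST (v1 endpoint, as in the post)."""
    form = {
        "resource": resource,
        "client_id": client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
        "grant_type": "client_credentials",
    }
    return token_endpoint(tenant_id), form


def decode_claims(jwt: str) -> dict:
    """Decode the payload without verifying the signature (inspection/tests only)."""
    part = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


if __name__ == "__main__":
    # Demo signer: a throwaway RSA key if `cryptography` is installed, else a stub.
    try:
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        def signer(data): return key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    except ImportError:
        def signer(data): return b"stub-signature"
    demo_thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed value
    for tenant in ("tenant-a-id", "tenant-b-id"):  # placeholder tenant IDs
        jwt = build_client_assertion("my-client-id", tenant, demo_thumbprint, signer)
        url, form = token_request("my-client-id", tenant, jwt)
        print(tenant, "->", url, "aud matches:", decode_claims(jwt)["aud"] == url)
```

The tenant ID has to come from somewhere before the token call; with only a user ID in hand, the app needs its own mapping of users (or their domains) to tenant IDs, and the app must be consented in each tenant so that the per-tenant token request succeeds.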

 

Azure AD B2C Msal.js acquireTokenSilent Performance issue


Hi Microsoft Azure Team,

I have a .NET Core 2 solution with 2 projects: 1. SPA, 2. Web API (both will be hosted in Azure Web Apps later).

I am using Azure AD B2C with MSAL.js to log in to the SPA and call the authenticated endpoints in the Web API project.

I would be converting the SPA to a Progressive Web App later. 

As per the documentation, after the user logs in to the SPA, acquireTokenSilent can be used for making subsequent calls to the Authenticated endpoints.

I am able to log in to the SPA, use acquireTokenSilent to get the access token, and call my Web API endpoints in the Web API project.

My problem is that acquireTokenSilent is taking 4-5 seconds (from my local development machine; the JS is not bundled yet) to get the access token.

I will be testing after deploying these both as Azure Websites (with JS bundled) at a later stage.

Will I face this performance lag after bundling the JS files and deploying in Azure?

Kindly advise on performance improvements, since this is making my app very slow.

Azure AD Authentication Library - AcquireTokenAsync() got SSL/TLS Error - remote certificate is invalid according to the validation procedure


Recently we have run into a problem with our web app's integration with Azure AD B2C using the Graph API.

We believe the problem has something to do with the SSL/TLS certificate on one or more of the Azure AD Graph API endpoints (on https://login.microsoftonline.com).

The problem seems to have started in early July (which seems to align with the SSL3 obsolescence timeline of June 30, 2018).

Beforehand, our code worked fine integrating with Azure AD B2C over the Graph API using the Azure Active Directory Authentication Library (ADAL) .NET.

Now, it seems like there is a random issue with the ADAL authentication context's AcquireTokenAsync() call throwing the following exception:

2018-07-24T13:08:44  PID[6124] Information RemoteCertificateValidationCallback(F3B414056D8FB86D98FB6F282D8F451F0A87BA40, None)
2018-07-24T13:08:44  PID[6124] Error       AzureADRequest Error: System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper.<GetResponseAsync>d__31.MoveNext()

The issue doesn't happen all the time. It can work fine for a while, then not work for maybe 15-30 minutes; after restarting the web app there's a chance that it's back to normal for a while.

It seems like one (or more) of the authentication servers on login.microsoftonline.com has a bad SSL/TLS certificate.

According to the diagnostics trace, it seems like the failing certificate has the thumbprint F3B414056D8FB86D98FB6F282D8F451F0A87BA40.

When the integration is working, we get the following log:
2018-07-20T18:05:02  PID[6124] Information RemoteCertificateValidationCallback(D4444B60F628539C586F1AACE0AAA71F7AD8F726, None)

So it seems like the Azure site can trust one certificate (D4444B60F628539C586F1AACE0AAA71F7AD8F726) from Azure AD but not the other (F3B414056D8FB86D98FB6F282D8F451F0A87BA40).

Furthermore, when we try to connect from our local dev environment, using either a console app test or a unit test, we can get the token properly all the time. So we are not sure whether this is related to Azure App Service, a specific data center/location, etc.

We also tried to override the server certificate validation by attaching to ServicePointManager.ServerCertificateValidationCallback, but it is never called (it seems like the ADAL library is doing its own thing).

Any help would be appreciated!


Cannot save G Suite provisioning settings page


I have followed the docs for setting up the G Suite enterprise app with SAML-based sign-on. I managed to sign in with a user account, but new users did not sync, so I found that my provisioning defaulted to manual. I changed it to Automatic, did the Authorize and Test Connection steps, and clicked Save.

After that I wanted to add a notification email on failures and change the scope to all users. Making the changes colours the change in purple, but the Save button did not change to black, so I cannot save the changes. Also, the Provisioning Status is Off; when changing it to On, I still cannot click the Save button to initiate the sync.

I found that if I change something like the status to On and do the Authorize process again, it saves the status, but now I get an authentication failure error while the test connection shows success.

So the result is this message:

Summary
Synchronization is now in quarantine with execution frequency reduced.

Quarantine first initiated at Sun Aug 05 2018 18:03:22 

and I cannot change or save anything now.

Please help.


Command line to export users with rights


Hi all,

I am looking for a command line to export cloud-only users from AAD, with the rights they have. At the moment I'm using this command to export all cloud-only users:

Get-MsolUser -All | Where-Object { [string]::IsNullOrEmpty($_.ImmutableId) } | Export-Csv -Path C:\temp\filename.csv -NoTypeInformation

Can anyone help me out with this? What command do I need to add to export these users with their rights?
Thanks in advance!

Regards,

Kerim Tupkovic
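As an added example (not part of the post or a Microsoft tool), the same report can be built from Microsoft Graph data: filter to cloud-only accounts with the post's criterion (no immutable ID) and join each one to the directory roles it holds. The input below is constructed sample data shaped like the responses of GET /users and GET /directoryRoles/{id}/members; in real use those lists would come from the API, and role membership is what turns a plain user list into an inventory of who holds privileged rights.

```python
import csv
import io

# Constructed sample data, shaped like Microsoft Graph responses
# (GET /users?$select=... and GET /directoryRoles/{id}/members).
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@example.com", "accountEnabled": True,
     "onPremisesImmutableId": None},          # cloud-only
    {"id": "u2", "userPrincipalName": "bob@example.com", "accountEnabled": True,
     "onPremisesImmutableId": "AbCd1234=="},  # synced from on-premises AD
    {"id": "u3", "userPrincipalName": "svc-backup@example.com", "accountEnabled": False,
     "onPremisesImmutableId": ""},            # cloud-only, disabled
]
SAMPLE_ROLES = [
    {"id": "r1", "displayName": "Global Administrator"},
    {"id": "r2", "displayName": "User Administrator"},
]
SAMPLE_ROLE_MEMBERS = {"r1": ["u1"], "r2": ["u1", "u3"]}  # role id -> member user ids


def is_cloud_only(user: dict) -> bool:
    """Same criterion as the post's ImmutableId filter: synced accounts carry
    an immutable id, cloud-only accounts have none."""
    return not user.get("onPremisesImmutableId")


def roles_by_user(roles, role_members):
    """Invert role -> members into user id -> list of role names."""
    index = {}
    for role in roles:
        for member_id in role_members.get(role["id"], []):
            index.setdefault(member_id, []).append(role["displayName"])
    return index


def export_rows(users, roles, role_members, cloud_only=True):
    """One row per (cloud-only) user with the directory roles they hold."""
    index = roles_by_user(roles, role_members)
    rows = []
    for user in users:
        if cloud_only and not is_cloud_only(user):
            continue
        rows.append({
            "userPrincipalName": user["userPrincipalName"],
            "accountEnabled": user.get("accountEnabled", False),
            "roles": ";".join(sorted(index.get(user["id"], []))),
        })
    return rows


def to_csv(rows) -> str:
    """Render the rows as CSV text (same columns as the post's Export-Csv idea)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["userPrincipalName", "accountEnabled", "roles"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(export_rows(SAMPLE_USERS, SAMPLE_ROLES, SAMPLE_ROLE_MEMBERS)))
```

Rows with an empty roles column are ordinary cloud-only users; the non-empty ones are the accounts worth reviewing first, and the disabled-but-privileged case (svc-backup above) is exactly the kind of stale assignment such an export is meant to surface.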

PowerShell script to list ALL users from Azure AD for Office 365


Hi

Can someone please send me a PowerShell script to list ALL users from Azure AD for Office 365 with all their properties?

Any pointers greatly appreciated.

Regards

Sekhar

*.local addresses for Lotus Domino coexistence


Hi everyone,

we will sync our users to the cloud. They already have a routeable UPN.

But they also have several email addresses. One of them is an address which is used only locally by a Quest/Dell program for coexistence.

IdFix showed them all as errors. But we need them until all applications from Lotus Domino are moved. Will AD Sync NOT work at all, or just not sync these addresses up to Azure AD?

We are going for hybrid until the Domino system will "die".

Best regards

Stephan


Regards Stephan

Azure AD Sync is not working anymore - after first restart after setup


Hi there,

we set up Azure AD Sync with Password Hash Sync on Friday. Due to Windows updates we had to restart the server today.

Now it is not syncing anymore because of permission problems:

Password hash synchronization failed for domain: horvath.de. Details: 
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
.

I found this article:

https://social.technet.microsoft.com/wiki/contents/articles/51110.azure-ad-sync-troubleshooting-error-611-replication-access-was-denied-password-synchronisation-failed.aspx

But it's not clear where it needs those permissions. When installing the Azure client we let the Azure AD client manage the service user for syncing, so the entries were set by the program.

It has these rights on "root" but not on all OUs.



Can anyone please advise? 


Regards Stephan

AAD Sync error


I'm setting up an AAD Connect synchronisation and some users are getting the following error, while others are created fine. I can't find any reference to the listed reason to show me where to start looking. On the server/local side things look OK; this is from the audit log on the Azure portal side. I've blanked the details for security; let me know if you need them.

Cheers,

Laurie

Activity
Date : 19/08/2018, 15:09:58
Name : Add user
CorrelationId : 00000000-0000-0000-0000-000000000000
Category : Core Directory
Activity Status
Status : Failure
Reason : Microsoft.Online.Identity.IdentityPropertyValidationException
Initiated By (Actor)
Type User
ObjectId : **REMOVED FOR SECURITY**
Upn : **REMOVED FOR SECURITY**
IpAddress : <null>
Target(s)
Target
Type User
ObjectId : **REMOVED FOR SECURITY**
Upn : **REMOVED FOR SECURITY**
Modified Properties
Name : Action Client Name
New Value : "DirectorySync"
Name : MethodExecutionResult.
New Value : "Microsoft.Online.Identity.IdentityPropertyValidationException"
Additional Details


Laurie Calverley Blue Compass IT

Need help to configure own domain name in AAD


Hello all.

I'm trying AAD and want to add my domain name. I entered my domain and added the DNS records, but Azure can't verify my domain name.

I added the domain name and Azure can't find it.

I moved from the original domain registrar's DNS service to an Azure DNS zone and added the records.

I checked the DNS records with dig and found the needed records.

But I get an error on domain name verification in AAD.

Level of Subscription - Free trial.


How to set SPN in Azure Active Directory


We are trying to set up SPNs for SQL SSRS in an environment that only has Azure AD. If I run

SETSPN -S MSCRMSandboxService/TESTCRM domain\crmtestserv

SETSPN -S MSCRMSandboxService/TESTCRM.symposium.org domain\crmtestserv

I always get the message that my account has insufficient rights, even though the account is in the AAD DC Administrators group.

So what would be the process to set an SPN while using Azure AD?


Connect Azure AD with customer's ADFS


Hi all,

we have this project, and I was wondering how to do the setup:


1. We have an application (actually, a Remote Desktop Gateway that allows users to have RDP access to different servers; the entire infrastructure is in Azure).

2. The users allowed to access the RD Gateway are stored in an "on-premises" Active Directory (an AD DS installed on an Azure VM).

3. We have synced this AD with Azure AD (with Azure AD Connect).

4. Our customers (who access the services through the RD Gateway) are asking for SSO (basically, they want to use the users in their own domains to access the services we offer).


The question is: how do we connect our Azure AD with our customer's ADFS in order to obtain SSO?


Thank you,

Sorin

Health service connectivity


Just installed AD Connect and the Health service isn't working. HTTP proxies are defined and we have connectivity; the PS command to test connectivity gets past that part. It errors out during "Step 2 - blob data upload":

PS C:\Windows\system32> Test-AzureADConnectHealthConnectivity -Role Sync -ShowResult 
Test-AzureADConnectHealthConnectivity's execution in details are as follows:
Starting Test-AzureADConnectHealthConnectivity ...

Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
AAD CDN connectivity is skipped.
Connecting to endpoint https://login.microsoftonline.com
Endpoint validation for https://login.microsoftonline.com is Successful.
Connecting to endpoint https://login.windows.net
Endpoint validation for https://login.windows.net is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/policymanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/policymanager.svc is Successful.
Connectivity Test Step 1 of 3 - Testing dependent service endpoints completed successfully.

Connectivity Test Step 2 of 3 - Blob data upload procedure begins ...
Unhandled exception occurred: System.Security.Cryptography.CryptographicException: The parameter is incorrect.

   at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.LoadIdentityInfo()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.ProcessRecord()

Anybody ever seen that before?

Migrate OpenLDAP to Azure AD

Hello, 

I come from a pure AWS world and am exploring Azure to migrate resources. I have an OpenLDAP server on a Linux VM in AWS serving our web application.
I'm planning to migrate it to Azure AD to use the SSO ability for some of our applications.

Is there a way to export the LDIF from OpenLDAP and import it into AD? Apparently AD Connect on Azure only supports Windows servers.

Thanks in Advance 


How to access Source Property on Azure AD user profile?


Azure AD has a Source property. The Graph API returns a user profile which does not have Source.

How can I access this property in code?

Azure AD Connect 1.1.750.0 cannot uninstall


Hi all,

With the assistance of a M$ engineer, AAD Connect is in a limbo state on one of our servers. When I run the installer, I get an error about services not existing. When I try to uninstall via Control Panel, the uninstaller appears to be missing.

We moved AAD Connect to another server and so just want to remove the remnants of this old install. Can this be done manually?

It is still showing up in Azure online but obviously with errors.

Thanks in advance

Wayne
