In Active Directory there is a GPO where I can clear the contents of the run history at startup.
Is this also possible in Azure? If yes, how?
Hi I would like some help setting up a Hybrid AAD Join environment.
1. I have got a domain and some domain joined workstations that I want to make Azure AD registered too.
2. I have created a SCP
Now I want to be able to add them to Azure.
I can't see the option under account settings in Windows 10.
Please help.
Thanks
Hi, after help with this, googled to death...
I am using the Office 365 admin as auth on that side.
For local creds I am using an enterprise administrator and putting the full domain.local\ in front.
Trace logs >>
[08:30:34.961] [ 15] [INFO ] ServiceControllerProvider:DeleteService successful - serviceName:ADSync
[08:30:34.968] [ 15] [INFO ] BuildMsiArguments: Setting Sync Engine MSI parameters for clean installation
[08:30:53.731] [ 15] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service. Please see the event log for additional details. ---> Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedException: Error installing msi package
'Synchronization Service.msi'. Full log is available at 'C:\ProgramData\AADConnect\Synchronization Service_Install-20180806-083034.log'.
Extracted error message:
ActionStart(Name=ProcessMachineDcomPermission,,)
MSI (s) (B4:A8) [08:30:47:993]: Executing op: CustomActionSchedule(Action=ProcessMachineDcomPermission,ActionType=1025,Source=BinaryData,Target=ProcessMachineDcomPermission,CustomActionData=ADMINS=ADSyncAdmins OPERATORS=ADSyncOperators BROWSE=ADSyncBrowse PASSWORDSET=ADSyncPasswordSet)
MSI (s) (B4:AC) [08:30:47:998]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI4C81.tmp, Entrypoint: ProcessMachineDcomPermission
CustomAction ProcessMachineDcomPermission returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (B4:A8) [08:30:48:132]: User policy value 'DisableRollback' is 0
MSI (s) (B4:A8) [08:30:48:132]: Machine policy value 'DisableRollback' is 0
Action ended 08:30:48: InstallExecute.
---> Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1603.
[08:31:07.799] [ 1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180806-082646.log
Then the tail end of the sync service install logs >>
MSI (s) (B4:A8) [08:30:51:034]: Executing op: ActionStart(Name=ValidateDebugPrivilege,,)
MSI (s) (B4:A8) [08:30:51:034]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (s) (B4:A8) [08:30:51:034]: Error in rollback skipped. Return: 5
MSI (s) (B4:A8) [08:30:51:034]: Entering MsiProvideAssembly. AssemblyName: Microsoft.MetadirectoryServices.Host,version="1.1.0.0",culture="neutral",publicKeyToken="31BF3856AD364E35",processorArchitecture="AMD64", AppContext: , InstallMode: -4
MSI (s) (B4:A8) [08:30:51:034]: Pathbuf: 0, pcchPathBuf: 0
MSI (s) (B4:A8) [08:30:51:034]: MsiProvideAssembly is returning: 1607
MSI (s) (B4:A8) [08:30:51:048]: Note: 1: 2318 2:
MSI (s) (B4:A8) [08:30:51:049]: No System Restore sequence number for this installation.
MSI (s) (B4:A8) [08:30:51:050]: Unlocking Server
MSI (s) (B4:A8) [08:30:51:138]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
Action ended 08:30:51: INSTALL. Return value 3.
MSI (s) (B4:A8) [08:30:51:141]: Note: 1: 1708
MSI (s) (B4:A8) [08:30:51:141]: Product: Microsoft Azure AD Connect synchronization services -- Installation operation failed.
MSI (s) (B4:A8) [08:30:51:142]: Windows Installer installed the product. Product Name: Microsoft Azure AD Connect synchronization services. Product Version: 1.1.880.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
MSI (s) (B4:A8) [08:30:51:174]: Deferring clean up of packages/files, if any exist
MSI (s) (B4:A8) [08:30:51:174]: MainEngineThread is returning 1603
MSI (s) (B4:B8) [08:30:51:179]: RESTART MANAGER: Session closed.
MSI (s) (B4:B8) [08:30:51:179]: No System Restore sequence number for this installation.
=== Logging stopped: 06/08/2018 08:30:51 ===
MSI (s) (B4:B8) [08:30:51:183]: User policy value 'DisableRollback' is 0
MSI (s) (B4:B8) [08:30:51:183]: Machine policy value 'DisableRollback' is 0
MSI (s) (B4:B8) [08:30:51:183]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (B4:B8) [08:30:51:184]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (B4:B8) [08:30:51:184]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (B4:B8) [08:30:51:186]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (B4:B8) [08:30:51:186]: Restoring environment variables
MSI (s) (B4:B8) [08:30:51:188]: Destroying RemoteAPI object.
MSI (s) (B4:0C) [08:30:51:188]: Custom Action Manager thread ending.
MSI (c) (A0:78) [08:30:51:194]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (A0:78) [08:30:51:194]: MainEngineThread is returning 1603
=== Verbose logging stopped: 06/08/2018 08:30:51 ===
Any ideas please?
Simon Wilks, Technical Manager, Emerald IT Managed Solutions Ltd
Hello,
When I try to execute Enable-ADSyncExportDeletionThreshold using global admin credentials it gives me an authentication error. The password is correct and works fine when I log in directly to the Azure portal. Multi-factor authentication is enabled on the global admin account, if it makes any difference.
What might be the reason for this behavior? Is there a way to configure this setting through UI or some alternate commands that I can try?
Error String ==> "Enable-ADSyncExportDeletionThreshold : AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password"
Thanks!
Azure AD has a Source property. The Graph API returns a user profile which does not have Source.
How can I access this property in code?
We recently converted one of our .NET applications from WIF to Azure AD authentication. Under WIF, the IIS logs contained the username in the traffic so that we could crawl the logs and generate usage analytics.
Under Azure AD, anonymous authentication is needed in order for it to work. Our IIS logs now show "-" as the user and our analytics engines are not reporting proper data.
Is there a way to re-integrate the use of Azure AD to add the user back to the IIS logs?
I have an internal corporate web app that needs to access corporate SharePoint Online. I want to call OAuth2 to take the user through the authentication process so the web app can retrieve an access_token and then call the Microsoft Graph API. I am using Django 1.11/Python 2.7.
I have registered the app in the corporate Azure Portal, but when I call the /authorize endpoint the user sees what appears to be the wrong login page. I expect the user to see a page that shows the app's name and permissions, but all the user sees is a basic sign-on page. Moreover, when the user enters his corporate email address he sees an error that says "There was an issue looking up your account". The user has been added to the registered app's "Users and Groups".
As far as I can tell, everything is configured correctly.
I have Googled this like mad, but not found any help.
UPDATE: When called from a proper server, the call to /authorize is working correctly on IE11, but failing as described above on the latest Firefox and the latest (Windows) Chrome. When called from a local server (i.e., http://127.0.0.1) the call to /authorize fails as described above on all browsers.
UPDATE 2: It turns out the call to /authorize from a server is NOT working correctly on IE11. After Grant Permission is selected, I am getting an "invalid parameters" error.
Any suggestions would be greatly appreciated.
Thanks.
Hi!
I'm using Azure App Authentication with Azure Active Directory as the provider. I have it set to Allow Anonymous Requests and the site pushes the user to /.auth/login/aad when authentication is required. This works flawlessly UNLESS the user has a valid Microsoft login but it's not assigned to my AD App (basically authenticated but not authorized). In that case they land at /.auth/login/aad/callback and get the ugly text message below:
{"code":401,"message":"An error of type 'access_denied' occurred during the login process: 'AADSTS50105: The signed in user is not assigned to a role for the application '18b35087-4aa1-453d-8770-89e52942ce59'.\u000d\u000aTrace ID: e690c46c-f61c-49ca-8ba8-9bed3e2b2800\u000d\u000aCorrelation ID: 23160c20-d9cf-4f0e-8678-57cbbcb3a5db\u000d\u000aTimestamp: 2018-08-16 17:27:22Z'"}
So my question is, how do I prevent this ugly message? I do set post_login_redirect_uri when calling /.auth/login/aad to tell the provider where to return the user once authenticated. Shouldn't it return them there? Or is there another parameter I can set to tell the provider where to return a user who isn't authorized?
I know I could set User Assignment Required in the AD App settings to No and then everyone would just get passed on through and then my code could do the authorization... but I like the security of AD doing it. I just want more control over what happens if authorization fails.
- Ron
We are currently having some issues and are not able to find a resolution; not sure what is causing the problem. Here is the scenario.
Created Azure AD security groups with assigned memberships (Security Is Enabled). Added members and owner.
Placed those Azure AD groups into SharePoint Online groups for access to existing sites (XXX_Owner_group). Those groups had a user population and on-prem AD groups.
Users who are members of the Azure AD group are not able to log onto the SharePoint site; they get permission denied. Other users in the owner_group are fine.
Using Azure AD free version
Users have office e3 license
Replicated 4 hours
Any help would be great
Thanks
JF
Hi there,
We have set up Azure AD Sync with Password Hash Sync on Friday. Due to Windows updates we had to restart the server today.
Now it is not syncing anymore because of permission problems:
Password hash synchronization failed for domain: horvath.de. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
I found this article:
https://social.technet.microsoft.com/wiki/contents/articles/51110.azure-ad-sync-troubleshooting-error-611-replication-access-was-denied-password-synchronisation-failed.aspx
But it's not clear where it needs those permissions. When installing the Azure client we let the Azure AD client manage the service user for syncing, so the entries were set by the program.
It has these rights on "root" but not on all OUs.
Can anyone please advise?
Regards, Stephan
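The post above asks where the sync account needs replication permissions. As an added example (not from the original post), this PowerShell audit lists every principal holding the directory-replication extended rights on the domain naming context, which is also a useful periodic check because those rights are exactly what a DCSync-style credential theft needs. It assumes the ActiveDirectory RSAT module and a domain-joined machine; the three GUIDs are the well-known extended-right identifiers.

```powershell
# Added example, not the poster's code: list who holds directory-replication
# extended rights on the domain root. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Domain naming-context head, e.g. DC=horvath,DC=de for the poster's domain.
$domainDn = (Get-ADDomain).DistinguishedName

# Well-known extended-right GUIDs for directory replication.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl = Get-Acl -Path "AD:\$domainDn"

$acl.Access |
    Where-Object {
        # Keep only ACEs that grant/deny an extended right whose GUID is one of ours.
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        $replRights.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference } },
                  @{ n = 'Right';     e = { $replRights[$_.ObjectType.ToString()] } },
                  AccessControlType |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

These extended rights are evaluated on the naming-context head, so the entry that matters is the one on the domain root rather than per-OU entries; anything unexpected in the output (a non-DC, non-sync principal) is worth investigating.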
Hello,
I am using Azure Hybrid AD Join, which is working fine to connect the device to Azure. But when I run the command dsregcmd /status the user state does not join unless the user is a local admin.
Is it possible to connect the user without them being Local Admin?
I am having trouble connecting to a work account (binding to Azure AD).
This user had previously registered this device. I have removed her orphaned devices and checked to make sure device registration is enabled for all users and it is set to unlimited.
Hi,
I have enabled the Azure Premium P2 Trial license. However, if I open the 'Password Reset' blade, it still says: "Get a free premium trial to use this feature". If I click this again, it says I have the trial license already enabled.
Why am I not able to see the SSPR options?
Thank you,
SK
Hi all,
We have this project and I was wondering how to do the setup:
1. we have an application (actually, a Remote Desktop Gateway that allows users to have RDP access to different servers, entire infrastructure in Azure)
2. the users allowed to access RDGateway are stored in Active Directory "on-premises" (an AD DS installed on an Azure VM)
3. we have synced (with Azure AD Connect) this AD with Azure AD
4. our customers (that access the services through RDGateway) are asking for SSO (basically, they want to use the users in their domains to have access to the services we offer)
The question is: how do we connect our Azure AD with our customer's ADFS in order to obtain SSO?
Thank you,
Sorin
Hi,
I am developing a .NET Windows application and I am trying to integrate Active Directory using the ADAL library. We don't want to use a storage/container key. I ran into the following two issues. I registered the app as a Native App in Azure Active Directory.
1. I keep getting the error AADSTS65001: The user or administrator has not consented to use the application with ID 'a87d3d9f-cbdc-465d-aa8d-d506ebec064b' named 'Test1'.
a. I am a global administrator for my AD. I granted the permission (global consent) for this app but that didn't help.
b. I also manually consented; that also didn't help.
c. Set oauth2AllowImplicitFlow to true in the manifest for the Test1 app.
Here is the code
    using System.Globalization;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    string authority = string.Format(CultureInfo.InvariantCulture, AuthEndpoint, TenantId);
    var authContext = new AuthenticationContext(authority);
    var userCredential = new UserPasswordCredential("user@domain.com", "password");
    // Acquire an access token from Azure AD.
    var result = authContext.AcquireTokenAsync(ResourceId, ClientId, userCredential).Result;
2. The above tries to connect with an explicit Windows username and password; our ultimate goal is to use the logged-in user, and I have been told (Google) it should be possible if I am using Active Directory, but I am getting the following error.
{"password_required_for_managed_user: Password is required for managed user"}
Here is the code.
    using System.Globalization;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    string authority = string.Format(CultureInfo.InvariantCulture, AuthEndpoint, TenantId);
    var authContext = new AuthenticationContext(authority);
    var userCredential = new UserCredential();
    // Acquire an access token from Azure AD.
    var result = authContext.AcquireTokenAsync(ResourceId, ClientId, userCredential).Result;
Could you guys help us resolve this?
Hello, we got group writeback working; however, when I run Update-Recipient "<group>" I get an error due to a couple of attribute values that Exchange 2010 doesn't understand.
msExchRecipientDisplayType 17
msExchRecipientTypeDetails 8796093022208
If I manually blank out these values and run the cmdlet again, it works without error. The O365 group object is displayed as a group in the Exchange 2010 GAL. However, during the next dir sync, these values are put back and the object no longer "displays" as a group object in the GAL. The object entry is there in the GAL but there is no group icon, nor is the name in bold (like other group objects). You can open the object and see the members and still use it for routing.
I read that you can prepare the schema for Exchange 2013 but I really don't want to go down that road. Is there a way to prevent those 2 attribute values from being synced back to on-prem? I could probably write a PowerShell script that runs shortly after the dir sync to remove those values, but preventing those attributes from writing back to on-prem would be ideal.
Hi,
I originally posted on SO here, so I will be brief and somewhat reword it because I have understood some things better since yesterday.
I have a registered Azure AD app, with the "Sign in and read user profile" delegated permission granted for both the "Windows Azure Active Directory" and "Microsoft Graph" APIs. Indeed I have an API entry point that returns the JWT access token, so I guess the "Microsoft Graph" API should be granted too.
The problem lies here: when a new user logs in by calling my API app, he's redirected to microsoftonline.com to login, but after he acknowledges consent for app to "sign in and read user profile" the redirection is incorrect. Instead of redirecting to the originally called url, http://localhost/my-api-entry-point, it gets redirected to the previous url in the authentication flow, http://localhost/signin-oidc, that displays the following error message:
OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.
How can I remedy this please? Thank you very much.
Hi,
I have added an application and SSO is working. I can only specify permissions for individual users and not groups. If I add a group it is set as an object type of Group, and the role assigned is User. How do I add a group?
Thanks
Shane
Hello, I have a free Azure account. I would like to add an Azure Active Directory services subscription.
Can anyone share the steps?
Hi,
We use Okta for synchronizing accounts to Azure AD.
We plan to use AAD Join for our Windows 10 devices. It works well with AAD Connect (as AAD Connect synchronizes the attributes DomainDNSName, NetBIOS name and onPremisesSamAccountName).
Okta could not update these attributes; I want to find a way to update the attributes (by using PowerShell or the Graph API?).
And I would also like to know if there is any possibility to sync the msDS-KeyCredentialLink attribute to on-premises without using AAD Connect so that I can use Windows Hello.