Channel: Azure Active Directory forum

Single Tenant to Multi Tenant migration. How to access multi-tenant data in Azure ?


I have a client app (daemon service) which checks whether a user exists in a single-tenant mailbox.
I use the client_credentials auth mechanism (certificate) to speak to the registered app in Azure.
Graph permission to access user details is also given in Azure by the admin during app registration via the grant permission button, so there is no user intervention for consent.


token_url = 'https://login.microsoftonline.com/{tenant_id}/oauth2/token'
post_request_data = {
    'resource': 'https://graph.microsoft.com/',
    'client_id': client_id,
    'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion': assertion(),   # signed JWT built from the header and payload below
    'grant_type': 'client_credentials'
}

The assertion value is the RSA-signed value of this header and payload:

client_assertion_header = {
    'alg': 'RS256',
    'x5t': thumbprint,   # certificate thumbprint registered in Azure
}
client_assertion_payload = {
    'sub': client_id,
    'iss': client_id,
    'jti': GUID,                 # unique id per assertion
    'exp': ten_mins_from_now,
    'nbf': now,
    'aud': token_url             # the tenant-specific token endpoint
}


For a single tenant everything works perfectly, as I know the tenant id (I explicitly set the tenant id in the token URL and use the obtained bearer token in the Graph API call)!!
Now I need to convert this application to access users of multiple tenants (more than one tenant). A user can be in tenant A or tenant B.
With respect to my client app, I'll know only the user id (and not the tenant id when I make the token access call) in the multi-tenant case.

Things to keep in mind
1. I am admin of both tenants.
2. There is no user intervention; consent should be given in the Azure portal itself (cannot be done based on user sign-in).
3. I can use only the client credentials auth flow, as the client app runs as a daemon service.

I tried marking the application as multi-tenant and obtaining a token from the /common endpoint. But the obtained token cannot be used for the Graph API call; it throws the error "The identity of the calling application could not be established".

I think this is because Graph would not know which tenant it should route the call to, so it gives the error.

I am not sure if my application belongs to the multi-tenant category.
Can someone please help me on how to proceed? Is there anything I can do in the manifest file? A sample implementation would also help!
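The following is an added example (not code from the poster or from Microsoft) that puts the header and payload shown above into a working assertion builder and ties the two things the post is wrestling with together: the client assertion is bound through its `aud` claim to one tenant's token endpoint, and the token request is issued to that same tenant-specific URL, so a daemon serving several tenants keeps one request (and one cached token) per tenant id rather than a single token from /common. The `signer` callable, the tenant ids, the client id and the certificate bytes are assumptions or constructed placeholders; `rsa_signer_from_pem` is an optional helper that needs the `cryptography` package and is only imported when called.

```python
# Added example, not from the original post. Builds the certificate-signed client
# assertion described in the post and the per-tenant client_credentials request.
import base64
import hashlib
import json
import time
import uuid
from typing import Callable, Dict, Optional

# Assumption: the caller supplies an RSA-SHA256 signer over the JWT signing input.
Signer = Callable[[bytes], bytes]

GRAPH_RESOURCE = "https://graph.microsoft.com/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_tenant_specific(tenant_id: str) -> bool:
    """/common, /organizations and /consumers carry no tenant context for an
    application identity; an app-only token needs a concrete tenant."""
    return tenant_id.lower() not in ("common", "organizations", "consumers")


def token_url_for(tenant_id: str) -> str:
    """Tenant-specific v1 token endpoint (same URL shape as in the post)."""
    if not is_tenant_specific(tenant_id):
        raise ValueError(f"client_credentials needs a tenant id, not /{tenant_id}")
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def x5t_from_cert_der(cert_der: bytes) -> str:
    """'x5t' is the base64url-encoded SHA-1 digest of the DER certificate,
    not the hex thumbprint shown in the portal."""
    return b64url(hashlib.sha1(cert_der).digest())


def build_client_assertion(client_id: str, tenant_id: str, x5t: str, signer: Signer,
                           now: Optional[int] = None, lifetime: int = 600) -> str:
    """Header + payload from the post, signed; 'aud' binds it to one tenant."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    payload = {
        "sub": client_id,
        "iss": client_id,
        "jti": str(uuid.uuid4()),       # unique per assertion, replay protection
        "nbf": now,
        "exp": now + lifetime,          # ten minutes, as in the post
        "aud": token_url_for(tenant_id),
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def build_token_request(client_id: str, tenant_id: str, x5t: str, signer: Signer,
                        now: Optional[int] = None) -> Dict[str, object]:
    """The POST the daemon sends for one tenant: URL and form body."""
    return {
        "url": token_url_for(tenant_id),
        "data": {
            "resource": GRAPH_RESOURCE,
            "client_id": client_id,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": build_client_assertion(client_id, tenant_id, x5t, signer, now),
            "grant_type": "client_credentials",
        },
    }


def build_requests_for_tenants(client_id: str, tenant_ids, x5t: str, signer: Signer,
                               now: Optional[int] = None) -> Dict[str, Dict[str, object]]:
    """Multi-tenant daemon: one token request per known tenant id, keyed by tenant."""
    return {t: build_token_request(client_id, t, x5t, signer, now) for t in tenant_ids}


def decode_segment(jwt: str, index: int) -> dict:
    """Decode header (0) or payload (1) without verifying; useful to check aud/exp."""
    part = jwt.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def rsa_signer_from_pem(private_key_pem: bytes) -> Signer:
    """Real RS256 signer; imports 'cryptography' lazily so the rest runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Constructed placeholders; the signer here is a stand-in, not a real RSA key.
    client_id = "00000000-0000-0000-0000-000000000000"
    fake_x5t = x5t_from_cert_der(b"constructed-cert-bytes")
    stand_in_signer = lambda data: hashlib.sha256(data).digest()
    reqs = build_requests_for_tenants(client_id, ["tenant-a", "tenant-b"], fake_x5t, stand_in_signer)
    for tenant, req in reqs.items():
        print(tenant, req["url"], decode_segment(req["data"]["client_assertion"], 1)["aud"])
```

In use the daemon still needs to know which tenant a given user id belongs to, for example from its own user-to-tenant mapping, because the tenant id has to be chosen before the token request is made; the example only shows that each tenant gets its own assertion and request.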

 

Azure Enterprise App Authentication


Hi

I have added a new enterprise app manually and have enabled SSO, which works through a browser. If we use the software provider's app on a phone, we can't use SSO. The app blocks the popup where you enter your username and password at sts.mydomain.com.

Is there a way to handle the authentication in Azure to prevent this popup?

Thanks

Shane


Enterprise Application SSO


Hi,

I have added an enterprise app manually and have enabled single sign-on. Single sign-on works through the application's website, but not through the application's app on iPhone and Android. Is there a setting to allow an app to use single sign-on?

Thanks

Shane


[Enterprise app] AWS role sync doesn't remove old roles


Hi,

I'm having trouble with old roles which I deleted in AWS IAM: they do not get removed from Azure.
When I assign a role to an Azure user within the enterprise app, it still shows the roles which I deleted 10 days ago.

The provisioning tab says it only synced 12 objects (roles), but the role tab includes 20 objects; 8 roles were deleted.

Error at O365 sign in: AADSTS51004: To sign into this application the account ___ must be added to the directory ___



We have a federated domain using OneLogin cloud directory for identity management. There is no active sync between AAD and OneLogin, so we synchronise the two directories by manually adding the Immutable ID to the OneLogin Cloud Directory.

Our user is successfully authenticated by OneLogin, but cannot access O365.  

Error message:   AADSTS51004: To sign into this application the account <ImmutableID>  must be added to the directory ___?

This issue just occurred as of Thursday 17th Aug. Before that, this user worked perfectly.

Help would be greatly appreciated.

Using a SAML 2.0 Identity Provider (IdP) for Office 365 Single Sign On


I have configured a third-party IdP for Office 365 single sign-on as explained here. When I test the connectivity manually, I can sign in and sign out using a federated identity with no issue. But when I try to test the connectivity using the "Microsoft Connectivity Analyzer Tool", the test fails saying that the IdP's passive authentication endpoint value is either null or empty. However, I am able to sign in manually via a web browser successfully. The following is the result I get from the connectivity test.

Can someone please suggest what could be going wrong here?


Dinix195

Unable to install the synchronisation service


Hi, after help with this, googled to death...

Am using the Office 365 admin as auth on that side.

For local creds I am using an enterprise administrator and putting the full domain.local\ in front.

Trace logs >>

[08:30:34.961] [ 15] [INFO ] ServiceControllerProvider:DeleteService successful - serviceName:ADSync
[08:30:34.968] [ 15] [INFO ] BuildMsiArguments: Setting Sync Engine MSI parameters for clean installation
[08:30:53.731] [ 15] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedException: Error installing msi package 'Synchronization Service.msi'. Full log is available at 'C:\ProgramData\AADConnect\Synchronization Service_Install-20180806-083034.log'.

Extracted error message:
ActionStart(Name=ProcessMachineDcomPermission,,)
MSI (s) (B4:A8) [08:30:47:993]: Executing op: CustomActionSchedule(Action=ProcessMachineDcomPermission,ActionType=1025,Source=BinaryData,Target=ProcessMachineDcomPermission,CustomActionData=ADMINS=ADSyncAdmins OPERATORS=ADSyncOperators BROWSE=ADSyncBrowse PASSWORDSET=ADSyncPasswordSet)
MSI (s) (B4:AC) [08:30:47:998]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI4C81.tmp, Entrypoint: ProcessMachineDcomPermission
CustomAction ProcessMachineDcomPermission returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (B4:A8) [08:30:48:132]: User policy value 'DisableRollback' is 0
MSI (s) (B4:A8) [08:30:48:132]: Machine policy value 'DisableRollback' is 0
Action ended 08:30:48: InstallExecute.
 ---> Microsoft.Azure.ActiveDirectory.Client.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1603.

Details:
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String& processOutput, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit, Boolean traceArguments, Int32 exitCodeToIgnore)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackage(String msiPackageDirectory, String msiPackageFileName, String packageOptions, String installationPath, NetworkCredential credential, String installLogFileName, Boolean extractOnly, Boolean quiet, Boolean suppressReboot)
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackage(String msiPackageDirectory, String msiPackageFileName, String packageOptions, String installationPath, NetworkCredential credential, String installLogFileName, Boolean extractOnly, Boolean quiet, Boolean suppressReboot)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallSynchronizationService(String pathToMsiFiles, String msiFileName, String installationPath, String sqlServerName, String sqlInstanceName, Boolean useInstallPathForDBFiles, IDictionary`2 syncServiceGroups, SyncServiceAccount syncServiceAccount, String logFilePath)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)
[08:31:07.799] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180806-082646.log

then tail end of sync service install logs >>

MSI (s) (B4:A8) [08:30:51:027]: Executing op: ComponentUnregister(ComponentId={63684FF4-FD87-45CF-9E44-9C57675FEB6E},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:028]: Executing op: ComponentUnregister(ComponentId={124FA056-EC1E-48CA-BC66-468D72C8449F},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:029]: Executing op: ComponentUnregister(ComponentId={1681AE41-ADA8-4B70-BC11-98A5A4EDD046},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:030]: Executing op: ComponentUnregister(ComponentId={A64FDC9B-3E02-4D59-8C59-3A1F95FF4315},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:031]: Executing op: ComponentUnregister(ComponentId={9AE4D8E0-D3F6-47A8-8FAE-38496FE32FF5},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:033]: Executing op: ComponentUnregister(ComponentId={186E945D-79D5-460C-BF9E-32C958C49705},ProductKey={C8AD3784-5841-4E99-97A8-603F2EEE3427},BinaryType=1,)
MSI (s) (B4:A8) [08:30:51:034]: Executing op: ActionStart(Name=ValidateDebugPrivilege,,)
MSI (s) (B4:A8) [08:30:51:034]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (s) (B4:A8) [08:30:51:034]: Error in rollback skipped.    Return: 5
MSI (s) (B4:A8) [08:30:51:034]: Entering MsiProvideAssembly. AssemblyName: Microsoft.MetadirectoryServices.Host,version="1.1.0.0",culture="neutral",publicKeyToken="31BF3856AD364E35",processorArchitecture="AMD64", AppContext: , InstallMode: -4
MSI (s) (B4:A8) [08:30:51:034]: Pathbuf: 0, pcchPathBuf: 0
MSI (s) (B4:A8) [08:30:51:034]: MsiProvideAssembly is returning: 1607
MSI (s) (B4:A8) [08:30:51:048]: Note: 1: 2318 2:  
MSI (s) (B4:A8) [08:30:51:049]: No System Restore sequence number for this installation.
MSI (s) (B4:A8) [08:30:51:050]: Unlocking Server
MSI (s) (B4:A8) [08:30:51:138]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
Action ended 08:30:51: INSTALL. Return value 3.
MSI (s) (B4:A8) [08:30:51:141]: Note: 1: 1708
MSI (s) (B4:A8) [08:30:51:141]: Product: Microsoft Azure AD Connect synchronization services -- Installation operation failed.

MSI (s) (B4:A8) [08:30:51:142]: Windows Installer installed the product. Product Name: Microsoft Azure AD Connect synchronization services. Product Version: 1.1.880.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

MSI (s) (B4:A8) [08:30:51:174]: Deferring clean up of packages/files, if any exist
MSI (s) (B4:A8) [08:30:51:174]: MainEngineThread is returning 1603
MSI (s) (B4:B8) [08:30:51:179]: RESTART MANAGER: Session closed.
MSI (s) (B4:B8) [08:30:51:179]: No System Restore sequence number for this installation.
=== Logging stopped: 06/08/2018  08:30:51 ===
MSI (s) (B4:B8) [08:30:51:183]: User policy value 'DisableRollback' is 0
MSI (s) (B4:B8) [08:30:51:183]: Machine policy value 'DisableRollback' is 0
MSI (s) (B4:B8) [08:30:51:183]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (B4:B8) [08:30:51:184]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (B4:B8) [08:30:51:184]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (B4:B8) [08:30:51:186]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (s) (B4:B8) [08:30:51:186]: Restoring environment variables
MSI (s) (B4:B8) [08:30:51:188]: Destroying RemoteAPI object.
MSI (s) (B4:0C) [08:30:51:188]: Custom Action Manager thread ending.
MSI (c) (A0:78) [08:30:51:194]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (A0:78) [08:30:51:194]: MainEngineThread is returning 1603
=== Verbose logging stopped: 06/08/2018  08:30:51 ===

Any ideas pls


Simon Wilks Technical Manager Microsoft Certified Technology Specialist Emerald IT Managed Solutions Ltd Tel: 0845 467 1314 Fax: 0845 467 1316 Email: simon.wilks@emeralditms.co.uk Office 18 - Pure Offices - Plato Close - Tachbrook Park - Leamington Spa - Warwickshire - CV34 6WE www.emeralditms.co.uk • Servers & PC'S • IT Cabling • Networking • Support & Maintenance • Document Management • Wifi solutions • Websites

SAML SSO and role-based access control


Hi,

We're trying to integrate an application that does "standard SAML 2" with Azure AD SSO, and we need to implement role-based access control. I'm on the application side, with no access to the Azure AD administration (which is handled by a consultant for our customer).

Looking at the online docs, we're in this situation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enterprise-app-role-management

The consultant tells me that steps 8–10 of the “Create roles for an application” section are obsolete, and that roles cannot be sent in the SAML response, pointing me at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#restricted-claims as a proof.

I cannot believe that Microsoft would have made such a switch, requiring applications to call Azure-specific APIs (MS Graph API, if I understood correctly) to retrieve the user's roles.

So, can anyone confirm to me that "standard SAML" cannot be used for role-based access control (passing the app roles as a SAML claim in the response), and that it requires Azure-specific integration through additional calls to the MS Graph API?

Fwiw, I first posted to Twitter, and was asked to post here instead: https://twitter.com/tbroyer/status/1032207267381301248


Problem Install Azure AD Connect


I'm trying to install Azure AD Connect on Windows Server 2016 Standard.

The installation stops in the Configuring step with the error:

[12:59:04.387] [ 11] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[12:59:04.388] [ 11] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[12:59:04.389] [ 11] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (2).
Exception Data (Raw): System.InvalidOperationException: Impossibile avviare il servizio ADSync sul computer '.'. ---> System.ComponentModel.Win32Exception: Il servizio non è stato avviato a causa di un errore in fase di accesso
   --- Fine della traccia dello stack dell'eccezione interna ---
   in System.ServiceProcess.ServiceController.Start(String[] args)
   in Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[12:59:04.389] [ 11] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[12:59:04.389] [ 11] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[12:59:04.390] [ 11] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (3).
Exception Data (Raw): System.InvalidOperationException: Impossibile avviare il servizio ADSync sul computer '.'. ---> System.ComponentModel.Win32Exception: Il servizio non è stato avviato a causa di un errore in fase di accesso
   --- Fine della traccia dello stack dell'eccezione interna ---
   in System.ServiceProcess.ServiceController.Start(String[] args)
   in Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[12:59:04.391] [ 11] [ERROR] ServiceControllerProvider: StartService unable to start service (ADSync). The system event log may contain more details for this issue.
[12:59:07.050] [ 11] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.

In the System log I have Event IDs 7000 and 7041.


ADFS - Device Registration


Hi,

I updated my ADFS farm a few months ago.

Now I want to use device authentication in order to do Conditional Access.

But I get an error when I launch Initialize-ADDeviceRegistration.


The schema is 87; I have Enterprise Admin rights...

Can you help me please ?

Thanks,


How-to set the user identifier claim depending on the UserType (Guest / Member) in Enterprise applications?

I registered a custom enterprise application to issue SAML 1.1 tokens as described in this article.
I set the user identifier to "user.UserPrincipalName" and it's working fine.

But in another scenario, I have an app registration with ADFS, and upon authentication, Azure AD issues a SAML 2 token (to ADFS) with the user identifier set like this (not configurable by the administrator):
- if UserType is "Member": claim type "name" is set with the property UserPrincipalName
- if UserType is "Guest" : claim type "name" is set with the property Mail

Here are my questions:
- For consistency, I need to make a similar configuration on the user identifier in the custom enterprise application: how can I configure Azure AD to set the user identifier value to the property UserPrincipalName for "Member" and Mail for "Guest"?
- Overall, what is the best practice for handling the user identifier of Guest users? It feels very inconsistent to use a different property depending on the UserType (which is what Azure AD does with my ADFS app registration and which I cannot change).

Automate Enterprise Application Permissions


Hi

Is there a way to automate permissions for an enterprise app?

All of our users are in a security group, but I gather that nested groups are not supported.

What is the best way to grant bulk access to an app, and automate this going forward for new users?

Thanks

Shane

B2C - Unable to customize the sign in page in a SignIn policy


Hi, 

I'm trying to customize the sign-in page of a SignIn policy, but it lets me edit only the error page.

SignInUp and ResetPassword policies work fine.

Is there something I'm missing?

Thanks

AAD V2 endpoint registered applications appear to have access to protected APIs


We are a little confused on how registered applications should have access to APIs protected by AAD.

We have created a web API and registered it on apps.dev.microsoft.com. We created a scope for it so that other client applications can access it. (api://<guid>/)

It appears that any application with a secret that we register in our domain can access this API, without being specifically granted access, by using the application's client id and secret and the API's scope in the format api://<guid>/.default

Is this true?

Azure ADFS for Internal access only


We have an on-prem Active Directory environment that is only accessed from our corporate network. We want to extend this environment to an Azure subscription via ExpressRoute. We intend to have IaaS and PaaS services in the subscription, but these services will only be accessed from the corporate network: no external/Internet access. We are considering syncing our on-prem Active Directory with Azure AD using AD Connect and installing DCs and ADFS VMs in a VNet in the subscription. ADFS would be used for seamless authentication when we access PaaS-based applications that are developed for the cloud.

My question is, in this scenario, do we need to create a DMZ (in the cloud) and deploy WAP servers into it? We are thinking we do not need this, since there will not be any access external to our corporate network.



How do I register a Function App?


ABSTRACT
The Workflow that I'm writing will read the extended properties of a Calendar event.  This extended property contains custom data from our on-premises database.

THE WORKFLOW
1. User modifies a calendar event in Outlook (OWA)
2. Function App checks for the existence of custom data using the Outlook Extended Properties REST API reference (version 2.0)
3. If that custom data exists then we update our on-premises database with the new information.

PRE-REQUISITES:
- I must use the Outlook Extended Properties REST API endpoints to retrieve this information.
- In order to use the Outlook Endpoint I must provide an Access Token
- In order to get an access token I must register an Application within AAD

QUESTION:
How do I create and register this application (the Azure Function)?
Do I select "Web", "Native Application", or "Web API"?

I'm not sure about this "Redirect URL". A user will be making a change from the Outlook web application. I have no other web pages to which I'll send the user.

Germán Hayles



How do I use EasyAuth to authenticate within an Azure function?


I'm trying to call the Graph API from within an Azure Function.

I've tried following the example shown in this blog: Using Microsoft Graph in an Azure Function


The problem begins with the HTTP Trigger template.  It appears that Microsoft is using a completely different template than the one shown in the article.

The example in the article shows this function signature:

public static async Task<HttpResponseMessage> Run

The "HTTP Trigger" template generates the following signature:

public static IActionResult Run
Please, if you do provide a link to an example that shows how to authenticate from within an Azure function it would be great if the example:
1) Shows how to Authenticate within an Azure Function
2) Uses the Graph API from within an Azure function
3) It would be great if you tested it before posting. I'm getting a lot of help that's marginally relevant or simply out of date.


Germán Hayles




Azure AD SSO for ADP Workforce Now not filling credentials


We have just recently had our service with ADP upgraded and are now using the Workforce Now service, which is supported by Azure AD for SSO. I added ADP Workforce Now from the Application Gallery and configured it for "Password Single Sign-On". (The only other option was "Existing Single Sign-On", and we don't have a pre-existing SSO for ADP.)

I assigned the app to a few accounts and tested the SSO. Using IE 11 on Windows 10, I logged into portal.office.com and selected the ADP Workforce Now icon from the app launcher menu. The first time, I had to download and install an extension and restart the browser a couple of times. Then I tried launching the ADP site from the app launcher menu again, and got a popup from Azure AD asking for my credentials. After entering them, there was a delay, and then the ADP Workforce Now login page loaded. And that's it. No credentials were filled in, no auto login; it was just sitting at the login page waiting for me to enter my credentials. I tried logging in manually, thinking maybe I had to do it once manually before the SSO would kick in, but after logging out and launching it again from the O365 app launcher menu, I got the same results. It is clearly going through a redirect, but when the redirect takes me to the ADP login page, it doesn't fill anything in.

Any idea what's wrong here? I was really looking forward to offering SSO to our timeclock system, but as of now it doesn't work at all.

AADSTS70001: Application with identifier was not found in the directory


Earlier I registered all the applications of one subdomain "www.example.com" on the Azure portal with "Azure Active Directory" Pre-Auth. Now I have deleted all the applications from the Azure portal and instead added only the subdomain root "https://www.example.com/" with "Passthru" Pre-Auth. After doing this, when I try to access applications (which I already deleted), assuming the root "Passthru" Pre-Auth will work for them, I get the error "AADSTS70001: Application with identifier  was not found in the directory". Is there any way to fix this problem?