Channel: Azure Active Directory forum

Error installing AAD PowerShell module


I have a Windows 7 64-bit workstation and I am trying to install the AAD PowerShell module.

I have a PowerShell window opened with elevated privileges and I ran the following command: Install-Module -Name AzureAD

I get the following errors. Help!

WARNING: Unable to download from URI 'https://oneget.org/nuget-2.8.5.208.package.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/nugetv2.feed.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/psl.feed.swidtag' to ''.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 
'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ...     $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
 
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to 
see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ...     $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
 
WARNING: Unable to download from URI 'https://oneget.org/nuget-2.8.5.208.package.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/nugetv2.feed.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/psl.feed.swidtag' to ''.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet. Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception
    + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider
 
Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that '2.8.5.201' or newer version of NuGet provider is installed.
At line:1 char:1
+ Install-Module -Name AzureAD
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-Module], InvalidOperationException
    + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module


Sync users from Security Using AD Connect to AAD


As we are moving towards O365, but only for a limited subset of users, we would like to sync only the users that are going to use the O365 services.

Can we sync only the users which are part of a Security Group rather than syncing an OU, as GPOs are tied to OUs, when using AAD Connect to sync on-premises AD objects to O365?

Regards

Sathya


Sathya Paul

Azure AD Connect for multi-forest

Hi, may I have a recommendation / answer on how Azure AD Connect can be set up behind a DMZ and what the prerequisites are before setup?

Azure Active Directory Hybrid Joined Windows 10 - user not connecting unless local admin


Hello,

I am using Azure Hybrid AD Joined, which is working fine to connect the device to Azure. But when I run the command dsregcmd /status, the user state does not join unless the user is a local admin.

Is it possible to connect the user without them being Local Admin?



Differences to SCIM specification


I am trying to integrate SCIM support for Azure AD into an existing web application. At the moment I struggle with several points.

  • Azure AD is sending PATCH requests for simple attributes with a complex attribute as the value. E.g.
    {"op": "Replace", "path": "userName", "value": [
        {"$ref": null, "value": "blubb2@mysignavio.onmicrosoft.com"}
      ]
    }
    This is in contrast to the SCIM specification.
  • Azure AD is upper-casing operations in PATCH requests, e.g. "Add" instead of "add":
    {"op": "Add", "path": "name.formatted", "value": [
        {"$ref": null, "value": "Blubb Blabb"}
      ]
    }

  • The URLs for Users and Groups have to have "scim" as a prefix, e.g. https://examplewebapp.com/.../scim/Users. The specification does not mention a "scim" prefix. This can force additional adjustments for existing implementations that don't have such a prefix in the URL.
  • When Azure AD sends PATCH requests, the add operation sometimes contains filters in the path. This is not part of the SCIM specification and is not supported by many frameworks.
  • Azure AD is using the schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User. Is there a way to choose the core User schema of SCIM? Is it enough to support the core schema when only core attributes are mapped?
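As an added illustration (not code from the post or from Azure AD), the following Python normalizer accepts the three PATCH deviations the post describes and turns them into spec-shaped operations before a SCIM endpoint applies them: it lower-cases the op and rejects anything outside the RFC 7644 set, unwraps the `[{"$ref": null, "value": x}]` wrapper on simple attributes, and splits a filtered path such as `emails[type eq "work"].value` into its parts. The sample request body is constructed from the shapes quoted above; the filter grammar handled is deliberately limited to a single `eq` clause, which is an assumption, not the full SCIM filter language.

```python
import json
import re

# Constructed sample PATCH body in the shape the post describes (not a real tenant request).
AZURE_PATCH = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "Replace", "path": "userName",
         "value": [{"$ref": None, "value": "blubb2@mysignavio.onmicrosoft.com"}]},
        {"op": "Add", "path": "name.formatted",
         "value": [{"$ref": None, "value": "Blubb Blabb"}]},
        {"op": "Add", "path": 'emails[type eq "work"].value',
         "value": "blubb2@example.com"},
    ],
})

# Only the operations RFC 7644 section 3.5.2 defines; anything else is refused, not guessed at.
ALLOWED_OPS = {"add", "remove", "replace"}

# Single-clause filter path: attr[sub eq "literal"].subattr  (assumption: one 'eq' clause only)
FILTER_RE = re.compile(
    r'^(?P<attr>[\w:.]+?)\[(?P<fattr>\w+) eq "(?P<fval>[^"]*)"\](?:\.(?P<sub>\w+))?$')


def unwrap_value(value):
    """Azure AD wraps a simple value as [{"$ref": null, "value": x}]; return x unchanged otherwise."""
    if (isinstance(value, list) and len(value) == 1
            and isinstance(value[0], dict) and set(value[0]) <= {"$ref", "value"}):
        return value[0]["value"]
    return value


def parse_path(path):
    """Split 'emails[type eq "work"].value' into (attr, (filter_attr, filter_value), subattr)."""
    if path is None:
        return None, None, None
    m = FILTER_RE.match(path)
    if m:
        return m["attr"], (m["fattr"], m["fval"]), m["sub"]
    return path, None, None


def normalize_patch(raw_json):
    """Return a list of spec-shaped operations; raise ValueError on an op outside ALLOWED_OPS."""
    ops = json.loads(raw_json).get("Operations", [])
    out = []
    for o in ops:
        op = str(o.get("op", "")).lower()          # "Replace" -> "replace"
        if op not in ALLOWED_OPS:
            raise ValueError(f"unsupported op: {o.get('op')!r}")
        attr, flt, sub = parse_path(o.get("path"))
        out.append({"op": op, "attr": attr, "filter": flt, "sub": sub,
                    "value": unwrap_value(o.get("value"))})
    return out


if __name__ == "__main__":
    for entry in normalize_patch(AZURE_PATCH):
        print(entry)
```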

Migration plan from on-premises to cloud


Hi,

I am new to Azure and the cloud. We have a requirement to move all my on-premises users to the cloud; can anyone please suggest the best process to migrate?

Requirement:

  1. 3 level of users (total 3000 employees)
  2. Level 1 users need machine access
  3. Level 1 and level 2 users need email access
  4. All users need OneDrive access
  5. Privileged identity management
  6. Shared emails
  7. Rights management
  8. Service accounts

Thank you,

Uday

Can't login to my new Lynda.com LinkedIn Learning - Azure AD Error


Trying to access my new Lynda LinkedIn Learning using my account, I get the following error:

Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'frmateo@live.com' from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application 'https://www.linkedin.com/learning/ABEAAAAAAAAADPoAAAAAACFVmgFvTxOkj9WDa4_9bWKuJSRyMruh_g' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Please advise.

fim*****@gmail.com

frm****@live.com


AAD token lifetime

I have a couple of questions regarding Azure AD tokens. Please help me to clarify them:

I referred to this KB article but was not able to get my queries cleared:

https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-configurable-token-lifetimes


1) What is the difference between access tokens and single sign-on session tokens?

2) Where are the access token and refresh token stored? Are the tokens stored in a cookie?

3) What is the default time-out for the MyApps portal? How can it be configured? Would the access token lifetime property apply to the MyApps portal time-out?

4) Will the MyApps portal lifetime policy apply to the application session time-out as well? I am looking to set an org-level session time-out for applications deployed with OIDC in Azure.

Thanks in advance

Alex


How to implement Azure Active Directory Authentication to Unity Android Application

I need AAD authentication to be implemented in my Unity - Vuforia AR project, and https://github.com/Unity3dAzure/AppServicesDemo uses FB and Azure to authenticate. I just need AAD to authenticate my application and use the existing DB to log in. Any help would be appreciated.

Universal security groups vs global security group


I am involved in rolling out an application to many offices. The application relies on a universal security group to provide single sign-on access. A number of the offices I am working with have traditionally only used global security groups. Of those, they predominantly contain nested groups.

There is opposition from these offices to create a universal security group for the one application. This is often due to the number of staff required to be inputted and that they have normally used nested groups, which do not appear to work with universal groups.

I am wondering if anyone else has faced a similar issue, and what they did to overcome it? Is there a simple way to create a universal group, other than changing the current global group to a universal group (as we have found this does not always work when nested groups are involved). I'm just trying to find a solution that might be easy for everyone.

Thank you in advance.

Unable to invite user xxxx@mls.nc ?


Hi there,

I've been able to add several external guest users but I am still having an issue with one from the "mls.nc" domain (local NC ISP).

Here is the error I get:

Title: "Unable to invite user xxxx@mls.nc."

Description: "Users from this identity provider cannot be invited. Contact your administrator to add this user."

I'm one of the administrators, and I double-checked that I'm not limiting any domain at all.

Any idea?

Thanks in advance,

Nicolas

remove contents from run in windows 10


In Active Directory there is a GPO where I can clear the contents of the Run history at startup.

Is this also possible in Azure? If yes, how?

Enterprise Application SSO


Hi,

I have added an enterprise app manually and have enabled single sign-on. Single sign-on works through the application's website, but not through the application's app on iPhone and Android. Is there a setting to allow an app to use single sign-on?

Thanks

Shane


Decommission multi forest hybrid setup / how to reconfigure Azure AD Connect post decommission


Hi,

We are currently using an on-premises Exchange 2010 server.

We have one account forest and one resource (the exchange) forest, there is a one-way trust between the two forests.

99% of the mailboxes are linked mailboxes.

We setup Azure AD connect for both forests/domains and created a hybrid setup.
We use ms-ds-consistencyguid as source anchor.

We want to use the hybrid setup to migrate all of our mailboxes to Office 365, remove the hybrid setup post migration, keep synchronizing identities from the account forest, but not the resource forest.

I am wondering about the correct approach to update Azure AD Connect post migration.

The way I see it, we should re-run the Azure AD Connect wizard and remove the 'hybrid' option.
Additionally, we should remove the connector of the resource forest domain from the synchronization service manager (is there any other way to remove a directory from Azure AD Connect?).

What I am wondering about is what it says on this page:

"Since all attributes in Azure AD are going to be overwritten by the on-premises value, make sure you have good data on-premises. For example, if you only have managed email address in Office 365 and not kept it updated in on-premises AD DS, then you lose any values in Azure AD/Office 365 not present in AD DS."

On the same page, it also says that "The exception is when an attribute has a NULL value on-premises. In this case, the value in Azure AD remains, but you can still only change it on-premises to something else."

Technically, attributes like proxyaddresses are null in the account forest, i.e.
Get-ADuser -filter * -properties proxyaddresses  | ? {$_.proxyaddresses -ne $null}
does not return anything.

Does that mean that we can get away with just removing the resource forest domain from Azure AD Connect, without losing mail addresses and other attributes of our mailboxes on Office 365?

Thank you very much

Mapping claims with Azure AD B2C Custom Identity Provider (OpenID Connect)

Although I've set all the claim mappings well so they match those issued by our Identity Server 3, we don't seem to have those values on the Azure AD side. Name and email are claims which can be used as an example. And what is weird is that this happens only with the Custom Identity Provider (OpenID Connect), while for example the Facebook built-in Identity Provider works well and takes those claims received from the IdP. Is there anyone who has ever made this work?

Additionally, I have also tried to achieve this through custom policies, as it was suggested to me as the only possible way this could be solved. Now I'm facing another problem: simply connecting AAD B2C to Identity Server 3 by using custom policies. Here is my TechnicalProfile definition from TrustFrameworkExnsion.xml:

<TechnicalProfile Id="IdentityServerProfile">
  <DisplayName>IdentityServer</DisplayName>
  <Description>Login with your IdentityServer account</Description>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="METADATA">https://{identity_server_hostname}/identity/.well-known/openid-configuration</Item>
    <Item Key="ProviderName">https://{identity_server_hostname}/identity</Item>
    <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
    <Item Key="IdTokenAudience">00000000-0000-0000-0000-000000000000</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">openid profile customScope</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="AccessTokenResponseFormat">json</Item>
    <Item Key="HttpBinding">POST</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_IdentityServerAppSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="IdentityServer" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>

Basically, after authentication on the IdentityServer side, I get redirected back to my web page which initialized the sign-in, and then I get this error: AADB2C: An exception has occurred. Correlation ID: 6797f691-4adb-4963-ad12-f31add3e1919 Timestamp: 2018-08-23 08:42:54Z

While analyzing the log on AAD B2C for the given correlation ID, I didn't find anything useful which would lead me to a possible solution.

Any help would be much appreciated!


Wrong redirection after delegated permission user consent


Hi,

I originally posted on SO here, so I will be brief and reword somewhat, because I have understood some things better since yesterday.

I have a registered Azure AD app, with the "Sign in and read user profile" delegated permission granted for both the "Windows Azure Active Directory" and "Microsoft Graph" APIs. Indeed, I have an API entry point that returns the JWT access token, so I guess the "Microsoft Graph" API should be granted too.

The problem lies here: when a new user logs in by calling my API app, he's redirected to microsoftonline.com to log in, but after he acknowledges consent for the app to "sign in and read user profile", the redirection is incorrect. Instead of redirecting to the originally called URL, http://localhost/my-api-entry-point, it gets redirected to the previous URL in the authentication flow, http://localhost/signin-oidc, which displays the following error message:

OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.

How can I remedy this, please? Thank you very much.

B2C - Unable to customize the sign in page in a SignIn policy


Hi, 

I'm trying to customize the sign-in page of a SignIn policy, but it lets me edit only the error page.

SignInUp and ResetPassword policies work fine.

Is there something I'm missing?

Thanks

Windows 10 1803 - Join AD via Provisioning Package


Hello!
Right now we are deploying devices with Windows 10 1709 and joining them to Azure Active Directory using provisioning packages. This works perfectly (except for the fact that the bulk token needs to be refreshed every 30 days).

However, we wish to make the switch to 1803, but the provisioning package fails while joining the AD. All other settings, like the Upgrade to Enterprise etc., are configured correctly, but actually joining AD fails.

I've completely recreated the package in ICD 10.0.17134.1 (1803) and still, to no avail.

The message in the Event Log (Provisioning-Diagnostics-Provider) is the one below:

ProvXML category 'DeviceAADJoin' failed with '0x80070057' at CSP node 'AADJ/BPRT'. Provisioning failed

This is from the AAD Event Log:

Error: 0xCAA5001C Token broker operation failed.Operation name: AddAccount,
Error: -895352821 (0xcaa2000b), Description: AADSTS50001: Resource 'https://enrollment.manage.microsoft.com/' is disabled.
Trace ID: e89d2d37-1a08-40fd-8655-33217cc60700Correlation ID: 68407247-141e-4ad0-bece-143152bfcbcfTimestamp: 2018-08-17 00:14:11Z
Logged at webaccountprocessor.cpp, line: 532, method: AAD::Core::WebAccountProcessor::ReportOperationError.


This happens on 2 different Azure domains (test and production) with confirmed accounts.


The actual XML of the package uses

<Authority>https://login.microsoftonline.com/common</Authority>

(automatically generated by the ICD). This URL, however, returns a 404?

Login to Wufoo using Azure AD SSO


Hi,

I am trying to use the Wufoo plugin in AD to log into Wufoo using my organization's credentials. After adding the Wufoo app to the Enterprise applications, the option for SAML-based sign-in is missing in the SSO configuration, but I am able to see password-based sign-on and linked sign-on. Does this plugin not offer that option? Or is there another way I can integrate Wufoo with my organization's AD and log in using organization credentials?

Thanks and any help would be appreciated.

[Enterprise app] AWS role sync doesn't remove old roles


Hi,

I'm having trouble with old roles which I deleted in AWS IAM: they do not get removed from Azure.
When I assign a role to an Azure user within the enterprise app, it still shows the roles which I deleted 10 days ago.

The Provisioning tab says it only synced 12 objects (roles), but the Roles tab includes 20 objects; 8 roles were deleted.
