Channel: Azure Active Directory forum

Mapping claims with Azure AD B2C Custom Identity Provider (OpenID Connect)

Although I've set all the claim mappings so they match those issued by our Identity Server 3, we don't seem to have those values on the Azure AD side. Name and email are claims which can be used as an example. And what is weird, this happens only with the Custom Identity Provider (OpenID Connect), while for example the Facebook built-in Identity Provider works well and takes the claims received from the IdP. Is there anyone who has ever made this work?

Additionally, I have also tried to achieve this through custom policies, as it was suggested to me as the only possible way this could be solved. Now I'm facing another problem: simply connecting AAD B2C to Identity Server 3 using custom policies. Here is my TechnicalProfile definition from TrustFrameworkExnsion.xml:

<TechnicalProfile Id="IdentityServerProfile">
  <DisplayName>IdentityServer</DisplayName>
  <Description>Login with your IdentityServer account</Description>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="METADATA">https://{identity_server_hostname}/identity/.well-known/openid-configuration</Item>
    <Item Key="ProviderName">https://{identity_server_hostname}/identity</Item>
    <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
    <Item Key="IdTokenAudience">00000000-0000-0000-0000-000000000000</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">openid profile customScope</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="AccessTokenResponseFormat">json</Item>
    <Item Key="HttpBinding">POST</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_IdentityServerAppSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="IdentityServer" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>

Basically, after authentication on the IdentityServer side, I get redirected back to my web page which initiated the sign-in, and then I get this error: AADB2C: An exception has occurred. Correlation ID: 6797f691-4adb-4963-ad12-f31add3e1919 Timestamp: 2018-08-23 08:42:54Z

While analyzing the log on AAD B2C for the given correlation ID, I didn't find anything useful which would lead me to the possible solution.

Any help would be much appreciated!
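A way to check what the IdP actually puts in its id_token against the claim names the TechnicalProfile above maps, as an added Python example that is not part of the post. It embeds a trimmed copy of the profile's OutputClaims and IdTokenAudience, builds two constructed, unsigned sample tokens (the hostname idsrv.example.invalid, the sub value and the exp value are made up), and reports which mapped partner claims are absent from the payload and whether aud matches IdTokenAudience:

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed copy of the OutputClaims and IdTokenAudience from the post's TechnicalProfile.
TECHNICAL_PROFILE_XML = """<TechnicalProfile Id="IdentityServerProfile">
  <Metadata>
    <Item Key="IdTokenAudience">00000000-0000-0000-0000-000000000000</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="IdentityServer" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" />
  </OutputClaims>
</TechnicalProfile>"""


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_fixture_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED test token; the third segment is a placeholder.
    It only feeds the inspector below and is not a token anything should accept."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def mapped_partner_claims(profile_xml: str) -> dict:
    """Return {B2C claim type: claim name expected from the IdP} for every OutputClaim
    that B2C must fill from the id_token. Claims with a DefaultValue are supplied by the
    policy itself; when PartnerClaimType is omitted B2C uses ClaimTypeReferenceId."""
    root = ET.fromstring(profile_xml)
    mapping = {}
    for claim in root.iter("OutputClaim"):
        if "DefaultValue" in claim.attrib:
            continue
        claim_type = claim.attrib["ClaimTypeReferenceId"]
        mapping[claim_type] = claim.attrib.get("PartnerClaimType", claim_type)
    return mapping


def expected_audience(profile_xml: str):
    root = ET.fromstring(profile_xml)
    for item in root.iter("Item"):
        if item.attrib.get("Key") == "IdTokenAudience":
            return item.text
    return None


def decode_payload(token: str) -> dict:
    """Read the payload of a captured id_token WITHOUT verifying its signature.
    This is a diagnostic for seeing what the IdP issued; B2C does the real
    signature, issuer and expiry validation at sign-in."""
    _, body, _ = token.split(".")
    return json.loads(_b64url_decode(body))


def audit_token_claims(profile_xml: str, token: str) -> dict:
    """Report which IdP claim names the policy maps but the id_token does not carry,
    and whether aud matches the IdTokenAudience the policy expects."""
    payload = decode_payload(token)
    wanted = set(mapped_partner_claims(profile_xml).values())
    missing = sorted(name for name in wanted if name not in payload)
    aud = payload.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    return {"missing": missing, "audience_ok": expected_audience(profile_xml) in aud_values}


# Constructed sample: an id_token that carries sub but no profile claims, which is
# what you get from an IdP that serves name/email only from its userinfo endpoint.
TOKEN_WITHOUT_NAME = make_fixture_token({
    "iss": "https://idsrv.example.invalid/identity",
    "aud": "00000000-0000-0000-0000-000000000000",
    "sub": "user-1234",
    "exp": 1535014974,
})

# Constructed sample that also carries the claim the policy maps to displayName.
TOKEN_WITH_NAME = make_fixture_token({
    "iss": "https://idsrv.example.invalid/identity",
    "aud": "00000000-0000-0000-0000-000000000000",
    "sub": "user-1234",
    "name": "Test User",
    "exp": 1535014974,
})

if __name__ == "__main__":
    print(audit_token_claims(TECHNICAL_PROFILE_XML, TOKEN_WITHOUT_NAME))
    print(audit_token_claims(TECHNICAL_PROFILE_XML, TOKEN_WITH_NAME))
```

Run it against an id_token taken from your own IdP's logs or a test client to see the claim names B2C can actually read. Two things the check makes visible: a claim type that has no OutputClaim at all (email is not listed in the profile above) is never read from the token, so it needs its own OutputClaim; and an IdP that returns profile claims only from its userinfo endpoint rather than inside the id_token shows up here as "name" missing even though the profile scope was granted.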


How to handle 401 error when using Azure App Authentication


Hi!

I'm using Azure App Authentication with Azure Active Directory as the provider. I have it set to Allow Anonymous Requests and the site pushes the user to /.auth/login/aad when authentication is required. This works flawlessly UNLESS the user has a valid Microsoft login but it's not assigned to my AD App (basically authenticated but not authorized). In that case they land at /.auth/login/aad/callback and get the ugly text message below:

{"code":401,"message":"An error of type 'access_denied' occurred during the login process: 'AADSTS50105: The signed in user is not assigned to a role for the application '18b35087-4aa1-453d-8770-89e52942ce59'.\u000d\u000aTrace ID: e690c46c-f61c-49ca-8ba8-9bed3e2b2800\u000d\u000aCorrelation ID: 23160c20-d9cf-4f0e-8678-57cbbcb3a5db\u000d\u000aTimestamp: 2018-08-16 17:27:22Z'"}

So my question is, how do I prevent this ugly message? I do set post_login_redirect_uri when calling /.auth/login/aad to tell the provider where to return the user once authenticated. Shouldn't it return them there? Or is there another parameter I can set to tell the provider where to return a user who isn't authorized?

I know I could set User Assignment Required in the AD App settings to No and then everyone would just get passed on through and then my code could do the authorization... but I like the security of AD doing it. I just want more control over what happens if authorization fails.

- Ron

OAuth app registration client ID and secret updated by MS?


We've recently experienced an odd issue where our users who use Microsoft/Azure AD to sign in via OAuth suddenly have different `sub` claim values. This means we no longer can identify our users when they log in using Microsoft as an identity provider.

For additional context, it also looks like our current app registration shows both a different client ID and client secret than we have had (we hadn't touched any of these configurations in over a year).

Has anyone else experienced this issue or know why this would have happened?

Universal security groups vs global security group


I am involved in rolling out an application to many offices. The application relies on a universal security group to provide single sign-on access. A number of the offices I am working with have traditionally only used global security groups. Of those, they predominantly contain nested groups.

There is opposition from these offices to create a universal security group for the one application. This is often due to the number of staff required to be inputted and that they have normally used nested groups, which do not appear to work with universal groups.

I am wondering if anyone else has faced a similar issue, and what they did to overcome it? Is there a simple way to create a universal group, other than changing the current global group to a universal group (as we have found this does not always work when nested groups are involved). I'm just trying to find a solution that might be easy for everyone.

Thank you in advance.

Azure AD Authentication -Asp.net Web Application (Not MVC & Not Core)


Hi,

I have a requirement to set up Azure AD Authentication for one of my ASP.NET web applications. I searched a lot on the net and got many links, but they all describe Azure AD authentication for MVC applications. I am new to Azure, so please reply: is this authentication only possible for MVC applications?

I tried with OAuth, but I am not sure how to implement it in ASP.NET. I didn't find an example for a normal ASP.NET application. Kindly give advice on this question.

Thanks in advance.



How does document storage and roaming profiles work on Azure?


I continue to be mystified as to how normal Windows Active Directory user profiles, user document storage, and shared organizational document storage is supposed to work on Azure.

I have looked through the available Azure documentation, and there is no explanation of how user profiles are stored "in the cloud" with Azure. There does not appear to be a way to specify a user profile path location for a user account via the Azure AD web interface, and I can't find any information on what costs may be involved for Windows user account document storage within Azure.

It is unclear to me if Azure is really only meant for use by programmers and developers, and is not really intended for just mere Windows 10 user accounts that previously had stored their roaming user profiles and document data on a central Windows file server in-house.

Am I expected to be doing something via the Office 365 web interface to configure business/education user data storage in the cloud, rather than expecting to find it within the Azure web interface?


Meanwhile it seems roaming profiles, as they have existed for the last 20 years as a standard included component of Active Directory, are now being billed as a special add-on for Azure, with a minimum cost of $72 a year per user for Enterprise State Roaming using Azure Premium P1.

This new premium monthly charge for use of roaming with Azure is just ridiculously expensive for education. I've long been able to get Windows Server licenses for about 90% off the full business price, and I've been able to use roaming on our local Windows file servers at no additional charge. Here's what we're paying annually to license Windows server: 

And yet it seems if I want that traditional roaming user capability with Azure, suddenly we are going to be forced into forking over $72 a year for each kindergarten student that makes a few drawing scribbles in Windows Paint? 

It gives me the impression that Microsoft wants to nickel and dime us to death with their new cloud thing. The total lack of any sort of cost discounting for education customers is also extremely frustrating.


I may be better off just sticking with Active Directory roaming profiles on our in-house Windows Server 2016 file servers that we have been using for the last decade, and set up hidden administrative VPNs for Windows 10 devices that need to leave our building, so that people can access their data remotely on our servers, in our own low-cost "private cloud" without Azure at all.

Merge Microsoft Account to Organizational Account


Hello,

We have an Azure AD that contains our Microsoft Account ( firstname.lastname@mycompany.com ).

I want to configure AzureAD Connect with this Azure AD.

The problem is that the name that we use for our Microsoft Account is the same as the UPN of our on-premise AD.

What will happen after the synchronisation? Will they merge together?

I try to be clear but it's difficult to explain :-)

In the meantime I found this post: "http://feedback.azure.com/forums/169401-azure-active-directory/suggestions/5214614-merge-office365-and-live-accounts-that-use-the-sam"

And the solution that they provide is that we have to rename our Microsoft Account...

Thanks for your input!


Merging on-premise AD and AAD with existing users using AADSync


Hi everybody,

We are trying to introduce AADSync between an on-premise AD and an existing Azure AD. The problem is that users already exist in the Azure AD because of Exchange Online.

While testing this scenario we ran into the problem that on-premise and AAD users are not merged correctly, even if they have exactly the same attributes (surname, first name, display name, UPN).

[Screenshot: user in AAD]

After synchronizing, a second user appears in AAD. For example: in AAD a user test.user@test.onmicrosoft.com (UPN) exists, and on-premise the same user exists. After the sync there are two users (the new one looks like test.user1234@test.onmicrosoft.com).

Can anyone provide some hints where the problem could be? Maybe we have to change some sync-settings in the synchronization service or while setting up (see next screenshot)?

Sorry for the German screenshots and thanks for your help.


Optional Custom Claim in jwt IDToken appearing as Array not String


I have a problem with an extension attribute.

I followed the create example as described here:
    https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

I set the value to a String "JEFF".

I configured the optional claim as described here:
     https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#optional-claims-example

However, in my version I configured the extension attribute under the IDToken section, not the SAML section, as that's where I need it.

My value is coming through, so the link works; however, the claim in the IDToken is in an array like this:

"extn.MyClaim": [
    "JEFF"
],

As this is defined as a string and configured as a string in the attribute, not an array, it should not come out as an array in the JWT token. I believe it should look like this:

"extn.MyClaim": "JEFF",
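A token consumer that accepts the one-element array shape the post describes without silently accepting a genuinely multi-valued claim where a single value is expected, as an added Python example that is not from the post. The payload is a constructed sample shaped like the post's fragment; the roles claim, aud and sub values are made up:

```python
import json

# Constructed id_token payload shaped like the one in the post: a single-valued
# extension attribute delivered as a one-element JSON array, next to a claim
# that is legitimately multi-valued.
SAMPLE_PAYLOAD = """{
  "aud": "00000000-0000-0000-0000-000000000000",
  "sub": "user-1234",
  "extn.MyClaim": ["JEFF"],
  "roles": ["reader", "writer"]
}"""


class ClaimShapeError(ValueError):
    """Raised when a claim is not shaped the way the consumer expects."""


def load_claims(payload_json: str) -> dict:
    return json.loads(payload_json)


def scalar_claim(claims: dict, name: str, *, required: bool = True):
    """Return the single string value of `name`.

    Accepts a bare string or a one-element list of strings (the shape observed in
    the post) and refuses anything else. Picking value[0] from a longer list would
    hide a mapping or token-source mismatch, so that case is an error, not a guess."""
    if name not in claims:
        if required:
            raise ClaimShapeError(f"required claim {name!r} is absent")
        return None
    value = claims[name]
    if isinstance(value, list):
        if len(value) != 1:
            raise ClaimShapeError(
                f"claim {name!r} has {len(value)} values, expected exactly one")
        value = value[0]
    if not isinstance(value, str):
        raise ClaimShapeError(
            f"claim {name!r} is {type(value).__name__}, expected a string")
    return value


def multi_claim(claims: dict, name: str) -> list:
    """Return a list for claims that may carry several values (roles, groups).
    A bare string is treated as a one-element list; an absent claim is empty."""
    value = claims.get(name, [])
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    raise ClaimShapeError(f"claim {name!r} is not a list of strings")


if __name__ == "__main__":
    claims = load_claims(SAMPLE_PAYLOAD)
    print(scalar_claim(claims, "extn.MyClaim"))
    print(multi_claim(claims, "roles"))
```

Deciding per claim whether it is scalar or multi-valued at the point of use, rather than trusting the JSON shape the issuer happened to send, keeps the consumer working if the issuer later switches between the two representations and still fails closed when a supposedly single-valued claim arrives with several values.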

Azure AD Connect Health Sync Monitor High CPU Usage

Hello.  I have Azure AD Connect installed on my server to sync our on-premise domain with Office 365 and I'm noticing the Azure AD Connect Health Sync Monitoring Service is always running high CPU usage.  The actual process is Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe.  Is there a reason for this or a way to fix it?  Right now, I'm just stopping the Azure AD Connect Health Sync Monitoring Service(AzureADConnectHealthSyncMonitor) and my resources go back to normal.  I'm running Azure AD Connect 1.1.819.0 so it is the latest version.  If I restart the service, things are normal for a few minutes before this process spikes again.  Any help would be appreciated.  Thanks!

Azure AD SSO Application Permissions


Hi,

I have added an application and SSO is working. I can only specify permissions for individual users and not groups. If I add a group it is set as an object type of Group, and the role assigned is User. How do I add a group?

Thanks

Shane

AZURE migration questions and concerns


My boss has told me to migrate our Internal Domain to AZURE and would like me to set up 2 Domain Controllers as VMs within the Azure cloud.

I tried to argue the idea of on-prem Domain Controllers AND Azure. He has rejected that notion and 'wants' the DCs in AZURE as VMs.

We are ALSO updating all workstations to Windows 10.

Exchange has been retired and we've since migrated to Gmail and Google Docs, and our legacy software is being retired and replaced with "SAS" in around 1 month.

Am I just crazy thinking here, or could we 'essentially' just use AZURE AD and allow Win 10 clients to authenticate through that?

The only servers that are going to be on prem any longer (by present demands) are a simple file share and a print server.

In AZURE, the plan is a SQL server, and SCCM.  Other than that, most of our other services are cloud based.

Does anyone have experience with Windows 10 and Azure authentication?  Is that a viable strategy for a small business of 100 users?

Opinions and experiences welcomed.

Connect Azure AD with customer's ADFS


Hi all,

we have this project and I was wondering how to do the setup:


1. we have an application (actually, a Remote Desktop Gateway that allows users to have RDP access to different servers, entire infrastructure in Azure)

2. the users allowed to access RDGateway are stored in Active Directory "on-premises" (an AD DS installed on an Azure VM)

3. we have synced (with Azure AD Connect) this AD with Azure AD

4. our customers (that access the services through RDGateway) are asking for SSO (basically, they want to use the users in their domains to have access to the services we offer)


The question is: how do we connect our Azure AD with our customer's ADFS in order to obtain SSO?


Thank you,

Sorin

Azure AD Sync is not working anymore - after first restart after setup


Hi there,

We set up Azure AD Sync with Password Hash Sync on Friday. Due to Windows updates we had to restart the server today.

Now it is not syncing anymore because of permission problems:

Password hash synchronization failed for domain: horvath.de. Details: 
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T](Func`1 operation, Func`1 shouldAbort, RetryPolicyHandler retryPolicy)
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
.

I found this article:

https://social.technet.microsoft.com/wiki/contents/articles/51110.azure-ad-sync-troubleshooting-error-611-replication-access-was-denied-password-synchronisation-failed.aspx

But it's not clear where it needs those permissions. When installing the Azure client we let the Azure AD client manage the service user for syncing, so the entries were set by the program.

It has these rights on "root" but not on all OUs.



Can anyone please advise? 


Regards, Stephan

Error after running 1-Aug-2018 AD Upgrade


Azure AD Connect 1-Aug-2018 Release Fails to Upgrade & provides "AD Error 906: Index out of range error".  I needed to run this update in order to fix the CPU utilization issue associated with KB4338814 “2018-07 Cumulative Update for Windows Server”.  Now I can't sync my AD...  I can't upload pictures here, either.

The Upgrade Azure Active Directory Connect gives error: "An error occurred while upgrading from Azure Active Directory Sync.  Unable to upgrade the Synchronization Service.  Please see the event log for additional details."

The event log has "Event 906, AzureActiveDirectorySyncEngine.  Index was outside the bounds of the array."


Message: Index was outside the bounds of the array


Hi,

I got an error when getting a user from AAD.

"Message: Index was outside the bounds of the array.
 Inner Exception: 
 Stacktrace:    at System.Array.Clear(Array array, Int32 index, Int32 length)
   at System.Collections.Generic.List`1.Clear()
   at System.Data.Services.Client.AtomMaterializerLog.MergeEntityDescriptorInfo(EntityDescriptor trackedEntityDescriptor, EntityDescriptor entityDescriptorFromMaterializer, Boolean mergeInfo, MergeOption mergeOption)
   at System.Data.Services.Client.AtomMaterializerLog.ApplyToContext()
   at System.Data.Services.Client.MaterializeAtom.MoveNextInternal()
   at System.Data.Services.Client.MaterializeAtom.MoveNext()
   at System.Linq.Enumerable.<CastIterator>d__94`1.MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.PagedCollection`2..ctor(DataServiceContextWrapper context, QueryOperationResponse`1 qor)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<>c__DisplayClass4b`2.<ExecuteAsync>b__49(IAsyncResult r)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteAsync>d__4d`2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.ActiveDirectory.GraphClient.DirectoryObjectCollection.<<ExecuteAsync>b__2>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

It occurred after the Japan East accident last day.

"Starting at 12:42 UTC on 08 Mar 2017, a subset of customers using Virtual Machines, HD Insight, Redis Cache or App Service \ Web Apps in Japan East may experience difficulties connecting to resources hosted in this region. Engineers have determined that this is caused by an underlying Storage incident which is currently under investigation. Other services that leverage Storage in this region may be experiencing impact related to this and additional services will be listed on the Azure Status Health Dashboard. Engineers are aware of this issue and are actively investigating. The next update will be provided in 60 minutes, or as events warrant"

Regards,

Zhong

Azure AD Connect - Errors enabling SSO


I am in the process of enabling Seamless SSO via Azure AD Connect. AD Connect was already setup and functioning, but without SSO functionality enabled. I have followed the Quick Start guide, but have been halted with an unknown error. 

I can't post links apparently, so 'Bing' Azure AD Connect Quick Start for the documentation link.

The AD Connect client is the latest and greatest, 1.1.880.0. When following Step 2 (enable the feature), I'm immediately given an error after checking 'Enable single sign on' > Next. The wizard throws the error "Cannot retrieve single sign-on status."

I ran through all the troubleshooting guides and haven't found a similar scenario, or explanation for the error. I've now decided to bypass the AD Connect client, and complete this through PS. Again, more errors without much explanation.

When running Get-AzureADSSOStatus, I get no status returned. This I'm guessing is expected, as SSO has not been enabled yet. I then run 'Enable-AzureADSSOForest' with some success... until it deletes the newly created AZUREADSSOACCT object and throws an error.

PS C:\Windows\system32> Enable-AzureADSSOForest -OnPremCredentials $creds -ParentDN "DC=mydomain,DC=com"
[07:20:25.271] [  9] [INFORMATIONAL] CreateComputerAccount: Making sure 'DC=mydomain,DC=com' exists...
[07:20:25.286] [  9] [INFORMATIONAL] No conflicts found for the reserved SPNs and computer account display name.
[07:20:25.286] [  9] [INFORMATIONAL] Creating computer account in DC=mydomain,DC=com (mydomain.com)...
[07:20:25.818] [  9] [INFORMATIONAL] Setting password for computer account with DN 'CN=AZUREADSSOACC,DC=mydomain,DC=com'...
[07:20:25.880] [  9] [INFORMATIONAL] Successfully created computer account with DN 'CN=AZUREADSSOACC,DC= mydomain,DC=com'.
[07:20:26.021] [  9] [INFORMATIONAL] DeleteComputerAccount: Locating SSO computer account with name 'AZUREADSSOACC'...
[07:20:26.036] [  9] [INFORMATIONAL] DeleteComputerAccount: AZUREADSSOACC found in mydomain.com. Deleting...
Enable-AzureADSSOForest : One or more errors occurred.
At line:1 char:1
+ Enable-AzureADSSOForest -OnPremCredentials $creds -ParentDN "DC= mydomain,DC=com"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Enable-AzureADSSOForest], AggregateException
    + FullyQualifiedErrorId : System.AggregateException,Microsoft.KerberosAuth.Powershell.PowershellCommands.EnableAzureADSSOForestCommand

I currently have a ticket open with support, but I haven't gotten any traction yet. Hoping somebody else has experienced this and can shed some light on the problem.

Intune - cancel a device wipe


Is there a way to cancel a request to wipe a device in Intune?

Or do I have to have them bring the device in after the wipe and factory reset and re-enroll the device?

AD Connect Group WriteBack to Exchange 2010 OnPrem


Hello, we got group writeback working; however, when I run update-recipient "<group>" I get an error due to a couple of attribute values that Exchange 2010 doesn't understand.

msExchRecipientDisplayType 17
msExchRecipientTypeDetails 8796093022208

The property value you specified, "17", isn't defined in the Enum type "Nullable`1".
    + CategoryInfo          : NotSpecified: (AD.CORP.LOCAL/G...ff-b273de87f6f6:ADObjectId) [Update-Recipient], DataValidationException
    + FullyQualifiedErrorId : 5D595360,Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient

The property value you specified, "8796093022208", isn't defined in the Enum type "RecipientTypeDetails".
    + CategoryInfo          : NotSpecified: (AD.CORP.LOCAL/G...ff-b273de87f6f6:ADObjectId) [Update-Recipient], DataValidationException
    + FullyQualifiedErrorId : 10FAD6F9,Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient

If I manually blank out these values and run the cmdlet again, it works without error. The O365 group object is displayed as a group in the Exchange 2010 GAL. However, during the next dir sync these values are put back and the object no longer "displays" as a group object in the GAL. The object entry is there in the GAL but there is no group icon, nor is the name in bold (like other group objects). You can open the object and see the members and still use it for routing.

I read that you can prepare the schema for Exchange 2013 but I really don't want to go down that road. Is there a way to prevent those 2 attribute values from being sync'd back to on-prem? I could probably write a PowerShell script that runs shortly after the dir sync to remove those values, but preventing those attributes from writing back to on-prem would be ideal.
