Channel: Azure Active Directory forum

How-to set the user identifier claim depending on the UserType (Guest / Member) in Enterprise applications?

I registered a custom enterprise application to issue SAML 1.1 tokens as described in this article.
I set the user identifier to "user.UserPrincipalName" and it's working fine.

But in another scenario, I have an app registration with ADFS, and upon authentication, Azure AD issues a SAML 2 token (to ADFS) with the user identifier set like this (non-configurable by the administrator):
- if UserType is "Member": claim type "name" is set with the property UserPrincipalName
- if UserType is "Guest" : claim type "name" is set with the property Mail

Here are my questions:
- For consistency, I need to make a similar configuration on the user identifier in the custom enterprise application: how can I configure Azure AD to set the user identifier value to the property UserPrincipalName for "Member" and Mail for "Guest"?
- Overall, what is the best practice to handle user identifier of Guest users? It feels very inconsistent to use a different property depending on the UserType (which is what Azure AD does with my ADFS app registration and that I cannot change).

App service not available to tenants


I have three tenants but one app service, it is only available to the tenancy in which it was created, as is my subscription, it seems.

Is this how it's supposed to work? I have a paid subscription and set up a tenant so I could take advantage of more suitable domain name but without the ability to create an app service - short of setting up another subscription? - it's of very limited use?

Token from Azure AD does not contain groups claim


I followed this tutorial to get groups claim for authorization

https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims

But when I log in, I get a token without the groups claim.

What I tried:

- Edit manifest 

"groupMembershipClaims": "All"

- Change 

"homepage": "https://localhost:4200/"


Hope that you can help

 

Error getting Authorization Code Microsoft Azure


I am trying to generate Authorization Code for Microsoft Azure Application. I am following the below docs

docs.microsoft.com/en-gb/rest/api/azure/#authorization-code-grant-interactive-clients

docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal

I got all the below details:

App ID : xxxxxxxxxxxxxxxxxxxxxxxx
Authentication Key : xxxxxxxxxxxxxxxxxxx
Tenant ID : xxxxxxxxxxxxxxxxxxx

When I try to get the code with the below URL, I get an error:

login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A12345&response_mode=query&resource=https%3A%2F%2FAzureApp.mydomain.com&state=12345

Error

AADSTS90009: Application '<AppID>' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.


Azure Active Directory Connect Error


Hello,

We are on a pay as you go subscription and I would like to try pass through authentication with Azure AD. I tried to install Azure Active Directory Connect on our Win 2012 R2 server which hosts our on premise AD but I get the following connection error. The user I am connecting with is the Global Administrator for my tenant.

Azure Active Directory Connect Event Log Error:
ProvisioningWebServiceAdapter::ExecuteWithRetry: Action ProvisioningWebServiceAdapter::GetCompanyConfiguration, Exception: Microsoft.Online.Coexistence.ProvisionException: An error occurred. Error Code: 106. Error Description: Sync from on-premise is not supported for this tenant. Tracking ID: 9aa4e4f1-c8ea-440b-ace2-1983e3cbcc04 Server Name: . ---> System.ServiceModel.FaultException`1[Microsoft.Online.Coexistence.Schema.AdminWebServiceFault]: Sync from on-premise is not supported for this tenant.

Thanks


Azure domain service


Hi, I have an Office 365 subscription which is based on xxx.com, and I created Azure AD Domain Services successfully. Now I have created a VM attached to it and successfully joined the AD, which is xxx.com. Inside the VM, xxx.com maps to 10.1.0.4, so I cannot browse to xxx.com, which is hosted somewhere else. Can I change the domain name (xxx.com) created by Domain Services to dc.xxx.com?

thanks

From Peter

Unable to Register Device - When setting up Outlook 365


I have a machine that had the motherboard changed and I am in the process of setting up Microsoft Outlook 365 (was working before repair) and it picks up the username and I enter the password, then it asks if I want to "Allow my organization to manage my device" and it is checked just like every other machine I have set up, click the "YES" button at the bottom and it churns for awhile then comes back asking for the Password again, I enter it and it takes off then comes back and says "Something Went Wrong" "We weren't able to register your device and add you account to Windows"...

NOTE: our email provider is Comcast Business, so what we do in Azure is limited. In fact this is the first time I have even looked around in it, as we have never had this issue before. The question is: why will this machine not join when all others seem to join just fine?


Unable to add a second forest in AAD Connect


I have been struggling to add a second forest in AAD Connect, the error that I get is 'the specified domain does not exist or cannot be contacted':



The forest in question is located on a separate, isolated domain controller, and the AAD Connect server is placed in DMZ:

I found the following article stating that they were able to contact the domain by using the FQDN instead of the NetBIOS name: https://blog.kloud.com.au/2015/12/16/azure-ad-connect-the-specified-domain-does-not-exist-or-cannot-be-contacted-when-adding-an-untrusted-ad-forest/
Using the FQDN does not work either - actually it fails even quicker than using NetBIOS.

I've tried reinstalling AAD Connect with no success. The domain in question is added in the Office 365 portal.

The domain answers to ping using the FQDN as in the article - but I had to add an entry in the hosts file, because initially the domain did not answer, only the domain controller. However, by forcing this in the hosts file, the AAD Connect server should definitely be able to contact the domain, shouldn't it?

So I suspect there's either an issue with the Domain Controller or with DNS (the DNS role is installed on the DC).

What could be the reason for this, and what should I try to adjust/rectify?
I would deeply appreciate any advice on this matter.

Thanks.


Optional Custom Claim in jwt IDToken appearing as Array not String


I have a problem with an extension attribute.

I followed the create example as described here:
    https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

I set the value to a String "JEFF".

I configured the optional claim as described here:
     https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#optional-claims-example

However, in my version I configured the extension attribute under the IDToken section, not the SAML section, as that's where I need it.

My value is coming through, so the link works; however, the claim in the ID token is wrapped in an array like this:

"extn.MyClaim": [ "JEFF" ],

As this is defined as a string and configured as a string in the attribute, not an array, it should not come out as an array in the JWT token. I believe it should look like this:

"extn.MyClaim": "JEFF",
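Added example (not from the post or from Microsoft's libraries): a relying party that reads this claim should tolerate both shapes the post shows, a bare string and a one-element array, but reject anything ambiguous. The token and claim values below are constructed for the demonstration, and signature validation is assumed to have been done by the usual OIDC library before the claims are read.

```python
import base64
import json

# Constructed sample claims (not a real token): the shape the post reports, where
# the extension attribute arrives as a one-element array instead of a bare string.
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    "extn.MyClaim": ["JEFF"],
}


def b64url_encode(raw: bytes) -> str:
    """JWT-style base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Constructed test token: alg 'none' and an empty signature segment."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Read the claims segment only; signature checks are assumed done upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    return json.loads(b64url_decode(parts[1]))


def claim_as_string(claims: dict, name: str):
    """Return the claim as one string whether it arrives as "JEFF" or ["JEFF"].

    Several values or non-string entries are rejected rather than silently
    taking the first element, so authorisation never acts on an ambiguous value.
    """
    value = claims.get(name)
    if value is None:
        return None
    if isinstance(value, str):
        return value
    if isinstance(value, list) and len(value) == 1 and isinstance(value[0], str):
        return value[0]
    raise ValueError(f"claim {name!r} is not a single string: {value!r}")
```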

Rename existing domain from xyz.com to ABC.com


Hi,

I am working for XYZ company and they have their Azure subscription, public portal and Office 365; everything is on xyz.com.

Now they would like to change xyz.com to ABC.com. Since this is the first time, I don't know the right steps and starting point to complete the needs below. They need their AD also changed from xyz to abc. So can you please share the steps and how much effort is required to complete this task if they have around 100 VMs in their environment? (A few applications are 2-tier or 3-tier applications with SQL as the data layer.)

XYZ will be called abc.com
All the public facing URLs / endpoints will be updated to abc.com
Setting up the abc.com domain (internal).
Setting up / configuration of O365 SMTP connectivity reflecting abc.com
XYZ wants all outbound email to be sent as the abc.com domain.

Unable to connect to work account


I am having trouble connecting to a work account (binding to Azure AD).

This user had previously registered this device. I have removed her orphaned devices and checked to make sure device registration is enabled for all users, and it is set to unlimited.

How can I tell which account is the Global Administrator


Hello,

When I log into the Azure Portal or AAD Azure Portal, I see 4 user accounts all of which are user accounts.

How do I make my account the Global administrator account for our domain?

Thanks

Allen

ARM Template - Role Assignment


Hi,

I am looking for a template which can assign access to multiple subscriptions. In my case, we are a CSP and I have access to multiple customer tenants (directories). Currently, if I want to assign a user reader permission on all customers' subscriptions, I have to do it one by one. I want this task to get done by a single script. Do you have such a type of script? Thank you, Sakaldeep


Sakaldeep Yadav

AAD token lifetime

I have a couple of questions regarding Azure AD tokens. Please help me to clarify them.

I referred to this KB article but was not able to get my queries cleared:

https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-configurable-token-lifetimes


1) What is the difference between access tokens and single sign-on session tokens?

2) Where are the access token and refresh token stored? Are the tokens stored in a cookie?

3) What is the default time-out for the MyApps portal? How can it be configured? Does the access token lifetime property apply to the MyApps portal time-out?

4) Will the MyApps portal lifetime policy apply to the application session time-out as well? I am looking to set an org-level session time-out for applications deployed with OIDC in Azure.

Thanks in advance

Alex

Sync Issues


Azure AD Sync complains about the mail attribute being mismatched although it's displaying the same address under both columns. I tried using IDFix; it finds no errors.

I get the following information via email:

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [Mail <removed Email Address>;]. Correct or remove the duplicate values in your local directory. Please refer to<removed due to unverified account> for more information on identifying objects with duplicate attribute values.

I tried the solution given, as well as the solution from Azure Twitter support. I am still experiencing issues on this single account.


How to merge a domain with a subdomain


I've been trying to fix an issue in the company where I'm working right now.

Before migrating to the Microsoft Office 365 for Business services we used to have a domain just for hosting a web page, i.e. domain.com. We started an on-premises domain controller as domain.com, but we encountered the problem where you can't open your own web page inside that domain network, so we renamed it to corp.domain.com. We never connected it to the root domain domain.com because there wasn't a domain controller at the time on that domain.

Now we have the domain.com domain linked to the Microsoft services, including the basic Azure Active Directory. We want to connect the Azure Active Directory with the on-premises Active Directory.

Azure Active Directory Connect just syncs the accounts on-premises to the Azure Active Directory, which is fine for the people that only have on-premises accounts, but it is duplicating the people that have both on-premises and Azure accounts, which is a problem, especially for the email directory.

Has anybody encountered this problem before? And what was your solution?

Two Azure applications with the same external vendor using the same (SAML) authentication?


Hi,

I'm trying to set up two Azure applications for SSO using SAML-based sign-on.

1. is using the sign-on URL, Identifier and Reply URL of:

https://companyname.externaldomain.com

2. is using the sign-on URL, Identifier and Reply URL of:

https://applicationname.companyname.com

The idea, of course, is that we are moving away from exposing externaldomain to our staff; we want it to appear more like an internal system.

Both of these have ended up with the same App Federation Metadata URL. I suppose that's natural because it's an application (Freshservice) that exists in the Azure applications gallery when setting it up.

The first one works fine and has worked for years, but the new one gives various error messages when testing the SAML settings:

AADSTS70001: Application with identifier 'http://applicationname.companyname.com' was not found in the directory <string from the App Federation Metadata URL>

If I change the Identifier to HTTP instead of HTTPS (which the resolving-errors guide suggests) I instead get this error:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'http://applicationname.companyname.com'.

Changing the Reply URL to HTTP instead of HTTPS isn't allowed, so that's not an option.

Please note that we have a DNS CNAME in place for applicationname.companyname.com to point at the old address: companyname.externaldomain.com.

Any and all suggestions are welcome. Thank you.

Unable to invite user xxxx@mls.nc ?


Hi there,

I've been able to add several external guest users but I'm still having an issue with one from the "mls.nc" domain (a local NC ISP).

Here is the error I get:

Title: "Unable to invite user xxxx@mls.nc."

Description: "Users from this identity provider cannot be invited. Contact your administrator to add this user."

I'm one of the administrators, and I double checked that I'm not limiting any domain at all.

Any idea?

Thanks in advance,

Nicolas

AD Connect Group WriteBack to Exchange 2010 OnPrem


Hello, we got group writeback working; however, when I run update-recipient "<group>" I get an error due to a couple of attribute values that Exchange 2010 doesn't understand:

msExchRecipientDisplayType 17
msExchRecipientTypeDetails 8796093022208

The property value you specified, "17", isn't defined in the Enum type "Nullable`1".
    + CategoryInfo          : NotSpecified: (AD.CORP.LOCAL/G...ff-b273de87f6f6:ADObjectId) [Update-Recipient], DataValidationException
    + FullyQualifiedErrorId : 5D595360,Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient

The property value you specified, "8796093022208", isn't defined in the Enum type "RecipientTypeDetails".
    + CategoryInfo          : NotSpecified: (AD.CORP.LOCAL/G...ff-b273de87f6f6:ADObjectId) [Update-Recipient], DataValidationException
    + FullyQualifiedErrorId : 10FAD6F9,Microsoft.Exchange.Management.RecipientTasks.UpdateRecipient

If I manually blank out these values and run the cmdlet again, it works without error. The O365 group object is displayed as a group in the Exchange 2010 GAL. However, during the next dir sync, these values are put back and the object no longer "displays" as a group object in the GAL. The object entry is there in the GAL but there is no group icon, nor is the name in bold (like other group objects). You can open the object and see the members and still use it for routing.

I read that you can prepare the schema for Exchange 2013 but I really don't want to go down that road. Is there a way to prevent those 2 attribute values from being sync'd back to on-prem? I could probably write a PowerShell script that runs shortly after the dir sync to remove those values, but preventing those attributes from writing back to on-prem would be ideal.

Redirect to https


Hi!

I have a microservice with AAD authentication. My service is located on AKS. I have moved it to ASP.NET Core 2.1 and am now using

app.UseHsts();
and
app.UseHttpsRedirection();

Currently, when I log in I can see "redirect_uri=http%3A%2F%2Fmycustomname-ingress.westeurope.cloudapp.azure.com"

And I am a little bit stuck on changing this http to https.
