Channel: Azure Active Directory forum
Viewing all 16000 articles

Azure domain service


Hi, I have an Office 365 subscription which is based on xxx.com, and I created Azure Domain Services successfully. Now I created a VM which is attached to it, and I successfully joined the AD, which is xxx.com. Inside the VM, xxx.com will map to 10.1.0.4, so I can browse to xxx.com, which is hosted somewhere else. Can I change the domain name (xxx.com) which was created by Domain Services to dc.xxx.com?

thanks

From Peter


AAD token lifetime

I have a couple of questions regarding Azure AD tokens. Please help me clarify them:

I referred to this KB article but was not able to get my queries cleared:

https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-configurable-token-lifetimes


1) What is the difference between Access token and Single sign-on session tokens?

2) Where are the access token and refresh token stored? Does it store the tokens in a cookie?

3) What is the default time-out for the MyApps portal? How can it be configured? Would the access token lifetime property apply to the MyApps portal time-out?

4) Will the MyApps portal lifetime policy apply to the application session time-out as well? I am looking to set an org-level session time-out for applications deployed with OIDC in Azure.

Thanks in advance

Alex

This tenant does not allow email verified users to be added due to an admin-defined policy


Hi,

I've added some external users to my Azure AD - users from another organisation.

When they click on the invitation link, they all receive an error message - 

"This tenant does not allow email verified users to be added due to an admin-defined policy."

Any idea how I can fix this?

Thanks

Configure AAD Sync - An error occurred executing Configure AAD Sync task: Object reference not set to an instance of an object.


Hi all,

I recently implemented an Office 365 tenant using Azure and ADFS.

It ran smoothly for about a month, but then the AAD connector stopped syncing.

I was advised by someone to uninstall Azure AD Connect and reconfigure.

I attempted to do this, configured Domain/OU filtering for my users and pointed to my existing ADFS server.

When I get to the last stage "Configure", it throws the error that I posted above.

Thanks for your help.


** I'm trying to post a log file but my account has not been verified **

How to handle 401 error when using Azure App Authentication


Hi!

I'm using Azure App Authentication with Azure Active Directory as the provider. I have it set to Allow Anonymous Requests, and the site pushes the user to /.auth/login/aad when authentication is required. This works flawlessly UNLESS the user has a valid Microsoft login but isn't assigned to my AD App (basically authenticated but not authorized). In that case they land at /.auth/login/aad/callback and get the ugly text message below:

{"code":401,"message":"An error of type 'access_denied' occurred during the login process: 'AADSTS50105: The signed in user is not assigned to a role for the application '18b35087-4aa1-453d-8770-89e52942ce59'.\u000d\u000aTrace ID: e690c46c-f61c-49ca-8ba8-9bed3e2b2800\u000d\u000aCorrelation ID: 23160c20-d9cf-4f0e-8678-57cbbcb3a5db\u000d\u000aTimestamp: 2018-08-16 17:27:22Z'"}

So my question is, how do I prevent this ugly message? I do set post_login_redirect_uri when calling /.auth/login/aad to tell the provider where to return the user once authenticated. Shouldn't it return them there? Or is there another parameter I can set to tell the provider where to return a user who isn't authorized?

I know I could set User Assignment Required in the AD App settings to No and then everyone would just get passed on through and then my code could do the authorization... but I like the security of AD doing it. I just want more control over what happens if authorization fails.

- Ron

Azure AD Connect - Update AD FS SSL certificate missing

We are running version 1.1.819.0 (test and prod environments) and we have the same issue. The Update AD FS SSL certificate is missing. Also noticed that Repair AAD and ADFS Trust from the list of additional tasks is missing.

Azure ADConnect Stop Sync

Hello, I am getting an error message in the O365 administration indicating that it has gone 3 days without synchronization. Then, on the server where Azure AD Connect is installed, I cannot open either the application or the sync service; they do not respond. Any idea of the reason? Thank you

Optional Custom Claim in jwt IDToken appearing as Array not String


I have a problem with an extension attribute.

I followed the create example as described here:
    https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

I set the value to a String "JEFF".

I configured the optional claim as described here:
     https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#optional-claims-example

However, in my version I configured the extension attribute under the IDToken, not the SAML section, as that's where I need it.

My value is coming through, so the link works; however, the claim in the ID token is in an array like this:

"extn.MyClaim": ["JEFF"],

As this is defined as a string and configured as a string in the attribute, not an array, it should not come out as an array in the JWT token. I believe it should look like this:

"extn.MyClaim":"JEFF",
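Added example (not from the post or from Microsoft's libraries): a small Python helper that reads the ID token payload and accepts the `extn.MyClaim` claim whether it arrives as the string `"JEFF"` or as the single-element array `["JEFF"]` shown above, and rejects anything else. The token and payload are constructed here; signature verification is assumed to have been done by the OIDC library before any claim is trusted.

```python
import base64
import json
from typing import Optional

# Constructed sample payload (NOT a real token): the extension-attribute
# claim arrives as a single-element array, exactly as described in the post.
SAMPLE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",  # placeholder
    "sub": "user-subject-placeholder",
    "extn.MyClaim": ["JEFF"],
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def build_sample_token(payload: dict) -> str:
    """Assemble a constructed compact JWT for the demo. The signature segment is
    a placeholder; nothing here signs or verifies, this only produces test input."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(payload)}.placeholder-signature"


def payload_from_jwt(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.
    Only use the result after the token's signature, issuer, audience and
    expiry have been validated by your OIDC middleware."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def single_string_claim(claims: dict, name: str) -> Optional[str]:
    """Return claim `name` as one string whether it was issued as "JEFF" or ["JEFF"].
    A multi-valued array or a non-string value is rejected instead of silently
    taking the first element, so an unexpected extra value cannot slip past an
    equality check elsewhere in the authorization logic."""
    value = claims.get(name)
    if value is None:
        return None
    if isinstance(value, str):
        return value
    if isinstance(value, list) and len(value) == 1 and isinstance(value[0], str):
        return value[0]
    raise ValueError(f"claim {name!r} is not a single string: {value!r}")
```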


Help from Azure B2C Logs


We support an app that shows users Power BI Embedded reports. Azure AD B2C is used for authentication. Some user attributes are stored in custom fields, some (to which reports they have access) in the database.

Statistics by individual paid user to include

  • Usage history since registration, or definable period of months or weeks:
    1. No. log ins
    2. Duration of overall sessions
    3. Pages navigated and duration - Help highlight the topics most viewed
    4. Data downloaded
    5. Logged tracking information per session/time period such as IP address, internet provider, and geographical location (is there anything else?)

General usage statistics

  • To be implemented by report (OCTG, LDP etc)
  • Time charts based on chosen time period
    1. Chart showing a number of Log ins for selected time period including option to summarize by hour, day, week, weekday, month, quarter, half-year, year.
    2. Same by companies
    3. Same by geographical location(s)
  • Based on the data obtained from the 3 points above – add an ability to open the list of actual users
  • Average duration of logged in sessions per time period
  • Most downloaded data per time period

What from this list can be seen in Azure using B2C? 

Accidentally deleted AAD


Hi,

I recently changed my personal MS ID, and when I logged on to portal.azure.com to check if all was working with my changed account, I accidentally deleted the Azure AD from one of my 3 Azure subscriptions. Not that big of a problem, but I cannot create a new one. Also, when I log on to the portal, the upper right corner shows that with my new febiunz@outlook.com MS ID I am logged on to the directory febiunzgmail.onmicrosoft.com, which does not exist anymore. Could you help me so that I am able to create a new AAD when needed, and so that I log on to no organisation/directory?

Kind regards, Fabian

AADSTS70001: Application '.....' is not registered for the account.


I am trying to create an ASP.NET web application to add a user to Azure Active Directory (AAD). I have single sign-on working properly. The AD and application are created. When I try to add a new user to the AD via my code-behind, I get AADSTS70001: Application '-------' is not registered for the account.

I am in development, so I am using localhost as the domain. I am using Microsoft.IdentityModel.Clients.ActiveDirectory and AcquireToken. That is where the error happens.

Am I missing a setting somewhere?


Mark Perry

Wrong redirection after delegated permission user consent


Hi,

I originally posted on SO here, so I will be brief and somewhat reword it, because I have understood some things better since yesterday.

I have a registered Azure AD app, with the "Sign in and read user profile" delegated permission granted for both the "Windows Azure Active Directory" and "Microsoft Graph" APIs. Indeed, I have an API entry point that returns the JWT access token, so I guess the "Microsoft Graph" API should be granted too.

The problem lies here: when a new user logs in by calling my API app, he's redirected to microsoftonline.com to log in, but after he acknowledges consent for the app to "sign in and read user profile", the redirection is incorrect. Instead of redirecting to the originally called URL, http://localhost/my-api-entry-point, he gets redirected to the previous URL in the authentication flow, http://localhost/signin-oidc, which displays the following error message:

OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.

How can I remedy this, please? Thank you very much.

Connect to Azure ad using OpenId connect | RemoteCertificateChainErrors


Hi,

I have created a project to connect to Microsoft Azure AD and get the access token to authenticate the user. However, communicating with Azure AD only works if I am monitoring the traffic using Fiddler; otherwise it returns the screen below:

If I turn on Fiddler and try to sign in again, it is successful, but Fiddler pops up with the modal dialog below. If I hit "Yes", it proceeds successfully, redirects to the Microsoft login page, and the user is authenticated.

What does RemoteCertificateChainErrors mean? How do I resolve this issue?

Regards,

Arushi Soni


Query tenant ID in PowerShell

I have created an additional Azure AD in my subscription. How do I retrieve the tenant ID so I can now run automation against that directory using PowerShell?

Corey Hynes

Upgrading Azure AD Connect, enterprise admin error


Hello,

I'm trying to upgrade to Azure AD Connect 1.1.880.0 from 1.1.819.0. When inputting my enterprise admin credentials, it authenticates, but doesn't recognize that the account is part of the Enterprise Admins group, the error being "The provided user is not a member of the Enterprise Admins group".

I've tried adding 3 different users to the Enterprise Admins group, but the AD Connect upgrade won't recognize them as being enterprise admins. Anyone have any ideas?


Two Azure applications with the same external vendor using the same (SAML) authentication?


Hi,

I'm trying to set up two Azure applications for SSO using SAML-based sign-on.

1. is using the sign-on URL, Identifier and Reply URL of:

https://companyname.externaldomain.com

2. is using the sign-on URL, Identifier and Reply URL of:

https://applicationname.companyname.com

The idea, of course, being that we are moving away from exposing the external domain to our staff; we want it to appear more like an internal system.

Both of these have ended up with the same App Federation Metadata URL; I suppose that's natural because it's an application (Freshservice) that exists in the Azure applications gallery when setting it up.

The first one works fine and has worked for years, but the new one gives various error messages when testing the SAML settings:

AADSTS70001: Application with identifier 'http://applicationname.companyname.com' was not found in the directory <string from the App Federation Metadata URL>

If I change the Identifier to HTTP instead of HTTPS (which the resolving errors guide suggests), I instead get this error:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'http://applicationname.companyname.com'.

Changing the Reply URL to HTTP instead of HTTPS isn't allowed, so that's not an option.

Please note that we have a DNS CNAME in place for applicationname.companyname.com to point at the old address: companyname.externaldomain.com.

Any and all suggestions are welcome. Thank you.

Odata + Azure authentication

Does anyone know of a readily available sample/example of an OData service which uses Azure authentication?

i.e. one that requires going through Excel's "Organizational account" authentication.

High Availability for NPS extension servers


It would be great to see additional details on high availability for the NPS extension. Since it is getting popular, many customers have this question in mind before they take it to production. Options like using a load balancer over the NPS servers, or any other recommendations with traffic flow, would be helpful.

As per the article:

The NPS extension automatically handles redundancy, so you don't need a special configuration. You can create as many Azure MFA-enabled NPS servers as you need. If you do install multiple servers, you should use a different client certificate for each one of them. Creating a cert for each server means that you can update each cert individually, and not worry about downtime across all your servers. VPN servers route authentication requests, so they need to be aware of the new Azure MFA-enabled NPS server.

However, in this case, we need to configure a new RADIUS server address with the VPN, along with the secret, in order to keep it working when the other NPS extension server is down (manual process). What is the recommendation for automatic fail-over? Should we use an LB, Traffic Manager or something else? Most VPN solutions will let you define only one IP as the primary RADIUS server and others as secondary; however, if we need multiple NPS servers to be available to serve requests at one time under the primary NPS server (to handle load and redundancy), what solution is recommended?


Azure AD Connect not Syncing


Hi,

I have Azure AD Connect set up for syncing to my Azure Active Directory. For some reason, it stopped working and I can't figure out why. If I look at the Synchronization Service Manager, I can see that AD Sync is running a few times a day and all of the statuses say success. If I look at them individually for both the AD side and the Azure side, they show rows being updated in the Export Statistics. However, when I go to my Azure Portal, all of my old users are there and none of my groups are showing up.

Does anyone know why this might be happening or where I can look to see where an issue might be? My biggest problem is that I don't actually have any errors showing up in the sync manager to start looking at.

Thanks,

Chris

Error installing AAD PowerShell module


I have a Windows 7 64-bit workstation and I am trying to install the AAD PowerShell module.

I have a PowerShell window opened with elevated privileges and I ran the following command: Install-Module -Name AzureAD

I get the following errors. Help!

WARNING: Unable to download from URI 'https://oneget.org/nuget-2.8.5.208.package.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/nugetv2.feed.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/psl.feed.swidtag' to ''.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 
'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ...     $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
 
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to 
see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ...     $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
 
WARNING: Unable to download from URI 'https://oneget.org/nuget-2.8.5.208.package.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/nugetv2.feed.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/psl.feed.swidtag' to ''.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet. Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception
    + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider
 
Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that '2.8.5.201' or newer version of NuGet provider is installed.
At line:1 char:1
+ Install-Module -Name AzureAD
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-Module], InvalidOperationException
    + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module
