Channel: Azure Active Directory forum

Error after running 1-Aug-2018 AD Upgrade


Azure AD Connect 1-Aug-2018 Release Fails to Upgrade & provides "AD Error 906: Index out of range error".  I needed to run this update in order to fix the CPU utilization issue associated with KB4338814 “2018-07 Cumulative Update for Windows Server”.  Now I can't sync my AD...  I can't upload pictures here, either.

The Upgrade Azure Active Directory Connect gives error: "An error occurred while upgrading from Azure Active Directory Sync.  Unable to upgrade the Synchronization Service.  Please see the event log for additional details."

The event log has "Event 906, AzureActiveDirectorySyncEngine.  Index was outside the bounds of the array."


Keep having to reinstall Azure AD Connect every month or so


I installed AD Connect on a brand new instance of Windows Server 2016 Standard and everything worked well for a while and then I started getting an email every day from Microsoft saying "Unhealthy identity synchronization...".

I checked the server and found the service "Microsoft Azure AD Sync" in a stopped state. I tried to start it but when I did, I got an error saying: "Windows could not start the Microsoft Azure AD Sync service on Local Computer. Error 1053: The service did not respond to the start or control request in a timely fashion." I tried rebooting the server, checking the service account it uses and nothing seemed out of the ordinary. The service account's password was set to never expire so it couldn't be this.

I tried all sorts of things but finally resorted to uninstalling AD Connect, having to delete some registry items, then reinstalling. IT WORKS AGAIN! Or at least so I thought.

Anywhere between a week to a month later, it fails again and I'm back to square one. This has happened 4-5 times now. Any ideas what could cause this?

ADSync New Forest w/o Over-writing Existing Forest


So I've inherited an Azure setup from a previous IT team who was totally incompetent (Really, you can't imagine). They setup Azure with one of the corporate domains (let's call it stupid-name.com). Unfortunately, we actually use a different domain for pretty much everything else (reallystupid.com). Even better, the office Active Directory forest is a subdomain (corp.reallystupid.com) of that one.

Currently in Azure: stupid-name.com, with all our users and 4 years of Onedrive data. They did an initial sync to get all the usernames in, but it does NOT sync with the office AD domain, and has not for the last 4 years. Usernames and Passwords are manually managed by me. The usernames directly match the local AD usernames, the passwords do not.

Our email domain (hosted elsewhere): reallystupid.com

Our office AD domain (Onsite Domain Controllers): corp.reallystupid.com

Just to make it even more idiotic, they created the initial Azure account with an @reallystupid.com address, so Azure has reallystupid.onmicrosoft.com while we're using @stupid-name.com to login.

What do I want? To use ADSync to get us using @reallystupid.com for a login with the usernames and passwords from our corp.reallystupid.com. It's vitally important that I do not overwrite the passwords on the stupid-name.com login until I'm ready. I'd like to do the configuration, sync, testing, then flip a switch and have everybody's password suddenly switch to the @reallystupid.com login name and corp.reallystupid.com password.

I should mention that I'm a Unix/Networking guy, but I can do basic-to-moderate Active Directory stuff.

Help? Please? :)

-steve

Azure Web-App Permissions through azure-powershell


Is it possible through azure-powershell to check all the permissions available to an Azure App?

For example, Get-AzureRmRoleDefinition <role_name> fetches all the permissions attached to a role.

In addition, can we add Graph API permissions to custom RBAC roles? If yes, any relevant link would be helpful.

App service not available to tenants


I have three tenants but one app service; it is only available to the tenancy in which it was created, as is my subscription, it seems.

Is this how it's supposed to work? I have a paid subscription and set up a tenant so I could take advantage of a more suitable domain name, but without the ability to create an app service (short of setting up another subscription?) it's of very limited use.

Token from Azure AD does not contain groups claim


I followed this tutorial to get groups claim for authorization

https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims

But when I log in, I get a token without a groups claim.

What I tried:

- Edited the manifest: "groupMembershipClaims": "All"

- Changed "homepage": "https://localhost:4200/"


Hope that you can help
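Added example, not from the post or the linked sample: a small inspector that decodes a token's payload and reports whether the `groups` claim is present, whether Azure AD emitted the group-overage indicators (`hasgroups`, `_claim_names`/`_claim_sources`) in its place, or whether the claim is missing entirely. It does not verify the signature, so it is a diagnostic view only; the tokens it inspects are constructed inline.

```python
import base64
import json

# Claims Azure AD uses around group membership (from the token claims reference):
#   "groups"         - group object IDs, emitted when groupMembershipClaims is set
#   "hasgroups"      - true in implicit-flow tokens when too many groups to embed
#   "_claim_names"   - overage indicator: maps "groups" to an entry in _claim_sources
#   "_claim_sources" - Graph endpoint from which the full group list is read
OVERAGE_KEYS = ("hasgroups", "_claim_names", "_claim_sources")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the decoded payload of a compact JWT. No signature check:
    this shows what the issuer put in the token and must not be used for
    an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_groups(token: str) -> str:
    """Classify why a token may lack a usable groups claim."""
    claims = jwt_payload(token)
    groups = claims.get("groups")
    if isinstance(groups, list) and groups:
        return f"groups claim present ({len(groups)} group ids)"
    if any(k in claims for k in OVERAGE_KEYS):
        return "group overage: group list must be fetched from Microsoft Graph"
    return "no groups claim: check groupMembershipClaims in the app manifest"


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample (alg "none", empty signature) for offline use.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    for sample in ({"aud": "app", "groups": ["11111111-aaaa", "22222222-bbbb"]},
                   {"aud": "app", "_claim_names": {"groups": "src1"},
                    "_claim_sources": {"src1": {"endpoint": "https://graph.example/..."}}},
                   {"aud": "app"}):
        print(diagnose_groups(make_sample_token(sample)))
```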


Azure AD Connect - Auto Upgrade problem


Hi All,

Is there someone who can explain / help with one issue which I am facing, please?

We set up Azure AD Connect around a year ago. Before that DirSync was in use.

There is a general problem with auto-upgrade on Azure AD Connect.

We used Set-ADSyncAutoUpgrade Enabled, which allowed us to change the status from Suspended to Enabled.

For some reason Auto-Upgrade is still not working.

I have noticed that in the configuration we are not using the MSOL account; the old DirSync account is still in use. Could this be the reason we have a problem with auto-upgrade and cannot upgrade Azure AD Connect to the newest version?

Microsoft Azure AD Connect version 1.1.533.0

Waiting for any ideas,

Thanks in advance.

Rename existing domain from xyz.com to ABC.com


Hi,

I am working for XYZ company and they have their Azure subscription, public portal, Office 365, everything on xyz.com.

Now they would like to change xyz.com to ABC.com. Since this is my first time, I don't know the right steps and starting point to complete the needs below. They need their AD also changed from xyz to abc. So can you please share the steps and how much effort is required to complete this task if they have around 100 VMs in their environment? (A few applications are 2-tier, 3-tier applications having SQL as the data layer.)

  • XYZ will be called abc.com
  • All the public facing URLs / endpoints will be updated to abc.com
  • Setting up abc.com domain (internal)
  • Setting up / configuration of O365 SMTP connectivity reflecting abc.com
  • XYZ wants all outbound email to be sent as the abc.com domain
  • Extend Azure DNS, Azure AD for a single forest setup
  • XYZ is interested in streamlining MFA using Azure native services vs Azure AD Connect today
  • abc.com as internal and external domain controllers
  • Capture/perform all changes for the Azure subscription, including domain names and certificates, to reflect abc.com
  • Capture/perform all changes for Azure network connectivity (ExpressRoute, VNET peering)


Please let me know the steps to achieve the above. What are the risks in doing this? I know they have SharePoint servers, Domino-based applications in Azure and also Office 365. So how do we get all this done without breaking and impacting the business?


OAuth app registration client ID and secret updated by MS?


We've recently experienced an odd issue where our users who use Microsoft/Azure AD to sign in via OAuth suddenly have different `sub` claim values. This means we no longer can identify our users when they log in using Microsoft as an identity provider.

For additional context, it also looks like our current app registration shows both a different client ID and client secret than we have had (we hadn't touched any of these configurations in over a year).

Has anyone else experienced this issue or know why this would have happened?

Configure AAD Sync - An error occurred executing Configure AAD Sync task: Object reference not set to an instance of an object.


Hi all,

I recently implemented an Office 365 tenant using Azure and ADFS.

It ran smoothly for about a month but then the AAD connector stopped syncing.

I was advised by someone to uninstall Azure AD Connect and reconfigure.

I attempted to do this, configured Domain/OU filtering for my users and pointed to my existing ADFS server.

When I get to the last stage "Configure", it throws the error that I posted above.

Thanks for your help.


** I'm trying to post a log file but my account has not been verified **

Send Custom attributes in SAML token, SSO

We have an Azure AD / Salesforce SSO integration and need to send Azure custom (not extension) attributes to the Salesforce side. The problem is that the Azure application configuration page does not allow entering custom attributes to send in the SAML token. Once entered, Azure adds quotes and sends the attribute names instead of the values. How do we send custom attribute values in the SAML token? This was possible to configure using the old Azure portal.

permissions


Hello, I have a problem with an application. My admin granted permissions to SecurityEvents, but in Graph Explorer I am unable to call these methods. appID: 493c1ca9-xxxx-xxxx-xxxxx-1eae574b6007. Can you please check? Thank you.

In the permissions for the Graph API, SecurityEvents.Read.All is allowed, but when I try to use it in https://developer.microsoft.com/en-us/graph/graph-explorer# it is still prohibited for anton.xxxxx@xxxxx.com: "Need admin approval. Graph explorer needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it."


Redirect to https


Hi!

I have a microservice with AAD authentication. My service is located on AKS. I have moved it to ASP.NET Core 2.1 and am now using

app.UseHsts();
and
app.UseHttpsRedirection();

Currently when I am log in I can see "redirect_uri=http%3A%2F%2Fmycustomname-ingress.westeurope.cloudapp.azure.com"

And I am a little bit stuck on changing this http to https.

Insufficient privileges to perform certain tasks


Hi,

I am trying to install an application into my customer's Azure tenant. So I'm an external user, listed as an Owner in the subscription. I was able to create a Resource Group and other resources, such as App Services and SQL Servers/Databases, but I can't do the following:

- Create an App Registration

- Validate Custom Domain ownership 

- Access a Key Vault to upload a certificate

The customer receives their Azure services from another company.  When viewing the subscription in the Azure Portal, there's a message at the top:  "This subscription is managed in the Microsoft Partner Center".  I assume that the customer needs to be given more privileges by this partner, but I'm not sure what to do from here.

Note: the customer has verified that non-admins should have permission to create app registrations (under Azure Active Directory - User Settings, the 'App Registrations' setting is 'Yes' (users can register applications), and the 'Administration Portal' setting is 'No' (Restrict access to Azure AD administration portal)).

What is special/different about management via CSP, and how do I get rights to perform the above tasks?

Thanks,

Phil


Upgrading Azure AD Connect, enterprise admin error


Hello,

I'm trying to upgrade to Azure AD Connect 1.1.880.0 from 1.1.819.0. When inputting my enterprise admin credentials, it authenticates, but doesn't recognize that the account is a part of the Enterprise Admins group, the error being "The provided user is not a member of the Enterprise Admins group".

I've tried adding 3 different users to the Enterprise Admins group but the AD Connect upgrade won't recognize them as being enterprise admins. Anyone have any ideas?


B2C - Customize the UI of a user journey with custom policies

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-customize-ui-custom

From the above link, the document says:

Note
For security reasons, the use of JavaScript is currently blocked for customization. To unblock JavaScript, use of a custom domain name for your Azure AD B2C tenant is needed.

We tried this in our AD B2C tenant, which has a custom domain. But while rendering the signup/signin HTML page, the custom JavaScript is removed.

Could you please guide me on how to unblock JavaScript?

OWA via Azure App proxy - SPN - Multiple connectors possible?

Exchange 2016, hybrid joined, however not ready to migrate mailboxes for several months at least.

Prior to then I will be migrating off RSA SecurID to MFA for my 2FA solution and was hoping therefore to publish OWA using Azure Application Proxy with AAD authentication and MFA.

Central to publishing OWA and getting KCD working appears to be setting the SPN for the internal OWA on the computer account hosting the AAP connector, e.g. setspn -s http/owa.domain.local ConnectorComputer

But of course we can't have two identical SPNs ... right? ... so I'm therefore limited to one connector for this Enterprise app, e.g. I can't:
setspn -s http/owa.domain.local ConnectorComputer1
setspn -s http/owa.domain.local ConnectorComputer2

Am I right?

How do people build resilience into publishing this way, or is there a better way to do this?

The only solution I can think of is to publish two Enterprise apps, a primary and a backup.

Hope the above makes sense?

Thanks,

Aengus


Office 365 Authentication


Hi

I am trying to figure out how users are authenticating in Office 365. In the configuration of the AD Connect tool, only the password hash synchronization option is ticked as shown below.

We do have two ADFS servers, and I was hoping to remove these by enabling pass-through authentication.

How would I go about changing from ADFS, if this is what we are using now, to pass-through SSO? If we were using ADFS, wouldn't the ADFS option below be ticked?

Thanks

Shane

A quick question about Azure B2B (Business to Business)


I saw a post today on LinkedIn saying Azure B2B now accepts Google IDs (e.g. people with a Gmail account).

It said this is achieved via federation (using Google as the identity provider).

As far as I am aware you have been able to do this for a while (or was that because it was in public preview?), whereby someone could enter their Gmail account but in the background (after the simple onboarding process was completed) this Gmail account is linked to a placeholder Azure AD account (represented by a GUID).

So in the announcement that Azure AD now accepts Google IDs, is this the case where a preview service is now mainstream? Or is this something new?

As far as I understand federation (please correct me if I am wrong), although your own identity provider together with your own STS (secure token service, which is trusted by the relying party) provides you with a token (signed SAML/JWT) which is then presented to the relying party's STS (which then creates its own token from the information in the token you provided), you still need an instance of an object (user/group etc.) in the relying party's system to check if said instance is allowed access to a resource based on the token (looking at the ACL on the resource and the information in the token). So although the relying party does not need to maintain the user's password to authenticate them (done by the trusted identity provider), an instance of an object still needs to be created/exist on the relying party system (to match the token information, e.g. group membership) to the ACL on the actual object being accessed.

Is the above correct?

Thanks very much

CXMelga

Delegate permissions in Azure AD


Hello,

we will sync a forest with Azure AD Sync to use password hash synchronization.

One root domain with two sub domains.

We'd like to delegate permission to AD objects:

Administrator 1 -> delegated permissions to objects in Azure AD from sub domain 1

Administrator 2 -> delegated permissions to objects in Azure AD from sub domain 2

Is this possible?

What licenses do we need? I read about Azure AD Basic for all objects and Azure AD Premium for the administrators?

Thank you

Thomas

