
Azure AD and Subdomains


Hello,

We'd like to implement Azure AD Connect with password hash synchronization.

AD forest with subdomains:

Domain.local

sub1.domain.local

sub2.domain.local

Domains are not routable -> users in every subdomain have the same mail domain:

Domain.local: company1-example.com

sub1.domain.local: crazycompany2-example.com

sub2.domain.local: coolcompany-example.com

Idea:

- Every user gets a UPN <user>@<routable mail Domain>

- Create one tenant in Azure AD

- Verify every routable mail domain in Office365

- One Server with Azure AD Connect and synchronization to Azure AD (the whole forest with all Sub Domains)

Is this possible? Any improvements?

Best regards

Thomas


Wrong redirection after delegated permission user consent


Hi,

I originally posted on SO here, so I will be brief and somewhat reword it, because I have understood some things better since yesterday.

I have a registered Azure AD app, with the "Sign in and read user profile" delegated permission granted for both the "Windows Azure Active Directory" and "Microsoft Graph" APIs. Indeed, I have an API entry point that returns the JWT access token, so I guess the "Microsoft Graph" API should be granted too.

The problem lies here: when a new user logs in by calling my API app, he's redirected to microsoftonline.com to log in, but after he acknowledges consent for the app to "sign in and read user profile", the redirection is incorrect. Instead of redirecting to the originally called URL, http://localhost/my-api-entry-point, it gets redirected to the previous URL in the authentication flow, http://localhost/signin-oidc, which displays the following error message:

OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.

How can I remedy this, please? Thank you very much.

Azure ZD

Username stuck as .onmicrosoft.com - primary email is OK


I have a Windows 2012 domain using Azure AD Connect to sync my users to Azure AD (where we have Exchange Online). 


I'm in the process of enabling Multi Factor Authentication for all our users. I enabled a couple users first to test the process. One worked fine. The second user however, was having trouble logging in. I can see in his account that his username has changed from fn@<domainname>.com to fn@<domainname>.onmicrosoft.com. But his primary email address is still fn@<domainname>.com. 


When I login to Azure, I cannot change the domain used for the username (it's greyed out). In my on premise AD, his primary email is set to fn@<domainname>.com, and in proxyAddresses there is SMTP:fn@<domainname>.com 

Why did the username domain change? And how can I change it back? 

Azure AD Connect not Syncing


Hi,

I have Azure AD Connect set up for syncing to my Azure Active Directory. For some reason, it stopped working and I can't figure out why. If I look at the Synchronization Service Manager, I can see that AD Sync is running a few times a day and all of the statuses say success. If I look at them individually for both the AD side and the Azure side, they show rows being updated in the Export Statistics. However, when I go to my Azure Portal all of my old users are there and none of my groups are showing up.

Does anyone know why this might be happening or where I can look to see where an issue might be? My biggest problem is that I don't actually have any errors showing up in the sync manager to start looking at.

Thanks,

Chris

Accidentally deleted AAD


Hi,

I recently changed my personal MS ID, and when I logged on to portal.azure.com to check if all was working with my changed account, I accidentally deleted the Azure AD from one of my 3 Azure subscriptions. Not that big of a problem, but I cannot create a new one. Also, when I log on to the portal, the upper right corner shows that with my new febiunz@outlook.com MS ID I am logged on to the directory febiunzgmail.onmicrosoft.com, which does not exist anymore. Could you help me so that I am able to create a new AAD when needed, and so that I log on to no organisation/directory?

Kind regards, Fabian

trywebsitesnowhotmail.onmicrosoft.com directory added to my account and can't be removed.


The Azure Active Directory trywebsitesnowhotmail.onmicrosoft.com was added to my account and I can't manage\remove it. I assume this was from when I used the "try now" button for Azure App Services and it created a time-limited service for me. But that was only supposed to last for 24 hours and this has been here for days now. If I go to the classic portal it doesn't show the directory, but in the new portal it shows in my list of directories. If I switch over to it, it reloads the portal, and if I go to the Azure Active Directory resource it says I do not have permissions to manage this directory. I see no way to remove this from my account. Online I see a few places where people have asked how to manage and remove directories, but all the answers just suggest using the classic portal, and this directory doesn't exist there. There was also one MSDN forum post (https://social.msdn.microsoft.com/Forums/sqlserver/en-US/72738df5-ade7-4c1a-a30d-b61f531e31a1/azure-portal-directories?forum=windowsazurewebsitespreview) where the Microsoft worker seems to have just manually removed it from multiple accounts. Could someone do the same for me, or let me know when this is supposed to be removed from my account?

AAD Global Admin User Type is Guest and I cannot do Connect-IPPSSession

Hello,

Following are the example values:

Azure tenant ID : abc.org

Global Admin UPN : admin@abc.onmicrosoft.com

1. Using above Global Admin ID I used to be able to login to Connect-IPPSSession.

2. Then we enabled AAD Connect. Please note that the global admin is a cloud only user.

3. Now I get auth error while trying to login to Connect-IPPSSession.

4. I do not remember how admin@abc.onmicrosoft.com was listed before, but now it shows up as user type "Guest" under users on the Azure Portal.

5. Also, I see a few other cloud-only users with a UPN suffix matching the tenant ID listed as type "Guest", e.g. User.Name@abc.org

I want:

1. How I can enable Connect-IPPSSession for the global admin user ID.

2. All users to be listed as of user type "member".



(Side note: When I create a new cloud-only test user with the Global Administrator role, it shows the user type as "Member" and I can log in using Connect-IPPSSession.)

Thanks,

Guest users cannot accept invite


Hi all, 

I am trying to invite users from user@xxxxx.net to my Azure AD as a guest. 

The email invite goes out as usual, but when they click the 'Get Started' button they simply get:

Invitation redemption failed

An error has occurred. Please retry again shortly.

This was working a little while ago; the error message does not give any real reason as to why. I'm not sure where to even check on this one. I can't find any log that covers redemption failures (any pointers here would be good).


Edit: Checked the domain invite restrictions and they are set to allow any. 

Edit2: The Direct link produces the same error. 

Update DomainDNSName, NetBIOSName & onPremisesSamAccountName without using AAD Connect


Hi,

We use Okta for synchronizing accounts to Azure AD.

We plan to use AAD Join for our Windows 10 devices; it works well with AAD Connect (as AAD Connect synchronizes the attributes DomainDNSName, NetBIOS name & onPremisesSamAccountName).

Okta could not update these attributes, so I want to find a way to update the attributes (by using PowerShell or the Graph API?).

I would also like to know if there is any possibility to sync the msDS-KeyCredentialLink attribute to on-premises without using AAD Connect, so that I can use Windows Hello.


Group management via AzureAD


Hi,

I recently synced our Active Directory security groups into the AAD, but I found the following issues:

1. Only the groups are synced; the members of the groups are not synced.

2. Nested groups are not synced either.

I didn't see anywhere that mentions that the group members won't be synced, or maybe I missed it.

Can someone help me, or point me to the documentation where I can find the answer, please?

Thank you.

Error installing/configuring AAD Connect for Federation services

Element 'ma-run-data' was not found. Line 1, position 2.
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: Element 'ma-run-data' was not found. Line 1, position 2. ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: Element 'ma-run-data' was not found. Line 1, position 2.
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateEmptyRunProfile(RunProfile runProfile)
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateRunProfile(RunProfile runProfile)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRunProfileCmdlet.ProcessRecord()

Device Registration failed


I have installed AAD Connect and created a GPO to enable automatic registration of Windows 10 machines.

But automatic registration always fails with the errors below.

Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0x801c0002. Server error: empty. Debug Output:\r\n joinMode: Join
drsInstance: azure
registrationType: sync
tenantType: managed
tenantId: fd95fe1a-1798-4386-b8b9-882505eccaff
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog: undefined
adalLog: undefined
adalResponseCode: 0x0
.

Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0x801c0002. Server error: . Debug Output:\r\n Managed.

The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c0002. 
Activity Id: fa3539e1-e195-4cf5-b1e2-5f36ec2d13dc 
The server returned HTTP status: 400 
Server response was: {"ErrorType":"AuthenticationError","Message":"The provided client identity data is not valid: (S-1-5-21-1023253932-726605409-1206319596-1107.2017-03-10 18:15:22Z).","TraceId":"fa3539e1-e195-4cf5-b1e2-5f36ec2d13dc","Time":"03-10-2017 14:29:05Z"}

And when I try to join the machine manually I get the error below.

This Device is joined to Azure AD, however, the user did not sign-in with an Azure AD account. Microsoft Passport provisioning will not be enabled. User: 

Configure AAD Sync - An error occurred executing Configure AAD Sync task: Object reference not set to an instance of an object.


Hi all,

I recently implemented an Office 365 tenant using Azure and ADFS.

It ran smoothly for about a month, but then the AAD connector stopped syncing.

I was advised by someone to uninstall Azure AD Connect and reconfigure.

I attempted to do this, configured Domain/OU filtering for my users and pointed to my existing ADFS server.

When I get to the last stage "Configure", it throws the error that I posted above.

Thanks for your help.

** I'm trying to post a log file but my account has not been verified **

EDIT:

Azure support assisted me with the problem.

Turns out I needed to edit the machine.config file and add proxy details:

Solution:

Kindly add the script below to the machine.config file under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\

Script:

++++++

<system.net>
    <defaultProxy>
        <proxy
            usesystemdefault="true"
            proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
            bypassonlocal="true"
        />
    </defaultProxy>
</system.net>

++++++

This was a strange solution, as we had this set up and working for a number of weeks without this config and we hadn't changed anything in that time.

Anyway, that resolved our issue so I won't argue.

Thanks to Jiwei Ma @ Microsoft for the support, very helpful!

Mapping claims with Azure AD B2C Custom Identity Provider (OpenID Connect)

Although I've set all the claim mappings correctly so they match those issued by our Identity Server 3, we don't seem to get those values on the Azure AD side. Name and email are claims which can be used as an example. And what is weird is that this happens only with the Custom Identity Provider (OpenID Connect), while for example the built-in Facebook Identity Provider works well and takes those claims received from the IdP. Has anyone ever made this work?

Additionally, I have also tried to achieve this through custom policies, as it was suggested to me as the only possible way this could be solved. Now I'm facing another problem: simply connecting AAD B2C to Identity Server 3 using custom policies. Here is my TechnicalProfile definition from TrustFrameworkExtension.xml:

<TechnicalProfile Id="IdentityServerProfile">
  <DisplayName>IdentityServer</DisplayName>
  <Description>Login with your IdentityServer account</Description>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="METADATA">https://{identity_server_hostname}/identity/.well-known/openid-configuration</Item>
    <Item Key="ProviderName">https://{identity_server_hostname}/identity</Item>
    <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
    <Item Key="IdTokenAudience">00000000-0000-0000-0000-000000000000</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">openid profile customScope</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="AccessTokenResponseFormat">json</Item>
    <Item Key="HttpBinding">POST</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_IdentityServerAppSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="IdentityServer" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>

Basically, after authentication on the IdentityServer side, I get redirected back to my web page which initiated the sign-in, and then I get this error: AADB2C: An exception has occurred. Correlation ID: 6797f691-4adb-4963-ad12-f31add3e1919 Timestamp: 2018-08-23 08:42:54Z

While analyzing the log on AAD B2C for the given correlation ID, I didn't find anything useful that would lead me to a possible solution.

Any help would be much appreciated!


We need to migrate 5-7 ADs to 1, and are thinking about having that run on AAD only, with no DC on-prem


We use AAD Connect now, but the plan is to migrate 5-7 different ADs to one new one. And the main question for that: can we just use AAD plan 1 or 2, or must we still have Domain Controllers on-prem? It would be nice not to have to :)

We also need the ability to connect on-prem Server 2016 directly to AAD, and later on also other services such as Atlassian, firewalls, APs, things for which we want to use AAD as a directory server.

Thanks, have a great day

ADAL AcquireToken with ClientCredential fails with invalid_client (ACS50012)


My Azure AD "web application" won't allow me to get an auth token using ADAL's AuthenticationContext.AcquireToken method with ClientCredential.

I am trying to use Microsoft.IdentityModel.Clients.ActiveDirectory version 1.0.3 (from NuGet).

(I can't use the overload that prompts the user to login because I'm writing a service, not an app.)

I configured my Azure AD web application as described in various tutorials/samples (e.g. [ADAL - Server to Server Authentication](http://code.msdn.microsoft.com/windowsazure/AAL-Server-to-Server-9aafccc1)).

My code looks like:

    AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/thommmondago.onmicrosoft.com");
    ClientCredential cc = new ClientCredential("41151135-61b8-40f4-aff7-8627e9eaf853", clientSecretKey);
    AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);


The `AcquireToken` line throws an exception:

    sts_token_request_failed: Token request to security token service failed.  Check InnerException for more details

The inner exception is a WebException, and the response received looks like an OAuth error:

    { "error":"invalid_client",
     "error_description":"ACS50012: Authentication failed.",
     "error_codes":[50012],
     "timestamp":"2014-03-17 12:26:19Z",
     "trace_id":"a4ee6702-e07b-40f7-8248-589e49e96a8d",
     "correlation_id":"b304af2e-2748-4067-99d0-2d7e55b121cd" }

Bypassing ADAL and using curl against the OAuth endpoint also gives the same error.

My code works if I use the details of the Azure application that I found [here](https://github.com/MSOpenTech/AzureAD-Node-Sample/wiki/Windows-Azure-Active-Directory-Graph-API-Access-Using-OAuth-2.0):

    AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/graphDir1.onmicrosoft.com");
    ClientCredential cc = new ClientCredential("b3b1fc59-84b8-4400-a715-ea8a7e40f4fe", "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=");
    AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);


So it's not an error with my code. I think it's either an error with my Azure AD, or I've got the ClientCredential parameters wrong.

Someone on Stack Overflow has the same issue and no answer: http://stackoverflow.com/questions/21797154/azure-active-directory-webapi-server-to-server?rq=1

Can anyone replicate creating a new Azure account, adding a web application to the Default Directory Azure AD, and authenticating with it using ADAL and ClientCredential?
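The post above isolates the failure by bypassing ADAL and sending the client-credentials grant to the OAuth endpoint directly. The following is an added example of that reproduction step, not the poster's code: it builds the raw OAuth2 client_credentials request for the Azure AD v1 token endpoint (https://login.windows.net/{tenant}/oauth2/token) and parses the reply into the OAuth error, the ACS/AADSTS error codes and the correlation id, so the result can be compared with what ADAL reports. The tenant, client id and secret are placeholders you supply; the sample error body is the one quoted in the post.

```python
"""Raw client-credentials token request against the Azure AD v1 OAuth2 endpoint.
Added example (not the poster's code). Tenant/client id/secret are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.windows.net/{tenant}/oauth2/token"


def build_token_request(tenant, client_id, client_secret, resource):
    """Return (url, form-encoded body) for an OAuth2 client_credentials grant.
    'resource' is the v1-endpoint audience, e.g. https://graph.windows.net as in the post."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return url, body


def parse_token_response(status, payload):
    """Classify the token endpoint reply. On failure, surface the OAuth 'error',
    the numeric error_codes (50012 == ACS50012 in the post) and the correlation_id,
    which is what Microsoft support asks for when tracing a failed request."""
    data = json.loads(payload)
    if status == 200 and "access_token" in data:
        return {"ok": True, "token_type": data.get("token_type"), "resource": data.get("resource")}
    return {
        "ok": False,
        "error": data.get("error"),
        "error_codes": list(data.get("error_codes", [])),
        "description": data.get("error_description", ""),
        "correlation_id": data.get("correlation_id"),
    }


def request_token(tenant, client_id, client_secret, resource):
    """Send the request over the network; HTTP 4xx is parsed rather than raised."""
    url, body = build_token_request(tenant, client_id, client_secret, resource)
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return parse_token_response(exc.code, exc.read())


# Constructed sample: the error body quoted in the post (no network needed).
SAMPLE_ERROR = b"""{ "error":"invalid_client",
 "error_description":"ACS50012: Authentication failed.",
 "error_codes":[50012],
 "timestamp":"2014-03-17 12:26:19Z",
 "trace_id":"a4ee6702-e07b-40f7-8248-589e49e96a8d",
 "correlation_id":"b304af2e-2748-4067-99d0-2d7e55b121cd" }"""

if __name__ == "__main__":
    print(parse_token_response(400, SAMPLE_ERROR))
```

Run `request_token("<tenant>.onmicrosoft.com", "<client-id>", "<client-secret>", "https://graph.windows.net")` with real values to repeat the poster's curl check; a result with `error_codes` containing 50012 reproduces the post's failure outside ADAL.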

Azure AD Connect - Update AD FS SSL certificate missing

We are running version 1.1.819.0 (test and prod environments) and we have the same issue. The "Update AD FS SSL certificate" task is missing. I also noticed that "Repair AAD and ADFS Trust" is missing from the list of additional tasks.

Unable to Register Device - When setting up Outlook 365


I have a machine that had the motherboard changed, and I am in the process of setting up Microsoft Outlook 365 (it was working before the repair). It picks up the username and I enter the password, then it asks if I want to "Allow my organization to manage my device", and it is checked just like on every other machine I have set up. I click the "YES" button at the bottom and it churns for a while, then comes back asking for the password again. I enter it and it takes off, then comes back and says "Something Went Wrong" "We weren't able to register your device and add your account to Windows"...

NOTE: our email provider is Comcast Business, so what we do in Azure is limited; in fact this is the first time I have even looked around in it, as we have never had this issue before. The question is, why will this machine not join when all the others seem to join just fine?????


Can I join an on premises Windows server 2016 to Azure AD


I don't want to create a VM in Azure AD.

I don't want to configure automatic domain registration in Group Policy.

I simply want to join a Server 2016 VM that I have at my office to Azure AD, in the same manner that I register Windows 10 devices.

Is this possible?
