Channel: Azure Active Directory forum

Rename Azure subscription


Is it possible to change the URL of an Azure subscription? If so, what is the approach and steps?

Please let me know.


Azure ADConnect Stop Sync

Hello, I am getting an error message in the administration of O365 indicating that it has gone 3 days without synchronization. On the server where Azure AD Connect is installed I cannot open either the application or the sync service; they do not respond. Any idea of the reason? Thank you

Unable to add a second forest in AAD Connect


I have been struggling to add a second forest in AAD Connect, the error that I get is 'the specified domain does not exist or cannot be contacted':



The forest in question is located on a separate, isolated domain controller, and the AAD Connect server is placed in DMZ:

I found the following article stating that they were able to contact the domain by using the FQDN instead of the NetBIOS name: https://blog.kloud.com.au/2015/12/16/azure-ad-connect-the-specified-domain-does-not-exist-or-cannot-be-contacted-when-adding-an-untrusted-ad-forest/
Using the FQDN does not work either - actually it fails even quicker than using the NetBIOS name.

I've tried reinstalling AAD Connect with no success. The domain in question is added in the Office 365 portal.

The domain answers to ping using the FQDN as in the article - but I had to add an entry in the hosts file, because initially the domain did not answer - only the domain controller. However, by forcing this in the hosts file, the AAD Connect server should definitely be able to contact the domain, shouldn't it?

So I suspect there's either an issue with the Domain Controller or with DNS (the DNS role is installed on the DC).

What could be the reason for this, and what should I try to adjust/rectify?
I would deeply appreciate any advice on this matter.

Thanks.

This tenant does not allow email verified users to be added due to an admin-defined policy


Hi,

I've added some external users to my Azure AD - users from another organisation.

When they click on the invitation link, they all receive an error message:

"This tenant does not allow email verified users to be added due to an admin-defined policy."

Any idea how I can fix this?

Thanks

AAD token lifetime

I have a couple of questions regarding Azure AD tokens. Please help me to clarify them:

I referred to this KB article but was not able to get my queries cleared:

https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-configurable-token-lifetimes


1) What is the difference between access tokens and single sign-on session tokens?

2) Where are the access token and refresh token stored? Are the tokens stored in a cookie?

3) What is the default time-out for the MyApps portal? How can it be configured? Would the access token lifetime property apply to the MyApps portal time-out?

4) Will the MyApps portal lifetime policy apply to the application session time-out as well? I am looking to set an org-level session time-out for applications deployed with OIDC in Azure.

Thanks in advance

Alex

Send Custom attributes in SAML token, SSO

We have an Azure AD/Salesforce SSO integration and need to send Azure custom (not extension) attributes to the Salesforce side. The problem is that the Azure application configuration page does not allow entering custom attributes to send in the SAML token. Once entered, Azure adds quotes and sends the attribute names instead of the values. How can custom attribute values be sent in the SAML token? This was possible to configure using the old Azure portal.

Azure AD and Subdomains


Hello,

We'd like to implement Azure AD Connect with password hash synchronization.

AD forest with subdomains:

Domain.local

sub1.domain.local

sub2.domain.local

The domains are not routable -> users in every subdomain have the same mail domain:

Domain.local: company1-example.com

sub1.domain.local: crazycompany2-example.com

sub2.domain.local: coolcompany-example.com

Idea:

- Every user gets a UPN <user>@<routable mail Domain>

- Create one tenant in Azure AD

- Verify every routable mail domain in Office365

- One Server with Azure AD Connect and synchronization to Azure AD (the whole forest with all Sub Domains)

Is this possible? Any improvements?

Best regards

Thomas

Can SSPR be done via PowerShell?

Can SSPR be programmed to reset a user's password if the security questions are configured? If so, I need the snippet of the code to do it. I am aware the admin can reset it, but I am looking more for the user to do it themselves. We are trying to work out a POC for password reset via the Bot Framework. Any ideas on how this can be done? Right now we have an AD environment running in Azure with a few users configured. I would like to validate the questions and answers, reset the password and send it back to the user.


Azure AD Graph API failing with "Insufficient privileges to complete the operation" while assigning applications

Hi,

I am using Azure AD Graph API to manage Azure applications.

When trying to assign an application's appRole to a user using the API https://graph.windows.net/<TenantID>/servicePrincipals/<ServicePrincipalID>/appRoleAssignments?api-version=1.6, it fails with 403 and the response is as below. Even though the API fails, the app role does get assigned to the user.

{
    "odata.error": {
        "code": "Authorization_RequestDenied",
        "message": {
            "lang": "en",
            "value": "Insufficient privileges to complete the operation."
        }
    }
}

The same API works fine with Azure AD Graph Explorer.
The DELETE operation to remove appRoleAssignments works fine without any issues.

Does it need any specific privileges to assign appRole?

Any help on this is appreciated.

Thanks,
Ishwar

Could not retrieve Azure application's logo using Azure AD Graph API

Hi,

I need help in retrieving Azure application's logo using Azure AD Graph API.

I have tried to retrieve the application's details from the following URLs; neither had logo information:

https://graph.windows.net/<TenantID>/applications?api-version=1.6 and 
https://graph.windows.net/<TenantID>/servicePrincipals?$filter=appId eq '<Application's appId>'&api-version=1.6

As per the documentation (https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity), the response should have a mainLogo attribute. But this attribute is never included in the response. I have tried with an external client and also with the Azure AD Graph Explorer, but this attribute is not included in the response.

However, the response includes a logoUrl attribute which is not in the documentation. This attribute has the logo URL only when the application has a custom logo configured. Otherwise, it is always null.

Any suggestions on how to retrieve the application's logo that is seen in Azure portal?

Thanks,
Ishwar

Enforce SSPR registration before allowing login?

Is there a way to force a user to register for SSPR before they can login?

A quick question about Azure B2B (Business to Business)


I saw a post today on LinkedIn saying Azure B2B now accepts Google IDs (e.g. people with a Gmail account).

It said this is achieved via federation (using Google as the identity provider).

As far as I am aware you have been able to do this for a while (or was that because it was in public preview), whereby someone could enter their Gmail account but in the background (after the simple onboarding process was completed) this Gmail account is linked to a placeholder Azure AD account (represented by a GUID).

So in the announcement that Azure AD now accepts Google IDs, is this the case where a preview service is now mainstream? Or is this something new?

As far as I understand federation (please correct me if I am wrong): although your own identity provider together with your own STS (secure token service, which is trusted by the relying party) provides you with a token (signed SAML/JWT) which is then presented to the relying party's STS (which then creates its own token from the information in the token you provided), you still need an instance of an object (user/group etc.) in the relying party's system to check if said instance is allowed access to a resource based on the token (looking at the ACL on the resource and the information in the token). So although the relying party does not need to maintain the user's password to authenticate them (done by the trusted identity provider), an instance of an object still needs to be created/exist on the relying party system to match the token information (e.g. group membership) to the ACL on the actual object being accessed.

Is the above correct?

Thanks very much

CXMelga

Azure B2C AD password reset wording

Hi, we have an Azure portal with yourselves and have a custom B2C AD login, but would like the password reset policy wording (strong) to be displayed to the user:

Minimum 8 characters and maximum 64 characters in length; 3 of 4 character classes - uppercase, lowercase, number, symbol.

Is this possible?

Microsoft Flow Integration

Hi team, I need your help, please.

I'm trying to use Microsoft Flow to get information from Microsoft Bookings.

So what I did was get the token from an HTTP POST connector; the parameters that I use are:

method: POST

Uri: https://login.microsoftonline.com/tenant/oauth2/token

Headers: Content-Type: application/x-www-form-urlencoded

Body: grant_type=client_credentials&client_id=client_id'&client_secret=client_secret&resource=https://graph.microsoft.com/

And I get a token that I map into a new HTTP action; the parameters that I use are:

method: GET

URI: https://graph.microsoft.com/beta/bookingBusinesses/ID/appointments/

Headers: Authorization: Bearer access_token (with no space)

So when I run the flow I receive: Unauthorized.CompactToken parsing failed with error code: 80049217

I'm a global admin user, and I gave every permission.

When I decode the token I see that I have the permissions, as you can see:

{
  "aud": "https://graph.microsoft.com/",
  "iss": "https://sts.windows.net/{value}/",
  "iat": 1535649444,
  "nbf": 1535649444,
  "exp": 1535653344,
  "aio": "{value}",
  "app_displayname": "myflowapp",
  "appid": "{value}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{value}",
  "oid": "{value}",
  "roles": [
    "Group.Read.All",
    "Group.ReadWrite.All",
    "Directory.Read.All"
  ],
  "sub": "{value}",
  "tid": "{value}",
  "uti": "{value}",
  "ver": "1.0"
}

Just for security I changed the values to {value}.

.....

Please could anyone help me? What am I doing wrong?
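The token inspection and header construction from the flow above, as an added example that is not part of the original post: it decodes the JWT claims without verifying the signature, checks that aud matches the resource requested in the token body (exactly, trailing slash included), that the token is inside its nbf/exp window, and that it carries the application roles the call needs, and builds the Authorization header with the single space the bearer scheme requires. The sample token is constructed from the claims quoted in the post with a dummy signature, and the `now` parameter is passed in so the checks are deterministic.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments strip before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj) -> str:  # only used to build the constructed sample token
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def jwt_claims(token: str) -> dict:
    """Parse a compact JWT's payload; the signature is NOT verified, so this
    is a client-side debugging aid, never a server-side trust decision."""
    parts = token.strip().split(".")
    if len(parts) != 3 or "" in parts[:2]:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def check_token(token: str, resource: str, required_roles: set, now: int) -> list:
    """List the reasons Graph would reject or under-authorize this token."""
    try:
        claims = jwt_claims(token)
    except ValueError as exc:  # also catches base64 and JSON decoding errors
        return [f"malformed token: {exc}"]
    problems = []
    if claims.get("aud") != resource:  # audience must match exactly, slash included
        problems.append(f"aud {claims.get('aud')!r} != resource {resource!r}")
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid (nbf)")
    if now >= claims.get("exp", 0):
        problems.append("token expired (exp)")
    missing = required_roles - set(claims.get("roles", []))
    if missing:
        problems.append("missing application roles: " + ", ".join(sorted(missing)))
    return problems

def bearer_header(token: str) -> dict:
    # RFC 6750 bearer scheme: the word Bearer, a single space, then the token.
    return {"Authorization": "Bearer " + token.strip()}

# Constructed sample mirroring the post's claims; the signature is a dummy (never validated).
SAMPLE_CLAIMS = {"aud": "https://graph.microsoft.com/", "iat": 1535649444,
                 "nbf": 1535649444, "exp": 1535653344, "app_displayname": "myflowapp",
                 "roles": ["Group.Read.All", "Group.ReadWrite.All", "Directory.Read.All"]}
SAMPLE_TOKEN = ".".join([b64url_encode({"alg": "RS256", "typ": "JWT"}),
                         b64url_encode(SAMPLE_CLAIMS), "dummy-signature"])
```

Requiring Directory.ReadWrite.All in a check is only an illustration of a role the sample token lacks; substitute whatever application permission the Bookings endpoint you call actually needs.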

Question about metrics/reporting for users who have signed up for secure self-service password reset feature

Hello Experts, we are a small college and recently purchased the Azure AD Premium P1 service to leverage some of the cloud features, including the self-service password reset feature. Is there a way to find statistics or a report on who has signed up for the feature?

Azure AD B2C Msal.js acquireTokenSilent Performance issue


Hi Microsoft Azure Team,

I have a .NET Core 2 solution with 2 projects: 1. SPA, 2. Web API (both will be hosted in Azure Web Apps later).

I am using Azure AD B2C with MSAL.js to log in to the SPA and call the authenticated endpoints in the Web API project.

I would be converting the SPA to a Progressive Web App later. 

As per the documentation, after the user logs in to the SPA, acquireTokenSilent can be used for making subsequent calls to the Authenticated endpoints.

I am able to log in to the SPA, use acquireTokenSilent to get the access token, and call my Web API endpoints in the Web API project.

My problem is that acquireTokenSilent is taking 4 - 5 seconds (from my local development machine, JS is not bundled yet) to get the access token.

I will be testing after deploying these both as Azure Websites (with JS bundled) at a later stage.

Will I face this performance lag after bundling the JS files and deploying in Azure?

Kindly advise on performance improvement, since this is making my app very slow.

Error after running 1-Aug-2018 AD Upgrade

The Azure AD Connect 1-Aug-2018 release fails to upgrade and gives "AD Error 906: Index out of range error". I needed to run this update in order to fix the CPU utilization issue associated with KB4338814 "2018-07 Cumulative Update for Windows Server". Now I can't sync my AD... I can't upload pictures here, either.

The Upgrade Azure Active Directory Connect gives the error: "An error occurred while upgrading from Azure Active Directory Sync. Unable to upgrade the Synchronization Service. Please see the event log for additional details."

The event log has "Event 906, AzureActiveDirectorySyncEngine.  Index was outside the bounds of the array."

When I delete the ADDS and recreate it, I can't log in with my AAD group users

I get an NLA error when I try using my AADDC user, the same user that I used to join the domain. Why can't I log in using my AAD DC group users? What do I have to take care of before deleting the ADDS?

AAD Global Admin User Type is Guest and I cannot do Connect-IPPSSession

Hello,

Following are the example values:

Azure tenant ID: abc.org

Global Admin UPN: admin@abc.onmicrosoft.com

1. Using above Global Admin ID I used to be able to login to Connect-IPPSSession.

2. Then we enabled AAD Connect. Please note that the global admin is a cloud only user.

3. Now I get an auth error while trying to log in to Connect-IPPSSession.

4. I do not remember how admin@abc.onmicrosoft.com was listed before, but now it shows up as user type "Guest" under users on the Azure Portal.

5. I also see a few other cloud-only users with a UPN suffix matching the tenant ID listed as type "Guest", e.g. User.Name@abc.org

I want:

1. How I can enable Connect-IPPSSession for the global admin user ID.

2. All users to be listed as of user type "member".



(Side note: when I create a new cloud-only test user with the Global Administrator role, it shows the user type as "Member" and I can log in using Connect-IPPSSession.)

Thanks,

trywebsitesnowhotmail.onmicrosoft.com directory added to my account and can't be removed.

The Azure Active Directory trywebsitesnowhotmail.onmicrosoft.com was added to my account and I can't manage\remove it. I assume this was from when I used the "try now" button for Azure App Services and it created a time-limited service for me. But that was only supposed to last for 24 hours and this has been here for days now. If I go to the classic portal it doesn't show the directory, but from the new portal it shows in my list of directories. If I switch over to it, it reloads the portal, and if I go to the Azure Active Directory resource it says I do not have permissions to manage this directory. I see no way to remove this from my account. Online I see a few places where people have asked how to manage and remove directories, but all the answers just suggest using the classic portal, and this directory doesn't exist there. There was also one MSDN forum post (https://social.msdn.microsoft.com/Forums/sqlserver/en-US/72738df5-ade7-4c1a-a30d-b61f531e31a1/azure-portal-directories?forum=windowsazurewebsitespreview) where the Microsoft worker seems to have just manually removed it from multiple accounts. Could someone do the same for me, or let me know when this is supposed to be removed from my account?
