
SSO and List of Marketplace Apps

Hi All,

Our organisation has an O365 tenant, federated to Azure with on-premises AD servers using AD Connect.

All users authenticate using Azure as their first point.

We have a bookings application that we have purchased; currently you have to log in to the application using a username/password specific to the application.

We want this application to use SSO on Azure. My queries:

1. How can I find out if this application is on the Azure app list?

2. If the app is in the Azure list, what are the steps to get this application to SSO on Azure?

3. What if this application is not on the list?

Regards

ian



Question about Azure AD self service password reset feature


Hello Experts, we are a small college and recently purchased the Azure P1 Premium service so we can use some of the cloud features, specifically the self-service password reset feature for students. The trouble is that our helpdesk team has to spend a lot of time walking the students through the enrollment process to add their email and/or phone number, and I was wondering if it is possible to pre-authorize a student's phone number/email, either when their account is added/synced from our on-premises AD or by using a script or another feature in the Azure portal?

How to handle 401 error when using Azure App Authentication


Hi!

I'm using Azure App Authentication with Azure Active Directory as the provider. I have it set to Allow Anonymous Requests and the site pushes the user to /.auth/login/aad when authentication is required. This works flawlessly UNLESS the user has a valid Microsoft login but is not assigned to my AD App (basically authenticated but not authorized). In that case they land at /.auth/login/aad/callback and get the ugly text message below:

{"code":401,"message":"An error of type 'access_denied' occurred during the login process: 'AADSTS50105: The signed in user is not assigned to a role for the application '18b35087-4aa1-453d-8770-89e52942ce59'.\u000d\u000aTrace ID: e690c46c-f61c-49ca-8ba8-9bed3e2b2800\u000d\u000aCorrelation ID: 23160c20-d9cf-4f0e-8678-57cbbcb3a5db\u000d\u000aTimestamp: 2018-08-16 17:27:22Z'"}

So my question is, how do I prevent this ugly message? I do set post_login_redirect_uri when calling /.auth/login/aad to tell the provider where to return the user once authenticated. Shouldn't it return them there? Or is there another parameter I can set to tell the provider where to return a user who isn't authorized?

I know I could set User Assignment Required in the AD App settings to No and then everyone would just get passed on through and then my code could do the authorization... but I like the security of AD doing it. I just want more control over what happens if authorization fails.

- Ron

Azure AD Connect. First time and I am nervous. Someone please confirm my steps.


Hello Everyone,

Tomorrow, 8/31, I will be running AD Connect for the first time for the company I work for. I am the only tech, so it's all on me.

It's a single-tree domain, so I will be running Express settings.

I have finished the prerequisites except for IDFix, which I am planning to run on 8/31.

After I run IDFix > AD Connect express settings > everything should be connected.

Here are my questions:

1.) If they are connected to Azure and the domain changes from .local to .com, will everyone lose their desktop profiles? Or only the people who have redirected profiles from the server? I am hoping that AT THE LEAST the desktop profiles on the local machines will stay the same regardless of the domain change from .local to .com. Someone, please confirm this for me. I am nervous about this, especially my CEO's desktop profile.

2.) After the successful connection between the local server and Azure AD, if I pull the network cable from the server, everyone will still be okay since they are now connected to Azure AD over the local server. Correct?

3.) Will there be any critical complications, like the internet going down or firewall issues, because I pull the server? I know it will not, but I want to cover any possible mess I could run into.

I hope someone answers me soon. I am a bit scared. Thank you EVERYONE!

Kurtis J. 


Can't save manifest with optionalClaims on App Registration Portal


Hi,

I'm using OpenID Connect with Azure AD. I have an app on apps.dev.microsoft.com and things are working. Now I'm trying to add the verified_primary_email optional claim. Usually "upn" is the user's e-mail address, but sometimes it's not, for customers with various ADFS setups, so I'm trying to get the email attribute.

When I edit the manifest, add an "optionalClaims" property to the body, and save, I get an error message:

The request body contains unexpected characters/content for the specified content type and encoding.

Here's the block I'm trying to add to the manifest:

"optionalClaims": {
    "idToken": [
        {"name": "given_name", "essential": false},
        {"name": "family_name", "essential": false},
        {"name": "verified_primary_email", "essential": false}
    ]
}

I've also tried simpler variations. For example, this no-op block gives the same error message:

"optionalClaims": {}

This one gives a slightly different error ("One or more property values specified are invalid"):

"optionalClaims": null

Can I get a hint as to how to add optionalClaims to the manifest?

Mike

Sending immutable-id as a SAML claim


I'm trying to send the user's immutable-id as a SAML claim to our application. Is this possible?

I can see the Azure AD GUID coming through as a claim, but it's the on-premises AD GUID I require, and I was hoping to derive this from the immutable-id. Alternatively, if I could just send through the on-premises AD GUID, that would also work.

Thanks!
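The relationship the post is relying on, as an added example that is not part of the original thread: with the default Azure AD Connect sourceAnchor, the ImmutableId is the base64 encoding of the on-premises objectGUID's 16 bytes (in .NET Guid.ToByteArray() order), so a relying party that receives it as a claim can recover the GUID, and can detect tenants that use a non-GUID anchor. The claim name IMMUTABLE_ID_CLAIM and the sample assertion are constructed for this example.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed claim name for this example: use whatever name the application's
# attribute mapping gives the immutable ID.
IMMUTABLE_ID_CLAIM = "http://example.com/claims/immutableid"


def guid_to_immutable_id(guid: str) -> str:
    """Encode an on-premises objectGUID the way the default Azure AD Connect
    sourceAnchor does: base64 of the 16 GUID bytes in .NET Guid.ToByteArray()
    order (first three fields little-endian), which is uuid's bytes_le."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> Optional[str]:
    """Recover the on-premises objectGUID from an ImmutableId value.
    Returns None when the value is not base64 or does not decode to 16 bytes,
    i.e. the tenant uses a non-GUID sourceAnchor such as employeeID."""
    try:
        raw = base64.b64decode(immutable_id, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != 16:
        return None
    return str(uuid.UUID(bytes_le=raw))


def immutable_id_from_assertion(assertion_xml: str) -> Optional[str]:
    """Return the first IMMUTABLE_ID_CLAIM value in a SAML 2.0 assertion.
    Assumes the assertion's signature has already been validated."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == IMMUTABLE_ID_CLAIM:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


# Constructed sample, not a real token: the immutable ID claim encodes the
# on-premises objectGUID 12345678-1234-5678-9abc-def012345678.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://example.com/claims/immutableid">
      <saml:AttributeValue>eFY0EjQSeFaavN7wEjRWeA==</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    claim = immutable_id_from_assertion(SAMPLE_ASSERTION)
    print("ImmutableId:", claim, "-> objectGUID:", immutable_id_to_guid(claim))
```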

Azure AD Connect syncing devices


Hi

Is Azure AD Connect supposed to also sync devices (Win10 laptops) to Azure AD, or do I need to manually join these devices to AAD?

Allow domains at Group level in Azure AD B2B


Hi All,

We are using the Azure AD B2B collaboration feature by sending guest invites to external partners. For this, we have only allowed 2 domains, for example xyz.com and abc.com for partners xyz and abc (screenshot attached). We have created 2 groups, one for the XYZ partner and the other for the ABC partner, and assigned a group owner to each group. Now they are able to send invites to their teams using the Access Panel (myapps.microsoft.com).

Problem: the group owners of the XYZ partner are able to send invites to abc.com and vice versa. We want to restrict the XYZ group owner to only send invites to xyz.com, not to abc.com. Please let us know how we can configure these allowed-domain settings at group level. We are using the Access Panel because we only want group owners to see the members of their own team, and we have blocked their access to the Azure portal.

We also tried a dynamic group type, but with this the group owner would not be able to add users to this group from the Access Panel; it says 'This group has dedicated users'.

Thanks in advance

ankur.a.gupta@capgemini.com

Ankur Gupta



Azure - Web Application with MultiTenant SaaS model


Hi,

We have created an asp.net C# web application (not using MVC) and hosted it in the Azure environment. This is working fine.

Now we have tried to achieve the below in Azure:

1) We will host the asp.net C# web application (not an MVC application) in Azure.

2) Provision access to the web application for multiple AD users (i.e. a multitenant model).

3) Each tenant will have a separate database and file storage in Azure.

We are trying to achieve the above multitenant concept in SaaS. When we Google the multitenant concepts, we get MVC application samples, but we need to achieve this for a normal asp.net C# web application. We need to know how we can separate the tenants, how we can manage the separate databases for each tenant, and how to achieve the above solution.

Kindly provide sample applications (asp.net C# applications) to achieve the multitenant SaaS model (we expect non-MVC sample applications).

Kindly help us on this.


Nandhakumar R

Adding custom header in response send by azure app proxy


I have created an Enterprise Application in Azure AD, and in the settings of this application I have selected Integrated Windows Auth (IWA) for the Single sign-on option. I have configured the app proxy with pre-authentication set to AAD, and the internal URL is my Java-based web application URL.
On the other side the AAD connector is installed with federation to ADFS.
Now the flow is: when I hit the User access URL (the URL for the enterprise application) it challenges for domain verification, and after successful verification it redirects to my on-premises AD. After successful authentication to ADFS it redirects to the app proxy, and the app proxy redirects me to my web application.

Now the response sent by my on-premises AD to the app proxy is SAML, but what the app proxy redirects to my web application is not SAML.

But I receive headers, mainly authorizationNegotiate.

My question is: how can I identify the user, e.g. the UPN?
If authorizationNegotiate contains all the data I need to identify the user, how can I decode it using Java? Is there a standard lib?

Or

Is it possible to send a custom header in the response sent by the app proxy?

Thanks in advance.

AD Connect not writing back passwords

I'm testing Azure AD Connect on a small "test" domain before I proceed with a full sync of our domain. Unfortunately, I'm having some problems. Before I get to the problems, here's my test setup:
  • The name of the domain is NOT the same as the Azure domain, but an added UPN suffix IS.
  • I've set up AD Connect to sync only a single OU (for testing).
  • The OU contains a single User with a manually specified email.
  • The same user was created manually in Azure prior to starting the sync process. The Azure user was given an email licence, and an email address.
  • Azure AD connect was set up with pretty basic settings. Password write-back was enabled as part of those settings. The system is set up to only sync that single OU specified earlier.

It appears that changing the test user's password in my local AD (and waiting for a sync) does update the password in Azure. However, the operation appears to be one-way, despite password write-back being enabled. Logged in as the test user I can request a password change without any issues (AND this new password starts to work for online logins), however this is never replicated in my local AD (old password works, new password doesn't).

There's an event log that happens at the same time the password is changed, but it doesn't really get me anywhere.

TrackingId: 5a76d0fc-3248-42b6-9a7a-cf8265766f38, HeartBeat for Namespace: ssprdedicatedsbprodscu, Endpoint: 3333b860-8fed-4146-aaeb-682401d60e10_2f466786-5627-462d-bcf7-ffc4bf83e8a0, Details: Version: 5.0.0.1541

I also tried to use the AD Connect troubleshooting portal, but that detected no faults.

Any idea how to proceed with debugging / fixing this?

PS. Also, if I stop the synchronization, is there a way to re-enable normal user management of accounts in Azure? I'm basically wondering if setting up AD Connect is reversible, or if it's all a one-way operation.

Azure AD Connect - Errors enabling SSO


I am in the process of enabling Seamless SSO via Azure AD Connect. AD Connect was already set up and functioning, but without SSO functionality enabled. I have followed the Quick Start guide, but have been halted by an unknown error.

I can't post links apparently, so 'Bing' Azure AD Connect Quick Start for the documentation link.

The AD Connect client is the latest and greatest, 1.1.880.0. When following Step 2 (enable the feature), I'm immediately given an error after checking 'Enable single sign on' > Next. The wizard throws the error "Cannot retrieve single sign-on status."

I ran through all the troubleshooting guides and haven't found a similar scenario or an explanation for the error. I've now decided to bypass the AD Connect client and complete this through PS. Again, more errors without much explanation.

When running Get-AzureADSSOStatus, I get no status returned. This I'm guessing is expected, as SSO has not been enabled yet. I then run 'Enable-AzureADSSOForest' with some success... until it deletes the newly created AZUREADSSOACCT object and throws an error.

PS C:\Windows\system32> Enable-AzureADSSOForest -OnPremCredentials $creds -ParentDN "DC=mydomain,DC=com"
[07:20:25.271] [  9] [INFORMATIONAL] CreateComputerAccount: Making sure 'DC=mydomain,DC=com' exists...
[07:20:25.286] [  9] [INFORMATIONAL] No conflicts found for the reserved SPNs and computer account display name.
[07:20:25.286] [  9] [INFORMATIONAL] Creating computer account in DC=mydomain,DC=com (mydomain.com)...
[07:20:25.818] [  9] [INFORMATIONAL] Setting password for computer account with DN 'CN=AZUREADSSOACC,DC=mydomain,DC=com'...
[07:20:25.880] [  9] [INFORMATIONAL] Successfully created computer account with DN 'CN=AZUREADSSOACC,DC= mydomain,DC=com'.
[07:20:26.021] [  9] [INFORMATIONAL] DeleteComputerAccount: Locating SSO computer account with name 'AZUREADSSOACC'...
[07:20:26.036] [  9] [INFORMATIONAL] DeleteComputerAccount: AZUREADSSOACC found in mydomain.com. Deleting...
Enable-AzureADSSOForest : One or more errors occurred.
At line:1 char:1
+ Enable-AzureADSSOForest -OnPremCredentials $creds -ParentDN "DC= mydomain,DC=com"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Enable-AzureADSSOForest], AggregateException
    + FullyQualifiedErrorId : System.AggregateException,Microsoft.KerberosAuth.Powershell.PowershellCommands.EnableAzureADSSOForestCommand

I currently have a ticket open with support, but I haven't gotten any traction yet. Hoping somebody else has experienced this and can shed some light on the problem.

Azure AD Connect - Update AD FS SSL certificate missing

We are running version 1.1.819.0 (test and prod environments) and we have the same issue. The Update AD FS SSL certificate is missing. Also noticed that Repair AAD and ADFS Trust from the list of additional tasks is missing.

Azure AD Graph API failing with "Insufficient privileges to complete the operation" while assigning applications

Hi,

I am using Azure AD Graph API to manage Azure applications.

When trying to assign an application's appRole to a user using the API https://graph.windows.net/<TenantID>/servicePrincipals/<ServicePrincipalID>/appRoleAssignments?api-version=1.6, it fails with 403 and the response is as below. Even though the API fails, the app role gets assigned to the user.

{
    "odata.error": {
        "code": "Authorization_RequestDenied",
        "message": {
            "lang": "en",
            "value": "Insufficient privileges to complete the operation."
        }
    }
}

The same API works fine with Azure AD Graph Explorer.
The DELETE operation to remove appRoleAssignments works fine without any issues.

Does it need any specific privileges to assign an appRole?

Any help on this is appreciated.

Thanks,
Ishwar

Problem with self-service password reset due to "organization's password reset configuration"

Hello Experts, please see the screenshot of the error attached. We are a small college and just purchased the Azure Active Directory Premium P1 subscription, and I am testing the self-service password reset feature. We would like to pre-populate students' and staff mobile phone numbers so they can use self-service password reset right away, without first having to register. I am using my test account and went to passwordreset.microsoftonline.com, entered my user ID, and it asked to verify my phone number, which is great. I then received a text message with the code, but when I tried to supply a new password, I received an error "we cannot reset your password at this time because of a problem with your organization's password reset configuration". We have on-premises integration write-back enabled, and students are able to change their password from office.com for example, and they can register their accounts as well. Any idea what I am missing?

Need help identifying AD DS Connector Account and/or AD Sync Service Account

Hello experts, I am new to a company and have taken over from a previous administrator. We are trying to get AD self-service password reset working, but when I try it from passwordreset.microsoftonline.com, I receive ERROR SSPR_0029 "we cannot reset your password at this time because of a problem with your organization's password reset configuration". My understanding is that this is due to a permission issue with the AD DS Connector Account and/or the AD Sync Service Account. Is there any way to identify these accounts so I can correct the permissions issue?

Getting insufficient privileges error for New-AzureADUserAppRoleAssignment


I am using the built-in PowerShell console on https://portal.azure.com and getting the error below. My login account is "External Azure Active Directory" and a Member with the "Global administrator" directory role.

New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADUserAppRoleAssignment -ObjectId e5eaa3e9-611e-473d-a874-4c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-AzureADUserAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewUserAppRoleAssignment


Customize MFA

MFA requires a login and a second-factor code to be entered for access to applications. Instead of the user entering a username & password as the first factor, we want to customize MFA to receive an encrypted token (stored during the installation of the app) from the device and validate it. Is it possible? Ideally we want to customize or create our own provider for MFA to validate the first factor and continue to use the mobile app or text message as the second factor.

Azure ADConnect Stop Sync

Hello, I am getting an error message in the O365 administration indicating that it has gone 3 days without synchronization. Then, on the server where Azure AD Connect is installed, I can open neither the application nor the sync service; they do not respond. Any idea of the reason? Thank you

Insufficient privileges to perform certain tasks


Hi,

I am trying to install an application into my customer's Azure tenant. So I'm an external user, listed as an Owner in the subscription. I was able to create a Resource Group and other resources, such as App Services and SQL Servers/Databases, but I can't do the following:

- Create an App Registration

- Validate Custom Domain ownership

- Access a Key Vault to upload a certificate

The customer receives their Azure services from another company. When viewing the subscription in the Azure Portal, there's a message at the top: "This subscription is managed in the Microsoft Partner Center". I assume that the customer needs to be given more privileges by this partner, but I'm not sure what to do from here.

Note: the customer has verified that non-admins should have permission to create app registrations (under Azure Active Directory - User Settings, the 'App Registrations' setting is 'Yes' (users can register applications), and the 'Administration Portal' setting is 'No' (Restrict access to Azure AD administration portal)).

What is special/different about management via CSP, and how do I get rights to perform the above tasks?

Thanks,

Phil

