Channel: Azure Active Directory forum
Viewing all 16000 articles

Error while creating user for AzureAD via Powershell

While trying to create a new user, using the commands mentioned on the website
"https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduser?view=azureadps-2.0"
and providing the necessary parameters, I get the following issue:
Error while processing: CREATE for url: /azurescript/Users, Exit Value: 1, output: Connect-AzureAD : One or more errors occurred.: AADSTS50034: To sign into this
application the account must be added to the XXXX directory.
Trace ID: 4e44e39f-76f3-4258-816a-4f8b1d7f5d00
Correlation ID: 8235f094-ec2d-43c3-8d94-2c4565b5909c
Timestamp: 2018-09-04 09:26:52Z
How is this resolved?

AAD issue have only member user

Hello, I have an account with member rights and no other users in AAD. I got the account from VLSC when I bought a Windows Server license. How can I add an administrator in AAD?
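The two posts above both come down to the same AzureAD PowerShell session: pin the connection to the right tenant (the AADSTS50034 text says the signing-in account is not a member of the directory the session landed in), create the user, and then put an account into a directory role. The following is an added example, not code from either poster or from the linked documentation. It assumes the AzureAD module is installed, that the account running it already holds the Global Administrator role in the target tenant, and uses placeholder values for the tenant ID, domain and user.

```powershell
# Added example. Assumes the AzureAD module (Install-Module AzureAD) and an
# account that is already a Global Administrator in the target tenant.
# Tenant ID, domain and user values below are placeholders.
Import-Module AzureAD
Add-Type -AssemblyName System.Web   # for the password generator

$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: directory (tenant) ID
$domain   = 'contoso.onmicrosoft.com'                # placeholder: a verified domain of that tenant

# Name the tenant explicitly. Without -TenantId the session resolves to the
# account's home tenant, which is where "account must be added to the XXXX
# directory" (AADSTS50034) comes from when the admin is a guest elsewhere.
Connect-AzureAD -TenantId $tenantId | Out-Null

# Fail closed if we are not where we expect to be before creating anything.
$tenant = Get-AzureADTenantDetail
if ($tenant.ObjectId -ne $tenantId) {
    throw "Connected to tenant $($tenant.ObjectId), expected $tenantId"
}

# Initial password: generated, never typed into a script, and forced to change
# at first sign-in so the value in this session is only ever a one-time secret.
$pwdProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwdProfile.Password = [System.Web.Security.Membership]::GeneratePassword(20, 4)
$pwdProfile.ForceChangePasswordNextLogin = $true
$pwdProfile.EnforceChangePasswordPolicy = $true

$user = New-AzureADUser -DisplayName 'Jane Admin' `
    -UserPrincipalName "jane.admin@$domain" `
    -MailNickName 'jane.admin' `
    -AccountEnabled $true `
    -PasswordProfile $pwdProfile

# Second post: give the account a directory role. Get-AzureADDirectoryRole only
# returns roles that have been activated in the tenant, so activate it from its
# template if it is missing. "Company Administrator" is the template name that
# the portal displays as Global Administrator.
$roleName = 'Company Administrator'
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# Verify the membership actually landed, then hand the generated password over
# out of band (never log $pwdProfile.Password).
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $user.ObjectId } |
    Select-Object DisplayName, UserPrincipalName
```

For the second poster's situation (the only existing account is a member, not an admin), the role assignment step has to be run by whoever does hold an administrator role in that tenant; a member account cannot elevate itself with these cmdlets.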

Changing from Azure Federated authentication to Pass-through Authentication


Hi,

I am aware that choosing the correct authentication method is the first concern for organisations wanting to move their apps to the cloud, and that the authentication method is difficult to change after it's implemented. But sometimes an organisation may need to change its authentication method. What must be considered if an organisation wishes to change its authentication method from Federated authentication to Pass-through authentication? Assume that the organisation is using Federated authentication to sign in to several cloud apps (e.g. Dropbox for Business, NetSuite, etc.).

Best regards,

Alerteye


Best regards, Marco

Configuring Azure AD federation with a third party IdP for Office365 SSO


 Hi,

I am working on configuring Azure AD identity federation with a third-party STS solution for Office 365 sign-in using WS-* protocols. I tested the configuration by trying to sign in to the Office 365 portal using a federated identity's username and password. It all works fine. But when I test the federation connectivity using the Microsoft Connectivity Analyzer (which is a compulsory requirement in my case), I am redirected to my IdP login page, and when I log in, the home page of the Office 365 account is also displayed. But the test continues to run for 10 minutes and the following test case fails.

Test Case :

Retrieving an identity token from the Passive authentication federation endpoint of your identity provider

Result: There was an error retrieving a token from your identity provider.

Additional Details: The token could not be found in the response body : (here the entire HTML body of the office 365 home page is displayed)

All the other tests pass.

I would be very thankful if anyone can suggest what has gone wrong here.

Thanks. 


Dinix195
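Both the "Federated to Pass-through" question and the Connectivity Analyzer question above are about the per-domain federation setting in Azure AD, which the MSOnline module exposes directly. The following is an added example, not code from either poster. It assumes the MSOnline module and a Global Administrator, uses a placeholder domain, and assumes that for the conversion step Pass-through Authentication has already been enabled in the Azure AD Connect wizard and its agents are healthy; converting a domain to Managed before that leaves its users with no working sign-in path.

```powershell
# Added example. Assumes the MSOnline module and a Global Administrator.
# 'contoso.com' is a placeholder.
Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.com'

# Connectivity Analyzer post: the failing test reports "token could not be
# found in the response body" for the passive endpoint, so the endpoint to
# examine is the one Azure AD has on record as PassiveLogOnUri, not the
# interactive portal flow that happens to work in a browser.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$fed | Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# Federated -> Pass-through post: Pass-through Authentication (like password
# hash sync) is a "Managed" domain in Azure AD, so the switch is a per-domain
# flag. Every cloud app that trusts Azure AD for this domain (Dropbox,
# NetSuite, ...) changes with it; there is no per-app federation to migrate.
$before = Get-MsolDomain -DomainName $domain
"Before: $($before.Name) Authentication=$($before.Authentication)"

# Precondition: do not flip the flag until PTA is enabled and its agents are
# reporting healthy, otherwise nobody in this domain can sign in afterwards.
if ($before.Authentication -eq 'Federated') {
    Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
}

$after = Get-MsolDomain -DomainName $domain
if ($after.Authentication -ne 'Managed') {
    throw "Domain $domain is still $($after.Authentication)"
}
"After:  $($after.Name) Authentication=$($after.Authentication)"
```

Things to check before the conversion that the script cannot check for you: any conditional access or MFA that was enforced at the federation server has to be re-created in Azure AD, since the IdP drops out of the sign-in path; and any application that was pointed directly at the federation server's endpoints rather than at Azure AD keeps working only as long as that server stays up.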


Need help identifying AD DS Connector Account and/or AD Sync Service Account

Hello experts, I am new to a company and have taken over for a previous administrator. We are trying to get AD self-service password reset working, but when I try it from passwordreset.microsoftonline.com, I receive ERROR SSPR_0029: "We cannot reset your password at this time because of a problem with your organization's password reset configuration". My understanding is that this is due to a permission issue with the AD DS Connector Account and/or AD Sync Service Account. Is there any way to identify these accounts so I can correct the permissions issue?

Azure AD Connect not Syncing


Hi,

I have Azure AD Connect set up for syncing to my Azure Active Directory. For some reason it stopped working and I can't figure out why. If I look at the Synchronization Service Manager, I can see that AD Sync is running a few times a day and all of the statuses say success. If I look at them individually for both the AD side and the Azure side, they show rows being updated in the Export Statistics. However, when I go to my Azure portal, all of my old users are there and none of my groups are showing up.

Does anyone know why this might be happening or where I can look to see where an issue might be? My biggest problem is that I don't actually have any errors showing up in the sync manager to start looking at.

Thanks,

Chris
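The two Azure AD Connect posts above (identify the connector and service accounts; sync runs report success but groups never appear) can both be answered from the ADSync module on the Connect server itself. The following is an added example, not code from either poster. It assumes the ADSync module that ships with Azure AD Connect and an elevated Windows PowerShell session on that server; the connectivity-parameter names `forest-login-domain` and `forest-login-user` are assumed to be what the module exposes for the Active Directory connector.

```powershell
# Added example. Run on the Azure AD Connect server, elevated.
# Assumes the ADSync module that ships with Azure AD Connect.
Import-Module ADSync

# --- SSPR post: find the two accounts ---------------------------------------

# 1. AD DS Connector account: stored per Active Directory connector as
#    connectivity parameters (names assumed: forest-login-domain/-user).
Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | ForEach-Object {
    $p = @{}
    foreach ($cp in $_.ConnectivityParameters) { $p[$cp.Name] = $cp.Value }
    [pscustomobject]@{
        Connector        = $_.Name
        ConnectorAccount = "$($p['forest-login-domain'])\$($p['forest-login-user'])"
    }
}

# 2. ADSync service account: whatever identity the Windows service runs as.
#    Password writeback (what SSPR_0029 depends on) is performed by the
#    connector account, so that is the one whose AD permissions matter.
Get-CimInstance Win32_Service -Filter "Name='ADSync'" |
    Select-Object Name, State, StartName

# --- "not syncing" post: the scheduler, not the run history ------------------

# A green run in the Service Manager only says each step finished. Two
# settings silently stop objects from ever reaching Azure AD: a disabled
# cycle, and staging mode (imports and syncs, but never exports).
$sched = Get-ADSyncScheduler
$sched | Select-Object SyncCycleEnabled, SchedulerSuspended, StagingModeEnabled,
                       NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC

if ($sched.StagingModeEnabled) {
    throw 'Server is in staging mode: it will never export. Disable it in the wizard.'
}
if (-not $sched.SyncCycleEnabled) {
    throw 'Sync cycle is disabled; re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true'
}

# After fixing OU filtering or permissions, force a full (Initial) cycle.
# A Delta cycle will not re-read groups that were filtered out or never
# imported in the first place.
Start-ADSyncSyncCycle -PolicyType Initial
```

If the connector account turns out to be a plain domain user, that is where the SSPR_0029 permission problem lives: password writeback needs the "Reset password", "Change password" and the `lockoutTime` / `pwdLastSet` write permissions delegated to that account on the user OUs, and the service account's own rights are irrelevant to it.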

Angular 6 and ADAL


Hi

I'm using the following ADAL library for Angular: adal-angular4

I have an Angular 6 based app with the ADAL library for my on-prem ADFS, and login works and I am able to get a token. But I want to get back custom claims like email address, first name, last name. So as per the ADFS 2016 doc I need to have the resource parameter. So here is my config object:

config: {
  instance: 'myadfsserver https link',
  tenant: 'adfs',
  clientId: 'my_client_id',
  resource: 'myresource/',
  redirectUri: window.location.origin,
  // extraQueryParameter: 'resource=myresource/',
  extraQueryParameter: 'use_windows_client_authentication=true',
  postLogoutRedirectUri: 'myurl',

  endpoints: {
    'myadfsserver https link': '00000000-0000-0000-0000-000000000000'
  }
}

So when I click login in my app:

- the URL constructed doesn't have ?resource=myresource
- upon logout it's not redirecting to my configured postLogoutRedirectUri
- when I uncomment the extraQueryParameter line, &resource=myresource shows up but the JWT token doesn't have my custom claims :(

Is there any other way to get custom claims?

Thanks

** From my ADFS setup we have configured email address, first name, last name in pass-through claims.
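In ADFS 2016 the claims that land in an OAuth/OpenID Connect JWT are decided by the issuance rules of the Web API whose identifier matches the `resource` parameter, not by the native-client entry the SPA is registered under. The following is an added example, not the poster's configuration or the adal-angular4 library's code. It assumes the app was registered as an ADFS application group containing a Web API whose identifier is the poster's placeholder `myresource/`, and the rule set is an assumption about what "pass-through claims" for email, first name and last name should look like when they are to reach a JWT.

```powershell
# Added example. Run on the ADFS 2016 server as an ADFS administrator.
# 'myresource/' is the poster's placeholder and must match the resource=
# value the SPA sends byte for byte (the trailing slash included).
Import-Module ADFS

$resource = 'myresource/'

# Tokens for resource=X are issued by the Web API whose identifier is X, so
# the rules attached to that Web API decide the JWT's claims.
$api = Get-AdfsWebApiApplication | Where-Object { $_.Identifier -contains $resource }
if (-not $api) { throw "No Web API application has identifier '$resource'" }

# Query AD for mail/givenName/sn/userPrincipalName and issue them under the
# standard claim URIs. ADFS maps these well-known URIs to the short JWT names
# (email, given_name, family_name, upn); a custom, unknown URI would instead
# appear under its full URI as the claim name (assumption noted in the lead-in).
$rules = @'
@RuleName = "Issue email, given_name, family_name, upn from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,givenName,sn,userPrincipalName;{0}",
          param = c.Value);
'@

Set-AdfsWebApiApplication -TargetIdentifier $resource -IssuanceTransformRules $rules

# Read back what will now apply to tokens requested for this resource.
(Get-AdfsWebApiApplication -Identifier $resource).IssuanceTransformRules
```

Two checks before blaming the rules: decode the access token (not the id token) that comes back once `resource=` is on the request, since that is the token issued for the Web API; and confirm the Web API's access-control policy permits the user, because a user that fails the policy gets an error rather than a token with fewer claims.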

Adding custom header in response send by azure app proxy


I have created an Enterprise Application in Azure AD, and in the settings of this application I have selected Integrated Windows Authentication (IWA) for the Single sign-on option. I have configured app proxy in this, pre-authentication is set to AAD, and the internal URL is my Java-based web application URL.
On the other side, the AAD connector is installed with federation via ADFS.
Now the flow is: when I hit the User access URL (the URL for the enterprise application) it challenges for domain verification, and after successful verification it redirects to my on-premises AD. After successful authentication to ADFS it redirects to app proxy, and app proxy redirects me to my web application.

Now the response sent by my on-premises AD to app proxy is SAML. But what app proxy redirects to my web application is not SAML.

But I receive headers, mainly Authorization: Negotiate.

My question is how I can identify the user, e.g. by UPN.
If the Authorization: Negotiate header contains all the data I need to identify the user, how can I decode it using Java? Is there any standard lib?

Or

Is it possible to send a custom header in the response sent by app proxy?

thanks in advance.


Cant install AD connect - Unable to Install the Synchronization Service


Hi,

I had DirSync installed on a 2012 R2 server and ran the AD Connect wizard to upgrade from DirSync to AD Connect. The wizard successfully removed DirSync, but it failed when installing AD Connect with the error "Unable to Install the Synchronization Service".

At this point I had to uninstall the AD Connect program that was half installed and then try to install it again as a new install; as DirSync is gone, it won't pick up any settings from that.

AD Connect still fails with the same error, and when looking in the log it seems as though the ADSync service cannot be started; see part of the log below.

What can I do to resolve this?

[09:26:56.605] [ 26] [INFO ] ServiceControllerProvider:CreateService - serviceName:ADSync, username:NT SERVICE\ADSync, assemblyPath:C:\Program Files\Microsoft Azure Active Directory Connect\ADSyncBootstrap.exe
[09:26:56.637] [ 26] [INFO ] ServiceControllerProvider: Processing StartService request for: ADSync
[09:26:56.637] [ 26] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[09:26:56.637] [ 26] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[09:27:16.837] [ 26] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (1).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[09:27:16.839] [ 26] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[09:27:16.839] [ 26] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[09:27:37.013] [ 26] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (2).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[09:27:37.013] [ 26] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[09:27:37.013] [ 26] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[09:27:57.187] [ 26] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (3).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[09:27:57.187] [ 26] [ERROR] ServiceControllerProvider: StartService unable to start service (ADSync).
[09:27:59.525] [ 26] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.


 

Can Excel do ad b2c authentication?

I know and have tested Excel doing normal Azure AD authentication when accessing OData.

But can Excel do AD B2C authentication?

Connecting Meraki Client VPN to Azure Active Directory Domain Services (AADDS)

I need to connect our Cisco Meraki Client VPN to Azure Active Directory Domain Services (AADDS) for authentication via Azure MFA. The articles below describe how this connection is supposed to be made, but I cannot seem to get it to work.

I am putting in the external IP address but it cannot seem to connect to the domain controller. Packet capture shows that there is no SYN-ACK response during attempts to connect.

Any help would be much appreciated.

https://t.co/SHdRiMA5BZ

Register New User via Easy Auth and Azure AD, Support Limited Anonymous or Unregistered Access


I am trying to use Azure AD and OpenID in an AspNet Core website I'm building. The site is part of a larger project which will implement some Azure Functions to handle telemetry gathered from a smartphone while riding a motorcycle, as part of a crash monitoring application. Azure AD, OpenID, etc., are new to me, so I'm not sure I'm even using the right terminology here, so bear with me.

What I'd like to do as a first step is to use Easy Auth to register new users on the site. The current VS 2017 (15.8) template implements Azure AD (at least) by default, and I've confirmed that it works: I can log into the site using my Microsoft Windows credentials.

Where I'm having a problem is understanding how that authentication fits into registering, and then authenticating, a user onto my site. In other words, I want the login process to check to see if a user is registered with my site (user info to be stored in a SqlServer database). In all the AspNet websites I've written heretofore, that's been implicitly done, because I've been authenticating users against the site database. Now that I'm authenticating against other sources (e.g., Microsoft, Google, Facebook), I'm unclear how to implement the site-specific stuff.

I've tried inserting site-specific authentication when the OpenID service is configured during startup (from Startup.cs):

 

// Inside ConfigureServices(IServiceCollection services). Needs:
//   using Microsoft.AspNetCore.Authentication.AzureAD.UI;
//   using Microsoft.AspNetCore.Authentication.OpenIdConnect;
//   using Microsoft.IdentityModel.Tokens;
//   using System.Threading.Tasks;
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // Instead of using the default validation (validating against a single issuer value, as we do in
        // line of business apps), we inject our own multitenant validation logic
        ValidateIssuer = false,

        // If the app is meant to be accessed by entire organizations, add your issuer validation logic here.
        //IssuerValidator = (issuer, securityToken, validationParameters) => {
        //    if (myIssuerValidationLogic(issuer)) return issuer;
        //}
    };

    options.Events = new OpenIdConnectEvents
    {
        OnTicketReceived = context =>
        {
            // If your authentication logic is based on users then add your logic here
            return Task.CompletedTask;
        },

        OnAuthenticationFailed = context =>
        {
            context.Response.Redirect("/Error");
            context.HandleResponse(); // Suppress the exception
            return Task.CompletedTask;
        },

        OnTokenValidated = context =>
        {
            // throwing an exception here when the user is not in the site database
            // just causes the authentication request to be repeated, endlessly
            return Task.CompletedTask; // the delegate must return a Task to compile
        }
    };
});


When a user is not registered locally, do I just return a redirect to a page that allows them to register?

Related to this, I'd also like to allow some level of anonymous access, directing anonymous users to a page describing the site, how to register, etc. I'm not sure how to do that, either. Is there a way to inject specific claims into the authorization, and then control access to controller actions based on claims?

Sorry about the vague questions here. But, as I mentioned, I'm new to Azure AD, OpenID, Easy Auth and, for that matter, AspNet Core 2.0 :)

- Mark

This tenant does not allow email verified users to be added due to an admin-defined policy


Hi,

I've added some external users to my Azure AD - users from another organisation.

When they click on the invitation link, they all receive an error message - 

"This tenant does not allow email verified users to be added due to an admin-defined policy."

Any idea how I can fix this?

Thanks

How to handle 401 error when using Azure App Authentication


Hi!

I'm using Azure App Authentication with Azure Active Directory as the provider. I have it set to Allow Anonymous Requests and the site pushes the user to /.auth/login/aad when authentication is required. This works flawlessly UNLESS the user has a valid Microsoft login but it's not assigned to my AD App (basically authenticated but not authorized). In that case they land at /.auth/login/aad/callback and get the ugly text message below:

{"code":401,"message":"An error of type 'access_denied' occurred during the login process: 'AADSTS50105: The signed in user is not assigned to a role for the application '18b35087-4aa1-453d-8770-89e52942ce59'.\u000d\u000aTrace ID: e690c46c-f61c-49ca-8ba8-9bed3e2b2800\u000d\u000aCorrelation ID: 23160c20-d9cf-4f0e-8678-57cbbcb3a5db\u000d\u000aTimestamp: 2018-08-16 17:27:22Z'"}

So my question is, how do I prevent this ugly message? I do set post_login_redirect_uri when calling /.auth/login/aad to tell the provider where to return the user once authenticated. Shouldn't it return them there? Or is there another parameter I can set to tell the provider where to return a user who isn't authorized?

I know I could set User Assignment Required in the AD App settings to No and then everyone would just get passed on through and then my code could do the authorization... but I like the security of AD doing it. I just want more control over what happens if authorization fails.

- Ron

Disconnect AzureAD from Godaddy


Is there a process to disconnect from using a 3rd-party identity provider like GoDaddy? We have a LOT of issues on one of our domains where they simply cannot use some of the services and programs: Visual Studio is intermittent in its authentication; Outlook 2016, forget about it. There are others, but these are the main two.

We would like to continue using the logins (we can withstand a password change, etc. if needed), but want to completely remove GoDaddy from the middle of things.

Thanks,

John


rename Azure subscription


Is it possible to change the URL of an Azure subscription? If so, what are the approach and steps?

Please let me know.

ADSync New Forest w/o Over-writing Existing Forest


So I've inherited an Azure setup from a previous IT team who were totally incompetent (Really, you can't imagine). They set up Azure with one of the corporate domains (let's call it stupid-name.com). Unfortunately, we actually use a different domain for pretty much everything else (reallystupid.com). Even better, the office Active Directory forest is a subdomain (corp.reallystupid.com) of that one.

Currently in Azure: stupid-name.com, with all our users and 4 years of OneDrive data. They did an initial sync to get all the usernames in, but it does NOT sync with the office AD domain, and has not for the last 4 years. Usernames and passwords are manually managed by me. The usernames directly match the local AD usernames; the passwords do not.

Our email domain (hosted elsewhere): reallystupid.com

Our office AD domain (Onsite Domain Controllers): corp.reallystupid.com

Just to make it even more idiotic, they created the initial Azure account with an @reallystupid.com address, so Azure has reallystupid.onmicrosoft.com while we're using @stupid-name.com to login.

What do I want? To use ADSync to get us to using @reallystupid.com for a login with the usernames and passwords from our corp.reallystupid.com. It's vitally important that I do not overwrite the passwords on the stupid-name.com login until I'm ready. I'd like to do the configuration, sync, testing, then flip a switch and have everybody's password suddenly switch to the @reallystupid.com login name and corp.reallystupid.com password.

I should mention that I'm a Unix/Networking guy, but I can do basic-to-moderate Active Directory stuff.

Help? Please? :)

-steve

Can't save manifest with optionalClaims on App Registration Portal


Hi,

I'm using OpenID Connect with Azure AD. I have an app on apps.dev.microsoft.com and things are working. Now I'm trying to add the verified_primary_email optional claim. Usually "upn" is the user's e-mail address, but sometimes it's not, for customers with various ADFS setups, so I'm trying to get the email attribute.

When I edit the manifest, add an "optionalClaims" property to the body, and save, I get an error message:

The request body contains unexpected characters/content for the specified content type and encoding.

Here's the block I'm trying to add to the manifest:

"optionalClaims": {
    "idToken": [
        { "name": "given_name", "essential": false },
        { "name": "family_name", "essential": false },
        { "name": "verified_primary_email", "essential": false }
    ]
}

I've also tried simpler variations. For example, this no-op block gives the same error message:

"optionalClaims": {}

This one gives a slightly different error ("One or more property values specified are invalid"):

"optionalClaims": null

Can I get a hint as to how to add optionalClaims to the manifest?

Mike
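The `optionalClaims` property the post is trying to set through the manifest editor is also writable on the application object through the AzureAD PowerShell module, which sidesteps the editor's content-type complaint entirely. The following is an added example, not the poster's code; it assumes the AzureAD module, an app registration in the Azure AD tenant (the converged apps.dev.microsoft.com portal the poster uses edits the same application object), and a placeholder application ID.

```powershell
# Added example. Assumes the AzureAD module and an administrator (or the app's
# owner). The application (client) ID below is a placeholder.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$appId = '00000000-0000-0000-0000-000000000000'
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
if (-not $app) { throw "No application registered with appId $appId" }

# Build one OptionalClaim. Source is left null for directory-backed claims;
# it is only set for directory-extension attributes.
function New-OptionalClaim([string]$Name, [bool]$Essential = $false) {
    $c = New-Object -TypeName Microsoft.Open.AzureAD.Model.OptionalClaim
    $c.Name      = $Name
    $c.Essential = $Essential
    $c.Source    = $null
    return $c
}

# Same three claims the poster wants in the ID token, all non-essential:
# marking verified_primary_email essential would make sign-in fail for any
# user whose primary address has not been verified, instead of just omitting
# the claim.
$claims = New-Object -TypeName Microsoft.Open.AzureAD.Model.OptionalClaims
$claims.IdToken = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OptionalClaim]'
foreach ($name in 'given_name', 'family_name', 'verified_primary_email') {
    $claims.IdToken.Add((New-OptionalClaim -Name $name))
}

Set-AzureADApplication -ObjectId $app.ObjectId -OptionalClaims $claims

# Read back what the manifest now contains for the ID token.
(Get-AzureADApplication -ObjectId $app.ObjectId).OptionalClaims.IdToken |
    Select-Object Name, Essential, Source
```

On the consuming side, keep treating the claim as optional: when `verified_primary_email` is absent from a token, fall back to `upn` or `preferred_username` rather than failing the sign-in, and never use an unverified address as the key for account linking.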

Onedrive auto logon.


Hi there,

I need a way to force OneDrive to automatically log in and sync with the currently logged-in user's account.

We have a set of devices that are shared among many students, so when User A logs into Computer A we want the OneDrive client to auto-login to User A's account using their domain credentials. After recess User B might log into Computer A, and we also want the OneDrive client to auto-login, but now with User B's account using their domain credentials.

If I manually register a device to Azure AD and restart, then I get the desired behaviour, but obviously it is not feasible for every student to register and then restart just to get their OneDrive.

Does anyone have any suggestions on how to approach this?


Thanks in advance.

How to add Graph API Permissions in azure custom RBACs ?


Hi,

I need to add Graph API permissions like "Directory.Read.All", "User.Read.All" in custom RBAC roles.

For more reference: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference



