Channel: Azure Active Directory forum

Can't save manifest with optionalClaims on App Registration Portal


Hi,

I'm using OpenID Connect with Azure AD. I have an app on apps.dev.microsoft.com and things are working. Now I'm trying to add the verified_primary_email optional claim. Usually "upn" is the user's e-mail address, but sometimes it's not, for customers with various ADFS setups, so I'm trying to get the email attribute.

When I edit the manifest, add an "optionalClaims" property to the body, and save, I get an error message:

The request body contains unexpected characters/content for the specified content type and encoding.

Here's the block I'm trying to add to the manifest:

"optionalClaims": {
    "idToken": [
        {"name": "given_name", "essential": false},
        {"name": "family_name", "essential": false},
        {"name": "verified_primary_email", "essential": false}
    ]
}

I've also tried simpler variations. For example, this no-op block gives the same error message:

"optionalClaims": {}

This one gives a slightly different error ("One or more property values specified are invalid"):

"optionalClaims": null

Can I get a hint as to how to add optionalClaims to the manifest?

Mike


Configuring Azure AD federation with a third party IdP for Office365 SSO


 Hi,

I am working on configuring Azure AD identity federation with a third-party STS solution for Office 365 sign-in using WS* protocols. I tested the configuration by trying to sign in to the Office 365 portal using a federated identity's username and password. It all works fine. But when I test the federation connectivity using Microsoft Connectivity Analyzer (which is a compulsory requirement in my case), I am redirected to my IdP login page, and when I log in, the home page of the Office 365 account is also displayed. But the test continues to run for 10 minutes and the following test case fails.

Test Case :

Retrieving an identity token from the Passive authentication federation endpoint of your identity provider

Result: There was an error retrieving a token from your identity provider.

Additional Details: The token could not be found in the response body : (here the entire HTML body of the office 365 home page is displayed)

All the other tests passed.

I would be very thankful if anyone can suggest what has gone wrong here.

Thanks. 


Dinix195


B2B Remote access and third party app authentication


Hi - We've got people from an external organisation who we want to be able to use our service desk system to take incidents and requests. Our service desk system is a cloud system (Service-now) - we've invited the users with B2B access, and granted the groups that we'd normally grant to an internal user for access to the system. I can see in Service-now they have the right roles and groups. I'm not sure, however, that Service-now would be able to authenticate them properly - how will it know what password to use to authenticate them?

AD FS with Azure AD Domain Services


Hello,

I'm trying to implement Azure AD Domain Services but I have two doubts:

- Is it possible to implement +1 Azure AD Domain Services in the same tenant?

- If I have AD Federation Services (on-premise), is it possible to implement Azure AD DS? Is it necessary to sync passwords?

thanks!


Azure AD Enterprise App "User Assignment Required?" option does nothing


I have added a 3rd party app from the Application Gallery for the purposes of SAML SSO.  This app is configured and the SSO works properly so I am getting ready to deploy it to my users.  Initially I had set the "User assignment required?" option to yes during testing so only I could see it.  I then assigned the application to myself and was able to see it in my app list and sign in to it from the link in the app list.

I have now set "User assignment required?" to no since this is an application to which all users in my organization should have access.  I don't want to have to assign every user to it.  According to the tooltip for this setting it claims that when the option is set to no as I have done then any user who navigates to the application link will be able to access it.  

This is not the case.  When I look at the my apps list for another user they cannot see it and when I try to go to the app url directly as that user I get the message

Oops, this link isn’t working…
This link to Citra University is invalid. Click the link below to see what applications you have access to. Otherwise, contact your administrator or the person who gave you this link to resolve this issue.

Which seems to suggest that user assignment is still required even though I have disabled the option.

Why is this happening when I have disabled the user assignment requirement?

Error while creating user for AzureAD via Powershell

While trying to create new user, using the commands mentioned on the website
"https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduser?view=azureadps-2.0"
and providing the necessary parameters, I get the following issue:
Error while processing: CREATE for url: /azurescript/Users, Exit Value: 1, output: Connect-AzureAD : One or more errors occurred.: AADSTS50034: To sign into this \r\napplication the account must be added to the XXXX directory.\r\nTrace ID: 4e44e39f-76f3-4258-816a-4f8b1d7f5d00\r\nCorrelation ID: 8235f094-ec2d-43c3-8d94-2c4565b5909c\r\nTimestamp: 2018-09-04 09:26:52Z
How is this resolved?

How to provide an application read permissions to all the data in AAD (including user, groups, assigned roles , all resources) using powershell script?

What I am able to do for now, using the PowerShell script, is create a new application and assign the role to read all resource data in a subscription. I am using Azure RM PowerShell 6.8.1 for this. I have read the "Select Package Azure Active Directory PowerShell 2.0" documents and found how to give administrative roles to a service principal, but I want to limit the role to read only.

Disable "Verify your identity with a phone"

Hello,

After an Azure AD join on a Windows 10 device, users are forced to verify their identity with a phone. How/where can I disable that or make it at least optional? I know that there seem to be options/tricks in the local group policies but I am searching for a global option in Azure AD itself. Especially for the free/basic version that comes with O365.

Thank you very much in advance
Cheers
-gladston4

Azure AD Connect Health Sync Monitor High CPU Usage

Hello.  I have Azure AD Connect installed on my server to sync our on-premise domain with Office 365 and I'm noticing the Azure AD Connect Health Sync Monitoring Service is always running high CPU usage.  The actual process is Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe.  Is there a reason for this or a way to fix it?  Right now, I'm just stopping the Azure AD Connect Health Sync Monitoring Service(AzureADConnectHealthSyncMonitor) and my resources go back to normal.  I'm running Azure AD Connect 1.1.819.0 so it is the latest version.  If I restart the service, things are normal for a few minutes before this process spikes again.  Any help would be appreciated.  Thanks!

one drive

One drive not connected. I don't know how to fix this?

Azure group writeback permission-issue


Hi,

I'm currently trying to get group-writeback working. Although we do have a subscription for Azure AD Premium and I've used the script from https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74 to configure the advanced permissions, I'm still seeing permission-issue-errors in Synchronization Service Manager. I've also checked the permissions using the script and the steps described here:

https://blogs.technet.microsoft.com/dkegg/2018/01/30/testing-aad-connect-write-back-permissions-on-an-ou/

Trying to further narrow down the cause of this issue, I remembered that it seemed impossible to explicitly specify an OU for group-writeback when I ran the AzureADConnect-Wizard, as the field was not editable / greyed out. Therefore, I've manually set the OU-value using Powershell:

$gs = Get-ADSyncGlobalSettings
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.GroupWriteBack.Container", String, SynchronizationGlobal, $null, $null, $null
$p.Value = "OU=Office365-Cloudgroups,DC=learnship,DC=net"
$gs.Parameters.Remove($p.Name)
$gs.Parameters.Add($p)
Set-ADSyncGlobalSettings -GlobalSettings $gs
..which seems to have worked so far:
$a = Get-ADSyncGlobalSettings
$a.parameters | where {$_.Name -eq "Microsoft.GroupWriteBack.Container"}



Name                   : Microsoft.GroupWriteBack.Container
InputType              : String
Scope                  : SynchronizationGlobal
Description            :
RegexValidationPattern :
DefaultValue           :
Value                  : OU=Office365-Cloudgroups,DC=xyz,DC=net
Extensible             : False
PageNumber             : 0
Intrinsic              : False
DataType               : String

However, the permission errors still persist :-( How can I find further details / debug this?



Authorization has been denied for this request -- Microsoft Graph API, Microsoft Booking API


I have a simple ASP.NET web application consisting of an .aspx web form hosted on Azure as a cloud service. In my application there is no user login.
I want to connect with the Microsoft Graph API and use the Microsoft Bookings API to get the BookingBusiness collection on my home page load without user login. I am currently debugging my web app on my desktop using the Azure emulator.
I have Office 365 premium account access associated with my Microsoft account (XXXXX@microsoft.com) and I had created a Booking business using my v- alias through Booking tools (https://outlook.office.com/owa/?path=/bookings).
I registered an app in AAD in the same tenant with all required permissions and provided the client ID and secret in the code to get the access token. I am using the client credentials grant flow to get the access token and try to invoke the booking API. I am able to get the access token, but when the code tries to get the list of booking businesses it gives the exception below.

DataServiceClientException: {
  "error": {
    "code": "",
    "message": "Authorization has been denied for this request.",
    "innerError": {
      "request-id": "d0ac6470-9aae-4cc2-9bf3-ac83e700fd6a",
      "date": "2018-09-03T08:38:29"
    }
  }
}

The code and registered app setting details are in the screenshot below.


        private static async Task<AuthenticationResult> AcquireToken()
        {
            var tenant = "microsoft.onmicrosoft.com"; //"yourtenant.onmicrosoft.com";
            var resource = "https://graph.microsoft.com/";
            var instance = "https://login.microsoftonline.com/";
            var clientID = "7389d0b8-1611-4ef9-a01f-eba4c59a6427";
            var secret = "mxbPBS10|[#!mangJHQF791";
            var authority = $"{instance}{tenant}";
            var authContext = new AuthenticationContext(authority);
            var credentials = new ClientCredential(clientID, secret);           

            var authResult = await authContext.AcquireTokenAsync(resource, credentials);
            
            return authResult;
        }


        protected void MSBooking()
        {
            var authenticationContext = new AuthenticationContext(GraphService.DefaultAadInstance, TokenCache.DefaultShared);
            var authenticationResult = AcquireToken().Result;

            var graphService = new GraphService(
                GraphService.ServiceRoot,
                () => authenticationResult.CreateAuthorizationHeader());

            // Get the list of booking businesses that the logged on user can see.
            // The next line throws the exception "Authorization has been denied for this request."
            var bookingBusinesses = graphService.BookingBusinesses;
        }

GraphService.cs

// ---------------------------------------------------------------------------
// <copyright file="GraphService.cs" company="Microsoft">
//     Copyright (c) Microsoft Corporation.  All rights reserved.
// </copyright>
// ---------------------------------------------------------------------------

namespace Microsoft.Bookings.Client
{
    using System;
    using System.Net;

    using Microsoft.OData;
    using Microsoft.OData.Client;

    public partial class GraphService
    {
        /// <summary>
        /// The resource identifier for the Graph API.
        /// </summary>
        public const string ResourceId = "https://graph.microsoft.com/";

        /// <summary>
        /// The default AAD instance to use when authenticating.
        /// </summary>
        public const string DefaultAadInstance = "https://login.microsoftonline.com/common/";

        /// <summary>
        /// The default v1 service root
        /// </summary>
        public static readonly Uri ServiceRoot = new Uri("https://graph.microsoft.com/beta/");

        /// <summary>
        /// Initializes a new instance of the <see cref="BookingsContainer"/> class.
        /// </summary>
        /// <param name="serviceRoot">The service root.</param>
        /// <param name="getAuthenticationHeader">A delegate that returns the authentication header to use in each request.</param>
        public GraphService(Uri serviceRoot, Func<string> getAuthenticationHeader)
            : this(serviceRoot)
        {
            this.BuildingRequest += (s, e) => e.Headers.Add("Authorization", getAuthenticationHeader());
        }

        /// <summary>
        /// Gets or sets the odata.maxpagesize preference header.
        /// </summary>
        /// <remarks>
        /// Using the Prefer header we can control the resulting page size of certain operations,
        /// in particular of GET bookingBusinesses(id)/appointments and bookingBusinesses(id)/customers.
        /// </remarks>
        public int? MaxPageSize
        {
            get;
            set;
        } = null;

        /// <summary>
        /// Gets or sets the odata.continue-on-error preference header.
        /// </summary>
        /// <remarks>
        /// Using the Prefer header we can control if batch operations stop or continue on error.
        /// </remarks>
        public bool ContinueOnError
        {
            get;
            set;
        }

        /// <summary>
        /// Gets or sets the web proxy to use when sending requests.
        /// </summary>
        public IWebProxy WebProxy
        {
            get;
            set;
        }

        partial void OnContextCreated()
        {
            // Default to send only the properties that were set on a data object
            this.EntityParameterSendOption = EntityParameterSendOption.SendOnlySetProperties;

            // Allows new results to override cached results, if the object is not changed.
            this.MergeOption = MergeOption.PreserveChanges;

            if (this.BaseUri.AbsoluteUri[this.BaseUri.AbsoluteUri.Length - 1] != '/')
            {
                throw new ArgumentException("BaseUri must end with '/'");
            }

            this.BuildingRequest += (s, e) => e.Headers.Add("client-request-id", Guid.NewGuid().ToString());

            this.SendingRequest2 += (s, e) =>
                {
                    var requestMessage = e.RequestMessage as HttpWebRequestMessage;
                    if (requestMessage != null)
                    {
                        var preferenceHeader = new ODataRequestOnHttpWebRequest(requestMessage.HttpWebRequest).PreferHeader();
                        preferenceHeader.MaxPageSize = this.MaxPageSize;
                        preferenceHeader.ContinueOnError = this.ContinueOnError;

                        requestMessage.HttpWebRequest.Proxy = this.WebProxy;
                    }
                };
        }
    }
}


Azure AD Graph API failing with "Insufficient privileges to complete the operation" while assigning applications

Hi,

I am using Azure AD Graph API to manage Azure applications.

When trying to assign an application's appRole to a user using API https://graph.windows.net/<TenantID>/servicePrincipals/<ServicePrincipalID>/appRoleAssignments?api-version=1.6, it fails with 403 and response is as below. Even though the API fails, the app role gets assigned to user.

{
    "odata.error": {
        "code": "Authorization_RequestDenied",
        "message": {
            "lang": "en",
            "value": "Insufficient privileges to complete the operation."
        }
    }
}

The same API works fine with Azure AD Graph Explorer.
The DELETE operation to remove appRoleAssignments works fine without any issues.

Does it need any specific privileges to assign appRole?

Any help on this is appreciated.

Thanks,
Ishwar

Automatic Changes when upgrading to Azure AD Premium

My company is looking to upgrade from Azure AD Basic to Azure AD Premium P2 very soon; however, we wanted to know if there were any features or settings that would automatically go into effect when the change is made. Will anything be turned on or turned off automatically, or will the upgrade simply unlock the Premium features and allow us to manually enable or disable them?

How to stand up a backup domain controller in Azure


I have been asked to build a backup domain controller in an offsite location for the purposes of DR.  I'm wondering if there is a way to do this using Azure.  We currently use it for daily off site backups.

This is a 30 person company with one File/Print/DC server. I have both local backups and backups to Azure. But other than the local backup I have no bare metal backup nor do I have AD replication offsite. Can somebody point me toward the best way to accomplish this? I know you can do a bare metal backup to Azure but it is very confusing as to how you do it. I also think I can stand up a VM to use as a replication for AD, but I can't find a way to do it. Is there someone at Azure that I can arrange a pre-sales call with to explain this?



Jim




AADSync Password Reset


Hi All!

I have been trying to configure password reset using password writeback but I haven't had any luck.

I have successfully synced two AD forests to my Azure tenant



I am using AR\aadsync as the service account to sync between Azure AD and on-prem AD

I have granted the proper permissions to that service account

But when the user tries to change his password, they get these errors:

By the way, I already have below permissions set at Domain level for AD MA account:

  • Reset Password
  • Change Password
  • Write lockoutTime
  • Write pwdLastSet

And the user who is trying to change his password does not have the "password never expires" option checked.

Any ideas? 

Thanks in advance.

Cheers,

Javier.


Add an app role using Microsoft Graph API

I have created an app registration in Azure AD. I want to add an app role using the Microsoft Graph API programmatically. Is this functionality supported by the Microsoft Graph API?

Unable to verify domain (add custom domain)


I have added a custom domain to my Azure Free Trial Subscription. The custom domain name is globalrescue.com.
I have added the TXT record in DNS and also verified that the DNS propagation is complete.
However, when I verify the domain I get:
Unable to verify domain name. Ensure you have added the record above at the registrar 'globalrescue.com', and try again in a little while.

TXT with value MS=ms5

is added to the public DNS server and I have used several online DNS propagation tools to verify that the same is published throughout,
for example: https://dnschecker.org/#TXT/globalrescue.com/MS=ms5

shows that the record is published on all servers in its list.

Usually it takes less than 15-20 mins.
I have added many domains in the past,
but this one won't validate.
Directory is grplxxxxoutlook.xxxx.com 
subscription id is b26575a7-02b3-4e97-86b7-xxxx 

====================================================================

Site: https://azure.microsoft.com/en-us/resources/knowledge-center/technical-chat/

2018-09-04 12:27 AM PDT
Transcript ID: q86p5vJMmtSHQvDX1b6pq0K66j13ik6B
Your recent chat with David
You 
Hello 
U there? 

David
Hello! This is David from Azure Technical Chat. Happy to help you today

You
Hey David.
I have added a custom domain to my Azure Free Trial Subscription
the custom domain name is globalrescue.com
I have added the TXT record in DNS and also verified that the DNS propagation is complete
however when I verify the domain I get:
Unable to verify domain name. Ensure you have added the record above at the registrar 'globalrescue.com', and try again in a little while.

David
ok let me take a look

You
TXT with value MS=ms598xxx 
is added to the public DNS server and I have used several online DNS propagation tools to verify that the same is published throughout
for example: https://dnschecker.org/#TXT/globalrescue.com/MS=ms598xxxx

shows that the record is published on all servers in its list

David
When was the domain created/added?

You
It's been two days now

David
ok thanks for that

You
usually it takes less than 15-20 mins
I have added many domains in the past
but this one won't validate
Directory is grpxxxxxtlook.onmicrosoft.com
subscription id is b26575a7-02b3-4e97-86b7-xxxxxx

David
Can you tell me where this message about unable to verify domain name is showing?

You
I go to portal.azure.com

David
I'm looking at the site now, looks good.

You
Then go to Azure Active Directory
Then to Add Custom Domains
In the custom domains list I see globalrescue.com as unverified
I click on GlobalRescue.com and click verify
and then this error is displayed
uploaded file: https://olark-file-uploads.s3.us-west-1.amazonaws.com/processed/513cab62-f513-4366-b7ed-82dxxxxx5dd10e69e.png 

uploaded file: https://olark-file-uploads.s3.us-west-1.amazonaws.com/processed/e47592e8-1d22-487e-8f69-64dxxxxxe5cc5d120.png 


David
Perfect thanks for that

You
welcome

David
Did you use GoDaddy for this?

You
no. This domain is from Network Solutions and DNS is also hosted by Network Solutions
Used the Network Solutions site to create the TXT record

David
Is it possible to verify on the network solution site as well, you can do this on GoDaddy which is why I asked about it previously?

You
on the netsol site all we can do is add DNS records
which I have done

David
Did you follow this guide https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain#troubleshooting 


You
and the DNS records are published correctly

David
ok perfect

You
Yes, we are Microsoft Partners. I have added many domains for many customers and have never come across this issue
usually domains verify within minutes, some take a few hours, but this one won't complete its verification and we cannot continue with POC until the domain is verified

David
Can you try the command on this page and let me know what it comes back with please
https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddomainverificationdnsrecord?view=azureadps-2.0 


You
ok.
give me a sec

David
just to rule out a couple of things also, I know it's basic but just to check anyway, was www added in Azure or the Records of TXT on network solutions and can you try a different browser or clear your cache just to rule that out also

You
PS Azure:\> Get-AzureADDomainVerificationDnsRecord
cmdlet Get-AzureADDomainVerificationDnsRecord at command pipeline position 1
Supply values for the following parameters:
Name: globalrescue.com
Get-AzureADDomainVerificationDnsRecord : Error occurred while executing GetDomainVerificationDnsRecord
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADDomainVerificationDnsRecord
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADDomainVerificationDnsRecord], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetDomainVerificationDnsRecord

David
Did you use PowerShell in Admin mode?

You
used cloud shell
it's already in admin mode
used PowerShell in Azure portal

David
Just to confirm did you use -Name?
ok perfect
thanks for that

You
to run the command
yes used the -name switch
command I typed is as follows:
Get-AzureADDomainVerificationDnsRecord -name globalrescue.com

David
ok that's correct.
Oh, I've just read that a user had a similar issue and on the TXT record they removed the @ and could then verify, can you try that please
http://gerryhampsoncm.blogspot.com/2015/03/could-not-verify-domain-in-azure.html 


You
I first added with @ and it did not work, then I deleted the domain and re-added it in Azure, then created the record without @ and it still won't verify

David
ok thanks for trying that

You
wait I am trying to run the command a different way

David
no problem

You
nope
still getting same error

David
hmm ok, again thanks for trying.

You
Get-AzureADDomainVerificationDnsRecord : Error occurred while executing GetDomainVerificationDnsRecord
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADDomainVerificationDnsRecord
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADDomainVerificationDnsRecord], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetDomainVerificationDnsRecord
article says to give read / write permissions to directory
let me try this
wai
wait

David
That sounds promising

You
please wait I am trying

David
No problem

You
almost there
Nope
I tried my partner account which has owner rights on subscription
but got same result
PS Azure:\> Get-AzureADDomainVerificationDnsRecord -Name globalrescue.com
Get-AzureADDomainVerificationDnsRecord : Error occurred while executing GetDomainVerificationDnsRecord
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADDomainVerificationDnsRecord -Name globalrescue.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADDomainVerificationDnsRecord], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetDomainVerificationDnsRecord
lastly I can try Azure PowerShell on my PC
wait
in admin mode

David
That was my next suggestion!!

You
Installing Azure PowerShell as I had older version

David
perfect

You
installed
connecting to azure subscription
connected
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> Connect-AzureRmAccount
Account : grpl2018@outlook.com
SubscriptionName : Free Trial
SubscriptionId : b26575a7-02b3-4e97-86b7-6d4011a9cb3b
TenantId : 673db1a0-9530-46cc-b16a-6496aa84810b
Environment : AzureCloud

David
excellent
Did the command Get-AzureADDomainVerificationDnsRecord -name globalrescue.com return anything in the local PowerShell?
Any update?
I understand if you had to step away from your computer. Unfortunately, I will need to close this chat. Please re-open it if you would like to continue our discussion!

You
I am here

Ewelina
Hello, this is Ewelina from Azure Portal Chat. What can I help with today?

You
I am guessing that David is not there any more
it's ok just wanted to update him on the progress

Ewelina
yes, he is not available at the moment.
he will be able to see our conversation later on.
so did you manage to connect?

You
well
same error even with local PowerShell
in admin mode
uploaded file: https://olark-file-uploads.s3.us-west-1.amazonaws.com/processed/9f30ec12-4d2f-46b6-a1ff-xxxxx.png 

I have shared screenshot of error with local PowerShell in admin mode
uploaded file: https://olark-file-uploads.s3.us-west-1.amazonaws.com/processed/58e5feaa-82ae-43ee-97f8-xxxxx.png 

and the above is the error in online cloud shell
I am trying with different user (local shell)
as the error says user not found

Ewelina
ok, so in that case, we would like this to be checked by our engineering team. As at this point, this seems too in-depth to troubleshoot over the chat. Can you please post this issue on this forum and provide me with the link to your post so I can escalate this to our experts team: aka.ms/azadMSDNforumq
I will also send them the full transcript of your conversations so they can see all the steps you have completed and all the screenshots

You
same
ok I will send them details


Disconnect AzureAD from Godaddy


Is there a process to disconnect using a 3rd party identity provider like GoDaddy? We have a LOT of issues on one of our domains where they simply cannot use some of the services and programs, including Visual Studio, which is intermittent in its authentication; Outlook 2016 - forget about it. There are others, but these are the main two.

We would like to continue using the logins (we can withstand a password change, etc if needed); but want to completely remove godaddy from the middle of things.

Thanks,

John

Azure Active Directory Connect: Unable to install the Synchronization Service. Error 25001.


Attempting to install Azure Active Directory Connect. We are using a separate SQL server, SQL Server 2016 instance and a Managed Services Account for the setup.

We have found and unblocked all related ports. When using setup we are specifying the port for the instance.

Have gone through a number of other articles, including Component Services and Registry adjustments, as well as a full uninstall, deletion of folders and registry entries included.

We keep getting back to this error:

Unable to install the Synchronization Service. Please see the event log for additional details.

Log:

MSI (s) (6C:F0) [09:55:58:191]: Skipping action: GetGroupNamesFromDB (condition is false)
MSI (s) (6C:F0) [09:55:58:191]: Skipping action: DetectServiceAccount (condition is false)
MSI (s) (6C:F0) [09:55:58:191]: Doing action: ValidateAccount
Action ended 9:55:58: SetMSSQLSERVERServiceEmpty. Return value 1.
MSI (s) (6C:08) [09:55:58:191]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI7136.tmp, Entrypoint: ValidateAccount
MSI (s) (6C!7C) [09:55:58:207]: PROPERTY CHANGE: Adding UpdatedSourcesDialog property. Its value is '1'.
Action start 9:55:58: ValidateAccount.
MSI (s) (6C!7C) [09:55:58:207]: Product: Microsoft Azure AD Connect synchronization services -- Error 25001.The Microsoft Azure AD Connect synchronization services setup wizard cannot validate the information for service account, password, or domain or local computer. Verify the entered information is correct, and then try again.

CustomAction ValidateAccount returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 9:55:58: ValidateAccount. Return value 3.
Action ended 9:55:58: INSTALL. Return value 3.
MSI (s) (6C:F0) [09:55:58:207]: Note: 1: 1708 
MSI (s) (6C:F0) [09:55:58:207]: Product: Microsoft Azure AD Connect synchronization services -- Installation operation failed.

MSI (s) (6C:F0) [09:55:58:207]: Windows Installer installed the product. Product Name: Microsoft Azure AD Connect synchronization services. Product Version: 1.1.614.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
