Channel: Azure Active Directory forum

SQL Azure Integrated Authentication with a cloud-only Azure Active Directory user fails


I'm having trouble connecting to a SQL Azure DB using Active Directory Integrated Auth from a VM that is joined to my Azure AD.

Basically what I'm trying to do is the following:

- I have a VM joined to the domain that has IIS running in it
- I have an ASP.NET application running on the VM under a specific user identity that I configured for the app pool. This identity is part of my Azure AD and it is a cloud-native identity (not federated with an on-premises AD or anything like that).
- I have a SQL Azure DB that I would like to connect to from my ASP.NET app using integrated authentication. 

I've verified that I can connect to SQL Azure using this identity through SSMS with both Active Directory - Universal with MFA support and Active Directory - Password so I know the user is able to connect to the DB and that works fine. 

However, when I try to connect with my app, or even through the VM using SSMS with Active Directory - Integrated, I receive an error that looks like this:

Failed to authenticate the user NT Authority\Anonymous Logon in Active Directory (Authentication=ActiveDirectoryIntegrated). Error code 0xCAA9001F; state 10 Integrated Windows authentication supported only in federation flow.

Any help would be greatly appreciated as this is blocking our current project and this authentication scheme is necessary for the requirements of the application.

Thanks in advance,
Abe


Cannot see profile picture in Azure Portal

I have updated the profile picture in AAD for a user and the same is not being seen when logged into Azure Portal.

Regards, Srivatsa

Azure AD Connect WMI Interface


Hi, I can see the old WMI interface from FIM is in AADC, so I should be able to query it for a connector space object by doing:

Get-WmiObject -namespace "root\microsoftidentityintegrationserver" -query "select * from miis_csobject where DN = '<aDN>' and maguid = '<anMAGuid>'"

This works, but then when I want to look for all the connector space objects that have the same mvguid as the connector space object I found above by doing the below, I get an error: Access Denied.

Get-WMIObject -Query "Select * from miis_csobject where mvguid = '<anMVGUID>'" -namespace "root\microsoftidentityintegrationserver"

I don't think permissions are a problem since the first query works, but I checked wmimgmt.msc anyway and I have the following permissions: Execute Methods, Provider Write, Enable Account, Remote Enable. What I don't have is Full Write, Partial Write, Read Security, Edit Security.

I'm aware I can use csexport and csexportanalyzer to get some CSV dumps of the connector spaces, and I may have to go down that route, but I want something a little more targeted. Any ideas?

Testing federation with Office 365, Azure, and other services that use Azure AD using Microsoft Connectivity Analyzer


Hi,

I am testing Office 365 federation connectivity (WS-* configuration with a third-party IdP) using Microsoft Connectivity Analyzer's "I can't set up federation with my Office 365, Azure, or other services that use Azure Active Directory" option. The analyzer runs various test cases, and I want to know specifically what each test case tests for (especially the last one, "Testing silent token issuance from modern client authentication library"). Is there a source where I can get more information? Or can someone please explain what this last test case tests for?


Dinix195

How to provide an application read permissions to all the data in AAD (including users, groups, assigned roles, all resources) using a PowerShell script?

What I am able to do for now, using the PowerShell script, is create a new application and assign the role to read all resource data in a subscription. I am using Azure RM PowerShell 6.8.1 for this. I have read the "Azure Active Directory PowerShell 2.0" documents and found how to give administrative roles to a service principal, but I want to limit the role to read only.

Small company on hosted server with E3 - advice?


Hi all,

Is there any scenario supported by Microsoft where a single 2016 server could provide RD services for 4-5 users and have their user credentials sync between it and 365?

Client has an E3 subscription (non-profit/charity).

Server is being provided by 3rd party with SPLA licensing.

I'm assuming installing AD services and running it as a domain controller isn't supported alongside an RDS role, and therefore we can't use Azure AD Connect, but is there a free Azure AD service with an E3 subscription that would allow joining the server to AAD and authenticating RDS users against 365?

The alternative is to run the server in workgroup mode with RDS and manage 2 sets of credentials.

Thanks,

David

Error installing AAD PowerShell module


I have a Windows 7 64-bit workstation and I am trying to install the AAD PowerShell module.

I have a PowerShell window opened with elevated privileges and I ran the following command: Install-Module -Name AzureAD

I get the following errors. Help!

WARNING: Unable to download from URI 'https://oneget.org/nuget-2.8.5.208.package.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/nugetv2.feed.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/psl.feed.swidtag' to ''.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 
'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ...     $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
 
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to 
see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ...     $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
 
WARNING: Unable to download from URI 'https://oneget.org/nuget-2.8.5.208.package.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/nugetv2.feed.swidtag' to ''.
WARNING: Unable to download from URI 'https://oneget.org/psl.feed.swidtag' to ''.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet. Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception
    + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider
 
Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that '2.8.5.201' or newer version of NuGet provider is installed.
At line:1 char:1
+ Install-Module -Name AzureAD
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-Module], InvalidOperationException
    + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module

Azure AD Application Proxy 404 error


Hi,

I have 2 web servers inside my network and I am trying to publish them to the Internet.

But I'm getting a 404 error in any case, even if I try to publish with a custom domain or with the .msappproxy.net domain.

In the Azure Portal the connector looks connected and "green".

In the logs on the server with the connector I can't see any errors.

What would you recommend to check?

And some more questions:

Is it possible to publish web servers running on Linux in this way?

Is it possible to use one connector for 2 websites?

Thanks.





How to Export all objects with all Attributes


My question is regarding the classes and attributes used in Azure AD, with their purpose and usage details.

For example, Azure AD has a new group object type, Office 365 or Unified Groups (AzureADMSGroup cmdlet, AzureADGroup cmdlet, UnifiedGroup cmdlet),

which has an attribute ProvisioningOption with many different values corresponding to the application with which the group was created; even this detail is not available in its entirety.

So once again, the detail required is the classes and attributes used in Azure AD with their purpose and usage details.

P.S. On-premises AD can also be accessed over a REST API; yes, you have to bake one, and if you recall there is a built-in web service on the DCs since Windows 2008.

What I am trying to find is details like the following, which form the core of Active Directory's functionality:

6.1.1.2.4.1.2 dSHeuristics

https://msdn.microsoft.com/en-us/library/cc223560.aspx

3.1.1.5.1.3 Uniqueness Constraints

https://msdn.microsoft.com/en-us/library/dn392337.aspx

3.1.1.5.2.2 Constraints

https://msdn.microsoft.com/en-us/library/cc223443.aspx

What I need is the complete internal architecture details; where is the schema reference that clearly details:

  1. Object classes in Azure AD: what is their object OID, the possSuperiors supported by each object class, etc., as you can see for Active Directory
  2. Attributes in Azure AD: which classes an attribute is associated with, what the syntax type is, what rangeUpper / rangeLower values are supported; basically, what is the usage/purpose

BR,
/HS


An Extremist

Hard delete an application from Azure AD

When I delete an application from Azure AD, it is deleted from the portal, but it is still present in the recycle bin and can be restored later if needed. How do I delete it permanently, or hard delete it from the recycle bin?

How to generate "revoke consent" event in Azure AD portal?

When I remove consent from an application, it generates an "update service principal" event and not a "revoke consent" event.

Add policy to service principal

How to generate "Add policy to service principal" event in Azure AD portal?

"Update external secrets" - How to generate this event in Azure AD?

How to update external secrets for an application in Azure AD portal?

Azure AD Conditional Access Policies use with an Existing MDM Solution such as AirWatch


Hi,

I would like to use the conditional access available in Azure AD with the P1/P2 license together with an existing third-party MDM solution such as AirWatch.

Scenario: AirWatch is the existing MDM used in the environment. I need to block all devices not managed by AirWatch from using Office 365 apps, based on Azure AD conditional access, according to whether they are enrolled in AirWatch or not.

If this is not possible, what's the alternative method? Use conditional access in AirWatch?

Best Regards,

Michael


Azure AD DS second DNS server listed as forwarder FQDN Failed to resolve


Hi there,

Ever since Azure had the lightning strike we are having issues with external DNS resolution to many domains.

The issue is resolved by using something like Google DNS on the NIC or adding it to a DNS Forwarder in DNS Tools, but something is obviously broken about the AD DS and I'm not sure how to fix it.

The way it is set up by default with Azure AD DS is that you get two DNS addresses, 10.0.0.5 and 10.0.0.4.

I can ping 10.0.0.5 but not 10.0.0.4. I looked at the Forwarders and it shows 10.0.0.4 is the only forwarder and it is in an error state. The server FQDN fails to resolve and validation times out. If I add Google DNS it fixes the issue. Is there a way to reboot the 10.0.0.4 server? I can't even tell if it's alive...


Azure AD Domain Services ADFS

We have a single sign-on web application that is not in the Azure Active Directory application gallery.
The SSO web application is currently a relying party in ADFS.
Our supplier informs us that their web application cannot be configured with Azure AD SAML 2.0 as described in the article below:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
As we are going to use full cloud identities, we are demoting ADFS.
So my idea was to build and join the ADFS server to Azure AD Domain Services.

So my question is: is it supported (and does it actually work) to join an ADFS server to Azure AD Domain Services?

Azure AD Connect not Syncing


Hi,

I have Azure AD Connect set up for syncing to my Azure Active Directory. For some reason, it stopped working and I can't figure out why. If I look at the Synchronization Service Manager, I can see that AD Sync is running a few times a day and all of the statuses say success. If I look at them individually for both the AD side and the Azure side, they show rows being updated in the Export Statistics. However, when I go to my Azure Portal all of my old users are there and none of my groups are showing up.

Does anyone know why this might be happening or where I can look to see where an issue might be? My biggest problem is that I don't actually have any errors showing up in the sync manager to start looking at.

Thanks,

Chris

Could not retrieve Azure application's logo using Azure AD Graph API

Hi,

I need help in retrieving Azure application's logo using Azure AD Graph API.

I have tried to retrieve the application's details from the following URLs; neither includes logo information:

https://graph.windows.net/<TenantID>/applications?api-version=1.6 and 
https://graph.windows.net/<TenantID>/servicePrincipals?$filter=appId eq '<Application's appId>'&api-version=1.6

As per the documentation (https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity), the response should have a mainLogo attribute. But this attribute is never included in the response. I have tried with an external client and also with Azure AD Graph Explorer, but this attribute is not included in the response.

However, the response includes logoUrl attribute which is not in the documentation. This attribute has logo URL only when the application has custom logo configured. Otherwise, it is always null.

Any suggestions on how to retrieve the application's logo that is seen in Azure portal?

Thanks,
Ishwar

Stream Azure AD security report to Event hub


Hello experts,

With Azure AD Premium P2 or P1 there are the security reports, which include risky sign-ins. Is there a way these can be streamed into an Azure event hub for further integration with a SIEM such as QRadar?

Thanks

Azure App Proxy - non-domain joined machine prompted a second time to authenticate by cwap-cu-2.cloudapp.net


I have published Exchange 2010 OWA via Azure App Proxy for a client.

I've created a secondary web site on the exchange servers and bound it to a different port - 4443 and prepared a WIA version of OWA per https://blogs.technet.microsoft.com/exchange/2011/01/17/configuring-multiple-owaecp-virtual-directories-on-exchange-2010-client-access-server/.

The site works perfectly from the internal network.

Active Directory is syncing with Azure AD and users can log into other Azure resources via SSO to their adfs.contoso.com.

I've installed an Azure App Proxy Connector and validated connectivity via https://aadap-portcheck.connectorporttest.msappproxy.net/ 

I've configured an on-premises Enterprise application and configured the internal URL in Azure as https://mail.contoso.com:4443/owa

I've set the Internal Application SPN to http/mail.contoso.com and the delegated identity as User Principal Name (which is set to match SMTP).

I've run setspn -A http/mail.contoso.com exchangeserver in Active Directory

When browsing to mail-contoso.msappproxy.net from a domain-joined machine, SSO works successfully and the user is logged in without password prompt.

When browsing to mail-contoso.msappproxy.net from a non-domain joined machine, the user is first prompted for authentication by adfs.contoso.com and then AGAIN by cwap-cu-2.cloudapp.net. Then the user is allowed access into OWA.

Why is the user being prompted a second time by cwap-cu-2.cloudapp.net?


-David Smith Cloud Consultant Quisitive.com


