Hard delete an application from Azure AD
How to generate "revoke consent" event in Azure AD portal?
Add policy to service principal
"Update external secrets" - How to generate this event in Azure AD?
Error installing configuring AAD Connect for Federation services
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: Element 'ma-run-data' was not found. Line 1, position 2. ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: Element 'ma-run-data' was not found. Line 1, position 2.
at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateEmptyRunProfile(RunProfile runProfile)
at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateRunProfile(RunProfile runProfile)
at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRunProfileCmdlet.ProcessRecord()
How to identify unique client using oauth and clientid and clientsecret?
Hi,
I am building a WebApi that will be used for integration by others and I want to use OAuth for authentication and authorization.
As this WebApi will be called by a service or application at the customer, there is no real user associated to the call.
(and therefore I did not want to force the customer to provide me with an email or similar, as this is not a user account.)
So I decided to use ClientId and ClientSecret and my thought was to generate a ClientSecret for each customer (each "user" of the api).
Here I think I made a mistake... as I realize that there seems to be no unique Id per generated ClientSecret.
There is only the ClientSecret and a Description.
Okay, maybe I can use the ClientSecret as Id, I tried to see if I could find the ClientSecret in the token, but I could not find it.
(was not really expecting to find it, as I think that would probably violate the security)
And the ClientId used (as you know) is actually the ApplicationId => the Id of my application (WebApi App) in Azure AD.
So going back to the ClientId and ClientSecret authentication model.
Is there really a way to know who (unique caller) is authenticated using OAuth ClientId and ClientSecret?
What is the best practice in this case? I bet I am not the only one having WebApis exposed to non-specific users.
Ideas and suggestions appreciated
Regards
-Anders
Disconnect Microsoft Account from Azure AD
Hi,
I connected my Microsoft Account to Azure AD while trying to configure VSTS. I am having a lot of problems ever since. For example, I cannot preview or download attachments from outlook.com and I cannot add my email address to Outlook for Windows. Each attempt at these operations results in a generic error message, something along the lines of, "an error has occurred" without any useful details.
Any idea how can I completely disconnect my Microsoft Account from Azure AD please?
Cannot Switch Active Directories within Azure Portal
Hi,
Out of the blue I'm not able to switch between my active directories within the Azure Portal (https://portal.azure.com).
I do have the proper claims/settings as mentioned in: https://t.co/bvxPMdOAou and tried other proposed solutions like http://aka.ms/d_KgJdiKZY. In fact I'm currently logged into my customer's active directory (which I used the last time) and want to switch to my own active directory.
Technical details:
Browser: Chrome, Brave, Safari (all private and normal sessions)
OS: MacOs
URL: https://portal.azure.com/
Problem: Missing the menu option "Switch Directories"
Anybody any suggestions? Thanks in advance
AD FS with Azure AD Domain Services
Hello,
I am trying to implement Azure AD Domain Services but I have two doubts:
- Is it possible to implement +1 Azure AD Domain Services in the same tenant?
- If I have AD Federation Services (on-premise), is it possible to implement Azure AD DS? Is it necessary to sync passwords?
thanks!
Duplicate Computers and Conditional Access (Hybrid Azure AD Join)
https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup#step-5-verify-joined-devices
We have set this up successfully, but we see two entries for the most part for each computer (one for "Azure AD registered" and one for "Hybrid Azure AD joined").
We are trying to do some Intune conditional access with "Hybrid" Windows devices, but best we can tell, the computer thinks we are coming from the Azure AD registered computer, not the Hybrid joined computer, even though they are one and the same.
It was our understanding that activating this would "merge" the entries together, but that doesn't seem to be the case. Can anyone shed some light on this situation? We are in a password hash sync environment with no federation.
Hybrid join Failure reason: Device authentication required-deviceid-devicealtsecid claims are null or no device corresponding to the device identifier exists
Same thing for me at the customer site. Got 209 machines hybrid-joined, of them 25 show up twice or more (one even 5 times). But for me all records are as Hybrid-Joined. CAP fails on these (tries to assess as Intune-compliant instead of using the hybrid join control).
Failed logins have these entries in Azure logs:
Difference between a Device compliance Policy and a Device configuration profile in MS Intune?
Hi,
I was viewing an Intune tutorial on YouTube,
but I was not able to find the difference between a compliance policy and a device configuration profile,
can anyone assist in this?
Best Regards
Hybrid Azure AD joined, state of the device question
Hi,
I am struggling to find clarification on what the end state of a Hybrid AAD joined device looks like. If I use Autopilot Win10 1803 the process allows to register the device in AAD and then carry out an on-prem domain join. So the device is AAD registered and AD joined... is this Hybrid Azure AD joined?
Can a device ever be AD and AAD joined at the same time?
I have come across the following conflicting statements here https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction
Under the description of Hybrid Azure AD Joined devices:
These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
And then later in the summary:
Hybrid Azure AD joined devices for devices that are joined to an on-premises AD
For devices that are joined to an on-premises AD
To automatically register devices with Azure AD
Thanks
Autopilot Machine Join to Local AD
Please suggest, as I have an Autopilot machine joined to Azure AD, located in the corporate network, that needs to join the local AD. I have gone through all the links and references suggesting Hybrid AD and co-managed AD but didn't find an article or reference suggesting how a machine which is provisioned through Autopilot can join the LOCAL AD.
The real benefit of Autopilot in current scenarios is to reduce the provisioning time; at the same time the machine should be part of the local AD.
Application SME
Unable to get Azure AD OpenID Authentication Exchange mail feild as a claim
Our emails are different than UPNs.
To check and make sure I have the mail property, I connect via PowerShell to Azure AD and run the following command:

```powershell
Get-AzureADUser -ObjectId upn@domain.com | Select-Object Mail
```

Output:

```
----
useremail@domain.com
```
So, in Azure AD I create a new Application Registration. In the app manifest, I enable `"acceptMappedClaims": true,`.
Then in Visual Studio I create an *ASP.NET Web Application* and select *Work or School Accounts* for authentication, point to my cloud domain and after it's created, update `ClientId` to point to the application registration, etc.
I then add a mapping policy:
```powershell
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mail","JwtClaimType":"email"}]}}') -DisplayName "CustomClaims" -Type "ClaimsMappingPolicy"
```
I then add the policy to the app:
```powershell
Add-AzureADServicePrincipalPolicy -Id [Enterprise Application Object Id] -RefObjectId [policy id]
```
In `Startup.Auth.cs` I extend the `Scope` list to include `email`:

```csharp
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        Scope = "openid profile email roles"
    });
```
Nothing seems to work. I am definitely missing some configuration step here...
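The following Python helper is an added example, not code from either poster, and it serves two of the questions on this page: the earlier one about identifying the unique caller behind a ClientId/ClientSecret, and this one about checking whether the mapped `email` claim actually arrives. It decodes the payload segment of a token the application receives and reads the relevant claims: for client-credentials tokens Azure AD records the calling application's id in `appid` (v1 endpoint) or `azp` (v2 endpoint) together with its tenant in `tid`, so the caller can be distinguished provided each integrating customer authenticates with its own application registration (an assumption, not something the post states); the secret itself never appears in the token. The sample tokens, application ids, audience and e-mail addresses are constructed placeholders, and the decoder deliberately skips signature verification: it is a diagnostic for looking at claims, and an API must validate the signature against the issuer's keys before trusting any of them.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Base64url decoding, restoring the '=' padding that compact JWTs strip off."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims from the middle segment of a compact JWT.

    No signature check is performed here: use this only to inspect claims while
    debugging; trust decisions belong after signature validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def caller_app_id(claims: dict) -> Optional[str]:
    """Identify the calling application of a client-credentials token.

    Azure AD puts the caller's application (client) id in `azp` (v2) or `appid`
    (v1); the client secret is never carried in the token.
    """
    return claims.get("azp") or claims.get("appid")


def mapped_email(claims: dict) -> Optional[str]:
    """Return the `email` claim if the ClaimsMappingPolicy delivered it, else None."""
    return claims.get("email")


def check_token_basics(claims: dict, expected_audience: str,
                       now: Optional[float] = None) -> bool:
    """Audience and expiry checks an API performs after signature validation."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_audience:
        return False
    exp = claims.get("exp")
    return isinstance(exp, (int, float)) and exp > now


def make_demo_token(claims: dict) -> str:
    """Build a constructed token for offline demonstration.

    The signature segment is a placeholder string, not a real RS256 signature,
    so decode_jwt_payload() can read it but nothing should ever accept it.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-key-id"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"constructed-signature-placeholder"),
    ])


# Constructed sample 1: a client-credentials access token as the WebApi would
# receive it from one customer's own app registration (ids are placeholders).
SAMPLE_ACCESS_CLAIMS = {
    "aud": "api://webapi-placeholder",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "tid": "00000000-0000-0000-0000-000000000001",
    "appid": "11111111-1111-1111-1111-111111111111",  # the caller's application id
    "exp": 4102444800,  # 2100-01-01, keeps the sample valid offline
}
SAMPLE_ACCESS_TOKEN = make_demo_token(SAMPLE_ACCESS_CLAIMS)

# Constructed sample 2: an id_token for a signed-in user after the
# ClaimsMappingPolicy mapped the directory `mail` attribute to `email`.
SAMPLE_ID_CLAIMS = {
    "aud": "22222222-2222-2222-2222-222222222222",  # the web app's client id
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "preferred_username": "upn@domain.com",
    "email": "useremail@domain.com",  # absent when the mapping is not applied
    "exp": 4102444800,
}
SAMPLE_ID_TOKEN = make_demo_token(SAMPLE_ID_CLAIMS)


if __name__ == "__main__":
    access = decode_jwt_payload(SAMPLE_ACCESS_TOKEN)
    print("caller application:", caller_app_id(access), "tenant:", access.get("tid"))
    print("audience/expiry ok:", check_token_basics(access, "api://webapi-placeholder"))
    print("mapped email in id_token:", mapped_email(decode_jwt_payload(SAMPLE_ID_TOKEN)))
```

When debugging the claims-mapping setup, paste the real id_token from the browser session into `decode_jwt_payload()`: if `email` is missing while `preferred_username` is present, the policy is not being applied to the service principal the token was issued for, and the `acceptMappedClaims` and policy assignment steps are the place to look.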
App Registration Portal throws GraphException when adding custom redirect URI
Steps to reproduce the problem:
- Open apps.dev.microsoft.com/#/appList
- Click an application to go to apps.dev.microsoft.com/#/application/...
- Click Platforms -> Add Platform. Click Native Application.
- Click Save. This succeeds.
- Click Platforms -> Native Application -> Custom Redirect URIs -> Add URI.
- Type in the URI: myscheme://microsoftauth
- Click Save. This error appears:
There's a temporary problem
Exception of type 'Microsoft.AppRegPortal.Providers.Graph.GraphException' was thrown.
Error Info: Thu, 06 Sep 2018 00:08:29 GMT | BAASs | Wvw9V
(Reposted here from feedback[dot]azure[dot]com/forums at the request of @AzureSupport on Twitter.)
Stream Azure AD security report to Event hub
Hello experts,
With Azure AD Premium P2 or P1 there are the security reports, which include risky sign-ins. Is there a way these can be streamed into Azure Event Hub for further integration with a SIEM such as QRadar?
Thanks
Microsoft cookie banner on AD B2C login page
Hi!
We are planning to start using Azure Active Directory B2C to handle login to our customer-facing web applications. However, last week we noticed that Microsoft has introduced a banner to inform users about cookies on many of Microsoft's web pages, and that this banner is also present on the Azure AD B2C login page which will be fronted to our users. Unfortunately the banner mentions "ads" (which is a quite sensitive subject to the organization I am working for), and there is a link to Microsoft's privacy policy which may be confusing to our end users who do not have a connection with Microsoft directly.
Does somebody know if the AD B2C login page was affected by mistake or on purpose, and if there is any mechanism to prevent the banner from being shown?
Regards,
Mats