Channel: Azure Active Directory forum
Viewing all 16000 articles

Windows 10 1803 - Join AD via Provisioning Package


Hello!
Right now we are deploying devices with Windows 10 1709, and joining them to Azure Active Directory using provisioning packages. This works perfectly (except for the fact that the bulk token needs to be refreshed every 30 days).

However, we wish to make the switch to 1803, but the provisioning package fails while joining the AD. All other settings, like the Upgrade to Enterprise etc., are configured correctly, but actually joining AD fails.

I've completely recreated the package in ICD 10.0.17134.1 (1803) and still, to no avail.

The message in the Event Log (Provisioning-Diagnostics-Provider) is the one below:

ProvXML category 'DeviceAADJoin' failed with '0x80070057' at CSP node 'AADJ/BPRT'. Provisioning failed

This is from AAD Eventlog:

Error: 0xCAA5001C Token broker operation failed. Operation name: AddAccount,
Error: -895352821 (0xcaa2000b), Description: AADSTS50001: Resource 'https://enrollment.manage.microsoft.com/' is disabled.
Trace ID: e89d2d37-1a08-40fd-8655-33217cc60700
Correlation ID: 68407247-141e-4ad0-bece-143152bfcbcf
Timestamp: 2018-08-17 00:14:11Z
Logged at webaccountprocessor.cpp, line: 532, method: AAD::Core::WebAccountProcessor::ReportOperationError.


This happens on 2 different Azure domains (test and production) with confirmed accounts.


The actual XML of the package uses

<Authority>https://login.microsoftonline.com/common</Authority>

(automatically generated by the ICD). This URL, however, returns a 404?
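
The event log above names the CSP node AADJ/BPRT, the bulk enrollment token the ICD embeds in the package, and the post notes that this token has to be refreshed. The following PowerShell is an added check, not code from the post: it decodes a token's exp claim so an expired or nearly expired bulk token can be ruled out before the package is rebuilt. The BPRT is a JWT; the element name BPRT inside customizations.xml is an assumption taken from the CSP node name, and the sample token is constructed here for the demo and is not a real BPRT.

```powershell
# Added example: inspect the expiry of a bulk enrollment token (BPRT) so an
# expired token can be ruled out before rebuilding the provisioning package.
# The BPRT is a JWT whose payload carries 'iat' and 'exp' (Unix seconds).
# Assumptions: the element holding the token in customizations.xml is named
# BPRT (after the CSP node AADJ/BPRT in the event log); the sample token built
# below is constructed for this demo and is not a real BPRT.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-BprtExpiry {
    # Decodes the JWT payload (no signature check: only the claims are wanted)
    # and reports issue time, expiry, time left and whether it is already expired.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 segments, got $($parts.Count)" }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    $iat = if ($null -ne $claims.iat) { [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat).UtcDateTime } else { $null }
    [pscustomobject]@{
        Audience  = $claims.aud
        IssuedAt  = $iat
        ExpiresAt = $exp
        Remaining = $exp - [DateTime]::UtcNow
        IsExpired = ([DateTime]::UtcNow -gt $exp)
    }
}

function Get-BprtFromPackageXml {
    # Pulls the token text out of an ICD customizations.xml; matches on local
    # name so the XML namespace emitted by a given ICD version does not matter.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $node = $doc.SelectSingleNode("//*[local-name()='BPRT']")
    if ($null -eq $node) { throw "No BPRT element found in $Path" }
    $node.InnerText.Trim()
}

# --- Constructed sample: an unsigned JWT issued 40 days ago with a 30-day life ---
function New-SampleJwt {
    param([long]$IssuedAt, [long]$ExpiresAt)
    $b64url = {
        param($obj)
        $json = ConvertTo-Json -InputObject $obj -Compress
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $b64url @{ alg = 'none'; typ = 'JWT' }
    $payload = & $b64url @{ iat = $IssuedAt; exp = $ExpiresAt; aud = 'sample-audience' }  # placeholder claims
    return ($header + '.' + $payload + '.')
}

$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$sample = New-SampleJwt -IssuedAt ($now - 40 * 86400) -ExpiresAt ($now - 10 * 86400)
Get-BprtExpiry -Token $sample | Format-List

# Against a real package, once the customizations.xml is at hand:
# Get-BprtExpiry -Token (Get-BprtFromPackageXml -Path '.\customizations.xml')
```

The sample token is deliberately ten days past its expiry, so IsExpired comes back true; run against a real package, a Remaining value close to zero is the first thing to check before suspecting the ICD build itself. The decoder does not verify the signature, which is fine for reading expiry but must never be used to decide whether to trust a token.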


Microsoft cookie banner on AD B2C login page


Hi!

We are planning to start using Azure Active Directory B2C to handle login to our customer-facing web applications. However, last week we noticed that Microsoft has introduced a banner to inform users about cookies on many of Microsoft's web pages, and that this banner is also present on the Azure AD B2C login page which will be fronted to our users. Unfortunately the banner mentions "ads" (which is a quite sensitive subject to the organization I am working for), and there is a link to Microsoft's privacy policy which may be confusing to our end users who do not have a connection with Microsoft directly.

Does somebody know if the AD B2C login page was affected by mistake or on purpose, and if there is any mechanism to prevent the banner from being shown?

Regards,

Mats

Insufficient privileges to perform certain tasks


Hi,

I am trying to install an application into my customer's Azure tenant.  So I'm an external user, listed as an Owner in the subscription.  I was able to create a Resource Group and other resources, such as App Services and SQL Servers/Databases, but I can't do the following:

- Create an App Registration

- Validate Custom Domain ownership 

- Access a Key Vault to upload a certificate

The customer receives their Azure services from another company.  When viewing the subscription in the Azure Portal, there's a message at the top:  "This subscription is managed in the Microsoft Partner Center".  I assume that the customer needs to be given more privileges by this partner, but I'm not sure what to do from here.

Note: the customer has verified that non-admins should have permission to create app registrations (under Azure Active Directory - User Settings, the 'App Registrations' setting is 'Yes' (users can register applications), and the 'Administration Portal' setting is 'No' (Restrict access to Azure AD administration portal)).

What is special/different about management via CSP, and how do I get rights to perform the above tasks?

Thanks,

Phil


accountExpires set error help

dirEntry.Properties["userAccountControl"].Value = val & ~0x2; //enable user
//above line no error but below line get error
dirEntry.Properties["accountExpires"].Value = DateTime.UtcNow.AddDays(1).ToFileTimeUtc();

The error thrown is
errMsg = "System.Runtime.InteropServices.COMException (0x80004005): Unspecified error\r\n\r\n   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.PutEx(Int32 lnControlCode, String bstrName, Object vProp)\r\n   at System.DirectoryServices.PropertyValueColl...

Please advise. If it was a permission issue I would have got an error on the first line. Thanks
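
As an added example, not the poster's code: the same DirectoryEntry path, driven from PowerShell through the [ADSI] adapter, writing accountExpires as the decimal string of the FILETIME. accountExpires is a large-integer attribute marshalled through IADsLargeInteger, and handing PutEx a raw Int64 is a common cause of exactly the 0x80004005 shown above, whereas the string form is accepted. The distinguished name is a placeholder, and ConvertLargeIntegerToInt64 is the helper the PowerShell ADSI adapter exposes on the entry for reading the value back.

```powershell
# Added example: set and read accountExpires through ADSI (the same interface
# System.DirectoryServices uses). Large-integer attributes such as accountExpires,
# pwdLastSet and lastLogonTimestamp travel as IADsLargeInteger; pass the value
# as a decimal string when writing. The DN is a placeholder for the demo.

function Set-AccountExpiresAdsi {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,   # e.g. 'CN=jdoe,OU=Users,DC=corp,DC=example'
        [Parameter(Mandatory)][datetime]$ExpiresAt,
        [switch]$NeverExpires
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # 0 (and 0x7FFFFFFFFFFFFFFF) mean 'never expires'; anything else is a FILETIME,
    # i.e. 100-ns ticks since 1601-01-01 UTC, which is what ToFileTimeUtc() returns.
    $fileTime = if ($NeverExpires) { [long]0 } else { $ExpiresAt.ToUniversalTime().ToFileTimeUtc() }
    $entry.Put('accountExpires', $fileTime.ToString())   # string, not Int64
    $entry.SetInfo()
}

function Get-AccountExpiresAdsi {
    # Reads accountExpires back as a UTC DateTime, or $null when the account never expires.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $raw   = $entry.accountExpires.Value                    # IADsLargeInteger COM object
    $int64 = $entry.ConvertLargeIntegerToInt64($raw)
    if ($int64 -eq 0 -or $int64 -eq 0x7FFFFFFFFFFFFFFF) { return $null }
    [DateTime]::FromFileTimeUtc($int64)
}

# Usage (placeholder DN): expire the account one day from now, then read it back.
$dn = 'CN=jdoe,OU=Users,DC=corp,DC=example'
Set-AccountExpiresAdsi -DistinguishedName $dn -ExpiresAt ([DateTime]::UtcNow.AddDays(1))
Get-AccountExpiresAdsi -DistinguishedName $dn
```

In the C# from the post the equivalent change is to assign `DateTime.UtcNow.AddDays(1).ToFileTimeUtc().ToString()` instead of the bare Int64. Note that the userAccountControl write succeeding first does not test the same code path: that attribute is a plain integer, so it says nothing about how the large-integer marshalling will behave.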


Find all Azure Subscriptions associated with an Azure AD Tenant?

I have seen the other post about using 

Login-AzureRMAccount
Get-AzureRMSubscription

But I am wondering if this requires that I have permissions to the subscription (of any form) to be able to see it listed?

I'm doing an assessment and have some permissions, but may not have permissions to some subscriptions.  The client isn't exactly sure how things are set up, so I'm trying to find out how many subscriptions they have (there may be some they don't remember), and if they're associated with the Azure AD tenant.

In other words, is there a way that I can simply list all Azure subscriptions associated with an Azure AD tenant when I may not have rights to some of those subscriptions?
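
The two cmdlets named above answer the question only for subscriptions the signed-in account already has some role on. As an added example (not from the post), the following inventories every tenant the account can reach and the subscriptions visible in each, making the gap explicit: a subscription the account holds no role on is simply absent from the output, not listed as inaccessible. It assumes the AzureRM module the post uses.

```powershell
# Added example: inventory the tenants the signed-in account can reach and the
# subscriptions visible in each. Get-AzureRmSubscription only returns subscriptions
# where the account holds an RBAC role assignment (or a classic administrator role),
# so a subscription you have no access to is silently missing rather than shown as
# 'no access'. The result is therefore a lower bound on what the tenant really has.

Import-Module AzureRM.Profile -ErrorAction Stop

function Get-VisibleSubscriptionInventory {
    param()
    $ctx = Get-AzureRmContext -ErrorAction SilentlyContinue
    if ($null -eq $ctx -or $null -eq $ctx.Account) {
        Connect-AzureRmAccount | Out-Null          # interactive sign-in
    }
    foreach ($tenant in Get-AzureRmTenant) {
        # Query per tenant: a guest account may see subscriptions outside its home tenant.
        $subs = @(Get-AzureRmSubscription -TenantId $tenant.Id -ErrorAction SilentlyContinue)
        if ($subs.Count -eq 0) {
            [pscustomobject]@{
                TenantId       = $tenant.Id
                Directory      = $tenant.Directory
                SubscriptionId = $null
                Name           = '(none visible to this account)'
                State          = $null
            }
            continue
        }
        foreach ($s in $subs) {
            [pscustomobject]@{
                TenantId       = $tenant.Id
                Directory      = $tenant.Directory
                SubscriptionId = $s.Id
                Name           = $s.Name
                State          = $s.State
            }
        }
    }
}

Get-VisibleSubscriptionInventory | Sort-Object TenantId, Name | Format-Table -AutoSize
```

For an assessment that needs the complete list, the supported route is for a Global Administrator of the tenant to temporarily elevate access (the toggle on the Azure AD Properties blade that grants User Access Administrator at the root scope); after that, the same function lists every subscription in the tenant, including ones nobody remembers. Switch the elevation back off when the inventory is done; it is recorded in the directory audit log and leaves that account able to change role assignments on every subscription.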

Hybrid join Failure reason: Device authentication required-deviceid-devicealtsecid claims are null or no device corresponding to the device identifier exists

Same thing for me at the customer site. Got 209 machines hybrid-joined, of which 25 show up twice or more (one even 5 times). But for me all records are as Hybrid-Joined. CAP fails on these (tries to assess as Intune-compliant instead of using the hybrid join control).

Failed logins have these entries in Azure logs:

Sign-in error code
50097
Failure reason
Device Authentication Required - DeviceId -DeviceAltSecId claims are null OR no device corresponding to the device identifier exists.
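
The reply above describes machines that appear two or more times as device objects. As an added example (not part of the thread), the following PowerShell lists the device names with more than one object in Azure AD and shows which copy was seen most recently, so the duplicates can be reviewed rather than guessed at. It assumes the AzureAD PowerShell module; the DeviceTrustType value 'ServerAd' is what that module reports for hybrid Azure AD joined devices.

```powershell
# Added example: find device names that have more than one device object in
# Azure AD (the symptom described above) and show which copy was seen last.
# Requires the AzureAD module; DeviceTrustType 'ServerAd' = hybrid Azure AD joined.

Import-Module AzureAD -ErrorAction Stop

function Get-DuplicateAzureADDevices {
    param([string]$TrustType = 'ServerAd')   # pass '' to include every trust type
    try { Get-AzureADCurrentSessionInfo -ErrorAction Stop | Out-Null } catch { Connect-AzureAD | Out-Null }

    Get-AzureADDevice -All $true |
        Where-Object { [string]::IsNullOrEmpty($TrustType) -or $_.DeviceTrustType -eq $TrustType } |
        Group-Object -Property DisplayName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # Newest activity first: the copy the machine is really using is usually this one.
            $sorted = @($_.Group | Sort-Object -Property ApproximateLastLogonTimeStamp -Descending)
            [pscustomobject]@{
                DisplayName    = $_.Name
                Copies         = $_.Count
                NewestObjectId = $sorted[0].ObjectId
                NewestDeviceId = $sorted[0].DeviceId
                NewestSeen     = $sorted[0].ApproximateLastLogonTimeStamp
                OlderObjectIds = (($sorted | Select-Object -Skip 1).ObjectId -join ', ')
            }
        }
}

Get-DuplicateAzureADDevices | Sort-Object Copies -Descending | Format-Table -AutoSize
```

Do not delete the older copies on the strength of this list alone. On the machine, `dsregcmd /status` prints the DeviceId it is actually registered under; only objects whose DeviceId does not match that value are stale. Removing the object the device is using produces exactly the 50097 failure quoted above until the machine registers again.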


Error while creating user for AzureAD via Powershell

While trying to create a new user, using the commands mentioned on the website
"https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduser?view=azureadps-2.0"
and providing the necessary parameters, I get the following issue:

Error while processing: CREATE for url: /azurescript/Users, Exit Value: 1, output: Connect-AzureAD : One or more errors occurred.: AADSTS50034: To sign into this application the account must be added to the XXXX directory.
Trace ID: 4e44e39f-76f3-4258-816a-4f8b1d7f5d00
Correlation ID: 8235f094-ec2d-43c3-8d94-2c4565b5909c
Timestamp: 2018-09-04 09:26:52Z

How is this resolved?

Configure AAD Sync: Element 'ma-run-data' was not found

Configure AAD Sync

"An error occurred executing Configure AAD Sync task: Element 'ma-run-data' was not found. Line 1, position 2."

I get this error when I try to configure the AAD Connect client on my domain controller.  It was working before, but when I tried to configure SSO it began to give me this error.  I tried stepping back and disabling SSO again but it keeps giving me this error and the sync service doesn't work.  It seems to be referring to some log file that has no data.

Any ideas?


SSPR Status/Reporting

I know there is currently a limit of 30 days to see logging data for self-service password reset, but are there any telltale attributes or signs that would suggest a user has at least registered for the service? I have a customer who would love to see who has actually registered for the service, but they have not kept constant logging. I was hoping to see some attributes that would maybe suggest the user has registered. Does anyone know of anything I am missing?

Alert notification when adding or deleting a subscription

Hello, is there a method to receive a notification when I add or delete a subscription?

I need help deleting an AD B2C directory

I can't delete it. I've tried everything but it is still there; it tells me to delete the app registrations, but that isn't possible.

Note: it seems I accidentally deleted b2c-extensions-app and I can't recover it.

Migrate our local ERP server into Azure which is connected with local AD

Hi,

We have a local domain controller which is Windows 2012 R2, and we have two servers loaded with our company ERP application which are already joined to the above domain controller. Our client machines which use our ERP application are also joined to our domain controller. Now I would like to move our two ERP servers to Azure; our users (client machines) will still be connected to our local AD and at the same time will use our ERP in Azure after the migration. But our ERP servers will only work under the domain. In this case, how can I set it up so that the local AD and the ERP servers in Azure have the domain connectivity which is mandatory? Can anyone help with this?

How to associate an Office 365 tenant with an Azure subscription

Short version...

I created an Azure subscription using my MSDN credit (myname@company.com)

Separately I created an Office 365 subscription, which also creates its own Azure subscription for Azure AD (myname@company.onmicrosoft.com)

Really I'd like to combine these 2 so that I keep my O365 tenant, but use the original Azure subscription.

I found a couple of links:

https://channel9.msdn.com/Series/Microsoft-Azure-Tutorials/Associate-an-Office-365-tenant-with-an-Azure-subscription

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Creating-and-Managing-Multiple-Windows-Azure-Active-Directories/ba-p/243428

But these are both based on an old Azure UI, and I don't see the options in Azure to use an existing directory mentioned.

I tried a few things and e.g. when I switch to the .onmicrosoft.com directory my subscriptions etc. disappear, and when I change the default directory used by those subscriptions it also doesn't seem to be working correctly.

Help please! :)

AADSync Password Reset

Hi All!

I have been trying to configure password reset using password writeback but I haven't had any luck.

I have successfully synced two AD forests to my Azure tenant.

I am using AR\aadsync as the service account to sync between Azure AD and on-prem AD.

I have granted the proper permissions to that service account.

But when the user tries to change his password they get these errors:

By the way, I already have the permissions below set at domain level for the AD MA account:

• Reset Password
• Change Password
• Write lockoutTime
• Write pwdLastSet

And the user trying to change his password does not have the "password never expires" option checked.

Any ideas?

Thanks in advance.

Cheers,

Javier.


Azure AD password protection, Register Proxy command failing

When I follow the instructions to deploy Azure AD password protection, the registration of the proxy fails. When I use the commands

$tenantAdminCreds = Get-Credential
Register-AzureADPasswordProtectionProxy -AzureCredential $tenantAdminCreds

it fails, although the server has internet connectivity. OS is Windows Server 2016 Datacenter. The server is a member server in the domain.

In the RegisterProxy.log in C:\Program Files\Azure AD Password Protection Proxy\Logs, I see this section:

[15:56:26.883] [INFO] [00000008] RegisterProxy: Successfully authenticated to Azure authToken.Length:2367
[15:56:26.883] [INFO] [00000008] RegisterProxy: Authentication succeeded
[15:56:26.883] [INFO] [00000008] RegisterProxy: Creating a new proxy certificate CSR
[15:56:27.648] [INFO] [00000008] RegisterProxy: Created a new proxy certificate CSR
[15:56:27.648] [INFO] [00000008] RegisterProxy: Calling Azure to register the proxy
[15:56:27.648] [INFO] [00000008] RegisterProxy: Calling Azure to register the proxy
[15:56:27.648] [INFO] [00000008] BPLServiceProxy: RegisterProxy starting
[15:56:27.648] [INFO] [00000008] BPLServiceProxy: Calling Azure RegisterProxy endpoint: https://enterpriseregistration.windows.net/aadpasswordpolicy/c1ed8b13-8975-44f6-b918-149236657b19/proxy?api-version=1.0&traceid=b8fc1b6d-f3ff-43d5-9eb5-02f16dc3fbb2
[15:56:27.789] [ERR ] [00000008] BPLServiceProxy: Received error response code from the server:Unauthorized
[15:56:27.789] [INFO] [00000008] RegisterProxy: Register proxy request returned failure code:Unauthorized
[15:56:27.789] [INFO] [00000008] RegisterProxy: Restoring original trace id
[15:56:27.789] [INFO] [00000008] RegisterProxy: RegisterProxy.ExecuteInternal ending
[15:56:27.789] [ERR ] [00000008] RegisterProxy: ExecuteInternal threw an exception:
[15:56:27.789] [ERR ] [00000008] RegisterProxy: System.Management.Automation.PSArgumentNullException: Cannot process argument because the value of argument "exception" is null. Change the value of argument "exception" to a non-null value.
   at System.Management.Automation.ErrorRecord..ctor(Exception exception, String errorId, ErrorCategory errorCategory, Object targetObject)
   at ProxyPowershell.Commands.RegisterProxy.ExecuteInternal()
   at ProxyPowershell.CmdletBase.ExecuteActualBusinessLogic()
[15:56:27.789] [INFO] [00000008] RegisterProxy: Uninitializing logging

Please advise.
Thanks & regards,
Martin



AD Connect Server High CPU

We started having high CPU on our AD Connect server and found the article below. Removed KB4054566 and KB4338605, which are the only KBs from the article installed on the server, and are still seeing high CPU caused by the monitoring service.

https://support.microsoft.com/en-us/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync

Any other KB to check outside that list?



Azure AD Application Proxy 404 error

Hi,

I have 2 web servers inside my network and am trying to publish them to the Internet.

But I'm getting a 404 error in every case, even if I try to publish with a custom domain and with the .msappproxy.net domain.

In the Azure Portal the connector looks connected and "green".

In the logs on the server with the connector I can't see any errors.

What would you recommend to check?

And some more questions:

Is it possible to publish web servers on Linux in such a way?

Is it possible to use one connector for 2 websites?

Thanks.




Unable to change company branding

I am unable to change company branding or add company branding even though I am the owner.

I have an O365 subscription as well.


Unable to Add Enterprise Application from Gallery

I am an owner of an Azure account and am not able to add a new Enterprise application.

See attached screenshot.


