Hello All,
We have the latest version of Azure AD Connect, and I'm only syncing a few OUs. Is there any impact of turning on the sync for all AD OUs?
Thanks,
We have many existing AD groups on our network that we want to sync with Azure AD. We have no problem synchronizing individual users. So when we sync an individual user, he/she shows up as a "Security" group in Azure AD. But we want the entire AD group (which has several users) to become part of Azure AD as an "Office 365" group.
Microsoft told us that it cannot be done. Are there ways around it?
Thanks in advance!
Mayank
Hi,
I've been trying to find the answer to this question, but have been unsuccessful. If a customer has a laptop that is domain joined and Azure AD joined, and the user needs to reset their password via the Windows 10 login page when they are outside the office (I already have the reset password link set up on the Windows 10 machine), will the user be able to log in to the computer using the new password? What is the proper way of setting this up for the customer?
Here is the scenario:
User is in the office, and the user logs into their Windows 10 using domain\username. The user is offsite and connected to the internet. User clicks on reset password, and the password resets successfully. User tries to log in to the Windows computer, but gets an error saying the password is incorrect. User is logging in as domain\username.
Should the customer start using their Azure AD account going forward for users who are remote most of the time, instead of their domain account?
What is the best practice for users who work both locally in the office and off-site? Should we set it up so they use their Azure AD account only?
Thank you
Hello,
I need to configure Azure AD DS and LDAP, but I already have AD Connect configured. I found docs saying that I just need to run a PS script in order to enable NTLM and Kerberos for password hash sync, but I couldn't find what needs to be entered for the parameters AD CONNECTOR NAME and AZURE AD CONNECTOR NAME. Is that the server name / tenant name or something else?
P.S.
With cloud only users, everything works fine.
Regards,
MCSA, MCSE, MCT, IAMCT Country Leader
I have a free subscription and am trying to follow a tutorial; during that I need to grant a permission. When I try to do it, I get the following error. Please let me know what can be done.
{"errorCode":"Authorization_RequestDenied","localizedErrorDetails":{"errorDetail":"This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."},"operationResults":null,"timeStampUtc":"2018-09-13T21:05:20.6954829Z","clientRequestId":"XXXXXXXXXXXXXXXXXX","internalTransactionId":"XXXXXXXXXXX","upn":"user@org.com","tenantId":"XXXXXXXXXXXX","userObjectId":null}
Hi there,
Is there anyone out here who can help me get the user settings from the Azure AD portal?
I found out that I can get the group settings through the new v2 PowerShell module for Azure AD, but the user settings seem to be missing there.
I also tried REST calls, but somehow the cookies / authorisation tokens that I get from logging in to portal.azure.com are not valid for the REST API endpoint that Microsoft seems to be using: https://main.iam.ad.ext.azure.com/api/Directories/Properties
Hello, we followed the commands, instructions and example provided in the document and found that they work, but not as expected. For example:
Why doesn't the above setting do an idle session timeout? If the user is actively using the application, the access token will get refreshed, and so should the session token if it is checking the ID token validity; and if I am inactive, the access token will not refresh and it will time out.
As the above settings are not working, can someone please suggest how to implement an idle session timeout using token lifetime policies?
Thank you!
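As an added example that is not part of the post above, this PowerShell (AzureAD module) creates a TokenLifetimePolicy and reads back what the directory stored. The property names are the ones documented for Azure AD configurable token lifetimes; the durations are constructed sample values, and the display name is an assumption. MaxInactiveTime bounds how long a refresh token may sit unused, so a client that keeps refreshing keeps its session alive; an application-level idle timeout still has to be enforced by the application.

```powershell
# Added example: create a TokenLifetimePolicy and verify the stored definition.
# Requires the AzureAD module and a Global Administrator sign-in.
Connect-AzureAD

# Constructed sample durations in dd.hh:mm:ss form (not recommendations)
$definition = @{
    TokenLifetimePolicy = @{
        Version                   = 1
        AccessTokenLifetime       = "01:00:00"   # access token valid for 1 hour
        MaxInactiveTime           = "00:30:00"   # refresh token dies after 30 min unused
        MaxAgeSessionSingleFactor = "08:00:00"   # single-factor web session max age
    }
} | ConvertTo-Json -Compress -Depth 3

# -IsOrganizationDefault $false keeps this scoped until it is assigned to a service principal
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "IdleSessionExample" `
    -Type "TokenLifetimePolicy" `
    -IsOrganizationDefault $false

# Read the definition back so the effective values are confirmed rather than assumed
(Get-AzureADPolicy -Id $policy.Id).Definition |
    ConvertFrom-Json |
    Select-Object -ExpandProperty TokenLifetimePolicy
```

To apply the policy to one application, assign it with Add-AzureADServicePrincipalPolicy against that application's service principal; until it is assigned or made the organization default, it has no effect.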
Hello,
When I try to authorize my Graph API account for my Azure registered app using hello.js, it throws the error:
"Cannot read 'response_type' property of 'undefined'"
Does anyone know how to do OAuth for the Graph API? Is there any alternative to hello.js for OAuth?
My code looks like below:
Thank you in advance.
Can we use Azure AD Application Proxy to publish applications hosted on servers in Azure, or is it for on-premises servers only? The doco seems to suggest on-prem only, but is the word on-prem used here to mean "internal company network"?
We installed the Connector on the same server in Azure as the application to be published, meaning the Connector IP is a generic Azure IP, I think, not an IP specific to my organization. Would it maybe work if we used a connector on an actual on-prem server to create the connection to our internal network and the application that way?
Atm, the connection to the external URL just times out.
Hi,
This is a bit of an emergency...
I have an Azure tenant that is having issues with Azure AD Domain Services.
As suggested, the DNS servers were configured in the VNet as custom DNS.
However, recently there was a complaint that the Internet was not accessible from the Azure hosted VM.
I removed the custom DNS servers from the VNet and switched to "Default (Azure Provided)", and the Internet was accessible. However, I could not log on to the VM using my user@customdomain.com account; only with the local Admin account.
Looking at the Azure AD Domain Services Health, there are 2 Monitor messages:
Message 1:
Backup: Last backed up on Sat, 08 Sep 2018 18:51:57 GMT
Message 2:
Synchronization with Azure AD: Synchronized on Thu, 13 Sep 2018 05:59:39 GMT.
And 3 Alerts
Alert 1:
Name: The managed domain is experiencing a network error
Severity: Critical
ID: AADDS104
Raised: 9/13/2018, 10:44:19 AM
Last Detected: 9/13/2018, 5:02:03 PM
Issue: Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user defined route that blocks incoming traffic from the internet.
Resolution: Refer to the following article to resolve this issue Troubleshooting Alerts - Network Error
Alert 2:
Name: The managed domain has not been backed up for a long time
Severity: Warning
ID: AADDS501
Raised: 9/14/2018, 4:51:57 AM
Last Detected: 9/14/2018, 3:36:16 PM
Issue: The managed domain was last backed up on 9/8/2018 6:51:57 PM.
Resolution: Refer to the following article to resolve this issue Active Directory Domain Services article
Alert 3:
Name: The managed domain is suspended
Severity: Critical
ID: AADDS504
Raised: 9/13/2018, 5:06:11 PM
Last Detected: 9/14/2018, 3:36:16 PM
Issue: The managed domain is suspended due to an invalid configuration. The service has been unable to manage, patch, or update the domain controllers for your managed domain for a long time.
Resolution: Refer to the following article to resolve this issue Active Directory Domain Services article
After doing some research, I was able to ascertain that all 3 ports required for AD synchronisation (443, 3389, 5986) are defined in the incoming rules of the NSG.
From the Monitor message, the synchronisation was done but the backup has not been done for less than a week (if you compare the 2 dates between the backup and the sync).
Apparently, according to https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-suspension, if the issue is not resolved, the managed domain is at risk of being deleted in less than 15 days.
Of course we would like to avoid this, but it seems that the only way we can get this resolved is by having the domain controllers backed up. BUT HOW CAN WE DO THIS!!!?? This is an Azure AD DS managed domain.
The same above-mentioned article says the following about a managed domain that is in a "suspended" state:
A managed domain is put in the Suspended state for the following reasons:
Managed domains are suspended when Microsoft is unable to manage, monitor, patch, or back up the domain on an ongoing basis.
What to expect
After you resolve the alert, your managed domain goes into the "Suspended" state. Then you need to contact support. Support might restore your managed domain, but only if a backup that is less than 30 days old exists.
The managed domain only stays in a suspended state for 15 days. To recover your managed domain, Microsoft recommends that you resolve critical alerts immediately.
We have a 'Basic' support plan and absolutely no changes were made in the Azure portal. So in order for us to have this investigated by Azure support, we have to buy a Support Plan? For something that we didn't break?
Thank you all for your help,
Karim.
Please suggest, as I have an Autopilot machine joined to Azure AD, located in the corporate network, that needs to join local AD. I have gone through all the links and references suggesting Hybrid AD and co-managed AD but didn't find an article or reference suggesting how a machine which is provisioned through Autopilot can join LOCAL AD.
The real benefit of Autopilot in the current scenario is to reduce the provisioning time; at the same time the machine should be part of local AD.
Application SME
Short version...
I created an Azure subscription using my MSDN credit (myname@company.com).
Separately I created an Office 365 subscription, which also creates its own Azure subscription for Azure AD (myname@company.onmicrosoft.com).
Really I'd like to combine these 2 so that I keep my O365 tenant, but use the original Azure subscription.
I found a couple of links:
https://channel9.msdn.com/Series/Microsoft-Azure-Tutorials/Associate-an-Office-365-tenant-with-an-Azure-subscription
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Creating-and-Managing-Multiple-Windows-Azure-Active-Directories/ba-p/243428
But these are both based on an old Azure UI, and I don't see the options mentioned to use an existing directory in Azure.
I tried a few things; e.g. when I switch to the .onmicrosoft.com directory my subscriptions etc. disappear, and when I change the default directory used by those subscriptions it also doesn't seem to work correctly.
Help please! :)
We have exactly the same problem as this person: https://social.msdn.microsoft.com/Forums/azure/en-US/9930dec8-4cc0-445f-9a0e-e2db7c3336b5/duplicate-computers-and-conditional-access-hybrid-azure-ad-join?forum=WindowsAzureAD (but that forum post isn't answered).
Why are all devices duplicates? All devices now have a "registered" entry and a "hybrid" entry.
Some devices say Intune compliant on the "hybrid" device, others on the "registered" device.
We just want one entry. Can we clean things up? Or merge the devices?
Thanks.
I cannot get a user to be hidden from the address list in Office 365. The sync is working but is just not syncing msExchHideFromAddressLists.
So far I have changed the msExchHideFromAddressLists attribute to True.
I also tried following this guide to add it to the sync: https://gertkjerslev.com/howto-sync-msexchhidefromaddresslists-attribute-office-365
I'm running Azure AD Connect version 1.1.880.0. I don't think that matters, but I thought I'd include it.
Regards Jake Gardner If you found this post helpful, please give it a helpful vote. If it answered your question, remember to mark it as an Answer.
Hi,
We have a local domain controller which is Windows 2012 R2, and we have two servers loaded with our company ERP application which are already joined to the above domain controller. Our client machines which use our ERP application are also joined to our domain controller. Now I would like to move our two ERP servers to Azure, and our users (client machines) will still be connected to our local AD and at the same time will use our ERP in Azure after migration. But our ERP servers will only work under the domain. In this case, how can I set it up so that the local AD and the machines with ERP in Azure have domain connectivity, which is mandatory? Can anyone help with this?
Is there a process to disconnect from a 3rd party identity provider like GoDaddy? We have a LOT of issues on one of our domains where they simply cannot use some of the services and programs; Visual Studio is intermittent in its authentication, and Outlook 2016, forget about it. There are others, but these are the main two.
We would like to continue using the logins (we can withstand a password change, etc. if needed), but want to completely remove GoDaddy from the middle of things.
Thanks,
John
Hi,
I'm currently trying to get group writeback working. Although we do have a subscription for Azure AD Premium and I've used the script from https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74 to configure the advanced permissions, I'm still seeing permission errors in Synchronization Service Manager. I've also checked the permissions using the script and the steps described here:
https://blogs.technet.microsoft.com/dkegg/2018/01/30/testing-aad-connect-write-back-permissions-on-an-ou/
Trying to further narrow down the cause of this issue, I remembered that it seemed impossible to explicitly specify an OU for group writeback when I ran the Azure AD Connect wizard, as the field was not editable / greyed out. Therefore, I've manually set the OU value using PowerShell:
# Load the current ADSync global settings
$gs = Get-ADSyncGlobalSettings
# Build a replacement parameter that points group writeback at the target OU
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.GroupWriteBack.Container", String, SynchronizationGlobal, $null, $null, $null
$p.Value = "OU=Office365-Cloudgroups,DC=xyz,DC=net"
# Swap the existing parameter for the new one and persist the settings
$gs.Parameters.Remove($p.Name)
$gs.Parameters.Add($p)
Set-ADSyncGlobalSettings -GlobalSettings $gs
...which seems to have worked so far:
$a = Get-ADSyncGlobalSettings
$a.Parameters | Where-Object { $_.Name -eq "Microsoft.GroupWriteBack.Container" }
Name                   : Microsoft.GroupWriteBack.Container
InputType              : String
Scope                  : SynchronizationGlobal
Description            :
RegexValidationPattern :
DefaultValue           :
Value                  : OU=Office365-Cloudgroups,DC=xyz,DC=net
Extensible             : False
PageNumber             : 0
Intrinsic              : False
DataType               : String
However, the permission errors still persist :-( How can I find further details / debug this?
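As an added example that is not the poster's script, the following PowerShell, run on the Azure AD Connect server, reads the group writeback container from the ADSync global settings, resolves the AD DS connector account, and lists the ACEs that account holds on that OU. It assumes the AD DS connector exposes its service account through the connectivity parameters named forest-login-domain and forest-login-user, and that the ActiveDirectory module (for the AD: drive) is installed.

```powershell
# Added example: compare the configured writeback OU with the rights the connector account has on it.
Import-Module ADSync
Import-Module ActiveDirectory

# Which OU is group writeback configured to use?
$settings  = Get-ADSyncGlobalSettings
$container = ($settings.Parameters |
    Where-Object { $_.Name -eq "Microsoft.GroupWriteBack.Container" }).Value
if (-not $container) { throw "Microsoft.GroupWriteBack.Container is not set" }

# Assumption: the AD DS connector stores its service account in these connectivity parameters.
$adConnector = Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq "AD" } |
    Select-Object -First 1
$domain  = $adConnector.ConnectivityParameters["forest-login-domain"].Value
$user    = $adConnector.ConnectivityParameters["forest-login-user"].Value
$account = "$domain\$user"

Write-Host "Writeback OU    : $container"
Write-Host "Connector account: $account"

# Explicit and inherited ACEs on the OU that reference the connector account.
# Group writeback needs create/delete child rights for group objects plus property writes;
# an empty result here means the permission script never reached this OU.
$acl = Get-Acl -Path ("AD:\" + $container)
$acl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$user" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType, IsInherited |
    Format-Table -AutoSize
```

If the OU returned by the first step differs from the one the permission script was pointed at, the errors in Synchronization Service Manager are expected regardless of what the ACL shows; fix the target first, then re-run the permission script against it.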