Hi All!

I had been trying to configure the password reset using the password writeback but I hadnt get luck.

I had successfully sync two AD forest to my Azure tenant



I am using AR\aadsync as the service account to sync between AD Azure an AD onprem

I had granted the proper permission to that service account

But when the user try to change his password they got these errors:

By the way, I already have below permissions set at Domain level for AD MA account:

• Reset Password
• Change Password
• Write lockoutTime
• Write pwdLastSet

And the user that trying to change his password has not check the option password never expire.

Any ideas? 

Thanks in advance.

Cheers,

Javier.

I configured azure AD as an identity provider for my organization's application

whenever i try to access the application its redirecting the request to azure login. But I am getting a bad request error and its showing the below message

AADSTS50003: No signing key is configured.

Am I missing something in the configuration

Hi,

I've been trying to find the answer to this question, but have been unsuccessful. If a customer has a laptop that is Domain Joined and Azure AD Joined, and the user needs to reset their password via the Windows 10 Login page, when they are outside the office (I already have the reset password link setup on the Windows 10 Machine) will the user be able to login to the computer using the new password? What is the proper way of setting this up for the Customer?

Here is the Scenario;

<g class="gr_ gr_1135 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins doubleReplace replaceWithoutSep" data-gr-id="1135" id="1135">User</g> is in the office, and <g class="gr_ gr_1194 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins doubleReplace replaceWithoutSep" data-gr-id="1194" id="1194">user</g> logs into their Windows 10 using domain\username. The user is offsite and connected to the internet. User clicks on reset password, and the password resets successfully. User tries to <g class="gr_ gr_954 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling multiReplace" data-gr-id="954" id="954">login</g> to the Windows <g class="gr_ gr_953 gr-alert gr_gramm gr_inline_cards gr_run_anim Punctuation only-del replaceWithoutSep" data-gr-id="953" id="953">computer,</g> but gets an error saying <g class="gr_ gr_952 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins replaceWithoutSep" data-gr-id="952" id="952">password</g> is incorrect. <g class="gr_ gr_1233 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins doubleReplace replaceWithoutSep" data-gr-id="1233" id="1233">User</g> is logging in domain\username.

Should the customer start using their Azure AD account going forward for users who are most of the time remote, instead of their domain account? 

What is the best practice so users who are both working locally in the office and also working off-site? Should we set it up so they use their Azure AD Account only?

Thank you

Hello,

Testing on a Win10 1803 client, domain joined, Azure AD joined (hybrid), all output from the client appears to indicate everything working properly.  However, when using Microsoft Edge to access Office 365, the browser prompts for a username and password.  Chrome appears to do the SSO correctly.  We also have the seamless sign-on configuration enabled, but from what I read, Hybrid AD Join is supposed to take precedence and provide a SSO experience in MS Edge.

Thanks for your help!

I hope this is the right place for B2C questions, since it kind of ties to AAD (but didn't see a specific forum for B2C).

I have some questions on customization of the UI for B2C portals.  I've looked at both of the following links:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-customize-ui-custom
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-ui-customization-custom

But it doesn't seem like my question is answered from those documentation links. 

Question 1: What I'm wondering is if it's possible to customize the "Sign in with your social account" string?  I looked through the policy XML files and did not see that string being generated anywhere, and it did not look like I could customize it through one <MetaData> tags of the <ContentDefinition> block in the TrustFrameworkExtensions.xml file.  So is this string editable?  I attempted to add a Metadata Item tag who's key was "language.intro" hoping  that would override the string on the "api.signuporsignin" ContentDefinition block...but it did not override. 

Question 2: Somewhat related to the above...is it possible to customize the display strings of the built-in fields for the Sign Up / Profile Edit pages?  For example, we would like "Surname" to be "Last Name" and "Given Name" to be "First Name".  Is it possible to customize those display name strings,without creating all new/custom fields to get the display name we want? 

Thanks for the help, I appreciate it!

What kind of the licnese is required to be able to manage enterprise applications in azure? Currently we only have office365 license. Will it cover this feature? Please advise. Thank you very much!

Hi,

I have configured a conditional access policy that allows on-premises domain joined devices to login to Office 365 from locations outside of the corporate network. However, every time I try to log in to the Office 365 portal, my login been denied with following error.

The public IP of the corporate network is listed in Named Locations as well as MFA Trusted IPs.

You can't get there from here

This application contains sensitive information and can only be accessed from:

·        COMPANY domain joined devices. Access from personal devices is not allowed.

Please contact your administrator.

The following information might be useful to your administrator:

• Access rules set by COMPANY require device to be domain joined
• App name: Office 365 Exchange Online
• App id: 00000002-0000-XXXX-YYYY-000000000000
• IP address: 12.345.678.90
• Device identifier: XXXXXXXXXXXXXXXXXXXX
• Device platform: Windows 10
• Device state: Registered
• Signed in asuser@domain.com
• Correlation ID: XXXXXXXXXXXXXXXXXXXX
• Timestamp: 2017-08-29 19:42:53Z

Anyone has any insight?

Muditha Jayath Chathuranga
MVP: Office Servers and Services

MCT | MCSE: Productivity (Charter) | MCSA: Office 365

Blog: The Cloud Journal

If my answer helped you, kindly propose as answer and/or mark as answer where applicable.

My question is regarding the classes and attributes used in Azure AD with their Purpose and usage details,

For example Azure AD has new Group object type Office 365 or Unified Groups (AzureADMSGroup cmdlet, AzureADGroup cmdlet, UnifiedGroup cmdlet),

Which has an attribute ProvisioningOption which has many different value corresponding to the application using which group was created even this detail is not available in entirety,

So once again detail required is Classes – Attributes used in AzureAD with their Purpose and Usage details

P.S. on-premises AD can be also accessed over REST API yes you have to bake one, and you if recall there is an in built Web-Service on the DC’s since Windows 2008,

What I am trying to find it details like following which form the core of the Active-Directory’s functionality,

 6.1.1.2.4.1.2 dSHeuristics

https://msdn.microsoft.com/en-us/library/cc223560.aspx

3.1.1.5.1.3 Uniqueness Constraints

https://msdn.microsoft.com/en-us/library/dn392337.aspx

 3.1.1.5.2.2 Constraints

https://msdn.microsoft.com/en-us/library/cc223443.aspx

 What I need is the complete internal architecture details where is the schema reference that clearly details out

1. ObjectClasses in Azure AD – what is there Object OID, possSuperior supported by each Object Class etc.. as what you can see for Active-Directory
   
2. Attributes in Azure AD – what or which all classes an attribute is associated with, what is the syntax type, what are the rangeUpper / rangeLower values supported basically what is the usage/purpose

BR,
/HS

An Extremist

Hi,

I would like to use conditional access available in Azure AD with the P1/P2 license with an existing third party MDM solution such as Air Watch.

Scenario: Existing MDM Air Watch used in environment. Need to block all devices not managed by Air watch to be restricted from using using office 365 Apps based on Azure AD conditional access based on whether enrolled in Air Watch or not.

If this is not possible what's the alternative method? use conditional access in air watch?

Best Regards,

Michael

i have an azureAD join machine, i configured MFA for all my users but lately i see i dont get the mfa prompt. i check the sign in logs and i see this information "MFA requirement satisfied by claims in the token", from what i understand MFA is been done for me. which leads to my question

1. does SSO overrides the MFA challenge, because if i am unable to get an mfa prompt with a device that belongs to me that defeats the whole process of MFA which requires a challenge from a personal device.

i Await your prompt response .

Hello,

I need to configure Azure AD DS and LDAP, but I alredy have configured AD Connect. I found docs that I just need to run PS script in order to enable NTLM and Kerberos for password hash, but I couldn't find what need to be entered for parameter AD CONNECTOR NAME and AZURE AD CONNECTOR NAME? Is that Server name / Tenant name or something other?

P.S.

With cloud only users, everything works fine.

Regards,

MCSA, MCSE, MCT, IAMCT Country Leader

When I try to install  AAD Connect I get the following error log.

[17:11:04.639] [  1] [INFO ]
[17:11:04.639] [  1] [INFO ] ================================================================================
[17:11:04.639] [  1] [INFO ] Application starting
[17:11:04.639] [  1] [INFO ] ================================================================================
[17:11:04.639] [  1] [INFO ] Start Time (Local): Tue, 11 Sep 2018 17:11:04 GMT
[17:11:04.639] [  1] [INFO ] Start Time (UTC): Wed, 12 Sep 2018 00:11:04 GMT
[17:11:04.639] [  1] [INFO ] Application Version: 1.1.819.0
[17:11:04.639] [  1] [INFO ] Application Build Date: 2018-05-02 16:19:11Z
[17:11:05.764] [  1] [INFO ] Telemetry session identifier: {ba1b49de-ed67-4ceb-869c-3b811762d3df}
[17:11:05.764] [  1] [INFO ] Telemetry device identifier: CEnI82SN9T2/b49MTvDqyjVassIcuUb1rRN4aVe/av8=
[17:11:05.764] [  1] [INFO ] Application Build Identifier: AD-IAM-HybridSync master (38ad783d9)
[17:11:05.889] [  1] [INFO ] machine.config path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.
[17:11:05.889] [  1] [INFO ] Default Proxy [ProxyAddress]: <Unspecified>
[17:11:05.889] [  1] [INFO ] Default Proxy [UseSystemDefault]: Unspecified
[17:11:05.889] [  1] [INFO ] Default Proxy [BypassOnLocal]: Unspecified
[17:11:05.889] [  1] [INFO ] Default Proxy [Enabled]: True
[17:11:05.889] [  1] [INFO ] Default Proxy [AutoDetect]: Unspecified
[17:11:05.936] [  1] [VERB ] Scheduler wizard mutex wait timeout: 00:00:05
[17:11:05.936] [  1] [INFO ] AADConnect changes ALLOWED: Successfully acquired the configuration change mutex.
[17:11:06.030] [  1] [INFO ] RootPageViewModel.GetInitialPages: Beginning detection for creating initial pages.
[17:11:06.061] [  1] [INFO ] Loading the persisted settings .
[17:11:06.124] [  1] [INFO ] Checking if machine version is 6.1.7601 or higher
[17:11:06.170] [  1] [INFO ] The current operating system version is 6.3.9600, the requirement is 6.1.7601.
[17:11:06.170] [  1] [INFO ] Password Hash Sync supported: 'True'
[17:11:06.217] [  1] [INFO ] DetectInstalledComponents stage: The installed OS SKU is 7
[17:11:06.436] [  1] [INFO ] ServiceControllerProvider: GetServiceStartMode(seclogon) is 'Manual'.
[17:11:06.436] [  1] [INFO ] DetectInstalledComponents stage: Checking install context.
[17:11:06.452] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure Active Directory Module for Windows PowerShell
[17:11:06.452] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.467] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bbf5d0bf-d8ae-4e66-91ab-b7023c1f288c}: no registered products found.
[17:11:06.483] [  1] [INFO ] Determining installation action for Microsoft Azure Active Directory Module for Windows PowerShell
[17:11:06.780] [  1] [INFO ] CheckInstallationState: Packaged version (1.1.819.0), Installed version (1.1.819.0).
[17:11:06.780] [  1] [INFO ] CheckInstallationState: AAD PowerShell is up to date (1.1.819.0 <= 1.1.819.0).
[17:11:06.780] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Visual C++ 2013 Redistributable Package
[17:11:06.780] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.780] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {20400cf0-de7c-327e-9ae4-f0f38d9085f8}: verified product code {a749d8e6-b613-3be3-8f5f-045c84eba29b}.
[17:11:06.780] [  1] [VERB ] Package=Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005, Version=12.0.21005, ProductCode=a749d8e6-b613-3be3-8f5f-045c84eba29b, UpgradeCode=20400cf0-de7c-327e-9ae4-f0f38d9085f8
[17:11:06.780] [  1] [INFO ] Determining installation action for Microsoft Visual C++ 2013 Redistributable Package (20400cf0-de7c-327e-9ae4-f0f38d9085f8)
[17:11:06.780] [  1] [INFO ] Product Microsoft Visual C++ 2013 Redistributable Package (version 12.0.21005) is installed.
[17:11:06.780] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Directory Sync Tool
[17:11:06.780] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.780] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[17:11:06.780] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[17:11:06.780] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-13cd-4bab-8da1-2775fa8cf7c2}: no registered products found.
[17:11:06.780] [  1] [INFO ] Determining installation action for Microsoft Directory Sync Tool UpgradeCodes {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}, {dc9e604e-37b0-4efc-b429-21721cf49d0d}
[17:11:06.780] [  1] [INFO ] DirectorySyncComponent: Product Microsoft Directory Sync Tool is not installed.
[17:11:06.780] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Sync Engine
[17:11:06.780] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.780] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-13cd-4bab-8da1-2775fa8cf7c2}: no registered products found.
[17:11:06.780] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[17:11:06.780] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[17:11:06.796] [  1] [INFO ] Determining installation action for Azure AD Sync Engine (545334d7-13cd-4bab-8da1-2775fa8cf7c2)
[17:11:06.889] [  1] [INFO ] Product Azure AD Sync Engine is not installed.
[17:11:06.889] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Connect Synchronization Agent
[17:11:06.889] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.889] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {3cd653e3-5195-4ff2-9d6c-db3dacc82c25}: no registered products found.
[17:11:06.889] [  1] [INFO ] Determining installation action for Azure AD Connect Synchronization Agent (3cd653e3-5195-4ff2-9d6c-db3dacc82c25)
[17:11:06.889] [  1] [INFO ] Product Azure AD Connect Synchronization Agent is not installed.
[17:11:06.889] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Connect Health agent for sync
[17:11:06.889] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.889] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {114fb294-8aa6-43db-9e5c-4ede5e32886f}: no registered products found.
[17:11:06.889] [  1] [INFO ] Determining installation action for Azure AD Connect Health agent for sync (114fb294-8aa6-43db-9e5c-4ede5e32886f)
[17:11:06.889] [  1] [INFO ] Product Azure AD Connect Health agent for sync is not installed.
[17:11:06.889] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[17:11:06.889] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.889] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {0c06f9df-c56b-42c4-a41b-f5f64d01a35c}: no registered products found.
[17:11:06.889] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (0c06f9df-c56b-42c4-a41b-f5f64d01a35c)
[17:11:06.889] [  1] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[17:11:06.889] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Command Line Utilities
[17:11:06.889] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.889] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {52446750-c08e-49ef-8c2e-1e0662791e7b}: verified product code {89ca7913-f891-4546-8f55-355338677fe6}.
[17:11:06.889] [  1] [VERB ] Package=Microsoft SQL Server 2012 Command Line Utilities , Version=11.4.7001.0, ProductCode=89ca7913-f891-4546-8f55-355338677fe6, UpgradeCode=52446750-c08e-49ef-8c2e-1e0662791e7b
[17:11:06.889] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Command Line Utilities (52446750-c08e-49ef-8c2e-1e0662791e7b)
[17:11:06.889] [  1] [INFO ] Product Microsoft SQL Server 2012 Command Line Utilities (version 11.4.7001.0) is installed.
[17:11:06.889] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Express LocalDB
[17:11:06.889] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.889] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {c3593f78-0f11-4d8d-8d82-55460308e261}: verified product code {72b030ed-b1e3-45e5-ba33-a1f5625f2b93}.
[17:11:06.889] [  1] [VERB ] Package=Microsoft SQL Server 2012 Express LocalDB , Version=11.4.7469.6, ProductCode=72b030ed-b1e3-45e5-ba33-a1f5625f2b93, UpgradeCode=c3593f78-0f11-4d8d-8d82-55460308e261
[17:11:06.889] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Express LocalDB (c3593f78-0f11-4d8d-8d82-55460308e261)
[17:11:06.889] [  1] [INFO ] Product Microsoft SQL Server 2012 Express LocalDB (version 11.4.7469.6) is installed.
[17:11:06.889] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Native Client
[17:11:06.889] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.889] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {1d2d1fa0-e158-4798-98c6-a296f55414f9}: verified product code {b9274744-8bae-4874-8e59-2610919cd419}.
[17:11:06.889] [  1] [VERB ] Package=Microsoft SQL Server 2012 Native Client , Version=11.4.7001.0, ProductCode=b9274744-8bae-4874-8e59-2610919cd419, UpgradeCode=1d2d1fa0-e158-4798-98c6-a296f55414f9
[17:11:06.889] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Native Client (1d2d1fa0-e158-4798-98c6-a296f55414f9)
[17:11:06.889] [  1] [INFO ] Product Microsoft SQL Server 2012 Native Client (version 11.4.7001.0) is installed.
[17:11:06.889] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[17:11:06.889] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.889] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {fb3feca7-5190-43e7-8d4b-5eec88ed9455}: no registered products found.
[17:11:06.889] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (fb3feca7-5190-43e7-8d4b-5eec88ed9455)
[17:11:06.889] [  1] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[17:11:06.889] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connection Tool.
[17:11:06.967] [  1] [WARN ] Failed to read DisplayName registry key: An error occurred while executing the 'Get-ItemProperty' command. Cannot find path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftAzureADConnectionTool' because it does not exist.
[17:11:06.967] [  1] [INFO ] Product Microsoft Azure AD Connection Tool is not installed.
[17:11:06.967] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure Active Directory Connect
[17:11:06.967] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:11:06.967] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {d61eb959-f2d1-4170-be64-4dc367f451ea}: verified product code {0f4d6650-8a7c-4c9d-8449-2431b8dff372}.
[17:11:06.967] [  1] [VERB ] Package=Microsoft Azure AD Connect, Version=1.1.819.0, ProductCode=0f4d6650-8a7c-4c9d-8449-2431b8dff372, UpgradeCode=d61eb959-f2d1-4170-be64-4dc367f451ea
[17:11:06.967] [  1] [INFO ] Determining installation action for Azure Active Directory Connect (d61eb959-f2d1-4170-be64-4dc367f451ea)
[17:11:06.967] [  1] [INFO ] Product Azure Active Directory Connect (version 1.1.819.0) is installed.
[17:11:06.967] [  1] [INFO ] Checking for DirSync conditions.
[17:11:06.967] [  1] [INFO ] DirSync not detected. Checking for AADSync/AADConnect upgrade conditions.
[17:11:06.967] [  1] [INFO ] Initial configuration is incomplete.
[17:11:17.470] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180911-171104.log

How to list down all aliases/proxyAddresses of Office365 account using Microsoft Graph API?

I know beta APIs have a field called proxyAddresses however is there anything available in v1.0 where I can see all the proxyAddresses or aliases?

I have a simple C#/MVC 5 Azure app with a redirect sign-on and I am trying to simply get the Azure Active Directory Groups to which my authenticated User belongs.

I am having a devil of a time navigating all the various conflicting tutorials and MSDN content relating to:  AAD Groups, Claims, Graph API, Azure Portal App Registration, etc...

All I want to do is loop through a User's Groups that they are a member of.

Does anyone have a clean, simple explanation of how to do only this (without all kinds of extra Role/Claims stuff)?

Does my Azure App have to be converted into a Registered Azure Application in the portal in order to be able to do this?

It seems inordinately hard to figure out...

This call:
https://graph.windows.net/myorganization/groups/{object_id}/$links/members?api-version

produces an Access Token missing or malformed.

Then somewhere people say I need to send a token from somewhere else...