Channel: Azure Active Directory forum

How to delete UPN doubles?


We have errors with duplicate UPNs.

We have user XXX@YYY.com and somewhere user XXX1947@yyy.com. But there seems to be no place to delete the wrong one. Everything is fine in Active Directory.

Is there a way to delete these?

All suggestions are welcome.


Office 365 OR Unified Group Properties & Behaviors

Well, the current Microsoft Office 365 Groups documentation now directs you towards the type of group(s) you should create, considering one of the three types of requirement, and the only three apps they recommend creating Office 365 Groups from are Outlook, Teams and Yammer.

However, there is no clear documentation with respect to the properties or attributes which are set on a group, and at the same time which tenant-level settings govern the settings on the group being created. And that's not all: most confusing is in which apps this group is visible and why, and in which one(s) it will not be visible and why.

If one has to prepare a report / inventory showing which group was created using which application, and in which application(s) this group will be visible/accessible?

I have researched this and found that at the Azure AD level there is an attribute on these Office 365 group type objects, provisioningoption, for which there is no clear, complete information or documentation available on how many values this attribute accepts and their corresponding purposes.

There is one info-graphic available at An everyday guide to Office 365 Groups
http://icansharepoint.com/everyday-guide-office-365-groups/

However, better would be to prepare a complete landscape table clearly showing, or rather depicting, where the group is created, what features it will have and which it will inherit.

See https://office365foritpros.com/2018/09/15/office-365-groups-provisioningoption-property/ - Don't depend on the provisioningoption property.

My count is that there are 19 different ways to create Office 365 Groups today. There are probably more if I looked... The point is that there are many different ways to create an Office 365 Group and that number increases over time.

What I need is a table showing, for an O365 group created from a specific O365 app:

In which other Office 365 apps will this group be visible, and why?

What features will this group support, and why?

What factors, such as settings at the tenant level or at any other level, affect the functioning of a group, and how?

When is Microsoft going to publish this documentation?

There are more options; these, I think, are related to the type of tenant one has.
https://serverfault.com/questions/926670/values-of-get-unifiedgroup-output-property-provisioningopti...

An Extremist

Azure AD Schema Reference or Technical Specification


Just as there is a Microsoft Technical Specification available for Microsoft Active Directory Domain Services,

Why is the same not available for Azure AD?

How and where can this detail be found for Azure AD, which clearly explains the details about all classes / object types and attributes supported by Azure AD, with details of their functioning, again as it is explained for Active Directory?

BR,
/HS


An Extremist

Differences to SCIM specification


I am trying to integrate SCIM support for Azure AD into an existing web application. At the moment I struggle with several points.

  • Azure AD is sending PATCH requests for simple attributes with a complex attribute as the value, e.g.

    {"op": "Replace", "path": "userName", "value": [
        {"$ref": null, "value": "blubb2@mysignavio.onmicrosoft.com"}
      ]
    }

    This is in contrast to the SCIM specification.
  • Azure AD is upper-casing operations in PATCH requests, e.g. "Add" instead of "add":

    {"op": "Add", "path": "name.formatted", "value": [
        {"$ref": null, "value": "Blubb Blabb"}
      ]
    }

  • The URLs for Users and Groups have to have "scim" as a prefix, e.g. https://examplewebapp.com/.../scim/Users. The specification does not mention a "scim" prefix. This can force additional adjustments for existing implementations that don't have such a prefix in the URL.
  • When Azure AD sends PATCH requests, the add operation sometimes contains filters in the path. This is not part of the SCIM specification and is not supported by many frameworks.
  • Azure AD is using the schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User. Is there a way to choose the core User schema of SCIM? Is it enough to support the core schema when only core attributes are mapped?
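
A normalizer for the PATCH shapes described in this post, added here as an example and not code from the post or from Azure AD: it lower-cases the op name, unwraps the [{"$ref": null, "value": X}] wrapper on single-valued attributes, resolves an attr[sub eq "v"].sub filter path, and applies the result to a user record. The set of single-valued attributes and the sample PATCH body are assumptions constructed for the example.

```python
import re

# Single-valued attributes the example app supports; the set itself is assumed for this example.
SIMPLE_ATTRIBUTES = {"userName", "displayName", "name.formatted", "name.givenName", "name.familyName"}
PATH_RE = re.compile(r'^(\w+)(?:\[(\w+) eq "([^"]*)"\])?(?:\.(\w+))?$')

def parse_path(path):
    """Split attr, attr.sub or attr[sub eq "v"].sub into (attr, filter or None, sub or None)."""
    m = PATH_RE.match(path or "")
    if not m:
        raise ValueError(f"unsupported path: {path!r}")
    attr, fattr, fval, sub = m.groups()
    return attr, ((fattr, fval) if fattr else None), sub

def normalize_op(op):
    """Lower-case the op name ("Add" -> "add"); unwrap [{"$ref": null, "value": X}] to X on simple attributes."""
    name = str(op.get("op", "")).lower()
    if name not in {"add", "remove", "replace"}:
        raise ValueError(f"unknown op: {op.get('op')!r}")
    out = {"op": name, "path": op.get("path")}
    if "value" in op:
        out["value"] = op["value"]
        if (out["path"] in SIMPLE_ATTRIBUTES and isinstance(out["value"], list) and len(out["value"]) == 1
                and isinstance(out["value"][0], dict) and set(out["value"][0]) <= {"$ref", "value"}):
            out["value"] = out["value"][0].get("value")
    elif name != "remove":
        raise ValueError(f"{name} operation without a value")
    return out

def apply_op(resource, op):
    """Apply one normalized op to a resource dict; a filter selects an item of a multi-valued attribute."""
    attr, flt, sub = parse_path(op["path"])
    if flt is None:                                   # "userName" or "name.formatted"
        container = resource.setdefault(attr, {}) if sub else resource
        key = sub or attr
    else:                                             # 'emails[type eq "work"].value'
        if sub is None:
            raise ValueError("filters are supported here only together with a sub-attribute")
        items = resource.setdefault(attr, [])
        container = next((i for i in items if i.get(flt[0]) == flt[1]), None)
        if container is None:                         # nothing matched the filter
            if op["op"] == "remove":
                return resource
            container = {flt[0]: flt[1]}
            items.append(container)
        key = sub
    if op["op"] == "remove":
        container.pop(key, None)
    else:
        container[key] = op["value"]
    return resource

# Constructed PATCH body mirroring the shapes quoted above (addresses and names are made up).
SAMPLE_PATCH = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [
    {"op": "Replace", "path": "userName", "value": [{"$ref": None, "value": "blubb2@example.onmicrosoft.com"}]},
    {"op": "Add", "path": "name.formatted", "value": [{"$ref": None, "value": "Blubb Blabb"}]},
    {"op": "Add", "path": 'emails[type eq "work"].value', "value": "blubb2@example.onmicrosoft.com"},
]}

def apply_patch(resource, body=SAMPLE_PATCH):
    """Normalize and apply every operation of an Azure AD PATCH body, in order."""
    for op in body.get("Operations", []):
        apply_op(resource, normalize_op(op))
    return resource
```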

Connecting Meraki Client VPN to Azure Active Directory Domain Services (AADDS)

I need to connect our Cisco Meraki Client VPN to Azure Active Directory Domain Services (AADDS) for authentication via Azure MFA. The below articles describe how this connection is supposed to be made but I cannot seem to be able to get it to work.

I am putting in the external IP address but it cannot seem to connect to the domain controller. Packet capture shows that there is no SYN-ACK response during attempts to connect.

Any help would be much appreciated.

https://t.co/SHdRiMA5BZ

IDX20803: Unable to obtain configuration from: '[PII


I followed a tutorial here and it works fine when running locally:

https://docs.microsoft.com/en-us/azure/active-directory/develop/GuidedSetups/active-directory-aspnetwebapp-v1#configure-your-webconfig-and-register-an-application

When I transfer it to our server, I encounter this error.

IDX20803: Unable to obtain configuration from: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.


What configuration did I miss? Thanks in advance. 

AADSTS90056: This endpoint only accepts POST requests. Received a GET request.


Our company web pages at sharepoint.com suddenly got an error for some of our users at the start of February. When users connect to our web page, we use the https://login.microsoftonline.com/login.srf?wa=wsignin1.0 (...) smart login URL as the startup page in IE, and this asks our ADFS servers (I think) to authenticate our users. The web pages worked 100% fine until these problems started and we are struggling to get the root cause. The issue is that the web page loads and then the users are redirected to a

"Cannot login" (translated from Norwegian).

AADSTS90056: This endpoint only accepts POST requests. Received a GET request.

But if the users close their IE and then re-open IE, then it often works fine! Also, this only happens to some users. Most users have no problems.

Anybody have a clue? We have done nothing with our ADFS infrastructure, so I think it's not the root cause of this problem. And the problem only happens to some users, especially in the morning when they boot up their computer. I've never seen this problem on my user, for example. Does anybody know if there have been any changes to SharePoint Online on 1-2 February 2018?



Azure Active Directory Groups for Authenticated User


I have a simple C#/MVC 5 Azure app with a redirect sign-on and I am trying to simply get the Azure Active Directory Groups to which my authenticated User belongs.

I am having a devil of a time navigating all the various conflicting tutorials and MSDN content relating to:  AAD Groups, Claims, Graph API, Azure Portal App Registration, etc...

All I want to do is loop through a User's Groups that they are a member of.

Does anyone have a clean, simple explanation of how to do only this (without all kinds of extra Role/Claims stuff)?

Does my Azure App have to be converted into a Registered Azure Application in the portal in order to be able to do this?

It seems inordinately hard to figure out...

This call:
https://graph.windows.net/myorganization/groups/{object_id}/$links/members?api-version

produces an "Access Token missing or malformed" error.

Then somewhere people say I need to send a token from somewhere else...


SSO Advice


Hello, I'm not sure I am in the right place?

I have an Enterprise App in Azure using Federated SSO for authentication. (hope I said that right...)

Works GREAT both internally and externally.

But I have concerns. I love that users on our domain have SSO, and the option to save their credentials on their mobile devices; at the same time, I don't want that to happen publicly or at a kiosk.

Any Advice?


Change passthrough authentication to use login.microsoftonline.com instead of login.windows.net


I have an Azure App Service based website that calls an Azure App Service based API (both Node.js based), but it fails due to CORS issues. Both App Services are protected by Azure Active Directory but have no authentication code, relying instead on implicit passthrough authentication.

This issue is almost identical to what is raised below:

https://github.com/Azure-Samples/active-directory-java-webapp-openidconnect/issues/7

However, in that case authentication was explicitly written into the code and was apparently resolved by simply changing reference to login.windows.net to use login.microsoftonline.com instead.

So my question is, is it possible to get the App Services/AAD to redirect to login.microsoftonline.com for passthrough authentication instead of login.windows.net?

Move users, computers, objects from One domain to another hosted in Azure Active Directory (NO On-Premise AD)


Current scenario:

Custom domain name 1: abc.com
Azure Active Directory license: P1
Office365 actively used by all users
Users authenticate using Azure Active Directory (no on-premise Active Directory)
Client OS: Windows 10, connected with the Azure Active Directory

Future state:

Migrate all users from abc.com to the new domain name: xyz.com (part of the same Azure Active Directory)

Explanation:

The company is planning a facelift of the brand name and thus a change of domain name for all users, wherein users' AD properties should be updated from the old domain name abc.com to the new domain name xyz.com.

My research suggests ADMT can be used; however, it is applicable to on-premises Active Directory.

As this is a pure Azure Active Directory environment, I am not sure how I can smoothly migrate:

- Users
- Computer objects
- Printers
- Office365 (all sub-services)
- MFA
- VPN access

Looking for advice on what needs to be considered for the migration or movement to occur.

Any pointer will be greatly appreciated.

Thanks in advance for your time and assistance.

Regards, Dematri


How do I read the “UserProperty” value in Outlook using MS Graph


We have legacy code that writes custom data to the "UserProperties" collection of an Outlook AppointmentItem object. We've now switched to using Outlook on the Web (OWA).

Using MS Graph, how does one retrieve these values?

I've been poring over this documentation (Outlook extended properties overview) but I can't get it to work. I'm using the MS Graph Explorer.

Here is the event for which I'm trying to retrieve custom data.

{"@odata.context": "https://graph.microsoft.com/beta/$metadata#users('45d5e17d-348a-4ca8-b53c-c7d353b928b3')/events","value": [
    {"@odata.etag": "W/\"GKUifH9QgE6zbEa7VG6rswABBwIJDw==\"","id": "AAMkADU4MzkxN2RmLTdiZDAtNDIwYS04NjQzLTUzNzMyMjM0Y2VkNQBGAAAAAABGjw0ByCaySL6aUxJmew3qBwDwiT27qO5xT6RMWiWBhwRzAAAADIqqAADdUihFgnKFTYATejxXFszxADsYsAgxAAA=","createdDateTime": "2018-07-11T19:17:12.340183Z","lastModifiedDateTime": "2018-09-17T19:50:10.7118964Z",

I assume the "id" value of this event is the one that I should be using.

Here is the REST call I'm making (Note: using BETA)

https://graph.microsoft.com/beta/me/events('AAMkADU4MzkxN2RmLTdiZDAtNDIwYS04NjQzLTUzNzMyMjM0Y2VkNQBGAAAAAABGjw0ByCaySL6aUxJmew3qBwDwiT27qO5xT6RMWiWBhwRzAAAADIqqAADdUihFgnKFTYATejxXFszxADsYsAgxAAA=')?$expand=SingleValueExtendedProperties($filter=id%20eq%20'Integer%20{0006303D-0000-0000-C000-000000000046}%20Name%20TaskID'  )

The UserProperty name is "TaskID" and it holds an Integer. I'm not clear about what the GUID value should be.

I've tried the GUID of the AppointmentItem itself; then the GUID of the "UserProperties" collection contained within the AppointmentItem, and finally the GUID of the "UserProperty" property contained within the "UserProperties" collection. Nothing has worked.

Any clues?


Azure Active Directory Apps basics


I'm new to AAD and getting my head around the setup. I have a couple of basic (probably!) questions:

What's the difference between the 2 ways of creating an App? Via Azure AD Connect and Enterprise Applications?

Do I need to set up separate Apps for Dev/UAT/Prod, or can I use reply addresses to allow the different environments to access the same App?

cheers


Register New User via Easy Auth and Azure AD, Support Limited Anonymous or Unregistered Access


I am trying to use Azure AD and openid in an AspNet Core website I'm building. The site is part of a larger project which will implement some Azure Functions to handle telemetry gathered from a smartphone while riding a motorcycle, as part of a crash monitoring application. Azure AD, open ID, etc., are new to me, so I'm not sure I'm even using the right terminology here, so bear with me.

What I'd like to do as a first step is to use Easy Auth to register new users on the site. The current VS 2017 (15.8) template implements Azure AD (at least) by default, and I've confirmed that it works: I can log into the site using my Microsoft Windows credentials.

Where I'm having a problem is understanding how that authentication fits into registering, and then authenticating, a user onto my site. In other words, I want the login process to check to see if a user is registered with my site (user info to be stored in a SqlServer database). In all the AspNet websites I've written heretofore, that's been implicitly done, because I've been authenticating users against the site database. Now that I'm authenticating against other sources (e.g., Microsoft, Google, Facebook), I'm unclear how to implement the site-specific stuff.

I've tried inserting site-specific authentication when the OpenID service is configured during startup (from Startup.cs):


// using directives this snippet needs at the top of Startup.cs:
// using System.Threading.Tasks;
// using Microsoft.AspNetCore.Authentication.AzureAD.UI;
// using Microsoft.AspNetCore.Authentication.OpenIdConnect;
// using Microsoft.IdentityModel.Tokens;

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // Instead of using the default validation (validating against a single issuer value, as we do in
        // line of business apps), we inject our own multitenant validation logic
        ValidateIssuer = false,

        // If the app is meant to be accessed by entire organizations, add your issuer validation logic here.
        //IssuerValidator = (issuer, securityToken, validationParameters) => {
        //    if (myIssuerValidationLogic(issuer)) return issuer;
        //}
    };

    options.Events = new OpenIdConnectEvents
    {
        OnTicketReceived = context =>
        {
            // If your authentication logic is based on users then add your logic here
            return Task.CompletedTask;
        },

        OnAuthenticationFailed = context =>
        {
            context.Response.Redirect("/Error");
            context.HandleResponse(); // Suppress the exception
            return Task.CompletedTask;
        },

        OnTokenValidated = context =>
        {
            // throwing an exception here when the user is not in the site database
            // just causes the authentication request to be repeated, endlessly
            return Task.CompletedTask; // the handler must return a Task for the lambda to compile
        }
    };
});


When a user is not registered locally, do I just return a redirect to a page that allows them to register?

Related to this, I'd also like to allow some level of anonymous access, directing anonymous users to a page describing the site, how to register, etc. I'm not sure how to do that, either. Is there a way to inject specific claims into the authorization, and then control access to controller actions based on claims?

Sorry about the vague questions here. But, as I mentioned, I'm new to Azure AD, open id, easy auth and, for that matter, AspNet Core 2.0 :)

- Mark

Domain Join AAD

Hi All,

We have some strange behavior.

When we re-image a device (laptop or desktop) we have the problem that the domain join is not processed well in AAD.

The problem we then have is that Office365 products say that the device is not trusted.

When we delete the device in AAD and do a new domain join, all is fine again.

We have on-prem AD servers and we sync to AAD.

Why is AD not updating AAD with the right details?

regards


Manually configure Azure Active Directory with advanced settings B2C

Followed the tutorial/guide on "(Alternative method) Manually configure Azure Active Directory with advanced settings" and this allows us to use a different tenant AD for authentication. However, we can't access AD B2C. Is this possible?

permission

I have a free subscription and am trying to follow some tutorial, during which I need to grant a permission. When I try to do it, I get the following error. Please let me know what can be done?

{"errorCode":"Authorization_RequestDenied","localizedErrorDetails":{"errorDetail":"This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."},"operationResults":null,"timeStampUtc":"2018-09-13T21:05:20.6954829Z","clientRequestId":"XXXXXXXXXXXXXXXXXX","internalTransactionId":"XXXXXXXXXXX","upn":"user@org.com","tenantId":"XXXXXXXXXXXX","userObjectId":null}

Azure AD user objects - Clear off immutable ID

Is there a way to clear off the immutable ID from a user object synced from local AD?

I tried this:

Get-MsolUser -UserPrincipalName userid@mytenant.onmicrosoft.com | Set-MsolUser -ImmutableId "$null"

But it returns this error:

Set-MsolUser : Unable to update parameter. Parameter name: IMMUTABLEID. At line:1 char:65 + Get-MsolUser -UserPrincipalName userid@mytenant.onmicrosoft.com | Set-MsolUser -Im ... + ~~~~~~~~~~~~~~~~ + CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyNotSettableException,Microsoft.Online .Administration.Automation.SetUser

Please suggest.

Thanks, Shobhit Vaish

Azure AD Connect - Update AD FS SSL certificate missing

We are running version 1.1.819.0 (test and prod environments) and we have the same issue. The Update AD FS SSL certificate task is missing. Also noticed that Repair AAD and ADFS Trust is missing from the list of additional tasks.

Problem Install Azure AD Connect

I'm trying to install Azure AD Connect on Windows Server 2016 Standard.

The installation stops in the Configuring step with the error:

[12:59:04.387] [ 11] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[12:59:04.388] [ 11] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[12:59:04.389] [ 11] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (2).
Exception Data (Raw): System.InvalidOperationException: Impossibile avviare il servizio ADSync sul computer '.'. ---> System.ComponentModel.Win32Exception: Il servizio non è stato avviato a causa di un errore in fase di accesso
   --- Fine della traccia dello stack dell'eccezione interna ---
   in System.ServiceProcess.ServiceController.Start(String[] args)
   in Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[12:59:04.389] [ 11] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[12:59:04.389] [ 11] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[12:59:04.390] [ 11] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (3).
Exception Data (Raw): System.InvalidOperationException: Impossibile avviare il servizio ADSync sul computer '.'. ---> System.ComponentModel.Win32Exception: Il servizio non è stato avviato a causa di un errore in fase di accesso
   --- Fine della traccia dello stack dell'eccezione interna ---
   in System.ServiceProcess.ServiceController.Start(String[] args)
   in Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[12:59:04.391] [ 11] [ERROR] ServiceControllerProvider: StartService unable to start service (ADSync). The system event log may contain more details for this issue.
[12:59:07.050] [ 11] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.

In the System log I have Event IDs 7000 and 7041.

