Quantcast
Channel: Azure Active Directory forum
Viewing all 16000 articles
Browse latest View live

AADSync Password Reset

September 6, 2018, 9:42 am
$
0
0

Hi All!

I had been trying to configure the password reset using the password writeback but I hadnt get luck.

I had successfully sync two AD forest to my Azure tenant



I am using AR\aadsync as the service account to sync between AD Azure an AD onprem

I had granted the proper permission to that service account

But when the user try to change his password they got these errors:

By the way, I already have below permissions set at Domain level for AD MA account:

  • Reset Password
  • Change Password
  • Write lockoutTime
  • Write pwdLastSet

And the user that trying to change his password has not check the option password never expire.

Any ideas? 

Thanks in advance.

Cheers,

Javier.


Search

Azure AD Enterprise App "User Assignment Required?" option does nothing

February 15, 2018, 2:00 pm
$
0
0

I have added a 3rd party app from the Application Gallery for the purposes of SAML SSO.  This app is configured and the SSO works properly so I am getting ready to deploy it to my users.  Initially I had set the "User assignment required?" option to yes during testing so only I could see it.  I then assigned the application to myself and was able to see it in my app list and sign in to it from the link in the app list.

I have now set "User assignment required?" to no since this is an application to which all users in my organization should have access.  I don't want to have to assign every user to it.  According to the tooltip for this setting it claims that when the option is set to no as I have done then any user who navigates to the application link will be able to access it.  

This is not the case.  When I look at the my apps list for another user they cannot see it and when I try to go to the app url directly as that user I get the message

Oops, this link isn’t working…
This link to Citra University is invalid. Click the link below to see what applications you have access to. Otherwise, contact your administrator or the person who gave you this link to resolve this issue.

Which seems to suggest that user assignment is still required even though I have disabled the option.

Why is this happening when I have disabled the user assignment requirement?

Error Verifying Domain in Azure Active Directory

September 18, 2018, 12:22 pm
$
0
0

I am getting an error when attempting to verify a custom domain.  In the Custom domain names user interface, I am seeing the following error:

Unable to verify domain name. Ensure you have added the record above at the registrar 'XXXX', and try again in a little while.

However in PowerShell I am seeing:

Confirm-AzureADDomain : Error occurred while executing ConfirmDomain
Code: Request_BadRequest
Message: Domain verification failed with the following error: 'VerifyDomain. Cannot verify an email-verified domain with non-whitelisted service plans.[WINDOWS_STORE;MCOBASIC;ONEDRIVELITE_IW] paramName: NonWhitelistedServicePlan, paramValue:
WINDOWS_STORE;MCOBASIC;ONEDRIVELITE_IW, objectType: '.

How to best organize externals into AAD

September 18, 2018, 2:25 pm
$
0
0

Philosophical question here as we have just started the road to Azure as IDP.

I work for an event organisation and we have (some) onprem AD's and a massive number of external users. Some thousands of them are direct contractors for larger events, some hundreds of them are working as team extensions, again some ten thousands to a couple hundred thousands are external stakeholders that might do business with us at some point. Today we have a bunch of externals administered in our AD as "fake employees" as they needed access to company resources.

We would want to give them a single Company Identity to work with a single account across the IT landscape. Book example of AAD so far.

We already have an AADC syncing our company.com onprem AD into Azure.

I've been weighing in some options on how to best approach all these externals and I'd love to hear some input to these. Technically these are all doable (I believe), I'd like to hear your experience or "best practices" with these, if you will.

0) Treat everyone internal: same AD (different OU's), same AAD, same Displayname

- Externals grouped in a different OU in the same AD domain

- Sync all employees + the external companies as needed to the AAD

- John.Doe@company.com and the external Jane.Doe@company.com has virtually no difference, but in the onprem 

This is basically the concept we want to get away from, but there might be good reasons to keep it.

1) Same AAD, same domain, different Displaynames.

- Put everyone in the company.com AD + sync'ed AAD,

- make the company name part of the display name like "Jane Doe (OTHERCOMPANY)".

This way all employees would know that she is an external, but all 3rd parties to the company would just see a company.com email (at first).

2) Same AAD, different domains

- Put everyone in the company.com AD + sync'd AAD, plus add custom domains and cloud-born identities to the AAD

- We're going to have "John.Doe@company.com" and "Jane.Doe@affiliatecompany.com" in the same AAD

Advantage: same AAD simplicity

Disadvantage: everyone knows that Jane is not an employee of Company, someone needs to admin the externals along with the core employees (admin segregation needs to be planned well)

3) Different AADs, different domains

- Put only employees in the AD

- Put all externals into an "company-ext" AAD and invite them to the company AAD as guests as needed 

- Jane.Doe@company-ext.com will still look like an external address

Advantage: different AD allows for proper segregation of admin tasks

Disadvantage: introduces federation complexity (will everything work properly?)

Or any combination of the above? I've seen 0) and 1) working, I've yet to experience 2 and 3.

Register New User via Easy Auth and Azure AD, Support Limited Anonymous or Unregistered Access

September 4, 2018, 9:28 am
$
0
0

I am trying to use Azure AD and openid in an AspNet Core website I'm building. The site is part of a larger project which will implement some Azure Functions to handle telemetry gathered from a smartphone while riding a motorcycle, as part of a crash monitoring application. Azure AD, open ID, etc., are new to me, so I'm not sure I'm even using the right terminology here, so bear with me.

What I'd like to do as a first step is to use Easy Auth to register new users on the site. The current VS 2017 (15.8) template implements Azure AD (at least) by default, and I've confirmed that it works: I can log into the site using my Microsoft Windows credentials.

Where I'm having a problem is understanding how that authentication fits into registering, and then authenticating, a user onto my site. In other words, I want the login process to check to see if a user is registered with my site (user info to be stored in a SqlServer database). In all the AspNet websites I've written heretofore, that's been implicitly done, because I've been authenticating users against the site database. Now that I'm authenticating against other sources (e.g., Microsoft, Google, Facebook), I'm unclear how to implement the site-specific stuff.

I've tried inserting site-specific authentication when the OpenID service is configured during startup (from Startup.cs):

 

          services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Instead of using the default validation (validating against a single issuer value, as we do in
                    // line of business apps), we inject our own multitenant validation logic
                    ValidateIssuer = false,

                    // If the app is meant to be accessed by entire organizations, add your issuer validation logic here.
                    //IssuerValidator = (issuer, securityToken, validationParameters) => {
                    //    if (myIssuerValidationLogic(issuer)) return issuer;
                    //}
                };

                options.Events = new OpenIdConnectEvents
                {
                    OnTicketReceived = context =>
                    {
                        // If your authentication logic is based on users then add your logic here
                        return Task.CompletedTask;
                    },

                    OnAuthenticationFailed = context =>
                    {
                        context.Response.Redirect("/Error");
                        context.HandleResponse(); // Suppress the exception
                        return Task.CompletedTask;
                    },

                    OnTokenValidated = context =>
                    {
                        // throwing an exception here when the user is not in the site database
                        // just causes the authentication request to be repeated, endlessly

                    }
                };
            });

When a user is not registered locally, do I just return a redirect to a page that allows them to register?

Related to this, I'd also like to allow some level of anonymous access, directing anonymous users to a page describing the site, how to register, etc. I'm not sure how to do that, either. Is there a way to inject specific claims into the authorization, and then control access to controller actions based on claims?

Sorry about the vague questions here. But, as I mentioned, I'm new to Azure AD, open id, easy auth and, for that matter, AspNet Core 2.0 :)

- Mark

Azure AD DS second DNS server listed as forwarder FQDN Failed to resolve

September 7, 2018, 8:21 am
$
0
0

Hi there,

Ever since azure had the lightning strike we are having issues with external DNS resolution to many domains.

The issue is resolved by using something like Google DNS on the NIC or adding it to a DNS Forwarder in DNS Tools, but something is obviously broken about the AD DS and I'm not sure how to fix it.

The way it is setup by default with Azure AD DS is that you get two DNS addresses, 10.0.0.5, and 10.0.0.4.

I can ping 10.0.0.5 but not 4.  And I looked at the Forwarders and it shows 10.0.0.4 is the only Forwarder and it is in an error state.  The Server FQDN fails to resolve and validation times out.  If I add Google DNS it fixes the issue.  Is there a way to reboot the 10.0.0.4 server?  I can't even tell if it's alive...

Non-Hybrid, AD and AAD Joined Device

September 7, 2018, 2:02 pm
$
0
0
I am curious as to what would happen if the .ppkg for bulk enrollment is ran on an AD-Joined device? Would the resulting AAD node be Azure-Joined or Hybrid Joined? If it depends on Azure AD Connect, what happens when devices are and aren't synced?

Azure AD Connect - Update AD FS SSL certificate missing

August 27, 2018, 11:59 am
$
0
0
We are running version 1.1.819.0 (test and prod environments) and we have the same issue. The Update AD FS SSL certificate is missing. Also noticed that Repair AAD and ADFS Trust from the list of additional tasks is missing.
Search

Azure AD password protection, Register Proxy command failing

September 13, 2018, 7:21 am
$
0
0
When I follow the instructions to deploy Azure AD password protection, the registration of the proxy fails. When I use the commands

$tenantAdminCreds = Get-Credential
Register-AzureADPasswordProtectionProxy -AzureCredential $tenantAdminCreds

it fails, although the server has internet connectivity. OS is Windows Server 2016 Datacenter. The server is a member server in the domain.

In the RegisterProxy.log in C:\Program Files\Azure AD Password Protection Proxy\Logs, I see this section:

[15:56:26.883] [INFO] [00000008] RegisterProxy: Successfully authenticated to Azure authToken.Length:2367
[15:56:26.883] [INFO] [00000008] RegisterProxy: Authentication succeeded
[15:56:26.883] [INFO] [00000008] RegisterProxy: Creating a new proxy certificate CSR
[15:56:27.648] [INFO] [00000008] RegisterProxy: Created a new proxy certificate CSR
[15:56:27.648] [INFO] [00000008] RegisterProxy: Calling Azure to register the proxy
[15:56:27.648] [INFO] [00000008] RegisterProxy: Calling Azure to register the proxy
[15:56:27.648] [INFO] [00000008] BPLServiceProxy: RegisterProxy starting
[15:56:27.648] [INFO] [00000008] BPLServiceProxy: Calling Azure RegisterProxy endpoint: https://enterpriseregistration.windows.net/aadpasswordpolicy/c1ed8b13-8975-44f6-b918-149236657b19/proxy?api-version=1.0&traceid=b8fc1b6d-f3ff-43d5-9eb5-02f16dc3fbb2
[15:56:27.789] [ERR ] [00000008] BPLServiceProxy: Received error response code from the server:Unauthorized
[15:56:27.789] [INFO] [00000008] RegisterProxy: Register proxy request returned failure code:Unauthorized
[15:56:27.789] [INFO] [00000008] RegisterProxy: Restoring original trace id
[15:56:27.789] [INFO] [00000008] RegisterProxy: RegisterProxy.ExecuteInternal ending
[15:56:27.789] [ERR ] [00000008] RegisterProxy: ExecuteInternal threw an exception:
[15:56:27.789] [ERR ] [00000008] RegisterProxy: System.Management.Automation.PSArgumentNullException: Cannot process argument because the value of argument "exception" is null. Change the value of argument "exception" to a non-null value.
   at System.Management.Automation.ErrorRecord..ctor(Exception exception, String errorId, ErrorCategory errorCategory, Object targetObject)
   at ProxyPowershell.Commands.RegisterProxy.ExecuteInternal()
   at ProxyPowershell.CmdletBase.ExecuteActualBusinessLogic()
[15:56:27.789] [INFO] [00000008] RegisterProxy: Uninitializing logging

Please advise.
Thanks & regards,
Martin


Using Enterprise Applications to publish an app on an Azure server?

September 13, 2018, 6:48 am
$
0
0

Can we use Azure AD Application Proxy to publish applications hosted on servers in Azure, or is it for on-premise servers only? The doco seems to suggest on-prem only, but is the word on-prem used here more meaning "internal company network"?

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-publish-azure-portal

We installed the Connector on the same server in Azure as the application to be published, meaning the Connector IP is a generic Azure IP I think, not an IP specfic to my organization. Would it maybe work if we used a connector on an actual on-prem server to create the connection to our internal network and the application that way?

Atm, the connection to the external URL just time out.


Find all Azure Subscriptions associated with an Azure AD Tenant?

September 11, 2018, 1:31 pm
$
0
0

I have seen the other post about using 

Login-AzureRMAccount
Get-AzureRMSubscription

But I am wondering if this requires that I have permissions to the subscription (of any form) to be able to see it listed?

I'm doing an assessment and have some permissions, but may not have permissions to some subscriptions.  The client isn't exactly sure how things are setup, so I'm trying to find out how many subscriptions they have (there may be some they don't remember), and if they're associated with the Azure AD tenant.

In other words, is there a way that I can simply list all Azure subscriptions associated with an Azure AD tenant when I may not have rights to some of those subscriptions?

Devices in your organization can't sync settings and enterprise app data. The feature is turned off.

December 17, 2015, 4:44 am
$
0
0

Hi,

I noticed in the AAD portal, under each user, that one is able to view "Device syncing and enterprise app settings" (preview). For all my users it states "Devices in your organization can't sync settings and enterprise app data. The feature is turned off."

There doesn't seem to be a settings within AAD Configuration to enable this either, at least not in an obvious fashion.

Any pointers? How I ended up with this was that I was investingating why two AAD joined laptops could not synchronize Edge's Reading List (both seem to have their own copies and no way to figure out why they do not sync)

Thanks.

How to add existing AD Groups on premise to Azure AD (Office 365)

September 13, 2018, 12:14 pm
$
0
0

We have many existing AD Groups on our network that we want to sync with Azure AD. We have no problem in synchronizing individual users. So when we sync an individual user, he/she shows up as "Security" Group in Azure AD. But we want the entire AD Group (which has several users) to become part of Azure AD as a "Office 365" Group.

Microsoft told us that it cannot be done. Are there ways around it?

Thanks in advance!

Mayank

Redirect to https

August 21, 2018, 1:15 am
$
0
0

Hi!

I have a microservice with AAD authentication. My service is located on AKS.Have moved it to ASP.NET Core 2.1 and now using

app.UseHsts();
and
app.UseHttpsRedirection();

Currently when I am log in I can see "redirect_uri=http%3A%2F%2Fmycustomname-ingress.westeurope.cloudapp.azure.com"

And I am a little bit stuck on changing this http to https.

B2B Guest Users to Azure Subscriptions for non-mail enabled accounts

September 19, 2018, 5:32 am
$
0
0

Hello All,

I am trying to configure security settings within an Azure subscription using B2B guest accounts. High level overview is:

2x AAD Tenants (O365 and Azure)

2x Subscriptions - both trust Azure AAD Tenant

Users within O365 who are mail enabled can be invited as a guest user, follow the invitation link and then be given the relevant access. Makes sense. 

Now, here is my issue. In the O365 tenant, we have a number of Administrative accounts that are not mail enabled and use MFA. 

I can add them as a guest user, and add them to the relevant security groups that are assigned to the required role. However, as they cannot receive the invitation link, when they log into portal.azure.com, they cannot see the subscritions. The Azure portal shows the users as 'invitation sent'.

I have read the article on invitation redemption, that says to send a direct link to the relevant app. Issue is... I dont have any apps other than the Azure portal? 

Any ideas?

Thanks

Paul 

Kind Regards, Paul Sanders | MCSE PC | MCITP EA, VA | MCTS SCCM/SCOM | My Blog: http://tameyourcloud.com

Search

thumbnailPhoto is too big

August 31, 2016, 6:40 am
$
0
0

Hello,

I'm using Azure AD Sync to keep my on-premises AD in sync with Azure. I keep getting the following error:

Unable to update this object in Azure Active Directory, because the attribute
[extension_ebad079fee3145b286669fc781788c1b_thumbnailPhoto], in the local Directory
exceeds the maximum allowed length. If you want to update, reduce the length in the
local directory services, and then try again

I tried to clear the attribute locally via ADSI (I assume is thumbnailPhoto attribute in the user's AD profile), and also to replace with another image, but I keep getting the same error. Do you have any idea, please?

Thanks,
Luca

Unable to login with the new password after resetting the old password

September 19, 2018, 7:13 am
$
0
0


Though it is showing that the password is successfully changed, it is not allowing me to login with the new password and it is still accepting old password only. Can someone help me on this

  

Thanks

Global Administrator missing

September 19, 2018, 7:48 am
$
0
0
I just created our Azure account.  received emails and confirmed.  Installed AD sync to DC and credentials fail.  I log into Azure.com using same credentials and get in.  When I go to ROLES and ADMINISTRATORS and GLOBAL ADMINISTRATORS, it is blank.  It shows my account as a Member User.   I just created this in the last hour.  Need global admin to sync with my domain.  Ideas ?

Unable to verify a custom domain

September 19, 2018, 7:54 am
$
0
0

Hello 

we are not able to verify a specific domain 

Other domains worked very well 

Error Messages :

Portal : 

Unable to verify domain name. Ensure you have added the record above at the registrar '***', and try again in a little while.

Powershell:

 Cannot safely verify an email-verified domain with the non-whitelisted service plan

DNS TXT record is present and worked very well for other domains

Regards

Add policy to service principal

September 7, 2018, 5:45 am
$
0
0
How to generate "Add policy to service principal" event in Azure AD portal?
Viewing all 16000 articles
Browse latest View live
Search