Hi,

This is a bit of an emergency... 

I have an azure tenant that is having issues with Azure AD Domain Services.

As it is suggested, the DNS server were configured in the Vnet as custom DNS.

However, recently there was a complaint that Internet was not accessible from the Azure hosted VM.

I removed the custom DNS servers from the Vnet and switched to "Default (Azure Provided)" and Internet was accessible.  However, I could not log on to the VM using my user@customdomain.com account; only with the local Admin account.

Looking at the Azure AD Domain Services Health, there are 2 Monitor messages:

Message 1:

Backup: Last backed up on Sat, 08 Sep 2018 18:51:57 GMT

Message 2: 

Synchronization with Azure AD: Synchronized on Thu, 13 Sep 2018 05:59:39 GMT.

And 3 Alerts

Alert 1:

Name: The managed domain is experiencing a network error

Severity: Critical 

ID: AADDS104

Raised: 9/13/2018, 10:44:19 AM

Last Detected: 9/13/2018, 5:02:03 PM

Issue: Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user defined route that blocks incoming traffic from the internet.

Resolution:  Refer to the following article to resolve this issue Troubleshooting Alerts - Network Error

Alert 2:

Name: The managed domain has not been backed up for a long time

Severity: Warning

ID: AADDS501

Raised: 9/14/2018, 4:51:57 AM

Last Detected: 9/14/2018, 3:36:16 PM

Issue: The managed domain was last backed up on 9/8/2018 6:51:57 PM.

Resolution: Refer to the following article to resolve this issue Active Directory Domain Services article

Alert 3:

Name: The managed domain is suspended

Severity: Critical

ID: AADDS504

Raised: 9/13/2018, 5:06:11 PM

Last Detected: 9/14/2018, 3:36:16 PM

Issue: The managed domain is suspended due to an invalid configuration. The service has been unable to manage, patch, or update the domain controllers for your managed domain for a long time.

Resolution: Refer to the following article to resolve this issue Active Directory Domain Services article

After doing some research, I was able to ascertain that all 3 ports required for AD Synchronisation (443, 3389, 5986) are defined in the incoming rules of the NSG.

From the Monitor message, the synchronisation was done but the backup was not done for less than a week (if you compare the 2 dates between the backup and the sync).

Apparently, according to https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-suspension, if the issue is not resolved, the managed domain is at risk of being deleted in less than 15 days.

Of course we would like to avoid this but it seems that the only way we can get this resolved is by having the domain controllers backed up.  BUT HOW CAN WE DO THIS!!!?? This is an Azure AD DSmanaged domain.

The same above-mentioned article says the following about a managed domain that is in a "suspended" state:

The "Suspended" state

A managed domain is put in the Suspended state for the following reasons:

• One or more critical alerts haven't been resolved in 15 days. Critical alerts can be caused by a misconfiguration that blocks access to resources that are needed by Azure AD DS.
  • For example, the alert AADDS104: Network Error has been unresolved for more than 15 days in the managed domain.
• There's a billing issue with your Azure subscription or your Azure subscription has expired.

Managed domains are suspended when Microsoft is unable to manage, monitor, patch, or back up the domain on an ongoing basis.

What to expect

• Domain controllers for your managed domain are de-provisioned and aren't reachable within the virtual network.
• Secure LDAP access to the managed domain over the internet (if it's enabled) stops working.
• You notice failures in authenticating to the managed domain, logging on to domain-joined virtual machines, or connecting over LDAP/LDAPS.
• Backups for your managed domain are no longer taken.
• Synchronization with Azure AD stops.

After you resolve the alert, your managed domain goes into the "Suspended" state. Then you need to contact support. Support might restore your managed domain, but only if a backup that is less than 30 days old exists.

The managed domain only stays in a suspended state for 15 days. To recover your managed domain, Microsoft recommends that you resolve critical alerts immediately.

We have a 'Basic' support plan and there were absolutely no change made in Azure portal.  So in order for us to have this investigated by Azure support, we have to buy a Support Plan? For something that we didn't break?

Thank you all for your help,

Karim.

Hello. 

Im the admin for this account. 

I logged in to the azure account to reset a users account, because she forgot her password.

but when I logged in and went to the AAD users. I only see one user. Myself. 

the user contacted me and said she remembered her password and was able to log in(?)

wierd because I don’t see any other user but myself. 

Please help. Why am I not able to see all my AAD userea 

my AAD is not syncs with my local AD

Hi There,

We are planning to publish and authenticating on-premises J2EE application(JDK1.7 + JBoss 6.1.0) via azure app proxy. The user will be authenticated with on-premises AD (Windows 2012)

We have found this link "https://azure.microsoft.com/en-in/resources/samples/active-directory-java-webapp-openidconnect/"

Please let us know this is the right approach or any better straight forward approach.

The other options we have already tried and got stuck are as below.

We have created Enterprise Application in azure AD and setting of this application we have selected integrated windows auth(IWA) for Single sign-on option. we have configured app proxy in this and pre-authentication set to AAD and internal URL is my java based web application URL.

On other side AAD connector is install with federation as ADFS(Custom install).

Now the flow is : when we hit User access URL(URL for enterprise application) it challenge for domain verification and after successful verification it redirect to my on-premises AD form. after successful authentication to ADFS it again redirects app proxy(SAML response) and app proxy redirect to my web app with some token named "authorizationNegotiate".

Can anyone confirm, if this is the access token? If so, we haven't found any lib to decode this.

Any help in this direction would be of a great help.

Thanking you in advance,

Regards,

TFS Queries

Hi All,

We have a scenario where an IDP like Azure AD B2C redirects a user to Azure AD for authentication.

We have a federation trust between Azure AD and on-premises ADFS.

The user login to their device using "Hello for Business" - fingerprints or facial authentication.

I assume SAML token generated by ADFS will include authentication context for Azure AD.

The question - Can Azure AD persist authentication context claim from SAML token on the identity token it is going to generate for Azure AD B2C (e.g. through the amr claim on the id token)? If yes, will it be done by default?

Regards,

Ajay 

Now that you bought GitHub I would love to an integration betweet GitHub and Azure AD.

The hosted GitHub Business plan (which supports SAML) is very expensive.

Maybe you can provide a cheaper alternative so that users can easily sign into Github based on Azure AD. 

Followed the tutorial below but received the error "Your request included an invalid SAML response" after the AzureAD login.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial

Follow me on Twitter - @chief7

Hi All

I am executing the call flow for getting the access token & refresh token as per below link. The flow is executed from mobile app Brower. Its a native app (ios & android). However, I am getting error code 

AADSTS 51058. 

For getting authorization code

https://login.microsoftonline.com/35c6458c-1877-41d0-bd1e-c1432aa58511/oauth2/authorize?

From above API request in response I am getting 'Code' which I pass in below URL along with Client ID and Resource to get access token. Here I an getting above error code (external security challenged not satisfied).

https://login.microsoftonline.com/35c6458c-1877-41d0-bd1e-c1432aa58511/oauth2/token

I don't see enough literature to fig out  details on this error code AADSTS 51058. Has anyone encountered same and knows how to address this issue?

P.S: This flow works perfectly fine if executed via Web browser.

Hi,

I'm using OpenID Connect with Azure AD. I have an app on apps.dev.microsoft.com and things are working. Now I'm trying to add the verified_primary_email optional claim. Usually "upn" is the user's e-mail address, but sometimes it's not, for customers with various ADFS setups, so I'm trying to get the email attribute.

When I edit the manifest, add an "optionalClaims" property to the body, and save, I get an error message:

The request body contains unexpected characters/content for the specified content type and encoding.

Here's the block I'm trying to add to the manifest:

"optionalClaims": {"idToken": [
        {"name": "given_name","essential": false
        },
        {"name": "family_name","essential": false
        },
        {"name": "verified_primary_email","essential": false
        }
    ]
}

I've also tried simpler variations. For example, this no-op block gives the same error message:

"optionalClaims": {}

This one gives a slightly different error ("One or more property values specified are invalid"):

"optionalClaims": null

Can I get a hint as to how to add optionalClaims to the manifest?

Mike

I am using following URL to get the Auth Token with user information

https://login.microsoftonline.com/:tenant_id/oauth2/token

tenant_id:TENANT-GUID
grant_type:password
client_id:CLIENT-GUID
client_secret:CLIENT-SECRET
resource:RESOURCE-ID
username:username
password:password

But getting following error:

AADSTS50034: To sign into this application the account must be added to the {TENANT-GUID} directory

Please advice.

I am trying to sign in with the bot emulator and I'm getting this error:

https://www.dropbox.com/s/26hplmzh5nr4ean/Screenshot%202018-09-28%2002.32.07.png?dl=0

I signed up using azure web portal so this is odd. :)

I am looking to create a custom role in Azure so that the security guys can look at the "Risky Log-ins" in Azure AD.

I've looked through the resource providers and there isn't anything related to the Risky Logins......

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

Does anyone know which option I need to select to allow Risky Logins?

Thanks

Below you will find the code required to create the property required.

REQUIREMENTS:  Desktop Version of Outlook (e.g. 2013, 2016),  Visual Studio compiler (e.g. 2015, 2017)

STEPS:
1. Create an appointment in your calendar.
2. Set the subject line of that appointment to MS Graph - Extended Properties Test
3. Save and close outlook
4. Create a VSTO for Outlook project in Visual Studio and copy/paste the code below into "Program.cs"
5. Compile and F5 to run.
6. Open The Appointment Item you created in step 1.  Make some change (Don't change the subject line) and hit save.
7. The code will post the custom data in the body of the Appointment.
8. Try and retrieve that data from MS Graph.

Please only post the actual call to MS graph that you make.  I've been through several Links on Microsoft that explain how this is done, and I've also been through Links on Stack Overflow.  

using System;
using System.Runtime.InteropServices;
using Outlook = Microsoft.Office.Interop.Outlook;

namespace AddCustomProperty
{
    public partial class ThisAddIn
    {
        Outlook.Items _items;
        Outlook.Folder _calendar;
        Outlook.Inspectors _inspectors;
        const string sCustomData = "MyCustomData";

        private void ThisAddIn_Startup(object sender, System.EventArgs e)
        {
            _calendar = this.Application.Session.GetDefaultFolder(Outlook.OlDefaultFolders.olFolderCalendar) as Outlook.Folder;

           _items = _calendar.Items;

           _items.ItemChange += eventChange;

           _inspectors = this.Application.Inspectors;
           _inspectors.NewInspector += newInspectorWindow;


        }

        private void newInspectorWindow(Outlook.Inspector Inspector)
        {
            Object oAppointmentItem = null;
            Outlook.UserProperties userProperties = null;
            Outlook.UserProperty userProperty = null;

            try
            {
                oAppointmentItem = Inspector.CurrentItem;
                if (oAppointmentItem is Outlook.AppointmentItem)
                {
                    userProperties = ((Outlook.AppointmentItem)oAppointmentItem).UserProperties;
                    userProperty = userProperties.Find(sCustomData);
                    if( userProperty != null)
                    {
                        ((Outlook.AppointmentItem)oAppointmentItem).Body = string.Format("MY CUSTOM DATA FOUND [{0}]: {1}\n", DateTime.Now, userProperty.Value);                    
                    }
                }
            }
            catch(Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e.Message);
            }
            finally
            {
                if (userProperty != null) { Marshal.ReleaseComObject(userProperty); userProperty = null; }
                if (userProperties != null) { Marshal.ReleaseComObject(userProperties); userProperties = null; }
                if (oAppointmentItem != null) { Marshal.ReleaseComObject(oAppointmentItem); oAppointmentItem = null; }
            }
        }

        private void eventChange(object Item)
        {
            Outlook.AppointmentItem apptItem = null;
            Outlook.UserProperties userProperties = null;
            Outlook.UserProperty userProperty = null;

            try
            {
                apptItem = Item as Outlook.AppointmentItem;

                if (apptItem.Subject == "MS Graph - Extended Properties Test") 
                {
                    userProperties = apptItem.UserProperties;
                    userProperty = userProperties.Find(sCustomData);
                    if( userProperty == null)
                    {
                        userProperty = userProperties.Add(sCustomData, Outlook.OlUserPropertyType.olInteger);
                        userProperty.Value = 10;
                    }
                    else
                    {
                        ((Outlook.AppointmentItem)apptItem).Body = string.Format("MY CUSTOM DATA FOUND [{0}]: {1}\n", DateTime.Now, userProperty.Value);

                    }

                }
            }
            catch( Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e.Message);
            }
            finally
            {
                if( userProperty != null) { Marshal.ReleaseComObject(userProperty); userProperty = null; }
                if (userProperties != null) { Marshal.ReleaseComObject(userProperties); userProperties = null; }

            }            
        }

        private void ThisAddIn_Shutdown(object sender, System.EventArgs e)
        {
            // Note: Outlook no longer raises this event. If you have code that 
            //    must run when Outlook shuts down, see https://go.microsoft.com/fwlink/?LinkId=506785
        }

        #region VSTO generated code

        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InternalStartup()
        {
            this.Startup += new System.EventHandler(ThisAddIn_Startup);
            this.Shutdown += new System.EventHandler(ThisAddIn_Shutdown);
        }

        #endregion
    }

Germán Hayles

We are trying to configure user provisioning to Salesforce via Azure AD, and have gotten most of the configuration to work.  One thing we are stuck on and have not been able to find any documentation for is how to send more than 1 permission set value to Salesforce.  We have been able to send a single value to salesforce and it was set correctly.  However, all attempts to find the correct syntax to send more than one value to the PermissionSets attribute have all returned with an invalid value error.

The Attribute of PermissionSets as configured in the Salesforce application in Azure AD is configured as a Multi-Value attribute, however there is no documentation that i've been able to find on how to correctly send multiple values to that attribute.

Does the value have to source from a multiple value source attribute in order to be sent correctly?  Is there a way to dynamically create a multi-value set of values to send to the PermissionSets attribute?

We haven't been able to find anything that works, we have only found solutions that fail.  We would like to know what the possibilities and limitations are within the target attribute when it is a multi-value attribute, but haven't gotten much of anywhere yet.

Any guidance will be appreciated.  Please help us out.  Thanks.

We have registered Azure APP(App Registrations) in Azure active directory.  From the APP took the APP ID & Secret Key and Tenant ID, Subscription ID.Using these 4 items we are making API request to azure portal and collecting the reports for available resources in each subscription. And as we are collecting other reports as well such as resource status.

Alternatively, We have some PowerShell & python scripts as well and directly hard-coded these 4 items for authentication(instead of normal Sign-in Authentication), then execute the script from local machine and get the report. I want to know is there any azure pricing involved on each request triggered?

Reference : https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal

Apologise if you are not able understand about my question. Comment me i will re explain with other comment.

I tried to update aad connect in a customer environment where I don't have domain admin permissions. The wizard started and gave me 4 steps instead of 3. The additional step was connecting to the local directory with admin credentials, which I did with the help of an enterprise admin from the customer team.

Upon updating the application stops with the following error

[13:11:41.897] [  4] [INFO ] Examining domain abc.local (:0% complete)
[13:11:41.901] [  4] [INFO ] ValidateForest: using ADC01.abc.local to validate domain abc.local
[13:11:41.905] [  4] [INFO ] Successfully examined domain abc.local GUID:b3317fa0-eacc-4944-abb3-b4580a9f9c76  DN:DC=intranet,DC=local
[13:11:41.924] [  4] [INFO ] Page transition from "Connect to AD DS" [ConfigOnPremiseCredentialsPageViewModel] to "Configure" [PerformConfigurationPageViewModel]
[13:11:41.926] [  4] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.BackgroundInitialize in Page:"Ready to configure"
[13:11:41.927] [  4] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:5868
[13:11:42.932] [  4] [VERB ] PerformConfigurationPageViewModel:ExecuteAutoUpgradeCheck: context.WizardMode UpgradeFromAADConnect.
[13:11:42.940] [  4] [ERROR] GetProductName: Unexpected exception occurred. Details System.Security.SecurityException: Requested registry access is not allowed.
   at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at Microsoft.Azure.ActiveDirectory.Client.Framework.RegistryAdapter.RegistryKeyGetSubKeyValue(RegistryKey baseKey, String subKeyName, String valueName, Object defaultValue)
   at Microsoft.Azure.ActiveDirectory.Client.Framework.RegistryAdapter.GetStringValue(RegistryKey baseKey, String subkeyName, String valueName, String defaultValue)
   at Microsoft.Azure.ActiveDirectory.Synchronization.UpgraderCommon.MonitoringAgentProvider.GetMonitoringConfigurationPath()
   at Microsoft.Azure.ActiveDirectory.Synchronization.UpgraderCommon.MonitoringAgentProvider.GetProductName()
The Zone of the assembly that failed was:
MyComputer
Exception Data (Raw): System.Security.SecurityException: Requested registry access is not allowed.
   at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at Microsoft.Azure.ActiveDirectory.Client.Framework.RegistryAdapter.RegistryKeyGetSubKeyValue(RegistryKey baseKey, String subKeyName, String valueName, Object defaultValue)
   at Microsoft.Azure.ActiveDirectory.Client.Framework.RegistryAdapter.GetStringValue(RegistryKey baseKey, String subkeyName, String valueName, String defaultValue)
   at Microsoft.Azure.ActiveDirectory.Synchronization.UpgraderCommon.MonitoringAgentProvider.GetMonitoringConfigurationPath()
   at Microsoft.Azure.ActiveDirectory.Synchronization.UpgraderCommon.MonitoringAgentProvider.GetProductName()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteAutoUpgradeCheck()
The Zone of the assembly that failed was:
MyComputer
[13:11:42.954] [ 18] [ERROR] A terminating unhandled exception occurred.
Exception Data (Raw): System.AggregateException: One or more errors occurred. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.SecurityException: Requested registry access is not allowed.
   at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at Microsoft.Identity.Health.Common.FileUploader.GetHealthAgentInstallPath()
   at Microsoft.Identity.Health.Common.FileUploader..ctor(UploadSourcePolicy agent, Action`1 logLine)
   at Microsoft.Online.Deployment.Types.Utility.AutoUpgradeEligibilityProvider..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
   at System.Activator.CreateInstance(Type type, Boolean nonPublic)
   at System.Activator.CreateInstance(Type type)
   at Microsoft.Online.Deployment.Framework.ProviderRegistry.CreateInstance[TProvider]()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteAutoUpgradeCheck()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.BackgroundInitialize(Object obj)
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
---> (Inner Exception #0) System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.SecurityException: Requested registry access is not allowed.
   at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at Microsoft.Identity.Health.Common.FileUploader.GetHealthAgentInstallPath()
   at Microsoft.Identity.Health.Common.FileUploader..ctor(UploadSourcePolicy agent, Action`1 logLine)
   at Microsoft.Online.Deployment.Types.Utility.AutoUpgradeEligibilityProvider..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
   at System.Activator.CreateInstance(Type type, Boolean nonPublic)
   at System.Activator.CreateInstance(Type type)
   at Microsoft.Online.Deployment.Framework.ProviderRegistry.CreateInstance[TProvider]()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteAutoUpgradeCheck()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.BackgroundInitialize(Object obj)
   at System.Threading.Tasks.Task.Execute()<---

[13:11:42.996] [  1] [INFO ] Page transition from "Configure" [PerformConfigurationPageViewModel] to "Error" [ErrorPageViewModel]
[13:11:48.736] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180409-131036.log

Has anybody seen this Registry Error before and can point me in the right direction?

If it helps I am local Admin and Sync Admin on the machine and I was able to manage connection settings Like the selected OUs before without any permission errors.

In the meantime I restored the server to a new vm (without the update) and shut down the defective one.

Any help would be greatly appreciated.