Issue while creating AD Group and adding service principal
I am trying the steps listed in the link below to Connect to Azure SQL Database by obtaining a token from Azure Active Directory (AAD): Azure SQL authentication with a Managed Service Identity
I created a web application and enabled MSI on it and obtained the service principal for it. However, while creating an AAD group, I get the below error:

PS Azure:\> New-AzureRmADGroup -DisplayName 'MyDevAppUsers' -MailNickname 'MyDevAppUsers'
New-AzureRmADGroup : Insufficient privileges to complete the operation.
At line:1 char:1
+ New-AzureRmADGroup -DisplayName 'MyDevAppUsers' -MailNickname 'SSPDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-AzADGroup], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADGroupCommand

So, I tried creating the group manually from the portal and tried to add the service principal to the group, but I get the below error:

Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_BadRequest
Message: Only Users can be members of a Unified Group.
paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group
RequestId: b11e8d64-2387-4132-9825-7958979a17ce
DateTimeStamp: Sat, 29 Sep 2018 07:36:31 GMT
Details: PropertyName - members, PropertyErrorCode - InvalidValue
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:3 char:1
+ Add-AzureADGroupMember -ObjectId $($AADGroup.ObjectId) -RefObjectId $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-AzureADGroupMember], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddGroupMember

Please help with the issue.
Extend Cloud-Only Azure AD - Add On-Premises
Hi,
There are loads of articles about adding Azure AD to On-Premises domains. I'd like to do it the other way and add an on-premises domain to a cloud only Azure AD domain already in place. Are there any articles / R&D covering this scenario?
For anyone wondering why I'm trying to do this I run a consultancy with just a couple of people and a dozen or so resources. The minimum pricing of ADDS is £80 a month which is nuts for such low usage.
Cheers
Nick
Nick Colebourn (MCM / MCSM SQL Server)
NON-Azure Windows 10 PC Keeps Giving the Error "Remote machine is AAD Joined..." NOT using Azure
Hi, My customer, who is not tech-savvy, is 900 miles away. I cannot remote into her laptop. I keep getting the error "Remote machine is AAD Joined...". Azure is not in the loop. The laptop is not joined to their domain. It never was. Does it have to be joined to the domain in order to remote into it? This is the boss's laptop and she uses it on the road to connect to her office Windows 10 PC via VPN. Once there, she works as usual.
Any clues why this is not working? I do connect, but cannot log in. I am presented with the login screen. I have tried using every variation of login scenarios I can think of (local PC name\user, etc). I've never had to remote into this laptop, so I cannot say if it ever worked before.
Thanks,
Billy
AAD - Is it possible to create demo user in AAD?
Azure AD Logout is not working - Angular SPA
I am using Azure AD authentication for my Angular-based single page application. Sign-in functionality works fine, but I am facing issues with the logout. Once the user has logged out from the session, it hangs on the Azure AD sign-out page itself and does not get redirected back to the URI given in post_logout_redirect_uri, and it allows users to log in without entering credentials again.
I spent almost a week searching for this issue over the web but didn't find any useful information to resolve this.
My question is: what should be the better approach for single page applications (Angular ADAL) to log out from the active session and redirect back to the custom logout screen of the application?
Exchange mail public folder duplicate attributes
Hi,
After turning on Exchange mail public folder synchronisation in Azure AD Connect, I have started to receive error notifications about a few mail-enabled public folders which have duplicate attributes.
The error message shown in the email is:
"Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses smtp:xxxxxx@tenantname.onmicrosoft.com;]. Correct or remove the duplicate values in your local directory."
Which makes sense, I just have a mail enabled public folder or other object using the same email address?
The interesting part is that if I look at the AD Synchronisation Service Manager, I can see these extra details:
ExtraErrorDetails:
[{"Key":"ObjectIdInConflict","Value":["727d27bc-c5ab-4d8b-868b-69f8da066ef8"]},
{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},
{"Key":"AttributeConflictValues","Value":
The GUID value shown does not seem to exist anywhere, not on premise or in Azure AD. Does anyone have any ideas how I can track down what the root cause of this is?
Many Thanks!
Register proxy failing with certificate error
Running the Register-AzureADPasswordProtectionProxy cmdlet returned no errors, but my agents were reporting no registered proxy service found.
Enabling the trace log and re-running Register-AzureADPasswordProtectionProxy returns the following error:

ProxyCertificatesPopulator: Microsoft.DeviceRegistration.JOSE.JoseException: The certificate validator indicated that the signingCertificate is not trusted
   at Microsoft.DeviceRegistration.JOSE.JWSHelper.ValidationWorker2(String JWS, X509Certificate2 expectedSigningCert, ICertificateValidator certValidator, X509Certificate2& signingCert, Byte[]& payload)
   at Microsoft.DeviceRegistration.JOSE.JWSHelper.ValidateSignature(String JWS, ICertificateValidator certValidator, String& payload)
   at ServiceCommon.Converters.ProxyCertAndChainConverter.Convert(ProxyCertAndChainSerialized proxyCertAndChainSerialized)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent`3.UpdateCurrentPublicDataIfNecessaryWorker(FileContentAndPath`1 latestContent, Boolean fromBackup)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent`3.UpdateCurrentPublicDataIfNecessary(FileContentAndPath`1 latestContent, Boolean fromBackup)
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent`3.PopulateDirectoryFiles()
   at ServiceCommon.ServiceInfrastructure.DataPopulatorServiceComponent`3.HandlePopulateDirectory(Object state, Boolean timedOut)
Proxy and AD servers are 2012 R2 with latest updates, including the Universal C update. AD is using DFSR replication.
Azure AD - Single Sign On
Dears,
We have developed C# Azure web application and we have used Azure AD for authentication. We have used Graph API method for Azure AD authentication.
Every time a user accesses the application, the login prompt is shown to enter the username and password.
Now we are planning to authenticate the application via Single Sign On.
Please let us know the possibilities to make the Single Sign On authentication without changing the Graph API method.
Please provide steps to achieve this process / provide any suggestions.
Thank you.
Nandhakumar R
AADSTS50011 login error, unsure of correct Reply URL
I'm looking to make a PowerApps app that conditions some elements based on whether the user is part of one of several Active Directory groups. Now, I'm not very technically versed, but I found an article (can't enter hyperlinks, but it's the first result if you google "Implementing Role Based Security In Your PowerApps App") which should provide the exact steps to do what I'm looking for, which is to "Register an app in the Azure Active Directory and request permission to use the right Graph API". However, when I reach step 3.10 and I'm trying to test the custom connector, it gives me the "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application". The article mentions this problem, but it says you can just copy the reply address from the error into the Reply URL, but my error doesn't mention any address and just says "the reply url specified in the request".
Any suggestions on how to bypass this error, or what the correct reply address I should be using is?
Thanks!
Azure Access Control Service Outage?
I know the Azure Access Control Service is being retired on November 7, 2018 — but as of today, October 1, we seem to get no response from the https://{your-namespace}.accesscontrol.windows.net site (using our namespace, of course), either for using the management portal, or for production use to deliver the identityProviders.js file for web app login.
We've made no code or configuration changes to the website using ACS.
The error message we see for both the management portal and loading the client-side identity providers JavaScript is that the site can't be reached / the IP address can't be found / can't find the server (depending on browser).
I don't see any outage reported on this page: https://azure.microsoft.com/en-us/status/
Is anyone else having issues? Can anyone from the Azure team confirm whether this is a service-wide issue, or isolated to us?
Using ADFS 3.0 for 3rd party apps while using Seamless Sign On for Office 365
Hi,
We have ADFS 3.0 in place, with AAD Connect, for O365 and a number of 3rd party apps that are not in Azure. Can we remove Office 365 from using ADFS and have it use Seamless Sign On with Password Write Thru (or password sync), while at the same time leave the 3rd party apps using ADFS for Same Sign On?
We would look to migrate the 3rd party apps to Seamless Sign On over time also.
We are running an Exchange 2010 SP3 hybrid. There is only 1 email domain in O365, with user UPNs matching this.
Thanks,
Creating Policy to disallow employees to access email after hours.
We use a mixture of Azure, Intune, and O365 to administer our users. I'd like it to allow users (who do not have overtime) to access their emails through our BYOD program. The problem is that I need to keep them from accessing email after hours and unsure how to do so.
Through contacting Azure support (via Twitter) they supplied me with an article on restricting tenant access to SaaS cloud applications. In the article, it says that anyone with an O365 subscription should be able to use this feature, but when inside the Azure application, it requests that you have the Premium P2 suite for Azure. Not sure what the best route to take is, and I'm willing to take any suggestions!
Thanks!
- CodeNeedsCoffee
Facing an error configuring Azure Site recovery - VMware to Azure - Insufficient privileges to configure server identity in Active Directory
The long title says it all. Can't upload the screenshot, but I have downloaded the configuration server OVA file and have installed the server. The Azure Site Recovery tool starts up and wants me to sign in with an ID to register my server with Azure. I keep getting the error:
Configuring identity for server in Azure Active Directory
Insufficient privileges to complete the operation.
Have tried with many different forms of IDs. It doesn't seem to follow any set pattern. Can anyone tell me exactly WHAT role an ID requires to be able to create this identity in AAD? I have had no luck with our organization's ID. I don't want to ask for a global administrator account.
Any help would be great.
Managed Service Identity and On-Prem Resources
Redirect the user to the login page based on the directory - Azure AD B2C
My application contains users from B2B and B2C directory. It is using Azure B2C Login which is created using a built-in policy for this purpose. Currently, it displays the B2B directory button in the B2C Login screen.
My requirement is that if the user is identified as a B2B user then it should redirect to the respective organization login screen directly after entering his/her email id.
Is there any way by which I can accomplish this in my application?
Deleting Azure AD B2C User Programatically using Graph API
How do I retrieve Extended Properties from a Calendar Event using MS Graph?
Below you will find the code required to create the property required.
REQUIREMENTS: Desktop Version of Outlook (e.g. 2013, 2016), Visual Studio compiler (e.g. 2015, 2017)
STEPS:
1. Create an appointment in your calendar.
2. Set the subject line of that appointment to MS Graph - Extended Properties Test
3. Save and close Outlook
4. Create a VSTO for Outlook project in Visual Studio and copy/paste the code below into "Program.cs"
5. Compile and F5 to run.
6. Open the appointment item you created in step 1. Make some change (don't change the subject line) and hit save.
7. The code will post the custom data in the body of the Appointment.
8. Try and retrieve that data from MS Graph.
Please only post the actual call to MS graph that you make. I've been through several Links on Microsoft that explain how this is done, and I've also been through Links on Stack Overflow.
Sample Call that did not work:
https://graph.microsoft.com/v1.0/me/events('AAkADU4MzkxN2RmLTdiZDAtNDIwYS04NjQzLTUzNzMyMjM0Y2VkNQBGAAAAAABGjw0ByCaySL6aUxJmew3qBwDwiT27qO5xT6RMWiWBhwRzAAAADIqqAADUF4-ptss2TI8vcfE7QLIxADaishaUAAA=')?$expand=singleValueExtendedProperties($filter='String%200x863E0003%20eq%20MyCustomData')
using System;
using System.Runtime.InteropServices;
using Outlook = Microsoft.Office.Interop.Outlook;

namespace AddCustomProperty
{
    public partial class ThisAddIn
    {
        Outlook.Items _items;
        Outlook.Folder _calendar;
        Outlook.Inspectors _inspectors;
        const string sCustomData = "MyCustomData";

        private void ThisAddIn_Startup(object sender, System.EventArgs e)
        {
            // Keep the Items and Inspectors collections in fields so the event
            // subscriptions survive garbage collection.
            _calendar = this.Application.Session.GetDefaultFolder(Outlook.OlDefaultFolders.olFolderCalendar) as Outlook.Folder;
            _items = _calendar.Items;
            _items.ItemChange += eventChange;
            _inspectors = this.Application.Inspectors;
            _inspectors.NewInspector += newInspectorWindow;
        }

        // When an appointment is opened, show the custom property (if present) in its body.
        private void newInspectorWindow(Outlook.Inspector Inspector)
        {
            Object oAppointmentItem = null;
            Outlook.UserProperties userProperties = null;
            Outlook.UserProperty userProperty = null;
            try
            {
                oAppointmentItem = Inspector.CurrentItem;
                if (oAppointmentItem is Outlook.AppointmentItem)
                {
                    userProperties = ((Outlook.AppointmentItem)oAppointmentItem).UserProperties;
                    userProperty = userProperties.Find(sCustomData);
                    if (userProperty != null)
                    {
                        ((Outlook.AppointmentItem)oAppointmentItem).Body =
                            string.Format("MY CUSTOM DATA FOUND [{0}]: {1}\n", DateTime.Now, userProperty.Value);
                    }
                }
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e.Message);
            }
            finally
            {
                // Release COM objects explicitly; Outlook interop leaks otherwise.
                if (userProperty != null) { Marshal.ReleaseComObject(userProperty); userProperty = null; }
                if (userProperties != null) { Marshal.ReleaseComObject(userProperties); userProperties = null; }
                if (oAppointmentItem != null) { Marshal.ReleaseComObject(oAppointmentItem); oAppointmentItem = null; }
            }
        }

        // On the first save of the test appointment the custom property is created;
        // on later saves its value is written into the appointment body.
        private void eventChange(object Item)
        {
            Outlook.AppointmentItem apptItem = null;
            Outlook.UserProperties userProperties = null;
            Outlook.UserProperty userProperty = null;
            try
            {
                apptItem = Item as Outlook.AppointmentItem;
                if (apptItem != null && apptItem.Subject == "MS Graph - Extended Properties Test")
                {
                    userProperties = apptItem.UserProperties;
                    userProperty = userProperties.Find(sCustomData);
                    if (userProperty == null)
                    {
                        userProperty = userProperties.Add(sCustomData, Outlook.OlUserPropertyType.olInteger);
                        userProperty.Value = 10;
                    }
                    else
                    {
                        apptItem.Body = string.Format("MY CUSTOM DATA FOUND [{0}]: {1}\n", DateTime.Now, userProperty.Value);
                    }
                }
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e.Message);
            }
            finally
            {
                if (userProperty != null) { Marshal.ReleaseComObject(userProperty); userProperty = null; }
                if (userProperties != null) { Marshal.ReleaseComObject(userProperties); userProperties = null; }
            }
        }

        private void ThisAddIn_Shutdown(object sender, System.EventArgs e)
        {
            // Note: Outlook no longer raises this event. If you have code that
            // must run when Outlook shuts down, see https://go.microsoft.com/fwlink/?LinkId=506785
        }

        #region VSTO generated code
        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InternalStartup()
        {
            this.Startup += new System.EventHandler(ThisAddIn_Startup);
            this.Shutdown += new System.EventHandler(ThisAddIn_Shutdown);
        }
        #endregion
    }
}
Germán Hayles
How to Request VM to VM access within an Azure vNet When Using Just in Time Access Policy
Enabling a just in time access policy blocks access from both public and private IP. How do I request access to a VM within Azure vNet with only private IP?
For example, I have two VMs within an Azure vNet. VM1 is a jump box with a public IP. VM2 has only private IP and therefore can be accessed only by VM1 through RDP. If both VMs have just in time access policy enabled, how do I RDP from VM1 to VM2?
Azure Active Directory B2B User & Intune MAM Without Enrollment (MAM-WE)
Hi,
We have a number of B2B users in our Azure AD tenant. We would like to distribute an Android application that is protected with the Intune App Wrapping Tool (MAM policies) which won't require the B2B users to enroll their BYOD device with our Intune instance.
Can the Azure B2B users have access to our MAM-WE application without needing a separate Intune license?
Or is there another way to secure our app and distribute to our partners?
Thanks,
Stephen
AAD Join + Onpremise SSO Using Okta
I have 2 labs:
Lab1: AD 2016, AAD Connect for synchronization & Okta for Authentication
Lab2: AD 2016, Okta for synchronization & Okta for Authentication
When I test the mentioned scenario in Lab1, it works perfectly well as AAD Connect synchronizes the attributes DomainDNSName, NetBIOS name & onPremisesSamAccountName.
When I test the same in Lab2, on-premise SSO doesn't work as Okta could not update the attributes DomainDNSName, NetBIOS name & onPremisesSamAccountName. When I looked at these attributes through Graph Explorer, these attributes are empty for the users synced through Okta.
Is there a way to get on-premise SSO for Lab2?
I have contacted Okta but they are unable to help, as Microsoft documentation says these attributes are available for AAD Connect and for the rest of the systems they are read-only.