Channel: Azure Active Directory forum

Intune Post OOBE AAD joined Windows10 cached credentials


Hi, I was wondering if someone would be able to shed some light on an issue I am seeing with a cached credential scenario. We are testing the deployment of Intune Autopilot with AAD. The issue we are having goes as follows:

Environment:

Windows 10 Ent 1709\1803

Autopilot

AAD Joined

AAD Connect Syncing users and devices

Steps to recreate the problem:

1. Autopilot begins and we are presented with the basic OOBE questions (Region, Keyboard...)

2. We then need to enroll with the user's UPN (test.user@company.com, which is also the user's AD credentials)

3. We are then directed to enter the username

4. After the above username and password are entered, OOBE eventually completes and automatically logs the user in to the desktop with the credentials provided above.

This is all good. Though, the issue is if the user shuts down or gets disconnected from the internet (at autologon), the credentials that OOBE automatically logged in with (the username and password from Steps 2 & 3) do not get cached. Which leads to the user NOT being able to physically hit Ctrl-Alt-Del to login for the first time. The problem seems to lie in the first post-OOBE autologon, in that it does not cache credentials. The only way to cache credentials is for the user to be internet connected, then log out and log back in. Then the credentials will become cached; other than the above steps, the credentials will not get cached, and if the user is NOT connected to the internet at first physical logon, they will NOT be able to login, as the credentials were not stored.

I hope I was able to paint a proper picture in describing the issue. Please let me know if there is anything I left out.

Thank you!


How to do single sign OUT, with Azure AD

Hi Group!

Does someone know how I can do single sign out, with Azure AD?

I am looking for a way to ask Azure if the user is still signed in, or (better) to get Azure to call a URL (webservice) on the application when the user signs out.

Is that possible?

All the best and thanks :) 


AzureAD B2B single sign on with multi-tenant application


I am building a multi-tenant Azure web app for our customers to access, and want it to feature single sign-on for our customers who are on Office 365 (most are). We want to get the authentication and authorization aspect of the site out of the way first. Our desire is to assign an “admin” role within our app to one user at each company, that will allow them to invite other users within their organization to use the app with different but less privileged roles. It is our understanding after reading the documentation on the Graph API, that we can use the User.ReadBasic.All() delegated user permission to return a list of the email addresses and names of the users within their organization. According to the documentation here, the signed-in user would have to consent to allow the app to access that list of users, but an Admin within their organization would not. That is what we want. Our customers are very concerned with data privacy, so our app should not request any more privileges than are required.

We’ve got the sign-in part working, but as soon as a test user in the external org is authenticated they get a popup box requesting nearly full access to their Graph.

How do we get delegated access to only basic email addresses and names, without consent of their IT Admin?

Azure AD b2b “Read all users' basic profiles” permission


I have the delegated user permission "User.ReadBasic.All". In the Microsoft documentation, they have mentioned "Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user."

How can I get all users with basic profiles?

    // Acquire a token with the app's own credentials (ADAL client credentials flow)
    var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret)).Result.AccessToken;

    // Attach that token as a bearer token to every Graph request
    var graphserviceClient = new GraphServiceClient(new DelegateAuthenticationProvider(requestMessage =>
    {
        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
        return Task.FromResult(0);
    }));

Can you please confirm my "Authority" URL is correct or not?

    string authority = "https://login.microsoftonline.com/{tenantId}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.Read%20User.ReadWrite%20User.ReadBasic.All";
    AuthenticationContext authContext = new AuthenticationContext(authority);
    var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret)).Result.AccessToken;

Thank you in Advance

Azure AD Password Protection DC Agent service not starting


We are trying out the Azure AD Password Protection service and so far it looks great. We've now decided to install the agent across all of our DCs and move from audit mode to enforced. However, 2 of our DCs won't run the DC agent service. All of the DCs are 2016, and one of these 2 is also running the Proxy service, which is running fine. We have 6 other DCs which are working fine, and one of those others is also the second Proxy service.

Every few seconds the DC Agent service tries to start, then terminates. In the application event log we are getting event IDs 1026 & 1000.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name=".NET Runtime" />
    <EventID Qualifiers="0">1026</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-10T09:43:24.321706200Z" />
    <EventRecordID>197932</EventRecordID>
    <Channel>Application</Channel>
    <Computer>*BLANKED OUT*</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Application: DCAgentServiceExe.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: exception code e0434352, exception address 00007FFB85A23C58 Stack:</Data>
  </EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-10T09:43:24.524824300Z" />
    <EventRecordID>197933</EventRecordID>
    <Channel>Application</Channel>
    <Computer>*BLANKED OUT*</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DCAgentServiceExe.exe</Data>
    <Data>1.1.10.3</Data>
    <Data>5b2431e7</Data>
    <Data>KERNELBASE.dll</Data>
    <Data>10.0.14393.2457</Data>
    <Data>5b7e2adb</Data>
    <Data>e0434352</Data>
    <Data>0000000000033c58</Data>
    <Data>df8</Data>
    <Data>01d4607dafd56f38</Data>
    <Data>C:\Program Files\Azure AD Password Protection DC Agent\Service\DCAgentServiceExe.exe</Data>
    <Data>C:\Windows\System32\KERNELBASE.dll</Data>
    <Data>d4c1ac27-3ae7-4cf1-aabc-55ecaafc399b</Data>
    <Data />
    <Data />
  </EventData>
</Event>

I can't figure out why these 2 DCs are any different. The troubleshooting documentation suggests a cause could be an issue with connectivity to the Proxy service, but one of these 2 servers is actually running the Proxy service.


Support for foreign characters in password

We use the on-prem server (7.3.0.3) today with our NetScaler Gateway (12.0 53.13) with a RADIUS connection. We have seen that users with passwords that contain foreign characters like the Swedish ÅÄÖ get a failed login; any advice on whether this is a known limitation or can be changed?

Access Token


Hi,

Our administrator registered a Dynamics 365 instance in Azure Active Directory.

In the Microsoft Flow HTTP action, I am doing an HTTP POST to https://login.microsoftonline.com/tenantID/oauth2/token

The body in the POST is:

client_id=CRMClientID&resource=https://CRMURI&username=MyCRMUserName&password=MyCRMPassword&grant_type=password

The exception I am getting in Flow is "Unauthorized".

Is this because the credentials I used are mine, which only have access to the Dynamics 365 CRM?

Do I have to use the credentials that my administrator used to register Dynamics 365 in Azure AD? Those credentials are Admin to both Azure and Office 365.

Thanks

ADFS Migration to 2016 and Windows 10


Hi,

We are in the process of migrating our ADFS server from 2012 to 2016. With user computers also starting to use Windows 10, I can see that device registration is not working on Windows 10.

During testing, I can see from the event logs that Windows 8.1 passes through the parameter "isregistereddevice" however when logging in with Windows 10, that parameter is not passed. 

I believe this may be because prior to Windows 10, the device is registered to the user and the user is registered. However with Windows 10 the device itself is registered not the user. 

Is there a different claim I should be using? I need this to work for existing Windows 8.1 users and Windows 10 users.

Any help is much appreciated. 

thanks,

Vishal


Unable to get Bulk Token - Windows Config Designer


Afternoon,

I've just downloaded and installed the new Windows Configuration Designer, and am trying to set up bulk enrollment to Azure AD, but whenever I click "Get Bulk Token", I get the prompt to sign into my account but then come back to the first screen with the error:

Bulk token retrieval failed

Bad Request

Have tried on a couple of machines, and get the same error each time. 

Thanks in advance,

Dan

AAD Identity Protection - old risk events


What happens with risk events that are older than 90 days? In the Azure portal, in the AADIP filter, I only have the ability to see 7 days, 1 month, or 90 days. There is no "custom" or "all". And on a related note, how about the "Users flagged for risk"? When a risk event gets older than 90 days it no longer shows up in the Users flagged for risk section either, but the user remains there with no way to see that the user had a previous risk event, nor a way to remediate the user and get them off this report. How would you go about removing the users flagged for risk where the risk event is older than 90 days and seemingly no longer accessible?

Thanks!



Azure AD proxy Connector gateway Timeout


As per the Azure AD guideline, only the "Default" and "Long" application timeout values can be assigned to an Azure application. Default = 85 seconds and Long = 180 minutes. But I have a few applications which take more than 3 minutes to respond on a few UI actions. I am wondering if there is a way to override the proxy connector application timeout settings.

Can we make any change in the Proxy Connector Windows service installed on the server to increase the backend application timeout?

node module passport-azure-ad id_token validation


I am using passport-azure-ad to authenticate a user through Azure AD. I looked at the code in oidcstrategy.js, and it seems to validate the returned id_token using the kid returned in the JWT header. This seems pretty silly. Is there an example of stronger validation using this module? Seems like I ought to be able to directly query Azure AD for the public key that should be used to validate the token.

AADSTS50195: Token binding information is required.


Here's my process:

1. Go to Azure website

2. Click on >_ to open up the console. 

Requesting a Cloud Shell.Succeeded.

Connecting terminal...

Your Cloud Shell session will be ephemeral so no files or system changes will persist beyond your current session.

VERBOSE: Authenticating to Azure ...

WARNING: Azure Authentication failed.

So I try connecting with Connect-AzureRmAccount. When I try authenticating, I get AADSTS50195: Token binding information is required.

I've tried creating Personal Access Tokens and that doesn't help. What do I need to do to stop this error?

Joining Azure VM to on Premise domain

Hi,

I have done a lot of research on the problem described below and have got numerous pointers, but with no success. Problem statement:

  • I have Azure AD setup done and all on-premise entities are synced on to Azure via Azure AD connect.
  • Federated authentication is implemented using ADFS.
  • In a nutshell this is how the architecture is (which is half done as of now): https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
  • Now I am trying to domain join the VM created in the Azure VNET, and the objective is to access the VM with a domain admin's ID.

Can anyone please help point me to the right approach?

-Sarab

Invalid Grant on PowerBI Access token

I'm trying to embed Power BI reports and dashboards using ASP.NET Core 2.0. Since UserPasswordCredential does not work in Core, I'm using the API to get the access token. However, I'm getting an invalid_grant error, 400 bad request.

The username and password are correct since I'm using the same with my MVC app and it is working.

{

    "error": "invalid_grant",
    "error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: d1c17227-cc20-4520-a60f-f71ffa252a00\r\nCorrelation ID: f0254317-1ebd-43d4-84e4-422ffad6f833\r\nTimestamp: 2018-10-10 19:57:41Z",
    "error_codes": [
        70002,
        50126
    ],
    "timestamp": "2018-10-10 19:57:41Z",
    "trace_id": "d1c17227-cc20-4520-a60f-f71ffa252a00",
    "correlation_id": "f0254317-1ebd-43d4-84e4-422ffad6f833"
}

POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type: password
scope: openid
resource: https://analysis.windows.net/powerbi/api
client_id: myclientid
username: myusername
password: mypassword


Locked out of Azure/Office 365 through Conditional Access

We accidentally put in a conditional access rule which doesn't allow any type of device to log in except Outlook.

Cannot verify custom domain - tool says it is in use


I am trying to activate a custom domain, and have added the appropriate DNS TXT record to our site. After this I am still unable to verify the custom domain.

I was pointed to this site (https://account.windowsazure.com/organization?correlationId=9770ca98-c928-448e-bf57-eafe149cb17a) by Azure Chat support and it tells me the domain is already in use. However we do not have (or at least remember ever having) Office 365 or an Azure account before, so this should not be the case. I would like to know where or with which service our domain is currently in use with so we can de-register it and re-register with Azure AD.

Domain: citizensalliancebank.com

Trying to set "User Assignment required" to "No" in AAD Enterprise app gives me the error "Error detail: Unable to complete the request due to data validation error."

Like the title says. When I try to set "User Assignment required" to "No" in an AAD Enterprise app, I get the error "Error detail: Unable to complete the request due to data validation error."

See screenshot. Anyone know why and how to fix?

Login problem at https://www.microsoft.com/en-us/mwf


Hi,

I had a problem while trying to access the "hero module" at https://www.microsoft.com/en-us/mwf.

The exception was:

Request Id: 9599877c-8c61-4f6b-9ce9-4d6fabaf4200
Correlation Id: 1159eb05-a725-4640-b053-33e6005aff28
Timestamp: 2018-10-11T14:45:22Z
Message: AADSTS50020: User account '%myname%@hotmail.it' from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application '71dada86-21db-493b-93e4-1a902601f30f' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Diagnostica avanzata: Disabilita
Se si prevede di richiedere supporto tecnico per un problema, attivare questa opzione e provare a riprodurre l'errore. Verranno raccolte informazioni aggiuntive utili per la risoluzione del problema

Do I need an 'outlook.com' domain mail to access?

Thanks,

Leonardo



Azure AD Connect SSO works for Outlook and Web, but not Skype


We have our domain setup in Office 365. All email is in Office 365; no local exchange servers. We use AD Connect with Pass-Thru Authentication. Workstations have Office 365 Pro (2016).

We want users to auto-login to Skype at login.

We have Skype loading on login.

We have set the SIP address for the local domain user accounts to their UPN.

We enabled AD Connect's Single Sign-On.

We created a new test user. When logging in for the 1st time, Skype loads, its username field is correctly populated with the test user's UPN, but the password field is blank, Save Password is checked and it's waiting for the Sign-On button to be clicked. If we load Outlook, it configures itself perfectly. Only need to click a few buttons.

Is Skype special?
