Channel: Azure Active Directory forum

Nesting an Office 365 Group in an Azure AD Group


I have a scenario where I'm using Microsoft Stream which for each group in Stream, creates an Office 365 group. What I need to do is nest an AAD Group for group membership purposes as the Stream interface will not allow you to add a group, only individual members.

I'm in the AAD group I'm attempting to add to the O365 group. Going to Group Memberships, I find the O365 group and add it to the AAD group. The portal reports this activity as successful, however when refreshing the Group Membership list, no groups are present (i.e. the AAD group does not show as a member of the O365 group). The same thing happens if I go into the O365 group -> Membership and attempt to add the AAD group. It will show as successful in the portal, but not show that it is a member.

Ideas?


Trevor Seward

Office Servers and Services MVP



Author, Deploying SharePoint 2016

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
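An added diagnostic (not code from the post or from Microsoft) for the symptom above: it looks up both groups with the AzureAD PowerShell module, reports what kind each one is (an Office 365 group carries "Unified" in GroupTypes, and Microsoft 365 groups do not accept other groups as members), checks the membership as the directory records it rather than as the portal reports it, and only then tries the add and re-reads the membership afterwards. The two group names are placeholders.

```powershell
# Added example, not from the original post. Requires the AzureAD module and
# a Connect-AzureAD session with rights to read and modify group membership.
param(
    [string]$MemberGroupName = 'AAD-Stream-Viewers',   # hypothetical AAD security group
    [string]$TargetGroupName = 'Stream Group'          # hypothetical Office 365 group
)

Connect-AzureAD | Out-Null

function Get-SingleGroup([string]$Name) {
    $escaped = $Name -replace "'", "''"
    $g = @(Get-AzureADMSGroup -Filter "displayName eq '$escaped'")
    if ($g.Count -ne 1) { throw "Expected exactly one group named '$Name', found $($g.Count)" }
    $g[0]
}

$member = Get-SingleGroup $MemberGroupName
$target = Get-SingleGroup $TargetGroupName

# Report the group kind: nesting is only supported into security groups.
foreach ($g in $member, $target) {
    if ($g.GroupTypes -contains 'Unified') { $kind = 'Office 365 (Unified)' }
    elseif ($g.SecurityEnabled) { $kind = 'Security' }
    else { $kind = 'Mail-enabled / distribution' }
    Write-Host ("{0,-30} {1} {2}" -f $g.DisplayName, $g.Id, $kind)
}

# Membership as the directory actually records it, not as the portal reports it.
$already = Get-AzureADGroupMember -ObjectId $target.Id -All $true |
           Where-Object { $_.ObjectId -eq $member.Id }
if ($already) { Write-Host 'Already nested.'; return }

if ($target.GroupTypes -contains 'Unified') {
    Write-Warning "'$($target.DisplayName)' is an Office 365 group; group members are not supported there."
}

try {
    Add-AzureADGroupMember -ObjectId $target.Id -RefObjectId $member.Id -ErrorAction Stop
    # Re-read instead of trusting the call's return: this is what the portal does not show.
    $check = Get-AzureADGroupMember -ObjectId $target.Id -All $true |
             Where-Object { $_.ObjectId -eq $member.Id }
    if ($check) { 'Nested OK: membership is recorded.' }
    else { 'Call returned success but the membership is not recorded.' }
} catch {
    Write-Warning "Add failed: $($_.Exception.Message)"
}
```

Reading the membership back after the add is the useful part: a silent success in the portal with no recorded member is exactly what the post describes, and the re-read makes it visible in one run.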


Azure AD Password Protection DC Agent service not starting


We are trying out the Azure AD Password Protection service and so far it looks great.  We've now decided to install the agent across all of our DCs and move from audit mode to enforced.  However, 2 of our DCs won't run the DC agent service.  All of the DCs are 2016, and one of these 2 is also running the Proxy service, which is running fine.  We have 6 other DCs which are working fine, and one of those others is also the second Proxy service.

Every few seconds the DC Agent service tries to start, then terminates.  In the application event log we are getting event IDs 1026 & 1000.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name=".NET Runtime" />
    <EventID Qualifiers="0">1026</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-10T09:43:24.321706200Z" />
    <EventRecordID>197932</EventRecordID>
    <Channel>Application</Channel>
    <Computer>*BLANKED OUT*</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Application: DCAgentServiceExe.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: exception code e0434352, exception address 00007FFB85A23C58 Stack:</Data>
  </EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-10T09:43:24.524824300Z" />
    <EventRecordID>197933</EventRecordID>
    <Channel>Application</Channel>
    <Computer>*BLANKED OUT*</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DCAgentServiceExe.exe</Data>
    <Data>1.1.10.3</Data>
    <Data>5b2431e7</Data>
    <Data>KERNELBASE.dll</Data>
    <Data>10.0.14393.2457</Data>
    <Data>5b7e2adb</Data>
    <Data>e0434352</Data>
    <Data>0000000000033c58</Data>
    <Data>df8</Data>
    <Data>01d4607dafd56f38</Data>
    <Data>C:\Program Files\Azure AD Password Protection DC Agent\Service\DCAgentServiceExe.exe</Data>
    <Data>C:\Windows\System32\KERNELBASE.dll</Data>
    <Data>d4c1ac27-3ae7-4cf1-aabc-55ecaafc399b</Data>
    <Data />
    <Data />
  </EventData>
</Event>
I can't figure out why these 2 DCs are any different.  The troubleshooting guidance suggests a cause could be an issue with connectivity to the Proxy service, but one of these 2 servers is actually running the Proxy service.
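An added collection script (not from the post) that pulls the two event types shown above from the Application log of each DC and lays them out side by side, so the healthy and crashing DCs can be compared on agent version, faulting module and exception code. It relies only on the process name and event IDs visible in the post and on standard Get-WinEvent filtering; the DC names are supplied by the caller.

```powershell
# Added example, not from the original post. Needs event-log read access
# (RPC) to each DC named in -ComputerName; defaults to the local machine.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MaxEvents = 50
)

$processName = 'DCAgentServiceExe.exe'   # process name from the post's event data

foreach ($dc in $ComputerName) {
    $filter = @{
        LogName      = 'Application'
        ProviderName = '.NET Runtime', 'Application Error'   # sources of 1026 and 1000
        Id           = 1026, 1000
    }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }

    foreach ($ev in $events) {
        $props = @($ev.Properties | ForEach-Object { $_.Value })
        $text  = ($props -join ' ') -replace '\s+', ' '
        # Keep only events about the DC agent; other .NET crashes share these IDs.
        if ($text -notlike "*$processName*") { continue }

        # Event 1000 carries app version, faulting module, module version and
        # exception code as separate data fields (indexes 1, 3, 4 and 6 in the
        # post's XML); event 1026 puts everything in one text field.
        [pscustomobject]@{
            Computer      = $dc
            Time          = $ev.TimeCreated
            Id            = $ev.Id
            AgentVersion  = $(if ($ev.Id -eq 1000) { $props[1] })
            FaultModule   = $(if ($ev.Id -eq 1000) { "$($props[3]) $($props[4])" })
            ExceptionCode = $(if ($ev.Id -eq 1000) { $props[6] })
            Detail        = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}
```

Run it once against the two failing DCs and once against a working one; a differing AgentVersion or KERNELBASE.dll version between the two sets is the first thing worth checking before looking at proxy connectivity.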


Invalid Grant on PowerBI Access token


I'm trying to embed Power BI reports and dashboards using ASP.NET Core 2.0.  Since UserPasswordCredential does not work in Core, I'm using the API to get the access token.  However, I'm getting an invalid_grant error, 400 bad request.

The username and password are correct, since I'm using the same ones with my MVC app and it is working.

{
    "error": "invalid_grant",
    "error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: d1c17227-cc20-4520-a60f-f71ffa252a00\r\nCorrelation ID: f0254317-1ebd-43d4-84e4-422ffad6f833\r\nTimestamp: 2018-10-10 19:57:41Z",
    "error_codes": [
        70002,
        50126
    ],
    "timestamp": "2018-10-10 19:57:41Z",
    "trace_id": "d1c17227-cc20-4520-a60f-f71ffa252a00",
    "correlation_id": "f0254317-1ebd-43d4-84e4-422ffad6f833"
}

POST: https://login.microsoftonline.com/common/oauth2/token

Content-Type: application/x-www-form-urlencoded

grant_type: password
scope: openid
resource: https://analysis.windows.net/powerbi/api
client_id: myclientid
username: myusername
password: mypassword
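An added example (not the poster's code) of the same v1 token request made in a way that makes the failure diagnosable: each form field is a separate hashtable entry, so the encoder cannot run two fields together, and on an HTTP 400 the script decodes the AADSTS error_codes array and correlation id from the response body instead of reporting only "bad request". The client id, user name and password are placeholders taken from the post.

```powershell
# Added example, not from the original post. Placeholder credentials; the
# endpoint, resource and field names are the ones shown in the post.
param(
    [string]$ClientId = 'myclientid',
    [string]$Username = 'myusername',
    [string]$Password = 'mypassword',
    [string]$Resource = 'https://analysis.windows.net/powerbi/api'
)

$tokenEndpoint = 'https://login.microsoftonline.com/common/oauth2/token'

# One entry per field: PowerShell form-encodes each key and value separately.
$body = @{
    grant_type = 'password'
    scope      = 'openid'
    resource   = $Resource
    client_id  = $ClientId
    username   = $Username
    password   = $Password
}

try {
    $resp = Invoke-RestMethod -Method Post -Uri $tokenEndpoint `
                -ContentType 'application/x-www-form-urlencoded' -Body $body -ErrorAction Stop
    # Report the audience and expiry only; the token itself should never be logged.
    [pscustomobject]@{
        Resource  = $resp.resource
        ExpiresOn = [DateTimeOffset]::FromUnixTimeSeconds([long]$resp.expires_on)
    }
} catch {
    # For an HTTP error Invoke-RestMethod puts the JSON body in ErrorDetails.
    $raw = $_.ErrorDetails.Message
    if (-not $raw) { throw }
    $err = $raw | ConvertFrom-Json
    [pscustomobject]@{
        Error         = $err.error
        Codes         = ($err.error_codes -join ',')   # e.g. 70002,50126 in the post
        CorrelationId = $err.correlation_id            # what support will ask for
        Description   = ($err.error_description -split "`r?`n")[0]
    }
}
```

The numeric codes are more useful than the text: 50126 is the credential-validation failure in the post, and a different code (for example one about consent or MFA) points at the app registration or tenant policy rather than the password.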

Locked out of Azure/Office 365 through Conditional Access

We accidentally put a conditional access rule which doesn't allow any type of devices to log in except Outlook. 

Cannot verify custom domain - tool says it is in use


I am trying to activate a custom domain, and have added the appropriate DNS TXT record to our site. After this I am still unable to verify the custom domain.

I was pointed to this site (https://account.windowsazure.com/organization?correlationId=9770ca98-c928-448e-bf57-eafe149cb17a) by Azure Chat support and it tells me the domain is already in use. However we do not have (or at least do not remember ever having) Office 365 or an Azure account before, so this should not be the case. I would like to know with which service our domain is currently in use so we can de-register it and re-register it with Azure AD.

Domain: citizensalliancebank.com

Note: this post was made as a request from Azure Chat Support

Login to computer not recognized as Azure AD login - Windows Enterprise upgrade problem


Hi,

A computer (end user workstation) in a hybrid environment (Azure + onprem) is not recognizing user logons as Azure logons.

Judging from what I see in Azure and on the computer, the computer seems to be correctly joined to Azure AD. The user account also seems to be fine in Azure AD.
I tried with 2 user accounts and a test account, which I know to be free of this problem - but on this particular machine, the problem still occurs (so I don't think the problem is related to the user's account).
This is causing Windows to refuse to upgrade to Enterprise edition based on the user's license.
In Event Viewer I am getting event 360 and it contains this line: "User has logged on with AAD credentials: No"
I wanted to paste screenshots of dsregcmd /status but I am unable to. The interesting bit seems to be:

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
               NgcSet : NO
      WorkplaceJoined : NO
        WamDefaultSet : ERROR
           AzureAdPrt : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
        IsUserAzureAD : NO
        PolicyEnabled : NO
       DeviceEligible : YES
   SessionIsNotRemote : YES
       CertEnrollment : none
         PreReqResult : WillNotProvision

Would anyone be able to share some wisdom with me on this?
I've read everything I could find on the internet and still failed to solve this.

Thanks!
Michał
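An added helper (not from the post) that turns the "Key : Value" lines of dsregcmd /status into a hashtable and checks the handful of values that decide whether Windows treats the session as an Azure AD logon. The output quoted above is embedded as a constructed sample so the parser can be exercised offline; the commented line at the end runs it against the live command on a machine.

```powershell
# Added example, not from the original post. The sample is the dsregcmd
# output quoted in the post; the expected values are the ones a working
# Azure AD sign-in shows (a Primary Refresh Token, a WAM default account).
$sample = @'
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
               NgcSet : NO
      WorkplaceJoined : NO
        WamDefaultSet : ERROR
           AzureAdPrt : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
        IsUserAzureAD : NO
        PolicyEnabled : NO
       DeviceEligible : YES
   SessionIsNotRemote : YES
       CertEnrollment : none
         PreReqResult : WillNotProvision
'@

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Section banners (+---+ and | ... |) do not match; only "Key : Value" lines do.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    $result
}

function Test-AzureAdLogonState {
    param([hashtable]$Status)
    $expected = [ordered]@{
        IsUserAzureAD = 'YES'   # the signed-in user is an Azure AD account
        AzureAdPrt    = 'YES'   # a PRT was issued at logon: the proof of an AAD logon
        WamDefaultSet = 'YES'   # the AAD account is the default WAM account
    }
    foreach ($key in $expected.Keys) {
        [pscustomobject]@{
            Check    = $key
            Actual   = $Status[$key]
            Expected = $expected[$key]
            Ok       = ($Status[$key] -eq $expected[$key])
        }
    }
}

$status = ConvertFrom-DsregStatus -Lines ($sample -split "`r?`n")
Test-AzureAdLogonState -Status $status | Format-Table -AutoSize

# On a real machine, run it against the live output instead of the sample:
# Test-AzureAdLogonState -Status (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

On the sample all three checks fail, which matches the "User has logged on with AAD credentials: No" line from event 360: the device may be joined, but no PRT was obtained for this user session.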

iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication


When authenticating with ASP.NET Core 2.0 with OpenID Connect, the identity cookie doesn't seem to be set when returning from the IdP, which results in a redirect loop. This same process works with iOS 11.

1. Visit site, access some protected resource
2. Set nonce, redirect to IdP
3. Authenticate at IdP
4. Return back with POST request
5. Validate id_token, set identity cookie with samesite=lax policy
6. Redirect to the protected resource
7. Check for identity cookie - missing, return to step 2

I tested the same flow on PC (Edge, Firefox, Chrome) and everything works fine. Any idea why Safari treats this case differently? This is probably going to affect quite a lot of users accessing Microsoft's own services as well - once again, this site works just fine on Chrome or Edge.

By Jan Hajek see: https://bugs.webkit.org/show_bug.cgi?id=188165

Convert a user from "Synced AD" to "Cloud ID" while preserving the user's original password!


Hi,

The only way to convert a user from "Synced with AD" to "In cloud" is to delete the user from on-prem AD and then restore it from AAD "Deleted users"! The problem with this procedure is that the password is forced to reset!

How can I preserve the user's original password?

TIA


Multi-Forest AAD Connect to New Azure AD tenant


Hello Experts,

Looking for your expertise on following scenario :

We have two on-premises Active Directory forests, each with a separate Azure tenant (Office 365):

1. Forest A.Com -->AADConnect-->Azure AD (Tenant A)

2. Forest B.Com-->AADConnect-->Azure AD (Tenant B)

Now we want to consolidate both Azure AD tenants (Tenant A and Tenant B) into a single tenant called "Tenant C", but the on-premises AD DS will remain the same.

We can use the "Multiple forests, separate topologies" scenario from the post below:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-separate-topologies

But at the same time we have to migrate the mailboxes from Tenant A and Tenant B to Tenant C.

Here are the steps we are planning:

  1. Do an initial sync Forest A -->AAD Sync --> Azure AD Tenant C (for creating the users in Tenant C). "The UPNs of the users in the on-premises Active Directory instance must also use separate namespaces"
  2. Use the 3rd party tool to move mailboxes from Tenant A to Tenant C (to map the UPN) -Stage-Sync (95%)
  3. Same process for Forest B and Tenant B.
  4. Configure AAD Connect (multi-forest A & B) to Azure AD Tenant C and start sync (over night/weekend) with matching the namespace.
  5. Cutover the mailbox migration to Tenant C
  6. Remove the Azure AD Tenant A and Tenant B from AAD Connect

Your expertise in correcting me on this will be highly appreciated.

Thank you!



Dinesh https://ucservice.blogspot.com

Login problem at https://www.microsoft.com/en-us/mwf


Hi,

I had a problem while trying to access the "hero module" at https://www.microsoft.com/en-us/mwf.

The exception was:

Request Id: 9599877c-8c61-4f6b-9ce9-4d6fabaf4200
Correlation Id: 1159eb05-a725-4640-b053-33e6005aff28
Timestamp: 2018-10-11T14:45:22Z
Message: AADSTS50020: User account '%myname%@hotmail.it' from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application '71dada86-21db-493b-93e4-1a902601f30f' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Diagnostica avanzata: Disabilita
Se si prevede di richiedere supporto tecnico per un problema, attivare questa opzione e provare a riprodurre l'errore. Verranno raccolte informazioni aggiuntive utili per la risoluzione del problema

Do I need an 'outlook.com' domain mail to access?

Thanks,

Leonardo



AAD Connect Multi Forest Scenario

Hi Team,

We have two forests, Forest A and Forest B.
For Forest A we have synced the user objects to Azure AD and provisioned mailboxes in O365.
We have configured AAD Connect and ADFS servers on Azure for Forest A for SSO.
In AAD Connect we had selected the attribute for matching as 'mail' as user principal name and selected the option that users exist only once per forest.

Now we want to bring our Forest B users to Azure AD and migrate their mailboxes in the same O365 tenant.
We do not have trust between Forest A and Forest B.
We do not want to use the ADFS server for authentication of Forest B users.
We need to configure the same AAD connect server as it supports multi forest topology.

Later, once all the mailboxes are migrated to O365 for Forest B, we plan to consolidate Forest A and Forest B.

Can you guide me to some articles which can help me configure AAD Connect for multi-forest and which in future will help me consolidate both forests?
Also, can we have a topology where we sync two forests through the same AAD Connect and one forest uses ADFS for SSO while the other forest uses just password sync through AAD Connect?

Thanks,
Mitesh Jain
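An added pre-check (not from either of the two multi-forest posts above) for the requirement quoted in the Tenant C plan, that the UPNs of the two forests use separate namespaces, and for the 'mail' matching attribute used in this post: it reads every enabled user in each forest, collects the UPN suffixes and mail values, and reports any suffix that appears in both forests and any mail value that is duplicated across them, since a shared suffix breaks the separate-namespace scenario and duplicate mail values would be joined into one cloud user. Forest names are placeholders; it needs the ActiveDirectory module and read access to a DC in each forest.

```powershell
# Added example, not from the original posts. -Forest takes the DNS name of
# each forest root (placeholders below); no trust between them is required.
param(
    [string[]]$Forest = @('a.com', 'b.com')
)
Import-Module ActiveDirectory

function Get-ForestNamespaces {
    param([string]$Server)
    $users = Get-ADUser -Server $Server -Filter 'Enabled -eq $true' -Properties userPrincipalName, mail
    [pscustomobject]@{
        Forest      = $Server
        UserCount   = @($users).Count
        # Distinct UPN suffixes in this forest (the part after @, lower-cased).
        UpnSuffixes = @($users | Where-Object userPrincipalName |
                        ForEach-Object { ($_.userPrincipalName -split '@')[1].ToLower() } |
                        Sort-Object -Unique)
        # Every mail value, because 'mail' is the join attribute in AAD Connect.
        Mails       = @($users | Where-Object mail | ForEach-Object { $_.mail.ToLower() })
    }
}

$perForest = foreach ($f in $Forest) { Get-ForestNamespaces -Server $f }

# A UPN suffix present in more than one forest violates the separate-namespace requirement.
$sharedUpn = @($perForest | ForEach-Object UpnSuffixes | Group-Object |
               Where-Object Count -gt 1 | Select-Object -ExpandProperty Name)

# The same mail value in more than one forest would be joined into a single cloud user.
$dupMail = @($perForest | ForEach-Object Mails | Group-Object |
             Where-Object Count -gt 1 | Select-Object -ExpandProperty Name)

$perForest | Select-Object Forest, UserCount, @{n = 'UpnSuffixes'; e = { $_.UpnSuffixes -join ',' }} | Format-Table -AutoSize

[pscustomobject]@{
    SharedUpnSuffixes = $sharedUpn -join ','
    DuplicateMail     = $dupMail -join ','
    ReadyForSeparateTopology = ($sharedUpn.Count -eq 0 -and $dupMail.Count -eq 0)
}
```

Run it before step 4 of the Tenant C plan (pointing one AAD Connect at both forests): an empty SharedUpnSuffixes and DuplicateMail is the condition under which the two forests can be synced as separate populations without accidental joins.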

Azure AD, recovery of deleted devices


Hi,

Can anyone help me with steps to recover a deleted device from Azure AD? I am mainly looking for the BitLocker recovery key.

Thanks 

Rajesh

Add Office 365 tenant to my Azure AD Tenant


Hi, I have an Office 365 tenant up and running and I just configured Azure AD. I would like to be able to establish Dirsync between the two. I read in some documentation that I need to add my Office 365 Microsoft ID user name @onmicrosoft.com to my Azure AD tenant. When I do this, in Azure, it tells me that my Microsoft ID does not exist. I'm at a loss, as I'm able to log in to my Office 365 with it.

Thanks

SSPR - Unlock account without resetting password from sign in screen Windows 10 1803

I would like to know if it is possible, as from the SSPR website, to unlock the account without resetting the password from the sign-in screen on Windows 10 1803. Please see the thread on GitHub too: https://github.com/MicrosoftDocs/azure-docs/issues/16642

How to prohibit access of non-administrator users to Azure AD using PowerShell


Our university uses a common Office 365 tenant for students, faculty, and staff.

In our university policy, IT systems are required to prevent students from accessing other students' personal information.  This kind of policy is common in many universities.

In the default setting of an Office 365 tenant, any user can retrieve all user information in Azure Active Directory by accessing it with PowerShell.  To avoid this, we set UsersPermissionToReadOtherUsersEnabled to false in our Azure AD.  Under this setting, non-administrator users can access Azure AD using PowerShell but can't read other users' information in Azure AD.

However, as described in Known issues for Microsoft Teams <https://docs.microsoft.com/en-us/microsoftteams/known-issues>, when UsersPermissionToReadOtherUsersEnabled is set to false, Teams can't be used practically.

Is there any way to prohibit access itself of non-administrator users to Azure AD using PowerShell?


dmarc-ruf account?


Hello,

A customer reported that there is a dmarc-ruf account in their Azure AD. What is this account and is it safe to delete it?

It was created by exo_evo_migration@support.onmicrosoft.com


ADFS Setup in Azure Using Internal Load Balancer


Hello

I am hoping someone could advise me, if and where I am going wrong.

Using this link https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-azure-adfs I am trying to set up ADFS within Azure as part of a POC.

Both the DCs and ADFS VMs have been created without any issues. When I create an Azure Internal Load Balancer and configure it, I can't work out why the request to https://adfs.mydomain/adfs/ls/idpinitiatedsignon.htm is not going through the load balancer, even though I have configured a rule which includes the frontend and backend pools.

I have created an A record for host adfs to point to the frontend ip of my load balancer, still no luck.

Hence, reaching out for help, has anyone faced a similar issue?

Much Appreciated

Regards

Jit
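An added client-side check (not from the post) that walks the path a sign-on request takes in the setup described: does the farm name resolve to the load balancer frontend and nothing else, does TCP 443 on that name answer, and is the IdP-initiated sign-on page actually served. The farm name is the one in the post; the frontend IP is a placeholder to be replaced with the ILB's configured frontend address.

```powershell
# Added example, not from the original post. Run from a VM inside the VNet,
# since an internal load balancer is only reachable from there.
param(
    [string]$FarmFqdn = 'adfs.mydomain',
    [string]$ExpectedFrontendIp = '10.0.1.10'   # hypothetical ILB frontend IP
)

$checks = [ordered]@{}

# 1. DNS: the A record must point at the ILB frontend, not at an individual ADFS node.
$answers = @(Resolve-DnsName -Name $FarmFqdn -Type A -ErrorAction SilentlyContinue |
             Where-Object QueryType -eq 'A')
$checks['DnsAnswers']            = ($answers | ForEach-Object IPAddress) -join ','
$checks['DnsResolvesToFrontend'] = ($answers.Count -eq 1 -and $answers[0].IPAddress -eq $ExpectedFrontendIp)

# 2. TCP: the ILB only forwards 443 while its health probe marks a backend healthy,
#    so a closed port here with correct DNS points at the probe or the rule.
$tcp = Test-NetConnection -ComputerName $FarmFqdn -Port 443 -WarningAction SilentlyContinue
$checks['Tcp443Open']    = $tcp.TcpTestSucceeded
$checks['RemoteAddress'] = "$($tcp.RemoteAddress)"

# 3. HTTPS: the sign-on page should come back 200 with a certificate that matches the farm name.
try {
    $r = Invoke-WebRequest -Uri "https://$FarmFqdn/adfs/ls/idpinitiatedsignon.htm" `
                           -UseBasicParsing -ErrorAction Stop
    $checks['SignOnPageStatus'] = $r.StatusCode
} catch {
    $checks['SignOnPageStatus'] = $_.Exception.Message
}

[pscustomobject]$checks
```

Reading the three results together narrows the fault: a wrong DnsAnswers value means the request never reaches the ILB at all, correct DNS with a closed port means the ILB has no healthy backend (the ADFS guide linked in the post configures the probe as HTTP on port 80 against /adfs/probe), and an open port with a failing page request means the problem is on the ADFS nodes or their certificate rather than in the load balancer.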

B2B guest permissions to security groups


Hi,

Is it possible to have guests be able to add guests only to a security group that they are a member of, but be blocked from adding them to other security groups within the same Azure AD?

Some detail. We have a number of subscriptions on a single Azure AD. We want to publish apps to these separate subscriptions, and allow external support companies to access their respective subscription for troubleshooting, should any problems arise. We want each external company to also be able to invite guests in from their own company as well (so one person from each external support company will be in charge of inviting in their colleagues, without us having to have any interaction).

We have created a number of security groups, one for each external company. However, when we invite one in as a guest, and use a dynamic rule to add them to their respective security group, they can invite guests in and then add them to not only the group that they are a member and owner of, but also to other security groups which they are neither owners nor members of, which is a security issue for us.

Right now it appears the only way to do this is to have separate Azure ADs for each subscription, but we would rather keep our single Azure AD and add subscriptions per customer as necessary, then publish our app to that subscription, create a security group for each subscription or app, invite the 3rd party support rep in, then leave them to invite additional colleagues as required so they can work on any issues with the app by themselves, without involving us. Is this scenario possible?

Thanks,
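An added inventory script (not from the post) that makes the condition described above visible: for every guest in the tenant it lists the security groups the guest belongs to and marks whether the guest also owns each one, then reports the guest-to-group pairs where the guest is a member of a group it does not own. It is the baseline to capture before and after changing the tenant's external collaboration settings. It assumes the AzureAD module and a Connect-AzureAD session with directory read rights.

```powershell
# Added example, not from the original post. Read-only: nothing is changed.
Connect-AzureAD | Out-Null

$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true

$report = foreach ($guest in $guests) {
    # Groups this guest owns (ObjectType filters out owned applications etc.).
    $ownedIds = @(Get-AzureADUserOwnedObject -ObjectId $guest.ObjectId -All $true |
                  Where-Object ObjectType -eq 'Group' | ForEach-Object ObjectId)

    # Groups this guest is a member of (directory roles are excluded).
    $memberOf = @(Get-AzureADUserMembership -ObjectId $guest.ObjectId -All $true |
                  Where-Object ObjectType -eq 'Group')

    foreach ($m in $memberOf) {
        $grp = Get-AzureADGroup -ObjectId $m.ObjectId
        if (-not $grp.SecurityEnabled) { continue }   # only security groups matter here
        [pscustomobject]@{
            Guest   = $guest.UserPrincipalName
            Group   = $grp.DisplayName
            GroupId = $grp.ObjectId
            IsOwner = ($ownedIds -contains $grp.ObjectId)
        }
    }
}

# Membership in groups the guest does not own is the situation the post describes.
$report | Where-Object { -not $_.IsOwner } | Sort-Object Guest, Group | Format-Table -AutoSize

# Summary per guest, useful for spotting one guest reaching across several customers' groups.
$report | Group-Object Guest | Select-Object Name, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

The script only observes; the controls that change what guests may do (whether guests can invite, and whether guest permissions are limited) live in the Azure AD external collaboration settings, and this inventory shows whether those settings have had the intended effect.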


Azure AD Connect Installation ERROR


Hello

When I try installing the AAD Connect I get the error 

"An error occurred executing Configure AAD Sync task: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000002-0000-0000-c000-000000000000'."

I already have multi-factor authentication enabled.

What could cause this error?

Thank you


Office 365 ProPlus Auto Activation with Seamless Sign on and Pass-Through Authentication


Hello,

We have Azure AD setup with Pass through authentication with Seamless SSO setup. When users run Office 365 Pro plus (Click to run), it prompts the end user for account info. End user skips the steps and places the office app as unlicensed. If they close the app then re open it, it activates it correctly. I know the SSO is working as they can access the portal without any problems.

We are running Office365ProPlus (deployment) with a shared license setup and auto activation within our xml file.  I've followed the setup and added the required zones as per the setup document.

I'm wondering if there is a fix for the double prompt before it activates the app correctly? Basically trying to eliminate them from entering their info and utilize the SSO for auto activation.

Are there any registry or additional settings required?
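An added client check (not the poster's configuration and not from Microsoft) for the "required zones" part of the setup described: it reports whether the Seamless SSO endpoint is mapped to the Intranet zone on the client, reading both places such a mapping can live, the per-user ZoneMap written by the browser's Internet Options and the Policies ZoneMapKey written by the "Site to Zone Assignment List" GPO. The registry paths are my assumption of where those settings are stored; the host name is the one Seamless SSO uses.

```powershell
# Added example, not from the original post. Run in the context of a user
# who gets the double prompt; 1 is the Local intranet zone number.
$ssoHost      = 'autologon.microsoftazuread-sso.com'
$intranetZone = 1

function Test-ZoneMapping {
    param([string]$Fqdn)
    $found = [ordered]@{ Host = $Fqdn }

    # Manual mapping (Internet Options): ...\ZoneMap\Domains\<domain>\<host>
    # with a DWORD named after the scheme ("https") holding the zone number.
    # Assumed path, labelled as such in the lead-in.
    $label, $domain = $Fqdn -split '\.', 2
    $manual = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$label"
    $found['ManualZone'] = (Get-ItemProperty -Path $manual -Name https -ErrorAction SilentlyContinue).https

    # GPO mapping: ...\Policies\...\ZoneMapKey with the URL as value name and the
    # zone number as string data; the policy can be per-machine or per-user.
    foreach ($hive in 'HKLM', 'HKCU') {
        $policy = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $found["Policy$hive"] = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue)."https://$Fqdn"
    }

    # Any of the three locations placing the host in zone 1 satisfies the requirement.
    $found['InIntranetZone'] = @($found['ManualZone'], $found['PolicyHKLM'], $found['PolicyHKCU']) -contains $intranetZone
    [pscustomobject]$found
}

Test-ZoneMapping -Fqdn $ssoHost
```

If InIntranetZone is false on a machine that shows the double prompt, the zone assignment has not reached that user, which would explain why the first Office activation attempt cannot use the silent Seamless SSO path; if it is true, the zone setup is not the cause and the activation configuration itself is the next thing to look at.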
