Channel: Azure Active Directory forum

Azure AD Federation with Custom IDP installed On Prem (Without User or Password Sync)


I am looking to configure Azure AD to use a custom IDP installed on-premises for SAML federation.

Is it possible that a user logging into Salesforce (partnership configured in Azure under Enterprise Apps) is redirected to the Azure login page, and Azure then redirects to the custom IDP login page based on the federated domain in the user ID?
Authentication takes place on-premises and a token is returned to Azure, which further processes it, redirects, and logs the user into Salesforce.

I have tried using AD Connect and ADFS and it works, but it requires user sync.

I am not looking to sync users from on-premises to Azure AD.


Get access without a user for Microsoft Graph/SharePoint Online API

Hi,

I have registered my app under Azure Active Directory. I have granted permissions to "Microsoft Graph" and "Office 365 SharePoint Online".

I have implemented an API (Node.js) which uses bearer authentication (an authentication token must be passed).

In my UI I authenticate the user and pass his token to the API. Everything is working fine.

But now the requirements are:

1) I have to call the SharePoint API through my back-end scheduler. As no user details are available, I have generated a token using "Client Credentials".
But when I pass that token it gives me the error "=\"There has been an error authenticating the request.\";category=\"invalid_client\"",

2) The second requirement is that I have one back-end scheduler which calls my API.
So the scheduler tries to generate a token using "Client Credentials", but it is not working. I am able to generate a token, but when I pass that token I get an unauthorized message.

Please help.

Create organisational SIP enabled Contacts


Hi All,

I know this might seem quite a specific task, but I have a very large client that would like to have the ability to create SIP-enabled contacts at an organisational level in Azure AD which are not synchronized from on-premises AD.

We can create mail-enabled contacts using the Exchange PowerShell command New-MailContact, but we can't add the SIP address so that it will show in the list of contacts from within Skype for Business Online/Teams.

We have looked into the Microsoft Graph API but there is no option to add an organisational SIP contact.

I have asked the question in the Skype for Business forum and I have been pointed to this forum to give it a try.

Thanks,

Dan

Azure AD Enterprise App "User Assignment Required?" option does nothing


I have added a 3rd-party app from the Application Gallery for the purposes of SAML SSO. This app is configured and the SSO works properly, so I am getting ready to deploy it to my users. Initially I had set the "User assignment required?" option to yes during testing so only I could see it. I then assigned the application to myself and was able to see it in my app list and sign in to it from the link in the app list.

I have now set "User assignment required?" to no, since this is an application to which all users in my organization should have access. I don't want to have to assign every user to it. According to the tooltip for this setting, when the option is set to no as I have done, any user who navigates to the application link will be able to access it.

This is not the case. When I look at the My Apps list for another user they cannot see it, and when I try to go to the app URL directly as that user I get the message

Oops, this link isn’t working…
This link to Citra University is invalid. Click the link below to see what applications you have access to. Otherwise, contact your administrator or the person who gave you this link to resolve this issue.

This seems to suggest that user assignment is still required even though I have disabled the option.

Why is this happening when I have disabled the user assignment requirement?

Bind to Azure LDAPS via Azure AD Domain Services always returns Invalid credential


I've read a lot of messages in these forum questions, but I've not found any right answer to my problem.

I've configured my domain "domain.onmicrosoft.com" following the documentation steps described here:

- https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap

- https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started

My target was a cloud-only user accounts configuration.

After tasks 1 to 4 I've managed to connect to the LDAP server on port 636 and got a response (good!)

I voluntarily skipped task 5 because I don't need to authenticate users on the managed domain.

What I want to do now is to test the bind with a generic LDAP client (Softerra, ldap.exe), but it always gives me "Invalid Credential":

res = ldap_simple_bind_s(ld, 'CN=administrator.email,OU=AAD DC Administrators,DC=domain,DC=onmicrosoft,DC=com', <unavailable>); // v.3
Error <49>: ldap_simple_bind_s() failed: Invalid Credential
Server error: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

I've tried these DNs as the Principal value for the LDAP bind:

CN=administrator.email,OU=AAD DC Administrators,DC=domain,DC=onmicrosoft,DC=com

CN=administrator.email,OU=AADDC Users,DC=domain,DC=onmicrosoft,DC=com

CN="administrator name",OU=AAD DC Administrators,DC=domain,DC=onmicrosoft,DC=com

CN="administrator name",OU=AADDC Users,DC=domain,DC=onmicrosoft,DC=com

CN=other.administrator.email,OU=AAD DC Administrators,DC=domain,DC=onmicrosoft,DC=com

administrator.email

What is wrong?

Thanks
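The bind failure quoted in the post carries two codes worth reading before changing anything else: the LDAP result code (49) and the Active Directory "data" subcode (52e), which says why the DC rejected the credentials. The following is an added example, not code from the post or from Microsoft, that extracts both from LDAP client output and explains them; the sample input is the output quoted above, and the subcode table is the standard AD AcceptSecurityContext set.

```python
import re
from typing import Optional

# LDAP result codes seen on a failed simple bind (RFC 4511 names).
LDAP_RESULT_CODES = {
    8: "strongerAuthRequired",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# AD-specific "data" subcodes appended to an AcceptSecurityContext failure.
# 52e means the DC ran the password check and it failed. On an Azure AD DS
# managed domain with cloud-only accounts, 52e is also what you see when the
# account's password hashes were never generated for the managed domain (the
# password-synchronization step of the getting-started guide).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or no usable password hash for this directory)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_RESULT_RE = re.compile(r"Error <(?P<code>\d+)>")
_SERVER_RE = re.compile(
    r"comment:\s*AcceptSecurityContext error,\s*data\s+(?P<data>[0-9a-fA-F]+)"
)


def explain_bind_failure(output: str) -> dict:
    """Pull the LDAP result code and the AD subcode out of client output and
    say what they mean. Fields that are not present are reported as None."""
    result: dict = {"ldap_result": None, "ldap_result_name": None,
                    "ad_subcode": None, "ad_subcode_meaning": None}
    m: Optional[re.Match] = _RESULT_RE.search(output)
    if m:
        code = int(m.group("code"))
        result["ldap_result"] = code
        result["ldap_result_name"] = LDAP_RESULT_CODES.get(code, "unknown")
    m = _SERVER_RE.search(output)
    if m:
        sub = m.group("data").lower()
        result["ad_subcode"] = sub
        result["ad_subcode_meaning"] = AD_BIND_SUBCODES.get(sub, "unknown subcode")
    return result


# Sample input: the client output quoted in the post above.
SAMPLE_OUTPUT = """\
Error <49>: ldap_simple_bind_s() failed: Invalid Credential
Server error: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
"""

if __name__ == "__main__":
    for key, value in explain_bind_failure(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

A subcode other than 52e (for example 533 or 775) points at the account's state rather than the DN or password, so it is worth reading before retrying with other DN forms.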


Unlink unused directory from my Azure subscription


Hi there,

I've got a bunch of unused directories linked to my account and I'd love to get rid of them without contacting their administrators.

Hope it's not a big deal.

Thanks.



ADB2C token from Msal not accepted


We have created a function app in the main tenant. The function app is protected by an ADB2C instance which is linked to this main tenant.

What works:

- Calling a function (e.g. https://<myfunction-app>.azurewebsites.net/api/test) via the browser redirects to the ADB2C login. After successful login the function runs correctly.

- Logging into the ADB2C tenant via Msal from an Angular app works. We get a token after login, and we get a token when calling a URI or function such as https://<myfunction-app>.azurewebsites.net/api/test

- These tokens can be visualized with https://jwt.ms and look fine

What doesn't work:

- Calling a function in the function app with the token from Msal (e.g. this.http.get(https://<myfunction-app>.azurewebsites.net/api/test)...) returns a 401 error (unauthorized). The token is included in the HTTP header

- Testing the function and inserting the received token manually in the Azure portal also returns a 401

Summary

- Function app protection via ADB2C works
- Msal login in ADB2C works

It is only the path "Msal -> token -> function-app" which leads to a 401.

Has anyone successfully implemented the protection of a function/web app via ADB2C and Msal? Any hints where to look are most welcome.

Thank you.



Azure AD B2C SAML IDP: how to include sessionIndex in the OAuth2 JWT

I have integrated a SAML2 IdP with Azure AD B2C. I am able to perform OAuth2 authentication and obtain id_token and access_token successfully.

I have a requirement to extract the SSO sessionIndex or session ID from the SAML assertion into the id_token/access_token. I noticed sessionIndex/ID are not coming as a `<saml:Attribute>`, but they are available under `<saml:AuthnStatement>`:

<saml:AuthnStatement AuthnInstant="2018-10-30T18:28:42Z"
    SessionIndex="A659D5A1B123456BA0EA744B80CB1AFA2EB6BBD14"
    SessionNotOnOrAfter="2018-10-31T02:30:42Z">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>

Here are my custom policy settings:

<ClaimsProvider>
  <Domain>samlIdp</Domain>
  <DisplayName>samlIdp</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="samlIdpProfile">
      <DisplayName>samlIdpProfile</DisplayName>
      <Description>Login with your account</Description>
      <Protocol Name="SAML2" />
      <Metadata>
        <Item Key="RequestsSigned">false</Item>
        <Item Key="WantsEncryptedAssertions">false</Item>
        <Item Key="WantsSignedAssertions">false</Item>
        <Item Key="PartnerEntity">https://samlIdp.com/.well-known/samlidp.xml</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SAMLSigningCert" />
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="userId" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="username" />
        <!-- newly added claims -->
        <OutputClaim ClaimTypeReferenceId="sessionId" DefaultValue="na" PartnerClaimType="ID" />
        <OutputClaim ClaimTypeReferenceId="sessionIndex" DefaultValue="na" PartnerClaimType="sessionIndex" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <!--<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" /> -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

I need to get this sessionIndex as part of my OAuth2 JWT. Any help would be appreciated.


Redirect URI - wildcard is not valid


Someone saw the following validation message (e.g. for "https://something.com/*") while manually configuring a Redirect URI (reply URL), but I have not been able to find documentation on it. Everything I do find says wildcards are valid.

"Does not contain wildcard characters"

I was told this is Azure Commercial with previews enabled. Any idea? Please advise.

https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Authentication/appId/7b47a8de-3e7c-4d68-87aa-846d0414e86c/objectId/3b9f5e93-4cc0-4694-aa81-aace81af44d2/isMSAApp/




Remove AAD Application Proxy connector from Azure Portal


Hi,

Issues just like this post. But I've now had one inactive for well over 10 days and it's still showing in the portal, albeit 'inactive'. Should it not have gone away by now?

Thanks

Azure RiskySignIns vs Office365 Audit log search


Hi there. We have started getting some trouble with hackers getting the passwords of our users (probably tricking them through fake websites). We are currently starting to roll out multifactor authentication, but this takes time. In the meantime we are trusting Azure Risky Sign-ins ( https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RiskySignIns ); however, we have discovered that this does not pick up nearly enough. When we go to the audit log search ( https://protection.office.com/#/unifiedauditlog ) for a user, we often find that the account has been successfully logged in from IPs in many countries.

Is Risky Sign-ins broken, or does Azure not log users logging in through Office 365? Could somebody explain to me the differences between these services?

Upgrading from early version of Azure AD Connect. ArgumentNullException error


Tried upgrading to the newest version of Azure AD Connect. Getting: An error has occurred on the Connect to Azure AD page. ArgumentNullException: Value cannot be null. Parameter name: state

This is on Server 2008 R2; .NET is updated.

Who will be announced as the next Azure Active Directory Guru? Read more about November 2018 competition!!


What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in November 2018 and must be in English. However, the original blog or forum content can be from before November 2018.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki under your own specialty category.


How can you win?

  1. Please copy/write over your Microsoft technical solutions and revelations to TechNet Wiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed).
  3. (Optional but recommended) Add a link to your article at the TechNet Wiki group on Facebook. The group is very active and people love to help; you can get feedback and even direct improvements to the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about the TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Syed Shanu.




Thanks,
Kamlesh Kumar

If my reply is helpful please mark as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

Azure AD Connect group writeback and msExchHideFromAddressLists


Latest version of AADC in use with group writeback enabled. After AADC creates the O365 Groups in AD, I run Update-Recipient on the group to give it mail attributes so it can be used by on-prem mail users.

I've created Office 365 Groups and hidden them from the GAL using Set-UnifiedGroup "group@domain.com" -HiddenFromAddressListsEnabled $True, and this works to hide the O365 Group from cloud mailboxes in O365.

The problem is that on-prem mailboxes are still able to see the Office 365 Group in the GAL. If I modify the group in AD and set msExchHideFromAddressLists to TRUE, then on-prem users no longer see the O365 Group in the GAL, BUT, on the next AADC sync, the msExchHideFromAddressLists attribute is overwritten and set back to <not set>.

In reviewing the sync rules, the inbound rule named "In from AAD - Group SOAinAAD" does NOT include msExchHideFromAddressLists in the transformations, so this attribute never gets into the metaverse for any O365 Group objects. To try and address this issue I modified a custom version of this rule, added a transformation for msExchHideFromAddressLists, and did a full sync, but this attribute never comes into the metaverse on O365 Group objects. I've tried a number of different ways to make this work but none do.

This seems like some kind of bug, as there is an outbound rule named "Out to AD - Group SOAinAAD" that includes the msExchHideFromAddressLists attribute. This implies MSFT intends for this setting to push from AAD to AD, but since the inbound rule doesn't have this attribute (nor can I get it to work by manually adding it), the "hide in GAL" setting of an O365 Group set in the cloud can never come down to AD.

Is there some way to resolve this so the msExchHideFromAddressLists attribute can be synced in from Azure AD as part of group writeback?



User received invite in Spanish instead of English

A new guest user was added in Azure AD and they received the invite in Spanish instead of English 

Windows 7 Workplace Join and AD


Hi All,

We're currently using AD Connect and seamless SSO to hybrid Azure AD join and workplace join our Windows 7 computers in preparation for an O365 migration. The issue is that we have hundreds of Windows 7 computers and we're pushing out workplace join to all of them; however, we can't tell for sure that all Windows 7 computers will get the software.

How can we be sure all Windows 7 computers will be hybrid AD joined before we move to O365?

Thanks,

Azure AD SAML App access to corporate user using custom IDP


I want to provide access to all SAML applications in Azure to on-premises users without synchronizing users into Azure AD.

The flow should be: when the user accesses the app, they are redirected to the Azure login page; once the user provides the user ID (without entering a password), the user is redirected to the IDP login page and enters credentials on the IDP login page. After successful authentication the user is redirected to the application.

Please let me know how to implement this using Azure.

Thanks,

Ankit

How to get the access_token to call REST APIs on Azure Portal


How can I call APIs on Azure portal?

I have some requirements that need to call rest APIs on Azure Portal in my code. I noticed that some actions can be done on the Portal but there are no associated API or SDK provided by Microsoft.

Azure AD Connect Health Sync Monitor High CPU Usage

Hello. I have Azure AD Connect installed on my server to sync our on-premises domain with Office 365, and I'm noticing the Azure AD Connect Health Sync Monitoring Service is always running at high CPU usage. The actual process is Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe. Is there a reason for this or a way to fix it? Right now, I'm just stopping the Azure AD Connect Health Sync Monitoring Service (AzureADConnectHealthSyncMonitor) and my resources go back to normal. I'm running Azure AD Connect 1.1.819.0, so it is the latest version. If I restart the service, things are normal for a few minutes before this process spikes again. Any help would be appreciated. Thanks!