Channel: Azure Active Directory forum

Connect-AzureAD failed with error message "An existing connection was forcibly closed by the remote host."

Hi Guys,

I have a customer who is using the AzureAD module to access Azure AD information. He is using the latest version of the AzureAD module. When he executes the cmdlet:

Connect-AzureAD -AzureEnvironmentName AzureCloud -Credential <cred>

It fails with the error message:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.

We got the error log from AppData, and the detailed error message is as follows:

2018-10-25T23:35:53.8456383Z Error InnerException System.Net.Http.HttpRequestException - An error occurred while sending the request..    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper.<GetResponseAsync>d__31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.WsTrust.MexParser.<FetchMexAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.WsTrust.MexParser.<FetchWsTrustAddressFromMexAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenNonInteractiveHandler.<PreTokenRequestAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__37.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.<AcquireTokenAsync>d__0.MoveNext()
2018-10-25T23:35:53.8456383Z Error InnerException System.Net.WebException - The underlying connection was closed: An unexpected error occurred on a send..    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)

We have checked that the firewall is not blocking Azure AD. Any suggestions, please? Thanks!

Thanks

-Justin
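An added check for this failure (example code written for this edit, not from the post or from Microsoft): the trace shows the exception surfacing from MexParser.FetchMexAsync, i.e. ADAL fetching the federation server's WS-Trust metadata (MEX) document on behalf of a federated user, so the connection being closed is most likely the one to the customer's own STS, or to whatever proxy sits in front of it, rather than to Azure AD itself. "An unexpected error occurred on a send" is also what .NET Framework reports when the remote side rejects the TLS version offered, and Windows PowerShell on older .NET Framework releases (before 4.6) offers only SSL 3.0/TLS 1.0 by default. The script opts the session into TLS 1.2 and probes both the MEX URL and the Azure AD discovery endpoint before the cmdlet is retried. The federation host name adfs.contoso.com is a placeholder.

```powershell
# Added example, not from the original post. Checks the TLS protocols this
# PowerShell session offers, adds TLS 1.2, then probes the two endpoints the
# ADAL stack trace shows being contacted before retrying Connect-AzureAD.
# Assumption: the signing-in user is federated and the federation service is
# reachable at adfs.contoso.com (placeholder; use the customer's STS).

$StsHost = 'adfs.contoso.com'
$MexUrl  = "https://$StsHost/adfs/services/trust/mex"

# .NET Framework before 4.6 defaults ServicePointManager to SSL3|TLS1.0. An
# endpoint that has retired TLS 1.0 closes the socket during the handshake,
# which .NET reports as "An unexpected error occurred on a send" /
# "An existing connection was forcibly closed by the remote host".
Write-Host "Protocols before: $([Net.ServicePointManager]::SecurityProtocol)"
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Write-Host "Protocols after:  $([Net.ServicePointManager]::SecurityProtocol)"

function Test-TlsEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -Method Get -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Status = $resp.StatusCode; Ok = $true; Error = $null }
    } catch {
        # A transport-level failure here (not an HTTP 4xx/5xx) points at TLS
        # negotiation, an outbound proxy, or a middlebox resetting the connection.
        [pscustomobject]@{ Url = $Url; Status = $null; Ok = $false; Error = $_.Exception.Message }
    }
}

# The MEX document is what ADAL's MexParser downloads (see the stack trace)
# when a federated user signs in non-interactively with -Credential.
$results = @(
    Test-TlsEndpoint -Url $MexUrl
    Test-TlsEndpoint -Url 'https://login.microsoftonline.com/common/.well-known/openid-configuration'
)
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one endpoint is unreachable from this session; fix that before retrying.'
} else {
    Write-Host 'Both endpoints answered over TLS 1.2; retry:'
    Write-Host '  Connect-AzureAD -AzureEnvironmentName AzureCloud -Credential $cred'
}
```

If the MEX probe fails while the Azure AD probe succeeds, the problem is between the client and the federation server (TLS configuration on the STS or a TLS-inspecting proxy), not the AzureAD module; if both fail after TLS 1.2 is enabled, look at the proxy settings of the account running PowerShell.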


Azure AD Connect Health Sync Monitor High CPU Usage

once again, on WinServer2016 after KB4345418 ...

Is the recommendation to uninstall KB4345418, or to wait for the repair update?

Thx, Paul

Map users default email address in Active Directory to Azure Active Directory Alt email field

I would like to map an Active Directory user's email address to the Azure Active Directory Alt-email. Do I need to write a custom rule in the Azure Synchronization Manager? I am not able to locate the alt email field in the sync rules editor. Need some help...

Allowing bespoke applications to work on Azure AD joined Windows 10 devices

Hi,

We are having a technical challenge when using one of our vendor-managed custom applications after logging on to Windows 10 devices which are Azure AD joined.

The application is installed on the Windows 10 client, and the authentication/operations carried out in the application go through a VPN to a server hosted in a server farm. The application doesn't use any type of OAuth2 process, and access is validated by sending the login information typed into the login screen through the VPN.

Therefore, when I access the application it returns "Error connecting (1312)", which I suspect refers to "a specified logon session does not exist". Technically speaking, we don't want the application to be linked to Azure AD, as the app permissions are maintained in its own database on the server.

It feels like a moot point for Azure AD joined devices, as I ended up setting up another laptop as Azure AD registered, which meant that I create a local administrator account and simply register with Azure AD under the Work or School options. This is not ideal because it doesn't give us complete control over the organisation's devices (these Windows 10 devices are not BYOD).

Is there any way to get around this problem without changing the application's architecture, as that would mean additional cost for us for little benefit (as we don't own the application)? I am not sure if we are missing something about this setup either.

So please feel free to point me with all your suggestions/questions.

Thank you


Export and Import Conditional Policies

Hi all.

I am trying to figure out how to pull a list of all my Conditional Access policies from my Azure Active Directory. I couldn't find any PowerShell command or an API. Could someone help me with any kind of way to import that list?
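Conditional Access policies are exposed through Microsoft Graph at /identity/conditionalAccess/policies (read with Policy.Read.All, create with Policy.ReadWrite.ConditionalAccess). The script below is an added example for this edit, not code from the post: it pages through every policy, writes each to a JSON file, and can re-create policies from those files. It assumes a bearer token for https://graph.microsoft.com is available in the GRAPH_TOKEN environment variable (obtained out of band, for example from an app registration with those permissions) and uses the Graph v1.0 endpoint; the export directory name is arbitrary.

```powershell
# Added example, not from the original post: export all Conditional Access
# policies to JSON via Microsoft Graph and re-create them from the files.
# Assumptions: $env:GRAPH_TOKEN holds a Graph bearer token with Policy.Read.All
# (export) or Policy.ReadWrite.ConditionalAccess (import); v1.0 endpoint.

$AccessToken = $env:GRAPH_TOKEN
if (-not $AccessToken) { throw 'Set GRAPH_TOKEN to a Microsoft Graph access token first.' }

$GraphBase = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
$Headers   = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

function Export-CaPolicies {
    param([Parameter(Mandatory)][string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $uri = $GraphBase
    do {
        $page = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
        foreach ($p in $page.value) {
            $file = Join-Path $OutDir (($p.displayName -replace '[^\w\-]', '_') + '.json')
            $p | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding UTF8
            [pscustomobject]@{ Name = $p.displayName; State = $p.state; Id = $p.id; File = $file }
        }
        $uri = $page.'@odata.nextLink'   # $null once the last page is reached
    } while ($uri)
}

function Import-CaPolicies {
    param([Parameter(Mandatory)][string]$InDir, [switch]$ReportOnly)
    Get-ChildItem -Path $InDir -Filter *.json | ForEach-Object {
        $p = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        # Read-only properties are rejected on POST; strip them if present.
        foreach ($ro in 'id', 'createdDateTime', 'modifiedDateTime', 'templateId') {
            if ($p.PSObject.Properties[$ro]) { $p.PSObject.Properties.Remove($ro) }
        }
        # Stage imports as report-only so a wrong include/exclude (for example a
        # group ObjectId that does not exist in the target tenant) cannot lock
        # administrators out. Switch to 'enabled' after reviewing sign-in logs.
        if ($ReportOnly) { $p.state = 'enabledForReportingButNotEnforced' }
        $body = $p | ConvertTo-Json -Depth 20
        Invoke-RestMethod -Uri $GraphBase -Headers $Headers -Method Post -Body $body |
            Select-Object displayName, state, id
    }
}

Export-CaPolicies -OutDir '.\ca-policies' | Format-Table -AutoSize
# Import-CaPolicies -InDir '.\ca-policies' -ReportOnly
```

Two caveats when importing into a different tenant: user, group and application object IDs inside the conditions are tenant-specific and must be remapped before the POST, and the exported files contain the full policy definition (who is exempted from MFA, which locations are trusted), so treat them as sensitive and keep them out of shared drives.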

Dot-walked ServiceNow attributes being reset

Hi,

Maybe the title sounds weird, but the issue is the following.
At many customers we have implemented the ServiceNow application in Azure AD to provision users into ServiceNow.
Now a customer wants to map one of their extensionAttributes to the user's manager's employee number.
So I expected this would be quite easy: just modify the ServiceNow manager attribute in the application to have it reference sys_user.employee_number instead of just sys_user.
Now I discovered that if I modify (or add) any field which is a reference to a dot-walked field, it is reset to the parent field after I save it.
At first it looks like it's still sys_user.employee_number after I save it, but when I reload the page it shows just sys_user.
When I wait for the synchronization to complete, I see an error saying that something went wrong while mapping the manager to a user and that the manager with a certain name (!) cannot be found. Which is not what I intended, because I want to map to an employee number of a manager.
So it looks like it is indeed reset to just sys_user.

This issue occurs at the customer and in my own development environment.
How can I fix this? Is it even fixable, or is this a bug in the application?

Greetings,

Richard
Plat4mation

Administrative Unit - Role User Account Administrator - Create user

Is it possible for a user with the role User Account Administrator scoped to an Administrative Unit to create a user?

In the Azure portal, when I look at the role description, the user/create right is there (see https://framapic.org/CrD8yjSzN9aH/d8ToqzVMLhOH.png)

But when I try to create a user in PowerShell, it fails with an access denied error:

PS C:\Users\pdl> New-AzureADUser -UserPrincipalName "user4@mytenant.onmicrosoft.com" -DisplayName "User 4" -UsageLocation "FR" -AccountEnabled $true -PasswordProfile $passwordProfile -MailNickName "user4"
New-AzureADUser : Error occurred while executing NewUser
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

Other operations like Set-AzureADUser are OK.
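Before debugging the Authorization_RequestDenied, it helps to see exactly what the calling account holds. The script below is an added example, not from the post: it lists administrative-unit-scoped role memberships next to tenant-wide directory role memberships, so an AU-scoped User Administrator is visibly different from a tenant-wide one. It assumes the AzureAD module's Get-AzureADMS* cmdlets, the output property names AdministrativeUnitId, RoleId and RoleMemberInfo as returned at the time, and that RoleId matches the ObjectId returned by Get-AzureADDirectoryRole. As I understand the administrative-unit preview at the time of this post, creating a user was not an AU-scoped operation (a new object is not yet a member of any AU), so an AU-scoped administrator could update existing members but not create new users; that behaviour has changed since, so check current documentation before relying on it.

```powershell
# Added example, not from the original post: list who holds which directory
# role, and whether the assignment is tenant-wide or scoped to an
# administrative unit. Assumption: AzureAD module (Connect-AzureAD first);
# Get-AzureADMSScopedRoleMembership returns RoleId / RoleMemberInfo and RoleId
# equals the ObjectId from Get-AzureADDirectoryRole.

$Roles = Get-AzureADDirectoryRole
$RoleNames = @{}
foreach ($r in $Roles) { $RoleNames[$r.ObjectId] = $r.DisplayName }

function Get-AuScopedAssignments {
    foreach ($au in Get-AzureADMSAdministrativeUnit) {
        foreach ($m in Get-AzureADMSScopedRoleMembership -Id $au.Id) {
            $roleName = if ($RoleNames.ContainsKey($m.RoleId)) { $RoleNames[$m.RoleId] } else { $m.RoleId }
            [pscustomobject]@{
                Member             = $m.RoleMemberInfo.UserPrincipalName
                Role               = $roleName
                Scope              = 'AdministrativeUnit'
                AdministrativeUnit = $au.DisplayName
            }
        }
    }
}

function Get-TenantWideAssignments {
    foreach ($role in $Roles) {
        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            [pscustomobject]@{
                Member             = $member.UserPrincipalName   # null for groups/service principals
                Role               = $role.DisplayName
                Scope              = 'Tenant'
                AdministrativeUnit = $null
            }
        }
    }
}

function Get-AllRoleAssignments {
    @(Get-TenantWideAssignments) + @(Get-AuScopedAssignments) | Sort-Object Member, Role
}

Get-AllRoleAssignments | Format-Table -AutoSize

# To see only what the account that ran New-AzureADUser holds:
# Get-AllRoleAssignments | Where-Object Member -eq '<admin upn>'
```

If the account appears only under Scope = AdministrativeUnit, that explains why Set-AzureADUser on AU members works while New-AzureADUser is denied; if it also appears under Scope = Tenant with a role that cannot create users, the AU assignment is not the limiting factor.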

Azure AD B2C: Error "AADSTS50049: Unknown or invalid instance" after setting redirect URL to use b2clogin.com

I'm trying to adopt the new b2clogin.com before login.microsoftonline.com is deprecated, but keep getting Error: "AADSTS50049: Unknown or invalid instance".

I'm making an authentication call from a Xamarin.Android app to an ASP.NET Core 2.1.1 web API.

I can make a successful call with Postman using mytenant.b2clogin.com, so I believe the AD B2C tenant and the web API are set up correctly. Also, I've been using login.microsoftonline.com successfully.

It seems as though my problem is in how to format the authority for the PublicClientApplication I'm using to acquire authorization.

// Current code to make the call:
AuthenticationResult ar;
PublicClientApplication PCA;
UIParent uiParent = new UIParent(this);
string[] Scopes = { "https://mytenant.onmicrosoft.com/api/read" };
string ClientID = "00000-000-00000-000000";   // placeholder application (client) id
string Authority = "https://mytenant.b2clogin.com/tfp/mytenant.onmicrosoft.com/b2c_1_signupin";
PCA = new PublicClientApplication(ClientID, Authority);
ar = await PCA.AcquireTokenAsync(Scopes, uiParent);

Any feedback on how this should be formatted/assigned will be appreciated.  Thanks.
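AADSTS50049 is returned by the Azure AD instance-discovery endpoint when a library asks it to validate an authority host it does not know, and b2clogin.com is not among the hosts it knows. The B2C guidance for MSAL.NET 1.x at the time was, as I recall it, to construct the PublicClientApplication as above and then set its ValidateAuthority property to false; later MSAL.NET versions provide WithB2CAuthority on the builder instead, so verify against the MSAL version in use. Whichever applies, an authority that the library does not validate must stay a hard-coded constant: if an attacker can influence that string, the sign-in (and the tokens that come back) go to whatever host they name. The PowerShell below is an added example, not from the post: it resolves the post's authority to its OpenID Connect discovery document and confirms that every advertised endpoint sits on the expected b2clogin.com host, which is the check I would run before touching the app code. mytenant and b2c_1_signupin are the post's placeholders.

```powershell
# Added example, not from the original post: fetch the OpenID Connect metadata
# for a B2C authority in the tfp/<tenant>/<policy> format and verify that the
# endpoints it advertises are on the same b2clogin.com host.
# Assumptions: tenant 'mytenant' and policy 'b2c_1_signupin' are placeholders.

$Tenant    = 'mytenant'
$Policy    = 'b2c_1_signupin'
$Authority = "https://$Tenant.b2clogin.com/tfp/$Tenant.onmicrosoft.com/$Policy"

function Test-B2CAuthority {
    param([Parameter(Mandatory)][string]$Authority)

    $authorityHost = ([Uri]$Authority).Host
    $metadataUrl   = "$($Authority.TrimEnd('/'))/v2.0/.well-known/openid-configuration"

    # A 404 here means the tenant name, policy name, or authority format is wrong;
    # Invoke-RestMethod throws, so the caller sees the exact URL that failed.
    $meta = Invoke-RestMethod -Uri $metadataUrl -Method Get

    $names = 'authorization_endpoint', 'token_endpoint', 'jwks_uri', 'end_session_endpoint'
    $endpoints = foreach ($name in $names) {
        $value = $meta.$name
        [pscustomobject]@{
            Endpoint    = $name
            Url         = $value
            HostMatches = [bool]($value -and (([Uri]$value).Host -eq $authorityHost))
        }
    }

    [pscustomobject]@{
        MetadataUrl = $metadataUrl
        Issuer      = $meta.issuer
        AllOnHost   = -not ($endpoints | Where-Object { -not $_.HostMatches })
        Endpoints   = $endpoints
    }
}

$check = Test-B2CAuthority -Authority $Authority
"Metadata: $($check.MetadataUrl)"
"Issuer:   $($check.Issuer)"
$check.Endpoints | Format-Table -AutoSize
if (-not $check.AllOnHost) {
    Write-Warning "Some endpoints are not on $(([Uri]$Authority).Host); re-check the authority string."
}
```

If this check passes, the authority string itself is fine and the remaining cause of AADSTS50049 is the library's authority validation, not the tenant or the web API.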





Intune Device Clean up rules

Hello,

I was directed here by @AzureSupport.

Do the automatic clean up rules just delete the device record from Intune, or does it issue a retire/wipe command before deleting the record?

I've checked the documentation available on docs.microsoft.com, and cannot find a definitive answer. For example, from docs.microsoft.com/en-us/intune/devices-wipe (sorry, can't post URLs until my account is verified):

"You can configure Intune to automatically delete devices that appear to be inactive, stale, or unresponsive. These cleanup rules continuously monitor your device inventory so that your device records stay current. Devices deleted in this way are removed from Intune management."

Unlock accounts in Azure Active Directory Domain Services

I've just set up Azure Active Directory Domain Services and noticed that accounts get locked out after 5 failed attempts, even though the default domain group policy lockout threshold is set to 0. I'm also not able to unlock user accounts when logged in as a member of the AAD DC Administrators group.

Is there a way to modify the lockout threshold and to unlock accounts?
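Azure AD DS enforces its lockout settings through a fine-grained password policy (a Password Settings Object; the built-in one is named AADDSSTSPasswordPolicy, with 5 failed attempts in 2 minutes and a 30-minute lockout), and in Active Directory a PSO that applies to a user overrides the Default Domain Policy for that user, which is why the GPO threshold of 0 has no effect. Members of AAD DC Administrators can create their own PSO with a higher precedence (a lower Precedence number). The script below is an added example, not from the post: it shows the policies in force, creates a custom one, reports a user's lockout state, and refuses to set a threshold of 0, because an account that never locks is the one condition under which online password guessing against the domain is unlimited. It assumes a domain-joined management VM with the RSAT ActiveDirectory module; the policy, group and user names are placeholders. Unlock-ADAccount is the standard unlock cmdlet; the post reports unlocking being denied, so whether the managed domain grants that right to AAD DC Administrators is something to verify against current Azure AD DS documentation (the built-in policy's lockout duration bounds the wait otherwise).

```powershell
# Added example, not from the original post: inspect, create and apply a
# fine-grained password policy in an Azure AD DS managed domain and check a
# user's lockout state. Assumptions: run on a domain-joined VM with RSAT as a
# member of 'AAD DC Administrators'; names below are placeholders.

Import-Module ActiveDirectory

# PSOs in force. The built-in AADDSSTSPasswordPolicy is what locks accounts
# after 5 bad attempts regardless of the Default Domain Policy GPO.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, LockoutObservationWindow, LockoutDuration, AppliesTo |
    Format-Table -AutoSize

function New-AaddsLockoutPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetGroup,  # group the PSO applies to
        [int]$Precedence = 10,        # lower number = wins over higher-numbered PSOs
        [int]$LockoutThreshold = 10   # 0 would disable lockout entirely
    )
    if ($LockoutThreshold -le 0) {
        throw 'Refusing to create a policy that never locks accounts; raise the threshold instead.'
    }
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -LockoutThreshold $LockoutThreshold `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ComplexityEnabled $true -MinPasswordLength 14 `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $TargetGroup
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Get-UserLockoutState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt
    [pscustomobject]@{
        User            = $u.SamAccountName
        LockedOut       = $u.LockedOut
        BadLogonCount   = $u.BadLogonCount
        LastBadAttempt  = $u.LastBadPasswordAttempt
        # Which PSO actually applies to this user (highest precedence wins).
        EffectivePolicy = (Get-ADUserResultantPasswordPolicy -Identity $SamAccountName).Name
    }
}

# New-AaddsLockoutPolicy -Name 'Contoso-Lockout' -TargetGroup 'AAD DC Administrators'
# Get-UserLockoutState -SamAccountName 'jdoe'
# Unlock-ADAccount -Identity 'jdoe'
```

Raising the threshold and lengthening the observation window is the usual compromise for users who mistype passwords; removing lockout altogether hands an attacker with network access to the managed domain an unthrottled guessing oracle.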

Add role in web.config

Hi,

I have a web.config that looks like this:

<configuration>
  <system.web>
    <authorization>
      <allow roles="skaredom\se-eos users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

This works on premises, but now I want it to work in Azure. I have an Azure web site where it works if I change the allow roles to <allow users="myemail.address@skaredom.com" /> (actually I had to change this from skaredom\myaccount when on-prem). But when adding the skaredom\se-eos users group, it won't work.

According to my network/Azure guys at work, they have added a synchronization of that specific group to Azure AD.

So should it work similarly to this? Should I change the name to an "FQDN" address, such as se-eos-users@skaredom.com or similar? Is there an FQDN name for groups/roles? If so, what do I do with the space in the group name?

Best regards
/Magnus


Magnus Burk

Azure Active Directory cannot be deleted due to (invisible) registered app

I have a problem deleting one of my Active Directories.

When I try to delete the directory from its dashboard, it shows there are still some registered apps and I cannot proceed to the next step.

I confirmed that there are no apps shown, as the pictures indicate, and am not sure how to resolve the problem.
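Directory deletion refuses to proceed while any application registered in that directory still exists, and the portal's application list is easy to misread: the App registrations blade can be filtered to the signed-in user's own apps, and enterprise applications (service principals) live on a separate blade. The script below is an added example, not from the post: it enumerates every app registration with its owners and every service principal, marks service principals whose application is registered in another tenant, and can delete the local registrations after a dry run. It assumes the AzureAD module connected to the directory being deleted.

```powershell
# Added example, not from the original post: full application inventory of a
# directory, then optional deletion of the app registrations that block
# directory deletion. Assumption: AzureAD module, already connected with
# Connect-AzureAD -TenantId <directory id> as a Global Administrator.

function Get-DirectoryApplicationInventory {
    # App registrations, with owners, regardless of who owns them.
    $apps = Get-AzureADApplication -All $true | ForEach-Object {
        $owners = Get-AzureADApplicationOwner -ObjectId $_.ObjectId |
                  ForEach-Object { $_.UserPrincipalName }
        [pscustomobject]@{
            Kind        = 'AppRegistration'
            DisplayName = $_.DisplayName
            AppId       = $_.AppId
            ObjectId    = $_.ObjectId
            Owners      = ($owners -join ';')
        }
    }
    $localAppIds = @($apps | ForEach-Object { $_.AppId })

    # Service principals whose AppId is not registered here belong to another
    # tenant (Microsoft first-party or multi-tenant apps consented into this one).
    $sps = Get-AzureADServicePrincipal -All $true | ForEach-Object {
        [pscustomobject]@{
            Kind        = if ($localAppIds -contains $_.AppId) { 'ServicePrincipal (local app)' }
                          else { 'ServicePrincipal (external app)' }
            DisplayName = $_.DisplayName
            AppId       = $_.AppId
            ObjectId    = $_.ObjectId
            Owners      = ''
        }
    }
    @($apps) + @($sps)
}

function Remove-LocalAppRegistrations {
    param([switch]$WhatIf)
    foreach ($app in Get-AzureADApplication -All $true) {
        if ($WhatIf) {
            "Would delete app registration '$($app.DisplayName)' (AppId $($app.AppId))"
            continue
        }
        Remove-AzureADApplication -ObjectId $app.ObjectId
        "Deleted app registration '$($app.DisplayName)' (AppId $($app.AppId))"
    }
}

Get-DirectoryApplicationInventory | Sort-Object Kind, DisplayName | Format-Table -AutoSize
# Remove-LocalAppRegistrations -WhatIf   # review the list first; then run without -WhatIf
```

Anything listed as AppRegistration is what the deletion wizard counts; external service principals are consents into this directory and disappear with it. Check the Owners column before deleting: a registration with credentials that is still in use by a workload elsewhere will fail the moment it is removed.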

Seamless SSO - A couple of questions?

Hello, 

We've just implemented Azure AD Password Hash Sync with Seamless SSO, and in browsers it's working as it should.

But I have some questions I can't seem to find the answers to.

When we are outside of the corporate network (outside of LAN and VPN) SSO isn't working in the browser; when we reach portal.office.com we are asked for credentials. Shouldn't Seamless SSO work the same way internally and externally?

When we install Office 365 and start Outlook for the first time, we are prompted for a password, and after that to log in to Office 365 to activate the Business Premium licence. Why is that? It seems that SSO is not working in the Office applications.

ForceDelete Custom Domain

I need to remove a custom domain from Azure AD. I am unable to do so because the Azure account login is an email address on the same domain as the custom domain I am trying to remove. The Azure account was created long before the custom domain was added and verified. https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-manage states that the custom domain can be force-deleted, but it doesn't say how to go about doing this. How do I remove this custom domain?

Azure Active Directory Connect - email addresses

Hi,

*My plan is to migrate mailboxes from on-premises Exchange to Office 365. Azure AD Connect is syncing passwords.*

I wonder why email addresses aren't synced. All attributes have been triple-checked already. The domain is verified and licenses are also set up.

If I create a user in the cloud, it immediately has an email address, as expected. Synced users' email is empty. Is this because they still have mail in on-premises Exchange? Will the email address pop up after the big bang to 365?

-LeMuk


MS Azure AD Sync

I am having a problem with my secondary ADFS services. I cannot get the sync service to start on my secondary. I get an error that Windows could not start the service. When I look at the event log I see:

The description for Event ID 7024 from source Service Control Manager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

Microsoft Azure AD Sync
%%2149781504

Azure AD

Extended attributes are not showing in the Azure AD user profile but are showing in metaverse search. What can the problem be?

How to become global admin in AAD for partner network

Hello,

We have 2 accounts: one Microsoft account for more than 10 years and one AAD account we added. To move to the new partner environment I need to set the AAD account to the level of Global Administrator. How do I do this?

Regards

Alain Grijseels

User is not a Member

The problem I am having is: how do I make a user a Member?

The field is under Profile > Identity > User type.

And for some users this field is blank, and for some it lists them as Members.

Azure AD B2C Increase Request Limit

Currently it is able to support around 6,000 requests per minute, beyond which it fails with a Too Many Requests status code. We are in the process of load testing our identity management service. For this we need the request limit to be increased in Azure AD B2C to support around 40,000 requests per minute.