Channel: Azure Active Directory forum

Azure AD Hybrid Join Risks


Hello,

I am implementing a project for a customer where I am doing conditional access based on whether the device is domain joined or not, so I need to configure Azure AD Hybrid Join.

The customer is asking about the risks of configuring Azure AD Hybrid Join.

I know it's a simple process, but as you know, in corporate environments details are important.

  • What attributes are synced to Azure AD?
  • Does the device authenticate to Azure? How?
  • What common issues or problems might arise?
  • Any other risks?

thanks in advance

Abdelmonem Elbawab


AAD sync includes the mailboxGUID


Hi, 

A few questions and best practice recommendations. 

I have synced local AD with Azure using AAD. This works. UPNs are soft matched and all IDs are correct.

We still have an Exchange 2010 locally, and the MailboxGUID is synced to Azure AD.

50% of the users have been registered as Contacts in Exchange Online. Their mail address is correct.

After some research I see the issue is that the MailboxGUID is matched to the user online. Removing the MailboxGUID locally is not an option, as this will result in issues with the mailbox itself.

In the rules editor I can "choose" not to include this attribute, but what will the result be for the users already existing online?

Is there a way to "test" this with only one user ?

Any recommendations ?

Active directory Application Permissions Config


Let me explain my situation.

I have one API app and two consumers in AD.

One consumer has permission for the API app, but the other does not.

But when I try to call it, both clients are able to call the API app.

I am calling the API app using APIM, and for calling the API I am using Postman.

I am using this as reference:

https://docs.microsoft.com/en-us/azure/app-service/app-service-mobile-how-to-configure-active-directory-authentication
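A point worth checking in the scenario above: granting an application permission in the portal only controls which app roles appear in the token. Any application registered in the same tenant can request a client-credentials token whose audience is the API, and an app that was never granted a permission simply receives a token with no roles claim. Easy Auth on App Service and an APIM validate-jwt policy without required claims verify the signature and audience, not the roles, so both consumers get through unless the API itself (or the APIM policy) rejects tokens that lack the expected role. The Python below is an added example, not code from the original post or from Microsoft's documentation; it performs that authorization step over the claims of a token whose signature has already been verified upstream. The audiences, tenant id, caller ids and the role name Api.Invoke are assumptions for illustration, and the sample tokens are constructed, unsigned ones used only to exercise the checks offline.

```python
import base64
import json
import time


class AuthorizationError(Exception):
    """Raised when a signature-valid token still must not be allowed to call the API."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. This does NOT check the signature;
    run it only on tokens that APIM validate-jwt, Easy Auth or a JWT library
    has already verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_app_token(claims, expected_audiences, required_role, tenant_id, now=None):
    """Checks a client-credentials token needs beyond signature validation.

    Returns the calling application's id on success. 'appid' is the v1 claim
    and 'azp' the v2 claim for the caller. A token issued to an app that was
    never granted an application permission carries no 'roles' claim at all.
    """
    now = time.time() if now is None else now
    if claims.get("aud") not in expected_audiences:
        raise AuthorizationError("audience %r is not this API" % claims.get("aud"))
    if claims.get("tid") != tenant_id:
        raise AuthorizationError("token issued by foreign tenant %r" % claims.get("tid"))
    if float(claims.get("exp", 0)) <= now:
        raise AuthorizationError("token expired")
    caller = claims.get("appid") or claims.get("azp")
    if required_role not in (claims.get("roles") or []):
        raise AuthorizationError("app %s holds no %r app role" % (caller, required_role))
    return caller


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample only: an alg=none token with an empty signature so the
    claim checks above can run offline. Never accept such a token in real code."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return "%s.%s." % (header, _b64url(json.dumps(claims).encode()))


# Assumed values for the API registration (not taken from the post).
API_AUDIENCES = {"api://my-api", "11111111-1111-1111-1111-111111111111"}  # App ID URI or client id
TENANT = "22222222-2222-2222-2222-222222222222"
REQUIRED_ROLE = "Api.Invoke"  # app role defined on the API's registration
FIXED_NOW = 1_700_000_000

# Constructed claim sets for the two consumers: one granted the role, one not.
GRANTED = {"aud": "api://my-api", "tid": TENANT, "appid": "consumer-a",
           "exp": FIXED_NOW + 3600, "roles": [REQUIRED_ROLE]}
NOT_GRANTED = {"aud": "api://my-api", "tid": TENANT, "appid": "consumer-b",
               "exp": FIXED_NOW + 3600}


def check_caller(token: str) -> str:
    """What the API runs after signature validation: decode, then authorize."""
    return authorize_app_token(decode_jwt_claims(token), API_AUDIENCES,
                               REQUIRED_ROLE, TENANT, now=FIXED_NOW)


if __name__ == "__main__":
    print("consumer-a allowed:", check_caller(make_unsigned_token(GRANTED)))
    try:
        check_caller(make_unsigned_token(NOT_GRANTED))
    except AuthorizationError as err:
        print("consumer-b rejected:", err)
```

With APIM in front, the same rule can be expressed as a required-claims entry for roles in the validate-jwt policy; the point is that some component must require the role rather than merely validate the token.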

Delegating Permissions Assignment

I have a scenario where the user is not a co-sub/sub owner and O365 Global Admins do not have full rights over Azure. What I need is to be able to grant a specific user rights to grant other users Contributor access to Azure Resource Groups (and whatever they may contain, often Azure Websites and associated services like Insights). What is the proper way to go about this through RBAC?

Trevor Seward

Office Servers and Services MVP



Author, Deploying SharePoint 2016

This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Upgrading from early version of Azure AD Connect. ArgumentNullException error


Tried upgrading to the newest version of Azure AD Connect. Getting: "An error has occurred on the Connect to Azure AD page. ArgumentNullException: Value cannot be null. Parameter name: state"

This is on Server 2008 R2; .NET is updated.

Works on Postman but fails from Spring DSL call.


I get the following error using Camel Spring DSL

2018-11-05 23:15:59 ERROR Error running Integration flow IntgOneLoginGetAccessToken_AzureAD
2018-11-05 23:15:59 ERROR Error Variable: errors: org.apache.camel.http.common.HttpOperationFailedException Message:
HTTP operation failed invoking https://login.microsoftonline.com/{{Tenant ID}}/oauth2/v2.0/token with statusCode: 400
INTEGRATION_FLOW
2018-11-05 23:15:59 ERROR org.apache.camel.http.common.HttpOperationFailedException Message:

This is the PHP code from Postman.

<?php

// Postman's "PHP HttpRequest" snippet: HttpRequest, HTTP_METH_POST and HttpException
// come from the legacy pecl_http (v1) extension, so this needs that extension loaded.
$request = new HttpRequest();
$request->setUrl('https://login.microsoftonline.com/dc91a4f8-7b3f-4192b/oauth2/v2.0/token');
$request->setMethod(HTTP_METH_POST);

$request->setHeaders(array(
  'Postman-Token' => '156803b1-d102-42fd-b6f5-4c0f0edcc70b',
  'cache-control' => 'no-cache',
  'content-type' => 'multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW'
));

// Multipart body with one part per client-credentials parameter; the boundary
// string must match the content-type header above exactly.
$request->setBody('------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="grant_type"

client_credentials
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="scope"

https://graph.microsoft.com/.default
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="client_id"

40264a72-840-a3d79349209b
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="client_secret"

wcixfXmBVDS5683$
------WebKitFormBoundary7MA4YWxkTrZu0gW--');

try {
  $response = $request->send();

  // A 200 returns JSON containing access_token; a 400 also returns a JSON error document.
  echo $response->getBody();
} catch (HttpException $ex) {
  echo $ex;
}

Can you please assist?


*Learning--Forgetting--Learning*
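Two things a practitioner would check before comparing the Camel call with the Postman one. First, the Microsoft identity platform documents the token request body as application/x-www-form-urlencoded; the multipart body above works only if every boundary and blank line is reproduced exactly, which is a fragile thing to port between tools. Second, a client secret pasted into a public post should be treated as compromised and rotated. The Python below is an added example, not code from the original post or from Microsoft; it builds the same client-credentials request in urlencoded form (urlencode percent-encodes characters such as the '$' in a secret, which a hand-built body must also do) and parses the JSON document that a 400 from the token endpoint carries, so the AADSTS code in error_description can be logged from Camel's failed response instead of only the status code. Tenant, client id and secret are placeholders, and the two sample replies are constructed in the shape the endpoint documents, not captured traffic.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant, client_id, client_secret, scope=GRAPH_DEFAULT_SCOPE):
    """Return (url, headers, body) for a client-credentials grant.

    The body is application/x-www-form-urlencoded, the encoding the token
    endpoint documents. urlencode() percent-encodes reserved characters in
    the secret and scope, so values like 'abc$' or '/.default' are safe.
    """
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    url = TOKEN_URL.format(tenant=tenant)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(params).encode("ascii")


def parse_token_response(status, body):
    """Turn the endpoint's JSON reply into a small result dict.

    A 200 carries access_token/token_type/expires_in. A 400 carries 'error'
    (short code) plus 'error_description', whose text begins with an
    AADSTS code that identifies the exact rejection reason.
    """
    data = json.loads(body.decode("utf-8"))
    if status == 200 and "access_token" in data:
        return {
            "ok": True,
            "token_type": data.get("token_type"),
            "expires_in": data.get("expires_in"),
            "access_token": data["access_token"],
        }
    desc = data.get("error_description", "")
    aadsts = desc.split(":", 1)[0] if desc.startswith("AADSTS") else None
    return {"ok": False, "error": data.get("error"), "aadsts": aadsts, "description": desc}


def request_token(tenant, client_id, client_secret, scope=GRAPH_DEFAULT_SCOPE):
    """Send the request. urllib raises HTTPError on a 4xx, but the response
    body is still the JSON error document, so it is parsed the same way."""
    url, headers, body = build_token_request(tenant, client_id, client_secret, scope)
    req = Request(url, data=body, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=15) as resp:
            return parse_token_response(resp.status, resp.read())
    except HTTPError as err:
        return parse_token_response(err.code, err.read())


# Constructed sample replies in the documented shape (not captured traffic).
SAMPLE_OK = b'{"token_type":"Bearer","expires_in":3599,"access_token":"eyJ0eXAiOiJKV1QifQ.e30.sig"}'
SAMPLE_400 = (b'{"error":"invalid_request","error_description":"AADSTS90014: The required field '
              b'scope is missing from the credential. Trace ID: 00000000-0000-0000-0000-000000000000",'
              b'"error_codes":[90014]}')

if __name__ == "__main__":
    url, headers, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print(url, headers, body.decode())
    print(parse_token_response(200, SAMPLE_OK))
    print(parse_token_response(400, SAMPLE_400))
```

The same distinction applies to the Camel route: whatever component issues the POST must send the four parameters form-encoded with the matching Content-Type, and the body of the failed exchange, not just the 400, tells you which parameter the endpoint rejected.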

Request.IsAuthenticated is false after logging into Active Directory


Hello,

I have an ASP.NET WebAPI project. When a user authenticates against Microsoft, he should be redirected to my app. After successfully logging into Microsoft, Request.IsAuthenticated is false. I used this tutorial and this example but I don't know what is happening so that it doesn't work for me.

Help please.


ESR not tracking device usage


I have several devices on which I am roaming with ESR, validated by changing the theme and watching it propagate across at least 3 devices. So it would appear that ESR is enabled and working, at least from that perspective. However, when I pull up the user in the Azure portal and check their devices, I don't see any of the devices I am roaming on listed in that window. I am using the filter 'Devices syncing settings and App data' and I don't see any machines. If I use the 'Devices' filter, then I see the five AAD joined machines I am testing with.

I am wondering what, if anything, I have configured wrong, or if I should even expect to see the devices I am roaming on in this blade.

Thanks for any information on this.


Powerbi Report is not authenticating by using Azure AD


Hi,

I am trying to automate the Power BI report so that when the data table is loaded the report is refreshed. I was able to get the access token for some days in production and the reports were refreshed. After some days the same process started failing with the error below. But the process works in development without any interruption. In production the same program executes manually but not with the trigger. Please assist me to resolve this issue. Thanks...

Error: Exception calling "AcquireToken" with "3" argument(s):
"accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed"
At D:\myfolder\RefreshPowerbiReport.ps1:101 char:2
+  throw $_.Exception.Message
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Exception calli...xchange failed":String) [], RuntimeException
    + FullyQualifiedErrorId : Exception calling "AcquireToken" with "3" argument(s): "accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed"

Join on-prem windows server to azure AD DS?


I support a small company that has no local domain controller and uses Office 365, Intune and Azure AD.

Now the need for a local RDS has arrived. I'm wondering if it's a supported solution to set up an IPsec VPN tunnel to Azure and utilize Azure AD DS to join this on-prem server so the users can sign into it with their Azure AD accounts?

AD Sync with AD Connect


Hi, so we use AD Connect to sync our directory into the cloud. This includes all AD distribution groups.

One problem I have is that in the 365 admin console some user accounts are cloud-only. How do I add these users to a distribution group that is synced from our on-prem Active Directory?

Currently online there is no option to make changes to any group, and I am directed toward our on-prem AD to make changes. Obviously I cannot add these users there, as they are cloud-only accounts and so don't appear in our on-prem directory.

What do I do? 

Thanks!  

Azure Load Balancer - Issue with Applications using ViewState and "InProc" Session


Recently I registered my legacy on-premise applications in Azure for SSO and 2FA. But since then we have 2 load balancers, one F5 and the other Azure. Currently F5 is set up for sticky sessions to avoid issues with applications using ViewState and "InProc" session state. But now we also have the Azure load balancer, so these applications have started breaking and throwing "ViewState is invalid" errors very frequently. Please let me know if there is a way to avoid this problem while having both the F5 and the Azure load balancer in place.

Azure AD Smart Lockout


Hey all, I've been having the hardest time finding answers to some Azure AD Smart Lockout questions and I'm hoping someone has some experience with it. I'm looking to move away from ADFS to PTA but there are lingering questions about Smart Lockout and how it functions.

  • Basic Azure AD from O365 with on-prem DirSync (Smart Lockout can't be modified with this: 10 failed login attempts, 60 second lockout.)
  • On-premises password policy is set higher than the thresholds above.

What is the calculation after the next failed login attempt? (Microsoft does not supply the increase, just that it does increase the duration after each failed attempt after lockout) 

At what point does the increase in lockout duration meet a maximum value and what is that value?

How do you unlock an account that's locked out via Smart Lockout?  Will a valid on-premise login to O365 unlock the account and reset the lockout counters for Smart Lockout?

Are bad login attempts logged anywhere in a DC or server running the PTA agent? (Basic Azure AD does not have auditing available for Smart Lockout that I know of.)

Is it possible, if logged somewhere visible, to block an IP from even being able to try to attempt a login?

Azure AD - Provisioning MFA and SSPR information - What to do?


Hello everyone!

I have the following scenario: Azure AD users with existing security details in their user attributes (StrongAuthenticationUserDetails, PhoneNumber and Email).

I've searched for many hours for how to reset this in bulk but I can't get a straight answer. What I would like is to reset all the information and import new information through PowerShell. (For example, I know you can pre-provision this information for SSPR.) Is there a PowerShell / Graph API function to reset this information / re-provision this information for SSPR and MFA?

Best Regards,

Berry Waanders.




Azure B2C: How do I get Custom Attributes back in the token without them being part of the signup attributes?


I have created custom attributes in my B2C instance and have added them to my Sign In or Up policy but I noticed that they are only returned in the token if they are part of the Signup Attributes. If I remove them from Signup and only have them as part of the Application Claims, they do not return with the token. I can however query them with Graph API but the goal is to set Roles and other information that I do not want to be part of the signup experience but would like back with the token so I can save the extra calls to Graph API.

What is the best way to achieve this or is this a bug?


Azure SSO vs ADFS


I'm looking for advice. I set up SSO for Office 365 with ADFS and Azure AD Connect a couple of years ago. Since then I have added 3 more Relying Party Trusts to ADFS.

I am now learning that Azure SSO is something completely different. I have a couple more services I wish to configure with SSO and don't know if I should continue with ADFS or "switch" to Azure SSO. I put "switch" in quotes because I'm not even sure if that is what I need to do. I contacted Azure support and was unable to understand their explanation of my options, only that they recommend I keep using ADFS and it "will be alright".

I have read all the Microsoft documentation, which has only confused me more. I guess I'm looking for real world examples and/or explanations.

thanks,

AADC in staging mode verify


Upgrading our current AADC server connected to an external SQL DB. The new server is in staging mode, but the connector operations don't show the delta syncs every 30 minutes. It only shows the ones I have run manually. Is there a way to verify it's doing the delta and updating the DB? It makes me a little nervous swapping over to the new server if I don't see the deltas in the connector operations screen.

Azure Proxy Connectors - Issue with Applications using ViewState and "InProc" Session


Recently I registered my legacy on-premise applications in Azure for SSO and 2FA. But since then we have 2 load balancers, one F5 and the other the Azure Proxy Connector servers. Currently F5 is set up for sticky sessions to avoid issues with applications using ViewState and "InProc" session state. But now we also have the Azure proxy connector servers, so these applications have started breaking and throwing "ViewState is invalid" errors very frequently. Please let me know if there is a way to avoid this problem while having both the F5 and the Azure proxy connector servers in place.

We have 2 proxy connector servers.

Problem:

Suppose some user accesses application A. The initial request to this application goes to proxy connector server A. Now the user hits some action in that application and that request goes to proxy connector server B. For F5, both these requests will be different even though they are coming from the same user session. F5 may forward these requests to different load-balanced web servers. A few applications are using "ViewState" and "InProc" session state, and for these applications to work properly all requests from the same session should come to the same web server.

Solution:

If somehow we can tune our proxy connector servers so that all requests from the same user session go to the same proxy connector server, then we should be able to fix this problem.

AD sync with Azure Active Directory


We are a small company running two Windows 2012 R2 servers as domain controllers. We are planning to use Microsoft cloud services and will sync our Active Directory to Azure Active Directory. We have some questions.

1. To answer some questions from the form sent to us, what are the Forest Name, Forest and Site? I can search for the concepts, but can someone give me an example or tell me where I can find them?

The articles I read are examples: forest name = forest.local, domain name = domain.local, Forest = corporate.local, domain = corporate.local, site = datacenter. I assume that since we have only one forest and one domain, the forest name, forest, domain name and domain are all the same, for example mydomain.com. The site is Default-First-Site-Name? Not sure.

2. Can we sync our Windows 2012 R2 AD to Azure AD 2016?


Bob Lin, MCSE & CNE Networking, Internet, Routing, VPN Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com

Error# AADSTS50072: We could not add account due to configuration change made by your admin. Must enroll in multi-factor authentication


Hello All,

I am not able to log in to my Azure subscription from VS2015.

It gives me the error below.

We could not add the account ********* AADSTS50072: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access 'some code'

traceid: 'some code'

Sanjay
