Channel: Azure Active Directory forum

How can I specify a directory (or all directories accessible) to query over REST API?


Using the PowerShell Azure module, it returns all subscriptions to which I have access, or "x" number of subscriptions.

Connect-AzureRmAccount

(Get-AzureRmSubscription).count ### = 'x'


Using PowerShell to access the REST API, it only returns the subscriptions in my default directory, or a count of "x-y". How can I either have the API return all the subscriptions accessible by the account, or let me specify which directory I want to query?

$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile

$azureRmProfileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)

$azureRmContext = Get-AzureRmContext

# The token is acquired for the tenant of the current context only
$token = $azureRmProfileClient.AcquireAccessToken($azureRmContext.Subscription.TenantId)

$subsApi = 'https://management.azure.com/subscriptions?api-version=2016-06-01'

$headers = @{"Authorization" = "bearer " + $token.AccessToken}
$subs = Invoke-RestMethod -Uri $subsApi -Headers $headers
($subs.value).count ### returns "x-y" where y > 0
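Editor's note with an added example (not part of the post above). The difference the poster sees follows from how ARM tokens are scoped: an access token is issued for a single Azure AD tenant (its tid claim), and GET /subscriptions only returns subscriptions whose home tenant matches that token. Get-AzureRmSubscription hides this by walking every tenant the account belongs to. The script below does the same over REST: it lists tenants with the ARM /tenants endpoint, acquires a token per tenant with the same AcquireAccessToken call the post uses, and lists each tenant's subscriptions. It assumes the AzureRm module is loaded and Connect-AzureRmAccount has already run in the session.

```powershell
# Added example (not from the post): list subscriptions across every Azure AD
# tenant the signed-in account can reach, using the ARM REST API.
# Assumes Connect-AzureRmAccount has already run in this session.

$rmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$rmClient  = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($rmProfile)
$arm       = 'https://management.azure.com'
$api       = 'api-version=2016-06-01'

function Get-ArmBearerHeader([string]$TenantId) {
    # Each tenant needs its own token: the 'tid' claim pins the token to one
    # directory, and ARM will not return another directory's subscriptions for it.
    $token = $rmClient.AcquireAccessToken($TenantId)
    return @{ Authorization = "Bearer $($token.AccessToken)" }
}

# Step 1: which tenants can this account see at all? /tenants accepts a token
# for any tenant the account belongs to, so the current context's tenant works.
$ctx     = Get-AzureRmContext
$tenants = (Invoke-RestMethod -Uri "$arm/tenants?$api" `
                -Headers (Get-ArmBearerHeader $ctx.Tenant.Id)).value

# Step 2: for each tenant, get a tenant-scoped token and list its subscriptions.
$all = foreach ($t in $tenants) {
    $headers = Get-ArmBearerHeader $t.tenantId
    $subs = (Invoke-RestMethod -Uri "$arm/subscriptions?$api" -Headers $headers).value
    foreach ($s in $subs) {
        [pscustomobject]@{
            TenantId       = $t.tenantId
            SubscriptionId = $s.subscriptionId
            DisplayName    = $s.displayName
            State          = $s.state
        }
    }
}

$all | Format-Table -AutoSize
"Total: $($all.Count)"   # compare with (Get-AzureRmSubscription).Count
```

To query one specific directory instead, call Get-ArmBearerHeader with that directory's tenant ID and hit /subscriptions once. Note that AcquireAccessToken may prompt interactively for a tenant that has no cached token yet, which is expected: there is no single token that spans directories, and a token for one tenant should never be replayed at another.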





Active directory Application Permissions Config


Let me explain my situation.

I have one API app and two consumers in AD.

One consumer has permission for the API app, but the other does not.

But when I try to call it, both clients are able to call the API app.

I am calling the API app using APIM, and for calling the API I am using Postman.

I am using this as reference:

https://docs.microsoft.com/en-us/azure/app-service/app-service-mobile-how-to-configure-active-directory-authentication
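Editor's note with an added example (not from the post). The built-in App Service authentication referenced above only validates the token's issuer and audience; it does not look at who the caller is. Until the API either requires role assignment or checks the roles claim itself, any client in the directory that asks Azure AD for a token with the API's audience gets one and can call the API, which matches what the poster observes. The script below, using the AzureAD PowerShell module with hypothetical app IDs and a hypothetical role name, defines an application role on the API, makes assignment mandatory so Azure AD refuses tokens to unassigned service principals, and assigns the role to only the permitted consumer.

```powershell
# Added example (not from the post): make Azure AD refuse tokens for the API
# to every client that has not been assigned an application role.
# Requires the AzureAD module; Connect-AzureAD must already have run.
# All GUIDs and the role name below are hypothetical placeholders.

$apiAppId           = '11111111-1111-1111-1111-111111111111'  # the API app registration
$allowedClientAppId = '22222222-2222-2222-2222-222222222222'  # the consumer that may call it
$roleName           = 'Api.Invoke'

$apiApp   = Get-AzureADApplication      -Filter "appId eq '$apiAppId'"
$apiSp    = Get-AzureADServicePrincipal -Filter "appId eq '$apiAppId'"
$clientSp = Get-AzureADServicePrincipal -Filter "appId eq '$allowedClientAppId'"

# 1. Define an application role on the API. AllowedMemberTypes = Application
#    means it is granted to service principals (client-credentials callers),
#    not to users.
$role = New-Object Microsoft.Open.AzureAD.Model.AppRole
$role.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$role.AllowedMemberTypes.Add('Application')
$role.DisplayName = $roleName
$role.Value       = $roleName
$role.Id          = [guid]::NewGuid()
$role.IsEnabled   = $true
$role.Description = 'Allows an assigned daemon or APIM backend to call this API'

$roles = $apiApp.AppRoles
$roles.Add($role)
Set-AzureADApplication -ObjectId $apiApp.ObjectId -AppRoles $roles

# 2. Require assignment. Without this flag Azure AD issues a role-less token to
#    any service principal in the tenant that requests the API's audience.
Set-AzureADServicePrincipal -ObjectId $apiSp.ObjectId -AppRoleAssignmentRequired $true

# 3. Grant the role to the one consumer that should have access.
New-AzureADServiceAppRoleAssignment -ObjectId $clientSp.ObjectId `
    -PrincipalId $clientSp.ObjectId -ResourceId $apiSp.ObjectId -Id $role.Id

# 4. Verify: only the allowed consumer should be listed against the API.
Get-AzureADServiceAppRoleAssignment -ObjectId $apiSp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType, Id
```

After this, the second consumer's token request fails at Azure AD rather than reaching the API, and the permitted consumer's token carries roles: ["Api.Invoke"]. The API (or the APIM validate-jwt policy in front of it, via its required-claims element) should still check that claim, so that a misconfigured flag does not silently reopen access.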

Conditional Access MFA for Azure Management is also catching Powerapps


Hi all,

We've set up a conditional access rule to force MFA for access to "Microsoft Azure Management" (i.e. Azure portal + PowerShell); however, we find that this rule also catches and forces MFA for "web.powerapps.com".

Does anyone have an insight into this behaviour and whether there is a workaround?

I've tried putting "Microsoft Powerapps" as an exception but it doesn't work.

Support ticket is in but I have more confidence in the collective wisdom here.

Thanks,
Ben

Let no-GUI app access to only a single mailbox


Hi there

We have developed a daemon service in Azure Functions that has no GUI or user interaction. Currently the app uses client credential flow and has application permissions Mail.ReadWrite.All for graph.microsoft.com (read/write all users mailboxes). The permission has been granted by a global admin and everything works as expected.

However, we don't really want the app to have full access to all mailboxes since it is only supposed to monitor a single (shared) mailbox.

Is it, in some way, possible to restrict the access without requiring someone to login as the shared mailbox user?
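Editor's note with an added example (not from the post). Graph application permissions such as Mail.ReadWrite.All are tenant-wide by design; the scoping mechanism for exactly this case is an Exchange Online application access policy, which limits a given app ID to the mailboxes in a mail-enabled security group without anyone signing in as the shared mailbox. The script below uses the ExchangeOnlineManagement module; the app ID, the mailbox and the group address are hypothetical placeholders.

```powershell
# Added example (not from the post): restrict a daemon app that holds
# Mail.ReadWrite.All to a single shared mailbox with an Exchange Online
# application access policy. Requires the ExchangeOnlineManagement module.
# The app ID and the addresses below are hypothetical placeholders.

Connect-ExchangeOnline

$appId         = '33333333-3333-3333-3333-333333333333'   # the Azure Function's app registration
$sharedMailbox = 'monitoring@contoso.example'
$scopeGroup    = 'appscope-monitoring@contoso.example'    # mail-enabled security group

# The policy is scoped with a mail-enabled security group rather than the
# mailbox itself; the shared mailbox is the group's only member.
New-DistributionGroup -Name 'AppScope-Monitoring' -Type Security `
    -PrimarySmtpAddress $scopeGroup -Members $sharedMailbox

# RestrictAccess: the app may exercise its Graph permissions only against
# mailboxes in the group; every other mailbox answers 403 even though the
# admin consent is for *.All.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit the mailbox monitor function to the shared mailbox'

# Verify: Granted for the shared mailbox, Denied for everyone else.
Test-ApplicationAccessPolicy -AppId $appId -Identity $sharedMailbox
Test-ApplicationAccessPolicy -AppId $appId -Identity 'someone.else@contoso.example'
```

The policy is enforced by Exchange, not by Azure AD, so the token the function receives still lists Mail.ReadWrite.All; the Test-ApplicationAccessPolicy output is the place to confirm the effective scope. Allow some time for a new policy to propagate before testing.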

Allowing bespoke applications to work on Azure AD joined Windows 10 devices


Hi,

We are having a technical challenge when using one of our vendor-managed custom applications after logging onto Windows 10 devices which are Azure AD joined.

The application is installed on the Windows 10 client, and the authentication/operations carried out on the application are through VPN to a server hosted in a server farm. The application doesn't use any type of OAuth2 process and access is validated by sending the login information typed in the login screen through VPN.

Therefore, when I access the application it returns Error connecting (1312), which I suspect is talking about "a specified logon session doesn't exist". Technically speaking, we don't want the application to be linked to Azure AD as the app permissions are maintained in its own database on the server.

It feels like a moot point for Azure AD joined devices, as I ended up setting some other laptop as Azure AD Registered, which meant that I would create a local administrator account and simply register with Azure AD under the Work or School options. This is not ideal because it doesn't give us complete control over the organisation's devices (these Windows 10 devices are not BYOD).

Is there any way to get around this problem without changing the application's architecture, as that would mean additional cost for us for little benefit (as we don't own the application)? I am not sure if we are missing something about this setup either.

So please feel free to point me to all your suggestions/questions.

Thank you


Unlock accounts in Azure Active Directory Domain Services


I've just set up Azure Active Directory Domain Services and noticed that accounts get locked out after 5 failed attempts even though the default domain group policy lockout threshold is set to 0.  I'm also not able to unlock user accounts when logged in as a member of the AAD DC Administrators group.

Is there a way to modify the lockout threshold and to unlock accounts?
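Editor's note with an added example (not from the post). In a managed domain, the lockout values that apply come from a fine-grained password policy (PSO) rather than the Default Domain Policy GPO, which is why the GPO can show a threshold of 0 while accounts still lock after 5 failures. The script below, run from a domain-joined VM with the RSAT AD PowerShell module as a member of AAD DC Administrators, shows the policy that is actually in effect for a user, creates a higher-priority PSO with different lockout values, and lists and unlocks locked accounts with the standard AD cmdlets. The policy name, the lockout values and the target group are assumptions; pick the group in your managed domain that holds the users the policy should cover.

```powershell
# Added example (not from the post): inspect and override lockout settings in
# an Azure AD Domain Services managed domain with a fine-grained password
# policy. Run on a domain-joined VM with RSAT AD PowerShell, as a member of
# 'AAD DC Administrators'. Policy name, values and target group are assumed.

Import-Module ActiveDirectory

# 1. Which policy actually wins for a given user, and which PSOs exist.
#    The Default Domain Policy GPO is not what applies here.
Get-ADUserResultantPasswordPolicy -Identity 'alice'
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, LockoutObservationWindow, LockoutDuration

# 2. Create a PSO with a lower precedence number (= higher priority) and the
#    lockout behaviour you want, then apply it to the group that holds the
#    users it should govern ($targetGroup is an assumed name).
$targetGroup = 'AAD DC Users'
New-ADFineGrainedPasswordPolicy -Name 'CustomLockoutPSO' -Precedence 1 `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 2) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90)

Add-ADFineGrainedPasswordPolicySubject -Identity 'CustomLockoutPSO' -Subjects $targetGroup

# 3. Find currently locked-out accounts and unlock them.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut
Search-ADAccount -LockedOut | Unlock-ADAccount

# Re-check the resultant policy for a user in the group.
Get-ADUserResultantPasswordPolicy -Identity 'alice'
```

A threshold of 0 (never lock) is what the GPO shows, but disabling lockout entirely is not a good trade for a domain reachable over a network, since it removes the only brake on online password guessing; raise the threshold or shorten the duration instead.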

[tenant_name].b2clogin.com throws 404 errors


NOTE: I am filing this as requested by Azure Support (Twitter).

I have been following the tutorial documentation at:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/ 

And trying out the Azure AD B2C feature using the samples and walkthroughs there. However, when as indicated by the document:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/b2clogin 

I try to replace the URI "login.microsoftonline.com" with "[tenant_name].b2clogin.com", the requests fail with 404 errors. (PS: Requests as in, I am trying to access these using the web browser.)

For example, to retrieve the sign-in policy configuration, the documentation says, the URI:

https://[tenant_name].b2clogin.com/[tenant_name].onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in

provides the information. However, this throws a 404 for me. BUT... I can use the old URI just fine:

https://login.microsoftonline.com/[tenant_name].onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in

Regards,

Sujay


Sujay Sarma {Unbounded;} Blog: http://blog.sujay.sarma.in


Allow users to pick their own self service password reset answers


Hello,

Is it possible to allow end users to pick their own Azure self service password reset answers in Azure?

I know an admin can create custom questions, but I haven't seen anything which allows an end user to specify their own.

Thanks

unable to connect to Azure AD


How do I connect to Azure AD with MFA enabled? We are using an Exchange hybrid environment. We enabled MFA a few days back.

When I log in to the Windows Azure Active Directory Module for Windows PowerShell and use the below syntax

Connect-MsolService

Connect-MsolService : This account is blocked. Contact your Tenant administrator.
At line:1 char:1
+ Connect-MsolService
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : 0x80048823,Microsoft.Online.Administration.Automation.ConnectMsolService

------------------------------------------------

I have even connected to Exchange Online using MFA and typed the command Connect-MsolService, and I am getting the same error.

Experts, help me.

Unable to load adalsql.dll C# Custom Activity. adalsql 64x + .system.data 86x


Hello,

I'm working on deploying a custom activity to Azure.

It's a C# script that writes to Azure Sql Database.

At this point, it runs fine on my machine. 

When I deploy I get an "Unable to load adalsql.dll" Error.

I've been researching like a mad man, and currently I know that:

  • My System.Data.dll is x86 version
  • My adalsql.dll version is x64 version

I tried uninstalling the Microsoft Active Directory Authentication library and reinstalling it again from the link provided in the error.

I tried both the x64 and the x86.

My best guess is that the adalsql.dll isn't getting loaded into the project??

My understanding is they're found in the following file paths:

C:\Windows\SysWOW64\adalsql.dll
C:\Windows\System32\adalsql.dll

I can't seem to add these as references to the project.

Any guidance appreciated.

Azure information protection


Hi Experts

I have to apply AIP on our environment. I have Exchange Online that has all users.

Is there any need to apply something on the Exchange Online side? Or just do the configuration in the Azure portal that has AIP?

For example, if I need to apply classification, label and protection for some users on Exchange Online, like reply, print and forward,

Is there any need to apply anything on Exchange Online?

Regards

Every FSMO role in AZure


Hello

I have DCs on-premises and DCs in Azure. Every FSMO role is located on-premises. I would like to move every FSMO role to the Azure DCs but I am not sure if I can do that.

Following this link: https://docs.microsoft.com/es-es/azure/architecture/reference-architectures/identity/adds-extend-domain

We can read:

We recommend you do not assign operations masters roles to the domain controllers deployed in Azure.

It only says "recommend" and does not say "don't do it", and there is no explanation of why it is not recommended. Can any Microsoft guy please provide me with an answer? Can I move my roles to Azure or not? Also, why is it not recommended?

Thanks a lot in advance

Regards




Senior Software QA Engineer


We are trying to provision users from Azure AD to our system via SCIM. When setting up the connection according to your online doc, we got stuck at step 8. After clicking Test Connection, the requests sent to our system are:

/scim/Groups/5a3cbc2e-991a-43f0-9cc4-81c9b54bf661?excludedAttributes=members

/scim/Users/5a3cbc2e-991a-43f0-9cc4-81c9b54bf661

Since the groupID (5a3cbc2e-991a-43f0-9cc4-81c9b54bf661?excludedAttributes) and userID (5a3cbc2e-991a-43f0-9cc4-81c9b54bf661) sent in the connection requests do not exist in our system, we return 404 for the group and 400 for the user.

If the requests are sent without the groupID and userID, we will return 200 OK.

Please advise how should we resolve this issue!

Thank you,

Wei Li

Azure SSO integration with ServiceNow


Hi,

I have integrated Azure SSO with ServiceNow but I am unable to open ServiceNow directly; it again asks me to re-authenticate with credentials. I am guessing the problem might be with the user attributes. I am not sure how Azure SSO is communicating with the ServiceNow user table. If it is using any web services for that, how can I alter the attributes?

Is there anyone out there who has already implemented Azure SSO with ServiceNow? I am looking for a solution to this.

Thanks in advance


ADFS to Password Sync + Seamless SSO or Pass-through Authentication(PTA) + Seamless SSO


Hello All,

I'm evaluating migrating our on-premises ADFS infrastructure to Password Sync + Seamless SSO or Pass-through Authentication + Seamless SSO.

I have to make a choice and I'm more in favour of Pass-through Authentication + SSO.

I'm not sure if Password Sync + Seamless SSO is a solution I need to consider; I believe Password Sync + Seamless SSO is more of a backup solution.

I've read a lot but still can't make up my mind, hence I'm looking for suggestions on whether or not to consider Password Sync + Seamless SSO as a replacement for on-premises ADFS.

Any help will be appreciated.

Regards,

T


Azure Workplace Join on Ubuntu Device


Hi all,

I have this Ubuntu device and I am looking for a way to perform workplace join and add it to my company Azure AD. I was looking online, but most of the articles are related to creating Linux VMs on Azure.

So again, I need a way to join Ubuntu hardware to Azure AD.

Conditional access not prompting users for MFA

Hi,

Hoping someone has seen this and can point me in the right direction.

We have a couple of conditional access policies set up in AAD: one that blocks users that aren't on a trusted site and another that allows users access from untrusted locations if MFA is applied. Users are assigned one policy or the other, not both. The block policy works fine, but the MFA policy allows the user to connect regardless of location.

The What IF tool shows the users getting the policy correctly based on IP:

Windows10_Allow_Untrusted_MFA
Require multi-factor authentication

And according to the sign-in log, MFA was required and done; the result says:

  • USER: Kathryn Janeway
  • USERNAME: kat.janeway@blahblahblah.com
  • APPLICATION ID: 00000006-0000-0ff1-ce00-000000000000
  • APPLICATION: Microsoft Office 365 Portal
  • CLIENT: ;Windows 10;Edge 16.1629;
  • LOCATION: Somewhere
  • IP ADDRESS: ::Untrusted IP::
  • DATE: 5/17/2018, 8:44:37 AM
  • MFA REQUIRED: Yes
  • MFA AUTH METHOD: (empty)
  • MFA AUTH DETAIL: (empty)
  • MFA RESULT: MFA requirement satisfied by claim in the token
  • SIGN-IN STATUS: Success

I'm obviously missing something, but we need the users to be prompted for MFA every time they sign in when not on one of our sites.

IDX10511: Signature validation failed. Keys tried: '[PII is hidden]'. kid: '[PII is hidden]'.


Hi, I get the above error on my Azure 365 authentication. It works on my development machine, but after moving to the server it doesn't work. I installed 4.7.2 (version) on a Windows 2008 R2 server. Can anyone solve this?

Thanks a lot.

Holy
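Editor's note with an added example (not from the post). IDX10511 means the validator had a set of signing keys and none of them carried the kid named in the token header, or that it could not fetch a usable key set at all. The two things to check from the failing server are therefore whether it can reach the OpenID metadata and JWKS endpoints for the authority the app is configured with, and whether that key set contains the token's kid. The script below reproduces that lookup in PowerShell; the token and authority are placeholders to be pasted from the failing app, and the TLS line is there because a .NET client on Windows Server 2008 R2 may not negotiate TLS 1.2 by default, which would leave the validator with no keys to try.

```powershell
# Added example (not from the post): reproduce the key lookup behind IDX10511
# from the server that fails. Token and authority are placeholders.

# Rule out a transport problem first: on Windows Server 2008 R2 a .NET client
# may not offer TLS 1.2 unless told to, and then the metadata fetch fails.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function ConvertFrom-Base64Url([string]$s) {
    # JWT segments are base64url without padding; restore both before decoding.
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-JwtKidAgainstAuthority([string]$Jwt, [string]$Authority) {
    $parts  = $Jwt.Split('.')
    $header = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Use the metadata for the SAME authority (tenant and v1.0/v2.0 path) the
    # app validates against; a different authority yields a different issuer
    # and may yield a key set that never contains this kid.
    $meta = Invoke-RestMethod -Uri "$Authority/.well-known/openid-configuration"
    $jwks = Invoke-RestMethod -Uri $meta.jwks_uri

    [pscustomobject]@{
        TokenKid    = $header.kid
        TokenIssuer = $claims.iss
        MetadataIss = $meta.issuer
        KeysFetched = $jwks.keys.Count
        KidFound    = [bool]($jwks.keys | Where-Object { $_.kid -eq $header.kid })
    }
}

# Usage (placeholders): paste the rejected token and the authority from the
# app's configuration, e.g. https://login.microsoftonline.com/<tenant-id>
# or https://login.microsoftonline.com/<tenant-id>/v2.0
Test-JwtKidAgainstAuthority -Jwt '<paste.rejected.token>' `
    -Authority 'https://login.microsoftonline.com/<tenant-id>'
```

If KeysFetched is 0 or the metadata call throws, the server-side problem is reachability (proxy, TLS, firewall) rather than the token. If keys come back but KidFound is false, compare TokenIssuer with MetadataIss: a token from one authority being validated against another's key set is the usual cause, and the fix is in the app's authority configuration, not in the token.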


Connect company-owned PC to Azure AD Domain Services


I am new to Azure. Forgive me if my question is already answered

Overview
Our company does not have any on-premises infrastructure and we would like to manage company-owned devices through a cloud solution.
we have settled on Azure platform and are tenants through Office 365 subscription.

What we have achieved so far
We have been following available documentation on how to set up virtual network, V.M. and domain services. Our V.M. is joined to the domain and we are able to see users who are in the Azure Active directory using ADAC. There are no viewable computers because none is joined to the domain.
We are currently stuck on this guide:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-ldaps-configure-dns

We don't know how to update this entry.
 

What we would like to achieve
After this step is completed, we would like to join user PCs to the managed domain.

What we would like to know
For us to connect user PCs, do they need to be on the same network as the V.M. and Domain Services (this would mean connecting through VPN)?
