Hi all,
When I tried to launch AAD Connect Synchronization Service, I getting the below error:
Understand that I need to add my domain admin ID to local group "adsyncadmins", but my AAD Connect is installed on Domain Controller, Domain controller didn't come with Local User and Group.
I tried to run the below command, but still failed too.
net localgroup adsyncadmins /add domain\user
Appreciate if someone can help me on the issue, thanks!
Regards,
CheeWai
Since yesterday some of our SAML configurations in Azure AD for our Enterprise Apps have started misbehaving.
Everything looks correct but the Reply URL being used is an old one. i.e. it used to be the configured Reply URL - but we changed it at some point (usually as part of the configuration process) and it's been working fine ever since.
Now, the old reply URL is being used in SAML Responses. You can't see this from the Azure Portal UI (still shows the correct Reply URL) - but changing the URL to something wrong, saving it, and then changing it back to the right value and saving it resolves the problem.
Crazy - huh?!
This has caused loss of access to production systems for our users.
- Matt Symes
the link in the article is not found:
Azure AD Connect sync: Attributes synchronized to Azure Active Directory (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-attributes-synchronized/)
Thanks, Bruce
***Note I originally tried to submit with embedded images and links to help explain but cannot until my account is verified***
Hi,
I am trying to deploy Azure Information Protection Scanner on a Windows Server 2016 VM following the instructions here:
https://docs.microsoft.com/en-us/azure/information-protectiondeploy-aip-scanner
I have completed the Pre-Requisites and Install the scannersections and the Azure Information Protection Scanner service is running with an AD account that is synced to Azure AD and has logon locally rights as a local administrator on the VM.
I am now trying to complete the Get an Azure AD token for the scanner section.
I have created the 2 Azure applications that the above guide describes, noted the details and then tried to run the following PowerShell command to acquire an Azure AD token:
Set-AIPAuthentication -webAppId "<The ID of my Web app / API app>" -webAppKey" <The Key value generated by my Web app / API app>" -nativeAppId "<The ID of my Native app>"
When prompted I then enter Azure AD credentials for the service account. These are accepted and I see the following in the Sign in to your account popup:
===============================
Permissions requested
AIPClient
This app would like to
- Access AIPOnBehalfOf (AIPOnBehalfOf)
- Sign you in and read your profile
CANCEL | ACCEPT
===============================
I click on accept and then see the following PowerShell error:
Set-AIPAuthentication : Error acquiring token At line:1 char:1+ Set-AIPAuthentication -webAppId "I have removed the value in here ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : AuthenticationError: (:) [Set-AIPAuthentication], PowershellException+ FullyQualifiedErrorId : Microsoft.InformationProtection.Powershell.AIP.Commandlets.SetAIPAuthenticationCmdLet
The MSIPPowershell.iplog shows the following errors:
Error 2018-11-14 15:14:31.4437 MSIP.ServiceClient powershell (4996) Failed to bootstrap to azure rights management service server https://b69c1d0c-2d7f-47d9-a438-410f53dcdd38.rms.eu.aadrm.com/_wmcs/licensing "System.Threading.ThreadPoolWorkQueue.Dispatch System.Threading.Tasks.Task.ExecuteEntry System.Threading.Tasks.Task.ExecuteWithThreadLocal System.Threading.Tasks.Task.Finish System.Threading.Tasks.Task.FinishContinuations System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction System.Runtime.CompilerServices.AsyncMethodBuilderCore+MoveNextRunner.Run System.Threading.ExecutionContext.Run System.Threading.ExecutionContext.RunInternal Microsoft.InformationProtection.ServiceClient.Bootstrapping.Bootstrapper+<BootstrapAzureRMS>d__66.MoveNext" "Microsoft.InformationProtectionAndControl.InformationProtectionException: The request is not supported. HRESULT: 0x80070032 at Microsoft.InformationProtectionAndControl.SafeNativeMethods.ThrowOnErrorCode(Int32 hrError) at Microsoft.InformationProtectionAndControl.SafeNativeMethods.IpcGetTemplateList(ConnectionInfo connectionInfo, Boolean suppressUI, Boolean offline, Boolean hasUserConsent, IntPtr parentWindow, CultureInfo cultureInfo, GetTemplateListFlags flags, Object credentialType, WaitHandle cancelCurrentOperation) at Microsoft.InformationProtection.RMS.MSIPC.Msipc.GetTemplateList(ConnectionInfo connectionInfo, Boolean forceDownload, Boolean suppressUI, Boolean offline, IntPtr parentWindow, CultureInfo cultureInfo, Object credentialType, CancellationToken cancellationToken) at Microsoft.InformationProtection.RMS.MSIPC.RightsPolicyTemplate.GetAll(ConnectionInfo connectionInfo, Boolean forceDownload, Boolean suppressUI, Boolean offline, IntPtr parentWindow, Object credentialType, CancellationToken cancellationToken) at Microsoft.InformationProtection.ServiceClient.Bootstrapping.Bootstrapper.ListTemplates(ConnectionPoint connectionPoint, Boolean silent, Boolean forceDownloadTemplates, String oauth2AccessToken, IntPtr parentWindow, CancellationToken cancellationToken) at Microsoft.InformationProtection.ServiceClient.Bootstrapping.Bootstrapper.<>c__DisplayClass68_0.<BootstrapRMS>b__0() at System.Threading.Tasks.Task.Execute() --- End of stack trace from previous location where exception was thrown ---
...and:
Error 2018-11-14 15:14:31.4594 AIP powershell (4996) Error acquiring token "System.Management.Automation.Interpreter.Interpreter.Run System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run System.Management.Automation.Interpreter.ActionCallInstruction`6.Run System.Management.Automation.PipelineOps.InvokePipeline System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate System.Management.Automation.CommandProcessorBase.DoExecute System.Management.Automation.CommandProcessor.ProcessRecord Microsoft.InformationProtection.Powershell.AIP.Commandlets.SetAIPAuthenticationCmdLet.ProcessRecord Microsoft.InformationProtection.Powershell.AIP.Commandlets.AIPBaseCmdlet.HandleTerminatingException" "Microsoft.InformationProtectionAndControl.InformationProtectionException: The request is not supported. HRESULT: 0x80070032 at Microsoft.InformationProtection.Powershell.AIP.Commandlets.SetAIPAuthenticationCmdLet.ProcessRecord()" DS\svc-aip-scanner 10
Can you advise are there further steps that are required to acquire the Azure AD token for the AIP scanner?
I can provide screenshots and links if you are able to verify my account.
Kind regards,
Gareth
Has anyone switch to full Azure AD and got rid of local AD?
What's your experience like, implementation and user experience wise?
Thank you,
Wasabi.z
I setup condition access to block all countries except my given ones in AAD. everything seems work as expected. But, soon later, all our mobile phone's users got message mentioned their device has been blocked or quarantined to access server... etc. So I went to Exchange online portal, Mobile , Mobile device access, Quarantined Devices. They are all listed as quarantined devices. I tried to approved them. but no luck.
Called MS support, they instruct me to install Outlook for mobile. and it worked. but the built-in email app for iPhone or Android were left over and no access any more.
It's ok to use Outlook for mobile for emails but it doesn't sync the built-in calendar and contact. Any idea or solution?
Thanks.
Cliff
CliffZ
I am working on a feasibility study to switch over to Azure AD in the company I am working with :
- number of users about 500
- All user accounts are synced with Azure AD
-All mailboxes are migrated to Exchange Online.
-We have web-based and local applications
I know that Azure AD is not designed to replace the on-prem <g class="gr_ gr_739 gr-alert gr_gramm gr_inline_cards gr_run_anim Style multiReplace" data-gr-id="739" id="739">AD .</g> But can someone please direct me to a path that can give me more details about the possibility to use Azure AD instead of on-prem?
Thank you!
Hi,
I have an on-premise SharePoint 2016 farm which I have setup for Azure App Proxy following the MS instructions. This works absolutely fine except links to user profiles don't work, as they are in the OneDrive web application.
Effectively, I have docs.xyz.com (published as docs.msappproxy.net) as my main sharepoint site collection, and onedrive.xyz.com (published as onedrive.msappproxy.net as the user onedrive web app. When accessing via docs.msappproxy.net, if I click on a user's name it tries to take me to onedrive.msappproxy.net and times out.
Is there a way of getting this to work.
Bonus Point - is it possible to publish an app as docs.msappproxy.net/sites/docsX, and still be able to navigate to the root site collection?
Thanks
V
I setup conditional access to block all countries except my given ones in AAD. everything seems work as expected. But, soon later, all our mobile phone's users got message mentioned their device has been blocked or quarantined to access server... etc. So I went to Exchange online portal, Mobile , Mobile device access, Quarantined Devices. They are all listed as quarantined devices. I tried to approved them. but no luck.
Called MS support, they instruct me to install Outlook for mobile. and it worked. but the built-in email app for iPhone or Android were left over and no access any more.
It's ok to use Outlook for mobile for emails but it doesn't sync the built-in calendar and contact. Any idea or solution?
Thanks.
Cliff
CliffZ
I can't manage to permanetly delete a user from Azure AD.
For example. We have added a user with email: test@täst.com.
We don't want to use this account with swedish char ä. Then i try to add test@tast.com wich is the correct address. Thats not possible cuz the account already exists. I assume that our "ä" being parsed as "a". And we can't verify and login
with test@tast.com
For that reason i would like to delete test@täst.com and then add test@tast.com.
I follow these steps to permanently delete a user. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-restore
It's then gone from the UI.
But if i then add test@tast.com it still says the account already exists.
How do a really delete that user?
/Fredrik
Hello.
I used this tutorial to learn about Microsoft authentication (Add sign-in with Microsoft to an ASP.NET web app)
https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp
Worked fine and I was able to see my user's claims.
If I was logging in with an account that originated from an on-premise AD exposed through Azure AD Domain Services, would the Payload Claims objectidentifier value be the same as the on premise AD objectGUID property value?
Regards,
Francisco
Hi,
We are using Azure AD and Azure AD DS (without on-prem).
We've got a problem with password synchronizations. Sometimes it's quick, sometimes it takes up to 3 hours to sync from Azure AD to Azure AD DS.
Of course, we can't change sync time or make manual sync, but there is a question.
Is there are any options which we can try to speed-up process?
I'm sorry for the chosen Forum category, it was the most close to my question.
Thanks!
1
I registered a bot using Bot Channels Registration on Azure portal. I then generated a password for the bot. Now my requirement is to update this password programmatically.
I tried removing the password using Remove-AzureRmADAppCredential powershell api and also using Azure Active Directory Graph API. In the both the approaches I get the same error.
Updates to converged applications are not allowed in this version
I learnt that my app is registered as converged application and above apis cannot be used. But alternatively, I could not find how can I update the bot app password? Can somebody please help me with this.
What is recommended approach of updating Bot App Secrets programmatically?
Someone saw the following validation message (ex. "https://something.com/*" ) while manually configuring a Redirect URI (reply URL), but I have not been able to find documentation on it. Everything I do find says wildcards are valid.
"Does not contain wildcard characters"
I was told this is Azure Commercial with previews enabled. Any idea? Please advise.
https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Authentication/appId/7b47a8de-3e7c-4d68-87aa-846d0414e86c/objectId/3b9f5e93-4cc0-4694-aa81-aace81af44d2/isMSAApp/
Hi,
I am successful creating a local account on Azure AD B2C by api https://graph.windows.net/myorganization/users?api-version
But I am failed to log on my app(registered on the Azure AD) with created local account by following url, it give error "user name or password is incorrect" while I am sure the credentials are correct.
https://login.microsoftonline.com/[my tenant]/oauth2/v2.0/authorize?client_id=[my client id]&response_type=code&redirect_uri=[redirect url]&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345
Hello, we have a problem with inviting guest users to Azure AD, namely, they receive the invitation link but they got an error when they click it. The error on webpage says :
"Redeeming of invitation failed. An error has occurred. Please retry again shortly"
We have tried couple times with different users. The "source filed" in the user profile in Azure says "user invited.
Here's data from the last invitation redemption try :
Timestamp:2018-06-19 13:12:19Z
Thanks.
Hi, how do you hide an Azure AD user from address lists via Microsoft Graph API?
I am working on a project to manage Azure AD user objects via Microsoft Graph API. Development starts well and the user attributes and licenses can be updated rather easily.
However, we hit a problem when we try to hide the user from address book. We used to do that by setting the "msExchHideFromAddressList" in on-prem active directory and let Azure AD Connect to sync that attribute to Azure AD. But we couldn't find relevant attributes from the Microsoft Graph API reference:
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/user
Is it possible to hide user from address list via Microsoft Graph API? Any pointers would be very useful. Thanks a lot!
Hi all,
We've setup a conditional access rule to force MFA for access to "Microsoft Azure Management" (i.e. azure portal + powershell), however we find that this rule also catches and forces MFA for "web.powerapps.com".
Does anyone have an insight into this behaviour and whether there is a workaround?
I've tried putting "Microsoft Powerapps" as an exception but it doesn't work.
Support ticket is in but I have more confidence in the collective wisdom here.
Thanks,
Ben
Hi,
After disabling dirsync on my E3 dev tenant. Users that where synced from my ActiveDirectory are still different then users created in the cloud.
The problem is that local policys are not applied on the local machine. (gpedit.msc) for the users that where synced to AzureAD.
Current setup.
Office365 E3 dev AzureAD free
Windows 10 AAD Joined devices. (Fresh install) full cloudbased no servers only Windows 10 and AzureAD)
net config rdr shows AzureAD as the LOGON SERVER for the users that are created in the cloud, for users that where synced to Azure it still shows the OLD AD AS LOGON SERVER
I already talked many hours with Microsoft Tech Support. I replicated the issue on an developer E3 tenant, but microsoft is closing my incident. (117071716047589)
WORKING USER LOG
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. Alle rechten voorbehouden.
C:\Users\TESTUSER>hostname
PP17
C:\Users\TESTUSER>set u
USERDOMAIN=AzureAD
USERDOMAIN_ROAMINGPROFILE=AzureAD
USERNAME=TESTUSER
USERPROFILE=C:\Users\TESTUSER
C:\Users\TESTUSER>set l
LOCALAPPDATA=C:\Users\TESTUSER\AppData\Local
LOGONSERVER=\\PP17
C:\Users\TESTUSER>net config rdr
Computernaam \\PP17
Volledige computernaam PP17
Gebruikersnaam TESTUSER@xxxxxxxxx.nl
Werkstation actief op
NetBT_Tcpip_{9C8B964B-2BCE-4D73-B293-14C7D51CE644} (00155D015514)
Softwareversie Windows 10 Enterprise 2016 LTSB
Werkstationdomein WORKGROUP
Aanmeldingsdomein AzureAD
Time-out voor openen van COM (sec) 0
Aantal verzonden bytes 16
Time-out voor verzenden van COM (msec) 250
De opdracht is voltooid.
SYNCED USER NON WORKING USER
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. Alle rechten voorbehouden.
C:\Users\Harry>hostname
PP17
C:\Users\Harry>set u
USERDNSDOMAIN=OLDSERVERNAME.nl
USERDOMAIN=OLDSERVERNAME
USERDOMAIN_ROAMINGPROFILE=OLDSERVERNAME
USERNAME=Harry
USERPROFILE=C:\Users\Harry
C:\Users\Harry>set l
LOCALAPPDATA=C:\Users\Harry\AppData\Local
LOGONSERVER=\\PP17
C:\Users\Harry>net config rdr
Computernaam \\PP17
Volledige computernaam PP17
Gebruikersnaam Harry
Werkstation actief op
NetBT_Tcpip_{9C8B964B-2BCE-4D73-B293-14C7D51CE644} (00155D015514)
Softwareversie Windows 10 Enterprise 2016 LTSB
Werkstationdomein WORKGROUP
Aanmeldingsdomein OLDSERVERNAME
Time-out voor openen van COM (sec) 0
Aantal verzonden bytes 16
Time-out voor verzenden van COM (msec) 250
De opdracht is voltooid.
C:\Users\Harry>