Channel: Azure Active Directory forum

Hybrid Azure AD device Join issue


Having enabled Hybrid Azure AD device join through the AD Connect Wizard (Seamless SSO and hash sync, no ADFS) and having deployed GPs I am seeing the following in the AAD event log

AAD Cloud AP plugin call Plugin initialize returned error: 0xC00484B2

Device is not cloud domain joined: 0xC00484B2

PS C:\Users\office365test1> dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

          AzureAdJoined : NO
       EnterpriseJoined : NO
               DeviceId : 602d02e8-e435-4c6c-bdee-affea1723aab
             Thumbprint : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
         KeyContainerId : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            KeyProvider : Microsoft Platform Crypto Provider
           TpmProtected : YES
           KeySignTest: : MUST Run elevated to test.
                    Idp : login.windows.net
               TenantId : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
             TenantName : My Tenant Name
            AuthCodeUrl : https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxx/oauth2/authorize
         AccessTokenUrl : https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/oauth2/token
                 MdmUrl : https://wip.mam.manage.microsoft.com/Enroll
              MdmTouUrl :
       MdmComplianceUrl :
            SettingsUrl : biglongstring
         JoinSrvVersion : 1.0
             JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
              JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
          KeySrvVersion : 1.0
              KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
               KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
     WebAuthNSrvVersion : 1.0
         WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/xxxxxxxxxxxxxxxxxxxxxxxx/
          WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
 DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/xxxxxxxxxxxxxxxxxxxxxxxxx/
  DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
           DomainJoined : YES
             DomainName : mydomain

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                 NgcSet : NO
        WorkplaceJoined : YES
      WorkplaceDeviceId : 602d02e8-xxxxxxxxxxxxxxxxxxxxxxxxxx
    WorkplaceThumbprint : xxxxxxxxxxxxxxxxxxxxxxxxxx
           WorkplaceIdp : login.windows.net
      WorkplaceTenantId : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    WorkplaceTenantName : my tenant name
        WorkplaceMdmUrl : https://wip.mam.manage.microsoft.com/Enroll
   WorkplaceSettingsUrl : biglongstring=
          WamDefaultSet : NO
             AzureAdPrt : NO
    AzureAdPrtAuthority : NO
          EnterprisePrt : NO
 EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

          IsUserAzureAD : NO
          PolicyEnabled : NO
         DeviceEligible : YES
     SessionIsNotRemote : YES
         CertEnrollment : none
      AadRecoveryNeeded : NO
           PreReqResult : WillNotProvision


Jimmy White, MCSE Consultant Gigasoft Ltd.


dfs replication error


There were two DCs before. One of them was dead a while back. So I deleted the dead one from AD and AD sites and services. But event viewer still generates the error saying 

I checked dfs replication and only one server exists. Does it mean that I should delete the existing one from dfs replication since it is the only DC there and nowhere to replicate to?

Please advise!

Thank you very much!

Azure AD Connect Sync Service fails to start


Hello,

I recently tested Azure AD Connect with my local test AD and it worked fine.

I removed the service after testing and now want to install it in my production AD.

The problem is I cannot install the Connect App, it always fails with this log entry:

[20:28:29.750] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[20:28:29.750] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[20:28:29.752] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[20:28:29.753] [  1] [INFO ] PersistAzureAffinity: Azure affinity was previously persisted as Worldwide (0).
[20:28:29.753] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteADSyncConfiguration in Page:"Die Konfiguration wird ausgeführt"
[20:28:29.753] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:1229742
[20:28:29.753] [ 12] [INFO ] PerformConfigurationPageViewModel.ExecuteADSyncConfiguration: Preparing to configure sync engine (WizardMode=ExpressInstall).
[20:28:29.753] [ 12] [INFO ] PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore: Preparing to install sync engine (WizardMode=ExpressInstall).
[20:28:29.753] [ 12] [INFO ] Starting Sync Engine installation
[20:28:29.799] [ 12] [INFO ] IsManagedServiceAccountSupported: OS > W2008R2
[20:28:29.799] [ 12] [INFO ] IsManagedServiceAccountSupported: True
[20:28:29.806] [ 12] [INFO ] ServiceControllerProvider: service ADSync exists
[20:28:29.806] [ 12] [INFO ] ServiceControllerProvider: processing StopService request for: ADSync
[20:28:29.806] [ 12] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[20:28:29.806] [ 12] [INFO ] ServiceControllerProvider: StopService status: Stopped
[20:28:29.806] [ 12] [INFO ] ServiceControllerProvider:DeleteService - serviceName:ADSync
[20:28:39.809] [ 12] [INFO ] ServiceControllerProvider: service ADSync exists
[20:28:39.809] [ 12] [INFO ] ServiceControllerProvider:DeleteService still pending - serviceName:ADSync
[20:28:44.810] [ 12] [INFO ] ServiceControllerProvider: service ADSync exists
[20:28:44.810] [ 12] [INFO ] ServiceControllerProvider:DeleteService still pending - serviceName:ADSync
[20:28:49.811] [ 12] [INFO ] ServiceControllerProvider: service ADSync exists
[20:28:49.811] [ 12] [INFO ] ServiceControllerProvider:DeleteService still pending - serviceName:ADSync
[20:28:49.811] [ 12] [ERROR] ServiceControllerProvider:DeleteService failed - serviceName:ADSync
[20:28:49.811] [ 12] [INFO ] ServiceControllerProvider:CreateService - serviceName:ADSync, username:NT SERVICE\ADSync, assemblyPath:C:\Program Files\Microsoft Azure Active Directory Connect\ADSyncBootstrap.exe
[20:28:49.814] [ 12] [ERROR] ServiceControllerProvider:CreateService - Caught unexpected exception. Details System.ComponentModel.Win32Exception (0x80004005): Der angegebene Dienst wurde zum Löschen markiert
   bei System.ServiceProcess.ServiceInstaller.Install(IDictionary stateSaver)
   bei Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.CreateService(String serviceName, String serviceDescription, String username, String password, String assemblyPath)
[20:28:52.114] [ 12] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Synchronization Service kann nicht installiert werden. Weitere Einzelheiten finden Sie im Ereignisprotokoll. ---> System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.RemoveMembersFromLocalGroup(SecurityIdentifier groupSid, DirectoryEntry[] members)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.<>c__DisplayClass53_0.<RemoveFromLocalAdministratorsGroup>b__0()
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   bei Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   bei Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   bei Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)
[20:29:19.676] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20181127-172606.log
[20:33:57.197] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20181127-172606.log

I guess there is something wrong because I had a Sync working before - but with another AD ?

I removed everything from Azure AD before I tried to sync the new local AD. At least everything that I could find.

How can I resolve this issue?

Thanks a lot.

Unable to authenticate MFA for an Admin


We enabled MFA requirement for our admin user on Azure AD. 2 users have successfully set up the authentication but the 3rd gets an error when attempting to create the security verification. I have reset the user's password and that did not resolve the issue. I have tried setting up authentication via text, call and the app. The call, when hitting # to confirm, says it was successful but I always get the same message on the webpage.

[B2C] Help me understand - Which policy (user flow) should my B2C-protected API server expect as the authority?


Hi folks,

This is my first time using AD (B2C) as the user authentication back-end in any of my projects. I'm brand new to the concepts and am trying to piece together my understanding of them. I'm using the Azure AD B2C server. I'm developing a set of applications that all will ultimately use B2C as the user authentication engine. I have an ASP.NET Core API server that exposes my back-end SQL data to end-users. I have a JavaScript React application that uses the B2C implicit workflow to authenticate and get tokens from. Last, I have a C# desktop application that uses the resource owner password credentials flow to obtain my B2C tokens.

So, as you can see, I have several different B2C applications of different types. I have a web app that can leverage the implicit interactive workflow. I have a desktop application that can leverage the ROPC workflow to get the tokens.

My confusion though is regarding my back-end API server and its own validation of the provided B2C bearer tokens from users.

It's my understanding that I need to configure my API server so that it requires a particular policy, as the authority, to have issued the token. That's simple enough - I currently just have it expect the interactive, default B2C-provided sign in policy.

My web application, the browser-based React application, can simply use that same sign in policy user flow and provide the access token to the API server and everything works because both have been granted tokens via the same policy.

My GUI application though does not use that same sign in policy, it uses the ROPC policy which fails to pass the API server's authority check because the server expects the sign in policy to have granted the token.

My question is ...

How do I reconcile all these policies? Am I correct in thinking that my various "client applications" should be free to generate tokens via whichever policy (user flow) makes sense for them? But then which policy should my API server use as the authority since it requires one single policy to have been used?

Thanks!

ADConnect: Warning : Health service data is not up to date.


Hi, 

In the Azure Portal, under 

Home > TenantName - Azure AD Connect > Azure Active Directory Connect Health - Sync services >TenantName > Azure Active Directory Connect (Sync) Alerts > Health service data is not up to date.

I am seeing the Warning as

Health service data is not up to date. Warning Servers (2) 10/9/2018, 22:01:39 11/26/2018, 14:32

As a troubleshooting step I tried the following:

1. Running the "Test-AzureADConnectHealthConnectivity -Role Sync" command. Below is the success outcome.


PS C:\Windows\system32> Test-AzureADConnectHealthConnectivity -Role Sync
Test-AzureADConnectHealthConnectivity's execution in details are as follows:
Starting Test-AzureADConnectHealthConnectivity ...

Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
AAD CDN connectivity is skipped.
Connecting to endpoint https://login.microsoftonline.com
Endpoint validation for https://login.microsoftonline.com is Successful.
Connecting to endpoint https://login.windows.net
Endpoint validation for https://login.windows.net is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/policymanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/policymanager.svc is Successful.
Connectivity Test Step 1 of 3 - Testing dependent service endpoints completed successfully.

Connectivity Test Step 2 of 3 - Blob data upload procedure begins ...
Tenant Id is successfully collected during agent registration.
Connectivity Test Step 2 of 3 - Blob data upload procedure completed successfully.

Connectivity Test Step 3 of 3 - EventHub data upload procedure begins ...
Tenant Id is successfully collected during agent registration.
Connectivity Test Step 3 of 3 - EventHub data upload procedure completed successfully.

Test-AzureADConnectHealthConnectivity completed successfully...

2. Restarted the services 

Azure AD Connect Health Sync Monitoring Service
Azure AD Connect Health Sync Insights Service

Still the same issue. How to get rid of this warning? It is also not sending any other alerts that it used to send earlier, e.g. "no export in last 2 hours" etc.

User sign-in with Azure Active Directory Pass-through Authentication


Hello,

My company has many servers on premises including the AD servers. At the same time, 2 servers in Azure (first for Azure AD working as DC as redundancy for the on-premises DC, second server works as ADFS for SSO). Servers onsite and in Azure are connected using Azure VPN gateway.

Is it possible to stop using both servers in Azure and stop the VPN and use User sign-in with Azure Active Directory Pass-through Authentication? I don't want to try things here as this is a production company.

Your advice and suggestions are highly appreciated.

Thanks.

Ali

iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication


--

When authenticating with ASP.NET Core 2.0 with OpenID Connect, the Identity cookie doesn't seem to be set when returning back from IdP, which results in a redirect loop. This same process works with iOS 11.

1. Visit site, access some protected resource
2. Set nonce, redirect to IdP
3. Authenticate at IdP
4. Return back with POST request
5. Validate id_token, set identity cookie with samesite=lax policy
6. Redirect to the protected resource
7. Check for identity cookie - missing, return to step 2

I tested the same flow on PC (Edge, Firefox, Chrome) and everything works fine. Any idea why Safari treats this case differently? This is probably going to affect quite a lot of users accessing Microsoft's own services as well - once again, this site works just fine on Chrome or Edge.

--

By Jan Hajek see: https://bugs.webkit.org/show_bug.cgi?id=188165


Regarding the validation of JWTs


Hello. I've been following this document...

https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens

and I have an app which prototypes the validation of tokens. I just want to be sure that I'm validating everything that needs to be checked.

From what I understand, the claims I need to check are...

Then I need to validate the signature. That's how I know that the token came from Microsoft.

The algorithm (RS256)

The issuer -- This is how I know that the token is for one of my apps in Azure AD. This prevents somebody from registering my app in Azure AD and providing my app URI as the URI for their own app, then requesting a token from their own app.

The Resource -- This is essentially how I check that the client is trying to access my app specifically, not some other app in my tenant.

Any other validation that I decide is necessary such as roles

So have I got this all right?
Also, is it possible that my tenant ID (and thus the issuer that my app needs to check against) might change? I ask because the above document mentions checking the value against what's in the OpenID discover document for my tenant. I'm wondering if I can skip checking it and just set the issuer ID directly in my app.
Thanks!
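
An added example (not part of the post above and not Microsoft's code) of the checks the question lists, in standard-library Python: pin `alg` to RS256, verify the signature with the key selected by `kid`, then compare `iss`, `aud` and an optional role. It goes one step beyond the post's list by also checking `nbf`/`exp`. The key pair, `test-kid`, the all-zero tenant GUID, the audience URI and the role names are constructed placeholders; a real service would take the signing keys from the tenant's OpenID discovery document.

```python
import base64, hashlib, hmac, json

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 9.2

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def pkcs1_v15_encode(message, k):  # EMSA-PKCS1-v1_5 block for a k-byte modulus
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(message, signature, n, e):
    """Rebuild the expected padded block and compare it whole."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), pkcs1_v15_encode(message, k))

def validate_token(token, keys, issuer, audience, now, required_role=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = (json.loads(b64url_decode(x)) for x in (h64, p64))
        signature = b64url_decode(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except Exception:
        raise ValueError("malformed token") from None
    if header.get("alg") != "RS256":      # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    key = keys.get(str(header.get("kid")))
    if key is None:
        raise ValueError("unknown kid")
    if not rs256_verify(f"{h64}.{p64}".encode(), signature, *key):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:       # issued by the expected tenant
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:     # issued for this API, not another app
        raise ValueError("wrong audience")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("outside validity window")
    if required_role and required_role not in claims.get("roles", []):
        raise ValueError("missing role")
    return claims

# Constructed test fixture, NOT a real key: two Mersenne primes used as an RSA key pair.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
KEYS = {"test-kid": (N, E)}               # stands in for the published signing keys
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant
AUDIENCE = "https://api.example.test"     # placeholder App ID URI
NOW = 1543000000                          # fixed clock so the example is repeatable
GOOD = {"iss": ISSUER, "aud": AUDIENCE, "nbf": NOW - 60, "exp": NOW + 3600, "roles": ["Reader"]}

def sign_test_token(claims, header=None):  # stands in for the identity provider
    header = header or {"alg": "RS256", "kid": "test-kid"}
    body = ".".join(b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(pkcs1_v15_encode(body.encode(), k), "big"), D, N)
    return body + "." + b64url_encode(sig.to_bytes(k, "big"))

def check(token, **kwargs):
    try:
        validate_token(token, KEYS, ISSUER, AUDIENCE, NOW, **kwargs)
        return "ok"
    except ValueError as err:
        return str(err)

def demo():
    good = sign_test_token(GOOD)
    h64, _, s64 = good.split(".")
    swapped = b64url_encode(json.dumps(dict(GOOD, roles=["Admin"])).encode())
    return {
        "valid": check(good),
        "role": check(good, required_role="Admin"),
        "audience": check(sign_test_token(dict(GOOD, aud="https://other.example.test"))),
        "expired": check(sign_test_token(dict(GOOD, exp=NOW - 1))),
        "edited payload": check(f"{h64}.{swapped}.{s64}"),
        "alg none": check(sign_test_token(GOOD, {"alg": "none"})),
    }
```

Calling `demo()` returns one result per case: the untouched token validates, and each of the other five is rejected with the reason for the first check it fails.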


Some confusion about API permissions in Azure AD


Hello. I'm trying to restrict access to an API  using Azure AD. I've been following this guide to get it set up...
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis

I have set up my scopes and granted permissions to another app which I did using the following link...https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

Finally, I have tried to access my web api as I would in the following guide...

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow

So what I've done so far is...

Created an application to represent the API and added scopes

Created an application to represent a client calling the API and granted permissions to the scopes

Made a request to get an access token to my API

My request params are as follows...

POST https://login.microsoftonline.com/XXXXXXXXXXXXXXXX/oauth2/token

client_id: <App ID in the directory for the client app>

client_secret:<A secret I generated for this app>

grant_type: client_credentials
resource:
https://xxxxxxxlonmicrosoft.com/db9e27d7-02c1-4597-86b5-1fae160cda8f

When I send this request I get a token back. The problem is that when I try to send a request for any of the scopes I defined when I exposed my API, I get an error back...

AADSTS50001: The application named https://xxxxxxxx.onmicrosoft.com/db9e27d7-02c1-4597-86b5-1fae160cda8f/.default was not found in the tenant named xxxxxxxx.  This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.  You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 798a4ac1-2ef8-475c-84c9-c4f20d213800\r\nCorrelation ID: cd448c8e-8a62-417a-9859-af6def67c7f2\r\nTimestamp: 2018-11-21 00:22:45Z

This happens for any of the scopes and not just ./default. This seems to indicate to me that when I make the request, it is not using the permissions I had set. Furthermore, if I create a new client application and send a request with a valid client ID and secret, I still get a token back even though I haven't set any permissions.

Any idea what might be going on?
Thanks

--Drew


Conditional Access issue on mobile phone active Sync users use built-in email app


I set up conditional access to block all countries except my given ones in AAD. Everything seems to work as expected. But soon after, all our mobile phone users got a message saying their device has been blocked or quarantined from accessing the server, etc. So I went to Exchange online portal, Mobile, Mobile device access, Quarantined Devices. They are all listed as quarantined devices. I tried to approve them, but no luck.

I called MS support and they instructed me to install Outlook for mobile, and it worked. But the built-in email apps for iPhone or Android were left over and have no access any more.

It's OK to use Outlook for mobile for emails but it doesn't sync the built-in calendar and contacts. Any idea or solution?

Thanks.

Cliff


CliffZ



Cannot create user and getting Access Denied


I signed up for a new Azure account, but it's not allowing me to create a new User under 'Azure Active Directory'. The button is greyed out. I keep seeing 'Access Denied' when I click on things like Billing. How is that possible when I'm the one who signed up for the account? The email address I signed up with is azure.banyanlab@gmail.com

How can I specify a directory (or all directories accessible) to query over REST API?


Using the  PowerShell Azure module, it returns all subscriptions to which I have access, or "x" number of subscriptions.

Connect-AzureRmAccount

(Get-AzureRmSubscription).count ### = 'x'


Using PowerShell to access the REST API, it only returns the subscriptions in my default directory; or a count of "x-y".  How can I either, have the API return all the subscriptions accessible by the account, or let me specify which directory I want to query?

$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile

$azureRmProfileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)

$azureRmContext = Get-AzureRmContext

$token = $azureRmProfileClient.AcquireAccessToken($azureRmContext.Subscription.TenantId)

$subsApi= 'https://management.azure.com/subscriptions?api-version=2016-06-01'

$headers = @{"Authorization"="bearer "+ $token.AccessToken}

$subs = Invoke-RestMethod -Uri $subsApi -Headers $headers

($subs.value).count ### returns "x-y" where y > 0






CloudSourceAnchor Writeback to MS-DS-ConsistencyGUID


Hiya, 

I am attempting to write back the CloudSourceAnchor to On premise users mS-DS-ConsistencyGuid. I can't seem to be able to find a convert expression for this which will work. I could map a custom attribute instead but I'd like to use the mS-DS-ConsistencyGuid if possible.

BTW we are not permitted to change the source anchor to be the mS-DS-ConsistencyGuid in this environment. 

Flow Type: Expression

Target: mS-DS-ConsistencyGuid

Source: ConvertFromBase64([cloudSourceAnchor])

<extension-error-info><extension-name>SyncRulesEngine</extension-name><extension-callsite>not available</extension-callsite><extension-context>not available</extension-context><call-stack>Attribute type - value mismatch. Received a string value, expecting Binary value. Property name = mS-DS-ConsistencyGuid


What's the SQL database name for Azure AD Connect?


I want to use a full SQL for my Azure AD Connect, if I pre-create a database in SQL Server, what'll be the database name?

Thank you!

Use Existing O365 Active for New Azure Subscription


Hello Expert,

Currently I have O365 E3 with Azure Active Directory and AD Connect to sync users and groups. We are in the process of adding a full Azure subscription to allow us to create Azure resources. Can this new Azure subscription use the existing Azure Active Directory associated with the O365 tenant?

Extranet Lockout Policy (soft) AD FS v3 / Windows 2012R2 server OS


Hi,

We have implemented Azure AD Connect Health for AD FS and it shows the Extranet Account Lockouts only occurring from one of the two servers we have in our internal farm.  We have the policy set and it appears to be working (we can see the event 516 in the security logs showing the soft lockouts).  We have two internal AD FS servers and the logs indicate both are processing success and failure logon attempts, and the charts in the Connect Health tool shows everything else is pretty well balanced.  But I have one person who insists we have a corrupt server because only one server logs the Extranet Account Lockout events.  This also happens to be the server that is our primary AD FS server, so I'm wondering if that's the reason why they are logged only on that server?

Thanks in advance for any information, I cannot seem to find that answer in any documentation.

GK


skigirl1

Which is the best edition of Windows 10 for Office 365 Users


Hi

Should I install a version of windows that does not have skype as the office 365 will install its own version, ie Windows 10 Enterprise N or another version?
