Channel: Azure Active Directory forum

Unable to authenticate MFA for an Admin

We enabled the MFA requirement for our admin users on Azure AD. Two users have successfully set up the authentication, but the third gets an error when attempting to create the security verification. I have reset the user's password and that did not resolve the issue. I have tried setting up authentication via text, call and the app. The call, when hitting # to confirm, says it was successful, but I always get the same message on the web page.


Azure AD Roles are being overwritten by Microsoft 365 Roles

If you add a user role from the Azure AD portal and then make changes to user roles using the Microsoft 365 portal, once you apply them, they remove the roles given from Azure AD.

To test this:

  1. From the Azure AD portal, add Application Administrator to a user (Directory Role).
  2. Switch over to the Microsoft 365 portal and edit the user's roles (User > Account blade > Roles).
  3. Uncheck and check a role and save (you don't have to add or remove anything, just make a change so you can save).
  4. Switch back to Azure portal - Application Admin is gone.

Not all roles in Azure AD are available in the Microsoft 365 portal (this is understandable), but it seems that they take precedence over Azure AD (or the back-end command is doing a complete overwrite of permissions rather than an add).
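A way to confirm the overwrite from the directory itself rather than from the portal, added here as an example that is not part of the original post: snapshot the user's activated directory roles before and after the Microsoft 365 portal save and diff the two lists. It assumes the AzureAD module with an existing Connect-AzureAD session; the UPN is a placeholder.

```powershell
# Added example (not from the original post). Assumes the AzureAD module
# and that Connect-AzureAD has already been run. The UPN is a placeholder.

function Get-UserDirectoryRoles {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    # Get-AzureADDirectoryRole lists only roles activated in the tenant; the user
    # holds a role if their ObjectId appears in that role's member list.
    Get-AzureADDirectoryRole | Where-Object {
        (Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).ObjectId -contains $user.ObjectId
    } | Select-Object -ExpandProperty DisplayName | Sort-Object
}

$upn    = 'alice@contoso.onmicrosoft.com'   # placeholder
$before = Get-UserDirectoryRoles -UserPrincipalName $upn
Read-Host 'Save the role change in the Microsoft 365 admin center, then press Enter' | Out-Null
$after  = Get-UserDirectoryRoles -UserPrincipalName $upn

# '<=' marks a role that was present before the save and is gone afterwards;
# '=>' marks one that the save added.
Compare-Object -ReferenceObject @($before) -DifferenceObject @($after) |
    Select-Object @{ n = 'Role'; e = { $_.InputObject } }, SideIndicator
```

Run it once with a role such as Application Administrator assigned from the Azure AD portal; any row with `<=` after the Microsoft 365 save is a role the other portal silently removed.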

How to add and configure an AAD application from the gallery programmatically?

Hi team,

I am currently working on configuring federation from Azure AD to the AWS Management Console. Following the instructions in the link below works with some modifications:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-amazon-web-service-tutorial

Now, I need to be able to do the same configuration programmatically. I checked the AAD PowerShell commands but could not find out how to use them to provision a pre-integrated application from the Azure AD gallery like the AWS app. The commands seem limited in what they can do and are targeted at managing applications that have already been provisioned from the gallery or working with applications being developed in-house (e.g. New-AzureADApplication).

The idea here is that I need to add 50 of these apps from the gallery and configure them programmatically. Any direction here would be appreciated.

Ihab
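Gallery apps are instantiated through the Microsoft Graph applicationTemplates API rather than through the AzureAD module. The script below is an added example, not code from the post or from Microsoft's tutorial: it looks up a template by display name and instantiates it once per entry in a list, which is the shape of the 50-app job described above. It assumes `$token` already holds a Graph bearer token with application write permission; the display names in `$apps` are placeholders.

```powershell
# Added example (not from the original post). Assumes $token is a bearer
# token for https://graph.microsoft.com with permission to create
# applications (e.g. Application.ReadWrite.All). Names below are placeholders.

function Find-GalleryTemplate {
    param([Parameter(Mandatory)] [string] $Token,
          [Parameter(Mandatory)] [string] $Name)
    $filter = [uri]::EscapeDataString("displayName eq '$Name'")
    $uri = "https://graph.microsoft.com/v1.0/applicationTemplates?`$filter=$filter"
    (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $Token" }).value
}

function New-GalleryApp {
    param([Parameter(Mandatory)] [string] $Token,
          [Parameter(Mandatory)] [string] $TemplateId,
          [Parameter(Mandatory)] [string] $DisplayName)
    # POST .../applicationTemplates/{id}/instantiate creates both the application
    # object and its service principal from the gallery template.
    $uri  = "https://graph.microsoft.com/v1.0/applicationTemplates/$TemplateId/instantiate"
    $body = @{ displayName = $DisplayName } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $Token" } -Body $body
}

# One entry per instance you want; the same template can be instantiated many times.
$apps = @(
    @{ Template = 'Amazon Web Services (AWS)'; Display = 'AWS - Finance' },
    @{ Template = 'Amazon Web Services (AWS)'; Display = 'AWS - Engineering' }
)

foreach ($a in $apps) {
    $tmpl = Find-GalleryTemplate -Token $token -Name $a.Template | Select-Object -First 1
    if (-not $tmpl) { Write-Warning "No gallery template named '$($a.Template)'"; continue }
    $result = New-GalleryApp -Token $token -TemplateId $tmpl.id -DisplayName $a.Display
    # SAML settings (identifier, reply URL, claims) are then configured on the
    # service principal; keep its id for the follow-up calls.
    '{0}: application {1}, servicePrincipal {2}' -f $a.Display,
        $result.application.id, $result.servicePrincipal.id
}
```

The token used here should come from an app registration or automation identity scoped to application management only; a Global Administrator token for a bulk job is more privilege than the job needs.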

Azure AD integration with AWS - need to export list of roles for creating AD groups

Hi,

I am trying to automate Azure AD SSO for AWS. I need to assign roles to AD groups instead of users, as explained in the Microsoft guide (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial).

Does anybody know how to export the list of roles through PowerShell, so that I can use it for creating groups?

Thanks

Dhan
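The roles the AWS tutorial refers to are app roles on the AWS enterprise application's service principal, so they can be read with the AzureAD module. The script below is an added example, not code from the post or the tutorial: it exports the role table to CSV and then creates one security group per role and assigns that group to the role. It assumes an existing Connect-AzureAD session and that the app's display name is 'Amazon Web Services (AWS)'; the group prefix is a placeholder.

```powershell
# Added example (not from the original post). Assumes the AzureAD module with
# Connect-AzureAD already run; the app name and group prefix are placeholders.

function Get-AppRoleTable {
    param([Parameter(Mandatory)] [string] $AppDisplayName)
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) { throw "Service principal '$AppDisplayName' not found" }
    # For the AWS app each enabled AppRole maps to one IAM role; Value carries the
    # '<role ARN>,<saml-provider ARN>' pair that ends up in the SAML Role claim.
    $sp.AppRoles | Where-Object { $_.IsEnabled } | ForEach-Object {
        [pscustomobject]@{
            ServicePrincipalId = $sp.ObjectId
            RoleId             = $_.Id
            RoleName           = $_.DisplayName
            RoleValue          = $_.Value
        }
    }
}

function New-GroupPerAppRole {
    param([Parameter(Mandatory)] [string] $AppDisplayName,
          [string] $GroupPrefix = 'AWS-Role-')
    foreach ($role in Get-AppRoleTable -AppDisplayName $AppDisplayName) {
        # Every gallery app carries a default 'User' role (value msiam_access);
        # it is not an AWS role, so skip it.
        if ($role.RoleValue -eq 'msiam_access') { continue }
        $name  = ($GroupPrefix + $role.RoleName) -replace '[^\w\-]', '_'
        $group = Get-AzureADGroup -Filter "displayName eq '$name'"
        if (-not $group) {
            $group = New-AzureADGroup -DisplayName $name -MailEnabled $false `
                         -SecurityEnabled $true -MailNickName $name
        }
        # Assigning the group to the app role means its members receive that
        # role in the SAML assertion; no per-user assignment is needed.
        New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
            -ResourceId $role.ServicePrincipalId -Id $role.RoleId | Out-Null
        [pscustomobject]@{ Group = $name; Role = $role.RoleName; Value = $role.RoleValue }
    }
}

# Export first so the mapping can be reviewed, then create and assign the groups.
Get-AppRoleTable -AppDisplayName 'Amazon Web Services (AWS)' |
    Export-Csv -Path .\aws-app-roles.csv -NoTypeInformation
New-GroupPerAppRole -AppDisplayName 'Amazon Web Services (AWS)' | Format-Table
```

Because group membership now decides which AWS IAM role a person can assume, treat membership changes to these groups as privileged operations and review them the same way you would review IAM policy changes.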

HISCONNECTORregistration Certificate Expired

I have just noticed that all my servers running as PTA agents, including the AD Connect server, have this certificate as expired. Authentication is working, but I am worried there is something broken somewhere. Has anyone had any experience with this?

Windows activation

My school account will not activate: "Selected user account does not exist in tenant 'Microsoft' and cannot access the application '71dada86-21db-493b-93e4-1a902601f30f' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

Powershell Connect-MsolService fails to authenticate with Microsoft Graph access token

Hi,

I am trying to authenticate with the MSOnline PowerShell module using Connect-MsolService. I obtain a user's access token via a web application using the Azure AD Graph (graph.windows.net). If I authenticate with that token (Connect-MsolService -AccessToken <token>), things work fine.

However, since it's recommended to use the newer Microsoft Graph (graph.microsoft.com), I want to switch over to it, but Connect-MsolService fails with the token granted by it. If I run Connect-MsolService -MsGraphAccessToken <token>, I get the following error:

Connect-MsolService : The given key was not present in the dictionary.

To obtain the access token, I send users to the https://login.windows.net/common/oauth2/authorize endpoint with the correct client_id, redirect_uri and resource set to https://graph.microsoft.com. The authentication succeeds and I get a valid token back (for example, a request to https://graph.microsoft.com/v1.0/me works fine).

What am I doing wrong here?

Thanks for your help!

Best,
Steven


Azure AD single logout configuration

I am using Azure AD SAML 2.0.

I want my application to log out when the user logs out of Azure AD. I am trying to find a way to configure this; however, I am not able to find one. Please suggest some good documentation.

The logout needs to be done from the IdP to the SP.


How to set user's assignedPlans, provisionedPlans and onPremisesExtensionAttributes with Graph API?

When I GET https://graph.microsoft.com/beta/users/{id}, I get arrays for assignedPlans, provisionedPlans and onPremisesExtensionAttributes.

I wonder how to set them with the Graph API after creating a new user?

Thanks!

Azure B2C - Custom Policy - SAML SignIn - Generic Error Message

Hello

I've set up a test B2C tenant (the IdP) and created and then uploaded a set of custom policies with the goal of supporting SSO.

The B2C tenant as well as all other information on this thread was set up for testing purposes exclusively, and does not contain any private/production information.

The SAMLP endpoint is working as expected, and I'm able to access the metadata.

Whenever I submit the authentication request below, I get the generic exception message mentioned below. Going through the audit logs and Application Insights DOES NOT return any records related to the correlation ID below.

Are there any other ways to troubleshoot this issue?

SAMLP AuthnRequest (raw XML as well as the deflated, Base64-encoded and URL-encoded GET request).

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_d570611c-fda2-4a62-a18c-2d9bd64b65ce"
    Version="2.0"
    IssueInstant="2018-12-05T01:53:01Z"
    AssertionConsumerServiceIndex="1">
    <saml:Issuer>https://spsampletest.azurewebsites.net/sampleapp</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

Deflated + Base64 + URL Encoded AuthnRequest:

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%3D%3D

URL used for the GET request:

https://login.microsoftonline.com/te/testb2csaml.onmicrosoft.com/B2C_1A_signin_TST_MemXP/samlp/sso/login?SAML_Request=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%3D%3D&RelayState=https://postadataviewer.azurewebsites.net/

Error Message :

Sorry, but we're having trouble signing you in.

We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.

Correlation ID: 9d2d4b24-6c5c-429a-a0f0-c5a56b54defe

Timestamp: 2018-11-29 00:18:21Z

AADB2C: An exception has occurred.
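The encoding step the post describes (DEFLATE, then Base64, then URL-encode) is the SAML 2.0 HTTP-Redirect binding, and that binding names the query parameter `SAMLRequest`; the request above uses `SAML_Request`, which is worth checking first since a parameter the endpoint does not recognise produces exactly this kind of generic failure. The script below is an added example, not code from the post: it builds an AuthnRequest with the post's issuer, encodes it for the Redirect binding, round-trips the encoding to prove it is reversible, and assembles the GET URL. Tenant, policy, issuer and RelayState are the placeholder values from the post.

```powershell
# Added example (not from the original post). Tenant, policy, issuer and
# RelayState are placeholders copied from the post; replace with your own.

function ConvertTo-SamlRedirectParam {
    param([Parameter(Mandatory)] [string] $Xml)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Xml)
    $ms = New-Object IO.MemoryStream
    # Raw DEFLATE (no zlib/gzip header) is what the Redirect binding requires;
    # DeflateStream produces exactly that. leaveOpen=$true keeps $ms readable.
    $ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Compress, $true)
    $ds.Write($bytes, 0, $bytes.Length)
    $ds.Dispose()
    [uri]::EscapeDataString([Convert]::ToBase64String($ms.ToArray()))
}

function ConvertFrom-SamlRedirectParam {
    param([Parameter(Mandatory)] [string] $Param)
    $raw = [Convert]::FromBase64String([uri]::UnescapeDataString($Param))
    $in  = New-Object IO.MemoryStream(,$raw)
    $ds  = New-Object IO.Compression.DeflateStream($in, [IO.Compression.CompressionMode]::Decompress)
    (New-Object IO.StreamReader($ds, [Text.Encoding]::UTF8)).ReadToEnd()
}

function New-SamlAuthnRequest {
    param([Parameter(Mandatory)] [string] $Issuer, [int] $AcsIndex = 1)
    # IDs must start with a letter or underscore, hence the '_' prefix.
    $id  = '_' + [guid]::NewGuid().ToString()
    $now = [DateTime]::UtcNow.ToString('yyyy-MM-ddTHH:mm:ssZ')
@"
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="$id" Version="2.0" IssueInstant="$now" AssertionConsumerServiceIndex="$AcsIndex"><saml:Issuer>$Issuer</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>
"@
}

$xml   = New-SamlAuthnRequest -Issuer 'https://spsampletest.azurewebsites.net/sampleapp'
$param = ConvertTo-SamlRedirectParam -Xml $xml
# Round-trip check: decoding the parameter must give back the same XML.
if ((ConvertFrom-SamlRedirectParam -Param $param).Trim() -ne $xml.Trim()) { throw 'round-trip failed' }

$sso = 'https://login.microsoftonline.com/te/testb2csaml.onmicrosoft.com/B2C_1A_signin_TST_MemXP/samlp/sso/login'
# The Redirect binding's parameter name is SAMLRequest (not SAML_Request).
$url = '{0}?SAMLRequest={1}&RelayState={2}' -f $sso, $param,
        [uri]::EscapeDataString('https://postadataviewer.azurewebsites.net/')
$url
```

If the request is rejected even with the correct parameter name, the next things to compare against the policy's metadata are the Issuer (it must match the relying party's registered entity ID) and the AssertionConsumerServiceIndex, which only works when the SP metadata uploaded to B2C actually defines an endpoint with that index.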

User sign-in with Azure Active Directory Pass-through Authentication

Hello,

My company has many servers on premises, including the AD servers. At the same time, we have 2 servers in Azure (the first for Azure AD, working as a DC for redundancy with the on-premises DC; the second works as ADFS for SSO). Servers on site and in Azure are connected using an Azure VPN gateway.

Is it possible to stop using both servers in Azure, stop the VPN and use user sign-in with Azure Active Directory Pass-through Authentication? I don't want to try things here as this is a production company.

Your advice and suggestions are highly appreciated.

Thanks.

Ali

Windows 10 Azure AD joined cannot see NAS

I need to be able to enable my Azure AD users to access local network resources.

When I log into an Azure AD joined Windows 10 machine (Version 1607, build 14393.693), I am unable to navigate through File Explorer to a NAS.

I have turned on network discovery and file and printer sharing and it can see other items on the network like a printer, but not the NAS.

If I log onto that same computer with a local account, the NAS can easily be accessed. 

Azure MFA, Conditional Access and Oauth2

I'm having trouble getting an access token for a test user for whom I've enabled Azure MFA and Conditional Access. When I try to use the curl call below, I'm issued a response with a claims attribute. After reading all the documentation I could find on how to use the claims attribute, I can't find any concrete examples of how to structure a new request for the user to perform MFA and then be able to get an access token.

I was wondering if anyone has seen something similar, or if they know the structure of the subsequent request to be able to prompt the user for MFA.

Thanks!

Curl request (the body is on one line so no newlines are sent, and double-quoted so the shell expands the variables):

curl -vk -X POST \
  -d "resource=https://graph.windows.net&client_id=${clientId}&client_secret=${clientSecret}&scope=openid&grant_type=password&username=${mfaUser}&password=${mfaPassword}" \
  https://login.microsoftonline.com/common/oauth2/token

Response:

{
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.\r\nTrace ID: 7e56a4f2-0a6d-4666-a322-25c96e961b00\r\nCorrelation ID: c7b1d42f-e796-4547-9704-4d971e71d4e2\r\nTimestamp: 2018-11-20 15:05:16Z",
    "error_codes": [50076],
    "timestamp": "2018-11-20 15:05:16Z",
    "trace_id": "7e56a4f2-0a6d-4666-a322-25c96e961b00",
    "correlation_id": "c7b1d42f-e796-4547-9704-4d971e71d4e2",
    "claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"${GUID}\"]}}}",
    "suberror": "basic_action"
}
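The `claims` value is a claims challenge: it is meant to be sent back, verbatim and URL-encoded, as the `claims` parameter of an interactive request to the /authorize endpoint, where Azure AD can run the MFA prompt. The password grant used above (grant_type=password) has no user interaction and so can never satisfy an MFA or Conditional Access requirement; the follow-up request has to be the authorization-code flow in a browser. The script below is an added example, not code from the post: it parses the error body, extracts the challenge and builds the authorize URL that carries it. The tenant, client_id and redirect_uri are placeholders, and the error JSON is a constructed sample with the same shape as the response above.

```powershell
# Added example (not from the original post). Tenant, client id, redirect URI
# and the sample error body are placeholders / constructed test data.

# Constructed sample of the token-endpoint error (same shape as the real one).
$errorJson = @'
{ "error": "interaction_required",
  "error_description": "AADSTS50076: ... you must use multi-factor authentication ...",
  "error_codes": [50076],
  "claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"00000000-0000-0000-0000-000000000000\"]}}}",
  "suberror": "basic_action" }
'@

function Get-ClaimsChallenge {
    param([Parameter(Mandatory)] [string] $Json)
    $err = $Json | ConvertFrom-Json
    if ($err.error -ne 'interaction_required' -or -not $err.claims) { return $null }
    # 'claims' is a JSON string inside the JSON; return it unchanged so it can be
    # replayed exactly as Azure AD issued it.
    $err.claims
}

function New-AuthorizeUrl {
    param(
        [Parameter(Mandatory)] [string] $Tenant,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $RedirectUri,
        [Parameter(Mandatory)] [string] $Resource,
        [string] $Claims
    )
    $q = [ordered]@{
        client_id     = $ClientId
        response_type = 'code'
        redirect_uri  = $RedirectUri
        resource      = $Resource
        scope         = 'openid'
        state         = [guid]::NewGuid().ToString()   # bind the callback to this request
    }
    if ($Claims) { $q['claims'] = $Claims }   # the challenge, URL-encoded below
    $query = ($q.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value) }) -join '&'
    "https://login.microsoftonline.com/$Tenant/oauth2/authorize?$query"
}

$claims = Get-ClaimsChallenge -Json $errorJson
$url = New-AuthorizeUrl -Tenant 'contoso.onmicrosoft.com' -ClientId '<client_id>' `
        -RedirectUri 'https://localhost/callback' -Resource 'https://graph.windows.net' -Claims $claims

# Open $url in a browser: Azure AD enforces MFA, then redirects to the
# redirect_uri with ?code=...&state=... . Exchange that code at
# /oauth2/token with grant_type=authorization_code for the access token.
$url
```

When the browser comes back, check that `state` matches the value you generated before exchanging the code; the challenge itself does not need to be sent again at the token endpoint.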

AD Connect high availability

Hello,

Our current AD Connect server is outdated. We are making plans to update. Currently we have only one AD Connect server. We want the environment to be more highly available. We have an Azure subscription, so it's possible to use that.

Question: I am looking for information and best practice to make AD Connect highly available.

Your advice and suggestions are highly appreciated.

Kind Regards,

Finn


Connect-MsolService -Credential and Connect-AzureAD -Credential with PSCredential issue

Hi,

I am trying to connect to Azure by PowerShell using either the Connect-MsolService -Credential or the Connect-AzureAD -Credential statement. Both statements below give an error:

$credential = Get-Credential
Connect-MsolService -Credential $credential

Connect-MsolService : An error occurred while sending the request.
At line:2 char:1
+ Connect-MsolService -Credential $credential
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], HttpRequestException
    + FullyQualifiedErrorId : System.Net.Http.HttpRequestException,Microsoft.Online.Administration.Automation.ConnectMsolService

$credential = Get-Credential
Connect-AzureAD -Credential $credential

Connect-AzureAD : One or more errors occurred.: An error occurred while sending the request.
At line:2 char:1
+ Connect-AzureAD -Credential $credential
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (:) [Connect-AzureAD], AadAuthenticationFailedException
    + FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD

Everything works fine when I leave out the -Credential part; Windows presents a different login box (Office 365 web page) when I leave out the -Credential part.

How can I solve this? I need to be able to pass the credential as a PSCredential object so I can build an unattended maintenance script.
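For an unattended maintenance script the safer pattern is not a stored username and password at all (a PSCredential cannot pass MFA, and the saved password is exactly what an attacker on that host wants) but a certificate-backed service principal. The AzureAD module supports this directly through Connect-AzureAD -ApplicationId -CertificateThumbprint; the MSOnline module has no equivalent. The script below is an added example, not code from the post: it creates a non-exportable certificate once, then signs in with it and checks its expiry before every run. Tenant ID, application ID and thumbprint are placeholders, and the app registration must already have the public certificate uploaded and the directory permissions the script needs.

```powershell
# Added example (not from the original post). Tenant ID, application ID,
# thumbprint and certificate subject are placeholders.

# One-time setup on the maintenance host: create a non-exportable key and
# export the public part (.cer) to upload under the app registration's
# "Certificates & secrets".
function New-AutomationCert {
    param([string] $Subject = 'CN=aad-maintenance', [int] $ValidYears = 1)
    $cert = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation Cert:\LocalMachine\My `
        -KeyExportPolicy NonExportable -KeySpec Signature -KeyLength 2048 `
        -NotAfter (Get-Date).AddYears($ValidYears)
    Export-Certificate -Cert $cert -FilePath ".\$($Subject -replace '^CN=','').cer" | Out-Null
    $cert.Thumbprint
}

function Connect-AzureADUnattended {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # The account running the task needs read access to this key's private part;
    # grant it on the key, not by running the task as an administrator.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires $($cert.NotAfter); rotate it before then"
    }
    Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId `
        -CertificateThumbprint $cert.Thumbprint
}

# Scheduled-task body: no interactive prompt, no password on disk.
Connect-AzureADUnattended -TenantId '<tenant-id>' -ApplicationId '<app-id>' -Thumbprint '<thumbprint>'
Get-AzureADTenantDetail | Select-Object DisplayName, ObjectId
```

Give the app registration only the permissions the maintenance job uses (for example Directory.Read.All for reporting) rather than a directory role; that way a compromise of the host cannot be turned into Global Administrator access.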


Useless option of "Don't ask again for 3 days" while logging in to Azure Account

Hello,

I tried multiple times to log in to my Azure account and chose the option "Don't ask again for 3 days" in order to avoid repeated code entries for 3 days, but it still asks me to enter a code sent to my phone. Kindly check the snapshot to get a better understanding of the issue. You may also notice the times, showing how frequently I tried the test.

I hope I have explained the issue clearly. Could you please suggest how I can bypass or suppress the text code entry pop-up for the said days?

Kind Regards,

Ajay.

HTTP OPTIONS command to ActiveSync server returns unauthorized for OAuth authentication method

Hi,

As per the authorization documentation, it mentions we can use the normal HTTP method, OAuth and also a certificate. Calling the OPTIONS command on the ActiveSync server using the normal HTTP method of authentication, the server returns HTTP response code 200. But if I am using the OAuth method, I pass "Bearer" + token in the "Authorization" header, but the request returns 401. I am also passing the host, which is Office 365 in my case.

What could I be missing or doing wrong? Does this work if I use the OAuth method?

Please guide.

Thanks

Azure Active Directory without Global Admin

I have an Active Directory with 2 users but no Global Admin configured. I want to use this directory for the new Partner Center, but I can't add it without a Global Admin. I also can't change anything else or delete the directory because it has no admin.

Unable to connect Azure AD during upgrade to version 1.2.67.0

Hi -

Well, MS support alerted and the "solution" was trad.
Luckily we already had an ongoing project to move sync to another machine, so the guys "moved" the configuration to other hardware and another Windows version....
...the hunch is that Win2008 (Std at least) might get you somewhere you really don't want to go.

Highly recommended to put that staging server waiting next to the prod one.

/jc - Have a nice weekend

EOF

Hi - we're getting an error after the "upgrade part" of upgrading AADConnect to version 1.2.67.0, so the latest and greatest .msi package is used.
Have you heard of any errors when connecting to Azure?
Or any ideas where this might come from...?

Br,

/jc - jc@clavert.fi


Error message received in phase "Connect to Azure AD"
-->
Unable to retrieve the Azure Active Directory configuration. Field not Found:
"Microsoft.Azure.ActiveDirectory.Client.Framework.MicrosoftOnlineInstance.AzureOneBox"

SSPR - Unlock account with out resetting password from sign in screen Windows 10 1803

I would like to know if it is possible, as from the SSPR website, to unlock the account without resetting the password from the sign-in screen on Windows 10 1803. Please see the thread on GitHub too: https://github.com/MicrosoftDocs/azure-docs/issues/16642