Channel: Azure Active Directory forum

[URGENT] HTTP OPTIONS command to ActiveSync server returns unauthorized for OAuth authentication method


Hi,

As per the authorization documentation, it mentions we can use the normal HTTP method, OAuth and also a certificate. Calling the OPTIONS command on the ActiveSync server using the normal HTTP method of authentication, the server returns HTTP response code 200. But if I am using the OAuth method, I pass "Bearer" + token in the "Authorization" header, and the command request returns 401. I am also passing the host, which is office365 in my case.

What could I be missing or doing wrong? Does this work if I use the OAuth method?

Please guide.

Thanks
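The check a practitioner would run before anything else here is to look at the token actually being sent. The following is an added example, not code from the original post: it decodes the bearer token's payload and verifies the two claims that most often explain a 401 from Exchange Online, namely that 'aud' is the Exchange Online resource (https://outlook.office365.com) rather than Microsoft Graph or another API, and that 'exp' is still in the future. The sample tokens are constructed in the script and unsigned; no signature verification is performed, this is client-side inspection only. The EAS endpoint URL and the EAS.AccessAsUser.All scope name are the ones Exchange Online uses; everything else (function names, placeholder signature) is illustrative.

```powershell
# Added example, not code from the original post: inspect the bearer token before sending it to
# Exchange ActiveSync. Exchange Online answers 401 to a token minted for another resource
# (for example Microsoft Graph) however valid that token is elsewhere.

function ConvertFrom-JwtPayload {
    # Base64url-decode the payload segment of a compact JWT and return its claims (no signature check)
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT: expected 3 segments, got $($parts.Count)" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-EasToken {
    # $true when the token is usable against outlook.office365.com; warnings explain a $false
    param([Parameter(Mandatory)][string]$Token)
    $claims   = ConvertFrom-JwtPayload -Token $Token
    $expected = 'https://outlook.office365.com'
    $aud      = ([string]$claims.aud).TrimEnd('/')
    $expires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $audOk    = $aud -eq $expected
    $fresh    = $expires -gt [DateTimeOffset]::UtcNow
    if (-not $audOk) { Write-Warning "aud is '$aud'; Exchange ActiveSync needs a token issued for '$expected'" }
    if (-not $fresh) { Write-Warning "token expired at $expires (UTC)" }
    return ($audOk -and $fresh)
}

function New-EasOptionsRequest {
    # The OPTIONS probe from the post. Returns the request pieces; sends only when -Send is given.
    param([Parameter(Mandatory)][string]$Token, [switch]$Send)
    $uri     = 'https://outlook.office365.com/Microsoft-Server-ActiveSync'   # the URI sets the Host header
    $headers = @{ Authorization = "Bearer $Token" }
    if (-not $Send) { return [pscustomobject]@{ Method = 'OPTIONS'; Uri = $uri; Headers = $headers } }
    Invoke-WebRequest -Method Options -Uri $uri -Headers $headers -UseBasicParsing
}

function New-SampleJwt {
    # Constructed, unsigned token for offline demonstration only (signature segment is a placeholder)
    param([Parameter(Mandatory)][string]$Audience, [int]$LifetimeSeconds = 3600)
    $b64url  = { param($obj) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(($obj | ConvertTo-Json -Compress))).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = & $b64url @{ alg = 'RS256'; typ = 'JWT' }
    $payload = & $b64url @{ aud = $Audience; exp = [DateTimeOffset]::UtcNow.AddSeconds($LifetimeSeconds).ToUnixTimeSeconds(); scp = 'EAS.AccessAsUser.All' }
    ($header, $payload, 'placeholder-signature') -join '.'
}

# A token issued for Exchange Online passes; one issued for Graph (a common mix-up) is flagged
$good = New-SampleJwt -Audience 'https://outlook.office365.com'
$bad  = New-SampleJwt -Audience 'https://graph.microsoft.com'
Test-EasToken -Token $good
Test-EasToken -Token $bad
New-EasOptionsRequest -Token $good
```

Run Test-EasToken against the real token from the web application; if it reports the wrong audience, the fix is on the token-acquisition side (request the token for the Exchange Online resource), not in the OPTIONS request.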



Azure sync errors


Hello!

Sorry if I chose the wrong section; I could not find a more appropriate one.

Problem №1

I have two users, makarov_ai.otk and makarov_ai.vst. On portal.azure.com I receive the synchronization error QuarantinedAttributeValueMustBeUnique.

Proxy addresses (as shown in the portal error):

Conflicting value: smtp:makarov_ai.vst@pharm.onmicrosoft.com

smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com

smtp:makarov_ai.otk@pharm.com;smtp:makarov_ai.otk@XN--80AF0AGCBOAFGH.XN--P1AI;SMTP:makarov_ai.otk@pharm.ru;X500:/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user91f3b7ee;smtp:makarov_ai.vst@pharm.onmicrosoft.com


get-aduser -Identity makarov_ai.vst -Properties * | fl -Property SamAccountName,UserPrincipalName,mail,proxyAddresses

SamAccountName    : makarov_ai.vst
UserPrincipalName : makarov_ai.vst@hq.pharm.com
mail              : makarov_ai.vst2@pharm.ru
proxyAddresses    : {smtp:makarov_ai.vst@pharm.mail.onmicrosoft.com, smtp:makarov_ai.vst2@pharm.com, SMTP:makarov_ai.vst2@pharm.ru}

get-aduser -Identity makarov_ai.otk -Properties * | fl -Property SamAccountName,UserPrincipalName,mail,proxyAddresses

SamAccountName    : makarov_ai.otk
UserPrincipalName : makarov_ai.otk@pharm.ru
mail              : makarov_ai.otk@pharm.ru
proxyAddresses    : {smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com, SMTP:makarov_ai.otk@pharm.ru, smtp:makarov_ai.otk@pharm.com}

Makarov_ai.vst couldn't be found on 'AMSPR07A002DC03.EURPR07A002.prod.outlook.com'.

Get-Recipient makarov_ai.otk@pharm.ru | fl -Property WindowsLiveID,PrimarySmtpAddress,EmailAddresses


WindowsLiveID      : makarov_ai.otk@pharm.ru
PrimarySmtpAddress : makarov_ai.otk@pharm.ru
EmailAddresses     : {smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com, smtp:makarov_ai.otk@pharm.com, SMTP:makarov_ai.otk@pharm.ru...}

Get-MsolUser

Get-msoluser -UserPrincipalName makarov_ai.otk@pharm.ru | fl -Property UserPrincipalName,ProxyAddresses

UserPrincipalName : makarov_ai.otk@pharm.ru
ProxyAddresses    : {smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com, smtp:makarov_ai.otk@pharm.com, SMTP:makarov_ai.otk@pharm.ru...}

I've tried to run a full synchronization, but got an "exported-change-not-reimported" error.



Azure cannot export the makarov_ai.vst@pharm.onmicrosoft.com value.

Problem №2

I have two users, Olga and Disp. The error is that in Azure Olga has Disp's UPN and mail, and Disp has Olga's UPN and mail. But in local AD they both have correct values.
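QuarantinedAttributeValueMustBeUnique is raised when Azure AD would end up with the same proxyAddresses value on two objects, which is exactly what the quoted cloud-side output shows. The following is an added example, not code from the original post: a function that walks a set of directory objects, keys every proxy address case-insensitively (smtp: and SMTP: are the same address, they differ only in the primary flag) and reports the values carried by more than one object. The sample input is constructed from the values quoted in the post; the vst entry models the object as Azure AD Connect is trying to export it, which is an assumption. The live Get-MsolUser / Get-ADUser calls are shown commented out and are not run here.

```powershell
# Added example, not code from the original post: find proxyAddresses values shared by more than
# one object, the condition behind QuarantinedAttributeValueMustBeUnique.

function Find-DuplicateProxyAddresses {
    param(
        # Any objects exposing an identity property and a ProxyAddresses collection
        # (Get-MsolUser, Get-ADUser -Properties proxyAddresses, ...). PowerShell property
        # access is case-insensitive, so 'proxyAddresses' from AD matches too.
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        [string]$IdentityProperty = 'UserPrincipalName'
    )
    begin { $owners = @{} }   # lower-cased address -> identities of the objects carrying it
    process {
        $id = [string]$InputObject.$IdentityProperty
        foreach ($address in @($InputObject.ProxyAddresses)) {
            $key = ([string]$address).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = [System.Collections.Generic.List[string]]::new() }
            if ($owners[$key] -notcontains $id) { $owners[$key].Add($id) }
        }
    }
    end {
        foreach ($key in $owners.Keys) {
            if ($owners[$key].Count -gt 1) {
                [pscustomobject]@{ ProxyAddress = $key; Objects = ($owners[$key] -join ', ') }
            }
        }
    }
}

# Constructed input modelled on the cloud-side values quoted in the post: the otk object as
# Get-MsolUser/Get-Recipient show it, and the vst object as Azure AD Connect is trying to export it.
$cloudObjects = @(
    [pscustomobject]@{
        UserPrincipalName = 'makarov_ai.otk@pharm.ru'
        ProxyAddresses    = @('smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com', 'smtp:makarov_ai.otk@pharm.com',
                              'SMTP:makarov_ai.otk@pharm.ru', 'smtp:makarov_ai.vst@pharm.onmicrosoft.com')
    }
    [pscustomobject]@{
        UserPrincipalName = 'makarov_ai.vst@hq.pharm.com'
        ProxyAddresses    = @('smtp:makarov_ai.vst@pharm.onmicrosoft.com', 'smtp:makarov_ai.vst@pharm.mail.onmicrosoft.com',
                              'SMTP:makarov_ai.vst2@pharm.ru')
    }
)
$cloudObjects | Find-DuplicateProxyAddresses

# Against a live tenant or forest (not run here):
#   Get-MsolUser -All | Find-DuplicateProxyAddresses
#   Get-ADUser -Filter 'proxyAddresses -like "*"' -Properties proxyAddresses |
#       Find-DuplicateProxyAddresses -IdentityProperty SamAccountName
```

With the constructed data the single reported row is smtp:makarov_ai.vst@pharm.onmicrosoft.com, owned by both objects. Running the same function over Get-MsolUser output and over Get-ADUser output side by side shows whether the stray value lives only in the cloud object (to be removed there) or also on-premises.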

Powershell Connect-MsolService fails to authenticate with Microsoft Graph access token


Hi,

I am trying to authenticate with the MSOnline powershell module using Connect-MsolService. I obtain a user's access token via a web application using the Azure AD Graph (graph.windows.net). If I authenticate with that token (Connect-MsolService -AccessToken <token>), things work fine.

However, since it's recommended to use the newer Microsoft Graph (graph.microsoft.com) I want to switch over to it, but the Connect-MsolService fails with the token granted by it. If I run Connect-MsolService -MsGraphAccessToken <token>, I get the following error: 

Connect-MsolService : The given key was not present in the dictionary.

To obtain the access token, I send users to the https://login.windows.net/common/oauth2/authorize endpoint with the correct client id, redirect_uri and resource set to https://graph.microsoft.com. The authentication succeeds and I get a valid token back (for example, a request to https://graph.microsoft.com/v1.0/me works fine).

What am I doing wrong here?

Thanks for your help!

Best,
Steven


block upload to onedrive using conditional access


hello,

I am trying to block upload to OneDrive using Conditional Access in Azure AD. Any thoughts?

Thanks

Difference between Service Principal (SP) and Managed Identity (MI)


https://docs.microsoft.com/en-us/learn/modules/design-for-security-in-azure/4-infrastructure-protection

From this knowledge base, it seems SP is different from MI; MI sounds more robust and quick to deploy, and dedicated to fewer resources by default. However, in this article:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

The SP now appears in the picture for MI, and it's suddenly confusing to me. Can anyone guide me through:

1) Are they the same thing? If yes, why invent MI when we already have SP?

2) If I already have an Application registered under AAD, how do I tell whether it's an MI or an SP?

Thank you.

How to send multiple values when provisioning users in a Multi-Value target attribute?


We are trying to configure user provisioning to Salesforce via Azure AD, and have gotten most of the configuration to work. One thing we are stuck on and have not been able to find any documentation for is how to send more than one permission set value to Salesforce. We have been able to send a single value to Salesforce and it was set correctly. However, all attempts to find the correct syntax to send more than one value to the PermissionSets attribute have returned an invalid value error.

The PermissionSets attribute as configured in the Salesforce application in Azure AD is configured as a multi-value attribute; however, there is no documentation that I've been able to find on how to correctly send multiple values to that attribute.

Does the value have to source from a multiple value source attribute in order to be sent correctly?  Is there a way to dynamically create a multi-value set of values to send to the PermissionSets attribute?

We haven't been able to find anything that works, we have only found solutions that fail.  We would like to know what the possibilities and limitations are within the target attribute when it is a multi-value attribute, but haven't gotten much of anywhere yet.

Any guidance will be appreciated.  Please help us out.  Thanks.

How to know/find which Azure AD edition do we have?


Hello

We have an Office 365 tenant with many users, and we do not have nor use Enterprise Mobility + Security (EMS).

My question is: How can I find out which Azure AD edition we have? Is there any option in the UI that tells which Azure AD edition, e.g. Basic, Premium P1, or Premium P2, we have?

Thank you & Please let me know!

Use new converged MFA SSPR portal when migrating to Azure MFA cloud


Hi,

We are about to start using Azure MFA from the cloud. One thing we need to do is ask our users to complete MFA proof-up by going here:

https://account.activedirectory.windowsazure.com/proofup.aspx

Last week I discovered that there's a new "converged portal for MFA and SSPR" in public preview. SSPR is also enabled in our environment.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-converged

Since we need to ask our users to complete MFA, why not get them registered for SSPR at the same time? Our users are currently registered with the on-prem Azure MFA Server.

Has anyone here enabled this new portal at the same time as migrating to Azure MFA cloud? Would it work in my scenario?


Test Java code on Azure with Windows AD


Hello,

You read the title! I have this unique requirement. Our access to Windows AD is denied in our corporate environment. And I can also learn some Azure features. Please note that this is not about accessing Azure AD. They are different. Right?

How do I run a Java library I am creating to access the 'ldap' URL of Windows AD on Azure? Will I get access to the 'trust store' of the JVM to store my SSL certificate? I assume the 'ldap' access is through SSL.

I can utilize free credit or wangle a paid account from someone here.

Thanks,

Mohan

How long to wait for deployment/provisioning?


Hi, I created an Azure AD Domain Services instance yesterday and it is still provisioning.

In the portal it says: "The managed domain is being provisioned. This operation will take a while."

It's been 16 hours now... is it normal that it takes this long?

Azure DevOps Community Forums down?!


Hi,

I'm trying to ask a question regarding Azure DevOps, but I can't access the developer forums. Are the forums really down?

I have an urgent problem and don't know where I'm supposed to ask now.

Thanks


schh

AAD Connect to sync users/ groups from samba 4.4


Dear all,

I'd like to sync some Active Directory and Samba "Active Directory" servers with Azure AD. While that is no problem with Active Directory, I found that I cannot use AAD Connect when I tried to connect to one of my Samba 4.4 servers.

If I try to sync that kind of directory, the following error occurs, and I cannot figure out how to resolve it:

[13:40:08.143] [  5] [ERROR] Out to AD - Device STKKey (ed0474a7-ca1c-4dbc-8a6a-67ceefab1c82): Synchronization Rules must specify a target object type that exists in the target Connector's schema.

Out to AD - Device STKKey (ed0474a7-ca1c-4dbc-8a6a-67ceefab1c82): Synchronization Rules must specify a target object type that exists in the target Connector's schema.,Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet

A deadlock occurred in SQL Server while trying to acquire an application lock.

A deadlock occurred in SQL Server while trying to acquire an application lock.,Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet

Exception Data (Raw): Microsoft.Online.Deployment.PowerShell.PowerShellInvocationException: Out to AD - Device STKKey (ed0474a7-ca1c-4dbc-8a6a-67ceefab1c82): Synchronization Rules must specify a target object type that exists in the target Connector's schema.

Out to AD - Device STKKey (ed0474a7-ca1c-4dbc-8a6a-67ceefab1c82): Synchronization Rules must specify a target object type that exists in the target Connector's schema.,Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet

A deadlock occurred in SQL Server while trying to acquire an application lock.

A deadlock occurred in SQL Server while trying to acquire an application lock.,Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet

 ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: A deadlock occurred in SQL Server while trying to acquire an application lock.
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.SetSynchronizationRule(SynchronizationRule synchronizationRule)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRuleUpgradeEngine.PersistSyncRules(Guid connectorIdentifier, String pathToLogFiles, List`1 syncRuleActions)
   at Microsoft.Online.Deployment.Types.Providers.TemplateEngineProvider.PersistSyncRules(Guid connectorID, List`1 syncRuleActions)
   at Microsoft.Online.Deployment.Types.Configuration.Utility.ConnectorUtility`1.UpdateConnector(IAdSyncConfigExecutionContext`1 executionContext, ConfigurationItem configChange, ConnectorAdapterBase connectorAdapter, IAadSyncContext syncContext, Boolean isNewConnector, Boolean forceUpdateSchema, IAadSyncConfigurationResults& results, List`1 attributeExclusions, ConnectorSpecificPolicy connectorPolicy, Boolean retryOnFailure)
   at Microsoft.Online.Deployment.Types.Configuration.AdConnectorConfigurationItem.Execute[TContext](IAdSyncConfigExecutionContext`1 executionContext, IAadSyncConfigurationResults& results)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.ConfigureSyncEngine(TContext context)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()

I think synchronizing users and groups from Samba to use them with Azure AD/Exchange Online is a common problem. Can someone please let me know either how to resolve the problem mentioned above or provide me with an RTFM link for a how-to on how to achieve that?

I appreciate your help!

Thanks,
Martin Gudel


Azure AD connect set to different directory in Azure


Hey guys -

Apologies if this was answered before but when Azure AD connect was set up, it was configured to the default directory in Azure. We have a second directory (unsure why) that has all of our storage items and everything I'd want to tie to Azure AD. Is there a way to merge these and/or change the target directory in Azure for the sync?

Thanks

Why do Azure AD Roles not match the roles visible in IAM?


Heya, 

I'll start small and spread my question as I see where the wind blows but in short I was wondering why the roles I can grant to users through the Azure Active Directory (portal.azure.com dashboard -> Azure Active Directory -> Users -> [select a user] -> Directory Role -> Add Role) do not match IN THE SLIGHTEST the roles I can view from a resources (let's say Virtual Machine) IAM menu (eg: portal.azure.com dashboard -> Virtual Machines -> [select a VM] -> Access Control (IAM) -> Add Role Assignment).

Does this mean that, for example, I cannot assign the Virtual Machine Contributor role to a user, and I can only do so to a combination of User + Resource (weaksauce)?

Regards,

Jaime


ADFS and integrated authentication with both SAML and OpenID Connect


Hi,

We are using ADFS 4.0 and have one site using SAML, with IP restrictions, and another site using OpenID Connect. When using IE/Edge the windows integrated authentication is enabled. We get an internal error in ADFS when you first sign in to the site using SAML and then try to sign in to the other site using OpenID Connect. The sign in to the OpenID Connect site works if you clear cookies and go straight to that site. 

It appears ADFS gets into an internal error state trying to use single sign-on between the first site (SAML) and second site (OpenID Connect), or gets into some internal conflict trying to track session for the user. Our intent is to really treat these sites as completely different logins, with SSO being driven by windows integrated authentication through the browser.


Unable to authenticate MFA for an Admin


We enabled MFA requirement for our admin user on Azure AD. 2 users have successfully setup the authentication but the 3rd gets an error when attempting to create the security verification. I have reset the users password and that did not resolve the issue. I have tried setting up authentication via text, call and the app. The call when hitting # to confirm says it was successful but I always get the same message on the webpage.

Failed to configure secure LDAP on Azure AD Domain Services

I'm trying to enable secure LDAP on Azure AD Domain Services and get the result below:

"Failed to validate the provided secure LDAP certificate. Confirm that the certificate is valid and the password specified is correct."

Steps I have followed:

1. Created a self-signed certificate using PowerShell
2. Exported the secure LDAP certificate to a PFX file
3. Enabled secure LDAP for the managed domain using the Azure portal by providing the PFX and password

Please advise me on how to succeed in this configuration.

-Thanks
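The portal validates the uploaded PFX against the requirements in Microsoft's Azure AD DS secure LDAP documentation: the file must contain the private key, the certificate must be within its validity period, its subject or SAN must match the managed domain (a wildcard such as *.aaddscontoso.com), key usage must include Digital Signature and Key Encipherment, and enhanced key usage must include Server Authentication. The following is an added example, not code from the original post: it creates a certificate with those properties, exports it to PFX, then re-opens the PFX with the same password and reports each requirement, so a failure is visible locally before the upload. The managed domain name aaddscontoso.com and the output path are assumptions; the DnsNameList property used for the SAN check is the certificate view Windows PowerShell provides, which is where New-SelfSignedCertificate runs anyway.

```powershell
# Added example, not code from the original post: build a secure LDAP certificate that meets the
# Azure AD DS requirements, export it to PFX, and verify the PFX the way the portal will.

$domain  = 'aaddscontoso.com'                       # assumed managed domain name; replace with yours
$pfxPath = Join-Path $env:TEMP 'aadds-ldaps.pfx'
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password (the one you will type into the portal)'

function New-AaddsLdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = New-SelfSignedCertificate -Subject "CN=*.$Domain" `
        -DnsName "*.$Domain", $Domain `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -Type SSLServerAuthentication `
        -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddDays(365) `
        -CertStoreLocation 'Cert:\CurrentUser\My'
    # The private key must travel with the certificate: export a PFX, not a CER
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $cert.Thumbprint
}

function Test-AaddsLdapsPfx {
    # Re-open the PFX with the portal password and report each requirement. A wrong password
    # or a key-less file fails at Get-PfxData, the same way the portal reports it.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$Domain
    )
    $cert = (Get-PfxData -FilePath $PfxPath -Password $Password).EndEntityCertificates[0]
    $now  = Get-Date
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    [pscustomobject]([ordered]@{
        Subject          = $cert.Subject
        HasPrivateKey    = $cert.HasPrivateKey                              # must be True
        NotYetValid      = $cert.NotBefore -gt $now                         # must be False
        Expired          = $cert.NotAfter -lt $now                          # must be False
        ServerAuthEku    = [bool]($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')
        DigitalSignature = (($ku.KeyUsages -band $flags::DigitalSignature) -ne 0)
        KeyEncipherment  = (($ku.KeyUsages -band $flags::KeyEncipherment) -ne 0)
        DnsNameMatches   = [bool]($cert.DnsNameList.Unicode -contains "*.$Domain")
    })
}

New-AaddsLdapsCertificate -Domain $domain -PfxPath $pfxPath -Password $pfxPass
Test-AaddsLdapsPfx -PfxPath $pfxPath -Password $pfxPass -Domain $domain
```

Every row of the report should read as the comments indicate before the PFX is uploaded; running Test-AaddsLdapsPfx against the file from the original attempt will point at whichever of these the existing certificate misses.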





Pass-through Authentication


Hi

We currently have an ADFS server that provides cert based authentication to mobile phones.

The question is if we switch to Pass through authentication, can we still use CBA?

Thanks

Very big trouble after domain join


Hello All, I have also opened a ticket over a week ago but I have not yet had feedback, and I hope someone here can help me.

In our company we have adopted Office 365 and users commonly have the Business Premium license.

One user, the only one currently running Windows 10 Pro, has recently been joined to the new Windows 2016 domain (previously it was standalone in a workgroup).

After this step, the user was no longer able to use some Office 365 SharePoint sites created by him or the Microsoft To-Do application, which he used regularly before the join.

In the Azure AD logs I see the device apparently being added and then automatically removed, as shown in the image below.

If, instead of the user (who uses his email address as his account), I try the same operation with the same domain user but using the tenant's Office 365 admin user, i.e. the one who logs in as admin@xxxxx.onmicrosoft.com, the operation completes normally.

Any Idea?

Reply url specified in the request does not match the reply urls


I cannot access my new site due to this error: The reply url specified in the request does not match the reply urls configured for the application: '24040405-fea5-43cc-ab22-beb711598378'.

I've already added the redirect URI as specified in this article; https://docs.microsoft.com/en-us/skype-sdk/websdk/docs/troubleshooting/auth/aadauth-replyurls

Is there anything else I am missing?
