Hello,

I've followed MS and a few other sites links on how to setup Cloud Printing within Azure AD. 

I'm running into this error and wondering if anyone else has? I've not figure it out, it seems like its a permission issue.

Hi - 

I inherited a really old Azure AD Connect server (v1.1.343.0).  Per Microsoft's suggestion, because it was so old, I created a new server and did a swing migration onto it (v1.2.65.0).  I'd like to retire the original v1.1.343.0 server, but can't seem to find doc on the proper way to do it.  Because I inherited this implementation, I don't want to retire this old server incorrectly and mess up our synchronization.

Can someone share the proper way to retire this old server?  

Thanks,

Gina

skigirl1

Hi,

I have been having issues with the free for OSS AzureDevOps.

Mainly it has proven impossible to add another user, due to AAD permissions. 

When adding another user to the organisation a message is displayed:

"You are trying to invite a user from outside the directory but you are not allowed to make common user tasks. Please contact your directory admin".

Being an OSS project I have not setup any AAD, or this is linked to any subscription, whilst I understand that AAD is in the background, there is no way to configure this from the "DevOps" UI.

I have confirmed that I am a member of the "Projects Collection Administrators" an I am the owner of the organisation.

Thanks,

Juan

I am trying to configure an SCIM service (BYOA) with AzureAD Enterprise Application from Azure Portal (new). My SCIM endpoint is 'https://scim.myapp' where resources can be accessed as'https://scim.myapp/scim/Users'. So the base URL I am trying to set is 'https://scim.myapp'. 

But when I try to configure with a valid token, and do a 'Test Connection' it gives an error saying,

'You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.'

What does this 'Test Connection' trying to do? is there a way I can see these requests? 

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
        .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    services.AddSpaStaticFiles(c => { c.RootPath = "ClientApp/dist";});

     services.AddAuthorization(options =>
    {
        options.AddPolicy("Admins",
            policyBuilder =>
            {
                policyBuilder.RequireClaim("groups",
                    Configuration.GetValue<string>("AzureSecurityGroup:AdminObjectId"));
            });
    });

    services.AddAuthorization(options =>
    {
        options.AddPolicy("Employees",
            policyBuilder =>
            {
                policyBuilder.RequireClaim("groups",
                    Configuration.GetValue<string>("AzureSecurityGroup:EmployeeObjectId"));
            });
    });

    services.AddAuthorization(options =>
    {
        options.AddPolicy("Managers",
            policyBuilder => policyBuilder.RequireClaim("groups", Configuration.GetValue<string>("AzureSecurityGroup:ManagerObjectId")));
    });

    services.Configure<AzureADOptions>(Configuration.GetSection("AzureAd"));
}
// And if I want to restrict access for non-admin user to Contacts page I do this:

public class HomeController : Controller
{
    [Authorize(Policy = "Admins")]
    public IActionResult Contact()
    {
        ViewData["Message"] = "Your contact page.";

        return View();
    }
}

[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{    // GET api/values    [HttpGet]    public ActionResult<IEnumerable<string>> Get()    {        return new string[] {"value1", "value2"};    }    // GET api/values/5    [Authorize(Policy = "Admins")]    [HttpGet("{id}")]    public ActionResult<string> Get(int id)    {        return "value";    }
}

When I try to Set up a work or school account on a Win10 device, using my Azure AD creds, I get the error, "Something went wrong. We weren't able to register your device and add your account to Windows. Your access to org resources may be limited.

I find four entries in the AAD Event Log.  All are Event ID 1098.  I also find a failure logged in the Azure AD Sign-Ins Log (last log entry at the bottom).

Also

When I try to use Azure OOBE I get the error: "Looks like we can't connect to the URL for your organization's MDM terms of use. Try again, or contact your administrator with the problem information from this page"

That error is repeated if I try to join the Azure AD from Settings > Accounts > Access work or school > Connect > Join this device to Azure Active Directory.

In my environment, I'm using the Airwatch MDM app.  I have it properly configured with the enrollment and terms of use URLs.  The scope is set to all.  I have tried setting the scope to none, and then creating on On-Prem MDM app and setting the scope to ALL for that one.  NOTE:  The errors below do NOT appear in the event logs when I try this.  I get no errors beyond the message I've mentioned above. 

Going off the information from the Azure AD Sign-Ins log, I connected to my tenant with powershell and tried to search for the app ID (29d9ed98-a469-4536-ade2-f981bc1d605e) for Microsoft Authentication Broker.  I couldn't find it listed at all.

Any thoughts were I should go from here? 

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          12/13/2018 9:03:51 AM
Event ID:      1098
Task Category: AadTokenBrokerPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          DESKTOP-OIKD7A1\rickboyett
Computer:      DESKTOP-OIKD7A1
Description:
Error: 0xCAA2000B The resource is invalid due to configuration state or not existing.
Code: invalid_resource
Description: AADSTS50001: The application named https://enrollmentUrl/ was not found in the tenant named a4912529-4a73-4fc3-94b9-5f54a0fb2cda.  This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.  You might have sent your authentication request to the wrong tenant.
Trace ID: b2563cb9-b23e-43db-8633-353474915700
Correlation ID: 056db927-f8af-4144-8ce0-06b32f0da014
Timestamp: 2018-12-13 16:03:54Z
Logged at addaccounttokenrequest.cpp, line: 248, method: AddAccountTokenRequest::ProcessAuthCodeResponse.

Request: authority: https://login.microsoftonline.com/common, client: 29d9ed98-a469-4536-ade2-f981bc1d605e, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin, resource: 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9, correlation ID (request): 056db927-f8af-4144-8ce0-06b32f0da014


Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          12/13/2018 9:03:51 AM
Event ID:      1098
Task Category: AadTokenBrokerPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          DESKTOP-OIKD7A1\rickboyett
Computer:      DESKTOP-OIKD7A1
Description:
Error: 0xCAA9003A Request for authorization code for MDM is failed.
Logged at addaccounttokenrequest.cpp, line: 233, method: AddAccountTokenRequest::ProcessAuthCodeResponse.

Request: authority: https://login.microsoftonline.com/common, client: 29d9ed98-a469-4536-ade2-f981bc1d605e, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin, resource: 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9, correlation ID (request): 056db927-f8af-4144-8ce0-06b32f0da014

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          12/13/2018 9:03:51 AM
Event ID:      1098
Task Category: AadTokenBrokerPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          DESKTOP-OIKD7A1\rickboyett
Computer:      DESKTOP-OIKD7A1
Description:
Error: 0xCAA2000B The resource is invalid due to configuration state or not existing.
Code: invalid_resource
Description: AADSTS50001: The application named https://enrollmentUrl/ was not found in the tenant named <Tenant ID GUID Removed>.  This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.  You might have sent your authentication request to the wrong tenant.
Trace ID: b2563cb9-b23e-43db-8633-353474915700
Correlation ID: 056db927-f8af-4144-8ce0-06b32f0da014
Timestamp: 2018-12-13 16:03:54Z
Logged at addaccounttokenrequest.cpp, line: 248, method: AddAccountTokenRequest::ProcessAuthCodeResponse.

Request: authority: https://login.microsoftonline.com/common, client: 29d9ed98-a469-4536-ade2-f981bc1d605e, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin, resource: 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9, correlation ID (request): 056db927-f8af-4144-8ce0-06b32f0da014

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          12/13/2018 9:03:51 AM
Event ID:      1098
Task Category: AadTokenBrokerPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          DESKTOP-OIKD7A1\rickboyett
Computer:      DESKTOP-OIKD7A1
Description:
Error: 0xCAA2000B The resource is invalid due to configuration state or not existing.
Code: invalid_resource
Description: AADSTS50001: The application named https://enrollmentUrl/ was not found in the tenant named <Tenant ID GUID Removed>.  This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.  You might have sent your authentication request to the wrong tenant.
Trace ID: b2563cb9-b23e-43db-8633-353474915700
Correlation ID: 056db927-f8af-4144-8ce0-06b32f0da014
Timestamp: 2018-12-13 16:03:54Z
Logged at addaccounttokenrequest.cpp, line: 248, method: AddAccountTokenRequest::ProcessAuthCodeResponse.

Request: authority: https://login.microsoftonline.com/common, client: 29d9ed98-a469-4536-ade2-f981bc1d605e, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin, resource: 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9, correlation ID (request): 056db927-f8af-4144-8ce0-06b32f0da014


Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Date:          12/13/2018 9:03:51 AM
Event ID:      1098
Task Category: AadTokenBrokerPlugin Operation
Level:         Error
Keywords:      Operational,Error
User:          DESKTOP-OIKD7A1\rickboyett
Computer:      DESKTOP-OIKD7A1
Description:
Error: 0xCAA9003A Request for authorization code for MDM is failed.
Logged at addaccounttokenrequest.cpp, line: 233, method: AddAccountTokenRequest::ProcessAuthCodeResponse.

Request: authority: https://login.microsoftonline.com/common, client: 29d9ed98-a469-4536-ade2-f981bc1d605e, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin, resource: 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9, correlation ID (request): 056db927-f8af-4144-8ce0-06b32f0da014

I posted the following in the Microsoft Teams forum, but they said I needed to post this here as it's a B2B issue. It appears someone in the Microsoft org needs to remove my guest account from their Azure AD, but how can you make this request to such a large org? Where do you post it? I'm starting here... 

I've been invited as a guest into another org (the Microsoft org none-the-less). However, when I try to accept the invite, I always get the following error (screenshot below): Invitation redemption failed. An error has occurred. Please retry again shortly. I've tried this multiple times with the same result. Searching yields no resolution as many others have the same issue with no resolution. I'm a guest in multiple other <g class="gr_ gr_262 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="262" id="262">orgs</g> and can connect to them just fine. I've tried accepting this on the following clients: MacOS, iOS (two different devices) & web. Tried logging out and logging in again in an incognito browser... the person who sent the invite removed me from the team and tried to re-invite, but <g class="gr_ gr_266 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins replaceWithoutSep" data-gr-id="266" id="266">same</g> result... nothing works.

How do you proceed with this?

-AC [MVP SharePoint Server] http://www.andrewconnell.com

I have an error when trying to delete an ADD B2C. I do not have any application and it indicates to me at the moment of deleting that there one.

I already followed the following links
https://blogs.msdn.microsoft.com/azureadb2c/2017/06/23/delete-b2c-tenant/
https://blogs.technet.microsoft.com/jeffgilb/2017/03/09/deleting-azure-active-directory/
https://stackoverflow.com/questions/43766171/cannot-delete-corrupted-b2c-application-and-tenant

Screenshots

Portal Azure

PorweShell

I hope you can help me out.

Thanks, regards.

Hello

I have  a question. If someone is using AAD On premise, can they use that AAD signing in to Office 365 portal or portal.office.com? If yes, Can they Add multiple users to Office 365 in the Office 365 Admin Center? The reason why I am asking this is because we need to ad multiple user in Partner Center and their is no option for Bulk Association in Partner Center.

Thanks.

Ran through the setup of ADFS through AD Connect setup tool.

According to initial run the setup was successful.

Looking at the ADFS Relying Party Trusts Azure is not listed.

Looked at the domain in the Azure portal and it shows the Federation status as "disabled...please enable through AD Connect..."

Tried running the AD Connect tool again and chose to reset the ADFS settings.

All goes well until it gets to the "Configure" section and the following error is received:

NullReferenceException

Object reference not set to an instance of an object.

Hi everyone,

I've just begun the process of having domain-joined Windows 10 devices auto-enroll in Azure AD. I do not have a federated environment, so the communication is happening via AD Connect.

For machines that are newly-joined for the domain, I am finding that I am having to manually run the command 'dsregcmd' in order for the Azure AD Join to occur.

Prior to running this command manually, if I run a 'dsregcmd /status', the Device State indicates the machine is not AzureAdJoined. Immediately by running 'dsregcmd', the Device State populates, and a reboot populates the information in the User State.

I can confirm Group Policy is pushing the information to automatically join the workplace, and I can see the Scheduled Task on the client machine that is supposedly running to enroll the machine, but nothing happens until I manually type and execute 'dsregcmd'.

Any thoughts?

I created a new Azure Active Directory and added our real domain to it (verified through TXT record in DNS). When I was done playing around with it, I created another one that I intended to use for production purposes. When I tried to add our domain to the new AD instance, it complained that the name is already in use and that I need to remove it from the previous instance first. But when I try to do so, I get the following unhelpful message despite having all of the three prerequisites (Users, Groups, Applications) checked off:

"Deletion of ' ****.com' failed. Please try again."

I have tried again, many times over a few days. A similarly unhelpful message appears in the Notifications.

Does anyone have any ideas?

Edit:

Here is more information on what I did:

1. Signed into portal.azure.com with a personal account.
2. Created a new Azure Active Directory
3. Switched current directory to it (had to refresh the portal for the option to appear)
4. Added a new Global Administrator user with onmicrosoft.com at the end to that directory
5. Signed out and signed in with the new AD account
6. Deleted the personal account from the directory
7. Added a custom domain and verified it
8. Added another user with our custom domain at the end
9. Signed into the new account just to see that it works
10. Created another AD instance (don't remember from which account)
11. Switched to that directory
12. Added a new Global Administrator user with onmicrosoft.com at the end
13. Signed in with the new account
14. Deleted the old account
15. Started the process for adding a custom domain
16. Changed our TXT DNS record to match the new AD
17. Tried to verify the domain, which failed because it was already in use
18. Signed into an account from the first AD
19. Tried to remove the custom domain, which failed because there was a user using it
20. Removed all other users (from the onmicrosoft.com account)
21. Tried to remove the custom domain again, which failed with the unhelpful message above

Edit 2:

The reason I was doing all this is that we needed to migrate from the old Partner Membership Center, which uses personal accounts, to the new Partner Center, which uses work (AD) accounts. All the steps above were taken before I had started the transition process from PMC. I have now switched to the new Center and used the second AD with an onmicrosoft.com account. But I would like to create a new Global Administrator with our real domain in its name. I did not use the first AD because it had the word "experimental" in its default domain.

I use Microsoft Graph (GraphServiceClient) to create/update user data to Azure AD in ASP .NET Core 2.0. There is no problem in creating user, update user details. But not able to change/reset user password through this.

In Azure: I have Azure free subscription and created an APP to get/update user (using clientid and secret). I also provide below permission to Microsoft Graph in Azure portal.

Read and Write directory data, Read and Write directory data, Read all user full profiles, , Read and Write all user full profiles

Still not able to update password by using below code returns error “Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.”

await graphClient.Users["UserId"].Request().UpdateAsync(new User());

Is there any way to update password using Microsoft Graph using c# ?

We are using a custom enterprise application with password-based single sign-on.

But, sign-on activities are not recorded. Is it a specificated restriction, or our miss configuration?

- Nayuta

Hello,

   This info must be buried somewhere in the portal, I just need to know where to find it.   Please don't post "If you don't pay for it, it's not premium, OR here are the licensing levels to choose from".  I would like to know specifically where in the portal it tells me "Azure AD free, P1 or P2".

Thank you!

Hi,

When I want to add on-premises applications via Azure Active Direactory application proxy I get error as described in title.It concerns the next two urls: https://portal.gibitsolutions.be/rdweb and https://portal.gibitsolutions.be/rpc.I know I used this url in my tenant in the past and also removed them.

Would it be possible to validate this issue and provide me some steps to resolve this issue?

Many thanks already for the support

I want to ask that using Azure Active Directory B2C, So Suppose we have a application for company A and I want to login from company B in the application of Company A so is it possible for this scenario using Azure AD B2C 
Kindly reply and if you guide me any best way to achieve or provide me any tutorial.
Thank you! 

Hello,

We currently have an on-prem AD Domain Services-Setup.

It provides basic functionality for our 10 desktop computers, like every user can sign in to every computer and will see exactly the same on all computers. (including user-settings like desktop background)

It is my task to migrate this setup to the cloud.

Is a setup that provides similar funcitonality possible with Azure?

I started looking into it, but was not sure if Intune is the right tool to achieve this?

What is the difference between Intune and AAD DS?

Is there anything else I should look into when starting this project?

After registering Legacy MVC application on Azure AD, MVC applications are throwing "Access to XMLHttpRequest at 'https://login.microsoftonline.com/.....' (redirected from https://abc.xyz.com/......) from origin (redirected from https://abc.xyz.com) has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. This error is impacting most of the Legacy MVC applications. Please let me know if there is an easy workaround for this problem.

Application is set for no-cache. But when i disable browser cache manually, Application works. 

We managed to add the SSPR link on the win10 login screen using GPO (the device is hybrid joined). However when we click on the link we have this error message :the sign in method you are trying to use isn’t allowed…

According to https://community.spiceworks.com/topic/849103-you-cannot-log-on-because-the-method-is-not-allowedwe have to allow log on locally

ð To fix that, we granted to the account the permission to log on locally.

Q1 : is that really necessary? we are using deny log on locally except for legitim accounts (admins).

Now when we click on the link, we have no more this error message and before accessing to the SSPR portal, adefaultuser1 account is created. is that normal? it seems that the problem is known : https://github.com/MicrosoftDocs/azure-docs/issues/15584

Q2 : is that normal? what is the default user used for? 

Thank you in advance.

Best regards,