Hi
I am new to Azure Active Directory tool. I want to automate user creation from my production environment to Azure AD, which is performed manually now. Can you guide me on how to establish a API connection, I have tried Graph API but failing to establish a connection. I was able to successfully GET users through developer.microsoft site. But POST wont work there.
Hi There
Hope someone could provide advice and insight on the following;
Senario
I have a client which i setup in Azure running two VM's joined to Azure ADDS. These VM's run host RDS and SQL Server hosting the clients LoB Applications. In this setup a S2S VPN was configured which gives on Prem users access to the resources stored within the 2 VM's.
The Network is setup in three subnets (Default LAN, AD DS and Gateway).
A Few weeks ago this clients on prem DC failed and has since then been restored from backups. The Single DC hosted Roaming Profiles.
Question
Given that the AD DS Subnet is a restricted subnet and cannot be reached over a VM Connection, has anyone been able to connect physical workstations to AD DS?
I have been looking at Azure AD and the use of enterprise roaming, would this be a better option as Roaming is required given the nature of the business.
Many Thanks
When I invite a guest user to Azure AD in order to provide him access to an Enterprise Application which has set "User assignment required" to YES, the guest user (after registration) gets an error once trying to sign to the application in charge:
Need admin approval
<Enterprise Application Name> YouTrack OnPremise needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
This only happens for guest users (which have not previously signed in to my app successfully) if "User assignment required" is set to yes. Once I set it to no, user can login, it will stay fine for this user even if I set it back to yes afterwards,
but not for new guest users. The user(s) in charge was(where) previously assigned to access this enterprise application. The enterprise application is hosted on-premise. I don't know what other permission I need to grant except assigning the user to the respective
application.
What am I missing?
kind regards,
Dieter
I have added a 3rd party app from the Application Gallery for the purposes of SAML SSO. This app is configured and the SSO works properly so I am getting ready to deploy it to my users. Initially I had set the "User assignment required?" option to yes during testing so only I could see it. I then assigned the application to myself and was able to see it in my app list and sign in to it from the link in the app list.
I have now set "User assignment required?" to no since this is an application to which all users in my organization should have access. I don't want to have to assign every user to it. According to the tooltip for this setting it claims that when the option is set to no as I have done then any user who navigates to the application link will be able to access it.
This is not the case. When I look at the my apps list for another user they cannot see it and when I try to go to the app url directly as that user I get the message
Oops, this link isn’t working…
This link to Citra University is invalid. Click the link below to see what applications you have access to. Otherwise, contact your administrator or the person who gave you this link to resolve
this issue.
Which seems to suggest that user assignment is still required even though I have disabled the option.
Why is this happening when I have disabled the user assignment requirement?
Hello, I wonder if someone can clarify something for me. I am about to do my first AD Connect upgrade and I am trying to find any custom sync rules that was created before my time. Is there a way that I can see which is out-of-the-box and which are custom in the Synchronization Rules editor?
Any help is appreciated.
return fetch("/api/search",
{
mode: "cors",
headers: {"api-key": searchState.config.queryKey,"Access-Control-Allow-Credentials": "true","access-control-allow-origin": "https://mysiteurl.com","Content-Type": "application/json","Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept"
},
method: "POST",
body: JSON.stringify(postBody)
});Hi,
I have setup Azure Domain Services and managed to join a local VM on same subnet to the domain. I was wondering what is the easiest method to join a PC to this domain over the internet.
I have LDAPs in place and relevant ports open back to my own network as able to ldaps to the domain.
Appreciate DNS is running in the Azure network so what's the best way to expose this to my local network so my PC can lookup the appropriate SRV records and join AD?
Lee
We are wanting to complete a Hybrid Office 365 migration from Exchange 2010. Our local active directory looks like this:
My question is: Is it possible to set up AAD Connect in a way to sync the users in def.local, exclude the abc.local AD accounts that have been created for the def.local mailboxes, and successfully migrate the mailbox content through Exchange Hybrid?
Hi and Good day,
We recently (since last week) have some issue signing into a business application which is registered at Azure Active Directory. It has been working before. The application uses the Microsoft Graph API (graph.microsoft.com) and uses version 1 of the API.
When users logon to this application the login page shows an error:
AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope offline_access email User.Read User.ReadBasic.All profile is not valid.
While all rights are granted (within the scope) at the Application Registration page the users are receiving the above error message. We have set these permission on the "Delegated Permission" pane. Application Permissions have not been set. We
have verified that the Password/Public key is unchanged since users were able to login successfully.
Could somebody please assist to help solve this problem for us? Thank you in advance!
With kind regards,
Danny
I have Web api which is used by may applications. Now for some analytics purpose need the app name which is calling my web api.
All applications which are calling my web api are registered in AAD. All clients call my web api with a application generated token. I can get the app id from claims.
I had a solution but i dont want to maintain appid-appname in my config file as these will be changed from environment to environment and its hard to maintain for growing number of clients.
Hi,
is there a way to federate two azure AD B2C instances (from same subscitpion or not).
I've got a Azure AD B2C with users and I want to be able to signin (transparently) in a second Azure AD B2C with the user from the first one.
I've tried to with create a identity provider (OpenId Connect that is in preview) but for the moment it doesn't working
Thanks for your help
In the application consent dialog it always shows the wrong custom domain. I have made the correct custom domainprimary in the associated azure active directory.
Editing the manifest directly doesn't work: "publisherDomain is readonly".
The app is in production and I don't want to have to recreate the app registration in order to correct this.
I would appreciate any help. Thanks.
Fairly new with Azure and Syncing with local AD.
The Problem: several of my clients employees have gotten married, name changed, Email needs to be changed to new name and mad primary. No changes can be made in the 365 Admin Center: Exchange because it is synced from the local Active Directory . I have put in the changes like many as recommended by many different sites "Changing the primary email in a hybrid Office 365 local AD deployment" Using Advanced Features, Attribute Editor, then finding "proxyAddresses attribute.
1) I remove the existing "SMTP:oldname@company.com"
2) I add the new married name "SMTP:newmarriedname@company.com"
3) I readd the old name back for alias "smtp:oldname@company.com"
there are 2 additional records in the local AD: X500: and a "smtp:oldname@companyname.onmicrosoft.com"
Everything looks correct in AD but it never syncs into cloud like it looks in AD. When I go to the Admin Exchange console the old name address still shows Primary with "SMTP" and the new name address is showing "smtp"
Other than the above issue we don't have any syncing issues (that I am aware of)
I downloaded the IDfix, but not really sure what I am to do with it.
The goal is from Outlook 2016/o365 they can send from their new address. and the oldname is an alias.
Thanks in advance, as I have spent way to much time trying to get this done.
Troy
FYI deleting the employee record is not an option as the AD is in sync with other systems like CRM and other databases.
Hi
I am trying to connect Azure AD as a federated identity provider to an AWS Cognito User pool.
I have followed this AWS guide:
http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
When we have gone through the Azure AD login page, we end up with a response saying:
Application with identifier ‘urn:amazon:cognito:sp:eu-west-1_zfYOQp1Hl’ was not found in the directory <uuid>.
It's a similar problem to the linked question:
https://social.msdn.microsoft.com/Forums/SqlServer/en-US/f494fb5b-cbdd-42c8-9d0f-d44e3c9ed44e/aadsts70001-application-with-identifier-was-not-found?forum=WindowsAzureAD
Login in outlook in enterprise environment failed. Outlook stuck at loading profile step for a long time. Tried to switch office365, exchange but with no luck. After search the reasons, final locate the issue may relative to AAD itself. Here are the errors in the vent log:
Error: 0xCAA90022 Could not discover endpoint for Integrate Windows Authentication. Check your ADFS settings. It should support Integrate Widows Authentication for WS-Trust 1.3.
Exception of type 'class Exception' at aggregatedtokenrequest.cpp, line: 362, method: AggregatedTokenRequest::LoadMex.
Log: 0xcaa10080 Load MEX document failed.
Logged at aggregatedtokenrequest.cpp, line: 379, method: AggregatedTokenRequest::LoadMex.
Request: authority: https://login.microsoftonline.com/common, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: https://officeapps.live.com, correlation ID (request):
8c5f79ad-b220-47d3-876d-c1eab360bc11
Error: 0xCAA9002B WS-Trust metadata exchange request failed.
Metadata exchange document (MEX):
<html>
<head><title>
Web Services
</title></head>
<body>
<h1>Web Services</h1>
<table width='100^' border='1'>
<tr>
<td>
Endpoint
</td>
<td>
Information
</td>
</tr>
<tr>
<td>
<table border="0"><tr><td>Service Name:</td><td></td></tr><tr><td>Port Name:</td><td></td></tr></table>
</td>
<td>
<table border="0"><tr><td>Address:</td><td>https://login.microfocus.net:443/nidp/wstrust/sts/mex</td></tr><tr><td>WSDL:</td><td><a href="https://login.microfocus.net:443/nidp/wstrust/sts/mex?wsdl">https://login.microfocus.net:443/nidp/wstrust/sts/mex?wsdl</a></td></tr><tr><td>Implementation
class:</td><td>com.sun.xml.ws.mex.server.MEXEndpoint</td></tr></table>
</td>
</tr>
<tr>
<td>
<table border="0"><tr><td>Service Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust}SecurityTokenService</td></tr><tr><td>Port Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust}STS_Port</td></tr></table>
</td>
<td>
<table border="0"><tr><td>Address:</td><td>https://login.microfocus.net:443/nidp/wstrust/sts</td></tr><tr><td>WSDL:</td><td><a href="https://login.microfocus.net:443/nidp/wstrust/sts?wsdl">https://login.microfocus.net:443/nidp/wstrust/sts?wsdl</a></td></tr><tr><td>Implementation
class:</td><td>com.novell.nidp.wstrust.service.CustomSTS</td></tr></table>
</td>
</tr>
<tr>
<td>
<table border="0"><tr><td>Service Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust/saml}SecurityTokenService</td></tr><tr><td>Port Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust/saml}STS_Port_saml</td></tr></table>
</td>
<td>
<table border="0"><tr><td>Address:</td><td>https://login.microfocus.net:443/nidp/wstrust/sts/saml</td></tr><tr><td>WSDL:</td><td><a href="https://login.microfocus.net:443/nidp/wstrust/sts/saml?wsdl">https://login.microfocus.net:443/nidp/wstrust/sts/saml?wsdl</a></td></tr><tr><td>Implementation
class:</td><td>com.novell.nidp.wstrust.service.CustomSamlSTS</td></tr></table>
</td>
</tr>
<tr>
<td>
<table border="0"><tr><td>Service Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust/active12}SecurityTokenService</td></tr><tr><td>Port Name:</td><td>{http://www.netiq.com/nam-4-0/wstrust/active12}STS_Port_active12</td></tr></table>
</td>
<td>
<table border="0"><tr><td>Address:</td><td>https://login.microfocus.net:443/nidp/wstrust/sts/active12</td></tr><tr><td>WSDL:</td><td><a href="https://login.microfocus.net:443/nidp/wstrust/sts/active12?wsdl">https://login.microfocus.net:443/nidp/wstrust/sts/active12?wsdl</a></td></tr><tr><td>Implementation
class:</td><td>com.novell.nidp.wstrust.service.CustomActive12STS</td></tr></table>
</td>
</tr>
</table>
</body>
</html>
Logged at aggregatedtokenrequest.cpp, line: 379, method: AggregatedTokenRequest::LoadMex.
Request: authority: https://login.microsoftonline.com/common, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: https://officeapps.live.com, correlation ID (request):
8c5f79ad-b220-47d3-876d-c1eab360bc11
Error: 0xCAA90022 Could not discover endpoint for Integrate Windows Authentication. Check your ADFS settings. It should support Integrate Widows Authentication for WS-Trust 1.3.
Exception of type 'class Exception' at aggregatedtokenrequest.cpp, line: 362, method: AggregatedTokenRequest::LoadMex.
Log: 0xcaa1007d Failed to acquire token by integrated Windows authentication.
Logged at aggregatedtokenrequest.cpp, line: 157, method: AggregatedTokenRequest::UseWindowsIntegratedAuth.
Request: authority: https://login.microsoftonline.com/common, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: https://officeapps.live.com, correlation ID (request):
8c5f79ad-b220-47d3-876d-c1eab360bc11
Need helps, thank you!
Hi,
We are trying to implement an account synchronization between our application and Azure AD. As this synchronization does not run on behalf of a user on Azure AD, we use the client credentials grant with corresponding application permissions. We are able to create users, read directory roles, activate directory roles, but there's no application permission for adding or removing a directory role member, hence we get 'Insufficient privileges to complete the operation.' when we try to do so.
Are there any plans to add support for adding and removing directory role members via an application permission? The lack of this permission is blocking for our implementation.
Best regards,
Emond Papegaaij
