Channel: Azure Active Directory forum

Unable to update the SPN keys, hits an error while doing so


I have created an SPN on Azure.

I am unable to set another key; it gives me an error:

Unable to complete the request due to data validation error.

Any idea what might be causing this?



KK


Get access token for the API with multi-tenant


I am implementing a web app with Azure AD multi-tenant. My app will call an API once the user is logged in. The WebApp and WebAPI are both registered in the same tenant. If I log in with a user from the same tenant I am able to call the API, but when I log in with a user from a different tenant I am unable to call the API.

Error: XXX app id not registered into XXX tenant.

Can anyone resolve my issue? How can I get the access token?

Thanks

Azure AD Privileged Identity Management


Hi,

We are planning to use AD PIM for managing access to Azure resources and wanted to know what the best practice is for handling the break-glass scenario, so that if PIM role activation is not working, I can still access my resource.

Scenario:

1. I don't have AD tenant admin permission.

2. I am a subscription owner and want to control access to Azure resources in my subscription only.

3. I am planning to remove all users/groups from my subscription Owner group.

4. Create a PIM assignment for a group for the Owner role on my subscription, so that when needed, people in the group can activate the role and be owner of the subscription.

5. My question is that since in step 3 I have removed all owners from the subscription, if for some reason PIM activation is not working, how will I access my resource? Or am I supposed to leave some group/user as permanent owner of the subscription (which defeats the purpose of having JIT access)?

Thanks

Coming away from third party Identity Provider


Hi,

We currently have Office 365, and our Azure directory sync is managed by a third-party service who do not use AD Connect but their own API. Once we configure ADFS on our end and set up AD Connect, will this break all the accounts in Azure, since they have already been populated from our AD, or will this re-enable the sync again once we come away from the third party and allow SSO?

Also, would there be an issue with setting up AD Connect before we come away from our third party as Azure will be retrieving the same accounts from our ADFS and our third party identity provider?

Thanks,

Peter


Azure AD with PingAccess Pros and Cons

Hi All,

We are preparing to implement Azure SSO and MFA for a new client (fresh build). The plan is to utilize the "PingAccess with Azure AD" capability to accomplish the integration for the vast range of applications in scope.

1. I would like to understand the pros and cons of using a fully licenced PingAccess against just using the restricted functionality that comes with the "PingAccess with Azure AD" package. I would like to know the pointers in addition to the ones listed in the link below.

https://docs.pingidentity.com/bundle/pa_m_PingAccessOverview_pa50/page/pa_c_PingAccessforAzureAD.html

Appreciate your time and help. 

Regards,
Pradeep

How to view current password expiration age, non persistent session token & persistent session token information on Azure AD/Application


Hello Team, 

I am configuring Tableau SSO SAML/ADFS with Azure AD. It went pretty well with the documentation provided by Tableau and Microsoft. However, the Tableau console intermittently gives a "session timeout / invalid user id and password" error. When checked with Tableau support, they mentioned this happens when the maximum authentication age on the Tableau server is shorter than the maximum authentication age on Azure AD / the application.

I went through https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes. However, this document talks about changing token values and defaults.

Please help me with commands to view the existing values so that I can go ahead and make changes on the Tableau server accordingly.

Regards.

Vishal Mhatre

AAD join of Win10 leads to crash after boot


After joining Windows 10 devices to Azure AD, the subsequent reboot shows spinning wheel and the loading never ends. The devices are unusable then.

If we turn off the ELAM (Early Launch Antimalware) driver in the boot menu, the devices will ultimately finish booting after circa 3 hours of waiting, every time.

Steps tried to survive AAD join:

- latest everything: latest Windows (1709) with all updates (as of 28th Feb 2018) installed

- difference in EMS or Intune: joined via an account with an Intune licence (EMS E3, but with no policies set) or joined via an account with just AAD Premium P2 (so just EMS policies, no Intune) made no difference

- integrity scan: sfc /scannow before and after join (when it booted with ELAM disabled) made no difference

- device name uniqueness: renaming the device to a definitely unique computer name and restarting before the join

But no luck. 

This is happening to us with hyperv guests but also with physical laptops we have tried, both Lenovo and Dell.

What we can try next:

1) We are using a custom image of Win10 version 1709 with various software installed and policies set. No antivirus there. We will try the new image creation process step by step to see which might have an effect.

2) Install our image to a UEFI instead of a BIOS partition. This idea came from the observation that turning off ELAM partially helps with booting.

Any ideas anyone?

Keywords: spinning wheel, aad join, stuck, bricked, problem

Azure Active Directory Graph API Microsoft Login


I'm trying to log in to a Skype account from a Windows application. I'm able to sign in to the Microsoft account using the Graph API, but in the response I'm unable to get the Skype name and the other data.

I'm able to log in to the Microsoft account from a Windows Forms application.

I need to know how I can obtain the Skype name at login using the Graph API. Even the Graph API explorer doesn't contain any info regarding the Skype handle.


Custom claims in msal.js access token


I have secured my Angular 7 application by using msal.js. I've created a custom policy that returns custom claim types in the id_token and in the access_token. To achieve this, I've been following this tutorial: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw. When I use the acquireTokenSilent() msal.js method, the JWT token does not contain the custom claims (contract, fileUploadAllowed).

When I use the "Run Now" button on the Custom Policy pane in Azure, I do receive an access_token that has the custom claims.

The payload of the JWT token that is generated by running the policy in Azure (changed some of the values):

{
  "iss": "https://login.microsoftonline.com/guid/v2.0/",
  "exp": 1548416392,
  "nbf": 1548455092,
  "aud": "c152h904-835a-496f-8919-e74f5013374c",
  "contract": "Contract03",
  "fileUploadAllowed": false,
  "sub": "25a6ec11-16fd-477a-8917-e0728c69e1db",
  "nonce": "defaultNonce",
  "scp": "portal.read user_impersonation",
  "azp": "c154c904-835a-496f-8919-e74f5087384c",
  "ver": "1.0",
  "iat": 1542213053
}

The payload of the JWT token (access_token) that is generated by msal.js:

{
  "iss": "https://login.microsoftonline.com/guid/v2.0/",
  "exp": 1548416396,
  "nbf": 1548455092,
  "aud": "c152h904-835a-496f-8919-e74f5013374c",
  "sub": "25a6ec11-16fd-477a-8917-e0728c69e1db",
  "nonce": "e6df86c9-7c19-4cb5-a4ac-1aa2a89b1951",
  "scp": "portal.read user_impersonation",
  "azp": "c154c904-835a-496f-8919-e74f5087384c",
  "ver": "1.0",
  "iat": 1542213953
}

I want to receive the custom claims in the access_token that is generated by msal.js. Does anyone know what I should do in order to make this work?

Thank you.

Azure AD Connect, ADSyncBootstrap service fails to start event id 0


Hi,

We tried to upgrade from DirSync to AD Connect. Installation fails because the ADSyncBootstrap service fails to start. Event ID 0 is logged with the message:


Service cannot be started. System.ServiceModel.CommunicationObjectFaultedException: The communication object, System.ServiceModel.ServiceHost, cannot be used for communication because it is in the Faulted state.
   at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
   at Microsoft.Azure.ActiveDirectory.ADSyncBootstrap.ADSyncBootstrap.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Any ideas? 

Managing SaaS Users & Groups via Azure AD SCIM


Using Azure AD Premium, Enterprise App & SCIM 2.0 Provisioning Scope - Only assigned Users & Groups

I'm trying to work through the use case below:

1. SCIM provisioning of users that are assigned to a given AD group.
2. When a user is added, it correctly fires off a POST /Users to create the user.
3. When a user is removed, it skips the user and reports "Details : User details: Skip reason = NotEffectivelyEntitled, Active = True, Assigned = False, Passed scope filter: True;" but does not send a PATCH or a DELETE to inform the SaaS app that the user is no longer valid.

So the question is: what is the correct mechanism for using SCIM provisioning to manage only a subset of users in the AD as active users of the system?

E.g. only one department in the company uses the SaaS app, so the user list for assigning tickets etc. should only be those, and if a user changes departments and no longer has access to the SaaS app they shouldn't be seen as a valid user of the SaaS app directory. The SaaS licensing will count all registered users, so syncing 20,000 users for no reason is not an option.

It seems like SCIM supports this use case with PATCH & DELETE, but Azure AD isn't propagating changes from the users & groups in the enterprise app as expected.

Any suggestions appreciated.

Thanks

Azure AD B2C accessing user profile info...


I have set up the basic Sign up Sign in for my Web app and everything is working fine.

I would now like to programmatically access the user profile variables from my MVC app.

@User.Identity.Name returns the name of the user. How do I access other variables in the profile?

@User.Identity.City or my custom variable name @User.Identity.AgencyCode error out and don't return a value. How do I access these fields?

 

Changing name of AzureAD device?


After having spent several days trying to install a pair of admin users on a new Lenovo laptop, I finally have it almost as I want it, but since the laptop was renamed after each OOTB installation it has a different name from the one in Azure AD. How do I change this name to the current and last one? It has the correct user; I haven't tried to add myself as a global admin to it in Azure AD yet, though.

TIA

Paul

splitting up Azure AD B2C sign up / sign in....

I have a web app that is currently working with the sign up/ sign in default pages. What I want to do is be able to email new users the sign up link and just have the login page separately. What is the best way to approach this?

Having to manually run dsregcmd to get domain-joined Windows 10 devices to join Azure AD


Hi everyone,

I've just begun the process of having domain-joined Windows 10 devices auto-enroll in Azure AD. I do not have a federated environment, so the communication is happening via AD Connect.

For machines that are newly joined to the domain, I am finding that I have to manually run the command 'dsregcmd' in order for the Azure AD join to occur.

Prior to running this command manually, if I run a 'dsregcmd /status', the Device State indicates the machine is not AzureAdJoined. Immediately by running 'dsregcmd', the Device State populates, and a reboot populates the information in the User State.

I can confirm Group Policy is pushing the information to automatically join the workplace, and I can see the Scheduled Task on the client machine that is supposedly running to enroll the machine, but nothing happens until I manually type and execute 'dsregcmd'.

Any thoughts?


Non-gallery in-house Java app integration with Azure Active Directory single sign-on issue

Dear Tech Support,

We have our own in-house app, built in Java on Tomcat and hosted on Azure in a CentOS VM. We are using SAML 2.0 and

org.opensaml.saml2.metadata.provider

org.springframework.security.saml

for our SSO needs. While integrating our app with Microsoft Azure Active Directory SSO as a non-gallery app, we are receiving the following error.

We have followed https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

Please help and advise.



Error as follows:

HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid

type Status report

message Authentication Failed: Incoming SAML message is invalid

description This request requires HTTP authentication.

Apache Tomcat/7.0.47

Getting CORS error as per below in the MS Edge browser while calling Azure Search from my custom application

I have a WebApp hosted in Azure, and Azure AD is used for authentication; I am able to log in to the application. But while calling an Azure Search Service API I am getting the CORS error below, only in the MS Edge browser; in Chrome and IE it works fine.

I have tracked the network traffic and below is my observation:
When the Azure Search Service API is called it redirects to Azure AD authentication and the CORS error is thrown, but this redirection is not happening in Chrome or IE, so there is no issue in those browsers.

I have already configured my site URL in Azure AD, and I guess I can't modify the response headers of AD, so how do I overcome this issue?

(Note: 1. I have added the CORS URL in Azure Search as well as in the web app, as well as when calling the search API. 2. I am not getting this error in Chrome or IE.)

Error Message: SEC7120: [CORS] The origin 'https://mysiteurl.com' did not find 'https://mysiteurl.com' in the Access-Control-Allow-Origin response header for cross-origin resource at 'https://login.windows.net/ea80952e-a476-42d4-aaf4-5457852b0f7e/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fmysiteurl.com%2F.auth%2Flogin%2Faad%2Fcallback&client_id=ca68e724-2c3d-4699-82bc-f8a56efa243a&scope=openid+profile+email&response_mode=form_post&nonce=8c756622bc8f4b02b03adcb41fbab33b_20190108150104&state=redir%3D%252Fapi%252Fsearch'.

My search method:

return fetch("/api/search", {
    mode: "cors",
    headers: {
        "api-key": searchState.config.queryKey,
        // Access-Control-Allow-* are response headers set by the server;
        // sending them from the client has no effect on the CORS check.
        "Access-Control-Allow-Credentials": "true",
        "access-control-allow-origin": "https://mysiteurl.com",
        "Content-Type": "application/json",
        "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept"
    },
    method: "POST",
    body: JSON.stringify(postBody)
});


What I have tried:

I have added the CORS URL in Azure Search as well as in the web app.

Boolean query for dynamic membership groups taking ages


I've been working on a dynamic membership rule query. It took 5 minutes to get it applied a few hours ago, but now it's been going for 30+ minutes twice, and it's shorter than before. What is up?

Seems almost stuck on "Processing Updates".

The query is fine; I'm wondering whether there's a reason why it took 5-10 minutes a few hours ago and a few hours later it's taking ages. Nothing changed on my side, so I figure it's on yours. If I raise an SR it'll take hours and it may be done by then, hence I reach out on Twitter. If there's an issue here you wouldn't notice it in a few hours.

AD user migration from UPN to B2C Local account

Hi,

In continuation of https://github.com/MicrosoftDocs/azure-docs/issues/22778, as per the recommendation I am posting it here.

Scenario: We have a web application using AD authentication via ADAL, with the users created with UserPrincipalName as login (username@domainname.microsoft.com).

I am working on migrating our application to use a B2C local account with username. I tried using the B2CGraphAPI Update-User as mentioned in this documentation (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet). It gives an error, but no details of the error.

As the application is already in production, we don't want to create new logins for existing users and go through a password reset. How do we convert the existing UPN users to local accounts?

Request:

c:\>B2C Update-User ......\usertemplate-username.json

usertemplate-username.json
{
    "signInNames": [
        {
            "type": "userName",
            "value": "converteduser1234"
        }
    ],
    "creationType": "LocalAccount"
}

Result:
Error Calling the Graph API:
{
    "odata.error": {
        "code": "Request_BadRequest",
        "message": {
            "lang": "en",
            "value": "An error occurred while processing the write request."
        },
        "requestId": "4578bc27-1611-4ba0-a740-7742ced632f7",
        "date": "2019-01-18T09:34:53"
    }
}

Thank you

Unable to invalidate the Asp.Net cookies instantly after logout with Azure AD cookie authentication


We are using Azure AD OpenID Connect cookie-based authentication, and that is working fine. For logout purposes, we added single sign-out, logging out of both the application and the Azure portal using the code below.

    // Sign a user out of both AAD and the Application
    public void Logout()
    {
        HttpContext.GetOwinContext().Authentication.SignOut(
            new AuthenticationProperties { RedirectUri = OwinStartup.PostLogoutRedirectUri },
            OpenIdConnectAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);
    }

    public void LogoutPage()
    {
        var redirectUrl = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"].ToString() + "Account/Logout/";
        var logouturl = string.Format("https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={0}", redirectUrl);
        Response.Redirect(logouturl);
    }

But this code signs out of the application, not the Azure portal. If I log out of the application then the cookies need to be invalidated, but that is not happening, and it's not redirected to the logout page. If I take the Asp.Net.Cookies from the application before logout (and then log out this session using the above code), the same Asp.Net.Cookies still validate against the application after the logout in a new session, when I replace the new session's Asp.Net.Cookies with the existing ones. If I don't use those cookies for the next hour it then shows the logout page; within one hour it allows access to the application.

Startup.cs code

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = Globals.ClientId,
            Authority = Globals.Authority,
            AuthenticationType = "oidc",
            SignInAsAuthenticationType = "Cookies",
            ResponseType = "code id_token",
            PostLogoutRedirectUri = Globals.PostLogoutRedirectUri,
            RedirectUri = Globals.RedirectUri,
            TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true },
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                AuthorizationCodeReceived = (context) =>
                {
                    //// Enforce the reference/redirect to be HTTPS
                    var builder = HttpContext.Current.Request.Url.AbsoluteUri;
                    context.AuthenticationTicket.Properties.RedirectUri = builder.ToString();
                    return Task.FromResult(0);
                },
                RedirectToIdentityProvider = (context) =>
                {
                    context.ProtocolMessage.DomainHint = "My Domain";
                    return Task.FromResult(0);
                },
                SecurityTokenValidated = (context) =>
                {
                    context.AuthenticationTicket.Properties.AllowRefresh = true;
                    // context.AuthenticationTicket.Properties.IsPersistent = true;
                    return Task.FromResult(0);
                }
            }
        });

How can I make Asp.Net.Cookies expire instantly after the logout? Where did I make the mistake? I have been stuck on this for the last 3 weeks; please help me resolve the issue with a code sample.
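Added example, not the poster's code: a cookie authentication ticket is self-contained, so SignOut only tells the browser to drop its copy, and a copied Asp.Net.Cookies value stays valid until the ticket expires (with the OIDC middleware's default UseTokenLifetime the cookie lifetime follows the id_token, about an hour; note also that the post registers the OIDC middleware as "oidc" but signs out OpenIdConnectAuthenticationDefaults.AuthenticationType, so that middleware never sees the sign-out). The pattern below records a per-user sign-out time on the server and rejects older tickets in CookieAuthenticationProvider.OnValidateIdentity, which runs on every request carrying the cookie. SignOutRegistry, the NameIdentifier claim as user key and the 20-minute lifetime are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical server-side revocation list (not part of OWIN): remembers when each user
// last signed out. In-process only; a web farm would need a shared store (cache or DB).
public static class SignOutRegistry
{
    private static readonly ConcurrentDictionary<string, DateTimeOffset> SignedOutAt =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public static void Revoke(string userId, DateTimeOffset when) => SignedOutAt[userId] = when;

    // A ticket is stale when it was issued at or before the user's last sign-out,
    // or when it carries no issue time at all (fail closed).
    public static bool IsRevoked(string userId, DateTimeOffset? issuedUtc)
    {
        DateTimeOffset signedOut;
        if (!SignedOutAt.TryGetValue(userId, out signedOut)) return false;
        return !issuedUtc.HasValue || issuedUtc.Value <= signedOut;
    }
}

public static class CookieAuthSetup
{
    public static void Configure(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            ExpireTimeSpan = TimeSpan.FromMinutes(20),   // assumed; bounds a copied ticket's life
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                // Runs for every request that presents the cookie, so a revoked
                // ticket is refused on the next request instead of at expiry.
                OnValidateIdentity = context =>
                {
                    var userId = context.Identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                    if (userId != null && SignOutRegistry.IsRevoked(userId, context.Properties.IssuedUtc))
                    {
                        context.RejectIdentity();                 // request continues as anonymous
                        context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Call this from the Logout() action before the SignOut call shown in the post,
    // so the sign-out is recorded before the browser is told to drop the cookie.
    public static void RecordSignOut(IOwinContext owin)
    {
        var userId = owin.Authentication.User?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null) SignOutRegistry.Revoke(userId, DateTimeOffset.UtcNow);
    }
}
```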
