Channel: Azure Active Directory forum

Update to existing credential with KeyId 'XXXXXXXXX' is not allowed.


Hello,


I am wondering if anyone is experiencing this issue: when I go into the App and try to create a new AppKey, I receive

Update to existing credential with KeyId 'xxxxx' is not allowed.

Here is the full error

{"errorCode":"KeyNotUpdatable","localizedErrorDetails":{"errorDetail":"Update to existing credential with KeyId 'xxxxxx' is not allowed."},"operationResults":null,"timeStampUtc":"2019-01-23T18:09:34.7996504Z","clientRequestId":"xxxxxxx","internalTransactionId":"xxxxxx","upn":"xxxxx","tenantId":"xxxx","userObjectId":null,"exceptionType":"AADGraphException"}

I am receiving this via portal.

Any help?



Device Flow doesn't work with App Registrations (preview)?


If I register an Azure AD app using "App Registrations (preview)", I can't get it to work with Device Flow. If I use the older "App Registrations", it's fine.

I'm using the MSAL .NET library with device flow, and get this back from the server: AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'. Only when using (preview), with all 4 suggested native redirects ticked.

Azure Multi-factor Authentication (MFA) Configuration


You have a corporate website with Anonymous access enabled. Later you configure Azure Multi-factor Authentication (MFA) and configure it to Enable IIS authentication. A user logs into the web page and is immediately presented the webpage, with no authentication requests or prompts. You need to ensure that users are prompted for MFA when accessing the webpage. What should you do?

A. In the IIS console, on the Default Web Site properties, enable Basic authentication and disable Anonymous authentication

B. In the MFA console, select “Use cookies to cache successful authentications (minutes)”

C. In the IIS console, on the web page properties, enable Basic authentication and disable Anonymous authentication

D. In the MFA console, enable MultiFactorAuthWebServiceSdk

Resource Group management in azure


Your company has one Azure subscription. You create 5 Resource Groups within the subscription: RG1, RG2, RG3, RG4, RG5. You want to give a partner named John rights to fully manage all of the resources within RG3. John’s Live ID is john@outlook.com. John should not be able to manage the resources in any other resource group. What should you do?

A. Logon to the Azure portal, browse to RG3 and add John’s Live ID as an Owner

B. Add John to your Azure Active Directory. Browse to RG3 and add John’s Azure logon as an Owner

C. Add John to your Azure Active Directory. Click the Subscription and add John’s Azure logon as an Owner

D. Logon to the Azure portal, click the Subscription, and add John’s Live ID as an Owner

Azure AD Connect not syncing passwords, keeps losing heartbeat


Hello,

I recently upgraded Azure AD Connect to 1.1.640.0 and also upgraded the DCs and other servers to 2016. Ever since, I keep having the issue of the Office 365 Admin portal saying Password Sync: No Recent Sync. I run the troubleshooting tool: "No password hash synchronization heartbeat is detected". I mess around with it here and there and get it to sync again, but later in the day it will lose it and I have to do the process over again. Why does this keep happening and how do I fix it? I use ADFS for my auth method; I just want password sync in case of a failure or as a failover method.

Charlie




Cloud-Only AD/Azure AD Authentication with Group Policy and Shares


Good evening,

I am trying to implement a 50 user remote working cloud-only solution using Office 365 (E3 Subscriptions) and Azure.

Requirements

    Authenticate on all laptops against Azure AD or AD on a VM in Azure.
    Use Office 365 (desktop apps and onedrive) seamlessly using their Azure/Office 365 logon credentials.
    Receive Group Policy to lock down laptops/desktops on the domain.
    Restrict users non-administrator operations on the laptops.
    Ideally access file shares on a file server on Azure in a traditional \\server\share fashion / mapped drive.

Options we have tried..

A) Joining a laptop/desktop to Azure AD - It joins but there doesn't seem to be any benefit other than pass-through authentication to Office 365 desktop apps. You cannot distribute Group Policies over Azure AD and the Azure AD user still remains a local administrator on their local machine. I understand that Azure AD is different to a traditional DC AD but I'm struggling to see any use for it in this scenario?

B) Azure AD Join with Microsoft Intune MDM - The user can login with their Azure AD/Office 365 credentials but the policies defined in Intune do not appear to apply correctly. There seem to be some differences between the current and classic Intune portals. We've spent a lot of time working on this one but it became so problematic and buggy we have abandoned this route. We also discovered it does not offer the full range of Group Policies we want/need and also carries further cost per user - If all we want to do is administer laptops in a standard group policy way, this seems a little convoluted and more focused on MDM.

C) DirectAccess / Always-On-VPN (Not Supported!) - The idea was to connect directly to an Azure VM running as a DC and get group policy and authentication this way. However, DirectAccess and Remote Access are not supported on any Windows Server VMs on Azure.

D) Point-To-Site VPN Connection to Azure - Followed the official Microsoft steps to set up a P2S service on Azure and client connection. Got a working connection to the VPN and also connected the AD VM to the same VPN; I can ping it and RDP to it no problem, but cannot access file shares (even using the IP). The file sharing issue appears to be related to a problem with passing through the credentials to the file server. It is also not possible (without hacking about) to automatically dial an Azure Point-To-Site VPN connection before login like you can with DirectAccess - thus not allowing you to logon to your Azure AD/DC.

In Summary - Next Steps?

At this point I am wondering why what can be achieved with a VPN to a private cloud (non-Azure) seems impossible on Azure?

I feel like I am missing something really fundamental here!

Any help/advice would be gratefully received!

Chris



P.S. - Had to remove the links as Microsoft hasn't verified my forum account without, 1st post.


Users conflict in Azure AD


So this is a complex one for me to handle so I came here asking for help.

Our company had a local AD and it was synced with Azure AD. Moving to new offices, we got ourselves a new server to manage the local AD. While replicating the servers from old to new, something went wrong: the main server left the domain and the new one didn't get any data from the process, leaving me to create a new local domain. After that I did connect Azure AD with our local AD, imported users from Azure AD into the local server, and after syncing the data, now I have two values for each user and both stated as "Synced with AD".

I don't know what to do now.

Conditional Access: Browser access via MFA unexpected behavior


Hi,

I've created a conditional access policy which forces MFA when my services are accessed using a browser, since we are testing I wanted to exclude the Azure management portal from the applications applicable in order to be sure to be able to access the portal. 

  • Settings:
    • Name: Browser Access via MFA
  • Assignments:
    • Users and Groups: All users included, and a specific group for fail-safe accounts excluded
    • Cloud apps: All Cloud Apps, Microsoft Azure Management excluded
  • Conditions:
    • Locations: Any location, all trusted locations excluded
    • Client apps (preview): Browser
  • Access Controls:
    • Grant: Grant access \ Require multi-factor authentication

When I enable this Conditional Access policy and logon to the Azure Management Portal I'm receiving errors like: 

The portal is having issues getting an authentication token. The experience rendered may be degraded. Additional information from the call to get a token: Extension: fx Resource: graph Details: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'. Trace ID: f3b74d60-05f7-45a8-9035-8fbffa1d2900 Correlation ID: f6338c63-d5f6-4e8c-b030-7a06e7ea46ae Timestamp: 2019-01-23 13:21:38Z

Working in the portal is not doable, since only partial stuff works. 

If I remove the Azure Management Portal from the exclusion list, all seems to work as expected: I'm being asked for MFA when using the browser, as expected.

I hope someone can shed a light on what I'm configuring wrong, it seems that the Microsoft Azure Management cloud app doesn't work as expected in this specific Conditional Access policy. 

The What If tooling doesn't give any issues, b.t.w., when testing the policy against that...

Hope someone can help,


/Kenneth


Conditional Access: Block legacy authentication for Exchange Online unexpected behavior


Hi,

I've created a Conditional Access policy with the following settings:

  • Name: block legacy authentication Exchange Online
  • Assignments:
    • Users and Groups: All users (exclude a group called CA Exclude containing my fail-safe accounts)
    • Cloud Apps: Office 365 Exchange Online
  • Conditions: Client Apps (preview) -> Enabled Mobile apps and desktop clients \ Other clients
  • Access Controls:
    • Grant: Block access

When I enable the policy, after a while my Outlook (Office 365 CTR, version 1812) starts asking me to provide credentials. When looking in the Azure AD sign-in logs I see the following:

  • Basic info:
    • Status: Failure
    • Sign-in error code: 53003
    • Failure reason: Access has been blocked due to conditional access policies
    • Client App: Other clients; Older Office clients
  • Device info:
    • Browser: Microsoft Office 16.0
  • Conditional Access:
    • Policy name: block legacy authentication
    • Grant controls: block
    • Result: Failure

If I disable the Conditional Access policy, the popups for credentials disappear and everything works again. When looking in the logging at that time, the Client app is mentioned as: Other clients; MAPI

I noticed that Client Apps has the word (Preview) - can it be that this functionality is perhaps not working as expected in my tenant yet? Is anyone else experiencing these kinds of issues?

thanks in advance,

/Kenneth
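The sign-in log fields quoted in this post (clientAppUsed, the 53003 error code, the applied policy result) are what an admin would review before widening a legacy-authentication block. The script below is an added example, not code from the original post: it runs over a few constructed sign-in records in the shape of an Azure AD sign-in log export (Microsoft Graph signIn resource) and reports, per user, which legacy protocols are still in use and which of those sign-ins the named policy already blocked. Field names follow the Graph signIn resource; the users, app names and policy name are made up for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records (same field names as Azure AD sign-in log exports);
# the users and values are invented for this example.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "kenneth@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Other clients; Older Office clients",
     "status": {"errorCode": 53003, "failureReason": "Access has been blocked due to conditional access policies"},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [{"displayName": "block legacy authentication Exchange Online", "result": "failure"}]},
    {"userPrincipalName": "kenneth@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Other clients; MAPI", "status": {"errorCode": 0, "failureReason": None},
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Mobile Apps and Desktop Clients", "status": {"errorCode": 0, "failureReason": None},
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "scanner@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Other clients; SMTP", "status": {"errorCode": 0, "failureReason": None},
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
])

# Client app categories that Azure AD treats as modern authentication.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop Clients"}


def is_legacy(record):
    # Anything not classified as Browser or modern mobile/desktop clients used a
    # legacy protocol (MAPI, SMTP, IMAP, "Older Office clients", ...).
    return record.get("clientAppUsed", "") not in MODERN_CLIENTS


def legacy_auth_impact(signins_json, policy_name):
    """Return (legacy_by_user, blocked_by_user): per user, a count of sign-ins per
    legacy client app, and the subset that the named policy blocked (or that
    failed with error 53003, the conditional-access block code)."""
    legacy = defaultdict(Counter)
    blocked = defaultdict(Counter)
    for rec in json.loads(signins_json):
        if not is_legacy(rec):
            continue
        user, client = rec["userPrincipalName"], rec["clientAppUsed"]
        legacy[user][client] += 1
        hit = any(p.get("displayName") == policy_name and p.get("result") == "failure"
                  for p in rec.get("appliedConditionalAccessPolicies", []))
        if hit or rec.get("status", {}).get("errorCode") == 53003:
            blocked[user][client] += 1
    return {u: dict(c) for u, c in legacy.items()}, {u: dict(c) for u, c in blocked.items()}


if __name__ == "__main__":
    legacy, blocked = legacy_auth_impact(SAMPLE_SIGNINS, "block legacy authentication Exchange Online")
    for user, clients in legacy.items():
        print(user, "legacy:", clients, "blocked:", blocked.get(user, {}))
```

Users that appear under legacy but not under blocked (here the SMTP sender) are the ones whose clients still need updating before the policy is broadened beyond Exchange Online.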

Creating guest user from Microsoft Graph API


I tried to create a guest user with Microsoft Graph API. I used the property 'UserType'.

user.UserType = "Guest";

But the response shows 'Invalid User principal Name'. 

I am able to create the same user in portal. 

Get access token for the APi with Multi tenant


I am implementing a web app with Azure AD multi-tenant. My app will call an API once the user is logged in. The web app and web API are both registered in the same tenant. If I log in with a user from the same tenant I am able to call the API, but when I log in with a user from a different tenant I am unable to call the API.

Error: XXX app id not registered into XXX tenant.

Can anyone resolve my issue? How can I get the access token?

Thanks

Azure Licensing for B2B specific Scenario?


Hello, 

We have a tenant (ex: www.contoso.com) at Azure, where our Azure AD includes 800 users. We are going to publish a new application (based on SharePoint on-prem) which will be accessed by guest users (B2B); the scenario is as follows:

1- This will be a separate domain, lets say (newapp.contoso.com) or (www.newapp.com).

2- Azure AD will be separate also, as we want it to be separate from the original Azure AD (www.contoso.com).

3- We want to assign specific users to manage the new Azure AD (www.newapp.com) through the Azure Admin Portal.

4- We want to allow around 1000 to 5000 users to access our newapp using their different email address (B2B, each couple of users will be in a different organization)

5- We want to allow MFA for each user from the 1000 to 5000 users (B2B).

6- From these 1000 to 5000 users there will be around 10 users whose email is from the original tenant (ex: adminuser1@contoso.com, ...)

I have a couple of questions now:

1- Is point number 3 above available? Can I assign one or a couple of users to manage only the new Azure AD?

2- How will the license work (how much will we pay), as there will be around 1000-5000 guest users accessing our on-prem app using their emails (different companies), and around 10 users accessing the on-prem app using (contoso.com) emails?

Thanks in advance.

Managing SaaS Users & Groups via Azure AD SCIM


Using Azure AD Premium, Enterprise App & SCIM 2.0 Provisioning Scope - Only assigned Users & Groups

I'm trying to work through the use case below:

  1. SCIM provisioning of users that are assigned to a given AD Group
  2. When a user is added, it correctly fires off a POST /Users to create the user
  3. When a user is removed, it skips the user and reports - "Details : User details: Skip reason = NotEffectivelyEntitled, Active = True, Assigned = False, Passed scope filter: True;" But it does not send a PATCH or a DELETE to inform the SaaS app that the user is no longer valid.

So the question is: what is the correct mechanism for using SCIM provisioning to manage only a subset of users in the AD as active users of the system?

e.g. only 1 department in the company uses the SaaS app, so the users list for assigning tickets etc. should only be those, and if a user changes departments and no longer has access to the SaaS app they shouldn't be seen as a valid user of the SaaS app directory. The SaaS licensing will count all registered users, so syncing 20,000 users for no reason is not an option.

It seems like SCIM supports this use case with PATCH & DELETE, but Azure AD isn't propagating changes from the users & groups in the enterprise app as expected.

Any suggestions appreciated.

Thanks

How to enforce MFA challenge every 12 or 24 hours as currently we do not have global settings to logout inactive session from Azure Portal?


Hi Team,

How to enforce MFA challenge every 12 or 24 hours as currently we do not have global settings to logout inactive session from Azure Portal?


Thanks a lot Kamal

Azure Active Directory not giving encryption certificate for SAP SSO


When I upload the metadata from Azure into SAP, only the Signature Cert shows up but the Encryption one does not.

I followed the instructions from https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-sapbusinessbydesign-tutorial and it still does not work.


The reply url specified in the request does not match the reply urls


Set up sign-in with an Azure Active Directory account using custom policies in Azure Active Directory B2C


I have followed all the steps as given in the above article. At the end of the user journey, I get the error below. I tried all the possible solutions to fix it but couldn’t resolve it. I even cross-checked as given in step 7 (For the Sign-on URL, enter the following URL in all lowercase letters, where your-B2C-tenant-name is replaced with the name of your Azure AD B2C tenant:)


Requesting you, please guide on this: what could be the reason, and what are the most common mistakes which may cause this error?


Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '5c99b906-cb8b-49c4-9242-23c977ab8ce7'.

Microsoft 365 AD Join

We are trying to set up Microsoft 365 and when trying to connect a device to Azure AD we receive the error 8018000a. After entering the user's account information we receive a confirmation message "make sure this is your organization"; it looks correct and we then click "join". Result: "something went wrong. This device is already enrolled. Contact your admin. 8018000a". Any insight would be appreciated.

Kevin

MFA authentication with call not working


Hi,

I think it's already been two weeks with call authentication working inconsistently. When I noticed problems (as I mostly use the Authenticator app), I checked other ways - SMS, Authenticator app - and these were (and are) working just fine. Yesterday I received a call once or twice, but # was not accepted. Later on it stopped calling at all. A test from the MFA server shows: "Multi-Factor Authentication denied: Phone Unreachable". I tried to change "MFA caller ID number" but it didn't help.

Updating of AppRole Assignment


Hi,

I would like to know if updating an appRole assignment is possible. Currently, I can only delete an appRole assignment first before adding the new appRole assignment through the Azure AD Graph API.

Regards,

Zhi Jian

Azure Credits. Where do you go in Azure to find all users with Azure Credits?


Hi there,

We have a few people in the company creating services in Azure but where do you go to find the list of these people?


Debbie
