Channel: Azure Active Directory forum

Azure - Users who can't create services etc.


I've just been asked by my manager.

We have people with credit in the company who can create services etc. What if someone is just using services and not creating them? What happens if another team member logs into Azure and tries to create a service?



Debbie
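
What a team member can or cannot create is decided by Azure RBAC role assignments, so the practical way to answer the manager's question is to inspect and adjust those assignments. The following is an added example, not part of Debbie's post; it uses the Az PowerShell module, and the subscription ID, user name and resource group name are placeholders.

```powershell
# Added example (not from the original post). Assumes the Az module and a signed-in
# account allowed to read and write role assignments. All names/IDs are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$user           = 'teammember@contoso.com'

# 1. What can this person do today? -ExpandPrincipalGroups also shows roles they
#    inherit through group membership, which is where surprises usually hide.
Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope, ObjectType

# 2. A "just uses services" person gets Reader at subscription scope: they can sign in
#    and browse, but any create/update/delete call fails with 403 AuthorizationFailed.
New-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Reader' `
    -Scope "/subscriptions/$subscriptionId"

# 3. If they do need to create things, confine that to one resource group rather
#    than granting Contributor on the whole subscription.
New-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Contributor' `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/rg-sandbox"

# 4. Remove an over-broad assignment found in step 1 (here: Owner on the subscription).
Remove-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Owner' `
    -Scope "/subscriptions/$subscriptionId"
```

Note that Azure AD directory roles (Global Administrator etc.) and Azure RBAC roles are separate: a user can be a Global Administrator and still have no rights on any subscription, and vice versa. Step 1 is the check to run before assuming either.
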


From ADF, how to uncompress a Gzip file using Python scripts? Not finding any properties on the Sink side.

From ADF, how to uncompress a Gzip file using Python scripts? Not finding any properties on the Sink side.
I found the method to change file types from uncompressed to compressed for Gzip, Parquet and others.

Thanks in advance.

Passwords don't sync


Hi, we use Office 365 for our mail (Exchange Online).

And we use Azure with Azure AD Connect.

A couple of weeks ago I installed a new management server and right away I updated Azure AD Connect to the latest version, 1.1.751.0.

So far so good.
The Exchange and Azure environments tell me the synchronisation works well; password sync is active and successful.

Yesterday one of our users told me he had changed his on-premises password and was unable to log on to his O365 account.
I asked him to try it with his old password and he had access. This worked with the Outlook client as well as with the web interface.

I looked over the situation and found no errors in the Event Viewer of the server which provides the AAD Connect function.
So I searched the internet and found the ADSyncDiagnostics tool.

I ran the diagnostics on the tenant and found no problems; after that I ran the diagnostics on the affected user and got the following message:

"There is no Password Hash Synchronization rule for target AAD connector space object"

I didn't find a solution on the internet.

Please can somebody help me?

Best regards,

Peter Vroegop
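
The ADSyncDiagnostics message quoted above is produced when the per-object check finds no enabled synchronization rule with password sync turned on that applies to the user's connector space object. The block below is an added example, not part of Peter's post, showing the checks a practitioner would run on the Azure AD Connect server with the ADSync module; the connector names and the user's distinguished name are placeholders that must be replaced with the real values.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on
# the Azure AD Connect server. Connector names and the DN below are placeholders.
Import-Module ADSync

# Connector names exactly as AAD Connect knows them (AD forest and AAD tenant).
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName
$adConnector  = 'corp.contoso.com'               # placeholder: on-prem AD connector
$aadConnector = 'contoso.onmicrosoft.com - AAD'  # placeholder: Azure AD connector

# Is password hash sync enabled on the AD connector at all?
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector

# Which rules carry the password hash flow, and are any of them disabled? A default
# rule that was disabled, or a custom scoping filter that excludes the user, leaves
# the AAD connector space object without a password sync rule.
Get-ADSyncRule | Where-Object { $_.EnablePasswordSync } |
    Select-Object Name, Direction, Disabled, Precedence, Connector

# Tenant-level and per-object diagnostics (the second form is the one that produced
# the message in the post).
Invoke-ADSyncDiagnostics -PasswordSync
Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName $adConnector `
    -DistinguishedName 'CN=Jane Doe,OU=Staff,DC=corp,DC=contoso,DC=com'   # placeholder

# Once the rule problem is fixed, toggling PHS off and on forces a full password
# sync instead of waiting for the next password change on the affected account.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector `
    -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector `
    -TargetConnector $aadConnector -Enable $true
```

The Disabled column in the rule listing is the first thing to read: a rule that exists but is disabled does not count, which is consistent with "there is no Password Hash Synchronization rule" being reported even though the tenant-level check passes.
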

Service Principal creation and automation


Hi, 

I just signed up for an Azure account and bought the free trial subscription ($200 credit for a month). What I am trying to accomplish is testing automation with service principals.

Based on https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal a new app registration (service principal) was created. Since I am a newbie I do not know how I can use this for automation and what needs to be done to simulate something that automates.

So, what I need is guidance on :

1. Building a test service/app

2. Using service principal to access that app

3. Automate some sort of tasks that uses above service principal. I would want to test for automation from within azure and also for something (I don't know what) to access the app through automation from outside of azure. 

Not sure if it makes sense. Basically, trying to create service principal and learn automation in a couple of days span. :) 

Thank you. 
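
The three steps asked for above (create the principal, authenticate as it, run a task with it) fit in one script. The following is an added example, not part of the original post; it uses the Az PowerShell module (Az.Resources 5.x or later, where New-AzADServicePrincipal returns the generated secret in PasswordCredentials.SecretText) and the tenant ID, subscription ID and resource group name are placeholders.

```powershell
# Added example (not from the original post). Assumes Az.Resources 5.x+ and an
# existing resource group 'rg-automation-test'. IDs and names are placeholders.
$tenantId       = '00000000-0000-0000-0000-000000000000'
$subscriptionId = '11111111-1111-1111-1111-111111111111'
$rgScope        = "/subscriptions/$subscriptionId/resourceGroups/rg-automation-test"

# --- Step 1 (interactive, done once by a human): create the service principal and
#     give it the least role it needs, scoped to a single resource group.
Connect-AzAccount -Tenant $tenantId
$sp = New-AzADServicePrincipal -DisplayName 'automation-test' -Role 'Reader' -Scope $rgScope
$secret = $sp.PasswordCredentials.SecretText   # shown once; store in Key Vault, not in scripts
$sp | Select-Object AppId, Id, DisplayName

# --- Step 2 (the automation side; runs the same way inside or outside Azure):
#     sign in as the service principal instead of a user.
$cred = New-Object System.Management.Automation.PSCredential(
    $sp.AppId, (ConvertTo-SecureString $secret -AsPlainText -Force))
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantId

# --- Step 3: a task that is allowed (read inside the scoped resource group)...
Get-AzResource -ResourceGroupName 'rg-automation-test' | Select-Object Name, ResourceType

#     ...and one that must fail, proving the scope holds (Reader cannot create;
#     ARM answers 403 AuthorizationFailed).
try {
    New-AzResourceGroup -Name 'rg-should-fail' -Location 'westeurope' -ErrorAction Stop
} catch {
    Write-Warning "Create blocked as intended: $($_.Exception.Message)"
}
```

For running from outside Azure the only difference is where $secret comes from; for running inside Azure the usual next step is to replace the secret with a managed identity, which removes the credential from the picture entirely.
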

AD FS Certificate Rollover - NextTokenSigningCertificate still listed under Office 365 after failed rollover


Our AD FS certificate was set to autorenew at 50 days before expiry, then roll over 10 days later

This didn't auto-rollover in Office 365 as I understand that starts checking at 30 days for a new certificate.

We set the rollover to manual, updated the certificate, forced O365 to use the new certificate, which allowed people to authenticate.

However, when I now check the certificates, there is no NextTokenSigningCertificate listed under AD FS, but there is still a NextTokenSigningCertificate listed in Office 365 - which expires before the current token signing certificate.

If I set this back to auto-rollover, will Office 365 try to use the NextTokenSigningCertificate it has listed? Can I remove this?

Secondly, if I change the auto-renew to 50 days before expiry, then roll over 21 days later, would this then give Office 365 time to start checking for a new signing certificate (at 30 days) and account for any delay by giving it the extra day before rolling over?

And will it then renew the NextTokenSigningCertificate I see in AD FS under Office 365?
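
The two sides of this rollover can be inspected and reconciled from PowerShell. The block below is an added example, not part of the original post: the AD FS cmdlets run on the primary AD FS server, the MSOnline cmdlets from any machine with that module, and the domain name is a placeholder.

```powershell
# Added example (not from the original post). Domain name is a placeholder.

# --- On the primary AD FS server: current rollover settings and the certificates
#     AD FS itself holds (IsPrimary = the one currently signing tokens).
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateGenerationThreshold,
    CertificatePromotionThreshold, CertificateRolloverInterval, CertificateCriticalThreshold
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}

# The schedule asked about in the second question: generate 50 days before expiry,
# promote the new certificate 21 days after generation, and re-enable auto rollover.
Set-AdfsProperties -CertificateGenerationThreshold 50 -CertificatePromotionThreshold 21
Set-AdfsProperties -AutoCertificateRollover $true

# --- From a machine with the MSOnline module: compare what the tenant has on file
#     with what AD FS reports. The output lists TokenSigningCertificate and
#     NextTokenSigningCertificate for both sides.
Connect-MsolService
Get-MsolFederationProperty -DomainName 'contoso.com'

# Re-read the federation metadata from AD FS and write it to the tenant, which
# replaces the tenant's copy of the signing certificates with what AD FS holds now.
Update-MsolFederatedDomain -DomainName 'contoso.com'

# Confirm both sides agree afterwards.
Get-MsolFederationProperty -DomainName 'contoso.com'
```

Running Get-MsolFederationProperty before and after Update-MsolFederatedDomain is the check that answers the first question for your own tenant: the "after" output shows which NextTokenSigningCertificate, if any, the tenant now keeps.
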


Duplicate Computers and Conditional Access (Hybrid Azure AD Join)


https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup#step-5-verify-joined-devices

We have set this up successfully, but we see two entries for the most part for each computer (one for "Azure AD registered" and one for "Hybrid Azure AD joined").

We are trying to do some Intune conditional access with "Hybrid" Windows devices, but best we can tell, the computer thinks we are coming from the Azure AD registered computer, not the Hybrid joined computer, even though they are one and the same.

It was our understanding that activating this would "merge" the entries together, but that doesn't seem to be the case. Can anyone shed some light on this situation? We are in a password hash sync environment with no federation.
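
The "dual state" described above (a device that is both Azure AD registered and Hybrid Azure AD joined) can be confirmed on the client and in the directory, and the hybrid join documentation's mitigation is to block further workplace registration on domain-joined machines and remove the existing registration. The following is an added example, not part of the original post; the device name is a placeholder.

```powershell
# Added example (not from the original post). Device name is a placeholder.

# --- On the client: which identities does the machine currently hold?
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|WorkplaceJoined|DeviceId'

# --- In Azure AD: every device object with that name. DeviceTrustType tells them apart:
#     'ServerAd'  = Hybrid Azure AD joined
#     'Workplace' = Azure AD registered
#     'AzureAd'   = Azure AD joined
Connect-AzureAD
Get-AzureADDevice -All $true | Where-Object { $_.DisplayName -eq 'PC01' } |
    Select-Object ObjectId, DeviceId, DeviceTrustType, ApproximateLastLogonTimeStamp,
        @{n='Owner'; e={ (Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectId).UserPrincipalName }}

# --- Mitigation from the hybrid join docs: stop users from workplace-registering a
#     domain-joined device (so the dual state does not come back), then have the user
#     disconnect the existing "Access work or school" entry on the device.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'BlockAADWorkplaceJoin' -Value 1 -Type DWord

# --- Once dsregcmd shows WorkplaceJoined : NO, the stale 'Workplace' object can go
#     so Conditional Access only ever evaluates the hybrid-joined identity.
# Remove-AzureADDevice -ObjectId '<ObjectId of the Workplace entry from the listing above>'
```

The ApproximateLastLogonTimeStamp column is worth reading before deleting anything: if the Workplace entry is the one with recent activity, that is the identity Conditional Access has been seeing, which matches the behaviour reported in the post.
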

Cannot verify Custom Domain Name


Hi,

We have recently signed up to a free edition of Azure AD, initially for the purposes of administering our Home Use Program, but we may be going forward and using other features also.

I am trying to add our corporate domain onto Azure AD as a custom domain, so we can use Azure AD user accounts that tie in with our corporate accounts. We are hitting problems at verify though, the same as many others:

"Unable to verify domain name. Ensure you have added the record above at the registrar 'xxxx', and try again in a little while."

We have added the TXT record via our domain registrar, and I can see the correct details using nslookup. As far as I know our domain is not registered for any other AAD products.

Would someone be able to help? Because of our free subscription, we don't have access to log a support call in any other way!

Thanks,
Dave.
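
Azure AD verifies the TXT record from the public internet, so an nslookup against the corporate resolver can succeed while the public answer is still stale. The following is an added example, not part of Dave's post, that checks the record the way Azure AD does and retries verification from PowerShell; the domain name is a placeholder.

```powershell
# Added example (not from the original post). Domain name is a placeholder.
$domain = 'example.com'

# Ask a public resolver directly, bypassing corporate DNS and its cache; the Azure AD
# verification record is a TXT value of the form MS=msXXXXXXXX.
Resolve-DnsName -Name $domain -Type TXT -Server 8.8.8.8 |
    Where-Object { $_.Strings -like 'MS=ms*' } |
    Select-Object Name, Strings, TTL

# The exact record Azure AD expects for this tenant, to compare against the above.
Connect-AzureAD
Get-AzureADDomainVerificationDnsRecord -Name $domain

# Retry verification once the public answer matches.
Confirm-AzureADDomain -Name $domain
Get-AzureADDomain -Name $domain | Select-Object Name, IsVerified
```

If the public resolver returns the right value and Confirm-AzureADDomain still fails, the remaining explanation is the one hinted at in the error: the domain is already attached to another tenant, which this free tenant cannot see.
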

Regarding Azure AD policies


Hi,

I would like to know how to view Azure AD policies in the Azure portal page. Right now, I see that I can get it through the PowerShell command Get-AzureADPolicy:

```powershell
PS U:\> Get-AzureADPolicy

Id                                   DisplayName         Type                IsOrganizationDefault
--                                   -----------         ----                ---------------------
xxxxeddddddddddddd                   TokenIssuancePolicy TokenIssuancePolicy False
ddddddddddddddddd                    TokenIssuancePolicy TokenIssuancePolicy False
f443da96-hhhh9f7f7c3                 PreprodTokenTest    TokenLifetimePolicy False
```

I would like to know where the PreprodTokenTest policy is applied. Could someone let me know where I can find it through PowerShell or through the portal?

thanks.
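
The AzureAD module can answer the "where is it applied" part in both directions. The following is an added example, not part of the original post; the policy name is taken from the listing above and the service principal name is a placeholder.

```powershell
# Added example (not from the original post). 'MyApp' is a placeholder.
Connect-AzureAD

# Policy -> objects: every application or service principal this policy is assigned to.
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq 'PreprodTokenTest' }
Get-AzureADPolicyAppliedObject -Id $policy.Id |
    Select-Object ObjectId, ObjectType, DisplayName

# Object -> policies: the reverse check for one service principal and its application,
# useful when auditing which token lifetime actually applies to an app.
$sp  = Get-AzureADServicePrincipal -SearchString 'MyApp'
$app = Get-AzureADApplication -Filter "appId eq '$($sp.AppId)'"
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
Get-AzureADApplicationPolicy -Id $app.ObjectId

# A policy with IsOrganizationDefault = True applies tenant-wide and will not show up
# in the per-object listings, so check that flag first.
Get-AzureADPolicy | Where-Object { $_.IsOrganizationDefault } |
    Select-Object DisplayName, Type
```
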


Azure B2C SSO and the free 50,000 users and logins


Hello,

We are trying to implement SSO using Azure B2C AD into one of our web sites. We want to migrate our PUBLIC users (NOT related to our company) into the B2C AD database. We want to take advantage of the free 50,000 users and B2C logins.

We have a few questions.

1. Is there a separate database where B2C AD "consumer" users are saved (NOT in the Azure AD)?  Or are all "consumer" users also stored in Azure AD along with "work account" users?

2. If there is a separate database for B2C AD "consumer" users then where is it and how can we access it directly? Is there an interface or portal or a connection string, etc. Can it be accessed by PowerShell? Is it a SQL Server database?

3. When looking at users in AD, how do we determine each user's type ("work account" or a "consumer" user)?

4. How can we take advantage of the 50,000 free users and/or 50,000 free login? Does this also include self-serve password reset for all user types (including "consumer" users)?

5. Is an Azure AD license required to implement the B2C SSO?  If so would our Office 365 license satisfy this requirement?

6. Looking in the Azure Portal under Azure AD there is an application with the name "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data" <-- What is this? What is it used for? How can we get the secret/key for it since it is automatically created and the key is hidden? Can we upload our own public key to replace the default secret/key?

Thank you,

Kris Sebesta

e: kris.sebesta@resene.co.nz

Trying to implement SSO with Azure AD on a MediaWiki Site using the module, SimpleSAMLphp, hosted on a Azure VM


So I'm trying to set up SSO login using Azure's Active Directory as an IdP and using the simpleSAMLphp module for MediaWiki to implement it, but I run into an error I have absolutely no idea how to solve.


Context:

I've followed these instructions: https://medium.com/vivritiengineering/mediawiki-and-azure-single-sign-on-e3fbc13d1f46
But instead of a server hosted on AWS servers, I have a virtual machine running on Azure.

I'm using this image for my VM: https://bitnami.com/stack/mediawiki/cloud


Actions that lead to problem:

I sign onto the MediaWiki server, attempt to log in, and get sent to a login.microsoftonline.com page. I try to log in, and then get sent back to a MediaWiki /Special:UserLogin page with an error message of "User cannot be authenticated".


Logs:

Found within '/opt/bitnami/apache2/logs/error_log':

[Tue Jan 29 04:07:04.007768 2019] [proxy_fcgi:error] [pid 32390:tid 139796580050688] [client my.ip.addr.45:63407] AH01071: Got error 'PHP message: PHP Notice:  Undefined variable: attributes in /opt/bitnami/apps/mediawiki/htdocs/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php on line 47\nPHP message: PHP Warning:  array_key_exists() expects parameter 2 to be array, null given in /opt/bitnami/apps/mediawiki/htdocs/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php on line 47\n', referer: https://login.microsoftonline.com/kmsi


Found within '/opt/bitnami/apache2/logs/access_log':

my.ip.addr.45 - - [29/Jan/2019:04:07:03 +0000] "POST /simplesaml/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.1" 303 850
my.ip.addr.45 - - [29/Jan/2019:04:07:03 +0000] "GET /Special:PluggableAuthLogin HTTP/1.1" 302 -
my.ip.addr.45 - - [29/Jan/2019:04:07:04 +0000] "GET /index.php?title=Special:UserLogin/return&wpLoginToken=87d0ee94955902b61de847138e89d4ff5c4fd146%2B%5C HTTP/1.1" 302 -
my.ip.addr.45 - - [29/Jan/2019:04:07:04 +0000] "GET /Special:UserLogin HTTP/1.1" 200 5472
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /resources/assets/poweredby_mediawiki_88x31.png HTTP/1.1" 304 -
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /load.php?debug=false&lang=en&modules=mediawiki.htmlform.styles%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cmediawiki.special.userlogin.common.styles%7Cmediawiki.special.userlogin.login.styles%7Cmediawiki.ui%7Cmediawiki.ui.button%2Ccheckbox%2Cinput%2Cradio%7Cskins.vector.styles&only=styles&skin=vector HTTP/1.1" 200 13492
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /resources/assets/wiki.png?de8c8 HTTP/1.1" 304 -
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /load.php?debug=false&lang=en&modules=startup&only=scripts&safemode=1&skin=vector HTTP/1.1" 200 38569
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /load.php?debug=false&lang=en&modules=jquery%7Cjquery.lengthLimit%7Cmediawiki.htmlform&skin=vector&version=0g0bm48 HTTP/1.1" 200 163379
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "POST /mod_pagespeed_beacon?url=https%3A%2F%2Fcompany-wiki.region.cloudapp.azure.com%2FSpecial%3AUserLogin HTTP/1.1" 204 -
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /favicon.ico HTTP/1.1" 200 3076

Comments:

Here is what I think is the relevant code of '/opt/bitnami/apps/mediawiki/htdocs/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php' referenced in the error log.

```php
class SimpleSAMLphp extends PluggableAuth {

	// Populated elsewhere in the extension from the SAML assertion; note that the
	// method below reads a local variable $attributes, not this property.
	protected $attributes;

	/**
	 * Get the user's username.  Override this if you need to change
	 * the appearance from what SAML gives.
	 *
	 * @param string &$username going into this
	 * @param int &$userId the user's id
	 * @param string|null &$errorMessage if you want to return an error message.
	 * @return bool|string false if there was a problem getting the username.
	 *
	 * @SuppressWarnings(PHPMD.Superglobals)
	 */
	protected function getUsername( &$username = '', &$userId = 0, &$errorMessage = null ) {
		if ( isset( $GLOBALS['wgSimpleSAMLphp_UsernameAttribute'] ) ) {
			$userNameAttribute = $GLOBALS['wgSimpleSAMLphp_UsernameAttribute'];
			if ( is_array( $userNameAttribute ) ) {
				// Several attributes configured: join their first values with spaces.
				$username = "";
				foreach ( $userNameAttribute as $attribute ) {
					// $attributes is undefined here (see the PHP Notice in the error log),
					// so array_key_exists() receives null as its second argument.
					if ( array_key_exists( $attribute, $attributes ) ) {
						if ( $username != "" ) {
							$username .= " ";
						}
						$username .= $attributes[$attribute][0];
					} else {
						wfDebug( 'SimpleSAMLphp: Could not find user name attribute ' .
							$attribute );
						return false;
					}
				}
			} else {
				// Single attribute configured: same undefined $attributes lookup.
				if ( array_key_exists( $userNameAttribute, $attributes ) ) {
					$realname = $attributes[$userNameAttribute][0];
				} else {
					wfDebug( 'SimpleSAMLphp: Could not find user name attribute ' .
						$attributes );
					return false;
				}
			}
		} else {
			wfDebug( 'SimpleSAMLphp: $wgSimpleSAMLphp_UsernameAttribute is not set' );
			return false;
		}
		return $username;
	}
}
```

Basically, $attributes is not being filled and I have no idea how to fix this. 
Any sort of guidance or direction will be most appreciated.

Managing SaaS Users & Groups via Azure AD SCIM


Using Azure AD Premium, Enterprise App & SCIM 2.0 Provisioning Scope - Only assigned Users & Groups

I'm trying to work through the use case below:

  1. SCIM provisioning of users that are assigned to a given AD Group
  2. When a user is added it correctly fires off a POST /Users to Create the User
  3. When a user is removed it skips the user and reports "Details : User details: Skip reason = NotEffectivelyEntitled, Active = True, Assigned = False, Passed scope filter: True;" but does not send a PATCH or a DELETE to inform the SaaS app that the user is no longer valid.

So the question is: what is the correct mechanism for using SCIM provisioning to manage only a subset of users in the AD as active users of the system?

e.g. only one department in the company uses the SaaS app, so the user list for assigning tickets etc. should only be those, and if a user changes department and no longer has access to the SaaS app they shouldn't be seen as a valid user of the SaaS app directory. The SaaS licensing will count all registered users, so syncing 20,000 users for no reason is not an option.

Seems like SCIM supports this use case with PATCH & DELETE, but Azure AD isn't propagating changes from the users & groups in the enterprise app as expected.

Any suggestions appreciated.

Thanks
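
Before blaming the connector it helps to compute, from the directory side, exactly which users Azure AD considers "effectively entitled" to the enterprise app, because that set (not the raw group membership) is what the provisioning job compares against. The following is an added example, not part of the original post; the application name is a placeholder.

```powershell
# Added example (not from the original post). 'MySaaSApp' is a placeholder.
Connect-AzureAD
$sp = Get-AzureADServicePrincipal -SearchString 'MySaaSApp'

# Direct assignments on the enterprise app: a mix of users and groups.
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
$assignments | Select-Object PrincipalType, PrincipalDisplayName, PrincipalId

# Expand group assignments to their direct user members. Provisioning does not follow
# nested groups, so members that are themselves groups are deliberately dropped here;
# a user reachable only through a nested group will show Skip reason =
# NotEffectivelyEntitled even though they look "in the group" in the portal.
$entitled = foreach ($a in $assignments) {
    if ($a.PrincipalType -eq 'Group') {
        Get-AzureADGroupMember -ObjectId $a.PrincipalId -All $true |
            Where-Object { $_.ObjectType -eq 'User' }
    } elseif ($a.PrincipalType -eq 'User') {
        Get-AzureADUser -ObjectId $a.PrincipalId
    }
}
$entitled = $entitled | Sort-Object ObjectId -Unique
$entitled | Select-Object UserPrincipalName, AccountEnabled

# Compare against what the SaaS app reports as active (list exported from the app,
# one UPN per line, path is a placeholder) to find accounts the app still counts.
$inApp = Get-Content 'C:\temp\saas-active-users.txt'
Compare-Object -ReferenceObject $entitled.UserPrincipalName -DifferenceObject $inApp |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Select-Object @{n='StillActiveInAppButNotEntitled'; e={ $_.InputObject }}
```

The last comparison produces the list of accounts that the licence counter is charging for but that Azure AD no longer considers entitled, which is the set the provisioning job should have disabled or deleted.
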

Changing name of AzureAD device?


After having spent several days trying to install a pair of admin users on a new Lenovo laptop, I finally have it almost as I want it, but since the laptop was renamed after each OOTB installation it has a different name to the one in Azure AD. How do I change this name to the current and last one? It has the correct user; I haven't tried to add me as a global admin to it yet in Azure AD though.

TIA

Paul

Does Hybrid Join require a certain AD DS Schema version..?


I have been working to enable Hybrid Device Join using AD Connect (version 1.2.65.0).

My prior experience of ADHJ is that the SCP record is required but no changes to the AD DS Schema version.

When trying to configure this today the AD Connect wizard presented the warning below:

(screenshot: adhj_warningmessage)

This has effectively stopped me progressing the deployment until I can get confirmation that the Schema update is not required for ADHJ.

Similar comment on the Docs.com documentation - https://github.com/MicrosoftDocs/azure-docs/issues/18242

Sam

Device Flow doesn't work with App Registrations (preview) ?


If I register an Azure AD app using "App Registrations (preview)", I can't get it to work with Device Flow. If I use the older "App Registrations", it's fine.

I'm using the MSAL .NET library and device flow, and get this back from the server: AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'. This happens only when using (preview), with all 4 suggested native redirects ticked.
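
Device code flow is a public-client flow: the client has no secret, so the token endpoint only accepts the request if the registration is flagged as a public client. Whether that flag is set is one concrete thing to check on a registration created through the preview experience. The following is an added example, not part of the original post; the client ID is a placeholder.

```powershell
# Added example (not from the original post). Client ID is a placeholder.
Connect-AzureAD
$clientId = '00000000-0000-0000-0000-000000000000'
$app = Get-AzureADApplication -Filter "appId eq '$clientId'"

# PublicClient = $null or $false means the token endpoint treats the app as
# confidential and demands client_secret or client_assertion, which is the
# AADSTS70002 text quoted in the post.
$app | Select-Object DisplayName, PublicClient, ReplyUrls

# Mark the registration as a public client so device code (and other
# secret-less flows) are accepted without a secret.
Set-AzureADApplication -ObjectId $app.ObjectId -PublicClient $true

# Re-read to confirm the change before retrying MSAL.
(Get-AzureADApplication -ObjectId $app.ObjectId).PublicClient
```
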

Two Forests two tenants one ADFS


Hello,

My question is related to this scenario :

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation

I would like to know how to configure the second AAD Connect server.

Thank you.


Exchange online domain verification error


I started this question in the Exchange Online Forum and it was suggested that I ask the question here. 

I have two active directory domains (C1.com and C2.com) in separate locations that are not in the same forest. C1.com and C2.com are synced to separate Azure subscriptions using Azure AD Connect. I use the C2.com domain for user authentication in that Azure subscription and for website addresses. The two subscriptions have different owners in Azure.

I have a single on premises Exchange server in C1.com that accepts e-mail for C2.com as an alias to users. (me@C1.com has a secondary e-mail address of me@C2.com). There are also a couple of "e-mail only" domains (no AD) that are used as aliases. This works fine and has for many years.

I now want to migrate my Exchange server to Office 365 E3. I logged on to the Office365 portal and added my C1.com to my account using the txt record for verification with no problems. I also added the e-mail only domains. I have not modified the MX records yet.

When I add the C2.com domain I get the message "We have confirmed that you own C2.com, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: UserC2onmicrosoft.com."

All I need is the ability to have the same exchange online server accept e-mail into Office365 from C1.com and C2.com. I don't really care about the C2.com AD users in Office365 since the C1.com users have email address for both domains. I saw this article https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer, but I am not sure if it will accomplish what I want. Would putting both subscriptions under the same owner (and keeping the subscriptions separate) resolve this issue? If not, are there any other suggestions?

Thanks in advance for any help and advice.


Eric Logsdon Cooperative Technologies, Inc.

Service account for C#/Net AD changes - what perms needed and how to

Hello, we are just changing a couple of attributes via GetDirectoryEntry, then changing the property and committing the change. Our company admin has created a service account with access to update just those couple of attributes.

We get the exception "Unauthorized Access is denied" on commit, and I suspect we need full admin access to all attributes even though we are changing a few.

Please provide some detailed step-by-step instructions on how to create this service account so I can tell our AD admin to create the account correctly. I am able to change those couple of attributes via Sysinternals AD Explorer using that service account, but when done via C#/GetDirectoryEntry/change/commit I get access denied. Thanks.
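
Writing a handful of attributes does not require admin rights; a per-attribute Write Property grant is enough, and the AD admin can hand that out with dsacls. The following is an added example, not part of the original post; the OU, domain, account and attribute names are placeholders.

```powershell
# Added example (not from the original post). OU, domain, account and attributes
# are placeholders. Run as a user who can modify the OU's security descriptor.
$ou      = 'OU=Staff,DC=corp,DC=contoso,DC=com'
$account = 'CORP\svc-attrwriter'

# Grant Write Property (WP) on exactly the attributes the code changes, for user
# objects only, inheriting to sub-OUs (/I:S = child objects only, not the OU itself).
foreach ($attr in 'telephoneNumber', 'department') {
    dsacls $ou /I:S /G "${account}:WP;$attr;user"
}

# Verify: the ACEs should show WriteProperty with an ObjectType (the attribute's
# schema GUID) and InheritedObjectType (the user class GUID), nothing broader.
Import-Module ActiveDirectory
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
        InheritedObjectType, InheritanceType

# Prove the grant works outside the C# code: bind as the service account and write
# one of the attributes (prompts for the account's password).
$cred = Get-Credential -UserName $account -Message 'service account password'
Set-ADUser -Identity 'jdoe' -Replace @{ telephoneNumber = '+1 555 0100' } -Credential $cred
```

If this last write succeeds but the application still gets "Access is denied", the application is not binding as the service account: a DirectoryEntry created with only a path uses the identity of the process, so the grant above never applies unless the code passes the service account's user name and password (or runs as that account).
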

Active Directory sign in: Redirect URI for android?

I am working on a Xamarin Forms mobile app in which I intend to use Active Directory for user account management.  I have implemented a functional signup / signin in Azure and in my Xamarin Forms app, and am able to sign up / sign in when running on UWP.  However, when trying to do the same in Android I get an error.  My understanding is that the redirect URI needs to be different depending on the OS.

My UWP redirect URI is:

$"urn:ietf:wg:oauth:2.0:oob"

What redirect URI should I be using for Android / iOS?  And is this the only change I need to make for active directory to work in the other OS's?

User Provisioning - Invalid Admin Credentials


Hi, I'm trying to configure user provisioning on a new non-gallery-application. When I enter my Tenant URL & Secret key and test the connection I get the following error:

"You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account"

To check that the Tenant URL & Secret Key are correct, I updated an old application and successfully started the SCIM process.

Has anybody else encountered this issue?


Users conflict in Azure AD


So this is a complex one for me to handle so I came here asking for help.

Our company had a local AD and it was synced with Azure AD. Moving to new offices, we got ourselves a new server to manage the local AD. While replicating the servers from old to new, something went wrong: the main server left the domain and the new one didn't get any data from the process, leaving me to create a new local domain. After that I connected Azure AD with our local AD, imported users from Azure AD into the local server, and after syncing the data I now have two values for each user, both stated as "Synced with AD".

HELP?
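
The duplicate pairs arise because each cloud object carries an ImmutableId (the base64 of the on-premises objectGUID), and the objects recreated in the new domain have new GUIDs, so Azure AD Connect treats them as different people. The standard repair is to retire the stale copies and hard-match the surviving cloud objects to the new on-premises GUIDs. The following is an added example, not part of the original post; user names, domain and paths are placeholders, and it assumes the stale objects have already been taken out of the sync scope so they show as cloud-only.

```powershell
# Added example (not from the original post). Names are placeholders. Run the MSOnline
# steps from an admin workstation and the ADSync step on the AAD Connect server.
Connect-MsolService

# 1. See both copies side by side; LastDirSyncTime and ImmutableId tell old from new.
Get-MsolUser -SearchString 'jdoe' |
    Select-Object UserPrincipalName, ObjectId, ImmutableId, LastDirSyncTime, IsLicensed

# 2. Remove the duplicate that was created by the new sync (the one without the
#    mailbox/licence), including from the recycle bin so its UPN is released.
$dup = '<ObjectId of the duplicate>'          # placeholder
Remove-MsolUser -ObjectId $dup -Force
Remove-MsolUser -ObjectId $dup -RemoveFromRecycleBin -Force

# 3. ImmutableId of the recreated on-prem object (run where the AD module is available).
$guid        = (Get-ADUser -Identity 'jdoe').ObjectGUID
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())

# 4. Hard-match the original cloud object to the new on-prem object. This only works
#    while the cloud object is not currently synced (it must read as "In cloud"),
#    which is why the stale object was moved out of scope first.
Set-MsolUser -UserPrincipalName 'jdoe@contoso.com' -ImmutableId $immutableId

# 5. Put the OU back in scope and run a delta sync on the AAD Connect server;
#    the cloud object should now match the on-prem one instead of spawning a copy.
Start-ADSyncSyncCycle -PolicyType Delta
```

Do step 1 for every affected account before deleting anything: the object that owns the mailbox and licence is the one to keep, and it is not always the older one.
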



