Channel: Azure Active Directory forum

The reply url specified in the request does not match the reply urls

Set up sign-in with an Azure Active Directory account using custom policies in Azure Active Directory B2C

 

I have followed all the steps as given in the above article. At the end of the user journey, I get the error below. I tried all the possible solutions to fix it but couldn't resolve it. I even cross-checked step 7 (For the Sign-on URL, enter the following URL in all lowercase letters, where your-B2C-tenant-name is replaced with the name of your Azure AD B2C tenant:).

 

Please guide me on what could be the reason for this and the most common mistakes that may cause this error.

 

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '5c99b906-cb8b-49c4-9242-23c977ab8ce7'.
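Azure AD accepts a redirect URI only if it matches a registered reply URL exactly, with a case-sensitive path. As an added diagnostic (not part of the original post), the Python helper below compares a requested URI with the configured reply URLs component by component, so the usual causes of AADSTS50011 (path case, trailing slash, scheme or port) show up by name. The tenant name `contoso` and the configured URL list are constructed sample values.

```python
from urllib.parse import urlsplit

COMPONENTS = ("scheme", "hostname", "port", "path", "query", "fragment")

# Constructed sample: the reply URL shape of the B2C "authresp" endpoint with a
# placeholder tenant name. Replace with the URLs actually registered on the app.
CONFIGURED_REPLY_URLS = [
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp",
]


def _parts(url):
    """Split a URL into the components worth comparing. urlsplit lowercases
    scheme and hostname; path, query and fragment stay case-sensitive, which
    is exactly why a mixed-case path fails the exact match."""
    u = urlsplit(url)
    return {"scheme": u.scheme, "hostname": u.hostname, "port": u.port,
            "path": u.path, "query": u.query, "fragment": u.fragment}


def explain_mismatch(configured, requested):
    """Return None when `requested` is literally one of the configured reply
    URLs. Otherwise return, for the closest configured URL, a list of
    (component, configured_value, requested_value) tuples describing what
    differs, so the operator knows which part of the registration to fix."""
    if requested in configured:
        return None
    req = _parts(requested)
    best = None
    for cand in configured:
        cfg = _parts(cand)
        diffs = []
        for comp in COMPONENTS:
            if cfg[comp] == req[comp]:
                continue
            kind = comp
            if comp == "path" and cfg[comp].lower() == req[comp].lower():
                kind = "path (case only)"
            elif comp == "path" and cfg[comp].rstrip("/") == req[comp].rstrip("/"):
                kind = "path (trailing slash)"
            diffs.append((kind, cfg[comp], req[comp]))
        if not diffs:
            # Components agree after normalisation but the literal strings differ
            # (e.g. upper-case scheme or host): still not an exact match.
            diffs = [("literal string", cand, requested)]
        if best is None or len(diffs) < len(best):
            best = diffs
    return best


if __name__ == "__main__":
    for url in (
        CONFIGURED_REPLY_URLS[0],
        "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/AuthResp",
        "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp/",
        "http://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp",
    ):
        print(url, "->", explain_mismatch(CONFIGURED_REPLY_URLS, url))
```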


Sign In Logs not coming to Storage account despite having P2 Trial

Hi,

I am having trouble receiving the sign-in logs of Azure Active Directory in a storage account through Azure Active Directory Diagnostic Settings. I enabled the P2 trial license and then configured the storage account to get sign-in logs as well, but they are not coming through. I have also tried disabling and then enabling again after some time, but nope. Could you please check?

Directory ID -- 2dfc6a32-d03c-4504-8d69-f08da326f294

Any idea what is happening?

Thanks,

Pranav

Get a new AzureID Identifier

I am trying to set up my SSO connection between Azure and NetSuite. I set up a connection with the NetSuite Sandbox and am now trying to connect to NetSuite production. When I attempt to upload the XML file in NetSuite, it gives me the following error:

Identity provider with the entity ID XXX is already used by another account and contains different metadata associated with it. Use IDP with a different entity ID or make sure you have the latest metadata file uploaded in all accounts.

How can I get a new entity ID in Azure?

AD Connect health agent registration failed after installation

After installing Azure AD Connect on a Windows Server 2012 R2 machine, the AD Connect Health agent doesn't register. The services on the machine stay disabled and not started. I've read that I need to run the PowerShell command:

Register-AzureADConnectHealthSyncAgent -AttributeFiltering:$false -StagingMode:$false

However, this doesn't work, as it comes back with "Configuration failed":

2018-04-17 01:40:54.893 Aquiring Monitoring Service certificate using tenant.cert


Configuration Failed

To retry configuration, type:
Register-AzureADConnectHealthSyncAgent

Monitoring will not start until configuration is successful.

To review installation steps and requirements, please visit:
http://go.microsoft.com/fwlink/?LinkID=518643

Detailed log file created in temporary directory:
C:\Users\admin.inova\AppData\Local\Temp\AdHealthAadSyncAgentConfiguration.2018-04-16_19-40-21.log

Register-AzureADConnectHealthSyncAgent : Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="1.1.751.0"
At line:1 char:1
+ Register-AzureADConnectHealthSyncAgent -AttributeFiltering:$false -St ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-AzureADConnectHealthSyncAgent], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.AadConnect.Health.AadSync.PowerShell.ConfigurationModule.RegisterAzureAdConnectHealthSyncAgent

There is no proxy server in use, which can be seen in the log files too:

2018-04-17 01:40:21.175 User Context outbound connections to https://management.azure.com/providers/Microsoft.ADHybridHealthService/ will use proxy address https://management.azure.com/providers/Microsoft.ADHybridHealthService/ (if equal, no proxy is used)
2018-04-17 01:40:21.175 Service Context: Outbound connections to https://management.azure.com/providers/Microsoft.ADHybridHealthService/ will use proxy address https://management.azure.com/providers/Microsoft.ADHybridHealthService/ (if equal, no proxy is used)

So, when I try to run Test-AzureADConnectHealthConnectivity, I get the following:

PS C:\Windows\system32> Test-AzureADConnectHealthConnectivity -Role Sync
Test-AzureADConnectHealthConnectivity's execution in details are as follows:
Starting Test-AzureADConnectHealthConnectivity ...

Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
AAD CDN connectivity is skipped.
Connecting to endpoint https://login.microsoftonline.com
Endpoint validation for https://login.microsoftonline.com is Successful.
Connecting to endpoint https://login.windows.net
Unhandled exception occurred: The operation has timed out
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/policymanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/policymanager.svc is Successful.
Connectivity Test Step 1 of 3 - Failed to connect some service endpoints, please investigate.

Connectivity Test Step 2 of 3 - Blob data upload procedure begins ...
Unhandled exception occurred: System.Security.Cryptography.CryptographicException: The parameter is incorrect.

   at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.LoadIdentityInfo()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.ProcessRecord()

I've used the same account for the registration command as I used for the installation of the Azure AD Connect software, whose sync is running without problems.

There is MFA enabled on that account, but I do not see an issue there.

Hope somebody can assist.

Users not added to Dynamic group

I have created a dynamic rule for users that have a license assigned to them for Microsoft Project Professional.

I have a user that is assigned this license:

According to this article

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#multi-value-properties

I should be able to create a dynamic group and have users with this license assigned/enabled dynamically added to the group (or inherited), using the "assignedPlans" property.

I found the Project Online Professional Service ID here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

Then I created the following Dynamic Membership rule:

The rule was created successfully and evaluated, processed, and shows as "update complete". However, my user has not been added to the group, nor does his user object show him as having inherited the group as a result of this dynamic group rule.

Please help!
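The rule itself is not visible in the post, so as an added illustration (not from the post or from Microsoft) here is a small Python evaluator for the rule shape documented on the multi-value properties page linked above, `user.assignedPlans -any (assignedPlan.servicePlanId -eq "<guid>" -and assignedPlan.capabilityStatus -eq "Enabled")`, run over constructed user objects in the shape Microsoft Graph returns for `assignedPlans`. The service plan GUIDs are placeholders, and treating `-eq` as a case-insensitive comparison is an assumption; the `diagnose` helper separates the two common non-match causes (plan present but not Enabled, or no entry with that servicePlanId at all).

```python
import re

RULE_RE = re.compile(r"^user\.assignedPlans\s+-any\s+\((.+)\)\s*$", re.IGNORECASE)
COND_RE = re.compile(r'^assignedPlan\.(\w+)\s+-eq\s+"([^"]*)"$', re.IGNORECASE)

# Placeholder GUIDs (constructed). The real value comes from the licensing
# service plan reference the post links to; note it must be the *service plan*
# id, not the SKU id of the license bundle that contains the plan.
PROJECT_PLAN_ID = "00000000-0000-0000-0000-00000000aaaa"
OTHER_PLAN_ID = "00000000-0000-0000-0000-00000000bbbb"

RULE = ('user.assignedPlans -any (assignedPlan.servicePlanId -eq "%s" '
        '-and assignedPlan.capabilityStatus -eq "Enabled")' % PROJECT_PLAN_ID)


def parse_rule(rule):
    """Parse the -any (...) form into a list of (property, value) clauses."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule form: " + rule)
    clauses = []
    for clause in re.split(r"\s+-and\s+", m.group(1).strip(), flags=re.IGNORECASE):
        cm = COND_RE.match(clause.strip())
        if not cm:
            raise ValueError("unsupported clause: " + clause)
        clauses.append((cm.group(1), cm.group(2)))
    return clauses


def _plan_satisfies(plan, clauses):
    # -eq modelled as case-insensitive string equality (assumption).
    return all(str(plan.get(prop, "")).lower() == value.lower() for prop, value in clauses)


def user_matches(user, rule):
    """-any: true when at least one assignedPlans entry satisfies every clause."""
    clauses = parse_rule(rule)
    return any(_plan_satisfies(p, clauses) for p in user.get("assignedPlans", []))


def diagnose(user, rule):
    """Explain a non-match: plan present but not Enabled, or no plan with that id."""
    if user_matches(user, rule):
        return "match"
    wanted = {prop.lower(): value for prop, value in parse_rule(rule)}
    plan_id = wanted.get("serviceplanid", "").lower()
    for plan in user.get("assignedPlans", []):
        if str(plan.get("servicePlanId", "")).lower() == plan_id:
            return "plan present but capabilityStatus=%s" % plan.get("capabilityStatus")
    return "no assignedPlans entry with servicePlanId %s (SKU id used by mistake?)" % plan_id


# Constructed users in the shape of Graph's assignedPlans collection.
USER_ENABLED = {"userPrincipalName": "alice@contoso.example", "assignedPlans": [
    {"servicePlanId": PROJECT_PLAN_ID, "capabilityStatus": "Enabled"}]}
USER_SUSPENDED = {"userPrincipalName": "bob@contoso.example", "assignedPlans": [
    {"servicePlanId": PROJECT_PLAN_ID, "capabilityStatus": "Suspended"}]}
USER_OTHER = {"userPrincipalName": "carol@contoso.example", "assignedPlans": [
    {"servicePlanId": OTHER_PLAN_ID, "capabilityStatus": "Enabled"}]}

if __name__ == "__main__":
    for u in (USER_ENABLED, USER_SUSPENDED, USER_OTHER):
        print(u["userPrincipalName"], "->", diagnose(u, RULE))
```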

Graph APIs

Is it possible to access Microsoft Graph APIs with an Azure Service principal for a shared mailbox?

Resource Group management in azure

Your company has one Azure subscription. You create 5 Resource Groups within the subscription: RG1, RG2, RG3, RG4, RG5. You want to give a partner named John rights to fully manage all of the resources within RG3. John’s Live ID is john@outlook.com. John should not be able to manage the resources in any other resource group. What should you do?

A. Logon to the Azure portal, browse to RG3 and add John's Live ID as an Owner

B. Add John to your Azure Active Directory. Browse to RG3 and add John's Azure logon as an Owner

C. Add John to your Azure Active Directory. Click the Subscription and add John's Azure logon as an Owner

D. Logon to the Azure portal, click the Subscription, and add John's Live ID as an Owner

Microsoft Application Registration Portal creates app registration only in Default Directory

Hello,

When we used the Microsoft Application Registration Portal web site to register our application for B2C, it created it in our Default Directory, and there is NO option to create/register the application in another Directory (one of our existing B2C Directories, for example). Am I missing something here? How can we register our application in one of our B2C Directories (not the Default Directory)?

https://apps.dev.microsoft.com/portal/register-app

From this article (Option 2: Advanced Mode)

https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp#register-your-application

Thanks,

Kris



GetAccountsAsync call does not return anything in ASP.NET Web Core 2.2 application that integrates with Azure B2C AD

I have an ASP.NET MVC Core 2.2 application, that integrates with an Azure AD B2C to authenticate users. I can sign in correctly, and the user is authenticated.

I have also created an ASP.NET Core Web API which is also integrated with Azure AD B2C, and the goal is to call that Web API from an ASP.NET MVC controller action method. So in the MVC app I need to get the access token first. So I added the following test code in the controller of the MVC site:

    if (HttpContext.User.Identity.IsAuthenticated)
    {
        // Key the per-user MSAL token cache on the signed-in user's identifier claim
        string signedInUserID = HttpContext.User.FindFirst(ClaimTypes.NameIdentifier).Value;
        TokenCache userTokenCache = new MSALSessionCache(signedInUserID, HttpContext).GetMsalCacheInstance();

        ConfidentialClientApplication cca = new ConfidentialClientApplication(
            mgpPortalApplicationId, authority, redirectUri,
            new ClientCredential(mgpPortalSecretKey), userTokenCache, null);

        // Look up the account cached at sign-in (the post reports this comes back empty)
        IEnumerable<IAccount> accounts = await cca.GetAccountsAsync();
        IAccount firstAccount = accounts.FirstOrDefault();

        // Silent acquisition from the cache for that account
        AuthenticationResult result = await cca.AcquireTokenSilentAsync(null, firstAccount, authority, false);

        // Call the Web API with the acquired token as a bearer token
        HttpClient client = new HttpClient();
        HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "https://localhost:44307/api/values");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        HttpResponseMessage response = await client.SendAsync(request);
    }

The problem is that accounts.FirstOrDefault() gives back null.

Additional observation: if I run the demo https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp, which uses an older Microsoft.Identity.Client version, then the call to cca.Users.FirstOrDefault() gives back a user correctly, and it all works ok. However, when I upgrade this demo project to .NET Core 2.2 and Microsoft.Identity.Client 2.7, then I have to pass an IAccount and so I need to call GetAccountsAsync(), and this returns no account.

Any idea?

I described this issue also here: https://stackoverflow.com/questions/54335269/get-access-token-in-web-site-integrated-with-azure-ad-b2c



Coming away from third party Identity Provider

Hi,

We currently have Office 365, and our Azure Directory sync is managed by a third-party service who do not use AD Connect but their own API. Once we configure ADFS on our end and set up AD Connect, will this break all the accounts in Azure, since they have already been populated from our AD, or will this re-enable the sync again once we come away from the third party and allow SSO?

Also, would there be an issue with setting up AD Connect before we come away from our third party as Azure will be retrieving the same accounts from our ADFS and our third party identity provider?

Thanks,

Peter


Unable to update the SPN keys hits an error while doing so

I have created an SPN in Azure.

I am unable to set another key; it gives me an error:

Unable to complete the request due to data validation error.

Any idea what might be causing this?



KK

Boolean query for dynamic membership groups taking ages

I've been working on a dynamic membership rule query. It took 5 minutes to get it applied a few hours ago, but now it's been going for 30 min+ twice, and it's shorter than before. What is up?

Seems almost stuck on Processing Updates.

The query is fine; I'm wondering whether there's a reason why it took 5-10 minutes a few hours ago and a few hours later it's taking ages.
Nothing changed on my side, so I figure it's on yours.
If I raise an SR it'll take hours and it may be done by then, hence I reach out on Twitter.
If there's an issue here you wouldn't notice it in a few hours.

Create Azure SSO Application using the Graph API

I am trying to create an Azure SSO application using the graph API (no console).

I am able to create an application using: `/beta/applications`

What I am having trouble figuring out how to do using the Graph API is the "Set up Single Sign-On with SAML" step. I want to be able to set the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) of the Basic SAML Configuration section.

Can someone explain which Graph API I should be using for this?

Custom claims in msal.js access token

I have secured my Angular 7 application by using msal.js. I've created a custom policy that returns custom claim types in the id_token and in the access_token. To achieve this, I've been following this tutorial: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw. When I use the acquireTokenSilent() msal.js method, the JWT token does not contain the custom claims (contract, fileUploadAllowed).

When I use the "Run Now" button on the Custom Policy pane in Azure, I do receive an access_token that has the custom claims.

The payload of the JWT token that is generated by running the policy in Azure (changed some of the values):

    {
      "iss": "https://login.microsoftonline.com/guid/v2.0/",
      "exp": 1548416392,
      "nbf": 1548455092,
      "aud": "c152h904-835a-496f-8919-e74f5013374c",
      "contract": "Contract03",
      "fileUploadAllowed": false,
      "sub": "25a6ec11-16fd-477a-8917-e0728c69e1db",
      "nonce": "defaultNonce",
      "scp": "portal.read user_impersonation",
      "azp": "c154c904-835a-496f-8919-e74f5087384c",
      "ver": "1.0",
      "iat": 1542213053
    }

The payload of the JWT token (access_token) that is generated by msal.js:

    {
      "iss": "https://login.microsoftonline.com/guid/v2.0/",
      "exp": 1548416396,
      "nbf": 1548455092,
      "aud": "c152h904-835a-496f-8919-e74f5013374c",
      "sub": "25a6ec11-16fd-477a-8917-e0728c69e1db",
      "nonce": "e6df86c9-7c19-4cb5-a4ac-1aa2a89b1951",
      "scp": "portal.read user_impersonation",
      "azp": "c154c904-835a-496f-8919-e74f5087384c",
      "ver": "1.0",
      "iat": 1542213953
    }

I want to receive the custom claims in the access_token that is generated by msal.js. Does anyone know what I should do in order to make this work?

Thank you.
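As an added example (not from the post), the Python snippet below decodes the payload of two compact JWTs and reports which claims the second one lacks and which differ, a quick way to confirm that the token msal.js obtained was issued without the custom claims rather than carrying them under another name. The payloads are constructed to mirror the two shown above with placeholder identifiers; the tokens are unsigned and the code only inspects them, it does not validate signatures.

```python
import base64
import json


def b64url_decode(segment):
    """JWS uses base64url without '=' padding (RFC 7515); restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload):
    """Build header.payload. with an empty signature, for local inspection only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()), ""])


def decode_payload(token):
    """Return the payload claims of a compact JWS. No signature check: this is
    a debugging aid for comparing claim sets, not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def compare_claims(reference, candidate):
    """Claims present in `reference` but absent from `candidate`, plus claims
    present in both whose values differ (exp/iat/nonce normally differ)."""
    ref, cand = decode_payload(reference), decode_payload(candidate)
    return {
        "missing": sorted(set(ref) - set(cand)),
        "differing": sorted(k for k in set(ref) & set(cand) if ref[k] != cand[k]),
    }


# Constructed payloads mirroring the post's two tokens (placeholder ids).
COMMON = {"iss": "https://login.microsoftonline.com/<tenant-guid>/v2.0/",
          "aud": "<api-client-id>", "sub": "<user-object-id>",
          "scp": "portal.read user_impersonation", "azp": "<client-id>", "ver": "1.0"}
RUN_NOW_TOKEN = make_unsigned_jwt(dict(COMMON, exp=1548416392, nbf=1548455092,
                                       iat=1542213053, nonce="defaultNonce",
                                       contract="Contract03", fileUploadAllowed=False))
MSAL_TOKEN = make_unsigned_jwt(dict(COMMON, exp=1548416396, nbf=1548455092,
                                    iat=1542213953,
                                    nonce="e6df86c9-7c19-4cb5-a4ac-1aa2a89b1951"))

if __name__ == "__main__":
    print(compare_claims(RUN_NOW_TOKEN, MSAL_TOKEN))
```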

Conditional Access: Browser access via MFA unexpected behavior

Hi,

I've created a conditional access policy which forces MFA when my services are accessed using a browser. Since we are testing, I wanted to exclude the Azure management portal from the applicable applications in order to be sure I can still access the portal.

  • Settings:
      • Name: Browser Access via MFA
  • Assignments:
      • Users and Groups: All users included, and specific group for fail-safe accounts excluded
      • Cloud apps: All Cloud Apps, Microsoft Azure Management excluded
      • Conditions:
          • Locations: Any location, all trusted locations excluded
          • Client apps (preview): Browser
  • Access Controls:
      • Grant: Grant access\Require multi-factor authentication

When I enable this Conditional Access policy and log on to the Azure Management Portal, I receive errors like:

The portal is having issues getting an authentication token. The experience rendered may be degraded. Additional information from the call to get a token: Extension: fx Resource: graph Details: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'. Trace ID: f3b74d60-05f7-45a8-9035-8fbffa1d2900 Correlation ID: f6338c63-d5f6-4e8c-b030-7a06e7ea46ae Timestamp: 2019-01-23 13:21:38Z

Working in the portal is not doable, since only partial stuff works.

If I remove the Azure Management Portal from the exclusion list, all seems to work as expected: I'm being asked for MFA when using the browser, as expected.

I hope someone can shed light on what I'm configuring wrong; it seems that the Microsoft Azure Management cloud app doesn't work as expected in this specific Conditional Access policy.

The What If tooling doesn't give any issues, b.t.w., when testing the policy against that...

Hope someone can help,


/Kenneth


ADFS and integrated authentication with both SAML and OpenID Connect

Hi,

We are using ADFS 4.0 and have one site using SAML, with IP restrictions, and another site using OpenID Connect. When using IE/Edge, Windows Integrated Authentication is enabled. We get an internal error in ADFS when you first sign in to the site using SAML and then try to sign in to the other site using OpenID Connect. The sign-in to the OpenID Connect site works if you clear cookies and go straight to that site.

It appears ADFS gets into an internal error state trying to use single sign-on between the first site (SAML) and second site (OpenID Connect), or gets into some internal conflict trying to track session for the user. Our intent is to really treat these sites as completely different logins, with SSO being driven by windows integrated authentication through the browser.

Azure SSPR - Conditional Access Policy

Does anyone know if it's possible to enable a Conditional Access Policy against the SSPR Registration page so it can only be accessed for our tenancy from trusted locations?

How to automate the password hash synchronization for AzureAD managed domain services?

I'm trying to automate the creation of Azure AD Domain Services plus joining a VM to that managed domain.

One of the prerequisites is enabling password hash synchronization. The official docs (link below) describe how to do this via the portal. But is it possible to do this from PowerShell or ARM templates?

Link: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started-password-sync

Please let me know if any additional details are needed.

Thanks,

Mithun

Azure AD B2C accessing user profile info...

I have set up the basic Sign up / Sign in for my web app and everything is working fine.

I would now like to programmatically access the user profile variables from my MVC app.

@User.Identity.Name returns the name of the user. How do I access other variables in the profile?

@User.Identity.City or my custom variable name of @User.Identity.AgencyCode error out and don't return a value. How do I access these fields?

 

AD FS Certificate Rollover - NextTokenSigningCertificate still listed under Office 365 after failed rollover

Our AD FS certificate was set to auto-renew at 50 days before expiry, then roll over 10 days later.

This didn't auto-rollover in Office 365, as I understand that it starts checking for a new certificate at 30 days.

We set the rollover to manual, updated the certificate, forced O365 to use the new certificate, which allowed people to authenticate.

However, when I now check the certificates, there is no NextTokenSigningCertificate listed under AD FS, but there is still a NextTokenSigningCertificate listed in Office 365 - which expires before the current token signing certificate.

If I set this back to auto-rollover, will Office 365 try to use the NextTokenSigningCertificate it has listed? Can I remove this?

Secondly, if I change the auto-renew to 50 days before expiry and then roll over 21 days later, would this give Office 365 time to start checking for a new signing certificate (at 30 days), accounting for any delay by giving it the extra day before rolling over?

And will it then renew the NextTokenSigningCertificate I see in AD FS under Office 365?

