In our use case we have a cloud based AD to manage all user accounts in our company, since it's cloud-only so Azure AD can replace all the function we used now.
We want to migrate all users from the on-premise AD to Azure AD, and delete the origin instance later. Using the Azure AD Connect syncing can sync all users with source 'Windows Server AD' but leaves them non-editable.
How to do a full migration instead of syncing?
Thanks,
Hi,
I'm trying to add two Azure AD Provider trust into ADFS.
When I do try to add the second one I get the exception:
MSIS7600 Each Signing Certificate value for a claims provider Trust must be unique across all claims provider trusts in ADFS 2.0 configuration
Shouldn't we be allow to add multiple Azure Ad tenants?
Is there any way to get around this?
Thanks.
Hi!
I have configured Autopilot and Device Writeback on AAD Sync for Hybrid Join. If i reset a windows 10 Noteboot (ver. 1809), i´m able to see my company branding logo after fresh restart and write my login credentials. The Azure AD registration works fine, and the onPrem AD join is working too. In the onPrem AD i can see under OU RegisteredDevices my deviceid, and the computer account under the OU Computers. But the process on the desktop device is just running for a long time (approx 6-10 min.) and then failes with just the errorcode 80004005. Can´t see more information and just able to click on reset device. Don´t know what else i can do. Anybody an idea? The user for tie Intune connector and the user i logged on to the windows 10 client have both the "Enterprise Mobility + Security E5" Licence.
Br
Manuel
Hi all,
I have set up:
- Domain Controller with Azure AD Connect
- Pass-through authentication
- Microsoft 365 E3
Summary:
We have synced our local AD to Azure AD and configured Pass-through authentication as primary authentication method.
We want to provide our users when they first get a new laptop with a temporary password, so the user can change it to something else.
When the user first logs in in Windows 10 he get's an "incorrect username or password" message.
When we turn off "User must change password at next logon" the user can login fine. I thought this behavior was fixed with PTA authentication? Am I wrong?
Hi,
I would like to know if updating of approle assignment is possible. Currently, i can only do a delete of appRole assignment 1st before adding the new appRole assignment through the Azure AD graph API.
Regards,
Zhi Jian
I have an ASP.NET MVC Core 2.2 application, that integrates with an Azure AD B2C to authenticate users. I can sign in correctly, and the user is authenticated.
I also have created an ASP.NET Core Web API which is also integrated with the Azure B2C AD, and the goal is to call that web api from an ASP.NET MVC controller action method. So in the MVC app I need to get the access token first. So I added the following test code in the controller of the MVC site:
if(HttpContext.User.Identity.IsAuthenticated){string signedInUserID =HttpContext.User.FindFirst(ClaimTypes.NameIdentifier).Value;TokenCache userTokenCache =newMSALSessionCache(signedInUserID,HttpContext).GetMsalCacheInstance();ConfidentialClientApplication cca =newConfidentialClientApplication(mgpPortalApplicationId, authority, redirectUri,newClientCredential(mgpPortalSecretKey), userTokenCache,null);IEnumerable<IAccount> accounts =await cca.GetAccountsAsync();IAccount firstAccount = accounts.FirstOrDefault();AuthenticationResult result =await cca.AcquireTokenSilentAsync(null, firstAccount, authority,false);HttpClient client =newHttpClient();HttpRequestMessage request =newHttpRequestMessage(HttpMethod.Get,"https://localhost:44307/api/values");
request.Headers.Authorization=newAuthenticationHeaderValue("Bearer", result.AccessToken);HttpResponseMessage response =await client.SendAsync(request);}The problem is that accounts.FirstOrDefault() gives
back null.
Additional observation: if I run the demo https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp,
which uses an older Microsoft.Identity.Client version, then the call to cca.Users.FirstOrDefault() gives back a user correctly, and it all works ok. However,
when I upgrade this demo project to .NET Core 2.2 and Microsoft.Identity.Client 2.7, then I have to pass an IAccount and so I need to call GetAccountsAsync(),
and this returns no account.
Any idea?
I described this issue also here: https://stackoverflow.com/questions/54335269/get-access-token-in-web-site-integrated-with-azure-ad-b2c
hi,
Recently,i have connected my azure web app with azure active directory.Now it is possible for people to sign in to app with azure account.But i dont know how to show user's name on the page.If i can get only the username from sign in (from page load or any other event) i can use that name to go anywhere in site.But i dont know how to get username or any other credientials from sign in.Office 365 and sharepoint does it very well.You can always see the username on right top corner.Can somebody explain how to get user data from sign in ?
I am trying to setup my SSO connection with Azure and Netsuite. I set up a connection with Netsuite Sandbox and now am trying to connect to Netsuite production. When I attempt to upload the xml file in Netsuite, it gives me the following error:
Identity provider with the entity ID XXX is already used by another account and contains different metadata associated with it. Use IDP with a different entity ID or make sure you have the latest metadata file uploaded in all accounts.
How can I get a new entity id in Azure?
We have setup a VM server in Azure that we plan to use as a file server.
We are trying to set it up so my users from our on-prem domain can use their on-prem AD credentials on the VM server.
This requires us to Enable Azure AD Domain Services password hash synch. We have AD Connect that we use for AD syncying for Office365. There is a powershell script that the instructions are asking us to use. We are stuck on the correct connector names to use. We tried the ones we use for Office365 but the Azure AD Domain Service still says we have to configure.
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started-password-sync-synced-tenant
Hello, I sucessfully joined a VM in to my domain (AD DS), and installed Active Directory tools now I am trying to access Active Directory Administrative center its throwing following error "your account or computer is not joined to any domain, try again" but I already joined that VM in to my domain please assist us to solve this.
Thanks.
Hello,
My question is related to this scenario :
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation
I would like to know how to configure the seconde AAdconnect server.
Thank you.
I want to share the same AD with multiple subscriptions to keep the same sets of users. How can i achieve that. Lets say I have 10 Azure subscriptions and I have one AD on prem. I want to make sure that the same users and groups now show up in all 10 Azure subscriptions so i can assign RBAC roles. Is that even possible and if so how ?
Thanks !
The 'User Risk Policy' under Azure AD Identity Protection has an option for "Allow Access (require password change)"
However, when we select an at-risk user and select 'Reset Password':
Does this mean that when the "require password change" is triggered by the policy, that it/the user can't reset the password, which then blocks the user signin?
So, we’re currently trialing Microsoft EMS in our organization and have set up a trail environment for a pilot program. Our estate is made up of standalone PC’s or a group of PC’s in a LAN/Workgroups and we do not have any on-prem ADDS or ADFS in place. In short, a cloud only setup.
With that said, we have been trying to set up Self Provisioning and Out-of-Box Enrolment /AD join for our Windows 10 Pro devices (laptops and desktops), in line with the guidance notes provided on the Docs & Technet portal for setting up Azure AD join for devices, but have had no luck so far.
Here are the key issues we’re facing:
- IF we let the employees perform Azure AD Join for their corporate owned devices, then the employee is made Administrator and then after the joining happens, rest of MDM Enrolment process kicks in… with all the polices set in the MDM, restrictions etc. The challenge here is, we cannot let the end user/ non IT staff have elevated permissions as administrator on their work laptops/desktops.
Leaving employee with Admin premissions on the device has 2 key issues:
OR
- IF we have an IT Admin perform the AD Join (and MDM enrolment) for all of our devices (before a device is handed over to the end user), then the issue we’re facing when the device is given to the enduser and he logs in as Other User with his Office365 credentials, is that, the user is not able to access the office365 resources which require conditional access (devcies must be compliant or domain joined).
When attepting to access, say Exchange Online, the user is presented with the error: “Your IT Admin is a ensuring this device is compliant and this may take some time. To check the status check the company portal”. Now, in the company portal, it says “you must Enrol this device” and shows and Enrol button which is basically a link to download Intune Client. And when we try to download Intune Client, again we’re presented with an error message: “This device is already managed by an MDM”, i.e. the built in MDM of Windows 10”.
Any guidance / help with this conundrum, will be highly appreciated. Many thanks.
Hi ,
Just wondering whether someone might be able to shed some light on results
I'm getting when running IDfix prior to running AAD Connect in a test environment .
I've created a test domain ad.domainname.com which should be non-routable. My test users UPN is test@ad.domainname.com and as such
I'm expecting that idfix should query the users and give back a top level domain error however they all pass the query test .
Has anyone experienced anything like this before ??? Does IDFix ignore a prefix in the upn suffix after the @ "ad" and then as the domainname.com does routable it's not an issue per se
Thanks in advance
I started this question in the Exchange Online Forum and it was suggested that I ask the question here.
I have a single on premises Exchange server in C1.com that accepts e-mail for C2.com as an alias to users. (me@C1.com has a secondary e-mail address of me@C2.com). There are also a couple of "e-mail only" domains (no AD) that are used as aliases. This works fine and has for many years.
I now want to migrate my Exchange server to Office 365 E3. I logged on to the Office365 portal and added my C1.com to my account using the txt record for verification with no problems. I also added the e-mail only domains. I have not modified the MX records yet.
When I add the C2.com domain I get the message "We have confirmed that you own C2.com, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: UserC2onmicrosoft.com."
All I need is the ability to have the same exchange online server accept e-mail into Office365 from C1.com and C2.com. I don't really care about the C2.com AD users in Office365 since the C1.com users have email address for both domains. I saw this article https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer, but I am not sure if it will accomplish what I want. Would putting both subscriptions under the same owner (and keeping the subscriptions separate) resolve this issue? If not, are there any other suggestions?
Thanks in advance for any help and advice.
Eric Logsdon Cooperative Technologies, Inc.
Hi, I'm trying to configure user provisioning on a new non-gallery-application. When I enter my Tenant URL & Secret key and test the connection I get the following error:
"You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account"
To check that the Tenant URL & Secret Key are correct, I updated an old application and successfully started the SCIM process.
Has anybody else encountered this issue?
