Channel: Azure Active Directory forum

Azure Get Email After Sign In


hi,

I asked a similar question before, about how to get someone's name after sign in. Someone showed me this example and it worked really great.

var displayName = ((System.Security.Claims.ClaimsIdentity)User.Identity).Claims.Where(c => c.Type == "name").FirstOrDefault()?.Value; // ?. avoids a NullReferenceException when the claim is absent

It gets the name. Unfortunately, I quickly realized that getting the name won't be enough. Some people have the exact same names. I needed something unique, so I tried email instead. It always returned null.

I tried types like

1. If I read it correctly, the default type for email is "email"

var displayName = ((System.Security.Claims.ClaimsIdentity)User.Identity).Claims.Where(c => c.Type == "email").FirstOrDefault()?.Value;

returned nothing...

2. People were recommending this query on forums, so I have tried "preferred_username"

var displayName = ((System.Security.Claims.ClaimsIdentity)User.Identity).Claims.Where(c => c.Type == "preferred_username").FirstOrDefault()?.Value;

again returned nothing...

After these two, any type I tried returned no result except "name".

I checked the delegate settings for the app in Azure Active Directory and "sign and read profile" is checked. I couldn't find anything wrong there. What could be the reason? I am working in a company and we have a company domain which works under Office 365...
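An added example, not code from the post, written in Python rather than C#: it decodes a constructed, unsigned ID token to list which claims are actually present, and shows that tenant id plus object id (tid + oid) is the stable unique key for a user, while the login-name claim (upn, preferred_username, email or unique_name, depending on token version and account type) is only a display value. The sample token is constructed here, and the decoder does not verify the signature, so it is for inspection only.

```python
import base64
import json
from typing import Optional

# Constructed sample claim set resembling what an Azure AD ID token carries.
# These ids are placeholders, not values from any real tenant.
SAMPLE_PAYLOAD = {
    "name": "Jane Doe",
    "oid": "00000000-0000-0000-0000-000000000001",   # constructed object id
    "tid": "00000000-0000-0000-0000-0000000000aa",   # constructed tenant id
    "upn": "jane.doe@example.com",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token(payload: dict) -> str:
    """Assemble an unsigned (alg=none) JWT for inspection; signature part empty."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the JWT payload to see which claims the token really contains.
    This does NOT verify the signature, so never base an authorization
    decision on the result; use it only to debug what your app receives."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Order of preference for a human-readable login name; which one is present
# depends on the token version and whether the account is work or personal.
LOGIN_NAME_CLAIMS = ("upn", "preferred_username", "email", "unique_name")


def stable_user_id(claims: dict) -> str:
    """tid + oid is the immutable, collision-free key for a user in Azure AD;
    display names and e-mail addresses can collide or change over time."""
    return f"{claims['tid']}:{claims['oid']}"


def login_name(claims: dict) -> Optional[str]:
    """Return the first login-name claim present, or None if the token has none."""
    return next((claims[c] for c in LOGIN_NAME_CLAIMS if c in claims), None)
```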


Microsoft Application Registration Portal creates app registration only in Default Directory


Hello,

When we used the Microsoft Application Registration Portal web site to register our application the portal created the application in our Default Directory (under App Registrations Preview in "Applications from personal account") and there is NO option to create/register the application in another Directory (one of our existing B2C Directories for example). Am I missing something here?  How can we accomplish registering our application in one of our B2C Directories (not the Default Directory)?  And what is "Applications from personal account"?  Did it create the app registration here because we have a Personal account and not a Work/School account?

https://apps.dev.microsoft.com/portal/register-app

From this article (Option 2: Advanced Mode)

https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp#register-your-application


Thanks,

Kris






Assigning AppRole in a programmatic way?


Hi. 

My colleague is trying to assign an AppRole to users in a programmatic way (to integrate it with our DevOps). It seems that currently there is no API for this (this API is just for built-in roles).

Apparently it's possible by means of PowerShell; however, we have Macs and our CI servers aren't Windows, so this is not an option. Logically, it should be possible through Cloud Shell, but it's not possible to integrate Cloud Shell with a DevOps pipeline (please correct me if I'm wrong). So I'm wondering, without having a Windows machine, is there any way to do this in a programmatic way? Or is the only way to achieve this to change the manifest file from the Portal?

If any of my assumptions are wrong, please correct me.

Bitlocker key mismatch


Hi

I have a drive encrypted with BitLocker, and I have needed to go through Startup Repair. The first time I used the BitLocker key, and it worked. I ran System Restore, which crashed out and said the restore point had become corrupted, so I booted back into Startup Repair and tried the same BitLocker key, which now does not work. The recovery window shows me the BitLocker ID, which is different; when looking in Azure AD against the user next to Devices, I can see that this code is the computer ID.

The BitLocker Key ID and recovery ID at the bottom of this page are the ones I have been trying.

I don't understand why the identifier ID would have changed. Any advice will be greatly appreciated.

Azure AD Hybrid Join with Autopilot


Hi!

I have configured Autopilot and Device Writeback on AAD Sync for Hybrid Join. If I reset a Windows 10 notebook (ver. 1809), I'm able to see my company branding logo after a fresh restart and enter my login credentials. The Azure AD registration works fine, and the on-prem AD join is working too. In the on-prem AD I can see my device id under the OU RegisteredDevices, and the computer account under the OU Computers. But the process on the desktop device just runs for a long time (approx. 6-10 min.) and then fails with just the error code 80004005. I can't see more information and am just able to click on reset device. I don't know what else I can do. Does anybody have an idea? The user for the Intune connector and the user I logged on to the Windows 10 client with both have the "Enterprise Mobility + Security E5" license.

Br

Manuel

Azure MFA, Conditional Access and Oauth2


I'm having trouble getting an access token for a test user for whom I've enabled Azure MFA and Conditional Access. When I try to use the curl call below, I'm issued a response with a claims attribute. After reading all the documentation I could find on how to use the claims attribute, I can't find any concrete examples of how to structure a new request for the user to perform MFA and then be able to get an access token.

I was wondering if anyone's seen something similar or if they know the structure of the subsequent request to be able to prompt the user for MFA.

Thanks!

Curl Request:

curl -vk -X POST \
  -d 'resource=https://graph.windows.net&client_id=${clientId}&client_secret=${clientSecret}&scope=openid&grant_type=password&username=${mfaUser}&password=${mfaPassword}' \
  https://login.microsoftonline.com/common/oauth2/token

Response:

{
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.\r\nTrace ID: 7e56a4f2-0a6d-4666-a322-25c96e961b00\r\nCorrelation ID: c7b1d42f-e796-4547-9704-4d971e71d4e2\r\nTimestamp: 2018-11-20 15:05:16Z",
    "error_codes": [50076],
    "timestamp": "2018-11-20 15:05:16Z",
    "trace_id": "7e56a4f2-0a6d-4666-a322-25c96e961b00",
    "correlation_id": "c7b1d42f-e796-4547-9704-4d971e71d4e2",
    "claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"${GUID}\"]}}}",
    "suberror": "basic_action"
}
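An added example, not code from the post, showing the shape of the subsequent request: the password (ROPC) grant has no user interface and cannot satisfy MFA, so the claims value from the error is passed unchanged as the claims parameter of an interactive authorize request, and the authorization code returned after the user completes MFA is then redeemed at the token endpoint. The client id, redirect URI and state are placeholders, and the error dict is a constructed copy of the response above.

```python
import json
from urllib.parse import urlencode

# Constructed copy of the token-endpoint error shown above (trace ids omitted).
TOKEN_ERROR = {
    "error": "interaction_required",
    "error_codes": [50076],
    "suberror": "basic_action",
    "claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"${GUID}\"]}}}",
}

# Standard Azure AD v1 interactive authorization endpoint.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"


def needs_interactive_auth(resp: dict) -> bool:
    """AADSTS50076 arrives as error=interaction_required plus a 'claims' blob.
    Retrying the password grant cannot help; only a browser flow can run MFA."""
    return resp.get("error") == "interaction_required" and "claims" in resp


def challenge_policy_ids(resp: dict) -> list:
    """Return the Conditional Access policy ids named in the challenge; useful
    for logging which policy blocked the silent token request."""
    claims = json.loads(resp["claims"])
    return claims.get("access_token", {}).get("capolids", {}).get("values", [])


def build_authorize_url(resp: dict, client_id: str, redirect_uri: str,
                        resource: str, state: str) -> str:
    """Build the interactive authorize request. The 'claims' value from the
    challenge is forwarded verbatim so Azure AD enforces the MFA policy; the
    other parameters are the normal authorization-code flow inputs."""
    if not needs_interactive_auth(resp):
        raise ValueError("response is not a claims challenge")
    json.loads(resp["claims"])                    # fail early on a malformed blob
    params = {
        "client_id": client_id,                   # placeholder in the test below
        "response_type": "code",
        "redirect_uri": redirect_uri,             # must match the app registration
        "resource": resource,
        "state": state,                           # bind the callback to this session
        "claims": resp["claims"],
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"
```

Once the browser returns to redirect_uri with a code (and the same state), the client exchanges it at the token endpoint with grant_type=authorization_code.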

Best practice for SSO and MFA for on premise web Applications and Thick client Applications

Hi,

We have an on-premises web application and an on-premises thick client application, and we want to know what would be the best practice for authentication with MFA using Azure AD.
For now we have planned to use ADFS with Azure AD for the on-premises thick client application and Application Proxy with Azure AD for the web-based application.
Can anyone please suggest the best practice for this?

Sign In Logs not coming to Storage account despite having P2 Trial


Hi,

I am having trouble receiving the sign-in logs of Azure Active Directory in a storage account through the Azure Active Directory Diagnostic Settings. I enabled the P2 trial license and then configured the storage account to get sign-in logs as well, but they are not coming. I have tried disabling and then enabling again after some time as well, but nope. Could you please check?

Directory ID -- 2dfc6a32-d03c-4504-8d69-f08da326f294

Any idea what is happening?

Thanks,

Pranav


Service account for C#/Net AD changes - what perms needed and how to

Hello, we are just changing a couple of attributes via GetDirectoryEntry, then changing the property and committing the change. Our company admin has created a service account with access to update just those couple of attributes. We get the exception "Unauthorized Access is denied" on commit, and I suspect we need full admin access to all attributes even though we are changing only a few. Please provide some detailed step-by-step instructions on how to create this service account so I can tell our AD admin to create the account correctly. I am able to change those couple of attributes via Sysinternals AD Explorer using that service account, but when done via C#/GetDirectoryEntry/change/commit I get access denied. Thanks

AD FS Certificate Rollover - NextTokenSigningCertificate still listed under Office 365 after failed rollover


Our AD FS certificate was set to auto-renew at 50 days before expiry, then roll over 10 days later.

This didn't auto-rollover in Office 365 as I understand that starts checking at 30 days for a new certificate.

We set the rollover to manual, updated the certificate, forced O365 to use the new certificate, which allowed people to authenticate.

However, when I now check the certificates, there is no NextTokenSigningCertificate listed under AD FS, but there is still a NextTokenSigningCertificate listed in Office 365 - which expires before the current token signing certificate.

If I set this back to auto-rollover, will Office 365 try to use the NextTokenSigningCertificate it has listed? Can I remove this?

Secondly, if I change the auto-renew to 50 days before expiry, then roll over 21 days later, would this give Office 365 time to start checking for a new signing certificate (at 30 days), and account for any delay by giving it the extra day before rolling over?

And will it then renew the NextTokenSigningCertificate I see in AD FS under Office 365?


Is it possible to get Authorization Logs?


Hi,

Is it possible to get the authorization logs from the Azure Active Directory or Azure?

I am looking for logs which get produced when one person (who doesn't have the permission) tries to perform an operation which he is not supposed to do. For example, a Key Vault Contributor trying to change the Web App settings. Can I get those logs? Any way?

Thanks,

Pranav

Setting up Azure AD Domain Services


We have setup a VM server in Azure that we plan to use as a file server.

We are trying to set it up so that my users from our on-prem domain can use their on-prem AD credentials on the VM server.

This requires us to enable Azure AD Domain Services password hash sync. We have AD Connect that we use for AD syncing for Office 365. There is a PowerShell script that the instructions are asking us to use. We are stuck on the correct connector names to use. We tried the ones we use for Office 365, but Azure AD Domain Services still says we have to configure it.

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started-password-sync-synced-tenant

Azure B2C Geo-Redundancy Options


We switched from an internal authentication system for our external users to Azure B2C two weeks ago. A week before we went live, Office 365 went down, which took out our non-prod B2C environment, Outlook and SharePoint (for our employees). This week Office 365 went down again, which now impacts our customers in addition to our employees. Our CIO is calling into question the decision to switch to Azure B2C in the light of two outages in the last month. Within minutes we were getting calls from angry customers, and saying it is Azure's fault is not sufficient.

From what the status pages indicate the issues impacted one region of Azure. The temporary resolution was for the impacted services to be offloaded somewhere else. This improved connectivity but now made logins intermittently fail. One of the big claims about the cloud is the ability to have geo redundancy (or similar) such that if a region is having issues our apps can move to a different region where things are working properly.

Does B2C have anything that we can use to get this reliability so that future outages in a particular region won't negatively impact our users? Multi-cloud is the only other option we can think of but syncing login information across Azure and AWS doesn't even seem possible given the sensitive nature of the data.


Michael Taylor http://www.michaeltaylorp3.net

Deploying Azure AD

I have a few questions about deploying Azure AD to a client.

1. We are looking to move a client to Azure AD. It is a mostly Windows 10 environment, with 2 Windows 7 workstations though. There is currently an onsite Domain Controller with local AD. Is it possible to do a hybrid setup and have Azure AD as the primary AD?

2. How does moving to Azure AD affect our pre-existing GPOs in our environment?

3. What are the licenses and costs the client will need? They currently have Business Premium licenses.

locked out of default directory


I am on a free trial subscription, and while playing with Azure Active Directory I deleted myself (my account) from the Directory admins. Now I don't have any access to Azure Active Directory (default directory).

Is there a way to fix that?

thank you!


List your application in the Azure Active Directory application gallery - need to add an account that is not in AAD



Hello, 

As per https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing#submit-the-request-in-the-portal …, I am requesting to add cloud.root@softwareag.com to register in the Azure Active Directory application gallery, but haven't heard anything yet after a few days.

However, cloud.root@softwareag.com is not in our AAD directory.

Your Azure Twitter Support team suggested I send the request in this forum.



Best Regards,

Ping Wu


Updating of AppRole Assignment


Hi,

I would like to know if updating an appRole assignment is possible. Currently, I can only delete the appRole assignment first before adding the new appRole assignment through the Azure AD Graph API.

Regards,

Zhi Jian

Buy more license for Office365 via Powershell or MOSI


Hi all, 

Do you know if there is a way to add/remove licenses for Office 365 via either a PowerShell command or MOSI (Microsoft Online Syndication Interface) calls?

So far:
- I couldn't find a cmdlet for this in the Windows Azure Active Directory Module.

- There is a call in MOSI for managing subscriptions, but I can't find the subscription id of my Office 365.

Please help.
Thanks.

Azure AD B2C accessing user profile info...


I have set up the basic Sign up Sign in for my Web app and everything is working fine.

I would now like to programmatically access the user profile variables from my MVC app.

@User.Identity.Name returns the name of the user. How do I access other variables in the profile....

@User.Identity.City or my custom variable name @User.Identity.AgencyCode error out and don't return a value. How do I access these fields?

Azure B2C SSO and the free 50,000 users and logins


Hello,

We are trying to implement SSO using Azure B2C AD into one of our web sites. We want to migrate our PUBLIC users (NOT related to our company) into the B2C AD database. We want to take advantage of the free 50,000 users and B2C logins.

We have a few questions.

1. Is there a separate database where B2C AD "consumer" users are saved (NOT in the Azure AD)?  Or are all "consumer" users also stored in Azure AD along with "work account" users?

2. If there is a separate database for B2C AD "consumer" users then where is it and how can we access it directly? Is there an interface or portal or a connection string, etc. Can it be accessed by PowerShell? Is it a SQL Server database?

3. When looking at users in AD, how do we determine each user's type ("work account" or "consumer" user)?

4. How can we take advantage of the 50,000 free users and/or 50,000 free logins? Does this also include self-serve password reset for all user types (including "consumer" users)?

5. Is an Azure AD license required to implement the B2C SSO?  If so would our Office 365 license satisfy this requirement?

6. Looking in the Azure Portal under Azure AD there is an application with the name "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data" <-- What is this? What is it used for? How can we get the secret/key for it since it is automatically created and the key is hidden? Can we upload our own public key to replace the default secret/key?

Thank you,

Kris Sebesta

