Channel: Azure Active Directory forum

Azure Licensing for B2B specific Scenario?


Hello, 

We have a tenant (ex: www.contoso.com) in Azure, where our Azure AD includes 800 users. We are going to publish a new application (based on SharePoint on-prem) which will be accessed by guest users (B2B); the scenario is as follows:

1- This will be a separate domain, let's say (newapp.contoso.com) or (www.newapp.com).

2- Azure AD will be separate also, as we want it to be separate from the original Azure AD (www.contoso.com).

3- We want to assign specific users to manage the new Azure AD (www.newapp.com) through the Azure Admin Portal.

4- We want to allow around 1000 to 5000 users to access our newapp using their different email addresses (B2B; each couple of users will be in a different organization).

5- We want to allow MFA for each user from the 1000 to 5000 users (B2B).

6- From these 1000 to 5000 users there will be around 10 users whose emails are from the original tenant (ex: adminuser1@contoso.com, ...).

I have a couple of questions now:

1- Is point number 3 above available; can I assign one or a couple of users to manage only the new Azure AD?

2- How will the licensing work (how much will we pay), as there will be around 1000-5000 guest users accessing our on-prem app using their emails (different companies), and around 10 users accessing the on-prem app using (contoso.com) emails?

Thanks in advance.


Security > Users flagged for risk - How to filter results


Our organisation has recently started using Azure AD.

In the Security > Users flagged for risk, we have a lot of records flagged as "Remediated".

We had to use the option "Dismiss all events" as the records were over 90 days old and held no useful information.

Is there a way to filter out or remove these records in the Azure system?

Is there a way to order by a heading, mainly "Last Updated (UTC)"?

Currently I am downloading the CSV file and filtering in Excel.

Thanking you in advance

Azure AD SSO Enterprise Apps


I have O365 configured with AADConnect syncing my on-prem AD.

I can see my users (including unlicensed O365 users) in Azure AD when I go to the Admin panel in O365.

SSO is working via AADConnect - the user logs on to the PC with on-prem AD credentials and launches an O365 app with SSO.

I want to add an Azure AD Enterprise App which allows for AzureAD SSO to the Enterprise App.

1. Will I get end-to-end SSO from PC to Enterprise App now? If SSO is working from AD->AzureAD and Enterprise Apps allows SSO from AzureAD->Enterprise App then will that allow for seamless AD->AzureAD->EnterpriseApp SSO?

2. Would I need to launch an O365 app first to initiate the SSO before launching the Enterprise App?

3. Does this fully replace the need for ADFS?

Configuring AAD Connect with AD transitive trusts


We are wanting to complete a Hybrid Office 365 migration from Exchange 2010. Our local active directory looks like this:

  • abc.local forest has the only Exchange organization for contoso.com mailboxes
  • There is an AD transitive trust between abc.local and def.local, with name suffix routing enabled
  • contoso.com is a domain suffix that sits in abc.local AD DS
  • Currently, def.local users get a contoso.com mailbox, which is created in the abc.local Exchange organization
  • So there is an AD account in abc.local for the def.local user. This essentially means there are two accounts for one user in the trusted forests
  • def.local must be the local AD account that gets used to sync with Azure AD via AAD Connect for single sign-on
  • def.local must have a contoso.com UPN or primary SMTP address.

My question is: Is it possible to set up AAD Connect in a way to sync the users in def.local, exclude the abc.local AD accounts that have been created for the def.local mailboxes, and successfully migrate the mailbox content through Exchange Hybrid?

Azure MFA, Conditional Access and Oauth2


I'm having trouble getting an access token for a test user for whom I've enabled Azure MFA and Conditional Access. When I try to use the curl call below, I'm issued a response with a claims attribute. After reading all the documentation I could find on how to use the claims attribute, I can't find any concrete examples of how to structure a new request for the user to perform MFA and then be able to get an access token.

I was wondering if anyone's seen something similar or if they know the structure of the subsequent request to be able to get to prompt the user for MFA.

Thanks!

Curl Request:
# double quotes so the shell expands ${clientId} and the other variables into the form body
curl -vk -X POST \
  -d "resource=https://graph.windows.net&client_id=${clientId}&client_secret=${clientSecret}&scope=openid&grant_type=password&username=${mfaUser}&password=${mfaPassword}" \
  https://login.microsoftonline.com/common/oauth2/token

Response:
{
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.\r\nTrace ID: 7e56a4f2-0a6d-4666-a322-25c96e961b00\r\nCorrelation ID: c7b1d42f-e796-4547-9704-4d971e71d4e2\r\nTimestamp: 2018-11-20 15:05:16Z",
    "error_codes": [50076],
    "timestamp": "2018-11-20 15:05:16Z",
    "trace_id": "7e56a4f2-0a6d-4666-a322-25c96e961b00",
    "correlation_id": "c7b1d42f-e796-4547-9704-4d971e71d4e2",
    "claims": "{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"${GUID}\"]}}}",
    "suberror": "basic_action"
}
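The token endpoint answer above is a claims challenge: the password grant has no browser in the loop, so MFA cannot be completed on that request, and Azure AD hands back the claims it needs to see satisfied. The following Python is an added example, not the poster's code or Microsoft's, showing the usual handling: decode the `claims` string from the error body and forward it unchanged in the `claims` parameter of an interactive authorize request, where the user can be prompted. The tenant, client id, redirect URI, state value and the policy GUID are made-up placeholders; the sample error body is constructed from the fields in the post.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample: the fields that matter from the token-endpoint error body shown in the
# post. The GUID is a made-up placeholder for the Conditional Access policy id (capolids).
SAMPLE_TOKEN_ERROR = {
    "error": "interaction_required",
    "error_codes": [50076],
    "suberror": "basic_action",
    "claims": '{"access_token":{"capolids":{"essential":true,'
              '"values":["00000000-0000-0000-0000-000000000000"]}}}',
}


def extract_claims_challenge(error_body):
    """Return the decoded claims challenge carried by an interaction_required error, else None."""
    if error_body.get("error") != "interaction_required":
        return None
    raw = error_body.get("claims")
    if not raw:
        return None
    challenge = json.loads(raw)
    # A claims challenge is a JSON object keyed by token type ("access_token", "id_token").
    if not isinstance(challenge, dict):
        raise ValueError("claims challenge must be a JSON object keyed by token type")
    return challenge


def build_interactive_authorize_url(tenant, client_id, redirect_uri, challenge, state,
                                    resource="https://graph.windows.net"):
    """Build the v1 authorize request that replays the claims challenge.

    The password grant (grant_type=password) cannot satisfy an MFA requirement because no
    browser is involved; the challenge is forwarded verbatim in the `claims` parameter of
    an interactive authorization request so the user is prompted there.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "scope": "openid",
        "state": state,  # bind the callback to this session; verify it when the code comes back
        "claims": json.dumps(challenge, separators=(",", ":")),
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?" + urlencode(params)


def claims_param_roundtrips(url):
    """Decode the claims parameter back out of the URL so a caller can verify the encoding."""
    query = parse_qs(urlparse(url).query)
    return json.loads(query["claims"][0])


if __name__ == "__main__":
    ch = extract_claims_challenge(SAMPLE_TOKEN_ERROR)
    print(build_interactive_authorize_url("common", "<client-id>", "https://localhost/cb", ch, "state123"))
```

After the user completes MFA the authorization code is exchanged at the token endpoint as usual; the point is that the retry must be interactive, and the challenge must be passed through unmodified.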

Azure AD Identity Protection - User Risk Policy and Federated Users


The 'User Risk Policy' under Azure AD Identity Protection has an option for "Allow Access (require password change)"

However, when we select an at-risk user and select 'Reset Password':


Does this mean that when the "require password change" action is triggered by the policy, it (or the user) can't reset the password, which then blocks the user's sign-in?

Migrate from On premise ADFS to Azure Cloud Authentication(pass hash sync + SSO)

Hi Team,

We are planning to migrate from on-premise ADFS authentication to Azure cloud authentication (password hash sync + SSO). We want to know all the things we need to do:

1. We have a forest xyz.no and a domain inside that forest, abc.xyz.no (to which the ADFS servers are joined).
2. We have some applications (Microsoft Office 365, Salesforce and a few other homegrown on-premise applications) currently using on-premise ADFS authentication.
3. We are already syncing user data along with password hashes to the Azure AD tenant using Azure AD Connect.

Things to achieve:

We want to stop using on-premise ADFS and use Azure cloud authentication. In order to do that, I understand that I need to manually move my domain (abc.xyz.no) from federated to managed (manually because ADFS was installed standalone, not with the help of the AD Connect tool), but when I do such a thing, will other applications using ADFS get affected?
Also, once I migrate my domain, what changes do I need to make on the application side (Office 365, Salesforce) to make them understand that they now need to use Azure authentication and not ADFS anymore?
And what is the best roll-back strategy?

Note: Password Hash sync is already enabled.

Invited Guest users can see other users inside security group on Access Panel Applications


Hi,

We have a Xamarin.Forms-based mobile application developed and registered in Azure AD 'App registrations' as a native app. Our requirement is to allow access to this app only to the users listed in one dedicated security group.

The implementation is working fine using the ADAL libraries and the Microsoft Graph API. In the security group, we have users with different types of email addresses, like Gmail, Yahoo, Hotmail, and organization accounts. All are invited guest users and it is working fine.

The problem we are facing now is that when guest users receive the invitation via email and click on 'Get Started', after providing valid credentials they get navigated to the 'Access Panel Applications' page. On this page they can see the 'Apps' and 'Groups' they belong to. If they click on 'Groups', they can see which groups they belong to on the 'Access Panel Groups' page. When they click on an available group, that guest user can see all the users inside that group.

This is a security risk, since now guest users can see which users have access to my mobile app.

Is there any way to restrict this so that users won't be able to see the users inside a group? There is one setting available at the Azure AD level, but we want this to be at the application level.


Sanjay Nipane


Azure AD Hybrid Join with Autopilot


Hi!

I have configured Autopilot and Device Writeback on AAD Sync for Hybrid Join. If I reset a Windows 10 notebook (ver. 1809), I'm able to see my company branding logo after the fresh restart and enter my login credentials. The Azure AD registration works fine, and the on-prem AD join is working too. In the on-prem AD I can see my device ID under the OU RegisteredDevices, and the computer account under the OU Computers. But the process on the desktop device just runs for a long time (approx. 6-10 min.) and then fails with just the error code 80004005. I can't see more information and am just able to click on reset device. I don't know what else I can do. Anybody have an idea? The user for the Intune connector and the user I logged on to the Windows 10 client with both have the "Enterprise Mobility + Security E5" licence.

Br

Manuel

Show error_description in case of Error response on login.microsoftonline.com

Hi!

While sending an authorization request from my local app using the login.microsoftonline/{tenant}/oauth2/v2.0/authorize? API,
I am getting an error in the response, something like this:
#error=access_denied&error_description=AADSTS50105%3a+The+signed+in+user+is+not+assigned+to+a+role+for+the+application...

Then I want to redirect the user to login.microsoftonline and say that the user has no permissions to access this application, or similar. Is it possible to show such an error description using the API on the login form in login.microsoftonline?

Thank you in advance! 
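The error in the post is delivered to the application's own redirect URI in the URL fragment, so the application is the place that receives it and can decide what to show. The Python below is an added example, not the poster's code, of parsing that fragment: it pulls out `error`, the AADSTS code at the front of `error_description`, and `state`, then maps the code to a fixed message of the application's own rather than echoing the description text (which arrives in a URL anyone could craft). The sample redirect URL is constructed from the fragment quoted above; the application name in quotes and the `state` value are made-up placeholders.

```python
import re
from urllib.parse import parse_qs

# Constructed sample redirect URL carrying the fragment quoted in the post; the quoted
# application name is a made-up placeholder where the original text was cut off.
SAMPLE_REDIRECT = (
    "https://localhost:5000/auth/callback#error=access_denied"
    "&error_description=AADSTS50105%3a+The+signed+in+user+is+not+assigned+to+a+role"
    "+for+the+application+%27example-app%27.&state=abc123"
)

# Fixed messages the application shows on its own error page, keyed by AADSTS code.
# Showing a mapped message instead of the raw error_description avoids reflecting
# attacker-controllable text from the URL into the page.
USER_MESSAGES = {
    "AADSTS50105": "Your account has not been assigned access to this application. "
                   "Ask your administrator to assign you a role.",
}
DEFAULT_MESSAGE = "Sign-in failed. Please try again or contact support."


def parse_error_fragment(redirect_url):
    """Parse an OAuth/OIDC error response carried in the fragment of a redirect URL.

    Returns None when the fragment carries no `error` (e.g. a successful code response),
    otherwise a dict with the error, the leading AADSTS code (if any), the decoded
    description and the state value the application should verify against its session.
    """
    fragment = redirect_url.partition("#")[2]
    # parse_qs turns '+' into spaces and decodes %3a etc.
    params = parse_qs(fragment, keep_blank_values=True)
    if "error" not in params:
        return None
    description = params.get("error_description", [""])[0]
    match = re.match(r"(AADSTS\d+)", description)
    return {
        "error": params["error"][0],
        "code": match.group(1) if match else None,
        "description": description,
        "state": params.get("state", [None])[0],
    }


def user_facing_message(parsed):
    """Pick the text the application displays for a parsed error (None if there was none)."""
    if parsed is None:
        return None
    return USER_MESSAGES.get(parsed["code"], DEFAULT_MESSAGE)


if __name__ == "__main__":
    parsed = parse_error_fragment(SAMPLE_REDIRECT)
    print(parsed["code"], "->", user_facing_message(parsed))
```

In a browser-based client the same parsing runs over `window.location.hash`; the description is still worth logging server-side for troubleshooting, just not rendering verbatim.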

User name does not exist Failed Login Attempts from Azure AD Sync server on Domain Controller


Hello All,

I'm seeing failed login attempts on one of our domain controllers, and all of them are originating from the Azure AD Sync server. It says that user name "O" does not exist.

The failed login event is coming from C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe. For some reason it's using a partial username and domain.

Username: O

Event Code: 4625
Subject: User name does not exist

Both the domain controller and the Azure AD Sync server are running on Windows 2008 R2. The AD Sync client is running version 1.2.69.

Thank you,
Gopi
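A run of 4625 events like the one described is worth triaging by source rather than one event at a time: repeated failures for a single nonexistent account from one service process look different from failures across many accounts from one address. The Python below is an added example, not the poster's script, that groups failed-logon records by source address and calling process and labels each cluster. The sample events are constructed to mirror the fields a 4625 record carries (target account, sub-status, process name, source address); the addresses and the second workstation are made up, and the sub-status meanings are the standard NTSTATUS values the event uses.

```python
from collections import defaultdict

# Sub-status codes that Security event 4625 uses to explain a failed logon (NTSTATUS values).
SUBSTATUS_MEANING = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "bad password",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}

SYNC_PROCESS = r"C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe"

# Constructed sample events (not real log data): three from the sync server's miiserver.exe
# with the odd account "O", and one ordinary mistyped password from a workstation.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "O", "TargetDomainName": "CONTOSO",
     "SubStatus": "0xC0000064", "ProcessName": SYNC_PROCESS, "IpAddress": "10.0.0.25", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "O", "TargetDomainName": "CONTOSO",
     "SubStatus": "0xC0000064", "ProcessName": SYNC_PROCESS, "IpAddress": "10.0.0.25", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "O", "TargetDomainName": "CONTOSO",
     "SubStatus": "0xC0000064", "ProcessName": SYNC_PROCESS, "IpAddress": "10.0.0.25", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "jdoe", "TargetDomainName": "CONTOSO",
     "SubStatus": "0xC000006A", "ProcessName": "-", "IpAddress": "10.0.0.77", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CONTOSO",
     "SubStatus": "0x0", "ProcessName": "-", "IpAddress": "10.0.0.77", "LogonType": 3},
]


def summarize_failed_logons(events):
    """Group 4625 events by (source address, calling process).

    Returns {(ip, process): {"count": n, "accounts": [...], "reasons": [...]}} so each
    cluster can be judged on how many distinct accounts it touches and why they failed.
    """
    groups = defaultdict(lambda: {"count": 0, "accounts": set(), "reasons": set()})
    for ev in events:
        if ev.get("EventID") != 4625:
            continue  # only failed-logon records are of interest here
        grp = groups[(ev["IpAddress"], ev["ProcessName"])]
        grp["count"] += 1
        grp["accounts"].add(f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}')
        grp["reasons"].add(SUBSTATUS_MEANING.get(ev["SubStatus"].lower(), ev["SubStatus"]))
    return {key: {"count": g["count"], "accounts": sorted(g["accounts"]), "reasons": sorted(g["reasons"])}
            for key, g in groups.items()}


def classify_cluster(cluster, many_accounts=5):
    """Give a triage label to one cluster produced by summarize_failed_logons()."""
    if len(cluster["accounts"]) >= many_accounts:
        return "many distinct accounts from one source: investigate as possible password guessing"
    if cluster["reasons"] == ["user name does not exist"] and len(cluster["accounts"]) == 1:
        return ("one nonexistent account repeated from one process: "
                "check that process's stored credentials or connector configuration")
    return "low volume: review in context"


if __name__ == "__main__":
    for key, cluster in summarize_failed_logons(SAMPLE_EVENTS).items():
        print(key, cluster["count"], cluster["accounts"], "->", classify_cluster(cluster))
```

For the case in the post, the cluster from miiserver.exe lands on the "check that process's stored credentials" label, which points at the sync service's AD connector account rather than at the domain controller.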

Azure Active Directory


Hello, I successfully joined a VM into my domain (AD DS) and installed the Active Directory tools. Now, when I try to access the Active Directory Administrative Center, it throws the following error: "your account or computer is not joined to any domain, try again". But I already joined that VM into my domain. Please assist us in solving this.

Thanks.

Is it possible to get Authorization Logs?


Hi,

Is it possible to get the authorization logs from the Azure Active Directory or Azure?

I am looking for logs which get produced when one person (who doesn't have the permission) tries to perform an operation which he is not supposed to do. For example, a Key Vault Contributor trying to change the Web App settings. Can I get those logs? Any way?

Thanks,

Pranav
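For the Azure Resource Manager side of the question (a Key Vault Contributor trying to change Web App settings), a denied management operation is recorded as a failed entry in the subscription's Activity Log with the authorization failure reason. The Python below is an added example, not the poster's code or an Azure SDK call, that filters exported activity-log records down to RBAC denials and lists who tried what on which scope. The field names follow the Azure Activity Log event schema as I understand it (caller, operationName, status, subStatus, authorization.action/scope, properties.statusCode/statusMessage) and are an assumption to check against a real export; the records, callers and subscription id are constructed placeholders.

```python
import json

# Constructed sample activity-log records (not real data). Field names are assumed to match
# the Azure Activity Log event schema; the callers, scope and subscription id are made up.
SAMPLE_ACTIVITY_LOG = [
    {   # a Key Vault Contributor denied when writing Web App settings
        "eventTimestamp": "2018-11-20T15:05:16Z",
        "caller": "kv-contributor@contoso.example",
        "operationName": {"value": "Microsoft.Web/sites/config/write"},
        "authorization": {"action": "Microsoft.Web/sites/config/write",
                          "scope": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Web/sites/app1"},
        "status": {"value": "Failed"},
        "subStatus": {"value": "Forbidden"},
        "properties": {"statusCode": "Forbidden",
                       "statusMessage": json.dumps({"error": {"code": "AuthorizationFailed",
                                                              "message": "The client does not have authorization to perform action."}})},
    },
    {   # the same operation succeeding for an authorized user
        "eventTimestamp": "2018-11-20T15:06:00Z",
        "caller": "webadmin@contoso.example",
        "operationName": {"value": "Microsoft.Web/sites/config/write"},
        "authorization": {"action": "Microsoft.Web/sites/config/write",
                          "scope": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Web/sites/app1"},
        "status": {"value": "Succeeded"},
        "subStatus": {"value": "OK"},
        "properties": {"statusCode": "OK", "statusMessage": ""},
    },
    {   # a failure that is not an authorization problem and must not be reported as one
        "eventTimestamp": "2018-11-20T15:07:30Z",
        "caller": "webadmin@contoso.example",
        "operationName": {"value": "Microsoft.Resources/deployments/write"},
        "authorization": {"action": "Microsoft.Resources/deployments/write",
                          "scope": "/subscriptions/<sub-id>/resourceGroups/rg1"},
        "status": {"value": "Failed"},
        "subStatus": {"value": "BadRequest"},
        "properties": {"statusCode": "BadRequest",
                       "statusMessage": json.dumps({"error": {"code": "InvalidTemplate", "message": "..."}})},
    },
]


def error_code(record):
    """Extract error.code from the JSON-encoded statusMessage, or None if absent/unparseable."""
    try:
        return json.loads(record.get("properties", {}).get("statusMessage", "")).get("error", {}).get("code")
    except (ValueError, AttributeError):
        return None


def authorization_failures(records):
    """Return the records where the caller was denied by RBAC, as (time, caller, action, scope)."""
    denied = []
    for rec in records:
        if rec.get("status", {}).get("value") != "Failed":
            continue
        forbidden = rec.get("properties", {}).get("statusCode") == "Forbidden"
        if forbidden or error_code(rec) == "AuthorizationFailed":
            auth = rec.get("authorization", {})
            denied.append({"time": rec.get("eventTimestamp"), "caller": rec.get("caller"),
                           "action": auth.get("action"), "scope": auth.get("scope")})
    return denied


if __name__ == "__main__":
    for d in authorization_failures(SAMPLE_ACTIVITY_LOG):
        print(f'{d["time"]} {d["caller"]} denied {d["action"]} on {d["scope"]}')
```

The filter keys on the authorization failure code rather than on "Failed" alone, so deployment or validation errors by authorized users do not pollute the list; the same records can be routed to a Log Analytics workspace or storage account through the subscription's diagnostic settings for retention.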

Sign In Logs not coming to Storage account despite having P2 Trial


Hi,

I am having trouble with receiving the SignIn Logs of Azure Active Directory to a storage account through Azure Active Directory Diagnostics Settings. I enabled the P2 trial license and then configured the storage account to get sign in logs as well but they are not coming. I have tried disabling and then enabling again as well after some time but nope. Could you please check?

Directory ID -- 2dfc6a32-d03c-4504-8d69-f08da326f294

Any idea what is happening?

Thanks,

Pranav

Assigning AppRole in a programmatic way?


Hi. 

My colleague is trying to assign an AppRole to users in a programmatic way, so that we can allow our admins to add roles from our web application UI. It seems that currently there is no API for this (this API is just for built-in roles).

Apparently it's possible to do this via Cloud Shell, but still someone needs to open Cloud Shell from a browser and do this. So is there any way to achieve this task programmatically, or do we always need to do it manually?

Currently we are doing this manually by changing our manifest file from the Portal.

Azure Active Directory B2C versus Azure AD V2


Hi,

I am considering identity providers for my project, which supports Open ID connect and Single Sign On, and the features below:

1 Role based access control

2 Offline Access

My questions are

1 Does B2C support RBAC and Offline Access?

2 What are the differences between B2C and AD V2, and their pros and cons? Why are there so many products from Azure that do similar things?

Any pointers would be very much appreciated!

https://stackoverflow.com/questions/45885795/azure-ad-b2c-role-management

https://medium.com/the-new-control-plane/comparing-the-identity-providers-idps-that-i-use-f57aac756c70

Exchange online domain verification error


I started this question in the Exchange Online Forum and it was suggested that I ask the question here. 

I have two active directory domains (C1.com and C2.com) in separate locations that are not in the same forest. C1.com and C2.com are synced to separate Azure subscriptions using Azure AD Connect. I use the C2.com domain for user authentication in that Azure subscription and for website addresses. The two subscriptions have different owners in Azure.

I have a single on premises Exchange server in C1.com that accepts e-mail for C2.com as an alias to users. (me@C1.com has a secondary e-mail address of me@C2.com). There are also a couple of "e-mail only" domains (no AD) that are used as aliases. This works fine and has for many years.

I now want to migrate my Exchange server to Office 365 E3. I logged on to the Office365 portal and added my C1.com to my account using the txt record for verification with no problems. I also added the e-mail only domains. I have not modified the MX records yet.

When I add the C2.com domain I get the message "We have confirmed that you own C2.com, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: UserC2onmicrosoft.com."

All I need is the ability to have the same Exchange Online server accept e-mail into Office 365 for C1.com and C2.com. I don't really care about the C2.com AD users in Office 365, since the C1.com users have email addresses for both domains. I saw this article https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer, but I am not sure if it will accomplish what I want. Would putting both subscriptions under the same owner (and keeping the subscriptions separate) resolve this issue? If not, are there any other suggestions?

Thanks in advance for any help and advice.


Eric Logsdon Cooperative Technologies, Inc.

No SAML response from Azure AD?


Hi

When I try to log in to my app from the Azure AD SSO app I created, I see no HTTP SAML response.

There is an HTTP redirect request, but it's an HTTP GET, not a POST:

https://account.activedirectory.windowsazure.com/applications/redirecttofederatedapplication.aspx?Operation=LinkedSignIn&applicationLinkName=myappname&applicationId=myappid HTTP/1.1

In more details, this is the sequence of calls:

1. GET https://myapps.microsoft.com/signin/myapp/appid HTTP/1.1

2. GET https://account.activedirectory.windowsazure.com/applications/signin/myapp/appid HTTP/1.1

3. GET https://account.activedirectory.windowsazure.com/applications/redirecttoapplication.aspx?Operation=LinkedSignIn&applicationLinkName=myapp&applicationId=appid HTTP/1.1

4. GET https://account.activedirectory.windowsazure.com/applications/redirecttofederatedapplication.aspx?Operation=LinkedSignIn&applicationLinkName=myapp&applicationId=appid HTTP/1.1

5. (After redirect) GET https://mySamlLoginURL HTTP/1.1

This is something new, the app was working (with SAML http POST redirect) last week. 

What happened?



Users not added to Dynamic group


I have created a dynamic rule for users that have a license assigned to them for Microsoft Project Professional.

I have a user that is assigned this license:

According to this article

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#multi-value-properties

I should be able to create a dynamic group and have users with this license assigned/enabled dynamically added to the group (or inheriting it), using the "assignedPlans" property.

I found the Project Online Professional Service ID here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

Then I created the following Dynamic Membership rule:

The rule created successfully and evaluated, processed, and shows as "update complete".  However, my user has not been added to the group, nor does his user object show him as having inherited the group as a result of this dynamic group rule.

Please help!

UPN Suffix & IDFix Tool


Hi,
Just wondering whether someone might be able to shed some light on results I'm getting when running IDFix prior to running AAD Connect in a test environment.

I've created a test domain ad.domainname.com, which should be non-routable. My test user's UPN is test@ad.domainname.com, and as such I'm expecting that IDFix should query the users and give back a top-level domain error; however, they all pass the query test.
Has anyone experienced anything like this before? Does IDFix ignore the "ad" prefix in the UPN suffix after the @, and then, as domainname.com is routable, it's not an issue per se?
Thanks in advance
