Channel: Azure Active Directory forum

Show error_description in case of Error response on login.microsoftonline.com

Hi! 

While sending an authorization request from my local app using the login.microsoftonline/{tenant}/oauth2/v2.0/authorize? API
I am getting an error in the response, something like this:
#error=access_denied&error_description=AADSTS50105%3a+The+signed+in+user+is+not+assigned+to+a+role+for+the+application...

Then I want to redirect the user to login.microsoftonline and say that the user has no permissions to access this application, or similar. Is it possible to show such an error description using the API on the login form in login.microsoftonline?

Thank you in advance! 

Azure Active Directory B2C versus Azure AD V2


I am considering identity providers for my project, which supports OpenID Connect and Single Sign-On, and the features below:

1 Role based access control

2 Offline Access

My questions are

1 Does B2C support RBAC and Offline Access?

2 What are the differences between B2C and AD V2, and their pros and cons? Why are there so many products from Azure that do similar things?

Any pointers would be very much appreciated!

https://stackoverflow.com/questions/45885795/azure-ad-b2c-role-management

https://medium.com/the-new-control-plane/comparing-the-identity-providers-idps-that-i-use-f57aac756c70

Update

https://docs.microsoft.com/en-gb/azure/active-directory/develop/


How to external federate and manage logins, accounts and subscriptions


Hi there,

At my company we are currently evaluating a scenario to allow a Keycloak-based multi-cloud single sign-on service. It works rather well and currently we want to include the Azure cloud in this system. We managed to follow the instructions here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp (albeit we had to adapt some steps, as the documentation seems erroneous, especially when it comes to the shell commands used), but we managed to allow login of users in the Azure AD federated via the Keycloak IdP.

The question is: what is the best way to provide accounts/subscriptions to these users? We would need an automatic (REST API at best) way to create these accounts and subscriptions in Azure. We would need to:


  • Create Subscriptions programmatically

  • Create Azure AD Users programmatically

  • Assign these users to the subscriptions created

Is it correct that we need to have an Enterprise Enrollment in order to programmatically create subscriptions in Azure? (https://azure.microsoft.com/en-us/blog/programmatically-create-enterprise-subscriptions-preview) Is it the same as the Cloud Solution Provider? (There are claims in the docs that this API is able to create subscriptions: https://docs.microsoft.com/en-us/azure/cloud-solution-provider/overview/azure-csp-overview)

For the user creation we figured we can use the Azure API.

Is this in general correct, or are there other, better ways to achieve what we have planned with Azure?


Cannot see profile picture in Azure Portal

I have updated the profile picture in AAD for a user, and it is not shown when logged into the Azure Portal.

Regards, Srivatsa

Two Forests two tenants one ADFS


Hello,

My question is related to this scenario :

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation

I would like to know how to configure the second AAD Connect server.

Thank you.


azure ad connect installation

Unable to install the Microsoft SQL Server Express LocalDB for Azure AD Connect.

Trying to implement SSO with Azure AD on a MediaWiki Site using the module, SimpleSAMLphp, hosted on a Azure VM


So I'm trying to set up SSO login using Azure's Active Directory as an IdP and using the SimpleSAMLphp module for MediaWiki to implement it, but I run into an error I have absolutely no idea how to solve.


Context:

I've followed these instructions: https://medium.com/vivritiengineering/mediawiki-and-azure-single-sign-on-e3fbc13d1f46
But instead of a server hosted on AWS, I have a virtual machine running on Azure.

I'm using this image for my VM: https://bitnami.com/stack/mediawiki/cloud


Actions that lead to problem:

I sign onto the MediaWiki server, attempt to log in, and get sent to a login.microsoftonline.com page. I try to log in, and then get sent back to a MediaWiki /Special:UserLogin page with an error message of "User cannot be authenticated".


Logs:

Found within '/opt/bitnami/apache2/logs/error_log':

```
[Tue Jan 29 04:07:04.007768 2019] [proxy_fcgi:error] [pid 32390:tid 139796580050688] [client my.ip.addr.45:63407] AH01071: Got error 'PHP message: PHP Notice:  Undefined variable: attributes in /opt/bitnami/apps/mediawiki/htdocs/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php on line 47\n
PHP message: PHP Warning:  array_key_exists() expects parameter 2 to be array, null given in /opt/bitnami/apps/mediawiki/htdocs/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php on line 47\n', referer: https://login.microsoftonline.com/kmsi
```


Found within '/opt/bitnami/apache2/logs/access_log':

```
my.ip.addr.45 - - [29/Jan/2019:04:07:03 +0000] "POST /simplesaml/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.1" 303 850
my.ip.addr.45 - - [29/Jan/2019:04:07:03 +0000] "GET /Special:PluggableAuthLogin HTTP/1.1" 302 -
my.ip.addr.45 - - [29/Jan/2019:04:07:04 +0000] "GET /index.php?title=Special:UserLogin/return&wpLoginToken=87d0ee94955902b61de847138e89d4ff5c4fd146%2B%5C HTTP/1.1" 302 -
my.ip.addr.45 - - [29/Jan/2019:04:07:04 +0000] "GET /Special:UserLogin HTTP/1.1" 200 5472
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /resources/assets/poweredby_mediawiki_88x31.png HTTP/1.1" 304 -
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /load.php?debug=false&lang=en&modules=mediawiki.htmlform.styles%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cmediawiki.special.userlogin.common.styles%7Cmediawiki.special.userlogin.login.styles%7Cmediawiki.ui%7Cmediawiki.ui.button%2Ccheckbox%2Cinput%2Cradio%7Cskins.vector.styles&only=styles&skin=vector HTTP/1.1" 200 13492
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /resources/assets/wiki.png?de8c8 HTTP/1.1" 304 -
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /load.php?debug=false&lang=en&modules=startup&only=scripts&safemode=1&skin=vector HTTP/1.1" 200 38569
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /load.php?debug=false&lang=en&modules=jquery%7Cjquery.lengthLimit%7Cmediawiki.htmlform&skin=vector&version=0g0bm48 HTTP/1.1" 200 163379
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "POST /mod_pagespeed_beacon?url=https%3A%2F%2Fcompany-wiki.region.cloudapp.azure.com%2FSpecial%3AUserLogin HTTP/1.1" 204 -
my.ip.addr.45 - - [29/Jan/2019:04:07:05 +0000] "GET /favicon.ico HTTP/1.1" 200 3076
```

Comments:

Here is what I think is the relevant code of '/opt/bitnami/apps/mediawiki/htdocs/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php' referenced in the error_log.

```php
class SimpleSAMLphp extends PluggableAuth {

    // Declared as an object property: it must be read as $this->attributes.
    protected $attributes;

    /**
     * Get the user's username.  Override this if you need to change
     * the appearance from what SAML gives.
     *
     * @param string &$username going into this
     * @param int &$userId the user's id
     * @param string|null &$errorMessage if you want to return an error message.
     * @return bool|string false if there was a problem getting the username.
     *
     * @SuppressWarnings(PHPMD.Superglobals)
     */
    protected function getUsername( &$username = '', &$userId = 0, &$errorMessage = null ) {
        if ( isset( $GLOBALS['wgSimpleSAMLphp_UsernameAttribute'] ) ) {
            $userNameAttribute = $GLOBALS['wgSimpleSAMLphp_UsernameAttribute'];
            if ( is_array( $userNameAttribute ) ) {
                $username = "";
                foreach ( $userNameAttribute as $attribute ) {
                    // $attributes here is an undefined local, not the property
                    // $this->attributes; this is the "Undefined variable: attributes"
                    // notice and the null second argument warning seen in error_log.
                    if ( array_key_exists( $attribute, $attributes ) ) {
                        if ( $username != "" ) {
                            $username .= " ";
                        }
                        $username .= $attributes[$attribute][0];
                    } else {
                        wfDebug( 'SimpleSAMLphp: Could not find user name attribute ' .
                            $attribute );
                        return false;
                    }
                }
            } else {
                // Same undefined local $attributes in the single-attribute branch.
                if ( array_key_exists( $userNameAttribute, $attributes ) ) {
                    $realname = $attributes[$userNameAttribute][0];
                } else {
                    wfDebug( 'SimpleSAMLphp: Could not find user name attribute ' .
                        $attributes );
                    return false;
                }
            }
        } else {
            wfDebug( 'SimpleSAMLphp: $wgSimpleSAMLphp_UsernameAttribute is not set' );
            return false;
        }
        return $username;
    }
```

Basically, $attributes is not being filled and I have no idea how to fix this. Any sort of guidance or direction will be most appreciated.
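As an added illustration (not the MediaWiki SimpleSAMLphp extension's code and not part of the post), here is a stand-alone stand-in for the lookup above that reads the declared `$this->attributes` property and handles both configuration shapes of `$wgSimpleSAMLphp_UsernameAttribute`; the `UsernameResolver` class, its constructor and the claim names and values are constructed sample data, and it is assumed that the SAML layer hands the attribute array to the constructor.

```php
<?php
// Added example, not the extension's code: a minimal stand-in that performs the
// username lookup against the object property rather than an undefined local.
// Attribute names and values are constructed sample data.

class UsernameResolver
{
    /** @var array<string, string[]> SAML attributes, each value a list of strings */
    protected $attributes;

    public function __construct(array $attributes)
    {
        // Assumption: the SAML layer passes the asserted attributes in here.
        $this->attributes = $attributes;
    }

    /**
     * Build the wiki username from one attribute name or an array of names,
     * mirroring the two shapes $wgSimpleSAMLphp_UsernameAttribute can take.
     * Returns false (and sets $errorMessage) when any attribute is missing.
     */
    public function getUsername($usernameAttribute, &$errorMessage = null)
    {
        $names = is_array($usernameAttribute) ? $usernameAttribute : [$usernameAttribute];
        $parts = [];
        foreach ($names as $name) {
            // Read the property; a bare $attributes here would be an undefined
            // local and reproduce the PHP Notice quoted from error_log above.
            if (!array_key_exists($name, $this->attributes) || empty($this->attributes[$name])) {
                $errorMessage = "Could not find user name attribute $name";
                return false;
            }
            $parts[] = $this->attributes[$name][0];
        }
        return implode(' ', $parts);
    }
}

// Constructed sample claims in the URI-style names Azure AD issues by default.
$sampleAttributes = [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' => ['Ada'],
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'   => ['Lovelace'],
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'      => ['ada@example.com'],
];
$resolver = new UsernameResolver($sampleAttributes);

// Single attribute name: username is that claim's first value.
var_dump($resolver->getUsername('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'));
// Array of names: values joined with a single space, as the extension does.
var_dump($resolver->getUsername([
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
]));
// Missing attribute: a clean false plus message instead of a PHP notice.
$err = null;
var_dump($resolver->getUsername('urn:example:missing', $err), $err);
```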

AD App Access Key versus Service Principal Password


I am trying to understand the difference between the app registration key and the service principal password for a WebApp/API app. I would like to replicate the following steps with Azure CLI commands.

1. Create App Registration as WebApp/API

2. Create App Access Key and capture it (the one that you have to save right away because it stays hidden)

3. Make the App into a Service Principal

A team member told me to only use az ad sp create-for-rbac, capture the output, and then save the specific values I need. He said that the Service Principal Password can be used in place of the App Access Key. Is this true? If not, which Azure CLI commands do you recommend to replicate the steps above?

Thank you!


Azure Active Directory Connect error trying to federate with AD FS. Object reference not set to an instance of an object.


I've tried to configure this trust multiple times using the Azure AD Connect Wizard and it fails every time. I tried pasting the output of the install log while trying to federate an Azure AD domain, but it was too long.

Can the trust be created not using Azure AD Connect?

AAD v2 Webapp to WebAPI - WebAPI service principal is not created in customers tenant on consent


I have a Webapp that includes the scopes of a WebAPI defined in its manifest under the requiredResourceAccess field.

When a customer attempts to log in to the webapp, an error is returned:

AADSTS650052: The app needs access to a service [SERVICENAME] that your organization [CUSTOMER TENANT] has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.
Trace ID: a4a34e3f-5d55-4d05-8c73-c8b9981aab00
Correlation ID: 5fd2a2e4-bcc9-40bf-8b88-2fedb55d28c0
Timestamp: 2019-02-04 21:10:59Z:invalid_client

If I were to register the service principal in the customer's tenant manually, the customer is presented with the consent page with the list of permissions.

The command I use to register the service principal in the customer's tenant: az ad sp create --id [APP ID]


AnyConnect client using NPS Extension with SMS not sending av-pair

We are having an issue with using the NPS Extension with AnyConnect clients, whereby SMS clients do not pass av-pairs back to the RADIUS server from the Azure NPS Extension, resulting in the user being assigned to a default policy instead of the one they are expected to be authorized for. We have success with OATH, App Verification/Acceptance, and Phone call, but SMS just does not work. Is there something we could be missing?

Powershell Connect-MsolService fails to authenticate with Microsoft Graph access token


Hi,

I am trying to authenticate with the MSOnline PowerShell module using Connect-MsolService. I obtain a user's access token via a web application using the Azure AD Graph (graph.windows.net). If I authenticate with that token (Connect-MsolService -AccessToken <token>), things work fine.

However, since it's recommended to use the newer Microsoft Graph (graph.microsoft.com) I want to switch over to it, but the Connect-MsolService fails with the token granted by it. If I run Connect-MsolService -MsGraphAccessToken <token>, I get the following error: 

Connect-MsolService : The given key was not present in the dictionary.

To obtain the access token, I send users to the https://login.windows.net/common/oauth2/authorize end point with the correct client id, redirect_uri and resource set to https://graph.microsoft.com. The authentication succeeds and I get a valid token back (for example, a request to https://graph.microsoft.com/v1.0/me works fine). 

What am I doing wrong here?

Thanks for your help!

Best,
Steven


Distribution list deleted from local ad but it still shows in the cloud as synced with AD

We deleted a distribution list from AD and then ran the sync, but it still shows in the Office portal as a distribution list synced with AD.

Unable to create Service Principal with correct permissions to Log Analytics


Hi all

I'm trying to create a Service Principal (SP) with the correct permissions to Log Analytics to allow me to connect with Grafana to create dashboards. Whichever way I create the SP (Portal, CLI, etc.) or use an existing SP, Grafana gives me the below error:

Azure Log Analytics: Forbidden: InsufficientAccessError. The provided credentials have insufficient access to perform the requested operation

I have followed the documentation to create the SP that's in various locations eg https://dev.loganalytics.io/oms/documentation/2-Authorization/1-AAD-Setup or https://docs.microsoft.com/en-us/azure/azure-monitor/platform/grafana-plugin.

The SP has the Log Analytics Contributor role on the workspace itself (as well as the rest of the subscription). The SP has Delegated Permissions to Read Log Analytics Data as user, and permissions have been granted. Not sure what I'm missing; I have tried this with different installs of Grafana (local machine and hosted in Azure).

I can connect to Azure Monitor successfully from Grafana using an SP. If I try to use the same SP for Log Analytics, I get the above error again. I'm trying to test this out in my MSDN subscription, if that makes any difference.

Happy to provide any other info that might be useful

Thanks

Unable To Access AAD features on a Pay as You Go Subscription


Hi All,

I am trying to create a new user in AAD and I see that all the features of AAD are not accessible. I get an "Error Occurred" notification. Please find the screenshot below. Please note that I am using the primary account linked to my Pay as You Go subscription and I am the Global Administrator and the Owner of the resource. Any help with the issue is greatly appreciated.

My roles are as follows:


Mandar Dharmadhikari



AD FS Certificate Rollover - NextTokenSigningCertificate still listed under Office 365 after failed rollover


Our AD FS certificate was set to auto-renew at 50 days before expiry, then roll over 10 days later.

This didn't auto-rollover in Office 365, as I understand it starts checking for a new certificate at 30 days.

We set the rollover to manual, updated the certificate, forced O365 to use the new certificate, which allowed people to authenticate.

However, when I now check the certificates, there is no NextTokenSigningCertificate listed under AD FS, but there is still a NextTokenSigningCertificate listed in Office 365 - which expires before the current token signing certificate.

If I set this back to auto-rollover, will Office 365 try to use the NextTokenSigningCertificate it has listed? Can I remove this?

Secondly, if I change the auto-renew to 50 days before expiry, then roll over 21 days later, would this then give Office 365 time to start checking for a new signing certificate (at 30 days), and account for any delay by giving it the extra day before rolling over?

And will it then renew the NextTokenSigningCertificate I see in AD FS under Office 365?


I deleted last user from Azure AD, how to recover the directory


I really messed up my Azure AD.

I am primarily using Office 365 with "Office 365 Enterprise E3 Developer" licence.

My initial domain is "example1.onmicrosoft.com" and I don't like the name. I wanted to rename it but found it is not possible. Then I read I have to create a new tenant from Azure AD if I want a new name. And I created one, "example2.onmicrosoft.com". Then I wanted to remove the new tenant just for a test, and it seemed like there were a few steps to do that. So, without thinking much, I removed the actual email id from example1.onmicrosoft.com, just because I thought that it would remove the new directory. Now I have created the same email id again, but I can't find "example2.onmicrosoft.com" under switch directory, nor am I able to create one. How do I solve the issue?

Azure AD with PingAccess Pros and Cons

Hi All,

We are preparing to implement Azure SSO and MFA for a new client (fresh build). The plan is to utilize the "PingAccess with Azure AD" capability to accomplish the integration for the vast range of applications in scope.

1. I would like to understand the pros and cons of using a fully licensed PingAccess against just using the restricted functionality that comes with the "PingAccess with Azure AD" package. I would like to know the pointers in addition to the ones listed in the link below.

https://docs.pingidentity.com/bundle/pa_m_PingAccessOverview_pa50/page/pa_c_PingAccessforAzureAD.html

Appreciate your time and help. 

Regards,
Pradeep

Azure not working with premises


Hi,

I am using a proxy server for my web application and it is associated with Azure AD. During login it gives me the error {"error_description":"AADSTS70002: Error validating credentials. AADSTS50011: The reply address \does not match the reply address provided when requesting Authorization code}, because it's not taking my proxy server address; instead it is taking my actual server address. How do I resolve this?

Unable to find out when my Azure Active Directory Premium trial started.


On my Azure account, I enabled the Azure Active Directory Premium FREE trial a few weeks back. The trial is for 30 days. When I go to the Azure portal and click on `Azure Active Directory` on the left, it does not give any option to find out exactly when the trial started. I don't recall the exact date I started the trial, and there is no email sent by Azure to the email address they have on file for my Azure account.

Question: How can I find out exactly when the trial expiration date is, so I can discontinue the Azure AD trial subscription? According to the above link, after the trial the regular rate applies and there is a one-year commitment (that I do not want to make). Please help.

